Originally published at: https://boingboing.net/2019/10/22/bumbling-identity-thieves.html
…
Ya gotta admin it, that was a pretty dumb thing to do.
I’m baffled by how extremely and obviously stupid this stuff is. You shouldn’t need even actual IT professionals to see how insanely dumb and risky it is to have something like that as your login and password, just an average user with half a brain!
So, not to defend them, but:
This is likely true for every company in the world.
Really? I almost have to just call it fake; I have to jump through so many security hoops with a deployment that I find it hard to believe Equifax left admin/admin unguarded. Seriously, script kiddies knock on my door every day if I run a service on an expected port.
Notably this is well after the horse got out of the barn. They already had a CONGRESSIONAL level leak, and they didn’t patch it? This level of lax security is really beyond my imagining.
Not to mention for a company that sells identity theft services.
So did anyone get their years of free monitoring yet? I was affected by the breach and was told I could have free service, but then I haven’t gotten any other notices (other than the couple of email offers for paid service I get a week).
This is the kind of thing that is hard to audit.
“But wait! Password policies, right?”
Password policies are applied by a domain. Many dev/test servers are not joined up to a domain. Dev/test servers should not have sensitive data on them, but sometimes they do.
A place I used to work hadn’t been breached, but had a similar problem. A common password was one which I guess someone started using as a matter of company pride, and then everyone used it as the default password. I would speculate the number of machines at that company with that same password is currently mind-boggling, in the thousands. By the numbers, I am sure there’s at least a few dev/test servers with that default password with PII and a public IP address.
Anyway, the way you keep this from happening is locking down the devs. Don’t let them spin up their own machines, and force them to go through a strict provisioning process which is locked down. All machines should live on the domain. That alone is hard, because devs want to have all the rights in the world to do whatever they need to do, and they usually make a good business case for needing that access. They do not like losing access / permissions / rights of any kind.
Well, they are very good at it! (Getting your identity stolen.)
But they do not sell that service - they give it away for FREE!
With any luck the court has equally bad IT-security so Equifax can hack their server and reduce the coming fines.
It’s only a risk if they actually cared.
Our company has some stupid password protocols, but they aren’t this stupid. And we also don’t have that much important information that could be stolen.
I was going for the payout rather than the monitoring because I already have monitoring. All I’ve heard since is when they emailed back and said that I needed to submit to them WHO was monitoring my credit, or they would disallow my claim.
Security by obviousity.
That’s fantastic
One of the things that made me happy to leave my short-lived time supporting servers for a large provider was like that. I was reading through the Active Directory audit and, among other dumb things, the network folk for the end customer thought blocking the port for AD replication was a smart move, and nobody said anything to them from our end. I was just getting situated with the job when the remote domain controllers started getting tombstoned, or basically, “I haven’t been able to talk to the main server for too damn long and fuck it, I am gonna quit letting people log in now.”
They had a “password policy” on paper. However, it wasn’t actually enforced on the servers, so the users could have set up any shitty password they wanted other than a blank one. I tried to let them know, but they kept saying ‘but we have a rule’. Sometimes I wonder why it isn’t worse than we hear; well, all the time really.
The best!
I remember reading how between two password breaches on a site, it was discovered that the most common password was “password”, so some complexity rules were added (such as needing numbers and letters*). In the next breach, the most common pw was “password1”.
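The two comments above (a policy that exists on paper but is not enforced, and a complexity rule that turns “password” into “password1”) describe the same failure: checking the shape of a password instead of checking it against what attackers actually guess. The following is an added example, not code from the thread or from Equifax, of the enforcement a practitioner would want instead: normalise the candidate (strip leading/trailing digits and symbols, undo leet substitutions) and compare the base word against a blocklist, alongside the paper rule for contrast. The blocklist, the leet map and the sample credentials are constructed for illustration; a real deployment would load a breached-password corpus and the organisation’s own name and product words.

```python
import re
from typing import List, Tuple

# Constructed, hypothetical blocklist. A real deployment would load a breached-password
# corpus and the organisation's own words (company name, product names) here.
BLOCKLIST = {"password", "admin", "welcome", "qwerty", "letmein", "changeme", "equifax"}

# Common character substitutions that cracking rule files already apply (assumed map).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw: str) -> str:
    """Reduce a candidate to the base word a cracking rule would have generated it from.

    Leading/trailing digits and symbols are stripped first (password1, Password2019!,
    1password), then leet substitutions are undone in what remains (P@ssw0rd -> password).
    """
    base = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return base.translate(LEET)


def complexity_ok(pw: str) -> bool:
    """The paper rule from the thread: 8+ characters with at least one letter and one digit."""
    return (len(pw) >= 8
            and re.search(r"[a-z]", pw, re.I) is not None
            and re.search(r"\d", pw) is not None)


def check_password(pw: str, username: str = "", min_len: int = 8) -> Tuple[bool, str]:
    """Enforced rule: blocklist on the normalised form, then username reuse, then length."""
    base = normalize(pw)
    if base in BLOCKLIST:
        return False, "blocklisted base word: " + base
    if username and username.lower() in base:
        return False, "contains username"
    if len(pw) < min_len:
        return False, "shorter than %d characters" % min_len
    return True, "ok"


def audit(candidates: List[Tuple[str, str]]) -> List[Tuple[str, bool, bool, str]]:
    """For each (username, password) pair report (password, paper verdict, enforced verdict, reason)."""
    return [(pw, complexity_ok(pw), *check_password(pw, user)) for user, pw in candidates]


if __name__ == "__main__":
    # Constructed sample credentials, not taken from any real breach.
    sample = [("admin", "admin"),
              ("jdoe", "password1"),
              ("jdoe", "P@ssw0rd2019!"),
              ("svc_build", "svc_build99"),
              ("mjones", "correct horse battery staple")]
    for pw, paper, enforced, reason in audit(sample):
        print("%-30s paper=%-5s enforced=%-5s %s" % (pw, paper, enforced, reason))
```

Run as a script, the audit shows the inversion the thread complains about: “password1” and “P@ssw0rd2019!” satisfy the letters-and-digits rule and are rejected by the blocklist check, while a long passphrase with no digit fails the paper rule and passes enforcement. The normalisation is deliberately crude (strip, then de-leet); the point is that the check happens at the point of password creation on every host, not in a document nobody reads.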
One of the perks of being hegemonic is not having to learn from your mistakes; just how to externalize the costs of making them.