I scan the network I’m paid and sworn to protect on a nearly daily basis. I experienced a problem with the account I use for that, and I tested by scanning a small quantity of machines (my own and my cubicle neighbor’s) with my own account to make sure the problem was the account, not the tool.
Fixing the account has become a problem–my boss’ problem now–but when I told him about it, I said I could scan the network with my personal admin account, but didn’t want to. One reason has to do with liability and HR. The other, believe it or not, is technical.
Years ago, I was in charge of scanning and patching a small network of about 600 machines. We had very few service accounts, so I used my personal admin account to do my scans and patching. I had to enter the credentials every time I initiated a scan or patch sequence; the software didn’t save them. One day I entered my credentials the same as I always did, and it failed. It prompted me again, and I thought nothing of it. It left the username filled in but I had to re-enter the password. I re-entered the password and got back on with work.
My password at the time was Jeff.Liar@[non-profit organization].org. Yes, it looked like a human-readable e-mail address. It fulfilled our password requirements at the time. I knew this guy named Jeff who lied a lot, and his last name rhymed perfectly with “Liar,” so it was easy to remember. Well, actually Jeff was this guy’s son’s name, but to this day I’m reluctant to reveal too much about a password I used to use, even if it was in 2007. The real password was also surprisingly easy to type–the guy’s actual first name alternates between your two hands for all four letters.
The next day, I had e-mail from my boss.
Someone saw several failed login attempts from Jeff.Liar@[non-profit organization].org in several server logs and was having a cow about it. My boss did some detective work, first doing a DNS query to make sure that organization existed. When he saw it did, he visited its web page. As it turned out, both he and I had been connected with that organization at one time.
“The only two people here who know anything about that place are Dave and me,” he responded. “It wasn’t me, so it must be something Dave was doing. Next time I see him, I’ll beat it out of him.”
When I saw the e-mail, I admitted to him that it was me pushing patches, and what they saw in the logs was my password. By some freak occurrence, my patch management software had sent my password when it intended to send my username. It never did it again, so I have no idea if it was a very rare bug, or just a hiccup in the network traffic. But my password ended up in cleartext in some system logs, regardless of how it happened.
Lesson #1: Don’t use an e-mail address as your password.
Lesson #2: Use service accounts to scan your network. Your boss and the rest of your power hierarchy should be aware of the account(s), their purpose, who has access to them, and, ideally, should also be able to get at the password if absolutely necessary. Yes, the password should be stored in some kind of encrypted safe.
Lesson #3: Make the password random, so if it ends up in a log somewhere, it looks like a glitch, rather than malicious activity that’s going to get investigated.
Lesson #4: Don’t use anything potentially embarrassing in your password, in case something goes wrong and it ends up in a log somewhere. If saying it out loud would get you in trouble with HR, it’s probably best not to use it as your password either.
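As an added illustration, not code from the original post, here is a small Python script that puts three of the lessons into practice from the defender's side. It flags failed logins whose username field looks like an e-mail address at a domain the organization does not own (the way a misplaced password showed up in the logs above), rejects candidate passwords that look like e-mail addresses or contain blocked words, and generates random service-account passwords with the `secrets` module. The log format, the domains, the blocked-word list and the log lines themselves are all constructed for the example; `example.org` stands in for the redacted non-profit domain.

```python
import re
import secrets
import string

# Constructed sample log in a made-up syslog-like format (not from the post).
# The third line is the situation the post describes: the client sent the
# password where the username belonged, so it landed in cleartext in the log.
SAMPLE_LOG = """\
2007-03-12 09:14:02 srv01 auth: FAILED login user=dave src=10.0.0.7
2007-03-12 09:14:05 srv01 auth: FAILED login user=dave src=10.0.0.7
2007-03-12 09:14:09 srv02 auth: FAILED login user=Jeff.Liar@example.org src=10.0.0.7
2007-03-12 09:14:11 srv02 auth: OK login user=dave src=10.0.0.7
"""

# Loose e-mail shape: something@something.tld
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
# Matches the constructed log format's failed-login records.
FAILED_RE = re.compile(r"FAILED login user=(?P<user>\S+) src=(?P<src>\S+)")

# Placeholder: the domains the organization actually owns.
LOCAL_DOMAINS = ("example.com",)


def suspicious_usernames(log_text, local_domains=LOCAL_DOMAINS):
    """Return (username, source) pairs for failed logins whose username field
    is an e-mail address at a foreign domain.  A sudden run of such failures
    is one signature of a credential leaking into the wrong field."""
    hits = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        user = m.group("user")
        if EMAIL_RE.match(user) and user.split("@")[1].lower() not in local_domains:
            hits.append((user, m.group("src")))
    return hits


# Placeholder blocked-word list (Lesson #4); a real deployment would load
# a much larger list.  A tuple keeps the reported order deterministic.
BLOCKED_WORDS = ("liar", "password")


def password_problems(pw, blocked=BLOCKED_WORDS):
    """Return the policy violations found in a candidate password.
    Empty list means the password passes Lessons #1 and #4."""
    problems = []
    if EMAIL_RE.match(pw):
        problems.append("looks like an e-mail address")
    low = pw.lower()
    for word in blocked:
        if word in low:
            problems.append(f"contains blocked word '{word}'")
    return problems


# '@' is deliberately absent so a generated value can never look like e-mail.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?_"


def random_password(length=24, alphabet=ALPHABET):
    """Generate a service-account password from a CSPRNG (Lesson #3) and
    regenerate in the (very unlikely) case it trips the policy check."""
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_problems(pw):
            return pw


if __name__ == "__main__":
    for user, src in suspicious_usernames(SAMPLE_LOG):
        print(f"possible leaked credential in username field: {user} from {src}")
    print("policy check:", password_problems("Jeff.Liar@example.org"))
    print("new service-account password:", random_password())
```

The generated password is meant to go straight into the encrypted safe from Lesson #2, never into a ticket or an e-mail; the script prints it only so the example is visible when run by hand.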
My boss was surprisingly understanding. I was afraid he’d want to launch an investigation into why our patching software flubbed up the account, but perhaps our impending deadline to get the patches down, and his intense dislike of applying patches, made him willing to just let a glitch be a glitch and let it go. I changed my password and got the patches down, but ever since I left that position, I’ve been reluctant to turn a machine loose with an account connected to me personally.
2 thoughts on “Why I don’t scan networks with my own credentials”
On similar lines, when working for a large multi-national conglomerate a few years ago, we were given access to an online training system. I set my password to a default password that I use for systems I don’t care about. A couple weeks later, I got a rocket from HR about using obscenities in my passwords! We then had a long conversation about how inappropriate it was that HR could see my password. I left a few months later. The company has since “ceased North American operations”. 🙂
Scanning passwords to see which ones are weak and easy to guess is fairly common practice–it’s especially fun when the red team pen tester finds one of the AD admins is using “12345678”–but that’s very different from having HR review them. If they don’t want obscenities in passwords, there are technical means to block them (the Department of Defense does) without HR being able to see them.
Nobody should be able to see them.
Then there are the people who e-mail me their passwords from time to time. Yes, someone did that a week or two ago. That’s another matter entirely…