Comments on Tech Ennui: Stupid Company Tricks

Comment posted 2007-10-12 by Anonymous:

Here is one: a fairly well known bank wants to save money and convinces customers to start using a "provided" system and scanner to process the checks for the bank.

Bank sends hardware with XP SP2 (not fully patched) and TWO full blown Administrator accounts and one User account. Both the User and one of the Administrators have passwords provided that are straight plain-text and it is SUGGESTED that the passwords be changed. Bank wants this system dropped into the client's existing network and I say NO. I set it up outside the internal domain but behind a firewall.

This is now where it gets even better. I hook everything up and, AFTER changing the passwords for both the XP logins, I check the security policy settings and yes, of course, NOTHING was set. I call the provided Help-Desk number, explain what I see and ask if this one was not set up fully, and am informed no, this is the way they go out the door to the customers. I then tell them that I am setting the security policies that I always set for any W2K/XP+ system I work on and she tells me that is fine. I then connect the patch cable, log into the bank software and proceed to set the strongest password it will allow me to, this of course after finding out that the SSL certificate for their site is out of date by ten months.

I ask the Help-Desk about this and was told:

"You know, I see that all of the time and I just click on through."

I end the call there and proceed to create a non-admin account for processing the checks for the client, and then see, under the administration page, another company's users. Startled, I refresh the page and yup, the information is still there. Time to call the Help-Desk again and explain what I have found. I am told I should not be able to see this and I mentally scream to the heavens.

I tell the Help-Desk that this needs to be corrected.

I then explain to the client what I have found and make them promise that the system will ONLY be turned on when needed and NEVER left running when not in use.

Two days later I receive a call from the client and am told that they cannot log in and a bank representative is there. I head over and explain that they had the passwords reversed. It is now time to hammer the bank rep about what I have found and ask for answers, of which none were really forthcoming.

In fact, the rep tells me that I am the first who placed ANY security, and even when companies' inside or outside IT sets them up, they leave everything with the DEFAULT settings.

I then told him that if anything ever happens and this ever winds up in court, I would place the blame squarely with the bank as they send these systems out this way. He tells me that we ASK them to change passwords, and that is where I cut him off. I explain to him that you do NOT ask, you TELL them they will change passwords, and that the crappy McAfee security software is a joke and further the bank's fault, especially since they, the bank, gave everyone a default plain-text password for the ADMINISTRATOR account and all it will take is one pissed off employee of a company or the bank itself and they are screwed.

He was rattled but felt secure, but said he would discuss this with his superiors.

I then pointed out to him that the check we had just processed was almost the full 100K insured by the FDIC; that is when he went white.

Yes, feeling safer already.