Change mentalities
Beware old school administrators.

I was talking with the network technician of a Canado-American enterprise that works in the field of technical didactic materiel like didactic aeration systems, radar system, etc. This is a small size enterprise of approximately 215 employees and exists for more than 45 years.

I was stupefied when I learned that every employees of the enterprise shared the same email password. There was only one password know by some key peoples like administrators and network technicians. The password is saved by the email client software for future email retrieval. If you have some problems with your email client and need the password to get your emails, you only need to ask a technician to come at your workstation and let him enter the global email password.

After this astonishing exposé, I was asking to myself, ?Why?? Why are they using a single password to retrieve emails of every employee, from the secretary to the chef of software development? I was not able to answer to this question; it?s why I asked it to the tech. His answer was unbelievable: ?I know Fred, its crazy, but the answer is simple: it?s because the administrators says that it always worked in this way and it will always work like this the time they will be here?.

This situation can lead to two important threats: privacy of employees and crucial information gathering by insiders. First you need to have in mind that in both cases, an insider can easily get the password by crashing is email client software, installing a key logger on the computer and calling the tech to let him enter the password. You can also simply look the tech entering the password by watching the keyboard while he is typing it.

When the insider has the password, he can now retrieve the emails of any employees of the enterprise. There is the threat to the privacy. He can easily retrieve the emails of the beautiful blond secretary and learn more on her to know how to woo her.

He can also send emails with the email address of any employee, boss included. There is the threat on the critical information gathering. Think about it, the insider is working as an industrial spy for a concurrent enterprise. He needs to have the latest and most crucial fiscal information of the enterprise. He just has to log on the mail server as the president of the enterprise (who have same password as him) and send an email to the chief of fiscal division and ask him this information. After, he just has to wait and check emails on this account (of the president) every minute to retrieve the requested information.

The source of risks is clearly the administration?s old habit and refusal to change. Nevertheless, how can we change the mentalities of administrators? You need to have in mind that they are not IT security gurus and can have lack of security concern by interest or simply by the lack of knowledge in the domain. The best way is probably by educate them to the problem, show them to which threats the situation can lead.

Leave a Reply

Your email address will not be published. Required fields are marked *