Information Security News mailing list archives

Re: Security's Hard Knocks - easy open doors


From: InfoSec News <isn () C4I ORG>
Date: Mon, 8 Jan 2001 04:12:16 -0600

Forwarded by: Patrick Campbell <jp_campbell () yahoo com>

Even employees with no criminal history can be a danger.

I am a telephone/email support technician and often I have to return
phone calls to clients.

Many times when I've initiated calls to customers, I end up talking to a
secretary and when I need to get into their router to modify the
config, he/she will give me all of their internet connection
passwords, passwords to the router, and the IP address once I show
them how to find it.

They never question my identity.

There are employees with criminal backgrounds, and there are
uneducated employees who can compromise your security.

Luckily for the people I call, I'm calling to help them and not hack
their systems.

Educate your employees to be very skeptical of people who call in
claiming to be with tech support.

You may make my job more difficult, i.e. I have to take time to let
them verify who I am, but your network will be more secure.



At 04:37 AM 1/4/2001 Thursday, you wrote:
http://networkcomputing.com/1201/1201colfeldman.html

January 8, 2001
By Jonathan Feldman

My pop would sometimes despair at having to teach his seven scalawag
children good work habits; he complained that we could learn only at
the school of hard knocks.

A few months ago, I learned a hard lesson about hiring practices. My
colleagues and I found ourselves with a technician who just wasn't
working out. The fellow was habitually late and didn't take
responsibility seriously so we said goodbye. End of story. Or so we
thought.

Next thing we knew we got a call from a police officer who frequently
works with us. "You know that guy who was working for you?" he asked.
"Well, he's got a criminal record as long as my arm. Didn't you run a
background check?" Whoops. Now that's a security problem, isn't it?
Not quite as sexy as the latest IIS exploit, but bad enough.

Turns out we only thought we had run a background check. More
accurately, we got a verbal OK from someone in human resources who was
either overworked or taking too much cold medicine that day. We
accepted it instead of waiting for written authorization from our
background-check source because we were understaffed and anxious to
hire. After we hired the guy, following up on the written
authorization was quickly forgotten and, in the end, the paperwork was
never received.

Memo to self: Be more careful with background checks. Make sure you
get more than a verbal authorization. Go to the source -- don't rely
on an intermediary.

How can you go to the source, you ask? Inquire with local law
enforcement. Frequently, background checks can be done for citizen
businesses both inexpensively (where I live, it costs five bucks -- a
pittance well spent) and authoritatively.


----------
Patrick Campbell
HOME http://wwp.icq.com/217718
WORK http://wwp.icq.com/21604900
http://profiles.yahoo.com/jp_campbell
http://photos.yahoo.com/jp_campbell
+33 (0)612153264
Send a text message to my cellphone :
http://195.115.48.10/flash/data/html/offre/services/texto/texto.html
My number is 0612153264
http://rainforest.care2.com/front.html/player156759
http://www.processtree.com/?sponsor=79783

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".

