'Hijacked' SF passwords made public
Only days after the city of San Francisco regained control of its computer network after an alleged hijacking, a new vulnerability has come to light--this time brought on by the city itself.
The San Francisco district attorney's office has apparently made public nearly 150 usernames and passwords used by city officials to gain access to the city's network. The list was submitted to the court as Exhibit A in a case against Terry Childs, a 43-year-old network administrator for the city who was arrested July 13 on four felony charges of tampering with the city's computer network.
Co-workers accused Childs of setting a "time bomb" that would sabotage the network the next time it went down, either for maintenance or due to a power outage.
Childs had effectively taken the city's network hostage by locking administrators out and refusing to give up the passwords needed to regain access. The San Francisco Chronicle reported that, in a secret meeting with Mayor Gavin Newsom earlier this week, Childs handed them over directly to the mayor.
Later in the week, the DA's office reportedly filed a court document to argue against a reduction of the $5 million bail set for Childs, who is being held in the county jail. Exhibit A of the document contained the usernames and passwords used by nearly 150 employees to get into the city's virtual private network. And despite being described as an "imminent threat" to the city's computer network, the passwords are now a matter of public record.
A source tells InfoWorld that a second password is needed to gain access to the VPN. Still, giving up these so-called phase one passwords is hardly recommended security policy.
And here I thought we San Franciscans were supposed to be good with this computer stuff.



User Name: user1
Password: wordpass1
User Name: user2
Password: wordpass2
....
Anthony Kraudelt
1332 Kruger Ave
Erie, PA 16509
If it is a password for a privileged account it could bring down everything. I have seen this over and over again... for big companies... in charge of your ATM cards... checking account numbers... driver's license numbers... (obviously retail)
Look what happened to Egghead, TJ Maxx, whoever else... I guarantee they could have stopped it but because someone with clout didn't want to change his/her password it didn't happen.
I'd also point out that the DA was never one of the people Childs complained about, he was pissed off at his supervisors.
I've worked with guys like this before. Sometimes they can be great workers--obsessed with their jobs, strong sense of ownership. But one webmaster I worked with went off in Childs' direction, convinced everyone but him was incompetent, delusions of grandeur, told everyone he won the Medal of Honor (yeah, he didn't. Sort of easy to check, too.). Bragged about secret "back doors" and such. I always wondered where he ended up and what damage he might have done. This Childs story brought back memories.
[CNET editors' note: personal attack deleted]. The DA did not have to submit into evidence a list of usernames and passwords. Those were not the passwords that Childs was holding "hostage." It was just superuser-level passwords that Childs did not disclose. What possible legal argument could the DA have been trying to make based on user-level passwords that required them to be submitted as evidence? There is just no excuse for incompetence to that degree.
Ultimately, Childs did the right thing. He disclosed the passwords to the highest authority in the city, the mayor. The difference between Childs and the guy you're thinking of is that Childs was surrounded by idiot administrators, whereas your guy was surrounded by idiot users, [CNET editors' note: personal attack deleted].
He never had access to the Active Directory, user names, passwords, or any of that. He managed the ROUTERS AND SWITCHES that kept the backbone up. He had no access to the servers whatsoever other than by packet sniffing hashes. They want to prove he hacked them, get IDS logs, not the UN/PW list. This is just reaffirming the case that Childs didn't do anything wrong. He held the passwords to all the routers/switches by design. When they demanded the passwords without a security policy or procedures in place, Childs didn't think they had the authorization to. They grew super paranoid and arrested him. In his place I'd do the same damn thing: These bozos are going to break something you've spent 5 years working on and don't even have the authorization or documented paper trail to demonstrate that they have authority to request these passwords, why would you give it to them?
He wasn't fired. If they fire him, he'd give them the passwords, I guarantee it. He gave it to the Mayor and told him "Ok, good luck. It's on record that you have the authority, being the mayor. When they **** it up, it's not my fault."
Now they're like "Crap, we broke something. Let's circulate a story of how it's configured as a time bomb. The court will eat it up, it's like a Hollywood hacker film, they don't know the difference. Then we'll just testify as experts and cover up our own ineptitude."
Get a real engineer, or better yet an information security specialist (aka hacker) to testify. Hell, *I* would chew them up and spit them out.