July 26, 2008 2:28 PM PDT

'Hijacked' SF passwords made public

Only days after the city of San Francisco regained control of its computer network after an alleged hijacking, a new vulnerability has come to light--this time brought on by the city itself.

The San Francisco district attorney's office has apparently made public nearly 150 usernames and passwords used by city officials to gain access to the city's network. The list was submitted to the court as Exhibit A in a case against Terry Childs, a 43-year-old network administrator for the city who was arrested July 13 on four felony charges of tampering with the city's computer network.

Co-workers accused Childs of setting a "time bomb" that would sabotage the network the next time it went down, either for maintenance or due to a power outage.

Childs had effectively taken the city's network hostage by locking administrators out and refusing to give up the passwords needed to regain access. The San Francisco Chronicle reported that, in a secret meeting earlier this week, Childs handed the passwords directly to Mayor Gavin Newsom.

Later in the week, the DA's office reportedly filed a court document arguing against a reduction of the $5 million bail set for Childs, who is being held in the county jail. Exhibit A of that document contained the usernames and passwords used by nearly 150 employees to get into the city's virtual private network. And despite the DA's office saying the passwords pose an "imminent threat" to the city's computer network, they are now a matter of public record.

A source tells InfoWorld that a second password is needed to gain access to the VPN. Still, giving up these so-called phase one passwords is hardly recommended security policy.

And here I thought we San Franciscans were supposed to be good with this computer stuff.

by mliddekee July 26, 2008 3:53 PM PDT
Something is fishy with this whole Childs/SF story. I don't think we're getting the whole picture. If the DA's office is stupid enough to make a list of passwords public record then it sounds like this Childs guy might have been right in the first place that the city was a danger to itself.
by firestarter July 26, 2008 4:05 PM PDT
This is why Childs didn't feel that people were worthy of the password, and thanks to this DA he was just proved right. How did he become DA and do such a stupid thing like this?
by n3td3v July 26, 2008 4:08 PM PDT
Where are the publicly available passwords???
by ralfthedog July 26, 2008 4:14 PM PDT
Re: Where are the publicly available passwords???

User Name: user1
Password: wordpass1

User Name: user2
Password: wordpass2

....
by SlimGem July 26, 2008 4:45 PM PDT
What does it matter now? I'm sure they are disabled. Aren't they?
by gremont2007 July 26, 2008 5:16 PM PDT
I don't have the key to install Norton... could you help me with that?
by anthonysmission July 26, 2008 6:34 PM PDT
Making UN's and PW's public isn't a good thing!

Anthony Kraudelt
1332 Kruger Ave
Erie, PA 16509
by anon8mizer July 26, 2008 8:12 PM PDT
For most users, even if you need a second password (a one-time password, or OTP, from a security token or whatever) to log into the SF VPN, the first password they use is still the same password they use for other personal sites, like their banks, Amazon, or whatever. So knowing these users' IDs and first passwords is a great thing for an ID thief.
by Astinsan July 27, 2008 8:47 AM PDT
My favorite place to look for passwords... under keyboards. on sticky notes... bottom of desk... side of desk drawers...

if it is a password for a privileged account it could bring down everything. I have seen this over and over again... for big companies... in charge of your atm cards... checking account numbers... drivers license numbers... (obviously retail)

Look what happened to Egghead, TJ Maxx, whoever else... I guarantee they could have stopped it, but because someone with clout didn't want to change his/her password it didn't happen.
by toomath July 27, 2008 9:00 PM PDT
er, mliddekee, the only reason the DA was in a position to (stupidly, yes) release those passwords was BECAUSE Childs held them hostage and engaged in criminal activities... let's put the blame where it belongs.

I'd also point out that the DA was never one of the people Childs complained about; he was pissed off at his supervisors.

I've worked with guys like this before. Sometimes they can be great workers--obsessed with their jobs, strong sense of ownership. But one webmaster I worked with went off in Childs' direction, convinced everyone but him was incompetent, delusions of grandeur, told everyone he won the Medal of Honor (yeah, he didn't. Sort of easy to check, too.). Bragged about secret "back doors" and such. I always wondered where he ended up and what damage he might have done. This Childs story brought back memories.
by DavoRider July 27, 2008 9:07 PM PDT
Typical San Francisco politics. Sadly, The City seems incapable of electing competent officials. Kamala Harris is just another example of this.
by chlimouj July 27, 2008 11:13 PM PDT
toomath:

[CNET editors' note: personal attack deleted]. The DA did not have to submit into evidence a list of usernames and passwords. Those were not the passwords that Childs was holding "hostage." It was just superuser-level passwords that Childs did not disclose. What possible legal argument could the DA have been trying to make based on user-level passwords that required them to be submitted as evidence? There is just no excuse for incompetence to that degree.

Ultimately, Childs did the right thing. He disclosed the passwords to the highest authority in the city, the mayor. The difference between Childs and the guy you're thinking of is that Childs was surrounded by idiot administrators, whereas your guy was surrounded by idiot users, [CNET editors' note: personal attack deleted].
by Michichael July 28, 2008 11:59 AM PDT
Ok, this is hilarious. This guy was a NETWORK ENGINEER. NOT A SYSTEMS ADMINISTRATOR.

He never had access to the Active Directory, user names, passwords, or any of that. He managed the ROUTERS AND SWITCHES that kept the backbone up. He had no access to the servers whatsoever other than by packet sniffing hashes. If they want to prove he hacked them, get IDS logs, not the UN/PW list. This is just reaffirming the case that Childs didn't do anything wrong. He held the passwords to all the routers/switches by design. When they demanded the passwords without a security policy or procedures in place, Childs didn't think they had the authorization to. They grew super paranoid and arrested him. In his place I'd do the same damn thing: these bozos are going to break something you've spent 5 years working on and don't even have the authorization or documented paper trail to demonstrate that they have authority to request these passwords, so why would you give it to them?

He wasn't fired. If they fire him, he'd give them the passwords, I guarantee it. He gave it to the Mayor and told him "Ok, good luck. It's on record that you have the authority, being the mayor. When they **** it up, it's not my fault."

Now they're like "Crap, we broke something. Let's circulate a story of how it's configured as a time bomb. The court will eat it up; it's like a Hollywood hacker film, they don't know the difference. Then we'll just testify as experts and cover up our own ineptitude."

Get a real engineer, or better yet an information security specialist (aka hacker) to testify. Hell, *I* would chew them up and spit them out.
by vintagegeek July 28, 2008 12:38 PM PDT
The more you hear on this case the more you feel Childs might have some valid points. "Trust No One"... oooh, where have I seen that phrase before? Time to bring in some top-notch 3rd-party experts to document the who, what, and where of this network. But don't let the DA's office see it. They sound a bit loosey-goosey.
by Serenity3000 July 28, 2008 12:58 PM PDT
His name is Nick and he's MY network administrator. From the description alone, it's GOTTA be him. Especially the delusions of grandeur. You also forgot "likely to sneak off and burn one on their lunch break" and "chews his nails until they're bleeding!"

:D