San Francisco DA Discloses City's Passwords 333

snydeq writes "The office of San Francisco District Attorney Kamala Harris has made public close to 150 usernames and passwords used by various departments to connect to the city's VPN. The passwords were filed this week as Exhibit A in a court document arguing against a reduction in $5 million bail in the case against Terry Childs. Though they placed the passwords in the public record, city prosecutors do seem to think that they are sensitive. InfoWorld's Paul Venezia, who has been following the case closely, provides further analysis of the technical details in the city's case. 'By themselves, [the passwords] would not be enough to allow anyone to access the network via VPN,' Venezia writes, 'but the fact that the city entered them into evidence is quite shocking. At the very least, they'll have to shut down their VPN access for a while until they've changed them all and modified the configurations of some large number of VPN clients.'"
  • by techno-vampire ( 666512 ) on Friday July 25, 2008 @07:34PM (#24343503) Homepage
    No, he wasn't an asshole. He had a very good point that has just gone over your head. To elucidate, if you add too many requirements to users' passwords they can't remember them and need to write them down. Once you get to that point, the passwords aren't strong any more and you've created a security hole by trying to avoid one. There's a limit on how much you can expect the average user to remember when it comes to passwords; go past that and their passwords get less, not more, secure.
  • by colinmcnamara ( 1152427 ) on Friday July 25, 2008 @07:49PM (#24343653) Homepage

    From the referenced article - "The passwords are so-called "phase one" passwords, and must be combined with a second password to access the network, the source said." 99% chance they are using some form of Cisco device as their VPN concentrator (most likely a VPN3030, ASA or 7200 series router). If they are, these passwords (one per group) are in what is called a pcf file on every employee's computer that is allowed to connect. Heck, if you use a Cisco vpn it is on your computer in the following location - C:\Program Files\Cisco Systems\VPN Client\Profiles . The group pass is encrypted with weak encryption that is commonly cracked to allow linux laptops to connect using vpnc. You can do it on the web here - http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode

    The thing is, this group password's primary use is to segregate users into different buckets. E.g. contractors may have one password, with different authentication methods, while permanent employees are in a different bucket, with their own authentication methods. The key thing is that once this first password is provided, the end user still has to provide a unique username and password to gain access. So in effect, having the group password alone is meaningless.

    On top of that, I frankly would not be surprised or peeved if a network engineer had possession of PCF files for the network he is responsible for. What is next? Is the DA going to try to prosecute him for having diagrams and configs of the network he is managing on his laptop?

  • RTFA (Score:5, Informative)

    by Estanislao Martínez ( 203477 ) on Friday July 25, 2008 @07:51PM (#24343675) Homepage

    Why did the DA even have access to these passwords? Why were they not in hash form? Did Childs have anything to do with that part?

    From the article:

    The passwords, discovered on Childs' computer, pose an "imminent threat" to the city's computer network, according to the court filing. Childs could use the names and passwords to "impersonate any of the legitimate users in the City by using their password to gain access to the system," the motion against the bail reduction states.

    So, in answer to your questions: probably because the police found them as a result of their investigation, because Childs allegedly kept them in plaintext, and yes, allegedly, Childs had plenty to do with it.

    Do you have any other questions? Perhaps the article answers them.

  • by Hanzie ( 16075 ) * on Friday July 25, 2008 @07:59PM (#24343759)
    from TFA --

    The username/password combos were apparently functioning sets. The DA is saying they found them on Childs' own computer. The DA is all in a tizzy because Childs could then use these accounts to sneak into the system and cause mischief without getting tracked back.

    Right. The only guy in the world with God level access to this network needs fake usernames/passwords so he can 'cause mischief'?

    Give me a fucking break. I can think of many reasons for him to have those combos on his personal system.

    1. He's checking to see what naughtiness has already happened with those accounts
    2. He's got accounts so he can log in with a lower level of access and see what's accessible
    3. These are usernames/password combos that he sniffed off the network, during routine security testing.
    4. These are people with accounts that have had some kind of trouble, and he's got them so he can attempt to diagnose problems linked to user level access.
    5. It's a list of post-it pads he's seen while walking around at work, and he'd been planning to inform the users to change their passwords.
    6. They're the output list of a password security checker.

    Apparently the less than brilliant DA's office is unaware that the GOD level admin has the ability to do anything at all on the network and REMOVE ALL TRACES IN THE LOGS afterwards. It's trivial, when you're the one who runs the tattletales.

    Dear DA office: IF YOU LOOK HARD YOU'LL UNDOUBTEDLY FIND EVIDENCE TRACY EAVESDROPPING ON THE NETWORK SNIFFING AND ATTEMPTING TO ILLEGALLY PENETRATE THE SYSTEM. IT'S PART OF HIS JOB, MORONS. IF YOU KEEP BRINGING THIS CRAP UP, YOU'LL ONLY LOOK STUPIDER.

    Keep this up, and Nifong will have company in the 'world's dumbest DA's club'.

  • by bugs2squash ( 1132591 ) on Friday July 25, 2008 @08:57PM (#24344253)
    I've run networks where the router config did not fit into the flash. It had to be loaded from an external server.

    Not having the config in flash need not make the device a brick.
  • Re:Password sniffing (Score:3, Informative)

    by Opportunist ( 166417 ) on Friday July 25, 2008 @10:34PM (#24344957)

    Accusing an administrator of password sniffing is usually pretty dumb, unless you're dumb enough to use the same password internally and for private, external applications. A top level admin has access to all your files if he wants to, without your password. Because (drumroll) he can simply log in as administrator with the according privileges, i.e. ALL privileges to view ALL files and do with them what he pleases. At least technically; legally you can have his hide, depending on contract.

    I spent a few years as the security head honcho of a bank auditing company. It amazed and puzzled me to no end what people considered "secret" or, the more paranoid ones, what they thought I'd do.

    Here's a secret for you C?Os out there: If you do not trust your admin, fire him. He knows more about the system than you do and he usually has pretty much total access to everything. He can read your files and if he wants to, your correspondence. If you do not have faith in his integrity and do not trust him, fire him and hire one you do trust. Because one thing stands and cannot be changed: You have to trust your administrator. If you don't, get rid of computers or start digging into the matter so you can do it yourself.

    Here's another secret: We usually don't snoop. We got better things to do. Like, keeping your machines running and fixing yours when you managed to FUBAR it (again). Few admins play the "I know something about my boss and that breaks his neck" game.

    Unless you give us reason to. Basically, if we do something like that, it's for defense.

  • Re:RTFA (Score:3, Informative)

    by TubeSteak ( 669689 ) on Saturday July 26, 2008 @03:00AM (#24346211) Journal

    On another note, isn't the POINT of the 8th amendment to stop bail deliberately set so high that the person being held cannot hope to post it? (which seems to be what the DA here wants)

    Bail is considered excessive in relation to the crime alleged, not to the means of the defendant, even though the means of the defendant is considered when setting bail.

    In other words, your inability to afford bail is not one of the defining characteristics of "excessive bail".

  • Re:Ah HA! (Score:4, Informative)

    by OnlineAlias ( 828288 ) on Saturday July 26, 2008 @10:52AM (#24348153)

    Your comment is true, and so few IT organizations actually understand what you have said. However, these are "phase one" passwords. These particular passwords are the ones that allow a system to communicate with the network to even begin the process of authenticating a user. Any good admin must have these, as it is the admin that creates them and they cannot be changed after the fact. If you change one, you will have to go through and rebuild the certificate on the other device that is requesting access.

    Interestingly, the DA is exposing the network even more than people know. Since this is essentially a defense in depth strategy, a lot of times the secondary password measures put in place (ie, authenticating the users) are weaker and more hackable. As admins know the first phase one measure is in place, the second one usually isn't as strong or monitored as well. After all, it isn't usually subject to brute force attacks.

    Now San Francisco's weakest and most sensitive set of passwords are subject to brute force attacks in a free-for-all on the internet. Since there are so many passwords published, quite possibly the attacks could be from multiple vectors to multiple edge devices. Seems the DA is either wildly incompetent (by virtue of not getting high end consulting advice on this subject) or has some legal reason to ensure the network is hacked. Either way, yikes.
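    Added example, not part of the comment above: once the phase-one group secrets are public, the user-level second phase is what an attacker would hammer, so it needs the monitoring the commenter says it usually lacks. This detector flags a source that fails logins against several distinct usernames in one group within a short window. The log lines and their field layout are constructed for the example; they are not a real concentrator's syslog format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; the field layout is an assumption for this
# example, not a real VPN concentrator's syslog format.
SAMPLE_LOG = """\
2008-07-26T03:00:01 vpn1 AUTH_FAIL group=staff user=asmith src=198.51.100.7
2008-07-26T03:00:03 vpn1 AUTH_FAIL group=staff user=bjones src=198.51.100.7
2008-07-26T03:00:05 vpn1 AUTH_FAIL group=staff user=cwu src=198.51.100.7
2008-07-26T03:00:06 vpn1 AUTH_OK group=staff user=dlee src=203.0.113.5
2008-07-26T03:00:09 vpn1 AUTH_FAIL group=staff user=dlee src=198.51.100.7
2008-07-26T03:10:00 vpn1 AUTH_FAIL group=contractors user=x1 src=198.51.100.9
2008-07-26T03:30:00 vpn1 AUTH_FAIL group=contractors user=x2 src=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) \S+ (AUTH_\w+) group=(\S+) user=(\S*) src=(\S+)$")

def parse_line(line):
    """Split one line into (timestamp, result, group, user, src), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, result, group, user, src = m.groups()
    return datetime.fromisoformat(ts), result, group, user, src

def spray_alerts(log, window=timedelta(minutes=5), threshold=3):
    """Return the (group, src) pairs that accumulate failed user logins
    against at least `threshold` distinct usernames inside one window."""
    failures = defaultdict(list)
    for line in log.splitlines():
        rec = parse_line(line)
        if rec and rec[1] == "AUTH_FAIL":
            ts, _, group, user, src = rec
            failures[(group, src)].append((ts, user))
    alerts = set()
    for key, evs in failures.items():
        evs.sort()  # sliding window over time-ordered failures
        for i, (t0, _) in enumerate(evs):
            users = {u for t, u in evs[i:] if t - t0 <= window}
            if len(users) >= threshold:
                alerts.add(key)
                break
    return alerts
```

    Two slow failures from the contractors source stay below the threshold; the four-user burst against the staff group from one address is what gets reported.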
