Re: Is it safe to use social security number as intranet username? (long)
From: Mathias Grimmberger (mgri@zaphod.sax.de)
Date: 05/16/02
From: Mathias Grimmberger <mgri@zaphod.sax.de> Date: Thu, 16 May 2002 20:27:47 GMT
Barry Margolin <barmar@genuity.net> writes:
> In article <zhBE8.7182$%9.1742029919@newssvr30.news.prodigy.com>,
> Alun Jones <alun@texis.com> wrote:
> >In article <ejxE8.8$GK3.50@paloalto-snr1.gtei.net>, Barry Margolin
> ><barmar@genuity.net> wrote:
> >>Note also that he's talking about an *intranet*, i.e. a server internal to
> >>the company. They're not sending payroll information to an outside agency
> >>(unless operation of the intranet is outsourced), so who is going to be
> >>defrauding them? This is information that already exists in the company's
> >>databases.
> >
> >It is, however, information that is traditionally restricted to only a few
> >people within the company - those people that file the tax forms, and thus
> >have a legitimate reason to know it - and a legal requirement, in fact, to do
> >so. Others within the firm are generally not privy to such information, and
> >for good reason. With a little knowledge of a person's public information and
> >a SSN, you can get a credit card in their name.
> >
> >When this becomes the person's internal login name, and thus available to
> >everyone from the coffee boy on up, there's considerably greater chance of
> >fraud and identity theft against the employees.
>
> How would the coffee boy get access to the internal database of the
> intranet server?
Why would he need to?
What are the odds that the login info is transmitted in cleartext (it's
an intranet so nobody cares even if most attacks are reported to come
from insiders)?
What are the odds that the network is properly secured against sniffers
put onto it by just anyone able to physically access a host or even just
a random ethernet outlet?
What are the odds anyone would notice a sniffer at all (one with the
transmit wires intact I mean)?
Pretty slim I'd say.
> We're not talking about the person's email address.
Exactly. This is kind of the point, isn't it? :-)
MGri
-- Mathias Grimmberger <mgri@zaphod.sax.de> Eat flaming death, evil Micro$oft mongrels!