Re: Is it safe to use social security number as intranet username? (long)

From: MARK BURGGRAF (mburggra1@prodigy.net)
Date: 05/17/02


From: "MARK  BURGGRAF" <mburggra1@prodigy.net>
Date: Fri, 17 May 2002 00:58:22 GMT

Mathias Grimmberger <mgri@zaphod.sax.de> wrote in message
news:m3adqzsurg.fsf@zaphod.sax.de...
> Barry Margolin <barmar@genuity.net> writes:
> > In article <zhBE8.7182$%9.1742029919@newssvr30.news.prodigy.com>,
> > Alun Jones <alun@texis.com> wrote:
> > >In article <ejxE8.8$GK3.50@paloalto-snr1.gtei.net>, Barry Margolin
> > ><barmar@genuity.net> wrote:
> > >>Note also that he's talking about an *intranet*, i.e. a server internal to
> > >>the company. They're not sending payroll information to an outside agency
> > >>(unless operation of the intranet is outsourced), so who is going to be
> > >>defrauding them? This is information that already exists in the company's
> > >>databases.

Hurumphhhh!!!! Our *intranet* (and each node) has DIRECT access to the
*internet*! It's a *corporate* LAN that spans several countries! Not your
little *garage* type lan connecting two computers!

> > >It is, however, information that is traditionally restricted to only a few
> > >people within the company - those people that file the tax forms, and thus
> > >have a legitimate reason to know it - and a legal requirement, in fact, to do
> > >so. Others within the firm are generally not privy to such information, and
> > >for good reason. With a little knowledge of a person's public information and
> > >a SSN, you can get a credit card in their name.

Yup. Bad idea all the way 'round. Period. He shouldn't do it. Again,
period.

> > >When this becomes the person's internal login name, and thus available to
> > >everyone from the coffee boy on up, there's considerably greater chance of
> > >fraud and identity theft against the employees.
> >
> > How would the coffee boy get access to the internal database of the
> > intranet server?

Easy. In most cases nowadays he doesn't even need to be an employee. Our
company uses a 'wire-less' intra-net in addition to the traditional
'hardwire'. This accommodates laptops, etc. I've written several memos
with step by step instructions on how someone could sit in our parking lot
and hack into our network. I've offered a demonstration...

The response? Heh, heh... yup! 'People who don't *need* to get on our
network, won't.'

> Why would he need to?

Ahh... the corporate mindset. 'Employees who don't *need* to, won't.'

Ignorance... and (trust me) it's gonna cost you.

> What are the odds that the login info is transmitted in cleartext (it's
> an intranet so nobody cares even if most attacks are reported to come
> from insiders)?

Yup... nobody cares. ROTFL!!! Nope, nobody! Information isn't valuable.
Hacking a network isn't interesting... or fun... or profitable.

> What are the odds that the network is properly secured against sniffers
> put onto it by just anyone able to physically access a host or even just
> a random ethernet outlet?

I'd say about 50/50. Probably less. Our shipping clerk has access. So
does *every* employee at our location!

> What are the odds anyone would notice a sniffer at all (one with the
> transmit wires intact I mean)?
>
> Pretty slim I'd say.

Glad I don't work where you work! There's plenty of 'software' sniffers out
there! Some are *very* difficult to find and isolate.

> > We're not talking about the person's email address.
>
> Exactly. This is kind of the point, isn't it? :-)

What, exactly... is your point? That any and all personal information can
be used, transmitted, and bandied about... without *any* fear of it being
used because 'those that don't *need* the information' won't use it?!?

Heh, heh... me thinks you might have an anterior motive?


