Tech workers - what did your IT Security team do that made your life hell and had no practical benefit?

One chestnut from my history in lottery game development:

While our security staff was incredibly tight and did a generally good job, oftentimes levels of paranoia were off the charts.

Once they went around hot gluing shut all of the “unnecessary” USB ports in our PCs under the premise of mitigating data theft via thumb drive, while ignoring that we were all Internet-connected and VPNs are a thing, also that every machine had a RW optical drive.

SHITPOSTING_ACCOUNT,

Endless approval processes are a good one. They don’t even have to be nonsensical. Just unnecessarily manual, tedious, applied to the simplest changes, with long wait times and multiple steps. Add time zone differences and pile up many different ones, and life becomes hell.

RozhkiNozhki,
@RozhkiNozhki@lemmy.world

It took them three weeks to have my super secure voicemail PIN reset, only for me to set it to whatever I wanted.

AstralWeekends,

Made me write SQL updates that had to be run by someone in a different state with pretty much no knowledge of SQL.

GissaMittJobb,

Access to change production systems was limited to a single team, which was tasked with doing all deploys by hand, for an engineering organisation of 50+ people. Quickly becoming overloaded, they limited deploy frequency to five deploys per day, organisation-wide.

Bit of a shit-show, that one.

DaneGerous,

Disabled “unnecessary” services on all member servers including netlogon. That was a fun couple of weeks.

Krudler,

The “we’ll just disable everything until somebody complains” strategy. Idiots!

teichflamme,

Oftentimes it’s the only strategy, because most admins or system owners have no clue what services they actually need.

Merwyn,

They forbid us to add our ssh keys on some server machines, and force us to log in to these servers with the non-personal admin account, with a password that is super easy to guess and hasn’t been changed in 5 years.

PoolloverNathan,

VPN to another country and pretend to crack it. Repeat this until IT changes their mind.

Rolive,

Chaotic good.

d00phy,

The IT company I work for purchased me, along with some number of my coworkers and our product line, from my former employer. Leading up to the cutover, we’re told that at midnight of the change, our company email will stop working. No forwarders or anything. BUT, we will get a new email that consists of gibberish@stupidsubdomain.company.com. When the password on this new account expires, because we can’t change it because we’re no longer employees, we have to go to a website to request a password change. This emails us a link to our new company email address, but we can’t use that link. We have to manually change part of the URL for it to work. I had them manually change my password twice before I gave up on the whole process. Figured I didn’t work for them anymore. What would they do if I stopped using this bogus account/email address, fire me?

RogueBanana,

Is it actually gibberish? I have never seen a company use anything other than parts of first name last name at company.

d00phy,

I’m sure it meant something to someone, but it was just letters and numbers to me.

AtHeartEngineer,
@AtHeartEngineer@lemmy.world

SSL proxy, in a company full of developers, so they could sniff traffic. It broke everything. It’s one of the reasons I left that company.

_haha_oh_wow_,
@_haha_oh_wow_@sh.itjust.works

I used to work with a guy who glued the USB ports shut on his labs. I asked him why he didn’t just turn them off in BIOS and then lock BIOS behind a password and he just kinda shrugged. He wasn’t security, but it’s kinda related to your story.

¯\_(ツ)_/¯

Security where I work is pretty decent really, I don’t recall them ever doing any dumb crazy stuff. There were some things that were unpopular with some people but they had good reasons that far outweighed any complaints.

afraid_of_zombies,

I just wrote a script that let me know if usb devices changed and emailed me. It was kinda funny the one time someone unplugged a USB hub to run a vacuum. I came running as like 20 messages popped up at once.

Krudler, (edited)

I completely hear you.

When they did this for the stated reason of preventing data theft via thumb drive, the mice & keyboards were still plugged into their respective USB ports, and if I really wanted I could just unplug my keyboard and pop in a thumb drive. Drag, drop, data theft, done.

Further to this madness, half of the staff had USB hubs attached to their machines within a week which they had purchased at dollar stores. Like…?

At any time, if I had wanted to steal data I could have just zipped it and uploaded it to a sharing site. Or transferred it to my home PC through a virtual machine and VPN. Or burned it using the optical drive. Or come up with 50 other ways to do it under their noses and not be caught.

Basically just a bunch of dingbat IT guys in a contest to see who could find a threat behind every bush. IT policy via SlashDot articles. And the assumption that the very employees that have physical access to the computers… are the enemy.

Okay, I’ll concede that SOMEWHERE in the world there exists a condition where somebody has to prevent the insertion of an unauthorized thumb drive, they don’t have access to the BIOS, they don’t have the password, or that model does not allow the disabling of the ports. No other necessary devices are plugged in by USB. Policy isn’t or can’t be set to prevent new USB devices from being added to the system. And this whole enchilada is in a high-traffic area with no physical security and many unknown actors.

Right.

argentcorvid,
@argentcorvid@midwest.social

Gotta put something good on the monthly/ quarterly activity report/personnel review!

csm10495,
@csm10495@sh.itjust.works

In high school they blocked dictionary.com for some reason.

SgtAStrawberry,

I’m going to guess either because it starts with dic or because you can look up dirty words on it.

willis936,

You wouldn’t want high school boys running around with enlarged dictions.

ElderWendigo,

Worse yet, the girls might become cunning linguists.

glue_snorter,

Think of the lexiconsequences

disconnectikacio,

Very short screensaver timeouts, useless proxy, short timeouts from intranet pages, disabled browser extensions (making it impossible to automate our very repetitive work), daily DB access requests for work, etc.

AstralWeekends,

Screensaver?

tslnox,

Our IT mandated 15-character-long passwords. Many people in manufacturing (the guys who make the stuff we produce or set up and fix the machines) have passwords in the format “Somename123456…” You get the picture. When the passwords are forced to change? Yeah, just add “a, b, c, d…” at the end. Many have it written down on some post-it note on the notebook or desk. Security my ass.

I wouldn’t be surprised if I found that office guys have it too.

Fosheze,

At a place I used to work, one of my coworkers just had their password as a barcode taped to their desk. Now to be fair, we worked in the extra-high-security room, so even getting access to that desk would be a little tricky, and we had about 20 unlabeled barcodes taped to each of our desks for various inventory locations and functions. So if someone wanted to get into their account they would still have to guess which barcode it was and get into a room only like 10 people had access to. It still felt pretty damn sketchy though.

send_me_your_ink,

If you feel like poking a bear: NIST 800-63B is the US Federal guidance on passwords. In the past this guidance said to have long passwords and rotate them. Now they say 8 characters and never change (along with using MFA).

tslnox,

Don’t even start me on MFA. It routinely happens to me and all coworkers that it’s not enough to type in the code from the authenticator once, not twice, not even three times. You log in to windows, code prompt. You open Outlook, code prompt. You open SharePoint, another one. OneDrive? Another.

send_me_your_ink,

As someone who manages multiple identity systems - tell your IT to get their act together. In most of my environments we force reauth once a week (and that’s just a quick enter-your-password/TOTP-code). Otherwise, if you can log into your computer we trust you are who you say you are (note: we have some downright scary and invasive stuff on the network, so we know if you start accessing stuff you should not). The sensitive/scary stuff is a lot faster (activity timers), but the teams involved know why it’s set this way (and were involved in setting the maximum durations).

_dev_null,
@_dev_null@lemmy.zxcvn.xyz

machine had a RW optical drive

Ah, the Private Manning protocol.

Krudler,

Less the Lady Gaga obfuscation.

We had 40,000 blank discs laying around at all times… because they were a regular part of sending art/data proofs to customers.

o_O

tsz,

Mine refuses to use IPMI. Also, all switches use the same password.

thisbenzingring,

I was a network administrator at a site, which just made me a glorified system admin with responsibility for the network and switches.

Everyone in the IT Dept had the password for the switches. After one person gave a 3rd party vendor the password, I had to change the passwords and exclude him from having it… but then everyone else got the password.

That place was nuts, between that and a few other stupid boss actions, I just moved on. Found a much better job and it was for the best.

vivadanang,

I dunno, gluing USBs in a super sensitive environment like that is actually logical; on the disc drives - they could disable autoplay as well, though removing or gluing them closed would be preferable. USB is just such an easy attack vector where the individual plugging it in may not have skills themselves - it might be easier to bribe cleaning folks, for example - or inject a person into a cleaning team. Ideally they would attack multiple nodes of your target’s network via as many avenues as possible; which makes the network and VPN thing just silly indeed; perhaps they were waiting for someone to try something with excellent infosec / firewalls / traffic shaping. yeeeeah lol.

SendMePhotos,

So like… Unplug the mouse and plug in the thumb drive… Bam!

Hobo,

That’s obvious when a mouse or keyboard doesn’t work. OP, and clearly other people in here, don’t really understand the actual attack vector in play. They aren’t using the USB as data storage; they are using it as a cellular-connected RAT and/or a tool to deploy a RAT to a workstation.

I think gluing USBs is dumb in just about any environment (disabling them in the BIOS is the right answer), but attackers aren’t using it to drag and drop files and then physically take the USB with them. They are plugging them into a workstation, or just leaving them in the parking lot and letting other people plug them in, leveraging them to get initial access, and then essentially abandoning them.

For example see stuxnet: en.m.wikipedia.org/wiki/Stuxnet

MrMcGasion,

Pretty easy to make a hub device that you can plug the keyboard into and make it transparent to the user. Could even build in a keylogger to capture direct from the keyboard. The attacker would likely need physical access for that, so it wouldn’t be as convenient as the thumb drive in the parking lot attack vector, but unless you’re using PS/2 peripherals (or gluing those USB devices in too somehow), there’s still a fairly open attack vector there, even if you are disabling unused ports in BIOS.

mystik,

If it’s a secure enough environment, I imagine that there will be monitoring on the device, and the moment a hub shows up that’s not supposed to be there, or any other USB device tree that doesn’t match the approved list, alarm bells ought to go off. If it’s valuable enough, the attack would be to use a passive device picking up leaky signals on the wire, or even a hidden camera watching the screen/keyboard.
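The monitoring both afraid_of_zombies (a script that alerts when USB devices change) and mystik (a device tree that must match an approved list, with hubs as the headline case) describe, as an added example that is not code from either commenter or from the original thread. It parses lsusb-style lines; the two snapshots, the vendor:product values and the allowlist are constructed sample data, not real inventory.

```python
import re

# Constructed sample: the "known good" lsusb snapshot of a workstation.
BASELINE = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 003: ID 046d:c077 Logitech, Inc. M105 Optical Mouse
"""

# Constructed sample: a later snapshot with a hub now sitting between host
# and keyboard, plus a flash drive that was never on the allowlist.
LATER = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID 05e3:0610 Genesys Logic, Inc. Hub
Bus 001 Device 005: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 003: ID 046d:c077 Logitech, Inc. M105 Optical Mouse
Bus 001 Device 006: ID 0951:1666 Kingston Technology DataTraveler 100 G3
"""

LINE_RE = re.compile(r"^Bus (\d+) Device (\d+): ID ([0-9a-f]{4}:[0-9a-f]{4}) (.*)$")

# Approved vendor:product ids (hypothetical allowlist); the root hub is always expected.
ALLOWED = {"1d6b:0002", "046d:c31c", "046d:c077"}


def parse_lsusb(text):
    """Return one dict per well-formed lsusb line; malformed lines are skipped."""
    devices = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            devices.append({"bus": m[1], "dev": m[2], "id": m[3], "desc": m[4].strip()})
    return devices


def check_snapshot(text, allowed=ALLOWED):
    """Alert on every device not on the allowlist; unexpected hubs get their own label."""
    alerts = []
    for d in parse_lsusb(text):
        if d["id"] in allowed:
            continue
        kind = "unexpected hub" if "hub" in d["desc"].lower() else "unlisted device"
        alerts.append(f"{kind}: {d['id']} {d['desc']} (bus {d['bus']} dev {d['dev']})")
    return alerts


def changed_ids(before, after):
    """Return (added, removed) vendor:product ids between two snapshots."""
    b = {d["id"] for d in parse_lsusb(before)}
    a = {d["id"] for d in parse_lsusb(after)}
    return sorted(a - b), sorted(b - a)
```

On a real host the snapshot text would come from running lsusb on a timer and the alerts would go to whatever the team already uses for paging.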

Hobo,

Yep you’re right, but at least that adds another layer of complexity to their attack. A lot of security controls are at least somewhat situational, and most non-draconian companies have a process to put further mitigations around those exceptions either from increased monitoring or adding additional supplemental controls.

There’s no such thing as perfect security, just better risk mitigation. Slipping in a USB hub between the computer and keyboard while someone isn’t looking is a bit trickier than just plugging in a USB stick. If you disable unused USB ports in the BIOS, instead of trying to do silly stuff like glue them shut, then the attacker has at least been temporarily thwarted if they slot it into a dead port. Aside from the high-traffic areas, disabling ALL USB ports in places like datacenters, and especially colocated datacenters, can thwart the attack outright as well.

Really, from looking through this thread a lot of people seem to be under the misconception that security that isn’t perfect is pointless. It’s like claiming that locking your doors is pointless because lockpicks exist. The point isn’t to keep a sophisticated attack at bay, but rather to keep script kiddies and drive-by attacks from hitting your network. To defend against sophisticated attacks you really have to go a bit crazy, and even then very small slip-ups can be disastrous. Ask Microsoft about their root cert getting leaked via a core dump!

I fully acknowledge that many people also work for places with dumbass security controls. Gluing USBs is WAYYYY up there on that list in my opinion. It also looks like a lot of people work at places that have really shitty security teams that haven’t quite figured out that controls are situational and require more thought than “see checkbox, execute checkbox.”

tractus,

I’m sure there are more elegant ways they could have disabled the USB ports, but this might have been partially to avoid users being able to accidentally compromise their device by sticking in a thumb drive they found in the parking lot to see what was on it. For exfiltration and VPN usage over the network there are other controls they can/likely had put in place that you may just not have known about.

AtariDump,

Users would just unplug the keyboard and plug in the USB stick.

Krudler,

They were just paranoid dopes.

I would hear them talking about IT security the way 10 year old boys talk about defending their fort from zombies.

totallynotarobot,

So… what was the zombie situation tho? Were they at least on top of that?

Krudler,

Well if we’re following the metaphor, yes they were completely on top of preventing imaginary threats that wouldn’t realistically ever materialize lol
