DA in SF Makes City Passwords Public

Readers who have computer security expertise might be able to shed some light on whether it was smart of the San Francisco District Attorney's office to make public "150 usernames and passwords used by various departments to connect to the city's virtual private network" (VPN).

The passwords were filed this week as Exhibit A in a court document arguing against a reduction in $5 million bail in the case of Terry Childs, who is accused of holding the city's network hostage by refusing to give up administrative networking passwords. Childs was arrested July 12 on charges of computer tampering and is being held in the county jail.

While "city prosecutors do seem to think that they are sensitive," the disclosure seems difficult to reconcile with claims that the City is making against Childs. [more ...]

The passwords, discovered on Childs' computer, pose an "imminent threat" to the city's computer network, according to the court filing. Childs could use the names and passwords to "impersonate any of the legitimate users in the City by using their password to gain access to the system," the motion against the bail reduction states.

The passwords are used for logging into the City's VPN, and they require a second password to access the network. Childs had the passwords because he was the City's network administrator.

Rather than arguing against a bail reduction for a man who allegedly committed a nonviolent crime, the City ought to change the passwords, especially now that it made the "phase one" passwords a matter of public record.

To change the passwords, the city will have to reconfigure the VPN software running on every PC that connects remotely, which it has not yet done, the source said. Some of the passwords would benefit from a change because they are identical to the VPN log-in name or extremely easy to guess.

It would have been easy for the District Attorney's office to file the passwords under seal, thus keeping them out of the public record, accompanied by a motion asking the judge to keep them under seal. It's difficult to believe that motion wouldn't have been granted.

< What "Egregious Crimes?" Part 3 | A World Without Prisons? >
  • The Online Magazine with Liberal coverage of crime-related political and injustice news

  • Contribute To TalkLeft

  • Display: Sort:
    Insane. (5.00 / 1) (#1)
    by LarryInNYC on Sat Jul 26, 2008 at 10:42:21 AM EST
    About the same as taking any computer inside a city office, attaching a really long ethernet cable to it, and leaving the computer out in the alley behind the office building 24/7.  Yes, you still need an employee userid and password to log in, but we all know how secure those are.

    To make it worse, the VPN acts as a "virtual" very long ethernet cable that stretches all the way to, say, Russia.  You can bet there are folks there doing two things there right now -- trying to hack into accounts and port-scanning the network to find vulnerabilities that don't even require a password hack.

    PS. (5.00 / 1) (#2)
    by LarryInNYC on Sat Jul 26, 2008 at 10:43:44 AM EST
    They will almost certainly have to pull the plug on the VPN, fix it up, then bring it back when the security hole is plugged.

    It's possible that the VPN requires (5.00 / 1) (#3)
    by andgarden on Sat Jul 26, 2008 at 10:44:37 AM EST
    a dongle. They better hope it does. . .

    I was gojng to say the same thing (5.00 / 2) (#4)
    by ruffian on Sat Jul 26, 2008 at 10:56:19 AM EST
    Where I work, getting my password to the VPN would not help anyone if they don't have my dongle, as well as the specially configured VPN connection software we use.

    Still I'm sure they should and will shut everything down to reconfigure. It is not the end of the world, but it was a stupid thing to do if it was at all avoidable


    Depends where the second factor (5.00 / 2) (#5)
    by LarryInNYC on Sat Jul 26, 2008 at 11:11:24 AM EST
    is implemented.

    If the VPN itself requires two phase authentication then yes, they haven't completely comprised the VPN by releasing the passwords, only given hackers a leg up.

    But if the two phase authentication is used for the network login behind the VPN, then access to the VPN will at the very least expose the open ports on the network that can be targeted for entry.

    I'm working on a project right now where we're using RSA token protected remote terminal sessions to replace a VPN for off-site access.  The hardware guys, however, suggested we keep the VPN simply to hide the existence of the open RDC port on the server.


    We use the tokens also (5.00 / 1) (#6)
    by ruffian on Sat Jul 26, 2008 at 11:26:22 AM EST
    in some cases.

    Certainly is good to add as many protective layers as are feasible.

    I can't believe they released those passwords. <she shakes her head>


    Um...I have to ask (none / 0) (#7)
    by Radiowalla on Sat Jul 26, 2008 at 11:33:20 AM EST
    what is a "dongle?"

    It sounds quite foreboding...and somewhat louche.


    It can take many forms (5.00 / 1) (#8)
    by andgarden on Sat Jul 26, 2008 at 11:42:52 AM EST
    but essentially it's a piece of hardware that you have to be in physical possession of to use a particular piece of software. With a VPN, it will typically produce time sensitive passwords that only someone who actually has the dongle could know.

    Thank you! (none / 0) (#19)
    by Radiowalla on Sat Jul 26, 2008 at 06:23:34 PM EST
    How interesting.
    See, you learn lots of stuff right here on TalkLeft!

    A dongle is a device. . . (5.00 / 2) (#9)
    by LarryInNYC on Sat Jul 26, 2008 at 11:46:30 AM EST
    that you plug into your computer.  It's used as a form of copy protection for some expensive programs (so that simply installing the program is not sufficient to use the program) and also to "prove" that you're a certain person when logging into systems.

    In the second use it's a form of what's called "two factor authentication".  It's not enough to know the password you also have to have a physical "key" to the system.  Using two phases means it not enough to simply learn a userid and password, nor is it sufficient to simply acquire the key.  You need both.

    Actual dongles (which plug in to the machine) are rarely used in two-phase authentication.  Instead people are given a "token generator" that they put on their key ring.  This is a small device that displays a number which changes every fifteen seconds.  When you log on you have to supply the currently displayed number as well as your userid and password.


    Exactly (5.00 / 1) (#10)
    by andgarden on Sat Jul 26, 2008 at 11:53:10 AM EST
    But most people I know have taken to calling the "token generator" a dongle.

    That's the youth for you today. . . (none / 0) (#22)
    by LarryInNYC on Sun Jul 27, 2008 at 06:23:52 AM EST
    everything's a dongle to them.

    Thanks to you as well. (none / 0) (#20)
    by Radiowalla on Sat Jul 26, 2008 at 06:25:13 PM EST
    The well dressed man (or woman) should never go out without his (or her) dongle.

    Put into simple language (none / 0) (#13)
    by dianem on Sat Jul 26, 2008 at 12:52:32 PM EST
    It's a gizmo roughly the size of a matchbook that you plug into the USB port of your computer. It has a program that contains permission for you to use the computer it's attached to do something, usually accessing some kind of license or connecting to a network. The more expensive software companies use dongles to ensure that people don't install software  on different computers without paying.

    It does sound rather indecent, doesn't it?


    Yes, it sounds rather indecent (5.00 / 1) (#21)
    by Radiowalla on Sat Jul 26, 2008 at 06:26:20 PM EST
    and one has to wonder how it came to be named as thus.

    and nobody every reuses passwords (5.00 / 1) (#11)
    by VelvetElvis on Sat Jul 26, 2008 at 12:17:29 PM EST
    Secure passwords are enough of a PITA that people tend to reuse them once they have one committed to memory.  One of the first things people are going to try is using those login/password combinations against, say, Gmail.

    not the brightest move (none / 0) (#12)
    by cpinva on Sat Jul 26, 2008 at 12:26:26 PM EST
    on their part. but then, i suspect these guys are, shall we say, somewhat computer "challenged", to be kind. i'm sure as well that the city IT dept. is showing them a whole lot of love right now too! lol

    actually, a dongle is merely a piece of hardware, that can be configured to provide an additional firewall type of security, or not.

    many moons ago, i used a dongle to connect my company laptop to the company LAN, because the laptop didn't have an RJ-45 port (i said it was many moons ago!), only a regular phone socket. it didn't, itself, provide any additional security, just a connection. you can buy one anywhere that sells computer equipment.

    Why is he under arrest? (none / 0) (#14)
    by dianem on Sat Jul 26, 2008 at 12:56:37 PM EST
    I read the article, and the best I can figure is that he's under arrest because he refused to hand over passwords because he said that the network wasn't secure. It's an administrators job to secure networks, so it sounds as if he was within his right to do so. But if he weren't, then the appropriate thing to do would be to bring in a security specialist to secure the system and then fire him, not arrest him. People should know their own passwords, and I'm sure at least one other person knows the primary password (unless this guy installed all of the VPN system himself).

    The guy locked everyone out (none / 0) (#16)
    by Prabhata on Sat Jul 26, 2008 at 01:26:50 PM EST
    Not end users, but other IT analysts.

    Terry Childs Background (none / 0) (#17)
    by TChris on Sat Jul 26, 2008 at 01:34:47 PM EST
    The San Francisco Chronicle has a series of articles, collected here, on the Terry Childs case, which has been going on for a few days now.  It is strange, to say the least.  Some people think he was just doing his job, although he may have gone overboard if that's the case.  Others (including the DA's office) think he's malicious.  For the technically minded who want a more complete explanation of what he actually did or how he did it (the details aren't entirely clear), you can find some speculation here.

    Strange and frightening (none / 0) (#18)
    by dianem on Sat Jul 26, 2008 at 03:46:25 PM EST
    Was he a sysadmin doing his job in creative ways that ended up endangering the system, or a rogue who set up back doors to take revenge on bosses he didn't like? The evidence seems incriminating, but I know first hand how paranoid management can get over IT issues that they don't understand - and how quickly IT people get blamed when something unavoidable goes wrong.  It's also not unheard of, though, that IT people put in back doors with the intent of attaining revenge if they are mistreated. It will be an interesting case - and I'm going to make sure my husband follows it closely. I'm sure a lot of IT people are going to follow it closely. It's getting so that IT people have to spend as much time covering their own backs as they do protecting the systems they are responsible for.

    SF DA is not stupid (none / 0) (#15)
    by Prabhata on Sat Jul 26, 2008 at 01:20:33 PM EST
    She is very capable and I have confidence that making the password public posed no threat to the system.  But if she proves me wrong, she's lost her job because she won't be reelected.