Tags: password

If I were a disgruntled employee

So, you and your employer are not on good terms anymore and you think it is payback time? Here is a beginner's guide to expressing disagreement.

Disclaimer: the article does not focus on the moral and legal side of the issue, the focus is purely technical.

Note: a complementary article for employers will follow shortly, but if you're sharp enough you can derive the protection methods from this information.

The options are different, but if you're in the IT industry, the common choices are:

  • change all the passwords and do not disclose them;
  • delete all the data;
  • encrypt all the data;
  • apply subtle changes to the systems configurations, so that they seem to be working right, but somewhere deep inside a problem is waiting to happen;
  • share private data with your employer's worst enemy.

Change all the passwords

It is a matter of time before they find a new person who knows how to apply the password reset procedure - most (if not all) systems have one. Sometimes it is as easy as reading the manual (which they should've told you to write in the first place) and following the instructions.

As an IT expert, you are aware of the fact that if someone has full physical access to a system - they can override pretty much every security measure.

Cons:

  • it is a matter of time before they reclaim access to the resources. Since the bridges are already burnt down - your image suffers badly, your future employment opportunities are quite shady. You gained nothing.

Pros:

  • easy to implement;
  • it is more difficult and time consuming to get past this if there are remote resources (ex: servers) controlled by other companies, in other timezones;
  • once they get everything back and sue you, you can say "I didn't want it to be serious, so I chose this trivial method" [then pray they'll buy that].

 

Delete all the data

This is a better approach, because in this case there is nothing to recover. They can have the passwords for every server, the key for every door - but there is nothing to be found behind any of the doors.

Cons:

  • there are backups, you'll have to delete those too, thus there is more work to be done;
  • there are data recovery techniques, you'll have to make sure they won't work:
    • destroy the data (crash the hard disks; burn the DVDs, literally);
    • wipe the data - wiping is the process of deleting data, then overwriting it with other data, to prevent recovery software from being able to retrieve the original files. In spite of the belief that you need multiple overwrite-passes to make a file impossible to recover - even one pass is good enough.

Pros:

  • the more time passes since the files were deleted, the more difficult it is to recover them. The employer will feel a lot of pressure because they have to do everything fast, or they'll have to disrupt the service for a while. This should make it evident for them that they should've given you the raise you asked for, it would've cost them less;
  • if you were unprofessional enough to not make those regular backups, the employer will understand that they made more mistakes than they originally thought, one of them was that of employing you in the first place.

 

Encrypt all the data

This is an extension of the previous method, and it is psychologically more aggressive, because this time they know they have the files, and "all they need" is the password. This gives them the false feeling that they're almost there.

Cons:

  • encrypting data takes time, especially if there are large amounts of it;
  • you may be foolish enough to use an encryption program that has backdoors in it - which makes your effort useless;
  • the employer may have keyloggers installed on your systems, thus they will be able to find the password - rendering the exercise useless again;
  • if you use a weak password - they can guess it or brute-force it.

Pros:

  • the method is meaner than simply deleting the data;
  • even if they have full physical access to the system - it does not help them;
  • if you are sure that you are using the best encryption program that does not have any backdoors and employs the best encryption algorithm, you're safe;
  • if you use a smart card to encrypt the data, any brute-force or dictionary attack attempts will be futile.

 

Apply subtle changes to the systems configurations, etc.

If you need an example of this, remember the movie "Office space" to get an idea about how this is done.

Cons:

  • they won't know you've had them, because these backdoors are so subtle - thus you lose some of the moral satisfaction;

Pros:

  • when the new guy shows up, it may take a long time until the flaws are revealed (especially if you were insightful and weren't kind enough to document what you were working on, making it difficult to understand the system you left behind);
  • you can exploit these flaws for many years, and perhaps get some benefits out of it. If you're not greedy and keep everything below the radar, you may never get caught.

 

Share corporate secrets with the competition

If you are not bound by an NDA, they won't be able to use this against you.

Cons:

  • if you don't keep this low profile, future employers won't be able to trust you, and your career may not get far from where you're standing.

Pros:

  • if there were no NDAs, technically you succeeded in making them suffer without breaking the law.

 

Final thoughts

All the methods above have one thing in common - you'll have to pay for it sooner or later, and there is no approach that enables you to get away scot-free.

I do not encourage employees to cheat their employers (and vice-versa), I consider that a direct dialogue is the best way to solve a problem, as well as to prevent it from happening in the first place. This article must not be used as legal advice.


What do I do if my password is wrong? But I'm sure it is not!

Sometimes it happens that you type a password, the system tells you it's wrong, but you are absolutely sure it is not, and that you know what you're doing.

The problem is that what you think you type is not always what gets typed.

Here is a checklist you should go through, to make sure you've got everything covered; some items may sound trivial, but you should take them seriously:

  • CapsLock is pressed
    • or the LED of the keyboard is broken and you can't see that the button is pressed
    • or maybe there is a program that artificially changes the state of the LED
  • Keyboard layout - you think you're typing Latin characters, but are you?
    • check if another language is currently set as the default one
    • don't be fooled by languages that use the same character sets - the German "qwertz" and the English "qwerty" will appear identical, until you press 'y' or 'z'
    • what if you're using the same language but with a different layout? (ex: "English - Dvorak" and "English - Qwerty" will both appear as "EN" in the language bar)
  • Keyboard mechanics
    • the Shift button sometimes presses itself
    • someone changed the buttons on the keyboard so it appears that you press on 'A' but a 'D' is typed instead

The optimal solution

If everything fails, or you are not skilled enough to check the system settings and the keyboard's internals, open up Notepad, and type your password.

Once you see that what you typed is what you thought you typed, use copy/paste to transfer the password into the entry box.

This will allow you to deal with every single item in the checklist.

What if it is still not accepted?

If you've made sure that the password is typed correctly, but the system still won't accept it, it is possible that the administrator changed it (so it's an issue on their end, not on yours).

Contact the person who controls the system you are logging on to, and ask them whether the password was changed, reset, or de-activated.


Are better password recovery mechanisms really better?

If you're monitoring the pulse of the IT world, you probably stumbled upon this story:

ElcomSoft has discovered and filed for a US patent on a breakthrough technology that will decrease the time that it takes to perform password recovery by a factor of up to 25. ElcomSoft has harnessed the combined power of a PC's Central Processing Unit and its video card's Graphics Processing Unit. The resulting hardware/software powerhouse will allow cryptology professionals to build affordable PCs that will work like supercomputers when recovering lost passwords.

Now, let me translate that into plain English - they can use the computer's video card to speed up the process of brute-forcing a password. Modern computers have powerful video cards, and it is a pity to let them do nothing while the CPU is working hard.

The part which I find funny is "discovered a breakthrough technology". Was it hidden somewhere in the snows of Siberia, or in the sands of Sahara? ... waiting for hundreds of years for someone to come and discover it... How about "develop" or "invent"?

If I ignore that and only consider the serious stuff, there are several things that I have to say:

  • This is not new, and others have been using the GPU to process data for quite some time;
  • While this does make things a bit faster for the attacker, you should not worry - just add one more letter to your password and you've made their job 26 times slower. And that's a conservative estimate, because we're only dealing with letters. How about making it a bit more complicated and using lowercase and uppercase letters? How about signs like these: "!#%^*@?", numbers, foreign languages? If you use a character set that goes beyond the 26 lowercase Latin letters, making the password one character longer makes the promised x25 speed-up completely useless;
  • Another thing is that a video card with plenty of horse power is very expensive, so it is difficult to imagine how such a "supercomputer" is affordable. Finally, I would rather invest my funds into more RAM or a better CPU, instead of getting a better video card (but that's me, a 99% non-gamer).
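The arithmetic behind "one more character beats a 25x speed-up" is worth seeing with numbers. The following is an added example, not code from the original post; the guess rate of one billion attempts per second is an assumed figure, and the 25x factor is the one quoted in the press release.

```python
# Character-set sizes mentioned in the post (lowercase letters, both cases,
# plus digits, plus printable punctuation).
CHARSETS = {
    "26 lowercase letters": 26,
    "upper + lowercase letters": 52,
    "letters + digits": 62,
    "letters + digits + punctuation": 94,
}


def brute_force_seconds(charset_size, length, guesses_per_second):
    """Worst-case seconds to try every password of exactly `length` characters."""
    return (charset_size ** length) / guesses_per_second


def extra_character_vs_speedup(charset_size, length, base_rate, speedup):
    """Compare three situations and return the worst-case times in seconds.

    before: the original password against the original hardware
    faster: the same password against hardware `speedup` times faster
    longer: the password with one extra character against the faster hardware
    The ratio longer/before equals charset_size/speedup: the defender wins
    whenever the character set is larger than the speed-up factor.
    """
    before = brute_force_seconds(charset_size, length, base_rate)
    faster = brute_force_seconds(charset_size, length, base_rate * speedup)
    longer = brute_force_seconds(charset_size, length + 1, base_rate * speedup)
    return {
        "before": before,
        "faster": faster,
        "longer": longer,
        "longer_vs_before": longer / before,
    }


def human_time(seconds):
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    BASE_RATE = 1e9   # assumed: one billion guesses per second on the CPU alone
    SPEEDUP = 25      # the factor claimed in the press release
    LENGTH = 8
    for name, size in CHARSETS.items():
        r = extra_character_vs_speedup(size, LENGTH, BASE_RATE, SPEEDUP)
        print(f"{name:32s} {LENGTH} chars: {human_time(r['before']):>16s}"
              f"  with GPU: {human_time(r['faster']):>16s}"
              f"  {LENGTH + 1} chars with GPU: {human_time(r['longer']):>16s}"
              f"  (x{r['longer_vs_before']:.2f} vs. today)")
```

For the 26-letter alphabet the ninth character alone already cancels the speed-up (26/25, so the attacker is slightly worse off than before); with the 94-character printable set the extra character leaves them almost four times slower than they were without the GPU.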

So, if that story made you a bit worried about your privacy, you can relax now. Either of these tips will help you out:

  • Use a stronger password (either longer, or use one with unusual characters, or do both);
  • Switch to smart-cards and tokens, coupled with biometric authentication;

Why smart-card/token and biometric logon is better than password logon

Here is a set of points that emphasize the benefits of a smart-card or token-based authentication solution, coupled with biometric authentication; the example is focused on Dekart Logon for Citrix, but it also applies to other user authentication software by Dekart.

Q: What are the benefits of using your product? Am I simply substituting a PIN for a user/password combination? And can an external user without a flash drive or smart card still access the server?
A: Dekart Logon for Citrix is not a server-side application, it should be used on the clients.

The benefits can be summarized as:

  • users don't have to enter passwords manually
  • therefore you can use extremely complex passwords (they won't have to memorize them anyway)
  • since they don't have to memorize them, you can be sure your passwords won't show up in clear-text on sticky notes, or written somewhere under the keyboard, etc
  • the fact that the credentials are stored on a smart card means that brute-force attacks are out of the question
  • optional biometric authentication takes that one step further
  • the software can also be used with flash disks, being entirely self-contained:

    • the Citrix client itself can be migrated to the USB disk
    • and the same applies to our program
    • as a result, an end-user can plug the USB drive into any computer (even where the Citrix ICA Client is absent), and log on to the Citrix server. (Of course, this is also possible if you use a web-based client, but in that case you have to beware of keyloggers [note: we have a solution for that too])

In this case the user is immune to keyloggers. Even if the keylogger manages to capture the PIN:

  • they won't obtain the connection credentials themselves, therefore they won't be able to connect to the server without actually having the smart card (token, or USB drive)
  • and even if they do - you can use biometry as an added layer of security
  • further, the program can be installed in 'simple' and 'advanced' modes. In the first case, end-users can only connect to predefined servers, they cannot change the credentials, nor see the connection details - this makes the system fool-proof.

And as a side effect, this also means that disloyal end-users won't be able to disclose confidential data even if they want to. In other words, you can implement the "need to know" approach, by not giving users more information than they actually need to get their work done.

The data stored on USB drives are encrypted with AES-256; our implementation of the algorithm is certified by NIST. This is much stronger encryption than the one used by the Citrix client itself.

Q: And can an external user without a flash drive or smart card still access the server?
A: Technically, this is possible, but you can counter that by:

  • using extremely complex passwords, or randomly generated ones
  • not disclosing them (just write the credentials to a key and issue it to an end-user)

You will probably want to take a look at Key Manager, this is the tool that allows you to write credentials to keys, make copies, edit contents of a key, etc.

Note - you can do these with Dekart Logon for Citrix itself, but if you're planning to operate with many keys (in a corporate environment), you'll find Key Manager very useful. A license for the tool is given for free if a certain number of licenses for Logon for Citrix is purchased.


Q: Couldn't someone with a Citrix client installed on their machine get to my server logon screen on the remote machine and execute a brute force attack there?
A: Although that is technically possible, it is not an optimal scenario for the attacker to use:

  • most network admins configure the servers in a way that prevents any host from connecting again if they've connected N times during the last M minutes (to prevent brute force attacks, conserve CPU cycles and network bandwidth, thus avoid denial-of-service attacks)
  • from the attacker's point of view, the bottleneck of the procedure is the network bandwidth. When brute forcing a local resource, it goes much quicker because reading/writing RAM is much faster than crafting a packet, sending it over the network, then waiting for a response from the server, etc.


In other words, a local brute-force attack can take thousands or millions of years, while doing it over the network is totally insane. It may only work for trivial passwords such as '11111' or ones that can be found in any dictionary. But even in that case, a dictionary attack won't be feasible if the network admin took the right measures and prevents one from physically connecting to the server if they've had too many unsuccessful attempts.
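The "N failures during the last M minutes" rule the answer refers to is easy to state but worth checking against real log data, because the window determines what it catches. The following is an added example, not code from Dekart or Citrix: it runs a sliding-window lockout rule over constructed logon records (the line format is invented for this example, not a real Citrix log format) and reports which source hosts would have been locked out and which later attempts would have been refused.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: a fast burst from 10.0.0.7, a slow trickle from
# 10.0.0.9, and an ordinary user who mistyped once. Not real log output.
SAMPLE_LOG = """\
2009-01-10 09:00:01 src=10.0.0.7 user=alice result=FAIL
2009-01-10 09:00:03 src=10.0.0.7 user=alice result=FAIL
2009-01-10 09:00:04 src=10.0.0.9 user=bob result=FAIL
2009-01-10 09:00:06 src=10.0.0.7 user=alice result=FAIL
2009-01-10 09:00:09 src=10.0.0.7 user=alice result=FAIL
2009-01-10 09:00:12 src=10.0.0.7 user=alice result=FAIL
2009-01-10 09:00:15 src=10.0.0.7 user=alice result=OK
2009-01-10 09:12:00 src=10.0.0.9 user=bob result=FAIL
2009-01-10 09:12:30 src=10.0.0.12 user=carol result=FAIL
2009-01-10 09:12:40 src=10.0.0.12 user=carol result=OK
2009-01-10 09:25:00 src=10.0.0.9 user=bob result=FAIL
2009-01-10 09:40:00 src=10.0.0.9 user=bob result=FAIL
2009-01-10 09:55:00 src=10.0.0.9 user=bob result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return (timestamp, src, user, result) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("src"), m.group("user"), m.group("result")


def find_lockouts(lines, max_failures, window_minutes):
    """Apply the rule "lock a host after N failures within M minutes".

    Returns (locked, refused): `locked` maps each source host to the time the
    rule fired; `refused` lists attempts that arrived after that host was
    locked and would therefore be rejected regardless of the password.
    A successful logon resets the failure counter for that host (assumption
    of this example; policies differ on this point).
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    locked = {}
    refused = []
    for rec in (parse_line(line) for line in lines):
        if rec is None:
            continue
        ts, src, user, result = rec
        if src in locked:
            refused.append((ts, src, user))
            continue
        failures = recent[src]
        if result == "OK":
            failures.clear()
            continue
        failures.append(ts)
        while failures and ts - failures[0] > window:
            failures.popleft()    # drop failures older than the window
        if len(failures) >= max_failures:
            locked[src] = ts
    return locked, refused


if __name__ == "__main__":
    locked, refused = find_lockouts(SAMPLE_LOG.splitlines(), max_failures=5, window_minutes=10)
    for src, when in locked.items():
        print(f"{src} locked out at {when}")
    for ts, src, user in refused:
        print(f"{ts} refused {user} from {src} (host locked)")
```

With 5 failures in 10 minutes only the burst from 10.0.0.7 trips the rule, and the correct password it sends afterwards is refused, which is exactly the effect the answer describes. The five failures from 10.0.0.9 are spread over almost an hour and never fall inside one window; a longer window (for instance 3 failures in 60 minutes) catches them too, which is why the two numbers should be chosen together rather than copied from a default.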

Finally, the last detail is that you can use randomly generated passwords, which are extremely long - brute forcing THAT is impractical.

If I were an attacker, I'd try to find alternative ways, such as social engineering applied against a naive employee.
