So, you and your employer are not on good terms anymore and you think it is payback time? Here is a beginner's guide to expressing disagreement.
Disclaimer: the article does not focus on the moral and legal side of the issue, the focus is purely technical.
Note: a complementary article for employers will follow shortly, but if you're sharp enough you can derive the protection methods from this information.
The options are different, but if you're in the IT industry, the common choices are:
Change all the passwords
It is a matter of time before they find a new person who knows how to apply the password reset procedure - most (if not all) systems have one. Sometimes it is as easy as reading the manual (which they should've told you to write in the first place) and following the instructions.
As an IT expert, you are aware of the fact that if someone has full physical access to a system - they can override pretty much every security measure.
Delete all the data
This is a better approach, because in this case there is nothing to recover. They can have the passwords for every server, the key for every door - but there is nothing to be found behind any of the doors.
Encrypt all the data
This is an extension of the previous method, and it is psychologically more aggressive, because this time they know they have the files, and "all they need" is the password. This gives them the false feeling that they're almost there.
Apply subtle changes to the systems configurations, etc.
If you need an example of this, remember the movie "Office space" to get an idea about how this is done.
Share corporate secrets with the competition
If you are not bound by an NDA, they won't be able to use this against you.
All the methods above have one thing in common - you'll have to pay for it sooner or later, and there is no approach that enables you to get away scot-free.
I do not encourage employees to cheat their employers (and vice-versa), I consider that a direct dialogue is the best way to solve a problem, as well as to prevent it from happening in the first place. This article must not to be used as legal advice.
Sometimes it happens that you type a password, the system tells you it's wrong, but you are absolutely sure it is not, and that you know what you're doing.
The problem is that what you think you type is not always what gets typed.
Here is a checklist you should go through, to make sure you've got everything covered; some items may sound trivial, but you should take them seriously:
The optimal solution
If everything fails, or you are not skilled enough to check the system settings and the keyboard's internals, open up Notepad, and type your password.
Once you see that what you typed is what you thought you typed, use copy/paste to transfer the password into the entry box.
This will allow you to deal with every single item in the checklist.
What if it is still not accepted?
If you've made sure that the password is typed correctly, but the system still won't accept it, it is possible that the administrator changed it (so it's an issue on their end, not on your's).
Contact the person who controls the system you are logging on to, and ask them whether the password was changed, reset, or de-activated.
If you're monitoring the pulse of the IT world, you probably stumbled upon this story:
ElcomSoft has discovered and filed for a US patent on a breakthrough technology that will decrease the time that it takes to perform password recovery by a factor of up to 25. ElcomSoft has harnessed the combined power of a PC's Central Processing Unit and its video card's Graphics Processing Unit. The resulting hardware/software powerhouse will allow cryptology professionals to build affordable PCs that will work like supercomputers when recovering lost passwords.
Now, let me translate that into plain English - they can use the computer's video card to speed up the process of brute-forcing a password. Modern computers have powerful video cards, and it is a pity to let them do nothing while the CPU is working hard.
The part which I find funny is "discovered a breakthrough technology". Was it hidden somewhere in the snows of Siberia, or in the sands of Sahara? ... waiting for hundreds of years for someone to come and discover it... How about "develop" or "invent"?
If I ignore that and only consider the serious stuff, there are several things that I have to say:
So, if that story made you a bit worried of your privacy, you can relax now. Either of these tips will help you out:
Here is a set of points that emphasize the benefits of a smart-cart or token-based authentication solution, coupled with biometric authentication; the example is focused on Dekart Logon for Citrix, but it also applies to other user authentication software by Dekart.
Q: what are the benefits of using your product? Am I simply substituting a PIN for a user/password combination? And can an external user without a flash drive or smart card still access the server?
A: Dekart Logon for Citrix is not a server-side application, it should be used on the clients.
The benefits can be summarized as:
the software can also be used with flash disks, being entirely self-contained:
In this case the user is immune to keyloggers. Even if the keylogger manages to capture the PIN:
And as a side effect, this also means that unloyal end-users won't be able to disclose confidential data even if they want to. In other words, you can implement the "need to know" approach, by not giving users more information than they actually need to get their work done.
The data stored on USB drives are encrypted with AES-256 bit, our implementation of the algorithm is certified by NIST. This is much stronger encryption than the one used by the Citrix client itself.
Q: And can an external user without a flash drive or smart card still access the server?
A: Technically, this is possible, but you can counter that by:
You will probably want to take a look at Key Manager, this is the tool that allows you to write credentials to keys, make copies, edit contents of a key, etc.
Note - you can do these with Dekart Logon for Citrix itself, but if you're planning to operate with many keys (in a corporate environment), you'll find Key Manager very useful. A license for the tool is given for free if a certain number of licenses for Logon for Citrix is purchased.
Q: Couldn't someone with a citrix client installed on their machine get to my server logon screen on the remote machine and execute a brute force attack there?
A: Although that is technically possible, it is not an optimal scenario for the attacker to use:
In other words, a local brute-force attack can take thousands or millions of years, while doing it over the network is totally insane. It may only work for trivial passwords such as '11111' or ones that can be found in any dictionay. But even in that case, a dictionary attack won't be feasible if the network admin took the right measures and prevents one from physically connecting to the server if they've had too many unsuccessful attempts.
Finally, the last detail is that you can use randomly generated passwords, which are extremely long - brute forcing THAT is impractical.
If I were an attacker, I'd try to find alternative ways, such as social engineering applied against a naive employee.
2g 3g adapter authentication beta biometry «blue screen» bsod business cdma driver email encryption «file system» forensics form-filling google gsm howto internet keeper keylogger logon mobile name password «password carrier» portability privacy «private disk» release security seven sim «sim card» «sim manager» «sim reader» «smart card» software synchronization tips token troubleshooting usb usim vista windows «windows 7» wiping xp