Employer's server is unsecure
November 18, 2007 10:39 AM

How do I handle this situation - I have discovered that my employer's computer systems are 100% unsecure

In doing a search for another employee online ( I knew this person previously and randomly wanted to see if there was anything interesting about them online ), I happened across a google cache of this person's login to the corporate, supposedly internal, website.

Further search of google's caches produced a list detailing the password of every employee who accesses a computer ( this is a moderately large company ).

I sat on this all day today, I have not mentioned it to anyone. I'm about as low on the corporate structure as can be; I took this job for fun, not pay. I feel that if I took this information to my manager, it would likely get to the right people, however with so many layers of management, I worry that the tale will be spun differently and I could wind up losing my job.

I am, however, somewhat close geographically to the main corporate offices. I'm of the opinion that I should take this information to the highest possible person, and explain the situation.

I should say that late this evening I checked one of the logins, and these are valid login/password combos. I have done nothing malicious on the site, but do realize that this is essentially hacking. I doubt I would offer this information to my employers voluntarily.

So the basic question is this - what do I do now? I can not lose this job, would like to do the right thing and help them correct their holes in security, and if possible, have this come out to my advantage.

It's possible for me to take this to the corporate office as soon as Monday, so time is of the essence; I don't want to be seen as waiting on this for a long time.

Answers to possible questions to me -
This company is not a technology oriented company, only managers or higher access computers or this website at all, though more than likely I have more computer / internet knowledge than anyone at my work location.

The internet searching was done from my home computer.

My statement of having the situation end as an advantage would be along the lines of a promotion, or recognition, or possibly a brief meeting with the owner, I'm not looking to extort or hold out for money.

The company, while employing thousands, is privately held and closely managed by the founder and family.

The person whom I was originally searching for on the internet happens to be a relative of the owner, who I knew as an acquaintance years ago.

I appreciate any advice, thank you.
posted by anonymous to Work & Money (21 answers total)
Depending on the company, I would personally take the story to the highest level IT manager you can get to, ideally someone with "Director" in their name, like "Director of IT operations" ... VP of Information Technology if you have to, but the VP level is usually where you

Sit down with him, and start out by saying, "Frankly, sir, I found a hole in the systems and it scared me shitless. I was googling names of coworkers and google's cache let me into our corporate intranet."
posted by SpecialK at 10:52 AM on November 18, 2007

If you don't want to leverage this for brownie points, just send the information to the CIO (or whoever) anonymously.
posted by hjo3 at 10:56 AM on November 18, 2007

Googling a relative of the owner could seem a little strange. Was your name and login in the google cache? Could you say that you were googling yourself?
posted by amarynth at 11:17 AM on November 18, 2007

There's an argument for reporting this anonymously. It sounds nuts, but sometimes the reporter of a security problem ends up getting blamed; usually by some amoral IT guy trying to deflect attention from his horrible mistakes.

Second the suggestion to report it to the highest IT manager you can find. Discretion is appreciated.
posted by Nelson at 11:21 AM on November 18, 2007

If not losing your job is your number one priority then I'd agree with hjo3 - find a way of letting them know anonymously. They're not likely to try and find out who let them know, and even if they did find out it was you you'll look better for not trying to score points off it. Whilst people google other people all the time it's an awkward subject to talk about - personally I'd avoid that.
posted by muteh at 11:25 AM on November 18, 2007

You say that "The internet searching was done from my home computer" but from where did you "check one of the logins" on a Saturday night? If you did that from home as well, or from your own workstation at the office, then they will presumably find that access in the logs, and you don't really have the choice of doing nothing now.

Give up on getting some "advantage" out of this; just cover your ass. Make sure that the person you choose to tell is not someone who stands to be embarrassed by the bad security, and would be motivated to look for a scapegoat; I'd tell someone in top management but outside the CTO's or CIO's office.
posted by nicwolff at 11:30 AM on November 18, 2007

I would write a printed memo - NOT an email - detailing that you have "discovered" (non-specifically) this security vulnerability. Address it to the highest-ranking IT person at corporate headquarters, i.e. the VP of IT, and cc the VP of HR. Provide some transparency and evidence of goodwill by volunteering to demonstrate the search method you used.

Hand deliver it to the front desk at corporate. Sign it and provide all your contact details.
posted by DarlingBri at 11:30 AM on November 18, 2007

You might consider cc'ing the General Counsel too.
posted by Jahaza at 11:58 AM on November 18, 2007

This is one of those times to use an anonymous remailer. Send an anonymous message to the Director of IT (or whomever is acting in that capacity), and probably one or two others at that level of the company (especially if their login credentials are there).

Include your summary of the situation ("There's a page on the internet with all of our logins and passwords"), give links to the content (or describe exactly how to search for it). Don't explain what you were doing when you found it. Don't mention the fact that you tried to use one or more of the passwords (and don't do that again).

Do mention that you haven't shared this page with anyone outside the company, and are bringing it to their attention solely because they have the power to get it fixed. It's worth saying something like: "I have my own reasons for sending this anonymously, and I would appreciate it if you would respect that."

Send that off, then forget about it.

And change your password.
posted by toxic at 12:37 PM on November 18, 2007

I might leverage that acquaintance of yours who's a relative of the owner. Call him up, drop by his house, and show him how to do it on his computer with his own login.

Of course, he'll probably go to the owner and take the credit ....
posted by dhartung at 12:42 PM on November 18, 2007

I don't know if I would submit this anonymously. First off, it's a feather in your cap to have found this and realize that it is a problem. More pragmatically your home IP is in the most recent searches.

Your statement about "advantage" comes across as a little strange. I wouldn't expect a promotion out of this, though being seen as a competent, stand up person goes a long way. I think any talk about expecting something out of reporting this will come off sounding very weird.

How would you approach going to the company about a broken lock on the back door? How much credit or recognition would you expect? It's not quite the same situation, but similar enough in my opinion.

Go to the CIO or head of IT. The longer you wait (or if you go anonymously) the more likely it is that someone else finds the same hole and you are left looking like you were gaining access without permission.
posted by bottlebrushtree at 1:04 PM on November 18, 2007

While this may not seem like a direct answer to your question, it's gold to the admin who has to clean it up. These pages, if not readily publicly accessible, are being cached by google via someone reading them with the Google Web Accelerator. SA had a similar problem:

I'm having to pay a coder just to figure out how to prevent Google from caching all the webpages on our forums. Why is this a problem? Well first of all, it's a giant security hole, as private forums for mods and admins can now be viewed by anybody. Thanks Google, thank you very much for sharing our sensitive information with the entire Internet, without even giving warning or notice to any parties involved! Secondly, our forums offer a private messaging feature, where users can send messages to each other which can only be read by them. It's like AIM or ICQ, but through a webpage. If you're using Google's Web Accelerator - guess what? - now anybody can read your private messages! Cookies, logins, sensitive information, private messages - they're all stored on Google's servers now, and they're all available for anybody on the Internet to read.

Google is cool about pulling such pages and I believe they've acknowledged the problem. As for your quandary, I'd say it's your duty to report it quietly and directly to higher ups in the organization. Do not tell the web folks, do not tell the IT guys - tell a C*O. Only they will be able to broadly and discreetly sweep through IT and ensure that it gets expunged. They can also bring legal resources to bear if need be. If you're worried about those who may now be screwed because their passwords are public, ensure that whoever you talk to promises to address that as well.
posted by datacenter refugee at 1:17 PM on November 18, 2007
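As an added defender's check (example code written for this page, not anything from the thread or from the company described): a small audit that walks a set of constructed HTTP responses and flags authenticated pages that a shared cache such as the Web Accelerator would be allowed to keep; the fix for every flagged page is a Cache-Control: private or no-store header. The URLs and headers are placeholders.

```python
from typing import Dict, List, Tuple

# Constructed sample responses (placeholders, not URLs or headers from the thread),
# shaped like what a crawl of a few authenticated intranet pages would return.
SAMPLE_RESPONSES: List[Tuple[str, Dict[str, str]]] = [
    ("https://intranet.example/employees",
     {"Content-Type": "text/html", "Set-Cookie": "session=abc; Path=/"}),
    ("https://intranet.example/report",
     {"Cache-Control": "public, max-age=3600", "Set-Cookie": "session=abc"}),
    ("https://intranet.example/login",
     {"Cache-Control": "no-store"}),
    ("https://intranet.example/dashboard",
     {"Cache-Control": "private, max-age=60"}),
]

def parse_cache_control(value: str) -> Dict[str, str]:
    """Split a Cache-Control value into {directive: argument}, directives lowercased."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"')
    return directives

def shared_cache_may_store(headers: Dict[str, str]) -> bool:
    """True if nothing in the response forbids a shared cache (proxy, accelerator)
    from keeping a copy. With no directive at all, a 200 response is heuristically
    cacheable; 'no-cache' only forces revalidation, it does not prevent storage."""
    lower = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lower.get("cache-control", ""))
    return "no-store" not in cc and "private" not in cc

def audit(responses: List[Tuple[str, Dict[str, str]]]) -> List[Tuple[str, str]]:
    """Return (url, reason) for each response a shared cache could serve to other users."""
    findings: List[Tuple[str, str]] = []
    for url, headers in responses:
        if not shared_cache_may_store(headers):
            continue
        if "set-cookie" in {k.lower() for k in headers}:
            findings.append((url, "sets a session cookie on a response a shared cache may store"))
        else:
            findings.append((url, "no 'private' or 'no-store' directive on an authenticated page"))
    return findings

if __name__ == "__main__":
    for url, reason in audit(SAMPLE_RESPONSES):
        print(f"{url}: {reason}")
```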

If this puts the company in violation of the law (HIPAA, Sarbanes-Oxley, etc.) it might be a good idea to document that you reported the problem, in case it gets investigated in the future.
posted by penguinicity at 1:31 PM on November 18, 2007

sometimes the reporter of a security problem ends up getting blamed

This could be misinterpreted as a black-hat scenario. Anonymity is the best approach.
posted by KokuRyu at 2:09 PM on November 18, 2007

Look to people in the Security division/department. Innocent Google of a name leads to OMGWTF. Happens more often than anybody would like you to know. Better if you can say that an old friend Googled you and found you and also said OMGWTF. Google exploits are old hat to any real IT Security department....
posted by zengargoyle at 3:00 PM on November 18, 2007

The health care company I work for has a Compliance Hotline for just this sort of thing. That's probably not as common in other (i.e., non-HIPAA-regulated) fields, but you might see if there's an established channel for reporting security and privacy problems.

I don't know how you can leverage this to your own advantage without seeming like you are doing exactly that -- I mean, it's not like you discovered the breach while doing your actual job. Virtue might have to be its own reward this time around.
posted by climalene at 4:33 PM on November 18, 2007

nth-ing reporting this anonymously. There are countless documented cases of innocent people who have "discovered" security vulnerabilities and reported it to their IT department, only to find themselves accused of "hacking" because of it. Clueless and/or malicious IT guys may use you as a scapegoat to cover their asses, should this information find its way to HR or other higher ups.

The fact that you tried out one of the login/password combos is probably enough to technically charge you with "trespass", so you're already on shaky footing.

Unless you seriously need "a feather in your cap" in order to further your career, there's nothing to be gained and a lot to be lost by not reporting this anonymously.
posted by melorama at 6:53 PM on November 18, 2007

I agree with the above: report it anonymously, but give them enough information so they can doublecheck and follow up on their own.

The only snag is that maybe it's this IT manager's fault that this happened, so he might just fix it and never tell anyone. You should cc the company's lawyer too.

I don't think there's any advantage in this for you, unfortunately. You might identify yourself to counsel, who should be obliged to maintain confidentiality, just to know what legal ramifications you may face, but I wouldn't identify myself to management.
posted by thinkingwoman at 7:31 PM on November 18, 2007

Don't be a puss... Deal with it. Send some email to local .edu security people. abuse@somewhere.edu, security@somewhere.edu. Trust, half a dozen messages from random .edu folks about some random Google thing will get fixed, pronto.....

(i get a couple Google exploits per week, totally pedestrian sh*t).
posted by zengargoyle at 7:37 PM on November 18, 2007

You screwed yourself by checking one of the accounts from home. They might have poor security, but that doesn't mean that they aren't logging.

If I was called in by a company after something like this was reported, the first thing I would do would be to check all of the logs.

Document every single thing you have done. Put as much as you can down on paper, date it, and have it notarized. Do this before you report anything to the company.

The IT people are going to hate you for making them look bad.

Your best bet is to find someone that doesn't need to cover their own ass to avoid the fallout from this. Go as high up as you can, with the angle that you are a dedicated employee that was worried about corporate espionage. You came across the login details accidentally, and figured they were fake. You tried one of the passwords and you were shocked when it worked. You don't want to go to IT now because you fear reprisal. You tried (but failed) to contact the company over the weekend.

It wouldn't hurt to talk to a lawyer. A major security hole like this can get people fired. They probably should be fired, but they are not going to be happy about it, and they might try to take you down with them.

Next time use a laptop with a fake MAC in a parking lot near a coffee place that offers free wireless.
posted by bh at 7:39 PM on November 18, 2007

You're all overthinking this. I can't count on two hands the number of random PHP/supposedly safe software that is vulnerable to misconfigured servers. Crap like this happens every other day. The larger and more diverse your environment, the more likely that some idiot will do something stupid.
posted by zengargoyle at 8:09 PM on November 18, 2007
