IT Pros Can't Resist Peeking At Privileged Info

Posted by samzenpus
from the pandora's-email dept.
Orome1 writes "IT security staff will be some of the most informed people at the office Christmas party this year. A full 26 per cent of them admit to using their privileged log-in rights to look at confidential information they should not have had access to in the first place. It has proved just too tempting, and maybe just human nature, for them to rifle through redundancy lists, payroll information and other sensitive data including, for example, other people's Christmas bonus details."
  • Only 26%? (Score:3, Interesting)

    by netwarerip (2221204) on Monday December 05, 2011 @11:42AM (#38267174)
    I find that hard to believe. I would have put it well above 50. Years back I ran an MDaemon mail server and let users have the IM client. Was pretty interesting reading, to say the least.
  • by Anonymous Coward on Monday December 05, 2011 @11:44AM (#38267210)
    That's a bit of an overgeneralization though. My boss at my last job used to do this all the time. Blatantly. He'd call me over to look at an e-mail someone had sent. I explained to him that it made me uncomfortable, but he'd still try to get me to join in the invasion of privacy with him time after time. However, I always refused and never went any further than I needed to, to get the job done. The article says about 1 in 4 admins do this, so it would seem only a minority abuse their privileges whenever they can.
  • Facebook (Score:5, Interesting)

    by Gavin Scott (15916) on Monday December 05, 2011 @11:48AM (#38267274)

    I recall reading an article that said that all of Facebook's (then) hundreds of programmers have full access to the live system data. Especially on top of the announcement that they want to double their employees in the next year or whatever, it sort of makes it hopeless to expect any sort of privacy there if anyone actually gets interested in you.

    G.

  • by 1s44c (552956) on Monday December 05, 2011 @11:59AM (#38267508)

    I disagree.... a person lacking confidence would probably be pissed no matter what and was just looking for validation. My friends and I in the same field openly discuss our wages/benefits only to know what's available out there. Am I getting screwed? Why is my pay lower? Is the grass *really* greener? No one openly gets upset with it.

    You have a point. I was thinking about talking about pay with people who do a similar job in the same company. Everywhere I've ever worked pay had nothing to do with skills or work throughput but only how much you demanded when they interviewed you and how old you are. I'm really glad I became a contractor because permanent staff are just abused.

  • by Anonymous Coward on Monday December 05, 2011 @12:16PM (#38267742)

    It's not limited to IT either. A friend of mine, who works in HR, as a Temp, basically gets work handed to her that other people don't have time to do. This includes expenses, and occasionally allows her to view people's salaries, and, scarily, who's getting made redundant. She's a Temp, paid about £16k/y (having been made redundant a few years ago having been making ~22k, she took anything she could get) and has access to her superiors' and co-workers' salaries, expenses and even their original interview records.
    Some would say that's just rubbing her nose in it.
    But the reality is that some companies just circumvent internal rules in order to get things done.

    And all this she freely shares with me as idle chatter.

  • by Threni (635302) on Monday December 05, 2011 @12:23PM (#38267864)

    So what `absolute moral authority` should we use? What IS the correct answer to:

    should the state kill people to punish them for doing wrong
    should gays be allowed to marry
    can i take drugs in my own home
    should we outlaw the termination of disabled embryos
    can i physically punish my children
    can i carry a gun
    should kosher/halal food be allowed

    etc etc

  • I call "bullshit". (Score:4, Interesting)

    by Dagmar d'Surreal (5939) on Monday December 05, 2011 @12:23PM (#38267872) Journal
    Lieberman Software is in the business of selling IT security products. Is it really that hard to believe that they've sufficient incentive to "creatively restate" the parameters of their testing in order to sell more product? Bias matters, and that study is not unbiased.

    Net-security.org, for their part, are only inflaming matters further by restating things in an even more inflammatory manner.

    Basically, you need to ask something that this article neglects to question: Did 26% of the respondents merely say they were aware of other employees *using* the shared passwords, or did it specifically detail abuse of a shared password to gain unauthorized access to information that, ethically speaking, they shouldn't be going anywhere near? Both of those cases are considered felonies, by the way. It's very easy for someone to argue that *any* shared password use is an "abuse" and that any information access from that point is "illicit"--but without knowing specifically what question was asked, these "results" are more likely just a distortion of fact in order to sell products and services.

    I am personally aware of shared passwords in many organizations. I am also occasionally privy to information I shouldn't be--specifically, people's emails. The key difference being, I *don't want to know*. I, and thousands of admins like me, wind up seeing your boring little emails while trying to figure out why they didn't arrive in your inbox already. Over time, we develop the ability to be self-redacting and immediately forget what was just on our screens--because not being able to do that means being burdened with other people's secrets that you'd feel better not knowing. This is a far, far cry from the sort of "abuse" this report pretends to show, but vendors loooove to construe one as the other in order to sell service contracts.

    Frankly, this doesn't sound any more realistic than the old one about employees giving up their passwords for a candy bar. What you don't get told about those is that the employees are usually being told they have to give their password up to their immediate supervisor, and not being given any guidance as to why they're being directly ordered to violate company policy. In most offices, people who ignore direct orders being given by a live person over something written on a policy paper tend to suffer bouts of sudden and chronic unemployment--so... plenty of reason to "violate policy" there; normally "secure" employees are going to capitulate for that kind of request. Then the people doing the "analysis" stand around later and say "oh my gosh people give up their passwords for no reason!". I've personally been given such a request in the past, and frankly since I was being directly instructed to do so, I turned over a hand-written copy of my password on the form provided...or at least, what my password was at that specific moment in time. Since I'm a twisted bastard I made up a new password just for them, set it in the system and then filled in the blank. ...and since the one written down was now "compromised", I then made up another password and changed it in the system again. I was unamused to find out later that someone was doing this as a "survey".

    Don't be a gullible noob. Trust no "survey" coming from a vendor selling a related product unless you are being shown the exact details of the survey--because they're going to lie about it. Of that you can be sure.
  • by Pieroxy (222434) on Monday December 05, 2011 @12:26PM (#38267912) Homepage

    Right. You should come home to your wife and tell her "I quit my job because my boss wanted me to do something unethical. I know you're pregnant and we just bought a house, but you know, ethics is everything. Now pack your bags, there's a nice bridge down the highway under which there is a patch of grass that'll be nice for us."

  • This is news ? (Score:5, Interesting)

    by mbone (558574) on Monday December 05, 2011 @12:41PM (#38268138)

    The switchboard was listening in to calls 100 years ago. The mail room was looking at letters 150 years ago. Heck, I'm sure the equivalent was going on in ancient Sumer (sneaking a peek at those sealed clay tablets). "The help" is always going to eavesdrop. Not all of them, not all the time, but it happens.

  • by Penguinisto (415985) on Monday December 05, 2011 @12:43PM (#38268166) Journal

    Agreed, and would like to add spam filtering to the pile. Training the filters effectively (to weed out false positives, catch the sneakier spam, etc) means seeing practically everyone's inbound emails until the initial tuning is done, and once in a great while after that for maintenance and upkeep. You just maintain the confidentiality required to know that yeah it's ugly and it's in there, but it's nobody's business. I only interacted with these mails enough to make my job more effective, and after that it all got forgotten and ignored.

    Doing this helped me better tune the filters to block the political crap (DU, Limbaugh, etc) while at the same time allowing exceptions for a couple of execs in the company who actually did lobby in Washington DC, the state capital, etc. It allowed me to block the dating site and sex site emails (you'd be amazed unless you're an email admin, in which case you'd probably know already) while at the same time allowing the usual spousal romantic emails.

    I didn't give a damn about the messages - I was in there to analyze content in order to catch spammers. The result was a happier group of employees who rarely if ever saw any spam, but at the same time could do most things within reason and company policy (it was fairly loose) and not lose any email.

    I considered the whole thing subject to the same confidentiality restrictions as a doctor - yeah, you see the naughty bits in the full glory, but so what? You've got a job to do, so there's no real time or cause for you to be titillated, angry, outraged, or whatever. If you are, there'd better be a cause to inform the corp legal department and then the cops, because otherwise you're obviously not doing your job.

    All said and done, at least in this aspect the AUP covers it perfectly - expect the contents of any email or data on the company wires to be seen by anyone. Of course that doesn't mean you get to go snooping around - violating trust is a great way to obliterate a career. OTOH, don't expect it to remain a perfect secret, either, because not all of us are going to be as professional about it.

  • by billybob_jcv (967047) on Monday December 05, 2011 @02:06PM (#38269458)

    ... was combing through the new server-side SPAM filter to look for false positives and forward "legitimate" email to the rightful owners. I saw racist jokes sent between executives and their buddies, wives & girlfriends talking dirty and scheduling "play dates", job hunting employees, back-stabbing gossip and internal/external confidential information. Payroll information would have been the least of the issues...

  • by gstrickler (920733) on Monday December 05, 2011 @02:59PM (#38270530)

    And right there is the fundamental flaw. Most people don't make rational decisions, even if they have all the necessary information (which they almost never do). It is for that reason that "free markets" as espoused by most proponents of free markets are unrealistic. Free markets are an ideal that should guide your regulation of the markets, but the markets can never really be free.

  • by roguegramma (982660) on Monday December 05, 2011 @03:25PM (#38271004) Journal

    You never know what the IT guy is worth until you replace him. Preferably with someone new on the job.

    And then you go and complain about schools, and ask for more H1B visas ;-)

    It is also very hard for the IT guy to know what he is worth.

    For the sales guy it is easy because he just adds up all money he has raked in. Probably he will even have a tendency to overestimate because he doesn't know at what cost the company is producing its goods and services.

    A manager with access to financial data knows when the company is doing well financially, and knows when his pay is tiny in comparison to the turnover of his department.

    Both are obviously in a better position to negotiate, unless the IT guy analyzes the company's data, for which most IT guys neither have the time nor the desire.

    75% didn't look at confidential data, and of the 25% who admitted to peeking, you don't know how much they strayed from their tasks.
