
Our security auditor is an idiot. How do I give him the information he wants? - splattne
http://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants
======
DanBlake
Definitely seems less like an auditor (I believe asking for some of that is
flat out illegal) and more like a hacker posing as an auditor, trying to get
passwords/credit card #s.

~~~
antihero
Bang on. Most likely social engineering. If this were actually an employee,
they should be fired/told to fuck off.

~~~
d2
A social engineer wouldn't try for this much data. One SSH key or password
would be enough. I'm going with the fucking-retarded-auditor theory.

~~~
w1ntermute
Then again, it could be a social engineer trying to play off the commonly-held
belief that an actual social engineer wouldn't ask for something so blatantly
illegal.

~~~
SeoxyS
You think too much. Usually, the simplest explanation is also the correct one.
I put my money on retarded auditor who thinks he's more clever and powerful
than he is.

~~~
w1ntermute
It never hurts to be careful. When it comes to security, defense requires
closing all possible holes, while offense requires finding only one. It would
be irresponsible for the employee not to at least be cautious when dealing
with this auditor. It's worth taking a few minutes to call the company
performing the audits and verify that the auditor is who he says he is.

~~~
Retric
IMO, that should actually be part of the process of passing a security audit.
Which suggests someone who is doing an audit will ask for information that, if
given to him, will cause you to fail the audit.

~~~
dspeyer
Confirming that he is an auditor is insufficient. A sufficiently clever
legitimate auditor might attempt social engineering attacks and fail you if
they succeed.

In fact, this seems like a more effective way to sniff out plaintext password
storage than saying "show me everywhere you touch passwords and how they're
encrypted".

~~~
Retric
Sorry if I was unclear. Confirming that he is an auditor should be a checkbox
in an audit, as should limiting the information provided to an auditor.
While I like your idea that it would show if they could get access to users'
passwords, even handing out the salted password list is a bad idea.

One of the more interesting government audits I have heard about was one where
the auditor did a basic internal audit and said he was part of physical
security etc., so people knew he was part of the audit team. He then showed up
late, turned off the power supply to the building and then pointed at people
who showed up at the generator, saying "bang, you're dead, this is part of an
audit" etc. If they failed to call security before everyone was "dead" they
were considered to have failed that part of the audit. He also attempted to
get into the building without showing up on cameras etc. All of which sounds
like a fun job and a good idea.

------
blackboxxx
This is a case of social engineering, not of a security auditor, but of the
poster. The poster wants to know an easy way to collect public and private SSH
keys and fake 6 months of inbound traffic. There is no auditor.

Maybe the poster is writing a book on cracking systems? Who knows. But it
smells like a hoax.

~~~
pyre
What is 'hard' about harvesting public and private keys? Especially if you are
the sysadmin.

What purpose would faking 6 months of inbound traffic serve? If he just wanted
to cover his tracks, wouldn't he just erase logs rather than trying to make
them look legit? That would seem like doing things the hard way.

------
ChristianMarks
This is suspicious:

    *The "new security policies" were introduced two weeks
     before our audit, and the six months historical logging
     was not required before the policy changes.

These "policies" were introduced by whom? His payment processor or by his
company on the advice of this "auditor"? Or did the OP make this up?


    In short, I need;

      A way to 'fake' six months worth of password changes
      and make it look valid

      A way to 'fake' six months of inbound file transfers

Why is the poster requesting help generating plausible fake data? Is he naive?
Afraid of losing his job? Unaware of the legal implications?

~~~
drunkpotato
Yes, I wondered the same thing! Aside from the legal implications, the OP
seems to have some questionable ethics as well.

~~~
lukeschlather
What's unethical about that? If politics have required him to provide
information he can't legally provide, falsifying the information seems like
the only reasonable course of action.

Of course, quitting is the other out, but I do think he has a moral obligation
to prevent his company from handing any of this information over to the
auditor.

~~~
div
The only ethical course of action is to stop the circus and explain to your
manager:

- what this guy is asking for

- how that is in violation of the PCI data security standard

- explain that you are not able, and not allowed, to provide this information

- explain that this likely means the auditor is a hack and steps need to be
taken to get a proper auditor

~~~
nl
I suspect either his manager knows, or he is in a position where he doesn't
have a manager.

To quote: _if I don't provide this information we lose access to our payments
platform_

------
mv
Am I the only one who thinks the story is a little too perfect and ridiculous?
It is much more likely that the author simply fabricated the story.

He did manage to start a very popular thread, and get a ton of people with
really high rep to respond AND get a link on HN. He just threw out some bait,
and the community swarmed like starving fish.

~~~
SeoxyS
And he gains what, exactly, from doing this? Posting anonymously, he doesn't
get any credit from posting the story.

~~~
thaumaturgy
It's called trolling. It's been done since there were bangs in people's email
addresses.

The modern currency for trolls is "lulz".

------
drunkpotato
Everyone so far has focused on the auditor, but I want to know why the OP
thinks faking the requested data is an acceptable response. That disturbs me
and nobody else commented on it!

~~~
dspeyer
Handing over the data is certainly not an acceptable response. If it's the
sort of organization that makes saying no very hard, and leaving looks
impractical, this may be the best option. Sometimes all you can do with a
prestigious idiot is work around him.

------
philjackson
Perhaps the auditor is smarter than everyone thinks and is expecting the
sysadmin to come to him empty handed and with an explanation as to why the
requirements aren't reasonable.

~~~
AgentConundrum
The poster has already tried that, which is when the "auditor" replied with
the "10 years experience" rant. If this actually is his tactic, then he should
be fired simply on the principle that his modus operandi _will_ cost the
company clients, as it seems to be in this case. If he just has his head up
his ass, then he needs to be fired for gross incompetence and the company may
need to notify anyone that he's previously certified that they need to be
recertified or at least notify them that there's a potential problem.

The "social engineering" idea is definitely worth considering, and the poster
definitely needs to run this up the flag pole to his senior management.
Preferably, this email would also have the words "contact our legal counsel"
prominently displayed.

~~~
astrodust
Allegedly ten years of experience is more than anyone on Stack Overflow. I had
no idea the site was populated by only teenagers.

------
thaumaturgy
I flagged this. The likely explanation is that this is just a troll -- 2-day-
old account, this is the only question that's been asked on it. There's no way
that somebody that's been doing audits for 10 years would ask for this stuff,
and there's no way any server admin would even consider providing the
information. ...At least, any server admin that shouldn't be yoinked back down
to making patch cables.

~~~
DrJokepu
It's a throwaway account. It has "throwaway" in its name. The question ends
with the asker explaining that he's posting it from a throwaway account
because he doesn't want his real name associated with it. How many questions
would you expect a throwaway account to have?

~~~
thaumaturgy
I know what throwaway accounts are, and I read his username.

It's still a troll.

~~~
bartl
If there's a kind of person on the internet that I dislike more than trolls,
it is people who see trolls in everyone.

~~~
freejack
The Internet is a great opportunity for everyone to form relationships and
build bridges with one another. Every bridge has a troll.

------
giardini
Please post the name of the company that the security auditor works for.

~~~
molecule
Please post the name of the security auditor. This is completely
unprofessional and insecure.

------
Natsu
I wonder if, when confronted about how ridiculous the requests were, the
auditor will claim to have been testing how well the admins resisted social
engineering?

~~~
gaius
I was in exactly that situation myself recently. However I was hungry and the
auditor was cute and I told her I would give her the root password in exchange
for a donut. Which she dutifully wrote down on her clipboard. Now the whole
company has to go on training. I don't even know the root password!

------
sigzero
That "auditor" is an idiot as some of the posters have mentioned already. I
was like "No" and then I got to the "both private and public keys" and I was
like "Hell no!".

