Sunday, July 27, 2008

'Hijacked' SF Passwords Made Public By DA

Via CNet -

Only days after the city of San Francisco regained control of its computer network after an alleged hijacking, a new vulnerability has come to light--this time brought on by the city itself.

The San Francisco district attorney's office has apparently made public nearly 150 usernames and passwords used by city officials to gain access to the city's network. The list was submitted to the court as Exhibit A in a case against Terry Childs, a 43-year-old network administrator for the city who was arrested July 13 on four felony charges of tampering with the city's computer network.

Co-workers accused Childs of setting a "time bomb" that would sabotage the network the next time it went down, either for maintenance or due to a power outage.

Childs had effectively taken the city's network hostage by locking administrators out and refusing to give up the passwords needed to regain access. In a secret meeting with Mayor Gavin Newsom earlier this week, the San Francisco Chronicle reported that Childs handed them over directly to the mayor.

Later in the week, the DA's office reportedly filed a court document to argue against a reduction of the $5 million bail set for Childs, who is being held in the county jail. Exhibit A of the document contained the usernames and passwords used by nearly 150 employees to get into the city's virtual private network. And despite saying the passwords pose an "imminent threat" to the city's computer network, they are now of public record.

A source tells InfoWorld that a second password is needed to gain access to the VPN. Still, giving up these so-called phase one passwords is hardly recommended security policy.

And here I thought we San Franciscans were supposed to be good with this computer stuff.

-----------------------------------

Wow...

Srsly.

1 comment:

  1. I hate to think what percentage will go unchanged even after the disclosure...

    ReplyDelete