A Glaring Lesson In Shared Passwords

Vodafones embarrassing breach should serve as a wake-up call for enterprises that also engage in the dangerous practice of credential-sharing

With dissolution of channel partner contracts and staff firings under way, as well as reactive executive orders snowballing from the corner offices, Australian wireless carrier Vodafone is feeling the full force of consequences stemming from the very common but unsafe practice of allowing shared passwords within enterprise accounts. Most enterprises turn a blind eye to shared account information, particularly among privileged accounts, experts say, and so plenty more IT staffers could face the same fate as their fired Vodafone cohorts should the shared passwords at their organizations be publicly exposed.
In the case of Vodafone, company officials were left red-faced earlier this month when they were informed by a journalist that she was able to log into their most sensitive customer database using legitimate credentials. What followed was a cascading torrent of bad news stemming from rampant password-sharing within the organization.
Earlier in the month, Australian Privacy Commissioner Timothy Pilgrim announced an investigation into the breach; Vodafone officials sent a letter to customers warning of the problem and also stated it fired a number of employees in connection to the potential breach. According to reports in
The Sunday Age
, Vodafone partners and employees frequently gave out shared passwords to those outside the circle of company trust as favors, and that the rampant account abuse could have put the names, home addresses, phone logs, drivers license numbers, and credit-card details of 4 million Vodafone customers at risk.
According to Vodafone executives, the company is acting quickly to shut down improper access. Vodafones customer details are not publicly available on the Internet, a Vodafone spokesperson said in a statement last week. Customer information is stored on Vodafones internal systems and accessed through a secure Web portal, accessible to authorized employees and dealers via a secure login and password. Any unauthorized access to the portal will be taken very seriously and would constitute a breach of employment or dealer agreement and possibly a criminal offence.
More recently, Vodafone CEO Nigel Dews laid out the companys reaction to the breach in another statement to the press: Weve made swift progress. Weve terminated the employment of a number of staff, weve undertaken a review of the security systems and processes, and were implementing some of the initiatives straightaway.
Vodafone officials made good on the promises for changes late last week when it terminated its dealer agreement with Communications Direct, which, according to
The Age
, engaged in improper access of customer information in order to improve its commissions from Vodafone.
Dews also assured the public that the firm has already changed passwords across the board and implemented more stringent password policies, including more frequent changes. However, Dews denied that the damages are as sweeping to affect millions of customers and claims that the breach and password-sharing practices are a one-off event.
But account credential sharing is hardly a one-off problem in any enterprise, says Adam Bosnian, executive vice president of Americas and corporate development for Cyber-Ark. Often in a retail environment, you do see it because in that retail environment the workforce is more transient, he says. And if I dont have an easy way to create and delete accounts when people join or leave the organization, sometimes the efficient approach is to just have a generic account. But that efficiency is creating an insecure environment and youre leaving yourself open for being exploited. A shared account of any kind is inherently risky.
Phil Lieberman, an identity management expert and CEO of Lieberman Software, agrees that password-sharing is a rampant problem, and can be particularly troublesome within databases accessed by Web applications such as the one that powers Internet access to Vodafones customer database.
What happens is that there are certain high-powered accounts that are used by applications and also by users -- call them generic accounts because they end up being shared, Lieberman explains. So, for example, a root account or an administrator account might be used by a Web application or a super-user account used by a line of business application. One of the issues is that when you see these things in the log, you see all of these accesses being done but you dont know whether this is being done by the applications or this account is being used by a human user. The account shows up as root, root, and root, but you dont understand if anybody actually had access to the root account and for how long.
According to Gunnar Peterson of Securosis, this gray area within accounts shared by people and machines is tricky. The question about what constitutes a user seems simple, and on one level it is. Most likely a user is an account in the corporate or customer directory, such as Active Directory or LDAP, he wrote recently. But sometimes there are accounts for non-human system users, such as service accounts and machine accounts. In many systems service accounts, machine accounts, and other forms of automated batch processing can do just as much damage as any other account/function. After all, these features were programmed and configured by humans, and are subject to misuse like any other accounts, so likely are worth monitoring as well.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
A Glaring Lesson In Shared Passwords