A recently published issue with a Security Auditor has highlighted just how much potential there is for the worst to happen when information is requested by someone with a level of authority. In this particular case, the person being asked for the information had the sense to challenge the request, but it's easy to believe that many others would have simply attempted to comply.
The Security Auditor in question was insisting that the following be provided;
-
A list of current user-names and plain-text passwords for all user accounts on all servers
-
A list of all password changes for the past six months, again in plain-text
-
A list of “every file added to the server from remote devices” in the past six months
-
The public and private keys of an SSH keys
-
An email sent to him every time a user changes their password, containing the plain-text password.
It should be pretty clear to most that this presents a huge security issue, but faced with a Payment Card Industry (PCI) Auditor making the request, how many would simply assume that he “must know what he's doing”?
