Thursday, May 22, 2008

accept security warnings

The company that I work for is stupid.

I make no secret that I work for a network security company. I won't state the name of the company, because if I do, then I'm required to follow the company's 'blogging policy' or I could be terminated. Normally, the process leading up to termination would involve a nice beefy severance package, which I'd happily take at this moment, but if I violate this particular edict, I can be terminated without any such package offer, which would.. well.. suck.

Anyway, I digress.

This is a NETWORK SECURITY company. We ought to, oh.. I don't know.. give a rat's ass about security? But no.. Today I get in the mail a nifty little card that provides instructions and reminders for how to use the meeting tools that I've been using for about a year now. Handy little card.. it has a number of steps on how to set up/join a conference online.

Step number 4: 'Accept Security Warnings'

Not.. 'you will see this certificate displayed', or 'you will see X signed ActiveX control ask for permission to do Y', or even 'a security popup may appear with X text, please accept to continue'. No.. just a blanket 'Accept Security Warnings'.

Now, if I was a more devious bastard than I am, I might use this information, along with the links provided and some clever scripting, to harvest authentication tokens of people in my company. Generally the folks that would be setting up online meetings are interesting people to get passwords from. Usually these would be either mid-level managers or assistants to execs.. What could I do with these tokens?

Well.. I could fire people, give myself a bonus, if not a raise... Yes, there is a required approval chain for these things to happen, but if I got auth tokens from everyone who sets up a meeting, how long do you think it would take me to get the tokens for everyone in the auth chain? The system would then automagically do its dirty work and remove my rivals as well as make me rich.

I SO should have been a criminal rather than an engineer.
