Employers Forgetting to Remove Access for Ex-Employees?

This devilish Anonymous Coward asks: "Quite by accident, I misdialed the other day and wound up in the voicemail system of my ex-employer, late of some 4 months now. Curious to see what would happen, I punched in my password, and lo-and-behold, I still had access to voicemail. Curious, I checked to see what I still had access to, and discovered that my shell account, Web logins and even the root password still existed as they did when I worked there. While I would never dream of trying anything funny (since they could pretty obviously track it back to me), I'm wondering how prevalent this lax attitude is in today's workplace, particularly in Silicon Valley where employees skip from job to job like mad. I'd bet that way too many Slashdotters still have access to things months or years after they left employment... including some pretty secure things." It's all a matter of the communication channels between the IT Department and Management. Better communication channels means less chance of this sort of security hole happening...or does it?

Happened to me

[Old Man Kensey]

One former employer used passwords "bighair" and "buddy" (the owner's nickname and the owner's dog's name, respectively) for most root or root-like accounts. A few weeks after I left my replacement called to ask if I had been having any fun with the systems. "No, why?" "Baylor [the manager] thinks you've hacked us because he can't get in to the superuser account on any of the boxes."

It wasn't me, but that doesn't mean they weren't hacked either, as there was one other guy who was a walkout like me and just might have been ticked enough to do it. Plus Baylor didn't know a root prompt from a hole in the ground. One day when I came in and restarted the RADIUS server (it had died during the night), he asked "How did you fix a machine in my office while you were sitting in your office?"

Gone but not forgotten

[maggard]

I've had old voicemail accounts last at least five years after leaving (that was as-of a few years ago - I'd check again but I can't remember the extension) and email accounts from places I left over a decade ago still working.

In places I've managed one of my first changes has been to insist that HR put a message on a email distribution list every time a position is created (note this is often well before someone is hired but it gives my staff time to determine the future employee's needs), upon a hiring, and the instant they believe someone may or will be leaving. In these communications HR must specify dates and the appropriate managers to contact for direct instruction. I also put an emergency procedure in place for 'rapid-separations' where all of a person's accounts are identified, marked for immediate back-up, and locked down until the situation is clarified.

I generally drive these policies & procedures home by holding a meeting between HR, IS, and Legal with all of us asked to brainstorm on the awful things that could happen should we drop the ball on this. One can usually come up with some very nasty scenarios pretty fast. The folks involved also generally know a few real-life stories we've seen or heard of we can recount just to completely scare everyone into following these policies seriously.

What can really force these policies is privacy laws. Even though many would think that communications to someone via a companies resources would be properly a companies property this changes a bit once the person is no longer an employee. I'm not a lawyer but I do know that in most places one is on shaky ground continuing to allow the former employee's name to remain active in the email system after a reasonable amount of time. To have someone then go through a former employees communications, specifically any that are received after the employee is separated from the company, is very dangerous and just asking for a nasty lawsuit.

My own solution to moved-on employees has been to place an auto-responder on the email account indicating the person is no longer with the company, possibly listing the other person(s) who are now handling the former employees responsibilities, and referring all other communications to HR. Generally this will do for up to a year after which the account just becomes another generic dead one. For voicemail a similar procedure is used by closing the person's inbox and replacing their old greeting with a new one giving the new numbers to contact for various services.

Of course one can avoid many of these problems by encouraging the use of functional email & voicemail accounts. With these many messages go to "Department - Function" instead of individual persons. One can't (and oftentimes shouldn't) get rid of personal email accounts but by keeping much of the purely administrative email on the functional address list does. Utilizing this duplicate system can cut down enormously on mail-list administration and general administrivia.

Another problem I commonly run into is the 'legacy' account where someone has moved on but another simply assumed their accounts, oftentimes their replacement. This sort of thing leads to really confusing situations where one isn't sure who is using what accounts, which are active, and which are linked. This can become particularly problematic when trying to implement unified login systems.

Finally there's the nightmare of IS staff leaving. Oftentimes we know waaay too many passwords, particularly the 'deep-mojo' ones. To help expedite these transitions I generally try to keep a list of all the primary accounts (passwords stored seperately in a secure place)and a instruction sheet on changing them all at need. It's also simply good practice to discourage users from giving passwords to IS staff and simply requiring them to enter themselves when needed.

Matter of policy

[Magus311X]

It's all a matter of the communication channels between the IT Department and Management. Better communication channels means less chance of this sort of security hole happening...or does it?

I've been at enough places to say that a lot of procedure indeed has to do with policy. If it isn't written down and enforced, more often than not it isn't executed.

Yes, things like this do happen, often because its not written in stone. You might think about changing the root password, but then you're just lazy, too comfortable typing it in during the blink of an eye, or too confident that since nothing has happened yet, nothing will happen.

Of course, we all know what happens when you do that - It leaves the potential for something to happen. This is why the manangerial staff that does know what they're doing gets on your case. Because unless you really care (and yes, plenty of IT staffers who give a damn, do), it might not get done.
-----

SSH with keys

[Rob Kaper]

We mainly use SSH with keys at work. No direct root access, you must first login as user with your key. From the outside, only one machine is accessable through SSH, so removing an employee from the list of allowed remote logins is as simple as removing his/her public key from that server. Surely works a lot better than all the hassle with passwords.. we still update the root password regularly, but if an ex-employee still knows it, that's not immediately a problem.

Is 50%pa turnover high?

[Kris_J]

We have a high staff turnover and a lack of clear policies. I always disable any individual remote access when I'm informed that a person has left, but otherwise most of our codes remain the same. The problem is that staff share their passwords a bit frequently and I'd really have to do a localised audit as each person left. Many passwords would have to change 2 or 3 times a month and remaining staff would start forgetting them (increasing turnover that bit more again).

But since staff are given full afterhours access to the building's main doors and our floor on the day they arrive (I was!) I think that outgoing IT security is the least of our worries...

"Why is this filing cabinet empty?"

*sigh*

[LWolenczak]

In all companys there are allways communication problems between managment and MIS. In the company I work for, there are even Communication problems between the owner and Office and Department Managers. Anyway, When people leave the Headquarters, Their accounts are allways locked and latter deleted. Voicemail is another story, we dont really change somebody's voicemail password till somebody moves into that cubical. Now, with other Offices, Its another story. I know that some offices only have 10 or 15 ppl there, but we have like 30 logins that are associated with their office. I find it annoying that nobody bothers to email or call me when somebody leaves an office. I guess as revenge, I will send them all linux file servers.

Re:Insist your accounts are deleted

[LWolenczak]

This is very true, You should quietly email whoever else has the root password (preferable a MIS staff member or manager) and get them to do it. So you cannot be blamed for anything down the road.

Sometimes, continuing access is on purpose

[KyleCordes]

Sometimes, when an employee leaves on good terms, there is a full intention that they will dial in or whatever from time to time to help transition responsbilities to other people... so ongoing access is not necessarily always an oversight or mistake.

What it means.

[mindstrm]

It means... that the IT manager doesn't know his job, and is not properly auditing security. Period.

For all the toys, code, and technology us IT people get to 'play' with at work, the bottom line is all too often forgotten: IT is there to provide computing facilities for a company and to maintain them appropriately.
If the IT staff left a hole like this, they should be yelled at.

Curiously enough, this problem is especially prevalent at shops WITHOUT senior type systems people. Lots of kids.

It's funny how hacker kids seem to know everything about security, but put them in an IT department, and they 'forget' all kinds of things like voicemail, door entry codes, leaving terminals logged in. Of course, they are REALLY busy fuckign with all the unix boxes 'just in case'.

Re:have hr email hiring/firings

[titus-g]

*Of course our environment is still like swiss cheese when it comes to security. *

Might I recommend a silenced pistol, after they get home of course... :)

have hr email hiring/firings

[malice95]

We have HR email the admin mailing list every time
they hire or fire someone. It is basically someones responsbility in our group to watch
for this email and add/remove accounts as necessary. If an admin or network person leaves
that might have critical passwords.. we immediatly
change all passwords in the company and remove all
access before they walk out the door.

Has worked pretty well for us so far.. Of course
our environment is still like swiss cheese when
it comes to security.

Malice95

Re:Sometimes, continuing access is on purpose

[Steve B]

Sometimes, when an employee leaves on good terms, there is a full intention that they will dial in or whatever from time to time to help transition responsbilities to other people

Then they should say so.
/.

Appropriate responses

[DaveHowe]

I think a lot depends on the circumstances. At our company, voicemail tends to be tied to individual handsets - so that stays until the desk is reassigned, at which point any outstanding voicemail is cleared, a new announce for the new user is set up and so forth.
Email is more marginal - if we are informed of a leaver, email is disconnected from the external gateway (internet email inbound will bounce) but is left in existance for a few weeks - many managers will have access to their leaver's account to clear up any outstanding stuff in the system. Unless requested otherwise, the email account is deleted when the network account is deleted.
Network accounts are disabled when a given user leaves (again, provided we are notified!) In addition, we audit account use - any Network account that hasn't been used in two months flags up an alert, and we contact the department to ask why.

Obviously, all of this applies to ordinary user accounts. for Techie accounts, it becomes more interesting. Email and network are disabled, as above, and any remote access keys are disabled too. However, there are three possibilities.

1. The techie left on friendly terms
   Any user accounts he held have their passwords disabled, but root accounts are left to expire and be cycled normally; Unless given a good reason to assume otherwise, this techie may want to look for references from us, possibly even another job in the future.
2. Techie left on unfriendly terms, without warning
   Unfriendly does not have to mean removed for cause; redundancy is equally valid. In this case, all root passwords (even ones he theoretically didn't know) are changed at once; account lists are searched for dubious accounts with either permissions they shouldn't have or with access entries matching the techie's pc.
3. Techie left on unfriendly terms with unsupervised access to machines
   nightmare scenario; User has been expelled from the building for cause, has resigned for reasons that are likely to indicate resentment of the company or individual managers (contributatory dismissal for example) or knew he was being downsized in advance and wasn't happy about it.
   This has to be any sysadmin's worst nightmare - the system is totally screwed. any or all servers may be rootkitted; timebombs or backdoors may exist in any utility or system program, backups may be corrupt, deliberate errors added in data that may take years to identify and fix.
   Procedure if this ever happened would be extreme - backup server (normally used for development testing) would be backed up then completely reinstalled from original media; new accounts set up and validated, software reinstalled and databases transferred. Backup server would become live server, live server pair would go offline and suffer similar indignities, after forensic examination by contract experts; user would be carried on payroll and his user accounts left untouched until the whole of SAP R/3's user code was validated by the DEV team; and even then, you could never be 100% sure.

Luckily we have never had a case of the nightmare scenario - but the procedures we could not afford to not follow would be massively more expensive and disruptive than even our worst-case disaster recovery plan.
--

Insist your accounts are deleted

[eap]

As an outgoing employee, you should make sure your own access to sensitive resources is eliminated when you leave. By knowing root passwords, you are placing yourself in a position of vulnerability if any systems are compromised.

It could be very easy for a disgruntled sysadmin to blame hacked system on you, when you aren't there to defend yourself.

At the least, it could mean a bad rec for you when you try to find another job, or worse, you could expose yourself to a lawsuit.

If you aren't sure your access is going to be cut off, then obtain proof that you attempted to have it removed by sending a letter to the appropriate mgmt body.

Equally disturbing...

[Lish]

..is that I know any number of people, including myself, who have left an internship and their employer blithely continues to pay them. Some are more honest than others in reporting the error. Interesting when you consider how tight a grip most companies keep on the $$$ while you're there. (God forbid you lost the receipt for dinner on a business trip.) Makes you wonder what else they've forgotten to stop (like the aforementioned account privileges).

Note to self: try sending email to old address, see if it bounces....

Re:Some companies are concerned

[fliplap]

To think changing passwords is going to it is naive. If thier violations of policy were this severe a total security audit would be appropriate. I used to work for a telemarketing firm (eww, yes it was that bad) Our admin had so many backdoors installed when I left, 6 monthes ago, it was obscene. A few minutes ago every last one was still there. The best solution would be to take all those backup tapes, put them in a safe place, and reinstall everything. Granted this can be a costly decision, sometimes its faster than fixing everything.

Monitor HR

[perigeeV]

I could never trust to be "kept informed" of recent firings, etc. so I just wrote a script that monitored certain aspects of the human resources employee database and diff'ed it. You can be sure of one thing: the first thing Management does upon termination of an employee is to stop any future salary disbursements!

Communication Breakdown

[nobody69]

At the company I work for the problem is predominantly communication-related. I've got about 200 users, lots of whom are independent contractors and their assistants. The contractors go through assistants with astonishing speed (Note: If you've had 4 people for one position in 6 weeks, you may want to examine their working conditions.), but don't feel bound by any company policies regarding notifying anybody about changes. Usually, I find out there's somebody new when they call and complain about voice(or e)-mail problems.
However, the worst problem I've had was when I got a call from the manager at a remote site called and said Employee A was let go and took it pretty hard, so could I please change her passwords etc. Sure, no problem. The next week the boss calls again and says they are having lots or problems with lost database info. I restore most of it from the backup tapes, but not all. About a month later I'm over in that office to replace a bad NIC and ask for Employee B (who did most of the work in the database), to commiserate about the database problems. I find out she got let go at the same time that Employee A did, but no one thought it was an issue since she didn't leave in a huff, so why should they tell me? They just left her logged in all the time, so they could learn how to use the DB. None of them could understand why I was so cranky at them.

Pretty lax administration..

[Tairan]

The company I work for has a problem communicating. I (the sys.admin) do not hear about people leaving for a while after they are gone. At that point, I quickly remove all their accounts, and change any password they might know.

I've heard of other sys.admins who like to keep old employees email accounts and such around, just to see what mail they get. Whenever I leave a job, I promptly subscribe my old email address to every spambot I can find..

we NEVER disable accounts

[MrDingDong]

When I took this job several years ago as a Unix SA, I looked into why disk space was so tight. It turned out that we have online many accounts of people who have left, some over five years ago!

Everything is like in suspended animation - passwords the same as the day people left, all their files are still out there, etc.

I've repeatedly asked my bosses over the years why we can't get rid of this old junk, and each boss has told me that we can't inconvenience the users. They MIGHT need instantaneous access to this old stuff someday. At least that's what the users keep saying to us.

Passwords here are likewise very static. Even the root password, which is used by many users for "convenience sake", is still the same as it was years ago. What a mess and I'm making no progress in changing the mindset here and this is a Fortune 100 corporation!

The database "sa" password is so engrained - it is coded in programs, scripts, etc. that it is really virtually impossible to change. A million things would break and guess who'd bear the brunt of that ?

And you think you had a mess of a situation...

Re:Gone but not forgotten

[dvd_maximus]

put an emergency procedure in place for 'rapid-separations' where all of a person's accounts are identified, marked for immediate back-up, and locked down until the situation is clarified

Sound housekeeping, of course -- but I think it has to be used with discretion. Just off the top of my head I can think of two hypothetical scenarios where prematurely activating such a procedure could have a negative outcome:

(S)he's such a valuable employee (eg only geek in the shop who knows how the server works) that on consideration mgt decides to overlook the gigabytes of pr0n -- but employee finds accts frozen and quits in a huff. Next day server crashes and outside consultants take a week to rebuild it.

Employee given "final warning" and told to return to work -- finds accts frozen and sues for harrassment.

Of course IANAL, nor even an HR person....

Some companies are concerned

[Suds9]

I just experienced a situation like this.

Both members of our two person IT department (I'm a finance geek) were recently found to violating several major company policies. Management decided the infractions were too serious to keep them on board. Our biggest concern after the decision was made was how we could secure our systems (internal network, internet site, ERP system, PBX system, etc.).

While the two were separately being told of the decision, several trusted IT consultants were in disconnecting our T-1s, disconnecting modems, and changing system passwords. By the time the two were escorted from the building, our systems were secured.