My work requires me to work with (what I believe to be) a very insecure website, what to do?











up vote
39
down vote

favorite
3












At my job, to be able to view my paychecks, vacation hours and HR data on myself I need to log into a 3rd party website.



I'm by no means a security expert or expert programmer but I could tell (simply by trying) that I could continue to try incorrect passwords without being locked out. (brute force: viable)



After logging in I was forced to select 3 pre-determined security questions in the case of a password reset (out of a total of 8!) such as my first car's licence plate (never owned a car 3/7), my spouse's 2nd name (don't have a spouse 3/6), 2nd name of my first kid (don't have kids 3/5), birthdate, name of my highschool, favorite pet, favorite film or favorite piece of music.



Most these things you can simply get from my facebook, (which, I should note, has not been updated for years!) again showing a distinct lack of understanding in basic security practices.



I also get the feeling, from looking at the site through the developer tools they use incredibly outdated software



A JavaScript implementation of the RSA Data Security, Inc. MD5 Message
* Digest Algorithm, as defined in RFC 1321.
* Version 2.1 Copyright (C) Paul Johnston 1999 - 2002.


I reported this through my company but my superiors don't appear all that interested.



How would I go about:



A. Finding out if this site is really as insecure as I think it is?



B. if true: communicating this in an appropriate manner to the company itself
(preferably in an anonymous fashion)










share|improve this question









New contributor




A. Nony-Mous is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 55




    A mitigation for security questions is to have randomly-generated passwords from a password manager as security "answers". That way, an adversary has no way to use OSINT against you. The rest of your question should be moved to workplace.stackexchange.com TBH
    – SeeYouInDisneyland
    yesterday






  • 17




    Your analysis may be incorrect. Doesn't hassle you after a few wrong attempts doesn't imply it's vulnerable to brute force, we have other better more user friendly ways. Captchas, rate limiting etc.
    – Nathan Cooper
    yesterday






  • 10




    MD5 is pretty straightforward, so it's not surprising that code built to generate an MD5 hash wouldn't have changed much since being written (and it was released in 1992). Using MD5 is potentially problematic, but it's possible to use it in safe, innocuous ways. One hopes the site's not doing password hashing client-side, for example.
    – ceejayoz
    yesterday






  • 81




    That's my MD5 script they're using!
    – paj28
    23 hours ago






  • 7




    The fact that you can keep entering passwords doesn't mean there's no brute-force protection. It is possible (and actually highly sensible!) to simply incur an ever bigger delay with every incorrect attempt. This makes a true brute force infeasible without locking somebody out who simply keeps mistyping their password.
    – leftaroundabout
    22 hours ago















up vote
39
down vote

favorite
3












At my job, to be able to view my paychecks, vacation hours and HR data on myself I need to log into a 3rd party website.



I'm by no means a security expert or expert programmer but I could tell (simply by trying) that I could continue to try incorrect passwords without being locked out. (brute force: viable)



After logging in I was forced to select 3 pre-determined security questions in the case of a password reset (out of a total of 8!) such as my first car's licence plate (never owned a car 3/7), my spouse's 2nd name (don't have a spouse 3/6), 2nd name of my first kid (don't have kids 3/5), birthdate, name of my highschool, favorite pet, favorite film or favorite piece of music.



Most these things you can simply get from my facebook, (which, I should note, has not been updated for years!) again showing a distinct lack of understanding in basic security practices.



I also get the feeling, from looking at the site through the developer tools they use incredibly outdated software



A JavaScript implementation of the RSA Data Security, Inc. MD5 Message
* Digest Algorithm, as defined in RFC 1321.
* Version 2.1 Copyright (C) Paul Johnston 1999 - 2002.


I reported this through my company but my superiors don't appear all that interested.



How would I go about:



A. Finding out if this site is really as insecure as I think it is?



B. if true: communicating this in an appropriate manner to the company itself
(preferably in an anonymous fashion)










share|improve this question









New contributor




A. Nony-Mous is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 55




    A mitigation for security questions is to have randomly-generated passwords from a password manager as security "answers". That way, an adversary has no way to use OSINT against you. The rest of your question should be moved to workplace.stackexchange.com TBH
    – SeeYouInDisneyland
    yesterday






  • 17




    Your analysis may be incorrect. Doesn't hassle you after a few wrong attempts doesn't imply it's vulnerable to brute force, we have other better more user friendly ways. Captchas, rate limiting etc.
    – Nathan Cooper
    yesterday






  • 10




    MD5 is pretty straightforward, so it's not surprising that code built to generate an MD5 hash wouldn't have changed much since being written (and it was released in 1992). Using MD5 is potentially problematic, but it's possible to use it in safe, innocuous ways. One hopes the site's not doing password hashing client-side, for example.
    – ceejayoz
    yesterday






  • 81




    That's my MD5 script they're using!
    – paj28
    23 hours ago






  • 7




    The fact that you can keep entering passwords doesn't mean there's no brute-force protection. It is possible (and actually highly sensible!) to simply incur an ever bigger delay with every incorrect attempt. This makes a true brute force infeasible without locking somebody out who simply keeps mistyping their password.
    – leftaroundabout
    22 hours ago













up vote
39
down vote

favorite
3









up vote
39
down vote

favorite
3






3





At my job, to be able to view my paychecks, vacation hours and HR data on myself I need to log into a 3rd party website.



I'm by no means a security expert or expert programmer but I could tell (simply by trying) that I could continue to try incorrect passwords without being locked out. (brute force: viable)



After logging in I was forced to select 3 pre-determined security questions in the case of a password reset (out of a total of 8!) such as my first car's licence plate (never owned a car 3/7), my spouse's 2nd name (don't have a spouse 3/6), 2nd name of my first kid (don't have kids 3/5), birthdate, name of my highschool, favorite pet, favorite film or favorite piece of music.



Most these things you can simply get from my facebook, (which, I should note, has not been updated for years!) again showing a distinct lack of understanding in basic security practices.



I also get the feeling, from looking at the site through the developer tools they use incredibly outdated software



A JavaScript implementation of the RSA Data Security, Inc. MD5 Message
* Digest Algorithm, as defined in RFC 1321.
* Version 2.1 Copyright (C) Paul Johnston 1999 - 2002.


I reported this through my company but my superiors don't appear all that interested.



How would I go about:



A. Finding out if this site is really as insecure as I think it is?



B. if true: communicating this in an appropriate manner to the company itself
(preferably in an anonymous fashion)










share|improve this question









New contributor




A. Nony-Mous is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











At my job, to be able to view my paychecks, vacation hours and HR data on myself I need to log into a 3rd party website.



I'm by no means a security expert or expert programmer but I could tell (simply by trying) that I could continue to try incorrect passwords without being locked out. (brute force: viable)



After logging in I was forced to select 3 pre-determined security questions in the case of a password reset (out of a total of 8!) such as my first car's licence plate (never owned a car 3/7), my spouse's 2nd name (don't have a spouse 3/6), 2nd name of my first kid (don't have kids 3/5), birthdate, name of my highschool, favorite pet, favorite film or favorite piece of music.



Most these things you can simply get from my facebook, (which, I should note, has not been updated for years!) again showing a distinct lack of understanding in basic security practices.



I also get the feeling, from looking at the site through the developer tools they use incredibly outdated software



A JavaScript implementation of the RSA Data Security, Inc. MD5 Message
* Digest Algorithm, as defined in RFC 1321.
* Version 2.1 Copyright (C) Paul Johnston 1999 - 2002.


I reported this through my company but my superiors don't appear all that interested.



How would I go about:



A. Finding out if this site is really as insecure as I think it is?



B. if true: communicating this in an appropriate manner to the company itself
(preferably in an anonymous fashion)







account-security websites






share|improve this question









New contributor




A. Nony-Mous is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




A. Nony-Mous is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited yesterday









schroeder

70.3k27152187




70.3k27152187






New contributor




A. Nony-Mous is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked yesterday









A. Nony-Mous

20223




20223




New contributor




A. Nony-Mous is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





A. Nony-Mous is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






A. Nony-Mous is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








  • 55




    A mitigation for security questions is to have randomly-generated passwords from a password manager as security "answers". That way, an adversary has no way to use OSINT against you. The rest of your question should be moved to workplace.stackexchange.com TBH
    – SeeYouInDisneyland
    yesterday






  • 17




    Your analysis may be incorrect. Doesn't hassle you after a few wrong attempts doesn't imply it's vulnerable to brute force, we have other better more user friendly ways. Captchas, rate limiting etc.
    – Nathan Cooper
    yesterday






  • 10




    MD5 is pretty straightforward, so it's not surprising that code built to generate an MD5 hash wouldn't have changed much since being written (and it was released in 1992). Using MD5 is potentially problematic, but it's possible to use it in safe, innocuous ways. One hopes the site's not doing password hashing client-side, for example.
    – ceejayoz
    yesterday






  • 81




    That's my MD5 script they're using!
    – paj28
    23 hours ago






  • 7




    The fact that you can keep entering passwords doesn't mean there's no brute-force protection. It is possible (and actually highly sensible!) to simply incur an ever bigger delay with every incorrect attempt. This makes a true brute force infeasible without locking somebody out who simply keeps mistyping their password.
    – leftaroundabout
    22 hours ago














  • 55




    A mitigation for security questions is to have randomly-generated passwords from a password manager as security "answers". That way, an adversary has no way to use OSINT against you. The rest of your question should be moved to workplace.stackexchange.com TBH
    – SeeYouInDisneyland
    yesterday






  • 17




    Your analysis may be incorrect. Doesn't hassle you after a few wrong attempts doesn't imply it's vulnerable to brute force, we have other better more user friendly ways. Captchas, rate limiting etc.
    – Nathan Cooper
    yesterday






  • 10




    MD5 is pretty straightforward, so it's not surprising that code built to generate an MD5 hash wouldn't have changed much since being written (and it was released in 1992). Using MD5 is potentially problematic, but it's possible to use it in safe, innocuous ways. One hopes the site's not doing password hashing client-side, for example.
    – ceejayoz
    yesterday






  • 81




    That's my MD5 script they're using!
    – paj28
    23 hours ago






  • 7




    The fact that you can keep entering passwords doesn't mean there's no brute-force protection. It is possible (and actually highly sensible!) to simply incur an ever bigger delay with every incorrect attempt. This makes a true brute force infeasible without locking somebody out who simply keeps mistyping their password.
    – leftaroundabout
    22 hours ago








55




55




A mitigation for security questions is to have randomly-generated passwords from a password manager as security "answers". That way, an adversary has no way to use OSINT against you. The rest of your question should be moved to workplace.stackexchange.com TBH
– SeeYouInDisneyland
yesterday




A mitigation for security questions is to have randomly-generated passwords from a password manager as security "answers". That way, an adversary has no way to use OSINT against you. The rest of your question should be moved to workplace.stackexchange.com TBH
– SeeYouInDisneyland
yesterday




17




17




Your analysis may be incorrect. Doesn't hassle you after a few wrong attempts doesn't imply it's vulnerable to brute force, we have other better more user friendly ways. Captchas, rate limiting etc.
– Nathan Cooper
yesterday




Your analysis may be incorrect. Doesn't hassle you after a few wrong attempts doesn't imply it's vulnerable to brute force, we have other better more user friendly ways. Captchas, rate limiting etc.
– Nathan Cooper
yesterday




10




10




MD5 is pretty straightforward, so it's not surprising that code built to generate an MD5 hash wouldn't have changed much since being written (and it was released in 1992). Using MD5 is potentially problematic, but it's possible to use it in safe, innocuous ways. One hopes the site's not doing password hashing client-side, for example.
– ceejayoz
yesterday




MD5 is pretty straightforward, so it's not surprising that code built to generate an MD5 hash wouldn't have changed much since being written (and it was released in 1992). Using MD5 is potentially problematic, but it's possible to use it in safe, innocuous ways. One hopes the site's not doing password hashing client-side, for example.
– ceejayoz
yesterday




81




81




That's my MD5 script they're using!
– paj28
23 hours ago




That's my MD5 script they're using!
– paj28
23 hours ago




7




7




The fact that you can keep entering passwords doesn't mean there's no brute-force protection. It is possible (and actually highly sensible!) to simply incur an ever bigger delay with every incorrect attempt. This makes a true brute force infeasible without locking somebody out who simply keeps mistyping their password.
– leftaroundabout
22 hours ago




The fact that you can keep entering passwords doesn't mean there's no brute-force protection. It is possible (and actually highly sensible!) to simply incur an ever bigger delay with every incorrect attempt. This makes a true brute force infeasible without locking somebody out who simply keeps mistyping their password.
– leftaroundabout
22 hours ago










4 Answers
4






active

oldest

votes

















up vote
63
down vote













To start with the easy bit: you do not have to put real information as the answers to the questions. Random strings work best if you are really paranoid and store them in a password manager just like a password.



The rest (no brute force protection, potentially outdated software) is a shame, but there is nothing that you can do, from a security perspective. I would raise the issue with HR/Payroll and ask them to investigate. If you are in Europe, then you can also talk to your DPO to suggest that their "Data Processor" has troubling account security practices that need to be investigated.



Otherwise, this is more of an internal office politics issue.






share|improve this answer

















  • 4




    There is one thing you can do about the lack of protection against brute forcing passwords: You can use a strong password.
    – kasperd
    yesterday






  • 97




    "you do not have to put real information" Are you trying to tell me my First Pets Name isn't LRnq98FHk63FbrdYbJHvMRRe? I miss LRnq...
    – WernerCD
    23 hours ago






  • 68




    Or you could actually name your pets and kids with a password manger.
    – Rad80
    19 hours ago






  • 29




    @Rad80 but then people would know the answer to your security questions. You should really name your pets and kids with a password manager, but put in real/normal names in the security questions.
    – IronCraftMan
    19 hours ago






  • 9




    The problem with this approach is of course: You will need to supply the security answers only in situations where you have lost the password itself. The only way I can imagine how you lost it is by corrupting your password manager (or by not habing access to it from far away) - in which case you won't have access to your random pet names stored in the same password manager, either.
    – Hagen von Eitzen
    15 hours ago


















up vote
14
down vote













To me this says you haven't investigated enough to confidently say it's insecure. You haven't shown any particular direct exploit nor really dug into their system (in a non-hacking, poking around kind of way). Your superiors may not be interested because of the lacking direct evidence of this.



As an example, my work uses a 3rd party site for scheduling vacations, I found it allows me to "recover" my password by sending my exact password back in plain-text via email, that is a direct evidence of an issue that I can report. Likewise, a site used for some IT services (SIP Trunk) had an issue where I could change the ID's in the URL and (to my surprise) view other people's account info, again, another direct line of evidence. Right now, you just have suspicions, and not obvious ones.



As an aside, all security questions for resetting passwords are insecure, as they rely on common information. As others have suggested, you can put fake answers in here (that you can still remember) or entirely randomly generated strings. You can think of the security questions as a "String" to "String" security challenge in the most generic sense.






share|improve this answer



















  • 8




    By the way, any down votes are welcome, as long as an explanation is given. We're all only posting here to help, so helping the help get better at helping is helpful ;-)
    – Jarrod Christman
    23 hours ago






  • 6




    You are confusing hazards with exploits. The hazards are clear and understandable. Also, you have not answered the question (you reiterated the question). "How would I go about: A. Finding out if this site is really as insecure as I think it is?" Your answer says, "you need to find out if the site is insecure"
    – schroeder
    22 hours ago






  • 1




    i didn't downvote, but login system is not protected against bruteforce / dictionary attacks is a very real direct problem. i would also check if the system is vulnerable against timing attacks (which can massively speed up a bruteforce attack), but that's just me.
    – user1067003
    14 hours ago












  • It's hard to decide which is worse: them using MD5, them rolling their own implementation of the MD5 algorithm, or them using MD5 client side. Anyone one of those is a sure sign of poor security practices.
    – Conor Mancone
    13 hours ago






  • 2




    Many employers will be greatly annoyed if they discover you pen-testing their systems without advance knowledge and permission, and some might even try to bust you for violating hacking laws. Of course, if you ask "Can I spend my working hours on pen-testing this system I'm not responsible for?" the answer may well be no.
    – Kevin
    12 hours ago




















up vote
1
down vote














How would I go about:



A. Finding out if this site is really as insecure as I think it is?




You really cannot, unless you witness a concrete, exploitable problem. That's what infosec companies do, they try to actively break systems (with consent of the owners). They know many procedures and techniques to systematically take such an application appart, from simple things like using HTTP instead of HTTPS, insecure usage of cookies, XSS, SQL injection, but also other stuff like IDs being obviously simply counted up (which means you can just try them out sequentially), stuff being only checked on the browser (easily forged), and so on and so forth.



They also can combine blackbox- with whitebox-approaches (i.e., just looking from the outside, like any hacker/cracker would do, or actually studying the source code, entering the servers with provided accounts, and so on).



You could do all that yourself, but as you are asking, you obviously don't really know how. But the main problem is that if you did that, without first getting consent, you'd be at least in gray territory, if not outright breaking law.




B. if true: communicating this in an appropriate manner to the company itself (preferably in an anonymous fashion)




You cannot (anonymously, at least). If there is a dedicated CISO, he would be your first line of attack; but aside from that, especially in smaller firms, there is little you can do if your management just shrugs it off.



I guess there may be specific circumstances in which some government agency might be interested - for example if your company works for the government in an area which has strict security requirements; then obviously you might try to get an anonymous message to somewhere, but why would they care about your HR information...



But in general, for arbitrary companies, the saying "There's no fate but what we make for ourselves" would apply.






share|improve this answer




























    up vote
    -2
    down vote













    If you are an IT professional you can read the ACM Code of Ethics, which is the most comprehensive ethics code in IT today.



    Section 1.2 says:
    "A computing professional has an additional obligation to report any signs of system risks that might result in harm. If leaders do not act to curtail or mitigate such risks, it may be necessary to "blow the whistle" to reduce potential harm. However, capricious or misguided reporting of risks can itself be harmful. Before reporting risks, a computing professional should carefully assess relevant aspects of the situation."






    share|improve this answer





















      Your Answer








      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "162"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      convertImagesToLinks: false,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      noCode: true, onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });






      A. Nony-Mous is a new contributor. Be nice, and check out our Code of Conduct.










       

      draft saved


      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f197720%2fmy-work-requires-me-to-work-with-what-i-believe-to-be-a-very-insecure-website%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      4 Answers
      4






      active

      oldest

      votes








      4 Answers
      4






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes








      up vote
      63
      down vote













      To start with the easy bit: you do not have to put real information as the answers to the questions. Random strings work best if you are really paranoid and store them in a password manager just like a password.



      The rest (no brute force protection, potentially outdated software) is a shame, but there is nothing that you can do, from a security perspective. I would raise the issue with HR/Payroll and ask them to investigate. If you are in Europe, then you can also talk to your DPO to suggest that their "Data Processor" has troubling account security practices that need to be investigated.



      Otherwise, this is more of an internal office politics issue.






      share|improve this answer

















      • 4




        There is one thing you can do about the lack of protection against brute forcing passwords: You can use a strong password.
        – kasperd
        yesterday






      • 97




        "you do not have to put real information" Are you trying to tell me my First Pets Name isn't LRnq98FHk63FbrdYbJHvMRRe? I miss LRnq...
        – WernerCD
        23 hours ago






      • 68




        Or you could actually name your pets and kids with a password manger.
        – Rad80
        19 hours ago






      • 29




        @Rad80 but then people would know the answer to your security questions. You should really name your pets and kids with a password manager, but put in real/normal names in the security questions.
        – IronCraftMan
        19 hours ago






      • 9




        The problem with this approach is of course: You will need to supply the security answers only in situations where you have lost the password itself. The only way I can imagine how you lost it is by corrupting your password manager (or by not habing access to it from far away) - in which case you won't have access to your random pet names stored in the same password manager, either.
        – Hagen von Eitzen
        15 hours ago















      up vote
      63
      down vote













      To start with the easy bit: you do not have to put real information as the answers to the questions. Random strings work best if you are really paranoid and store them in a password manager just like a password.



      The rest (no brute force protection, potentially outdated software) is a shame, but there is nothing that you can do, from a security perspective. I would raise the issue with HR/Payroll and ask them to investigate. If you are in Europe, then you can also talk to your DPO to suggest that their "Data Processor" has troubling account security practices that need to be investigated.



      Otherwise, this is more of an internal office politics issue.






      share|improve this answer

















      • 4




        There is one thing you can do about the lack of protection against brute forcing passwords: You can use a strong password.
        – kasperd
        yesterday






      • 97




        "you do not have to put real information" Are you trying to tell me my First Pets Name isn't LRnq98FHk63FbrdYbJHvMRRe? I miss LRnq...
        – WernerCD
        23 hours ago






      • 68




        Or you could actually name your pets and kids with a password manger.
        – Rad80
        19 hours ago






      • 29




        @Rad80 but then people would know the answer to your security questions. You should really name your pets and kids with a password manager, but put in real/normal names in the security questions.
        – IronCraftMan
        19 hours ago






      • 9




        The problem with this approach is of course: You will need to supply the security answers only in situations where you have lost the password itself. The only way I can imagine how you lost it is by corrupting your password manager (or by not habing access to it from far away) - in which case you won't have access to your random pet names stored in the same password manager, either.
        – Hagen von Eitzen
        15 hours ago













      up vote
      63
      down vote










      up vote
      63
      down vote









      To start with the easy bit: you do not have to put real information as the answers to the questions. Random strings work best if you are really paranoid and store them in a password manager just like a password.



      The rest (no brute force protection, potentially outdated software) is a shame, but there is nothing that you can do, from a security perspective. I would raise the issue with HR/Payroll and ask them to investigate. If you are in Europe, then you can also talk to your DPO to suggest that their "Data Processor" has troubling account security practices that need to be investigated.



      Otherwise, this is more of an internal office politics issue.






      share|improve this answer












      To start with the easy bit: you do not have to put real information as the answers to the questions. Random strings work best if you are really paranoid and store them in a password manager just like a password.



      The rest (no brute force protection, potentially outdated software) is a shame, but there is nothing that you can do, from a security perspective. I would raise the issue with HR/Payroll and ask them to investigate. If you are in Europe, then you can also talk to your DPO to suggest that their "Data Processor" has troubling account security practices that need to be investigated.



      Otherwise, this is more of an internal office politics issue.







      share|improve this answer












      share|improve this answer



      share|improve this answer










      answered yesterday









      schroeder

      70.3k27152187




      70.3k27152187








      • 4




        There is one thing you can do about the lack of protection against brute forcing passwords: You can use a strong password.
        – kasperd
        yesterday






      • 97




        "you do not have to put real information" Are you trying to tell me my First Pets Name isn't LRnq98FHk63FbrdYbJHvMRRe? I miss LRnq...
        – WernerCD
        23 hours ago






      • 68




        Or you could actually name your pets and kids with a password manger.
        – Rad80
        19 hours ago






      • 29




        @Rad80 but then people would know the answer to your security questions. You should really name your pets and kids with a password manager, but put in real/normal names in the security questions.
        – IronCraftMan
        19 hours ago






      • 9




        The problem with this approach is of course: You will need to supply the security answers only in situations where you have lost the password itself. The only way I can imagine how you lost it is by corrupting your password manager (or by not habing access to it from far away) - in which case you won't have access to your random pet names stored in the same password manager, either.
        – Hagen von Eitzen
        15 hours ago














      • 4




        There is one thing you can do about the lack of protection against brute forcing passwords: You can use a strong password.
        – kasperd
        yesterday






      • 97




        "you do not have to put real information" Are you trying to tell me my First Pets Name isn't LRnq98FHk63FbrdYbJHvMRRe? I miss LRnq...
        – WernerCD
        23 hours ago






      • 68




        Or you could actually name your pets and kids with a password manger.
        – Rad80
        19 hours ago






      • 29




        @Rad80 but then people would know the answer to your security questions. You should really name your pets and kids with a password manager, but put in real/normal names in the security questions.
        – IronCraftMan
        19 hours ago






      • 9




        The problem with this approach is of course: You will need to supply the security answers only in situations where you have lost the password itself. The only way I can imagine how you lost it is by corrupting your password manager (or by not habing access to it from far away) - in which case you won't have access to your random pet names stored in the same password manager, either.
        – Hagen von Eitzen
        15 hours ago








      4




      4




      There is one thing you can do about the lack of protection against brute forcing passwords: You can use a strong password.
      – kasperd
      yesterday




      There is one thing you can do about the lack of protection against brute forcing passwords: You can use a strong password.
      – kasperd
      yesterday




      97




      97




      "you do not have to put real information" Are you trying to tell me my First Pets Name isn't LRnq98FHk63FbrdYbJHvMRRe? I miss LRnq...
      – WernerCD
      23 hours ago




      "you do not have to put real information" Are you trying to tell me my First Pets Name isn't LRnq98FHk63FbrdYbJHvMRRe? I miss LRnq...
      – WernerCD
      23 hours ago




      68




      68




      Or you could actually name your pets and kids with a password manger.
      – Rad80
      19 hours ago




      Or you could actually name your pets and kids with a password manger.
      – Rad80
      19 hours ago




      29




      29




      @Rad80 but then people would know the answer to your security questions. You should really name your pets and kids with a password manager, but put in real/normal names in the security questions.
      – IronCraftMan
      19 hours ago




      @Rad80 but then people would know the answer to your security questions. You should really name your pets and kids with a password manager, but put in real/normal names in the security questions.
      – IronCraftMan
      19 hours ago




      9




      9




      The problem with this approach is of course: You will need to supply the security answers only in situations where you have lost the password itself. The only way I can imagine how you lost it is by corrupting your password manager (or by not habing access to it from far away) - in which case you won't have access to your random pet names stored in the same password manager, either.
      – Hagen von Eitzen
      15 hours ago




      The problem with this approach is of course: You will need to supply the security answers only in situations where you have lost the password itself. The only way I can imagine how you lost it is by corrupting your password manager (or by not habing access to it from far away) - in which case you won't have access to your random pet names stored in the same password manager, either.
      – Hagen von Eitzen
      15 hours ago












      up vote
      14
      down vote













      To me this says you haven't investigated enough to confidently say it's insecure. You haven't shown any particular direct exploit nor really dug into their system (in a non-hacking, poking around kind of way). Your superiors may not be interested because of the lacking direct evidence of this.



      As an example, my work uses a 3rd party site for scheduling vacations, I found it allows me to "recover" my password by sending my exact password back in plain-text via email, that is a direct evidence of an issue that I can report. Likewise, a site used for some IT services (SIP Trunk) had an issue where I could change the ID's in the URL and (to my surprise) view other people's account info, again, another direct line of evidence. Right now, you just have suspicions, and not obvious ones.



      As an aside, all security questions for resetting passwords are insecure, as they rely on common information. As others have suggested, you can put fake answers in here (that you can still remember) or entirely randomly generated strings. You can think of the security questions as a "String" to "String" security challenge in the most generic sense.






      share|improve this answer



















      • 8




        By the way, any down votes are welcome, as long as an explanation is given. We're all only posting here to help, so helping the help get better at helping is helpful ;-)
        – Jarrod Christman
        23 hours ago






      • 6




        You are confusing hazards with exploits. The hazards are clear and understandable. Also, you have not answered the question (you reiterated the question). "How would I go about: A. Finding out if this site is really as insecure as I think it is?" Your answer says, "you need to find out if the site is insecure"
        – schroeder
        22 hours ago






      • 1




        i didn't downvote, but login system is not protected against bruteforce / dictionary attacks is a very real direct problem. i would also check if the system is vulnerable against timing attacks (which can massively speed up a bruteforce attack), but that's just me.
        – user1067003
        14 hours ago












      • It's hard to decide which is worse: them using MD5, them rolling their own implementation of the MD5 algorithm, or them using MD5 client side. Anyone one of those is a sure sign of poor security practices.
        – Conor Mancone
        13 hours ago






      • 2




        Many employers will be greatly annoyed if they discover you pen-testing their systems without advance knowledge and permission, and some might even try to bust you for violating hacking laws. Of course, if you ask "Can I spend my working hours on pen-testing this system I'm not responsible for?" the answer may well be no.
        – Kevin
        12 hours ago

















      up vote
      14
      down vote













      To me this says you haven't investigated enough to confidently say it's insecure. You haven't shown any particular direct exploit nor really dug into their system (in a non-hacking, poking around kind of way). Your superiors may not be interested because of the lacking direct evidence of this.



      As an example, my work uses a 3rd party site for scheduling vacations, I found it allows me to "recover" my password by sending my exact password back in plain-text via email, that is a direct evidence of an issue that I can report. Likewise, a site used for some IT services (SIP Trunk) had an issue where I could change the ID's in the URL and (to my surprise) view other people's account info, again, another direct line of evidence. Right now, you just have suspicions, and not obvious ones.



      As an aside, all security questions for resetting passwords are insecure, as they rely on common information. As others have suggested, you can put fake answers in here (that you can still remember) or entirely randomly generated strings. You can think of the security questions as a "String" to "String" security challenge in the most generic sense.






      share|improve this answer



















      • 8




        By the way, any down votes are welcome, as long as an explanation is given. We're all only posting here to help, so helping the help get better at helping is helpful ;-)
        – Jarrod Christman
        23 hours ago






      • 6




        You are confusing hazards with exploits. The hazards are clear and understandable. Also, you have not answered the question (you reiterated the question). "How would I go about: A. Finding out if this site is really as insecure as I think it is?" Your answer says, "you need to find out if the site is insecure"
        – schroeder
        22 hours ago






      • 1




        i didn't downvote, but login system is not protected against bruteforce / dictionary attacks is a very real direct problem. i would also check if the system is vulnerable against timing attacks (which can massively speed up a bruteforce attack), but that's just me.
        – user1067003
        14 hours ago












      • It's hard to decide which is worse: them using MD5, them rolling their own implementation of the MD5 algorithm, or them using MD5 client side. Anyone one of those is a sure sign of poor security practices.
        – Conor Mancone
        13 hours ago






      • 2




        Many employers will be greatly annoyed if they discover you pen-testing their systems without advance knowledge and permission, and some might even try to bust you for violating hacking laws. Of course, if you ask "Can I spend my working hours on pen-testing this system I'm not responsible for?" the answer may well be no.
        – Kevin
        12 hours ago















      up vote
      14
      down vote










      up vote
      14
      down vote









      To me this says you haven't investigated enough to confidently say it's insecure. You haven't shown any particular direct exploit nor really dug into their system (in a non-hacking, poking around kind of way). Your superiors may not be interested because of the lacking direct evidence of this.



      As an example, my work uses a 3rd party site for scheduling vacations, I found it allows me to "recover" my password by sending my exact password back in plain-text via email, that is a direct evidence of an issue that I can report. Likewise, a site used for some IT services (SIP Trunk) had an issue where I could change the ID's in the URL and (to my surprise) view other people's account info, again, another direct line of evidence. Right now, you just have suspicions, and not obvious ones.



      As an aside, all security questions for resetting passwords are insecure, as they rely on common information. As others have suggested, you can put fake answers in here (that you can still remember) or entirely randomly generated strings. You can think of the security questions as a "String" to "String" security challenge in the most generic sense.






      share|improve this answer














      To me this says you haven't investigated enough to confidently say it's insecure. You haven't shown any particular direct exploit nor really dug into their system (in a non-hacking, poking around kind of way). Your superiors may not be interested because of the lacking direct evidence of this.



      As an example, my work uses a 3rd party site for scheduling vacations, I found it allows me to "recover" my password by sending my exact password back in plain-text via email, that is a direct evidence of an issue that I can report. Likewise, a site used for some IT services (SIP Trunk) had an issue where I could change the ID's in the URL and (to my surprise) view other people's account info, again, another direct line of evidence. Right now, you just have suspicions, and not obvious ones.



      As an aside, all security questions for resetting passwords are insecure, as they rely on common information. As others have suggested, you can put fake answers in here (that you can still remember) or entirely randomly generated strings. You can think of the security questions as a "String" to "String" security challenge in the most generic sense.







      share|improve this answer














      share|improve this answer



      share|improve this answer








      edited 22 hours ago









      schroeder

      70.3k27152187




      70.3k27152187










      answered 23 hours ago









      Jarrod Christman

      37716




      37716








      • 8




        By the way, any down votes are welcome, as long as an explanation is given. We're all only posting here to help, so helping the help get better at helping is helpful ;-)
        – Jarrod Christman
        23 hours ago






      • 6




        You are confusing hazards with exploits. The hazards are clear and understandable. Also, you have not answered the question (you reiterated the question). "How would I go about: A. Finding out if this site is really as insecure as I think it is?" Your answer says, "you need to find out if the site is insecure"
        – schroeder
        22 hours ago






      • 1




        i didn't downvote, but login system is not protected against bruteforce / dictionary attacks is a very real direct problem. i would also check if the system is vulnerable against timing attacks (which can massively speed up a bruteforce attack), but that's just me.
        – user1067003
        14 hours ago












      • It's hard to decide which is worse: them using MD5, them rolling their own implementation of the MD5 algorithm, or them using MD5 client side. Anyone one of those is a sure sign of poor security practices.
        – Conor Mancone
        13 hours ago






      • 2




        Many employers will be greatly annoyed if they discover you pen-testing their systems without advance knowledge and permission, and some might even try to bust you for violating hacking laws. Of course, if you ask "Can I spend my working hours on pen-testing this system I'm not responsible for?" the answer may well be no.
        – Kevin
        12 hours ago
















      • 8




        By the way, any down votes are welcome, as long as an explanation is given. We're all only posting here to help, so helping the help get better at helping is helpful ;-)
        – Jarrod Christman
        23 hours ago






      • 6




        You are confusing hazards with exploits. The hazards are clear and understandable. Also, you have not answered the question (you reiterated the question). "How would I go about: A. Finding out if this site is really as insecure as I think it is?" Your answer says, "you need to find out if the site is insecure"
        – schroeder
        22 hours ago






      • 1




        i didn't downvote, but login system is not protected against bruteforce / dictionary attacks is a very real direct problem. i would also check if the system is vulnerable against timing attacks (which can massively speed up a bruteforce attack), but that's just me.
        – user1067003
        14 hours ago












      • It's hard to decide which is worse: them using MD5, them rolling their own implementation of the MD5 algorithm, or them using MD5 client side. Anyone one of those is a sure sign of poor security practices.
        – Conor Mancone
        13 hours ago






      • 2




        Many employers will be greatly annoyed if they discover you pen-testing their systems without advance knowledge and permission, and some might even try to bust you for violating hacking laws. Of course, if you ask "Can I spend my working hours on pen-testing this system I'm not responsible for?" the answer may well be no.
        – Kevin
        12 hours ago










      8




      8




      By the way, any down votes are welcome, as long as an explanation is given. We're all only posting here to help, so helping the help get better at helping is helpful ;-)
      – Jarrod Christman
      23 hours ago




      By the way, any down votes are welcome, as long as an explanation is given. We're all only posting here to help, so helping the help get better at helping is helpful ;-)
      – Jarrod Christman
      23 hours ago




      6




      6




      You are confusing hazards with exploits. The hazards are clear and understandable. Also, you have not answered the question (you reiterated the question). "How would I go about: A. Finding out if this site is really as insecure as I think it is?" Your answer says, "you need to find out if the site is insecure"
      – schroeder
      22 hours ago




      You are confusing hazards with exploits. The hazards are clear and understandable. Also, you have not answered the question (you reiterated the question). "How would I go about: A. Finding out if this site is really as insecure as I think it is?" Your answer says, "you need to find out if the site is insecure"
      – schroeder
      22 hours ago




      1




      1




      i didn't downvote, but login system is not protected against bruteforce / dictionary attacks is a very real direct problem. i would also check if the system is vulnerable against timing attacks (which can massively speed up a bruteforce attack), but that's just me.
      – user1067003
      14 hours ago






      i didn't downvote, but login system is not protected against bruteforce / dictionary attacks is a very real direct problem. i would also check if the system is vulnerable against timing attacks (which can massively speed up a bruteforce attack), but that's just me.
      – user1067003
      14 hours ago














      It's hard to decide which is worse: them using MD5, them rolling their own implementation of the MD5 algorithm, or them using MD5 client side. Anyone one of those is a sure sign of poor security practices.
      – Conor Mancone
      13 hours ago




      It's hard to decide which is worse: them using MD5, them rolling their own implementation of the MD5 algorithm, or them using MD5 client side. Anyone one of those is a sure sign of poor security practices.
      – Conor Mancone
      13 hours ago




      2




      2




      Many employers will be greatly annoyed if they discover you pen-testing their systems without advance knowledge and permission, and some might even try to bust you for violating hacking laws. Of course, if you ask "Can I spend my working hours on pen-testing this system I'm not responsible for?" the answer may well be no.
      – Kevin
      12 hours ago






      Many employers will be greatly annoyed if they discover you pen-testing their systems without advance knowledge and permission, and some might even try to bust you for violating hacking laws. Of course, if you ask "Can I spend my working hours on pen-testing this system I'm not responsible for?" the answer may well be no.
      – Kevin
      12 hours ago












      up vote
      1
      down vote














      How would I go about:



      A. Finding out if this site is really as insecure as I think it is?




      You really cannot, unless you witness a concrete, exploitable problem. That's what infosec companies do, they try to actively break systems (with consent of the owners). They know many procedures and techniques to systematically take such an application appart, from simple things like using HTTP instead of HTTPS, insecure usage of cookies, XSS, SQL injection, but also other stuff like IDs being obviously simply counted up (which means you can just try them out sequentially), stuff being only checked on the browser (easily forged), and so on and so forth.



      They also can combine blackbox- with whitebox-approaches (i.e., just looking from the outside, like any hacker/cracker would do, or actually studying the source code, entering the servers with provided accounts, and so on).



      You could do all that yourself, but as you are asking, you obviously don't really know how. But the main problem is that if you did that, without first getting consent, you'd be at least in gray territory, if not outright breaking law.




      B. if true: communicating this in an appropriate manner to the company itself (preferably in an anonymous fashion)




      You cannot (anonymously, at least). If there is a dedicated CISO, he would be your first line of attack; but aside from that, especially in smaller firms, there is little you can do if your management just shrugs it off.



      I guess there may be specific circumstances in which some government agency might be interested - for example if your company works for the government in an area which has strict security requirements; then obviously you might try to get an anonymous message to somewhere, but why would they care about your HR information...



      But in general, for arbitrary companies, the saying "There's no fate but what we make for ourselves" would apply.






      share|improve this answer

























        up vote
        1
        down vote














        How would I go about:



        A. Finding out if this site is really as insecure as I think it is?




        You really cannot, unless you witness a concrete, exploitable problem. That's what infosec companies do, they try to actively break systems (with consent of the owners). They know many procedures and techniques to systematically take such an application appart, from simple things like using HTTP instead of HTTPS, insecure usage of cookies, XSS, SQL injection, but also other stuff like IDs being obviously simply counted up (which means you can just try them out sequentially), stuff being only checked on the browser (easily forged), and so on and so forth.



        They also can combine blackbox- with whitebox-approaches (i.e., just looking from the outside, like any hacker/cracker would do, or actually studying the source code, entering the servers with provided accounts, and so on).



        You could do all that yourself, but as you are asking, you obviously don't really know how. But the main problem is that if you did that, without first getting consent, you'd be at least in gray territory, if not outright breaking law.




        B. if true: communicating this in an appropriate manner to the company itself (preferably in an anonymous fashion)




        You cannot (anonymously, at least). If there is a dedicated CISO, he would be your first line of attack; but aside from that, especially in smaller firms, there is little you can do if your management just shrugs it off.



        I guess there may be specific circumstances in which some government agency might be interested - for example if your company works for the government in an area which has strict security requirements; then obviously you might try to get an anonymous message to somewhere, but why would they care about your HR information...



        But in general, for arbitrary companies, the saying "There's no fate but what we make for ourselves" would apply.






        share|improve this answer























          up vote
          1
          down vote










          up vote
          1
          down vote










          How would I go about:



          A. Finding out if this site is really as insecure as I think it is?




          You really cannot, unless you witness a concrete, exploitable problem. That's what infosec companies do, they try to actively break systems (with consent of the owners). They know many procedures and techniques to systematically take such an application appart, from simple things like using HTTP instead of HTTPS, insecure usage of cookies, XSS, SQL injection, but also other stuff like IDs being obviously simply counted up (which means you can just try them out sequentially), stuff being only checked on the browser (easily forged), and so on and so forth.



          They also can combine blackbox- with whitebox-approaches (i.e., just looking from the outside, like any hacker/cracker would do, or actually studying the source code, entering the servers with provided accounts, and so on).



          You could do all that yourself, but as you are asking, you obviously don't really know how. But the main problem is that if you did that, without first getting consent, you'd be at least in gray territory, if not outright breaking law.




          B. if true: communicating this in an appropriate manner to the company itself (preferably in an anonymous fashion)




          You cannot (anonymously, at least). If there is a dedicated CISO, he would be your first line of attack; but aside from that, especially in smaller firms, there is little you can do if your management just shrugs it off.



          I guess there may be specific circumstances in which some government agency might be interested - for example if your company works for the government in an area which has strict security requirements; then obviously you might try to get an anonymous message to somewhere, but why would they care about your HR information...



          But in general, for arbitrary companies, the saying "There's no fate but what we make for ourselves" would apply.






          share|improve this answer













          How would I go about:



          A. Finding out if this site is really as insecure as I think it is?




          You really cannot, unless you witness a concrete, exploitable problem. That's what infosec companies do, they try to actively break systems (with consent of the owners). They know many procedures and techniques to systematically take such an application appart, from simple things like using HTTP instead of HTTPS, insecure usage of cookies, XSS, SQL injection, but also other stuff like IDs being obviously simply counted up (which means you can just try them out sequentially), stuff being only checked on the browser (easily forged), and so on and so forth.



          They also can combine blackbox- with whitebox-approaches (i.e., just looking from the outside, like any hacker/cracker would do, or actually studying the source code, entering the servers with provided accounts, and so on).



          You could do all that yourself, but as you are asking, you obviously don't really know how. But the main problem is that if you did that, without first getting consent, you'd be at least in gray territory, if not outright breaking law.




          B. if true: communicating this in an appropriate manner to the company itself (preferably in an anonymous fashion)




          You cannot (anonymously, at least). If there is a dedicated CISO, he would be your first line of attack; but aside from that, especially in smaller firms, there is little you can do if your management just shrugs it off.



          I guess there may be specific circumstances in which some government agency might be interested - for example if your company works for the government in an area which has strict security requirements; then obviously you might try to get an anonymous message to somewhere, but why would they care about your HR information...



          But in general, for arbitrary companies, the saying "There's no fate but what we make for ourselves" would apply.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered 15 hours ago









          AnoE

          2,0021311




          2,0021311






















              up vote
              -2
              down vote













              If you are an IT professional you can read the ACM Code of Ethics, which is the most comprehensive ethics code in IT today.



              Section 1.2 says:
              "A computing professional has an additional obligation to report any signs of system risks that might result in harm. If leaders do not act to curtail or mitigate such risks, it may be necessary to "blow the whistle" to reduce potential harm. However, capricious or misguided reporting of risks can itself be harmful. Before reporting risks, a computing professional should carefully assess relevant aspects of the situation."






              share|improve this answer

























                up vote
                -2
                down vote













                If you are an IT professional you can read the ACM Code of Ethics, which is the most comprehensive ethics code in IT today.



                Section 1.2 says:
                "A computing professional has an additional obligation to report any signs of system risks that might result in harm. If leaders do not act to curtail or mitigate such risks, it may be necessary to "blow the whistle" to reduce potential harm. However, capricious or misguided reporting of risks can itself be harmful. Before reporting risks, a computing professional should carefully assess relevant aspects of the situation."






                share|improve this answer























                  up vote
                  -2
                  down vote










                  up vote
                  -2
                  down vote









                  If you are an IT professional you can read the ACM Code of Ethics, which is the most comprehensive ethics code in IT today.



                  Section 1.2 says:
                  "A computing professional has an additional obligation to report any signs of system risks that might result in harm. If leaders do not act to curtail or mitigate such risks, it may be necessary to "blow the whistle" to reduce potential harm. However, capricious or misguided reporting of risks can itself be harmful. Before reporting risks, a computing professional should carefully assess relevant aspects of the situation."






                  share|improve this answer












                  If you are an IT professional you can read the ACM Code of Ethics, which is the most comprehensive ethics code in IT today.



                  Section 1.2 says:
                  "A computing professional has an additional obligation to report any signs of system risks that might result in harm. If leaders do not act to curtail or mitigate such risks, it may be necessary to "blow the whistle" to reduce potential harm. However, capricious or misguided reporting of risks can itself be harmful. Before reporting risks, a computing professional should carefully assess relevant aspects of the situation."







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered yesterday









                  Peter Papadopoulos

                  1936




                  1936






















                      A. Nony-Mous is a new contributor. Be nice, and check out our Code of Conduct.










                       

                      draft saved


                      draft discarded


















                      A. Nony-Mous is a new contributor. Be nice, and check out our Code of Conduct.













                      A. Nony-Mous is a new contributor. Be nice, and check out our Code of Conduct.












                      A. Nony-Mous is a new contributor. Be nice, and check out our Code of Conduct.















                       


                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function () {
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f197720%2fmy-work-requires-me-to-work-with-what-i-believe-to-be-a-very-insecure-website%23new-answer', 'question_page');
                      }
                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      Popular posts from this blog

                      數位音樂下載

                      When can things happen in Etherscan, such as the picture below?

                      格利澤436b