New Login portal

At work, whenever we need to log into a website, it displays a custom login screen. The text box labelled “Sign in” has the following text

“Enter user name as instructed below in GREY Box”

At the bottom, there is a grey box:

“Enter the password associated with your username”

The text box actually wants your email address, but its label tells you to enter your username and to read the grey box, and the grey box tells you to enter your password.

Absolute shambles of an implementation.

Retention Policy

After we got taken over, we were notified that our parent company has a “Retention Policy”. This is the time when information will be permanently deleted. 

This affected emails, Teams messages, OneDrive files, and SharePoint data.

Emails: 90 days
Archived emails: 3 years
Shared emails: 3 years
Teams personal chats: 90 days
Team Channel posts: 3 years
OneDrive: 5 years since modified
SharePoint: 1-5 years (decided via approval process)

When we were told this, we thought it was ridiculous. How many times has someone needed to dig up an old email to determine why code was written the way it was? How many times have we dug up an old Team chat to know how to fix a random configuration error that suddenly happened?

If they are deleted after 90 days, then we will lose a lot of information.

After raising concerns, we initially got pushback along the lines of “if it’s important, then it should be in a Team Channel or on SharePoint”.

But even then it can still be deleted after a length of time. 3 years might sound like a lot, but it soon passes.

It sounded like there was no warning when information was about to be deleted either. It just disappears silently and there’s nothing you can do about it if you didn’t copy it elsewhere.

There was more pushback when some long-standing employees said they would have to go through 10 years of emails to decide what could potentially be useful and what isn’t. After a lot of pushback, we got the email policy increased to 3 years.

Secrets in code 

Recently, we received the following message sent to the entire Software Development department from a manager:

Over the last couple of days, we have witnessed multiple instances of sensitive credentials committed into GitHub. This has been noticed by chance whilst supporting teams / reviewing PRs. Instances have included an individual’s GitHub PAT & test user account password. 

The security team are likely to enable a secret scanning tool in GitHub to help identify instances of this in future. However, this isn’t guaranteed to spot all issues, and by the time it does, we are already potentially at risk. 

Please ensure that you are vigilant in reviewing your own / others’ code before committing / merging code. If a sensitive credential is identified, please ensure that this is removed and revoked immediately to prevent misuse of the secret. 

I’m really surprised that multiple people have done this, because we keep talking about improving security and improving processes. Adding private keys/credentials etc. to your repository is a common cliché and is Security Lesson 1. We have talked about having security scanners on our code from the very start of the project.

I thought GitHub automatically scanned for credentials but it might just be for public repositories, and ours are private.

Security keys/tokens can often easily be regenerated, so it’s easily fixed. However, your mistake of committing them is in the history of the file. I suppose there are technically ways to rewrite the history, but at a massive inconvenience.
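Because a scanner that runs after a push is already too late (the secret is in history, and in everyone else’s clone), the place to catch this is before the commit. The following is an added example of a minimal pre-commit scanner; it is not the company’s tooling or GitHub’s own secret scanning. It reads the staged diff, applies a few rules (the “ghp_” prefix plus 36 characters is GitHub’s documented classic PAT shape; the password and private-key rules are generic heuristics) and reports only a redacted preview. The sample diff, token and password are constructed for the demo.

```python
import re
import subprocess
import sys

# Detection rules for the kinds of secret the manager's message mentions.
# "ghp_" plus 36 characters is GitHub's documented classic PAT shape; the
# password-assignment and private-key rules are generic heuristics and will
# need tuning for a real code base.
RULES = {
    "github_classic_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "password_assignment": re.compile(
        r"(?i)(password|passwd|pwd)\s*[:=]\s*['\"][^'\"]{4,}['\"]"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Constructed sample diff (not a real commit) with a fake token and password.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,5 @@
 DEBUG = False
+GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"
+TEST_USER_PASSWORD = "Summer2024!"
 ALLOWED_HOSTS = []
"""


def redact(match_text: str) -> str:
    """Keep only a short prefix so the scanner's own output never leaks the secret."""
    return match_text[:4] + "..."


def scan_diff(diff_text: str) -> list:
    """Return one finding per added line that matches a rule.

    Only '+' lines are examined: a line being deleted is not a new leak,
    although the secret on it still needs revoking because it is in history.
    """
    findings = []
    path = None
    new_line_no = 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif line.startswith("@@"):
            # Hunk header "@@ -a,b +c,d @@": c is the first new-file line number.
            new_start = line.split("+", 1)[1].split(",")[0].split(" ")[0]
            new_line_no = int(new_start) - 1
        elif line.startswith("+"):
            new_line_no += 1
            for rule, rx in RULES.items():
                m = rx.search(line[1:])
                if m:
                    findings.append({"path": path, "line": new_line_no,
                                     "rule": rule, "preview": redact(m.group(0))})
        elif not line.startswith("-"):
            new_line_no += 1  # unchanged context line also advances the new-file counter
    return findings


def staged_diff() -> str:
    """Diff of what is about to be committed (standard git options)."""
    return subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # "python scan_secrets.py --demo" scans the sample; with no argument it scans
    # the staged changes, so it can be wired in as a pre-commit hook.
    text = SAMPLE_DIFF if "--demo" in sys.argv else staged_diff()
    hits = scan_diff(text)
    for h in hits:
        print(f"{h['path']}:{h['line']}: {h['rule']} ({h['preview']})")
    sys.exit(1 if hits else 0)  # non-zero exit blocks the commit
```

Run with `--demo` to see the two findings from the sample; wired in as `.git/hooks/pre-commit` it scans whatever is staged and refuses the commit on a hit. It will miss secrets that match none of the rules, which is the same caveat the manager’s message makes about the GitHub tool, so it complements review rather than replacing it.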

Suspicious Parent Company Emails

When we got taken over, we started receiving emails from our parent company. However, we were not told what to expect in future emails and many look rather suspicious. 

Some emails just go straight to Junk so they obviously haven’t communicated well with our IT department either.

As part of our security training, you are told to be wary of unexpected emails and to look for suspicious links and text calling for urgent action. These emails tick all the boxes.

One example of an email was titled “Secure: Your Security Access Request was completed”. It looked like an invoice with my name, the date and a Request Id link, with a header containing the word SECURE in upper case. It had no information detailing what request was completed, so you had to click the link to find out. I didn’t make a request, but it did say it was on my behalf.

The email address looked like our parent company’s main domain name. It was received in the same week as we got told about our new credentials to access some of their systems. So was this related or not? 

When we don’t understand the new systems, know what we should be able to access, or know who we need to communicate with, it would be prime time for a malicious hacking group to try to socially engineer our credentials. This seems hypocritical when they made a big fuss when they were hit with a cyber-attack in recent times.

Project Gatekeeper

A few years ago, the company I work for was taken over by a larger group of companies. One of the smallest companies they own deals with financial payments, so it is much more important than its size suggests.

My understanding is that someone working for that company was socially engineered and their password was obtained. The cyber-crime group that acquired the password then used it to install ransomware on the entire system. Sensitive information was believed to be stolen, and the systems were unusable, preventing millions of transactions from being processed.

It was a massive hit to the reputation of the parent company, and cost millions paying out loans to those hindered, and compensation over the incident.

Even though it had nothing to do with our company, it caused instant fear that we could be next, therefore any security policy that could be changed was.

The stolen account didn’t have 2 factor authentication, but even if it did, the code could have also been socially engineered. I think it’s a bit naïve to assume that was the only reason it happened.

Even though we used 2FA on our accounts, products like Microsoft Teams ask you to log in and then keep you permanently logged in. So they changed the policy so it asked you every day. As we found out, Microsoft Office doesn’t handle this well, sometimes struggling to log in to Teams and Outlook at the start of our days. I’m not sure what that was even trying to achieve, but it was a massive annoyance to everyone. It was then reverted after a week or so.

Other changes followed as part of what we called “The Gatekeeper Programme”.

Gatekeeper Programme Scope

  • Risk assess all practices, tools and techniques
  • Prioritise security-based projects
  • Create new practices, policies, processes and control measures
  • Improve security monitoring
  • Remove use of out-of-support products
  • Training to prevent against social engineering

What it really meant is we ended up switching to products used by the parent company, and we lost access to do certain activities. So our VPN software was changed, we had different Remote Desktop software and only certain people were allowed to use it.

In some ways this does make sense as it reduces the number of products that could have a vulnerability. Restricting privileges to only necessary staff members also reduces the number of people malicious groups can target.

Many of the changes seemed an over-reaction and the urgency we had to remove products was a massive hindrance on certain departments, mainly Group IT.

More Group IT Tales

Rogue PC

I was looking at my asset form and I saw that I had 3 devices assigned to me, 1 laptop and 2 PCs. I only own 1 laptop and 1 PC, so what is this rogue PC? Has it been assigned to me incorrectly? Is it a security risk? Could it be on the network in my name and used by a hacker?

I logged an urgent ticket with our IT department, telling them I do not recognise the device. The device name didn’t seem correct since I could not remote onto it with the usual domain name.

The response I got back from them was:

as per above details this seems to be in working.

if this is not your system, please let us know for decommissioning?

What sort of question is that? If it isn’t my computer and is someone else’s, why am I in charge of deciding whether to disable it or not? Shouldn’t we work out if one of our employees owns this? Could it be that a malicious person has managed to get a PC on the network and assign it to an employee? This could be a major security threat.

Turns out it was my PC, just that the same PC had been entered twice under completely different “Computer Names”. The Head of IT saw my ticket and the response I got and intervened. Surely it should have been easy to see who was signed in. The original technician should have seen I was logged in, and told me more info about the device like the IP address, Make/Model etc so I could confirm.

Can’t Update

Recently, they made a change to remove admin access, which is a problem when it comes to installing some software, but that’s their main intention. However, we often get told to update software when there are security updates, but we cannot because we aren’t admin users anymore. It’s a frustrating situation having Group IT on your back telling you to update your software when you cannot because they took admin access away. They should have made sure they could do it remotely before taking your access.

I had switched projects and needed to install some extra software as well as update the couple of Visual Studio versions I have so I logged a ticket.

Sometimes I find that you can install software and then later on realise you needed to install optional components so it was frustrating logging the ticket to do the initial install, knowing I probably need to log another ticket next week.

After speaking to other colleagues, they said they had some kind of admin access override and I needed to request that. All overrides are audited so they can see what you are doing.

I don’t understand how they can say we “can’t have admin access” then it turns out most people in the department do, but it’s inconsistently implemented.

Out of Tune with InTune

As you may have seen in my recent Post, Group IT are now beginning the rollout of InTune Hybrid-Join across our computer estate. This is to ensure we have a consistent view of the security compliance status of our computers. Connecting them all to InTune allows us to benchmark our compliance to determine what work (if any) is needed to improve it.

A week later…

Following on from the below I can confirm that your device has already been successfully Hybrid-Joined into InTune.
This is likely due to your presence at a site where the policy has pulled through from the corporate network or regular use of the VPN in your day-to-day.
No further action is required on your part.

Couple of days later..

Hello!
Further to the below I can confirm that your device has been successfully imported into InTune.
Apologies in advance if this is repeat information but no further action is required on your part.
Many thanks!

Couple of days later..

Hello!
Following on from the below it looks like your device still hasn’t been imported into InTune.
If you have already followed the below instruction and had it fail, please sit tight – further instructions will follow. You do not need to reply.
If you are still to action the below, please do so ASAP.
Many thanks!

It really sounds like they have no idea if you have been added to the system or not. I think I was added straight away, but I never visited an office like they claimed.

Group IT Windows Update Script

Last year, there was a major Windows Update, and Group IT stated it was a big project to update all the employees’ computers in the company (around 1500). They had a script that would run automatically at 7pm if we left our laptops on out of hours.

So I left it on, and no update. Next day, same thing. Next day, same thing.

They posted an update to say what a success the rollout had been so far: 200 computers had been updated. That seems really low to me (13.3% in a month). They then declared there were some known failures, but they hadn’t bothered looking at why they were happening; they would continue to run the script and wouldn’t contact affected people either. Everyone has to keep leaving their laptops on at 7pm each night.

A few people said they noticed it had failed due to low disk space and I thought that is a great point. If it’s a 5GB update, then they should state people need to ensure there is free space. As it turned out, it seemed like it downloaded 5GB or so, then was copied into a different file format, then installed. So you ended up needing around 15GB, and had to clear the 10GB of files after.

CE+ certification

Quick heads up: we’re making some important changes to boost the security of our systems and get us closer to achieving CE+ certification. Starting tomorrow at 10:00am BST, we’re going to be removing some old .NET software from your computer. 

These are versions that have reached end-of-life and are either critical or high vulnerabilities as reported by Nessus. If you’re using Visual Studio and encounter any issues after the removal, please follow this guide in order to repair your VS installations:  https://learn.microsoft.com/en-us/visualstudio/install/repair-visual-studio?view=vs-2022

If you notice any other software reliant on .NET has stopped working, please log a ticket with the Group IT Service Desk. Thanks for your understanding and cooperation on this matter.

We have a few products that we make that rely on the older .NET Framework versions. I love how they assume our products are supported and give us 1 day’s notice. Surely they know exactly what they are removing; they’re so unspecific too: “some old .NET software”. Is it to do with .NET Framework, Visual Studio, SQL Server?

On the same day, I got added to a chat where they were discussing how upgrading Docker Desktop has broken a tool used by our products. It’s the classic case of just assuming we can update/change things without asking the experts involved.

Anyway, later that day:

Our apologies for the promptness of the previous email, we have made a decision to postpone the scheduled removal of .NET. The decision comes after careful consideration and listening to your valuable feedback and concerns regarding the removal. We understand the importance of providing you with appropriate time to consider the impact this would have on the software you use. The postponement will also afford you the opportunity to inform us of any software currently utilising end-of-life .NET versions, allowing us to address and raise these concerns with Security where applicable. We will be sending out another email next week with comprehensive details on the specific .NET versions that are set to be removed. For now, I can tell you these will be SDK, ASP.NET and CORE versions of .NET and not Framework. Thank you for your understanding and cooperation on this. Should you have any immediate questions or concerns, please do not hesitate to reach out.

Wallpaper

Years ago, we were allowed to change our desktop backgrounds. Some people chose cool artwork and others left it as the default Windows. One day, Group IT decided to change it to our company logo. Many people were outraged by it but I wasn’t bothered. I suppose Matt made a good point here though:

Please can you explain the best practice behind the wallpaper? Unless you do not work all day, you have programs over the top of the wallpaper, so on the rare moment you have to look at your wallpaper: why would we need the company logo? All this is doing is reducing company morale. I would have understood if you had locked down the lock screen image.

I think a sensible rationale is when we worked in the office and could have visitors from other companies. It is more professional. Now we are at home, it is less important.

MFA Policy change – effective today

Good afternoon, as per the Group IT update at the beginning of the month, today we have implemented a planned change which sets all accounts to prompt for MFA each day when accessing Microsoft 365 services. This is in line with many other products and helps improve our overall security.
Some people will have noticed (or may notice as the day progresses) they have been forced to sign out of Outlook or Teams - and may need to restart those (or other) applications to continue.
Existing meetings do not appear to be affected - users will be asked to sign in again once their current meeting ends.

Next week:

Good morning everyone,
As you will know on Thursday we implemented a change to improve our security. Please read the following information carefully to understand what happened as a result, what has happened since, and what to do if you are adversely affected.
The change had the unforeseen side-effect of requiring people to re-authenticate at the point of implementation - between 10 and 10.30 on Thursday. This also meant there would be a requirement to repeat that processes each day at the same time.
Users of Apple Mac laptops may have found themselves signed out of Teams when this happened, even if a meeting was in progress - For Windows Teams users this should not have been the case.
Over the weekend, the policy has been reset, it was re-implemented at 6pm yesterday. We updated the policy setting, to prompt every 23 hours rather than every day.
This means that the following should now be the case:
This morning you should have been asked to re-enter your MFA token
You should not be asked to do this again for another 23 hours
Which should therefore mean - for most - the next time you should be asked to enter your M365 MFA token is when you next sign in for work.

There is an added annoyance on the company phones as it requires your 16 character MS password prior to reauthenticating using the MFA code.
I'm having to password and MFA on Outlook and Teams on my company mobile separately.
Is this the way now?

Signing into Teams each day appears to take a lot longer than signing into other apps. The ‘One moment…’ dialog is on my screen for around half a minute and it takes another minute or two for Teams to fully load all new messages into it.

Wondering if it’s the same for others, is it expected to take this long?

Annoyed colleague, stating how these apps aren’t even designed for repeated sign-ins

Then a week later, it was fully reverted: 

A further update to the MFA policy

On Saturday, the MFA policy was updated again. The frequency with which you should be prompted has been extended to 30 days.
This means, that anyone who authenticated prior to Saturday at 6pm, should not be prompted for 30 days from that date and time.
Anyone who authenticated this morning should not be prompted for 30 days from that time.
We hope this provides an effective balance of security and functionality.

I think Azure DevOps always asked us to sign in daily, but after this new change to make things more secure, it was changed to 30 days. So it was actually less secure, and was probably unintentionally changed as a blanket policy.

Conclusion

I think these stories illustrate a point that you need to consult with the experts and understand the impact of your changes before declaring them. Having to revert policies that obviously would have a negative impact just makes the team look foolish. You also need a good balance between people being able to do their work effectively, and keeping systems safe and secure.

XKCD Password advice is great but let’s not use it

We’ve mainly had the usual password restrictions of having to have a capital letter, a number and a symbol in our passwords, but recently, some of the posts by IT have referenced the classic XKCD comic on passwords (xkcd: Password Strength).

XKCD illustrates the point that if you have fewer characters and require symbols and numbers, then you are either gonna just put them at the end or use a simple substitution like swapping an “o” for a “0”. It can then be hard to remember, but a password is no good if you cannot remember it. So they reckon the best thing is to use a memorable combination of words without numbers or symbols; the combination of words makes it a long password that is hard to crack.

However, despite referencing XKCD, our IT still force the old ideas into it; so bastardising their advice:

20 characters sounds like a lot to remember for a password, so the best method to use is the “4 Words” method. Choose 4 random words (not your kids’ names), add a year (not your birth year), and put a symbol in there somewhere. This gives us something like:
Bird%CardPortBook3925

IT

Then they make the claim it’s easy to remember.

Hard-to-type passwords, combined with a strict timeout on our laptops when we work at home, quickly become infuriating:

“Anyone else need a time card for logging back into laptop 50 times a day with a new 16 digit sign in password?
Seriously, why is the fingerprint & facial recognition login disabled on the laptops, or is there a way to change the autosleep setting to more than 10 mins?”

Angry Colleague

Aside from our password to log into our laptops, IT do recommend using a password manager and using it to generate and store passwords. That is common advice from modern security professionals, so they have definitely at least partly understood and modernised best practices.

When I downloaded Keeper to use at work, I chose a master password and it showed:

Password Strength: Strong
<click next>
"Password must contain 1 digit"

Those restrictions also don’t make a great password. You can often set an incredibly bad password on many websites. For example:
P@ssw0rd
This will pass many password complexity criteria (uppercase, lowercase, number, non-alphanumeric character, 8 chars long) but is clearly terrible.
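To make the XKCD point and the P@ssw0rd point concrete, here is an added example (not from IT’s posts, the comic, or Keeper) that checks a password against the classic complexity rules, undoes the usual substitutions before a known-bad lookup, and estimates strength from how the password was generated rather than from which character classes it contains. The word list and known-bad list are tiny constructed stand-ins for a real word list and breach corpus, and the year, symbol and position counts in `it_scheme_entropy_bits` are my assumptions about IT’s “4 Words” scheme.

```python
import math
import re
import secrets
import string

# Constructed word list and "known bad" list for the demo. A real check would
# use a large word list (e.g. the EFF diceware list) and a breach corpus.
WORDLIST = ["bird", "card", "port", "book", "correct", "horse", "battery", "staple"]
COMMON_PASSWORDS = {"password", "welcome", "letmein", "qwerty", "summer", "monkey"}
# Undo the substitutions XKCD mentions ("o" -> "0" and friends) before lookup.
LEET = str.maketrans("@$0314", "asoela")


def meets_complexity(pw: str, min_len: int = 8) -> bool:
    """The classic rule set: length, upper, lower, digit, symbol."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def normalised_forms(pw: str) -> set:
    """Lower-case, de-leet, and strip trailing digits/symbols ('Summer2024!' -> 'summer')."""
    base = pw.lower()
    return {base, base.translate(LEET), re.sub(r"[^a-z]+$", "", base)}


def is_common(pw: str) -> bool:
    """True if any normalised form is a known-bad password."""
    return any(form in COMMON_PASSWORDS for form in normalised_forms(pw))


def random_string_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string of `length` symbols from an alphabet."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of `n_words` picked uniformly (with replacement) from a word list."""
    return n_words * math.log2(wordlist_size)


def it_scheme_entropy_bits(n_words, wordlist_size, years=100, symbols=32, positions=21):
    """Entropy of the '4 words + a year + a symbol somewhere' scheme when the
    attacker knows the scheme. Assumed: ~100 plausible years, 32 symbols and
    21 possible symbol positions in a 21-character password."""
    return (passphrase_entropy_bits(n_words, wordlist_size)
            + math.log2(years) + math.log2(symbols) + math.log2(positions))


def generate_passphrase(n_words: int = 4, wordlist=WORDLIST, rng=secrets) -> str:
    """Words drawn with a CSPRNG; the strength comes from the draw, not from symbols."""
    return " ".join(rng.choice(wordlist) for _ in range(n_words))


def assess(pw: str) -> dict:
    """Complexity rules and known-bad check side by side, as the Keeper prompt did not."""
    return {"meets_complexity": meets_complexity(pw), "is_common": is_common(pw)}
```

`assess("P@ssw0rd")` passes every complexity rule and is still a known-bad password once the substitutions are undone, while `assess("correct horse battery staple")` fails the rules and is fine. The entropy functions show the rest of the argument: four words from a 2048-word list is 44 bits, an 8-character random string from 94 printable characters is about 52 bits, and IT’s year-and-symbol additions only add around 16 bits to the four words against an attacker who knows the scheme.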

There’s this website that catalogues poor password rules:
https://dumbpasswordrules.com/sites/

We used to recommend LastPass, and despite some security incidents at LastPass, there was a time when IT would still approve it. I think it was the usual terrible slow process in procurement, so we couldn’t switch over to Keeper at that time. One colleague made this interesting claim:

“Not sure how LastPass can be recommended when there are alternatives that haven’t been breached ever, but LastPass has on more than one occasion. They’ve been breached before, they can’t be trusted anymore.”

Doubtful colleague

How does he know for sure they haven’t been breached? A breach could have happened and it’s not publicly known. A breach could be happening right now.

Spam Emails

Many years ago there was a period of a few months where we used to get a certain style of spam email daily.

Although they got to our email inbox (so they got past any spam filter we had), they often didn’t seem to have any suspicious link or obvious element of scam.

After a few months, Group IT managed to successfully filter them out. 

Here are a couple of examples I still had in my Inbox.

Title: Benjamin Cory Elementary School billboard.

Segesta became a marked enemy of Sicilian Greeks, and Selinus attacked and defeated Segesta in 411 BC. This source mentioned of Majapahit expansions has marked the greatest extent of Majapahit empire.
Although the weather was good, the jet was operating under simulated blackout conditions. Listen to local ABC Radio for emergency updates.
Tallinn and 6 km near Mao. Routes 20A and 246.
UFOs had an objective physical reality, let alone to confirm their origins or motives. HeM as HoM and HeW. The town has a population of 1,193.

Title: Caulker playing for Swansea.

Helen Carter on bass guitar and Stephen Philip on guitar. He went on to set records for distance swimming into the 1920s.
Destiny Mission to Mars. He was later reprimanded by the Secretary of the Navy for verbally abusing a fellow officer who testified in the matter.
Connecticut, although they were on the rebound by that point, in part due to state regulations to protect them. Barry Reder, The Obligation of a Director of a Delaware Corporation to Act as an Auctioneer, 44 Bus.
Aviation, both are now stored. Windsor was an important British stronghold. His books have been translated into a number of languages.

We did occasionally get ones with links but targeting a group mailbox didn’t make much sense in context: 

hello controlledrollout!
I remember you asked me how I lost weight so quickly?
answer is here

Crowdstrike Struck The World

I heard from a few security podcasts that Microsoft wanted to have exclusive rights to manage the security of the kernel on Windows machines. However, the EU’s competition laws don’t like monopolies, so they want an open market for security software. In most cases, competition is good, but this could actually be one area where you do want a closed system. The more companies that have control over something as fundamental as the kernel, the greater the risk.

A kernel driver has very intimate access to the system’s innermost workings. If anything goes wrong with the kernel driver, the system must blue screen to prevent further damage to the user’s settings, files, security and so on.

Crowdstrike released a faulty update in their software update, which caused the infamous blue screen of death in many Windows systems across the globe. Microsoft must have been fuming, because they knew this wouldn’t have happened with a closed system, and the media kept on reporting on it as if it was a Windows problem. Sure, it only affected Windows PCs, but it had nothing to do with Microsoft.

If I understand correctly, the driver was signed off by Microsoft but the update involved a “channel file” which just contained loads of zeros. So when the driver used it, it had no choice but to blue-screen. It makes you wonder what kind of testing processes they have at Crowdstrike if they can release an update like that.
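The failure the paragraph describes is a component consuming a content file it never validated. As an added illustration, here is a validator for an invented channel-file format; it is not CrowdStrike’s format or code and says nothing about how their driver actually works. It checks magic, version, entry count and every offset against the file length, so an all-zero file is rejected at the first check, and it keeps the previously loaded rules when validation fails rather than crashing.

```python
import struct

# Invented demo format, not any vendor's: a header, an entry table, then a body.
MAGIC = b"CHNL"
HEADER = struct.Struct("<4sHHI")   # magic, version, reserved, entry_count
ENTRY = struct.Struct("<II")       # (offset, length) of one pattern in the body
MAX_ENTRIES = 10_000               # sanity bound; a real limit comes from the spec


class InvalidContent(ValueError):
    """Raised instead of trusting a malformed file."""


def parse_channel_file(blob: bytes) -> list:
    """Validate every field before it is used to index memory."""
    if len(blob) < HEADER.size:
        raise InvalidContent("file shorter than header")
    magic, version, _reserved, count = HEADER.unpack_from(blob, 0)
    if magic != MAGIC:
        raise InvalidContent(f"bad magic {magic!r}")  # an all-zero file fails here
    if version != 1:
        raise InvalidContent(f"unsupported version {version}")
    if count == 0 or count > MAX_ENTRIES:
        raise InvalidContent(f"implausible entry count {count}")
    table_end = HEADER.size + count * ENTRY.size
    if table_end > len(blob):
        raise InvalidContent("entry table runs past end of file")
    patterns = []
    for i in range(count):
        offset, length = ENTRY.unpack_from(blob, HEADER.size + i * ENTRY.size)
        # Each pattern must lie entirely inside the body that follows the table.
        if length == 0 or offset < table_end or offset + length > len(blob):
            raise InvalidContent(f"entry {i} points outside the body")
        patterns.append(blob[offset:offset + length])
    return patterns


def build_channel_file(patterns: list) -> bytes:
    """Construct a well-formed sample file (demo helper, not part of the format)."""
    table_end = HEADER.size + len(patterns) * ENTRY.size
    entries, offset = [], table_end
    for p in patterns:
        entries.append(ENTRY.pack(offset, len(p)))
        offset += len(p)
    return HEADER.pack(MAGIC, 1, 0, len(patterns)) + b"".join(entries) + b"".join(patterns)


def load_update(new_blob: bytes, current_rules):
    """Fail closed: on a bad file keep the rules already loaded and report why."""
    try:
        return parse_channel_file(new_blob), None
    except InvalidContent as err:
        return current_rules, str(err)
```

`load_update(bytes(4096), current)` returns the existing rules and the reason “bad magic”, which is the behaviour you want from anything that runs with kernel privileges: a bad update should be a logged, rejected update, not a crash. The same validation is what a release pipeline should run against every content file before it is pushed to customers.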

When I logged in at work, our Group IT announced that some colleagues would be affected by a Crowdstrike problem and that they would be acting quickly to get people back up and running. It was only a bit later, when someone sent me a screenshot of some of our users complaining on X, that I realised it wasn’t just an internal problem. When I went on X, I saw reports of the problem affecting banks, airlines, supermarkets and more, and the BBC had a live news page on it. I still didn’t understand the severity of the problem until I saw that Troy Hunt had declared it one of the severest problems we have ever seen.

Despite Group IT making it sound easy to restore, when I heard others talk about it, I got the impression that it was fairly straightforward to revert the update on a single computer, but when you have hundreds of computers, then it is a problem. In companies where they only have a few IT staff, it is crippling. You may think that people could fix the problem themselves, but many people aren’t tech-savvy, and many companies lock down access so you don’t have any advanced features like Administrator mode. 

Furthermore, it sounded like servers “in the cloud” were even more difficult to restore; or it was more cumbersome at least.

Ironically, in recent years, we have moved a lot of our live infrastructure from our own data centres and into the cloud; citing benefits of reliability. However, this problem meant our users were impacted for a day or so; when we could have got them up and running within an hour or so if the servers were still internally hosted. 

Crowdstrike released an update to prevent more machines from being brought down, and sent customers mitigation steps and tools to identify impacted hosts. The new update wouldn’t fix the broken machines though; that required a manual fix involving booting into safe mode, locating the dodgy file, and removing it.

Companies purchase security software to prevent system outages, and causing a global system outage is a massive PR blunder for Crowdstrike and security software in general. It’s gonna be tough rebuilding trust, but many of the every-day people will probably blame Microsoft because that’s the name that was initially stated in the media.

It must have been brutal for the upper management, and a disaster when they turn up fatigued and under pressure on live TV.

Troy Hunt documented the story as he learned more:

The End Of The Desktop-Based Authenticator

A few years ago, we were told we must use two-factor authentication. (I’m sure I had a blog on that but can’t find it). Two factor authentication is much more secure because even if someone has your username and password, then they cannot get in without being able to generate your codes.

The idea of a desktop-based authenticator is absolute nonsense to me, because if you want to log into a website on a different device, you cannot, because your authentication codes are on your main device. Maybe you could install it on multiple devices? But even if that is allowed, isn’t that still increasing the risk? And if you are restricted to only using the computer where the authentication codes are, then if a malicious user has got access to your computer, they also have access to all your authentication codes.
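It helps to see how those codes are actually produced, because it shows that the device holding the seed is the whole game. The following is an added example, not from the post or from any authenticator product, implementing RFC 6238 TOTP (HMAC-SHA1, 30-second steps) in plain Python: anyone holding the same seed produces the same code at the same moment, which is precisely the risk of keeping the seed on the laptop that the second factor is supposed to protect.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte counter, dynamic truncation, last `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, candidate: str, at_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the current code and `window` steps either side (clock drift), comparing
    in constant time so the check itself does not leak timing information."""
    counter = int(at_time) // step
    return any(hmac.compare_digest(hotp(secret, counter + skew, digits), candidate)
               for skew in range(-window, window + 1))


def new_seed() -> tuple:
    """A fresh random seed and the base32 form an authenticator app would be given
    (usually as a QR code). Whoever holds this seed can generate every future code."""
    raw = secrets.token_bytes(20)
    return raw, base64.b32encode(raw).decode()


if __name__ == "__main__":
    import time
    seed, b32 = new_seed()
    print("seed for the app:", b32)
    # The same seed on two devices (or on a laptop an attacker controls) yields
    # the same code at the same time, which is the point the post makes.
    print("code now:", totp(seed, time.time()))
```

The values asserted below are the published RFC 4226 and RFC 6238 test vectors for the ASCII seed `12345678901234567890`. The practical consequence for the post’s argument: a second factor is only a second factor while the seed lives somewhere the first factor’s compromise does not reach, and moving the seed off the workstation is what restores that separation.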

A few years ago, we got a new security expert, and have been increasing security over time. Recently, one of the companies we own was hit by a ransomware attack so security has increased once again.

We were told they would be placing more restrictions on personal use of company devices, and that instead we should buy our own tablet/laptop/computer for internet browsing.

I was really surprised that they are only now advising getting rid of the desktop-based authenticator, and now say that we all need to install it on our phones. I did that years ago.

“Having a desktop based authenticator is no longer an appropriate feature as unfortunately external threats are becoming extremely more clever and a compromised laptop or workstation would mean the authenticator could be accessed and that would lead to credential compromise and extremely damaging to our organisation hence the authenticator is no longer deemed safe on the same device.”

They also stated that authenticator apps are “required everywhere”.

One employee launched into an absolute tirade about it. He did make some good points about how necessary equipment should be provided and managed by the employer. 

The Tirade

I have to disagree that authenticator apps are used everywhere. I only need it for work. My bank uses my biometrics for authentication, it is the same for my bitwarden (password vault), health app interactions and credit card companies. I feel you are trying to use grammar to try and mitigate the fact that this is an app I only need for work vs a "work app". The reality for me is this is an app I need only for work purposes, and whether I call it a work app or an app I need for work, it is the same thing.

It seems hypocritical that at a time when we are being told that no personal use can be made of work laptops and that we should use the new benefit introduced to buy a personal laptop, that the organisation is forcing us to install applications for work onto our personal phones. My wife is the Pro vice-chancellor at a university that was hit (last year) with a cyber attack and they are still recovering from that incident now. The impact has been devastating. They use MFA for access to all their systems and the university has provided devices to all staff to ensure that they can continue to access the systems they need to without the need to purchase personal equipment for work or use personal devices to enable them to work, because they understand that securing their systems requires investment.

The reality for me is I already have a number of work apps on my personal mobile phone... whatsapp for Business Continuity purposes, webexpenses to be able to claim expenses and now Authy. It is becoming increasingly difficult to have a clear distinction between work and personal life. I can totally understand why some people may be unhappy with this continued blurring of the lines on mental health grounds, but there are also those who have reverted back to unsmart phones - I considered this at one point when I decided the toxic nature of social media platforms was extremely unhealthy. In the end I just removed all those apps from my phone because I decided the value the other applications was worth sticking with a smartphone. If you don't own a smartphone are you now expected to buy one to do the job? If we lose our smartphone, do we need to inform IT that our work authenticator has been lost and therefore potentially compromised? There needs to be a clear policy on expectations above and beyond the "just do it" messaging so far.

There have also, unsurprisingly, been a number of cases taken to court in recent years for people unwilling to install applications on personal phones that are required to perform work functions. Most cases have ruled in favour of the employee with advice given such as: "[...] Secondly, employers facing resistance from employees about the use of technology should explore whether any other solutions are available. In this case, the issue may have been swiftly resolved by providing a work phone or installing the app on a laptop. Had the Claimant continued to refuse to use the app in those circumstances, it is likely that the employer could have fairly dismissed for misconduct, subject to following a fair procedure. [...]" So are there alternatives available? I know we have a huge number of work mobile phones that are unused - couldn't these be provided to those wanting that work/life separation protected? They wouldn't need a SIM as the app will work over WiFi, so the cost is minimal.

Closing Thoughts

Personally, it’s not a big deal for me because I do use an authenticator app for everything that supports it, and I only have maybe 4 codes for work-related websites. I think it would be more inconvenient to have a separate device, and if I did, I would end up leaving it next to my laptop. So if the laptop was stolen from my house (where I work), then they would steal the phone next to it too; therefore it is like the Desktop-based authentication scenario. Although if the phone has password/biometrics to access, then it will be secure. If I only have 1 phone, then the phone will leave the house with me, having the benefit of security and not being as much of a pain to replace.