Definitely seems less like an auditor (I believe asking for some of that is flat out illegal) and more like a hacker posing as an auditor, trying to get passwords/credit card #'s.
In the same way, shoplifters would never try to steal anything larger than something they can fit in their hand. In reality, they walk out of retail stores with objects as large as kayaks every day -- often with the assistance of store staff. Why? Because everyone assumes there's no way this guy isn't legit, because a bad guy would never attempt something so blatant.
Asking for everything might sound more legitimate than asking for one small thing. Perps generally go with their gut. In this case, this "auditor" shot for the moon with the wrong mark.
Then again, it could be a social engineer trying to play off the commonly-held belief that an actual social engineer wouldn't ask for something so blatantly illegal.
You think too much. Usually, the simplest explanation is also the correct one. I put my money on retarded auditor who thinks he's more clever and powerful than he is.
It never hurts to be careful. When it comes to security, defense requires closing all possible holes, while offense requires finding only one. It would be irresponsible for the employee not to at least be cautious when dealing with this auditor. It's worth taking a few minutes to call the company performing the audits and verify that the auditor is who he says he is.
IMO, that should actually be part of the process of passing a security audit. Which suggests someone who is doing an audit will ask for information that if given to him will cause you to fail the audit.
Confirming that he is an auditor is insufficient. A sufficiently clever legitimate auditor might attempt social engineering attacks and fail you if they succeed.
In fact, this seems like a more effective way to sniff out plaintext password storage than saying "show me everywhere you touch passwords and how they're encrypted".
Sorry if I was unclear. Confirming that he is an auditor should be a checkbox in an audit, as should be limiting the information provided to an auditor. While I like your idea that it would show if they could get access to users' passwords, even handing out the salted password list is a bad idea.
One of the more interesting government audits I have heard about was one where the auditor did a basic internal audit and said he was part of physical security etc. so people knew he was part of the audit team. He then showed up late, turned off the power supply to the building and then pointed at people who showed up at the generator, saying "bang, you're dead, this is part of an audit" etc. If they failed to call security before everyone was "dead" they were considered to have failed that part of the audit. He also attempted to get into the building without showing up on cameras etc. All of which sounds like a fun job and a good idea.
This is a case of social engineering, not of a security auditor, but of the poster. The poster wants to know an easy way to collect public and private SSH keys and fake 6 months of inbound traffic. There is no auditor.
Maybe the poster is writing a book on cracking systems? Who knows. But it smells like a hoax.
What is 'hard' about harvesting public and private keys? Especially if you are the sysadmin.
What purpose would faking 6 months of inbound traffic serve? If he just wanted to cover his tracks, wouldn't he just erase logs rather than trying to make them look legit? That would seem like doing things the hard way.
*The "new security policies" were introduced two weeks before our audit, and the six months historical logging was not required before the policy changes.
These "policies" were introduced by whom? His payment processor or by his company on the advice of this "auditor"?
Or did the OP make this up?
In short, I need;
A way to 'fake' six months worth of password changes
and make it look valid
A way to 'fake' six months of inbound file transfers
Why is the poster requesting help generating plausible fake data? Is he naive? Afraid of losing his job? Unaware of the legal implications?
What's unethical about that? If politics have required him to provide information he can't legally provide, falsifying the information seems like the only reasonable course of action.
Of course, quitting is the other out, but I do think he has a moral obligation to prevent his company from handing any of this information over to the auditor.
Am I the only one who thinks the story is a little too perfect and ridiculous? It is much more likely that the author simply fabricated the story.
He did manage to start a very popular thread, and get a ton of people with really high rep to respond AND get a link on HN. He just threw out some bait, and the community swarmed like starving fish.
He just threw out some bait, and the community swarmed like starving fish.
This is true of all "light" SO/SF posts. Nobody gets excited about answering someone's obscure apt-get question. Everyone gets excited when they can spend their boring workday telling some dude that his security consultant is fucking him. It's the same reason people read "People Magazine" instead of "Purely Functional Data Structures".
Everyone so far has focused on the auditor, but I want to know why the OP thinks faking the requested data is an acceptable response. That disturbs me and nobody else commented on it!
Handing over the data is certainly not an acceptable response. If it's the sort of organization that makes saying no very hard, and leaving looks impractical, this may be the best option. Sometimes all you can do with a prestigious idiot is work around him.
Because this guy shouldn't be allowed to have that information and unless he was going to use it for nefarious purposes, he wouldn't be using any of it at all.
Perhaps the auditor is smarter than everyone thinks and is expecting the sysadmin to come to him empty handed and with an explanation as to why the requirements aren't reasonable.
The poster has already tried that, which is when the "auditor" replied with the "10 years experience" rant. If this actually is his tactic, then he should be fired simply on the principle that his modus operandi will cost the company clients, as it seems to be in this case. If he just has his head up his ass, then he needs to be fired for gross incompetence and the company may need to notify anyone that he's previously certified that they need to be recertified or at least notify them that there's a potential problem.
The "social engineering" idea is definitely worth considering, and the poster definitely needs to run this up the flag pole to his senior management. Preferably, this email would also have the words "contact our legal counsel" prominently displayed.
I flagged this. The likely explanation is that this is just a troll -- 2-day-old account, this is the only question that's been asked on it. There's no way that somebody that's been doing audits for 10 years would ask for this stuff, and there's no way any server admin would even consider providing the information. ...At least, any server admin that shouldn't be yoinked back down to making patch cables.
It's a throwaway account. It has "throwaway" in its name. The question ends with the asker explaining that he's posting it from a throwaway account because he doesn't want his real name associated with it. How many questions would you expect a throwaway account to have?
Regarding the age of the account, there is a note at the end of the post: "Sidenote; I'm posting from a throw-away account to (mostly) dis-associate my name from this post"
I wonder if, when confronted about how ridiculous the requests were, the auditor will claim to have been testing how well the admins resisted social engineering?
I was in exactly that situation myself recently. However I was hungry and the auditor was cute and I told her I would give her the root password in exchange for a donut. Which she dutifully wrote down on her clipboard. Now the whole company has to go on training. I don't even know the root password!
That "auditor" is an idiot as some of the posters have mentioned already. I was like "No" and then I got to the "both private and public keys" and I was like "Hell no!".