Humans and the illusion of security

I am doing a series of blogs over at Opto 22 on network security, passwords and Wi-Fi.
In a very timely manner, this popped up in my RSS feed a few days back.

It’s a story of how this guy bought what was supposed to be an ‘as new’ returned laptop…

So it surprised me when I booted up and saw someone else’s name and Hotmail address at the login prompt. So much for like-new!

As I stared at the full name and e-mail address of the previous owner—let’s call him David—I wondered. Could I get into this computer another way? It was mine after all. And how much more could I learn about him? How bad of a mistake had the store made?

The guy then talks about how he boots into Linux via a USB flash drive, gets the previous owner’s hashed password, downloads some open source software and reverses the hash, ends up with the clear text password and logs into his computer, but with the identity of the previous owner.
It took him all of about 20 minutes, a few web searches and 1 piece of software (if you don’t count the Linux USB stick he already had).

The illusion of security. It was a Windows 8 laptop; you would think it would take a bit more than that to break into the latest operating system…

However, this is not the point of my blog… It’s this:

I packed everything back into the box to return it to the store. The least I could do was to tell Best Buy about their mistake so it hopefully wouldn’t happen again.

As I packed up the paperwork, my eyes were drawn to the slip of paper with the ID of the person who inspected the machine. I wanted to make special note of who it was so I could report it to the manager.

[As he was packing it up, he found the original receipt, on the back of that was written the password he had just cracked] It was in the box the entire time. Not only did they sell me a computer with someone else’s data still on it, they gave me the password as well. No hacking required.

I may not be the world’s worst blackhat-wannabe, but discovering this didn’t help my ego much.

My embarrassment quickly became anger. Mistakes happen, but this was too much. The password is clearly printed on Best Buy receipt paper, so it had to be written in the store. Why would they need David’s password to reset the computer? I could understand if they were working on the machine to return it to him, but they were doing a factory reset. And how did that password and machine get taped up and put back on the floor for resale?

Humans. Humans are almost always the weak link. We write software that is too easily compromised or has a back door, and we are tricked into giving out our passwords.
[Image: beat the human with a wrench]

So yeah, we are humans, we have the illusion of security and we are the weak link.