What do the experts here think of a policy of requiring an employee to log on to an intranet using a social security number as a username?
My employer wants me to complete an online training course and they have set up a system where we can log onto their intranet individually, but they expect us to use our social security number as a username. I asked my supervisor if it were possible to change my username to something less personally vital than my SS# and she said she didn't think so, and she was NOT very civilized about it.
I have learned the hard way to be very stingy about giving out my ss# and am very concerned about the security implications of using my ss# as a computer password or logon name. I'd be more willing to use a credit card # because if there were a problem I could at least cancel the card. I do not carry my ss# on my person, it has never been on the hd of my computer and I have never used it on a website. I do not access any of my financial information online because many such sites seem to require it.
I plan to email the administrator of the training program and ask about changing my username. If they are unwilling or unable to change it, what sort of questions should I ask about the security of their network? All I know about intranet security I got from this page: http://intranetjournal.com/features/isecurity.shtml I know intranets can use SSL/128-bit encryption so I plan to ask about that. If they don't use that, what are some other ways to secure an intranet? Should I ask them about their firewall, how often the system is scanned for trojans? If anyone here is in charge of an intranet, what sort of security setup would make you willing to use your SS# as a username?
We were given a url to use if we wanted to try accessing the training course from home. I checked the url with Neotrace and now have the names of the network administrator and coordinator. Would one of these 2 be in charge of assigning or changing user names? Should I direct my questions to them? Do you think they'd be pissed to get an email from me? I entered the url on my computer and got this message:
Enter Network password
Please type your username and password. Site: joe.shmo.com Realm: HTTP Authentication (ID#####)
I typed nothing, hit enter and got this:
Error: Authen Rejected.
No 401 or 403 message. Does this give any hints as to how the network is secured.
Finally, the company has a web page where you can apply for a job with them online. They ask for your name, address, phone number and you can even upload your resume. THE PAGE IS NOT SECURE! No "https" in the url, no little yellow padlock at the bottom of the screen! I think you'd have to be pretty foolish or desperate for a job to use this page. It only heightened my concerns about the security of their network.
This company is a huge corporation, they are listed on the NYSE. You think they'd have better sense than to use SS#s to log on to a network. Sorry to go on so long and the crossposts. TIA for any advice or help. m.m.
Give them a SS # for your login ID. Just make sure it's a phony. Here's one....
510-38-5354 belongs to a guy in Kansas. The internet is full of them if you know where to look. unless they match your real SS# to your name they'll never know it is a "utility SS#!"
In article <ue33vfbn8tc...@corp.supernews.com>, h...@westpoint.edu says...
> Give them a SS # for your login ID. Just make sure it's a phony. Here's
> one....
> 510-38-5354 belongs to a guy in Kansas. The internet is full of them
> if you know where to look. unless they match your real SS# to your name
> they'll never know it is a "utility SS#!"
> -CJ
Hi CJ, Thanks for the reply. Bogus ss# won't work, they've already set it up only to accept MY ss#. I have Richard Nixon's SS# stashed away in a file somewhere. I've downloaded a few pages about how to create a valid but fake SS#. Been thinking of giving myself one from Guam. mm
I do find these kinds of posts a bit amusing. Yes, it is a serious issue but you and others who worry about using their SS# really should take a different approach to the problem. Your SS# is already on hundreds of documents and databases that are not safely guarded. The same with mine and every other American.
Your best defense is to assume your information is already out there and monitor your credit history for the first sign of trouble that someone has taken advantage of your information. There are services that will alert you to anyone accessing your credit report. People may argue that you should not have to pay for such a service but you don't have to. Neither do you have to pay for an alarm system or insurance.
Go ahead and use your SS# as an ID. I have to do it on some web sites for testing at times.
Universities have been sued for using SSNs for student IDs and have been forced to issue alternative student IDs. It gets even worse: student ID databases have been stolen from servers with student info including name, address, and SSN. There are also some states in legal trouble for requiring a person's SSN on drivers licenses, which has been found to violate a person's privacy.
It's not a good idea for your employer to require this. --
"Machine Messiah" <Poor...@nospamdamnit.com> wrote in message
>I have learned the hard way to be very stingy about giving out my ss# and
>am very concerned about the security implications of using my ss# as a
Why? Anyone serious about getting your SSN can get it by querying one of the credit agencies. Or perhaps a little social engineering by calling your old college. Hell, some states used to use your SSN number on your drivers license.
Your SSN is not as sacred as you might think. You should be more worried about the waitress you stiffed on the tip snagging your credit card info which is far more useful.
> What do the experts here think of a policy of requiring an employee to
> log on to an intranet using a social security number as a username?
Stupid.
If they can set up a username, there is no need for insisting on the SSN. If they are so brain dead that they can't manage usernames derived from real names, they could use the employee number, for example.
In article <f6s3eu8rh6vg1c8j9aams94mvm2dg31...@4ax.com>, ch...@nospam.com says...
snip
> Why? Anyone serious about getting your ssn can get it by querying
> one of the credit agencies.
snip
I know that. You can ask, and I have, the credit agencies not to release your info unless YOU specifically have requested more credit or have a potential employer doing a background check on you. Really cuts down on junk mail.
snip
> Or perhaps a little social engineering
> by calling your old college.
snip
Mine was sued and they no longer post student SS#s for all to see. They won't release such info now w/o a court order or written request from me.
snip
> Hell, some states used to use your SSN
> number on your drivers license.
snip
My state will remove it for $15. If someone needs a number for me I give them the drivers licence #.
snip
> Your SSN is not as sacred as you might think. You should be more
> worried about the waitress you stiffed on the tip snagging your credit
> card info which is far more useful.
snip
I don't let go of my credit or debit card. I only do business where I can run the card through the reader myself. I love self checkout. The law protects us from unauthorized use of a credit card. You can close the account and get a new card with a different number. Try getting a new SS#. I also had my spending limits on my cards reduced to a very low level. They couldn't have too much fun before maxing out the card.
snip
I guess I should have mentioned that I've been robbed 3 times and have learned to be wary about personal data. mm
In article <3CE21C8E.38450...@ieee.orgies.invalid>, lahip...@ieee.orgies.invalid says...
> Machine Messiah wrote:
> > What do the experts here think of a policy of requiring an employee to
> > log on to an intranet using a social security number as a username?
> Stupid.
> If they can set up a username, there is no need for insisting on the
> SSN. If they are so brain dead that they can't manage usernames derived
> from real names, they could use the employee number, for example.
> -- Lassi
Hi Lassi, thanks for the reply. They want us to use ss# as username and payroll pin # as password. mm
In article <f6s3eu8rh6vg1c8j9aams94mvm2dg31...@4ax.com>, ch...@nospam.com wrote:
>Why? Anyone serious about getting your ssn can get it by querying
>one of the credit agencies. Or perhaps a little social engineering
>by calling your old college. Hell, some states used to use your SSN
>number on your drivers license.
>Your SSN is not as sacred as you might think. You should be more
>worried about the waitress you stiffed on the tip snagging your credit
>card info which is far more useful.
Here's the whole point - the SSN _should_ be as sacred as you might think. It _should_ be used only where taxes may need to be assessed against an individual. It should _not_ be used as a unique identifier for any other purpose. By saying "foo, it's already used as a unique identifier", you aren't helping to solve the problem, you're just saying "problem? I don't see a problem."
With an SSN, and just a little further information even more public than your SSN, that same waitress could open a new credit card in your name.
Alun. ~~~~
[Please don't email posters, if a Usenet response is appropriate.] -- Texas Imperial Software | Try WFTPD, the Windows FTP Server. Find us at 1602 Harvest Moon Place | http://www.wftpd.com or email a...@texis.com Cedar Park TX 78613-1419 | VISA/MC accepted. NT-based sites, be sure to Fax/Voice +1(512)258-9858 | read details of WFTPD Pro for NT.
In article <MPG.174c2ad4b3b1bf7f98968b@news-server>, Machine Messiah
<Poor...@nospamdamnit.com> wrote:
>They want us to use ss# as username and payroll pin # as password.
This sounds like they want to take information that you use to access the payroll system, and pass it to more people than is required for just accessing the payroll system. Sounds like an excellent way for the company to find themselves defrauded.
Alun. ~~~~
In article <tYuE8.21712$_Z4.2761464...@newssvr12.news.prodigy.com>,
Alun Jones <a...@texis.com> wrote:
>In article <MPG.174c2ad4b3b1bf7f98968b@news-server>, Machine Messiah
><Poor...@nospamdamnit.com> wrote:
>>They want us to use ss# as username and payroll pin # as password.
>This sounds like they want to take information that you use to access the
>payroll system, and pass it to more people than is required for just accessing
>the payroll system. Sounds like an excellent way for the company to find
>themselves defrauded.
But also an excellent way to avoid being defrauded.
The payroll system already has a list of valid employees, along with unique identifiers (SSN) and an authenticator (PIN). If they use something else for the intranet, they have to devise a new way to identify and authenticate the users. This provides an opportunity for errors, mismatches between the systems, etc.
Note also that he's talking about an *intranet*, i.e. a server internal to the company. They're not sending payroll information to an outside agency (unless operation of the intranet is outsourced), so who is going to be defrauding them? This is information that already exists in the company's databases.
-- Barry Margolin, bar...@genuity.net Genuity, Woburn, MA *** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups. Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
In article <ejxE8.8$GK3...@paloalto-snr1.gtei.net>, Barry Margolin
<bar...@genuity.net> wrote:
>Note also that he's talking about an *intranet*, i.e. a server internal to
>the company. They're not sending payroll information to an outside agency
>(unless operation of the intranet is outsourced), so who is going to be
>defrauding them? This is information that already exists in the company's
>databases.
It is, however, information that is traditionally restricted to only a few people within the company - those people that file the tax forms, and thus have a legitimate reason to know it - and a legal requirement, in fact, to do so. Others within the firm are generally not privy to such information, and for good reason. With a little knowledge of a person's public information and a SSN, you can get a credit card in their name.
When this becomes the person's internal login name, and thus available to everyone from the coffee boy on up, there's considerably greater chance of fraud and identity theft against the employees.
The OP noted that he also was required to login with his payroll system's PIN as his password on the Intranet. Why does anyone other than himself know _his_ PIN? Presumably he's given a PIN number to the company's payroll system so that he can do something with his payroll. Who should have access to that employee's data in the payroll system? The accountants, who are presumably vetted in some manner (even if it's just a handshake and a smile), and the employee, one would assume. Now, that information has been given to another person or group - the one setting up accounts in the intranet. What could someone do in the payroll system? This is where I see a vague possibility for defrauding the company _and_ the employee.
There's an assumption that when you join a company, the company will keep your financial information secret, and use it only in the manner necessary to employ you. It appears that there is ample opportunity here for that financial information to be exposed to a greater number of people than those who strictly need it. That can't be good.
Alun. ~~~~
:The OP noted that he also was required to login with his payroll system's PIN
:as his password on the Intranet. Why does anyone other than himself know
:_his_ PIN? Presumably he's given a PIN number to the company's payroll system
:so that he can do something with his payroll. Who should have access to that
:employee's data in the payroll system? The accountants, who are presumably
:vetted in some manner (even if it's just a handshake and a smile), and the
:employee, one would assume. Now, that information has been given to another
:person or group - the one setting up accounts in the intranet.
Unless, that is, that what they did was just copy the password file with encrypted passwords -- or perhaps they are using the same NT domain (or other Single Signon system) for credentials. Thus, it is not -necessarily- the case that anyone extra has deliberately been given access to the information.
Mind you, employee logins to check payroll are likely relatively uncommon, whereas on-line course logins are likely to happen several times a day, so sniffing becomes a bigger risk...
> Why? Anyone serious about getting your ssn can get it by querying one of
> the credit agencies.
That's not as easy as it used to be since the passage of the Gramm-Leach-Bliley Act. So replace "anyone serious" in the sentence with "anyone willing to break the law, and bribe others to break the law..."
> Your SSN is not as sacred as you might think. You should be more worried
> about the waitress you stiffed on the tip snagging your credit card info
> which is far more useful.
Exactly.
Machine Messiah wrote:
> You can ask, and I have, the credit agencies not to release your info
> unless YOU specifically have requested more credit or have a potential
> employer doing a background check on you.
You can ask, but it won't matter one iota.
The permissible purpose standard for obtaining consumer credit reports is articulated in the Fair Credit Reporting Act (FCRA). There are about a dozen different circumstances which allow someone else to pull a consumer credit report about you (technically not "your report"), and most of these reasons do not require your permission. Examples include in response to an order from a court having competent jurisdiction, in response to a subpoena from a federal grand jury, in connection with collecting an existing debt, for use in determining or enforcing child support, for use by the FBI in connection with certain counter-terror investigations, etc.
Alun Jones <a...@texis.com> wrote:
>In article <ejxE8.8$GK3...@paloalto-snr1.gtei.net>, Barry Margolin
><bar...@genuity.net> wrote:
>>Note also that he's talking about an *intranet*, i.e. a server internal to
>>the company. They're not sending payroll information to an outside agency
>>(unless operation of the intranet is outsourced), so who is going to be
>>defrauding them? This is information that already exists in the company's
>>databases.
>It is, however, information that is traditionally restricted to only a few
>people within the company - those people that file the tax forms, and thus
>have a legitimate reason to know it - and a legal requirement, in fact, to do
>so. Others within the firm are generally not privy to such information, and
>for good reason. With a little knowledge of a person's public information and
>a SSN, you can get a credit card in their name.
>When this becomes the person's internal login name, and thus available to
>everyone from the coffee boy on up, there's considerably greater chance of
>fraud and identity theft against the employees.
How would the coffee boy get access to the internal database of the intranet server? We're not talking about the person's email address.
>The OP noted that he also was required to login with his payroll system's PIN
>as his password on the Intranet. Why does anyone other than himself know
>_his_ PIN? Presumably he's given a PIN number to the company's payroll system
>so that he can do something with his payroll.
I'm guessing that he's referring to automated system for entering time-sheet data, expense reports, and/or W-4 withholding information.
> Who should have access to that
>employee's data in the payroll system? The accountants, who are presumably
>vetted in some manner (even if it's just a handshake and a smile), and the
>employee, one would assume.
And the system administrators of the payroll system.
> Now, that information has been given to another
>person or group - the one setting up accounts in the intranet. What could
>someone do in the payroll system? This is where I see a vague possibility for
>defrauding the company _and_ the employee.
Of course, if the system administrators of the payroll system are the same people who also operate the intranet servers, they already have that access.
My company has a number of different intranet servers. One for time and expense reporting, others for various technical tasks. We also have extranets implemented by our benefits providers (one for 401k and stock options, another for medical insurance). It sure is confusing to have different ID's for each (the benefits providers need to have the SSNs for tax purposes, so they use it as the user ID as well).
In article <sZBE8.10898$9z5.1211...@typhoon.austin.rr.com>,
William Fason <wfa...@houston.rr.nospam.com> wrote:
>ch...@nospam.com wrote
>> Why? Anyone serious about getting your ssn can get it by querying one of
>> the credit agencies.
>That's not as easy as it used to be since the passage of the
>Gramm-Leach-Bliley Act. So replace "anyone serious" in the sentence
>with "anyone willing to break the law, and bribe others to break the law..."
If you're worried about identity theft, then you're already presuming that they're willing to break the law.
> My company has a number of different intranet servers. One for time and
> expense reporting, others for various technical tasks. We also have
> extranets implemented by our benefits providers (one for 401k and stock
> options, another for medical insurance). It sure is confusing to have
> different ID's for each (the benefits providers need to have the SSNs for
> tax purposes, so they use it as the user ID as well).
This is one of the things that I object to. Easing the work of the computer room clergy isn't the prime motive when choosing security features. Using the SSN is just an attempt to assign the management of uniqueness to someone else.
If the employees have access to the corporate intranet, they should have a single identity for the intranet - not for each service. My employer has about 60'000 employees, most of which have intranet access, and runs a global intranet with innumerable services. We have a single network logon. Some strictly limited databases have their own passwords and access lists as extra protection, but those are so limited that they can be managed by the owners of those services.
The intranet identity should not be overloaded with uses that are independent of intranet access. The SSN is certainly something that has its own separate use, independent of the company. It even is outside the authority of the company. In a multinational company it simply won't work, because the SSNs of different countries have different formats. That's why I called it stupid.
In article <3CE351F4.E128...@ieee.orgies.invalid>, Lassi Hippeläinen <lahip...@ieee.orgies.invalid> wrote:
>Barry Margolin wrote:
><...>
>> My company has a number of different intranet servers. One for time and
>> expense reporting, others for various technical tasks. We also have
>> extranets implemented by our benefits providers (one for 401k and stock
>> options, another for medical insurance). It sure is confusing to have
>> different ID's for each (the benefits providers need to have the SSNs for
>> tax purposes, so they use it as the user ID as well).
>This is one of the things that I object to. Easing the work of the
>computer room clergy isn't the prime motive when choosing security
>features. Using the SSN is just an attempt to assign the management of
>uniqueness to someone else.
I think of it as taking advantage of the fact that you already have a working list of unique IDs and passwords.
The alternative is assigning new IDs and passwords, and somehow communicating them to all the employees. Letting the users know their new passwords is the really tricky part. One common strategy is to assign initial passwords algorithmically, but these are then easily guessed by other employees; more popular these days is to send email telling the employee their initial password. The way to assign passwords securely is to require the employee to physically sit down at a console when the IT staff is creating their account; this is usually done when creating accounts for new employees, since the volume is manageable, but it's rarely practical when installing thousands of accounts all at once.
>If the employees have access to the corporate intranet, they should have
>a single identity for the intranet - not for each service. My employer
>has about 60'000 employees, most of which have intranet access, and runs
>a global intranet with innumerable services. We have a single network
>logon. Some strictly limited databases have their own passwords and
>access lists as extra protection, but those are so limited that they can
>be managed by the owners of those services.
The reason things are so messy here is because there isn't a single, centrally-managed intranet server. There are lots of independent servers that have been set up by different groups, because the bureaucratic hassle of getting content added to centrally-managed servers is too much of a bother.
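As an added example (not from Barry's post, nor anything his employer runs): one way to bootstrap the thousands of accounts he describes without the algorithmic initial password he says is easily guessed. Each employee is mailed a random, single-use enrollment token with a short lifetime; the server keeps only a hash of it, so a copied table does not let an insider enrol as someone else; and the employee chooses their own password when redeeming the token. The employee IDs, the one-day TTL, the minimum password length and the sample "derived password" rule are assumptions for illustration.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 24 * 3600  # assumption: a day to read the mail and enrol
MIN_PASSWORD_LEN = 12          # assumption: local policy

def derived_initial_password(employee_number: str, hire_year: int) -> str:
    """The kind of 'algorithmic' initial password the post warns about (rule is
    made up). Any coworker who learns the rule and an employee number can
    reproduce it; nothing in it is secret."""
    return f"{employee_number[-4:]}{hire_year}"

class EnrollmentTokens:
    """Single-use, time-limited enrollment tokens. Only sha256(token) is stored."""

    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now  # injectable clock so expiry can be tested offline
        self._pending: Dict[str, Tuple[str, float]] = {}  # digest -> (employee_id, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, employee_id: str) -> str:
        """Mint a 256-bit token from the OS CSPRNG. The plaintext is returned once,
        to be delivered to the employee, and is never stored server-side."""
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (employee_id, self.now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the employee_id the token was issued to, or None if it is unknown,
        already used, or expired. The entry is removed on first presentation."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        employee_id, expires_at = entry
        if self.now() > expires_at:
            return None
        return employee_id

    def set_initial_password(self, token: str, new_password: str) -> Optional[str]:
        """Redeem the token and return the salted PBKDF2 record the account store
        would keep ('employee_id:salt:hash'), or None if the token or password
        is not acceptable. Policy is checked before the token is consumed."""
        if len(new_password) < MIN_PASSWORD_LEN:
            return None
        employee_id = self.redeem(token)
        if employee_id is None:
            return None
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode("utf-8"), salt, 200_000)
        return f"{employee_id}:{salt.hex()}:{digest.hex()}"

if __name__ == "__main__":
    store = EnrollmentTokens()
    tok = store.issue("E00012345")
    print("mail this to the employee once:", tok)
    print("stored record:", store.set_initial_password(tok, "correct horse battery staple"))
    print("second use:", store.set_initial_password(tok, "correct horse battery staple"))
```

The contrast with `derived_initial_password` is the point: a rule-based initial password has no entropy a coworker lacks, whereas the token is unguessable, dies after one use or a day, and never sits in a database in plaintext.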
Barry Margolin <bar...@genuity.net> writes:
> In article <zhBE8.7182$%9.1742029...@newssvr30.news.prodigy.com>,
> Alun Jones <a...@texis.com> wrote:
> >In article <ejxE8.8$GK3...@paloalto-snr1.gtei.net>, Barry Margolin
> ><bar...@genuity.net> wrote:
> >>Note also that he's talking about an *intranet*, i.e. a server internal to
> >>the company. They're not sending payroll information to an outside agency
> >>(unless operation of the intranet is outsourced), so who is going to be
> >>defrauding them? This is information that already exists in the company's
> >>databases.
> >It is, however, information that is traditionally restricted to only a few
> >people within the company - those people that file the tax forms, and thus
> >have a legitimate reason to know it - and a legal requirement, in fact, to do
> >so. Others within the firm are generally not privy to such information, and
> >for good reason. With a little knowledge of a person's public information and
> >a SSN, you can get a credit card in their name.
> >When this becomes the person's internal login name, and thus available to
> >everyone from the coffee boy on up, there's considerably greater chance of
> >fraud and identity theft against the employees.
> How would the coffee boy get access to the internal database of the
> intranet server?
Why would he need to?
What are the odds that the login info is transmitted in cleartext (it's an intranet so nobody cares even if most attacks are reported to come from insiders)?
What are the odds that the network is properly secured against sniffers put onto it by just anyone able to physically access a host or even just a random ethernet outlet?
What are the odds anyone would notice a sniffer at all (one with the transmit wires intact I mean)?
Pretty slim I'd say.
> We're not talking about the person's email address.
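As an added example, not from any post in this thread: what the exchange Mathias is describing looks like on the wire when the training site uses HTTP Basic authentication over plain HTTP, and how little work a sniffer on the same segment needs to recover the username. The host name and realm string come from the OP's browser prompt; the request paths, the SSN 123-45-6789 and the PIN 2468 are constructed, not real. Basic auth only base64-encodes `username:password`, so whoever can see the packets gets the SSN with one decode, no cryptanalysis required.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed capture (not real traffic): an unauthenticated request, the server's
# 401 challenge with the realm the OP saw in his browser prompt, and the retried
# request carrying Basic credentials. Username 123-45-6789 / PIN 2468 are made up.
CAPTURED_EXCHANGE = (
    "GET /training/course HTTP/1.1\r\n"
    "Host: joe.shmo.com\r\n"
    "\r\n"
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="HTTP Authentication"\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
    "GET /training/course HTTP/1.1\r\n"
    "Host: joe.shmo.com\r\n"
    "Authorization: Basic MTIzLTQ1LTY3ODk6MjQ2OA==\r\n"
    "\r\n"
)

# Loose SSN shape check; good enough to flag a username as "this is probably an SSN".
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")

@dataclass
class BasicCredential:
    realm: Optional[str]     # realm from the most recent 401 challenge seen, if any
    username: str
    password: str
    looks_like_ssn: bool

def _split_head(raw: str):
    """Return (start line, lowercased header dict) for one header-only HTTP message."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def sniff_basic_auth(capture: str) -> List[BasicCredential]:
    """Pull every Basic credential out of a capture of header-only HTTP messages
    (assumption: no message bodies, so messages are separated by a blank line).
    Basic auth is base64, not encryption: anyone on the path decodes it."""
    found: List[BasicCredential] = []
    realm = None
    for raw in capture.split("\r\n\r\n"):
        if not raw.strip():
            continue
        _start, headers = _split_head(raw)
        m = re.search(r'realm="([^"]*)"', headers.get("www-authenticate", ""))
        if m:
            realm = m.group(1)
        scheme, _, token = headers.get("authorization", "").partition(" ")
        if scheme.lower() != "basic":
            continue
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # malformed header, not a usable credential
        username, _, password = decoded.partition(":")
        found.append(BasicCredential(realm, username, password,
                                     bool(SSN_RE.match(username))))
    return found

if __name__ == "__main__":
    for c in sniff_basic_auth(CAPTURED_EXCHANGE):
        print(f"realm={c.realm!r} user={c.username} pw={c.password} ssn_like={c.looks_like_ssn}")
```

The same parser would find nothing on a TLS-protected (https) connection, because the sniffer never sees the headers; that is the concrete difference behind the OP's question about "SSL/128-bit encryption".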
> Barry Margolin <bar...@genuity.net> writes:
> > In article <zhBE8.7182$%9.1742029...@newssvr30.news.prodigy.com>,
> > Alun Jones <a...@texis.com> wrote:
> > >In article <ejxE8.8$GK3...@paloalto-snr1.gtei.net>, Barry Margolin
> > ><bar...@genuity.net> wrote:
> > >>Note also that he's talking about an *intranet*, i.e. a server internal to
> > >>the company. They're not sending payroll information to an outside agency
> > >>(unless operation of the intranet is outsourced), so who is going to be
> > >>defrauding them? This is information that already exists in the company's
> > >>databases.
Hurumphhhh!!!! Our *intranet* (and each node) has DIRECT access to the *internet*! It's a *corporate* LAN that spans several countries! Not your little *garage* type lan connecting two computers!
> > >It is, however, information that is traditionally restricted to only a few
> > >people within the company - those people that file the tax forms, and thus
> > >have a legitimate reason to know it - and a legal requirement, in fact, to do
> > >so. Others within the firm are generally not privy to such information, and
> > >for good reason. With a little knowledge of a person's public information and
> > >a SSN, you can get a credit card in their name.
Yup. Bad idea all the way 'round. Period. He shouldn't do it. Again, period.
> > >When this becomes the person's internal login name, and thus available to
> > >everyone from the coffee boy on up, there's considerably greater chance of
> > >fraud and identity theft against the employees.
> > How would the coffee boy get access to the internal database of the
> > intranet server?
Easy. In most cases nowadays he doesn't even need to be an employee. Our company uses a 'wireless' intranet in addition to the traditional 'hardwire'. This accommodates laptops, etc. I've written several memos with step-by-step instructions on how someone could sit in our parking lot and hack into our network. I've offered a demonstration...
The response? Heh, heh... yup! 'People who don't *need* to get on our network, won't.'
> Why would he need to?
Ahh... the corporate mindset. 'Employees who don't *need* to, won't.'
Ignorance... and (trust me) it's gonna cost you.
> What are the odds that the login info is transmitted in cleartext (it's
> an intranet so nobody cares even if most attacks are reported to come
> from insiders)?
Yup... nobody cares. ROTFL!!! Nope, nobody! Information isn't valuable. Hacking a network isn't interesting... or fun... or profitable.
> What are the odds that the network is properly secured against sniffers
> put onto it by just anyone able to physically access a host or even just
> a random ethernet outlet?
I'd say about 50/50. Probably less. Our shipping clerk has access. So does *every* employee at our location!
> What are the odds anyone would notice a sniffer at all (one with the
> transmit wires intact I mean)?
> Pretty slim I'd say.
Glad I don't work where you work! There's plenty of 'software' sniffers out there! Some are *very* difficult to find and isolate.
> > We're not talking about the person's email address.
> Exactly. This is kind of the point, isn't it? :-)
What, exactly... is your point? That any and all personal information can be used, transmitted, and bandied about... without *any* fear of it being used because 'those that don't *need* the information' won't use it?!?
Heh, heh... methinks you might have an ulterior motive?
>>> Why? Anyone serious about getting your ssn can get it by querying
>>> one of the credit agencies.
>> That's not as easy as it used to be since the passage of the
>> Gramm-Leach-Bliley Act. So replace "anyone serious" in the
>> sentence with "anyone willing to break the law, and bribe others to
>> break the law..."
> If you're worried about identity theft, then you're already presuming
> that they're willing to break the law.
Agreed. This reminds me of the controversy last year when one of the Bush daughters was busted for underage drinking. The manager who called the cops soon found her credit report details spread all over the Internet (specifically in regards to a bankruptcy, IIRC). It was all done very quickly -- and illegally.
In article <OAYE8.6474$v23.189769...@newssvr17.news.prodigy.com>,
MARK BURGGRAF <mburgg...@prodigy.net> wrote:
>Mathias Grimmberger <m...@zaphod.sax.de> wrote in message
>news:m3adqzsurg.fsf@zaphod.sax.de...
>> > How would the coffee boy get access to the internal database of the
>> > intranet server?
>Easy. In most cases nowadays he doesn't even need to be an employee. Our
>company uses a 'wireless' intranet in addition to the traditional
>'hardwire'. This accommodates laptops, etc. I've written several memos
>with step-by-step instructions on how someone could sit in our parking lot
>and hack into our network. I've offered a demonstration...
Access to the network is not the same as access to the internal database of the server. If the machine is properly secured, people with access to the network should only be able to access their own accounts.
If people can hack into servers with important data on it, then you have a far bigger problem.
Barry Margolin <bar...@genuity.net> writes:
> In article <OAYE8.6474$v23.189769...@newssvr17.news.prodigy.com>,
> MARK BURGGRAF <mburgg...@prodigy.net> wrote:
> >Mathias Grimmberger <m...@zaphod.sax.de> wrote in message
> >news:m3adqzsurg.fsf@zaphod.sax.de...
> >> > How would the coffee boy get access to the internal database of the
> >> > intranet server?
> >Easy. In most cases nowadays he doesn't even need to be an employee. Our
> >company uses a 'wireless' intranet in addition to the traditional
> >'hardwire'. This accommodates laptops, etc. I've written several memos
> >with step-by-step instructions on how someone could sit in our parking lot
> >and hack into our network. I've offered a demonstration...
> Access to the network is not the same as access to the internal database of
> the server. If the machine is properly secured, people with access to the
> network should only be able to access their own accounts.
> If people can hack into servers with important data on it, then you have a
> far bigger problem.
Of course.
This doesn't mean that in some company this isn't exactly the state of affairs, i.e. anyone with network access can run sniffers and all login data is transmitted in cleartext and "Switch" is an unknown concept.
But whatever security is in place I still don't believe that exposing sensitive information (a SSN AFAIK is sensitive info) without any need is a clever idea. KISS applies to security.
> Mathias Grimmberger <m...@zaphod.sax.de> wrote in message
> news:m3adqzsurg.fsf@zaphod.sax.de...
> > Barry Margolin <bar...@genuity.net> writes:
> > > In article <zhBE8.7182$%9.1742029...@newssvr30.news.prodigy.com>,
> > > Alun Jones <a...@texis.com> wrote:
> > > >In article <ejxE8.8$GK3...@paloalto-snr1.gtei.net>, Barry Margolin
> > > ><bar...@genuity.net> wrote:
[snip]
Please, you seem to be a bit confused about how Usenet News works. Pay attention to the attributions and who said what. These were three different people you answered to.
> > > We're not talking about the person's email address.
> > Exactly. This is kind of the point, isn't it? :-)
> What, exactly... is your point? That any and all personal information can
> be used, transmitted, and bandied about... without *any* fear of it being
> used because 'those that don't *need* the information' won't use it?!?
> Heh, heh... methinks you might have an ulterior motive?
No this was not my point. If you had paid attention you probably would have noticed.