
Enemy at the Water Cooler by Brian T Contos


Chapter 9

Mixing Revenge and Passwords—A Utility Company in Brazil

“…the next generation of terrorists will grow up in a digital world, with ever more powerful and easy-to-use hacking tools at their disposal.”
—Dorothy Denning
I’ve spent a great deal of my career working in South America, and I always look forward to my trips to Brazil. While its economic center, Sao Paulo, is one of the biggest cities in the world and not without crime, pollution, and corruption, I never get over the fact that while most Brazilians don’t have much in terms of material wealth, they will spend everything they’ve got in order to throw a party to entertain friends.

At these parties I’m talking about, there is always plenty of pinga. Pinga is an incredibly popular alcoholic drink in Southern Brazil. It’s made from cane sugar and is basically Brazil’s brandy. It is more formally called cachaca, but everybody I’ve known just calls it “pinga.” It can be mixed with ice, lime, and sugar to make caipirinha, which is one of Brazil’s most traditional drinks. Everywhere you go—restaurants, clubs, people’s houses—it is there. So why am I going on like this? Because in addition to being a popular drink, “pinga” was one of the most common passwords I’ve run across in Brazil. I found it used not just by an isolated system administrator, IT team, or company here and there; it was used on an epidemic scale. Some time has passed, and I’d like to think that this has been remedied by now, so I don’t think I’m giving away any Brazilian national secrets.
It was once common—although never a good idea—for users, and especially network or system administrators, to use the same password throughout the entire organization, and likely outside the organization too. Unless there was a central access control system that allowed for two-factor authentication, or, at a minimum, a mechanism in place to enforce the use of strong passwords, password management was difficult. If somebody needed to remember many passwords without an organization-wide password management system, they would likely write them down. I don’t think that writing down a password is necessarily that bad—not as long as it’s kept safe—but the idea gets a pretty bad response from many security experts. Still, writing passwords down clearly isn’t as good as having strong authentication solutions. Instead of writing passwords down, and short of having a better password management solution, in many cases a single password was used everywhere. When this happens, and a malicious individual learns an administrator-level password, he basically has the keys to the kingdom.
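The two controls the paragraph above calls for, a blocklist check at password-change time and an audit that measures how widespread a known-weak password is across an organization’s accounts, as an added example that is not from the book. The host names, salts, stored hashes and the four-entry blocklist are all constructed for this example; the audit hashes each blocklisted candidate with every account’s own salt, which is the only way to test salted hashes against a list.

```python
import hashlib
import hmac
from collections import Counter


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the kind of hash an account store should keep."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(host: str, user: str, password: str, salt: bytes) -> dict:
    # Constructed sample record; a real store would never keep the plaintext.
    return {"host": host, "user": user, "salt": salt, "hash": hash_password(password, salt)}


# Constructed set of administrator accounts across several systems; three of
# them share the same password, mirroring the "epidemic" reuse the text describes.
ACCOUNTS = [
    make_account("hist-server-01", "admin", "pinga", b"salt-01"),
    make_account("billing-db", "root", "pinga", b"salt-02"),
    make_account("edge-fw", "netadmin", "pinga", b"salt-03"),
    make_account("mail-gw", "postmaster", "Vq7!r#Lm2pZe", b"salt-04"),
]

# Constructed blocklist of passwords known to be common in this environment.
BLOCKLIST = ["pinga", "caipirinha", "password", "admin"]


def audit_blocklisted(accounts: list, blocklist: list) -> dict:
    """Map each blocklisted password to the (host, user) accounts still using it.

    Because every account has its own salt, each candidate must be re-hashed
    per account; hmac.compare_digest keeps the comparison constant-time.
    """
    hits: dict = {}
    for acct in accounts:
        for candidate in blocklist:
            if hmac.compare_digest(hash_password(candidate, acct["salt"]), acct["hash"]):
                hits.setdefault(candidate, []).append((acct["host"], acct["user"]))
                break  # one match per account is enough
    return hits


def reuse_report(hits: dict) -> Counter:
    """How many accounts share each blocklisted password (the 'scale' of reuse)."""
    return Counter({pw: len(accts) for pw, accts in hits.items()})


def check_new_password(password: str, blocklist: list, min_length: int = 12) -> tuple:
    """Policy gate at password-change time: reject blocklisted or short passwords."""
    if password.lower() in blocklist:
        return False, "password is on the blocklist"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "ok"
```

Running `reuse_report(audit_blocklisted(ACCOUNTS, BLOCKLIST))` on the constructed data reports three accounts on three different hosts sharing “pinga”, which is the finding an administrator would act on; the same blocklist then stops the password from being set again.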
www.syngress.com