Thursday, October 22, 2009

Belgian national infrastructure client

The last couple of days I was on site at a customer that is one of the big players in Belgian national infrastructure. I am just there to help roll out some systems, not as a DBA or a security guy, but ... I had my little fun.

The first thing I noticed when I got in was that with just a name drop and telling him that I am an IT guy, the friendly guy at the front desk opened the doors. No call to verify my story; I just walked onto the site to the other buildings. Always be polite and ask for directions with a smile :).

Then I got to the IT department's building, and the first thing I noticed were all the printouts on the walls; one of them was a procedure with a password on it ... sweeeet.

Later that day I got an email with my login credentials. Yes, my dear reader, plain-text passwords emailed over the DHCP network. I asked my new colleagues if I was the only one who thought it shouldn't be that way, but apparently they did not understand the problem.

Now I have access badges and can come in through the employee entrance. At the entry point there is a security guard who opens the gate for the cars and checks the people walking in. The only problem is that the guy is about 6 meters away from you when you show your badge. The badge is a classic (white) RFID card with the company logo and your name printed on it. Just out of curiosity I showed the guy a red-and-blue membership card for something else and got in smiling.

But the customer is security-aware ... they are doing an audit of their email system at the moment, and they have firewalls, anti-virus and VPNs.