Snippets
That's just about it for the November IT Governance Letter.
But just before we go, we thought we should share a couple of brief points:
Value in Obsolescence?
We all know that some organisations keep old systems, hardware and software alike, running well beyond their "use by date". The practice has gone on for years and, despite our best efforts to improve governance, it will continue.
What's amazing is the lengths that some organisations will go to in order to keep their clapped-out systems running - and the money they will spend to do this. We've heard in the past of banks buying pallet loads of teller terminals from South America. Recently, we had a close-to-home experience. Somewhere along the way, the Infonomics storeroom had captured a perfectly good, but utterly useless IBM PS/2 computer. We had a cleanout and despatched said computer to the recyclers. A week later, we learned of a local organisation that has software that will only run on that model, and they had just paid $3,000 each for 12 of them. That's three times as much as a contemporary basic PC! Surely it's time for that organisation to bite the bullet, and rework the software so it's able to run on modern, cheap hardware.
Passwords Unsecured?
During the 1980s, I was working in the UK, and became a customer of one of the major UK banks. Their ATMs offered a facility for selecting your own PIN, and of course, I employed it. At the time, I was horrified to see that, having entered the secret new PIN, the ATM then asked me to confirm that it was what I had entered, by displaying it back to me - in nice big clear numerals that could be seen by anybody watching me. Of course, we all know now that the proper way to verify secret things like that is to enter them twice.
That applies to user selected passwords too, doesn't it?
And having entered a new password twice, isn't it fair to assume that we can remember what it is?
Some websites still send registered users an email telling them the password they have just chosen. In one case we experienced recently, the email gave me my user id and password, together in a single email.
Why worry, you say? Well, consider this:
Emails are not secure. They can be intercepted en route, and copies are routinely kept on the mail servers along the way and in the mailboxes at both ends. Any number of people can read, and may already have read, that email, and with it they have my user id and password for that website.
Many people make extensive use of the internet, and so are registered on many websites. Establishing and remembering a unique user id and password for every one of them is hard, so a lot of people fall back on the same name and password everywhere. That only works for as long as the pair remains secret.
But as soon as one website operator sends the username and password out together in an email, that user's access to every other website where the same pair is used becomes open season.
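As an added illustration (not part of the original newsletter, and not the code of any site mentioned in it), the following Python sketch contrasts a registration handler that behaves like the site described above with one that never puts the secret in the mail: it checks the twice-entered password, stores only a salted PBKDF2 hash, and mails a one-time verification token instead. The in-memory USERS store, the PBKDF2 work factor, the example.invalid URL and the function names are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

# Hypothetical in-memory user store standing in for a real database.
USERS = {}

PBKDF2_ROUNDS = 600_000  # assumed work factor; tune for the target hardware


def register_insecure(user_id, password):
    """The practice criticised above: the welcome mail carries the user id
    and the password together, so anyone who can read the mail in transit
    or at rest can log in as this user, here and anywhere the pair is reused."""
    USERS[user_id] = {"password": password}
    return f"Welcome {user_id}. Your user id is {user_id} and your password is {password}."


def register(user_id, password, password_again):
    """Hardened version: confirm the password by asking for it twice (the
    ATM lesson), keep only a salted hash, and mail a one-time verification
    token rather than the secret itself."""
    if password != password_again:
        raise ValueError("passwords do not match")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    token = secrets.token_urlsafe(32)
    USERS[user_id] = {"salt": salt, "hash": digest, "verify_token": token, "verified": False}
    # Assumed URL; the token is single-use and reveals nothing about the password.
    return f"Welcome {user_id}. Confirm your address: https://example.invalid/verify?token={token}"


def confirm_email(token):
    """Consume the one-time token from the welcome mail; a replayed token fails."""
    for rec in USERS.values():
        if rec.get("verify_token") == token:
            rec["verified"] = True
            rec["verify_token"] = None
            return True
    return False


def verify_login(user_id, password):
    """Recompute the salted hash for the stored record and compare in constant time."""
    rec = USERS.get(user_id)
    if rec is None or "hash" not in rec:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, rec["hash"])


def credentials_in_mail(mail_body, user_id, password):
    """What an eavesdropper learns from one captured mail: True means the
    mail alone is enough to log in as the user."""
    return user_id in mail_body and password in mail_body
```

Read the welcome mail returned by each handler as the thing an intermediary might capture: the insecure one hands over a working credential pair, the hardened one hands over a token that is useless once confirmed and says nothing about the password, which exists only as a salted hash on the server.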
The lessons here are twofold.
Don't trust website operators to keep your data confidential; and
take great care to use unique, truly secret passwords on every website that matters, such as your bank's!