security policy question

Root root at mikieboy.net
Tue Mar 5 23:57:05 GMT 2013



On Tue, 5 Mar 2013, Brian Morrison wrote:

> On Mon, 4 Mar 2013 23:30:52 +0001 (GMT)
> Root wrote:
> 
> > I have no confidence that it wouldn't be trivial for someone to get
> > hold of my user-name and password by methods which don't involve me
> > being irresponsible. 
> > 
> > Any advice would be very helpful before i make a nuisance of myself.
> 
> Do you have some sort of access token, such as a smartcard or similar?
> 
> I have noticed that our local health centre people all have to insert
> their cards into a card reader slot on their keyboards. If this token
> must be present to process any transactions then it makes the task of
> keeping it out of other people's hands a little easier, in that there is
> a physical device to protect rather than virtual authentication tokens
> (which will be just your password unless your user name is not related
> to your real life identity).
> 
> Do you know what else is done to protect your login details? I would
> ask about this as without knowing this information it is effectively
> impossible for you to be responsible for access to systems you don't
> know about and don't control.
> 
> -- 
> 
> Brian Morrison
> 
> 
No, there are no smartcards or tokens.
My username is my real name and I have unfettered access to all secondary 
services health information on everyone in a very large area. The reason 
for the new security policy signature is that it has been decreed necessary 
to give me access to mental health letters from psychiatrists as well, 
which are stored on yet another system. (This is not something that I have 
asked for.)

Authentication is based on user name and password, and there has been no 
security testing (or security agenda during the design) of the systems. 
One of the major systems providers is unaware of the need for user input 
validation at login screens at senior "dev" level.

I see what they are trying to achieve, but am also paranoid enough to wonder 
if this is an attempt to transfer risk in the same way that the Scottish 
Government transferred the risk of not having any security criteria for 
centrally-ish commissioned systems to the individual health boards.

So I guess that I should get my red pen out.

Thank you for all the information. I guess I will be difficult.

mike