security policy question
Root
root at mikieboy.net
Tue Mar 5 23:57:05 GMT 2013
On Tue, 5 Mar 2013, Brian Morrison wrote:
> On Mon, 4 Mar 2013 23:30:52 +0001 (GMT)
> Root wrote:
>
> > I have no confidence that it wouldn't be trivial for someone to get
> > hold of my user-name and password by methods which don't involve me
> > being irresponsible.
> >
> > Any advice would be very helpful before i make a nuisance of myself.
>
> Do you have some sort of access token, such as a smartcard or similar?
>
> I have noticed that our local health centre people all have to insert
> their cards into a card reader slot on their keyboards, if this token
> must be present to process any transactions then it makes the task of
> keeping it out of other people's hands a little easier in that there is
> a physical device to protect rather than virtual authentication tokens
> (which will be just your password unless your user name is not related
> to your real life identity).
>
> Do you know what else is done to protect your login details? I would
> ask about this as without knowing this information it is effectively
> impossible for you to be responsible for access to systems you don't
> know about and don't control.
>
> --
>
> Brian Morrison
>
>
No, there are no smartcards or tokens.
My username is my real name and I have unfettered access to all secondary
services health information on everyone in a very large area. The reason
for the new sec policy signature is because it has been decreed necessary
to give me access to mental health letters from psychiatrists as well,
which are stored on yet another system. (This is not something that I have
asked for.)
Authentication is based on user name and password and there has been no
security testing (or security agenda during the design) of the systems.
One of the major systems providers is unaware of the need for user input
validation at login screens at senior "dev" level.
I see what they are trying to achieve but am also paranoid enough to wonder
if this is an attempt to transfer risk in the same way that the Scottish
Government transferred the risk of not having any security criteria for
centrally-ish commissioned systems to the individual health boards.
So I guess that I should get my red pen out.
Thank you for all the information. I guess I will be difficult.
mike