Employer makes me use what I believe to be an insecure website for HR functions. What to do?











62 votes, 6 favorites












At my job, to be able to view my paychecks, vacation hours and HR data on myself I need to log into a 3rd party website.



I'm by no means a security expert or expert programmer but I could tell (simply by trying) that I could continue to try incorrect passwords without being locked out. (brute force: viable)



After logging in I was forced to select 3 pre-determined security questions in the case of a password reset (out of a total of 8!) such as my first car's licence plate (never owned a car 3/7), my spouse's 2nd name (don't have a spouse 3/6), 2nd name of my first kid (don't have kids 3/5), birthdate, name of my high school, favorite pet, favorite film or favorite piece of music.



Most of these things you can simply get from my Facebook (which, I should note, has not been updated for years!), again showing a distinct lack of understanding of basic security practices.



I also get the feeling, from looking at the site through the developer tools, that they use incredibly outdated software:



A JavaScript implementation of the RSA Data Security, Inc. MD5 Message
* Digest Algorithm, as defined in RFC 1321.
* Version 2.1 Copyright (C) Paul Johnston 1999 - 2002.


I reported this through my company but my superiors don't appear all that interested.



How would I go about:



A. Finding out if this site is really as insecure as I think it is?



B. If true: communicating this in an appropriate manner to the company itself (preferably in an anonymous fashion)


























  • 97




    A mitigation for security questions is to have randomly-generated passwords from a password manager as security "answers". That way, an adversary has no way to use OSINT against you. The rest of your question should be moved to workplace.stackexchange.com TBH
    – SeeYouInDisneyland
    Nov 15 at 10:56






  • 23




    Your analysis may be incorrect. Not hassling you after a few wrong attempts doesn't imply it's vulnerable to brute force; we have other, better, more user-friendly ways: captchas, rate limiting, etc.
    – Nathan Cooper
    Nov 15 at 14:16






  • 17




    MD5 is pretty straightforward, so it's not surprising that code built to generate an MD5 hash wouldn't have changed much since being written (and it was released in 1992). Using MD5 is potentially problematic, but it's possible to use it in safe, innocuous ways. One hopes the site's not doing password hashing client-side, for example.
    – ceejayoz
    Nov 15 at 14:23






  • 148




    That's my MD5 script they're using!
    – paj28
    Nov 15 at 15:43






  • 14




    The fact that you can keep entering passwords doesn't mean there's no brute-force protection. It is possible (and actually highly sensible!) to simply incur an ever bigger delay with every incorrect attempt. This makes a true brute force infeasible without locking somebody out who simply keeps mistyping their password.
    – leftaroundabout
    Nov 15 at 16:06
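The progressive-delay scheme the last two comments describe, as an added example (not code from the question's HR site or from any commenter): a per-account throttle that never hard-locks an account but doubles the wait after every failure. The constants, class names and sample accounts are assumptions.

```python
from dataclasses import dataclass, field

BASE_DELAY = 1.0       # seconds imposed after the first failure (assumed policy)
MAX_DELAY = 15 * 60.0  # cap: a mistyping user is never shut out longer than 15 minutes


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last success
    next_allowed: float = 0.0  # earliest timestamp at which another attempt is processed


@dataclass
class LoginThrottle:
    """Per-account progressive delay: nothing on the first try, then 1, 2, 4, 8 ...
    seconds, capped. There is no hard lockout, so a legitimate user who mistypes a
    few times waits seconds, while a guesser's throughput collapses.

    Caveat: the counter is per account, so on its own it does nothing against
    trying one password across many accounts; pair it with per-source limits
    and a captcha as the comment above suggests."""
    states: dict = field(default_factory=dict)

    def delay_for(self, failures: int) -> float:
        if failures == 0:
            return 0.0
        return min(BASE_DELAY * 2 ** (failures - 1), MAX_DELAY)

    def check(self, account: str, now: float) -> float:
        """Seconds the caller must still wait; 0.0 means the attempt may be processed."""
        st = self.states.get(account)
        if st is None:
            return 0.0
        return max(0.0, st.next_allowed - now)

    def record_failure(self, account: str, now: float) -> float:
        st = self.states.setdefault(account, AccountState())
        st.failures += 1
        delay = self.delay_for(st.failures)
        st.next_allowed = now + delay
        return delay

    def record_success(self, account: str) -> None:
        self.states.pop(account, None)


def attempt_login(throttle: LoginThrottle, account: str, password: str, verify, now: float):
    """Returns (ok, seconds_to_wait). While throttled, the password is not even
    checked, so a correct value submitted inside the delay window learns nothing."""
    wait = throttle.check(account, now)
    if wait > 0:
        return False, wait
    if verify(account, password):
        throttle.record_success(account)
        return True, 0.0
    return False, throttle.record_failure(account, now)


def time_for_guesses(n_guesses: int) -> float:
    """Wall-clock seconds a single-account guesser needs for n consecutive wrong
    guesses, waiting exactly each imposed delay: 3 typos cost a user 7 s, while
    20 wrong guesses cost 10023 s and every guess after that 900 s."""
    throttle = LoginThrottle()
    clock = 0.0
    for _ in range(n_guesses):
        clock += throttle.record_failure("target", clock)  # "target" is a constructed account name
    return clock
```
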



































































































Tags: account-security, websites


































edited yesterday by 200_success















asked Nov 15 at 10:50 by A. Nony-Mous












































6 Answers

















101 votes













To start with the easy bit: you do not have to put real information as the answers to the questions. Random strings work best if you are really paranoid and store them in a password manager just like a password.



The rest (no brute force protection, potentially outdated software) is a shame, but there is nothing that you can do, from a security perspective. I would raise the issue with HR/Payroll and ask them to investigate. If you are in Europe, then you can also talk to your DPO to suggest that their "Data Processor" has troubling account security practices that need to be investigated.



Otherwise, this is more of an internal office politics issue.























  • 155




    "you do not have to put real information" Are you trying to tell me my First Pet's Name isn't LRnq98FHk63FbrdYbJHvMRRe? I miss LRnq...
    – WernerCD
    Nov 15 at 14:52






  • 136




    Or you could actually name your pets and kids with a password manager.
    – Rad80
    Nov 15 at 19:23






  • 55




    @Rad80 but then people would know the answer to your security questions. You should really name your pets and kids with a password manager, but put in real/normal names in the security questions.
    – IronCraftMan
    Nov 15 at 19:35






  • 31




    The problem with this approach is of course: You will need to supply the security answers only in situations where you have lost the password itself. The only way I can imagine how you lost it is by corrupting your password manager (or by not having access to it from far away) - in which case you won't have access to your random pet names stored in the same password manager, either.
    – Hagen von Eitzen
    Nov 15 at 23:39






  • 18




    @IronCraftMan you never share true names as that allows the use of magic directly on the named item. All dragons, daemons and such already practise this security measure.
    – TafT
    Nov 16 at 13:15


















28 votes













To me this says you haven't investigated enough to confidently say it's insecure. You haven't shown any particular direct exploit nor really dug into their system (in a non-hacking, poking around kind of way). Your superiors may not be interested because of the lacking direct evidence of this.



As an example, my work uses a 3rd party site for scheduling vacations. I found it allows me to "recover" my password by sending my exact password back in plain text via email; that is direct evidence of an issue that I can report. Likewise, a site used for some IT services (SIP Trunk) had an issue where I could change the IDs in the URL and (to my surprise) view other people's account info: again, another direct line of evidence. Right now, you just have suspicions, and not obvious ones.



As an aside, all security questions for resetting passwords are insecure, as they rely on common information. As others have suggested, you can put fake answers in here (that you can still remember) or entirely randomly generated strings. You can think of the security questions as a "String" to "String" security challenge in the most generic sense.

























  • 10




    By the way, any down votes are welcome, as long as an explanation is given. We're all only posting here to help, so helping the help get better at helping is helpful ;-)
    – Jarrod Christman
    Nov 15 at 15:23






  • 10




    You are confusing hazards with exploits. The hazards are clear and understandable. Also, you have not answered the question (you reiterated the question). "How would I go about: A. Finding out if this site is really as insecure as I think it is?" Your answer says, "you need to find out if the site is insecure"
    – schroeder
    Nov 15 at 16:36






  • 2




    I didn't downvote, but a login system that is not protected against brute-force / dictionary attacks is a very real, direct problem. I would also check if the system is vulnerable to timing attacks (which can massively speed up a brute-force attack), but that's just me.
    – user1067003
    Nov 16 at 0:05








  • 8




    Many employers will be greatly annoyed if they discover you pen-testing their systems without advance knowledge and permission, and some might even try to bust you for violating hacking laws. Of course, if you ask "Can I spend my working hours on pen-testing this system I'm not responsible for?" the answer may well be no.
    – Kevin
    Nov 16 at 2:27








  • 1




    Though, I'd agree, the line of poking around versus pen-testing is a very thin and fine one. I would relegate my poking around to normal user behavior and infer what I could, anything outside of normal user behavior you start getting questionable. Though, this is highly a matter of opinion, so I probably shouldn't recommend that.
    – Jarrod Christman
    Nov 16 at 14:56


















5 votes














How would I go about:



A. Finding out if this site is really as insecure as I think it is?




You really cannot, unless you witness a concrete, exploitable problem. That's what infosec companies do: they try to actively break systems (with consent of the owners). They know many procedures and techniques to systematically take such an application apart, from simple things like using HTTP instead of HTTPS, insecure usage of cookies, XSS, SQL injection, but also other stuff like IDs being obviously simply counted up (which means you can just try them out sequentially), stuff being only checked in the browser (easily forged), and so on and so forth.



They also can combine blackbox- with whitebox-approaches (i.e., just looking from the outside, like any hacker/cracker would do, or actually studying the source code, entering the servers with provided accounts, and so on).



You could do all that yourself, but as you are asking, you obviously don't really know how. But the main problem is that if you did that without first getting consent, you'd be at least in gray territory, if not outright breaking the law.




B. if true: communicating this in an appropriate manner to the company itself (preferably in an anonymous fashion)




You cannot (anonymously, at least). If there is a dedicated CISO, he would be your first line of attack; but aside from that, especially in smaller firms, there is little you can do if your management just shrugs it off.



I guess there may be specific circumstances in which some government agency might be interested - for example if your company works for the government in an area which has strict security requirements; then obviously you might try to get an anonymous message to somewhere, but why would they care about your HR information...



But in general, for arbitrary companies, the saying "There's no fate but what we make for ourselves" would apply.






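The sequential-ID problem that answers 2 and 3 both describe (changing the id in the URL and getting someone else's record), as an added example rather than anything from the HR site: a handler that trusts the id from the URL beside one that enforces ownership server-side and records every denial so that id-walking shows up in the logs. The record store, the Session class, the audit list and all names are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Authenticated session; user_id comes from the server-side session store, never from the client."""
    user_id: int


# Constructed sample data (not real records): record id -> owner and payload.
# The ids are sequential on purpose: the "obviously simply counted up" pattern answer 3 mentions.
RECORDS = {
    1001: {"owner": 7, "payslip": "constructed-payslip-A"},
    1002: {"owner": 8, "payslip": "constructed-payslip-B"},
}

# Denied-access audit trail: (user_id, requested_record_id). A burst of entries for one
# user across many different ids is the detection signal for someone walking the id space.
AUDIT: list[tuple[int, int]] = []


class Forbidden(Exception):
    """Raised for both 'not yours' and 'does not exist'."""


def get_record_vulnerable(session: Session, record_id: int) -> dict:
    """The defect answer 2 describes: the only binding between user and record is the
    link the browser happened to render. Editing 1001 to 1002 in the URL returns
    another employee's record, because nothing server-side compares the two."""
    return RECORDS[record_id]


def get_record_hardened(session: Session, record_id: int) -> dict:
    """Ownership enforced server-side. Missing and foreign records get the same
    response, so the error message cannot be used to map which ids exist."""
    rec = RECORDS.get(record_id)
    if rec is None or rec["owner"] != session.user_id:
        AUDIT.append((session.user_id, record_id))
        raise Forbidden()
    return rec


def get_own_record(session: Session) -> tuple[int, dict]:
    """Better still for a 'my payslip' page: take no id from the client at all and
    derive the record from the session."""
    for rid, rec in RECORDS.items():
        if rec["owner"] == session.user_id:
            return rid, rec
    raise Forbidden()


def denied_ids_for(user_id: int) -> list[int]:
    """Detection helper: which record ids a user was refused, in order."""
    return [rid for uid, rid in AUDIT if uid == user_id]
```
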




























1 vote













If I had to guess, I'd bet the service is also resilient to brute force attacks, by simple virtue of being under-provisioned to handle the load involved. Go too fast with the guesses, and the server will fall over, alerting admins to what's going on. Go too slow, and you're not guessing fast enough to expect success in a reasonable period of time.



Add this to the suggestion by others to use false information, and the service isn't vulnerable at all if you're careful... least, not in ways reported so far. Note I said, "If". It does seem like an unfortunate design that, as you alluded, doesn't build confidence in what else might be behind the scenes.



I wouldn't attempt to actually test anything further myself, but if this is a product that is used by many other companies, you might try to put a bug in the ear of an actual security researcher, who will know how to test it in an ethical way and be better prepared to deal with any legal fallout. If you're the only technically-minded person in your area at work, you might want to also alert co-workers for how to use the service "safely".


































1 vote













I think you're right - it sounds like, probably, the site is potentially pretty insecure. Those are some red flags, and the whole thing sounds a bit smelly. MD5 is widely considered cryptographically insecure.



That being said, the question of "what do I do?" is one that plagues a lot of security-related scenarios. There's a cost and a benefit to any action you take, and the right choice of action depends heavily on your environment and the nuances of your individual scenario. What kind of industry do you work in? How valuable is the information you're storing on the system? Perhaps most importantly, how receptive is your company to changing security practices?



These are all the relevant questions for you to answer, and ones which none of us here on The Internet™ are able to help with. In every question of how to handle a situation involving insecure practices, knowing the subtleties of a corporate environment - individuals' work histories, the nature of their company connections, the level of risk of souring relationships - defines what to do next.



What I'm trying to get at is, it seems to me like none of us are really qualified to answer this for you. There's an infinite array of potential options, and the best course of action truly depends on your situation at a level of detail that's not really conveyable here.



Good luck!


































-2 votes













If you are an IT professional you can read the ACM Code of Ethics, which is the most comprehensive ethics code in IT today.



Section 1.2 says:
"A computing professional has an additional obligation to report any signs of system risks that might result in harm. If leaders do not act to curtail or mitigate such risks, it may be necessary to "blow the whistle" to reduce potential harm. However, capricious or misguided reporting of risks can itself be harmful. Before reporting risks, a computing professional should carefully assess relevant aspects of the situation."























  • 2




    Be very careful to understand what rights a whistleblower in your country/state has before you make that call. You may perceive what your employer is doing as immoral, but whistleblowing is often an illegal breach of contract unless you can prove your employer is doing something illegal themselves. Shitty security is not illegal in most cases unless you are handling data that is protected under HIPAA, PCI, GDPR, or some other similar regulation. Employers actually have very little government oversight regarding how they store employee information, at least in the USA.
    – Nosajimiki
    Nov 16 at 21:20










  • Well, ACM is the biggest global IT organization, and this Code of Ethics has emerged after a lot of discussions and objections from members worldwide. If you abide by the code as an IT professional, it is an ethical guideline. What you will do is of course something entirely personal. Knowing something is wrong and not doing anything is the root of evil in our society.
    – Peter Papadopoulos
    2 days ago










  • How does this answer the questions asked?
    – reinierpost
    16 hours ago












































        up vote
        101
        down vote













        To start with the easy bit: you do not have to put real information as the answers to the questions. Random strings work best if you are really paranoid and store them in a password manager just like a password.



        The rest (no brute force protection, potentially outdated software) is a shame, but there is nothing that you can do, from a security perspective. I would raise the issue with HR/Payroll and ask them to investigate. If you are in Europe, then you can also talk to your DPO to suggest that their "Data Processor" has troubling account security practices that need to be investigated.



        Otherwise, this is more of an internal office politics issue.






        answered Nov 15 at 11:00









        schroeder

        • 155
          "you do not have to put real information" Are you trying to tell me my First Pet's Name isn't LRnq98FHk63FbrdYbJHvMRRe? I miss LRnq...
          – WernerCD
          Nov 15 at 14:52

        • 136
          Or you could actually name your pets and kids with a password manager.
          – Rad80
          Nov 15 at 19:23

        • 55
          @Rad80 but then people would know the answer to your security questions. You should really name your pets and kids with a password manager, but put in real/normal names in the security questions.
          – IronCraftMan
          Nov 15 at 19:35

        • 31
          The problem with this approach is of course: You will need to supply the security answers only in situations where you have lost the password itself. The only way I can imagine how you lost it is by corrupting your password manager (or by not having access to it from far away) - in which case you won't have access to your random pet names stored in the same password manager, either.
          – Hagen von Eitzen
          Nov 15 at 23:39

        • 18
          @IronCraftMan you never share true names as that allows the use of magic directly on the named item. All dragons, daemons and such already practise this security measure.
          – TafT
          Nov 16 at 13:15














        up vote
        28
        down vote

        To me this says you haven't investigated enough to confidently say it's insecure. You haven't shown any particular direct exploit nor really dug into their system (in a non-hacking, poking-around kind of way). Your superiors may not be interested because of the lack of direct evidence of this.

        As an example, my work uses a 3rd party site for scheduling vacations; I found it allows me to "recover" my password by sending my exact password back in plain text via email. That is direct evidence of an issue that I can report. Likewise, a site used for some IT services (SIP Trunk) had an issue where I could change the IDs in the URL and (to my surprise) view other people's account info; again, another direct line of evidence. Right now, you just have suspicions, and not obvious ones.

        As an aside, all security questions for resetting passwords are insecure, as they rely on common information. As others have suggested, you can put fake answers in here (that you can still remember) or entirely randomly generated strings. You can think of the security questions as a "String" to "String" security challenge in the most generic sense.






        edited Nov 15 at 16:34









        schroeder

        answered Nov 15 at 15:10









        Jarrod Christman

        • 10
          By the way, any down votes are welcome, as long as an explanation is given. We're all only posting here to help, so helping the help get better at helping is helpful ;-)
          – Jarrod Christman
          Nov 15 at 15:23

        • 10
          You are confusing hazards with exploits. The hazards are clear and understandable. Also, you have not answered the question (you reiterated the question). "How would I go about: A. Finding out if this site is really as insecure as I think it is?" Your answer says, "you need to find out if the site is insecure".
          – schroeder
          Nov 15 at 16:36

        • 2
          I didn't downvote, but a login system that is not protected against brute-force / dictionary attacks is a very real, direct problem. I would also check if the system is vulnerable to timing attacks (which can massively speed up a brute-force attack), but that's just me.
          – user1067003
          Nov 16 at 0:05

        • 8
          Many employers will be greatly annoyed if they discover you pen-testing their systems without advance knowledge and permission, and some might even try to bust you for violating hacking laws. Of course, if you ask "Can I spend my working hours on pen-testing this system I'm not responsible for?" the answer may well be no.
          – Kevin
          Nov 16 at 2:27

        • 1
          Though, I'd agree, the line between poking around and pen-testing is a very thin and fine one. I would relegate my poking around to normal user behavior and infer what I could; anything outside of normal user behavior starts getting questionable. Though, this is highly a matter of opinion, so I probably shouldn't recommend that.
          – Jarrod Christman
          Nov 16 at 14:56
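Both schroeder's answer (random answers kept in a password manager; a site with no brute-force protection) and user1067003's comment (brute-force and timing attacks on the login) point at what the server side of a security-question check should look like. The following is an added example and is not code from the question, from any answer, or from the HR vendor's site: a small Python verifier that stores only salted, PBKDF2-stretched hashes of the answers, compares them in constant time, and locks the account after a few wrong attempts. The names (SecurityAnswerStore, MAX_ATTEMPTS, LOCKOUT_SECONDS, the users "alice" and "bob") and the sample guesses are this example's own constructions.

```python
"""Added example, not from the original post, its answers, or the site under
discussion: server-side handling of password-reset security answers that
addresses the weaknesses raised above (unlimited guessing, timing leaks,
answers stored in clear text). Names such as SecurityAnswerStore, MAX_ATTEMPTS
and LOCKOUT_SECONDS are this example's own choices, not any vendor's API."""
import hashlib
import hmac
import os
import secrets
import time

MAX_ATTEMPTS = 5             # wrong answers tolerated before the account locks (assumed policy)
LOCKOUT_SECONDS = 15 * 60    # length of the lock (assumed policy)
PBKDF2_ITERATIONS = 100_000  # slows offline guessing if the hash table ever leaks


def normalize(answer: str) -> str:
    """Make the check case- and whitespace-insensitive ("Fluffy " == "fluffy").
    Applied identically at enrollment and verification."""
    return " ".join(answer.strip().lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted, stretched hash; the clear-text answer is never stored."""
    return hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def random_answer(nbytes: int = 18) -> str:
    """The user-side half of the advice above: a random string kept in a
    password manager instead of a real pet's name."""
    return secrets.token_urlsafe(nbytes)


class SecurityAnswerStore:
    """Per-user answer hashes plus a failed-attempt counter and lockout."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock    # injectable so the lockout can be tested without waiting
        self._records = {}     # user -> salt, hash, failures, locked_until

    def enroll(self, user: str, answer: str) -> None:
        salt = os.urandom(16)
        self._records[user] = {
            "salt": salt,
            "hash": hash_answer(answer, salt),
            "failures": 0,
            "locked_until": None,
        }

    def verify(self, user: str, answer: str) -> str:
        """Return "ok", "denied" or "locked". The HTTP layer should show the
        same generic message for the last two so it reveals nothing extra."""
        now = self._clock()
        rec = self._records.get(user)
        if rec is None:
            # Do the same amount of work for unknown users so response time
            # does not reveal whether an account exists.
            hash_answer(answer, b"\x00" * 16)
            return "denied"
        if rec["locked_until"] is not None and now < rec["locked_until"]:
            return "locked"
        candidate = hash_answer(answer, rec["salt"])
        # Constant-time comparison: rejecting a wrong answer takes as long
        # whether its first byte matches or its last one does.
        if hmac.compare_digest(candidate, rec["hash"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_ATTEMPTS:
            rec["failures"] = 0
            rec["locked_until"] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


def demo() -> list:
    """Constructed scenario: five wrong guesses drawn from the kind of
    information a public profile exposes, then the legitimate user's real
    answer, which is refused because the account is now locked."""
    store = SecurityAnswerStore()
    store.enroll("alice", "Fluffy")
    outcomes = [store.verify("alice", g) for g in ["Rex", "Max", "Bella", "Charlie", "Buddy"]]
    outcomes.append(store.verify("alice", "Fluffy"))
    return outcomes


if __name__ == "__main__":
    print(demo())  # ['denied', 'denied', 'denied', 'denied', 'locked', 'locked']
```

The lockout is per account and time-based rather than permanent, so a wrong-guess campaign cannot be used to lock a user out for good, and the clock is injected so the unlock path can be exercised in a test. Normalizing answers before hashing trades a little entropy for usability; with the 24-character random answers `random_answer()` produces, that is not a concern, and the same function is what a user following schroeder's advice would want for the "pet's name" field.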














        up vote
        5
        down vote

        How would I go about:

        A. Finding out if this site is really as insecure as I think it is?

        You really cannot, unless you witness a concrete, exploitable problem. That's what infosec companies do: they try to actively break systems (with the consent of the owners). They know many procedures and techniques to systematically take such an application apart, from simple things like using HTTP instead of HTTPS, insecure usage of cookies, XSS, SQL injection, but also other things like IDs being obviously simply counted up (which means you can just try them out sequentially), things being checked only in the browser (easily forged), and so on and so forth.

        They can also combine black-box with white-box approaches (i.e., just looking from the outside, like any hacker/cracker would do, or actually studying the source code, entering the servers with provided accounts, and so on).

        You could do all that yourself, but as you are asking, you obviously don't really know how. But the main problem is that if you did that without first getting consent, you'd be at least in gray territory, if not outright breaking the law.

        B. if true: communicating this in an appropriate manner to the company itself (preferably in an anonymous fashion)

        You cannot (anonymously, at least). If there is a dedicated CISO, he would be your first line of attack; but aside from that, especially in smaller firms, there is little you can do if your management just shrugs it off.

        I guess there may be specific circumstances in which some government agency might be interested - for example if your company works for the government in an area which has strict security requirements; then obviously you might try to get an anonymous message to somewhere, but why would they care about your HR information...

        But in general, for arbitrary companies, the saying "There's no fate but what we make for ourselves" would apply.






        share|improve this answer

























          up vote
          5
          down vote














          How would I go about:



          A. Finding out if this site is really as insecure as I think it is?




          You really cannot, unless you witness a concrete, exploitable problem. That's what infosec companies do, they try to actively break systems (with consent of the owners). They know many procedures and techniques to systematically take such an application appart, from simple things like using HTTP instead of HTTPS, insecure usage of cookies, XSS, SQL injection, but also other stuff like IDs being obviously simply counted up (which means you can just try them out sequentially), stuff being only checked on the browser (easily forged), and so on and so forth.



          They also can combine blackbox- with whitebox-approaches (i.e., just looking from the outside, like any hacker/cracker would do, or actually studying the source code, entering the servers with provided accounts, and so on).



          You could do all that yourself, but as you are asking, you obviously don't really know how. But the main problem is that if you did that, without first getting consent, you'd be at least in gray territory, if not outright breaking law.




          B. if true: communicating this in an appropriate manner to the company itself (preferably in an anonymous fashion)




          You cannot (anonymously, at least). If there is a dedicated CISO, he would be your first line of attack; but aside from that, especially in smaller firms, there is little you can do if your management just shrugs it off.



          I guess there may be specific circumstances in which some government agency might be interested - for example if your company works for the government in an area which has strict security requirements; then obviously you might try to get an anonymous message to somewhere, but why would they care about your HR information...



          But in general, for arbitrary companies, the saying "There's no fate but what we make for ourselves" would apply.






          share|improve this answer























            up vote
            5
            down vote










            up vote
            5
            down vote










            answered Nov 15 at 23:24









            AnoE

            2,0421311
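An added example, not part of AnoE's answer and not code from the HR site in question, for the middle ground between "witness a concrete, exploitable problem" and "don't test without consent": a passive check that only reads what the login page already sends to any ordinary visitor (whether the page lands on HTTPS, whether it sets HSTS, whether its cookies carry Secure, HttpOnly and SameSite, whether a Server or X-Powered-By header leaks a version string). It sends no crafted input and guesses no passwords. The `hr.example.invalid` URLs and both header sets are constructed for illustration; `assess`, `fetch` and `parse_set_cookie` are names chosen here.

```python
# Added example: passive hygiene check of a login page's HTTP response.
# It only inspects what the server sends to a normal visitor (final URL
# scheme, HSTS header, Set-Cookie attributes, version-bearing headers);
# it sends no crafted input and is not a penetration test.
# The sample headers at the bottom are constructed, not captured.
import urllib.request
from typing import Dict, List, Optional, Tuple

Headers = Dict[str, List[str]]  # header name -> every value (Set-Cookie repeats)


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Split one Set-Cookie value into (cookie name, {attr_lowercase: value or None})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return "", {}
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        else:
            attrs[part.lower()] = None  # flag attribute such as Secure or HttpOnly
    return name, attrs


def _lookup(headers: Headers, name: str) -> List[str]:
    """Case-insensitive header lookup returning every value carried under that name."""
    return [v for k, vals in headers.items() if k.lower() == name.lower() for v in vals]


def assess(final_url: str, headers: Headers) -> List[str]:
    """Return human-readable findings; an empty list means nothing obvious was seen."""
    findings: List[str] = []
    over_tls = final_url.lower().startswith("https://")
    if not over_tls:
        findings.append("login page is served over plain HTTP (credentials travel in clear)")
    elif not _lookup(headers, "Strict-Transport-Security"):
        findings.append("no Strict-Transport-Security header (first visit can be downgraded)")

    for raw in _lookup(headers, "Set-Cookie"):
        name, attrs = parse_set_cookie(raw)
        if over_tls and "secure" not in attrs:
            findings.append(f"cookie {name!r} lacks Secure (may be sent over plain HTTP)")
        if "httponly" not in attrs:
            findings.append(f"cookie {name!r} lacks HttpOnly (readable by injected script)")
        samesite = (attrs.get("samesite") or "").lower()
        if samesite in ("", "none"):
            findings.append(f"cookie {name!r} has SameSite={samesite or 'unset'} (no CSRF hint)")

    for hdr in ("Server", "X-Powered-By"):
        for val in _lookup(headers, hdr):
            if any(ch.isdigit() for ch in val):
                findings.append(f"{hdr} header discloses a version string: {val!r}")
    return findings


def fetch(url: str, timeout: float = 10.0) -> Tuple[str, Headers]:
    """GET the page as a browser would and return (final URL, headers).
    Redirects are followed, so an http:// start that lands on https:// passes."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:  # raises HTTPError on 4xx/5xx
        hdrs: Headers = {}
        for key in resp.headers.keys():
            hdrs[key] = resp.headers.get_all(key) or []
        return resp.geturl(), hdrs


# Constructed sample responses (not captured from any real site).
WEAK_URL = "http://hr.example.invalid/login"
WEAK_HEADERS: Headers = {
    "Server": ["Apache/2.2.3"],
    "Set-Cookie": ["JSESSIONID=0123456789ABCDEF; Path=/",
                   "lang=en; Path=/; HttpOnly"],
}
HARDENED_URL = "https://hr.example.invalid/login"
HARDENED_HEADERS: Headers = {
    "Strict-Transport-Security": ["max-age=31536000; includeSubDomains"],
    "Set-Cookie": ["session=0123456789ABCDEF; Path=/; Secure; HttpOnly; SameSite=Lax"],
}

if __name__ == "__main__":
    for label, url, hdrs in (("weak", WEAK_URL, WEAK_HEADERS),
                             ("hardened", HARDENED_URL, HARDENED_HEADERS)):
        print(f"{label}: {assess(url, hdrs) or ['no obvious transport/cookie issues']}")
```

For the real site, call `fetch(url)` once with the login URL you use anyway and pass the result to `assess`; the findings list is something concrete to put in a report. A finding here is evidence of sloppy configuration, not proof of an exploitable hole, and an empty list says nothing about the backend, which is exactly the limit AnoE describes.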




                up vote
                1
                down vote













If I had to guess, I'd bet the service is also resilient to brute force attacks, by simple virtue of being under-provisioned to handle the load involved. Go too fast with the guesses, and the server will fall over, alerting admins to what's going on. Go too slow, and you're not guessing fast enough to expect success in a reasonable period of time.

Add this to the suggestion by others to use false information, and the service isn't vulnerable at all if you're careful... at least, not in ways reported so far. Note I said, "If". It does seem like an unfortunate design that, as you alluded, doesn't build confidence in what else might be behind the scenes.

I wouldn't attempt to actually test anything further myself, but if this is a product that is used by many other companies, you might try to put a bug in the ear of an actual security researcher, who will know how to test it in an ethical way and be better prepared to deal with any legal fallout. If you're the only technically-minded person in your area at work, you might want to also alert co-workers on how to use the service "safely".






                    answered Nov 16 at 20:19









                    Joel Coehoorn

                    1,2951912




                        up vote
                        1
                        down vote













                        I think you're right - it sounds like, probably, the site is potentially pretty insecure. Those are some red flags, and the whole thing sounds a bit smelly. MD5 is widely considered cryptographically insecure.



                        That being said, the question of "what do I do?" is one that plagues a lot of security-related scenarios. There's a cost and a benefit to any action you take, and the right choice of action depends heavily on your environment and the nuances of your individual scenario. What kind of industry do you work in? How valuable is the information you're storing on the system? Perhaps most importantly, how receptive is your company to changing security practices?



                        These are all the relevant questions for you to answer, and ones which none of us here on The Internet™ are able to help with. In every question of how to handle a situation involving insecure practices, knowing the subtleties of a corporate environment - individuals' work histories, the nature of their company connections, the level of risk of souring relationships - defines what to do next.



                        What I'm trying to get at is, it seems to me like none of us are really qualified to answer this for you. There's an infinite array of potential options, and the best course of action truly depends on your situation at a level of detail that's not really conveyable here.



                        Good luck!






                            answered Nov 17 at 1:02









                            securityOrange

                            1895




                                up vote
                                -2
                                down vote













                                If you are an IT professional you can read the ACM Code of Ethics, which is the most comprehensive ethics code in IT today.



                                Section 1.2 says:
                                "A computing professional has an additional obligation to report any signs of system risks that might result in harm. If leaders do not act to curtail or mitigate such risks, it may be necessary to "blow the whistle" to reduce potential harm. However, capricious or misguided reporting of risks can itself be harmful. Before reporting risks, a computing professional should carefully assess relevant aspects of the situation."






answered Nov 15 at 14:43

Peter Papadopoulos

3296

• 2

  Be very careful to understand what rights a whistleblower in your country/state has before you make that call. You may perceive what your employer is doing as immoral, but whistleblowing is often an illegal breach of contract unless you can prove your employer is doing something illegal themselves. Shitty security is not illegal in most cases unless you are handling data that is protected under HIPAA, PCI, GDPR, or some other similar regulation. Employers actually have very little government oversight regarding how they store employee information, at least in the USA.
  – Nosajimiki
  Nov 16 at 21:20

• Well, ACM is the biggest global IT organization, and this Code of Ethics has emerged after a lot of discussions and objections from members worldwide. If you abide by the code as an IT professional, it is an ethical guideline. What you will do is of course something entirely personal. Knowing something is wrong and not doing anything is the root of evil in our society.
  – Peter Papadopoulos
  2 days ago

• How does this answer the questions asked?
  – reinierpost
  16 hours ago









