Re: [ISN] Japan arrests woman for email snooping

From: InfoSec News (isnat_private)
Date: Tue Aug 14 2001 - 03:00:30 PDT

  • Next message: InfoSec News: "[ISN] [defaced-commentary] LinuxSecurity Brasil defaced"

    Forwarded from: //Stany <stanyat_private>
    > When the co-worker changed the password on her account, Kishi
    > allegedly contacted the ISP and pretended to be the woman. The
    > ISP, which was not identified, told her the password after she
    > claimed to have forgotten it.
    > She then accessed the co-worker's account and read incoming and
    > outgoing emails between May 9 and June 1.
    This probably belongs on RISKS, not here, but I am lazy... ;-)
    People who employ me are at the moment considering an implementation
    of an LDAP database containing all the passwords in the company.  THe
    logic is that with the current large number of various authentication
    technologies, the only way to have "single sign-on", is to have
    clear-text passwords somewhere, and on hourly basis generate the
    smb/unix/LDAP/kerberos password hashes, and push them out.
    Of course with the convinience of having all passwords in the
    clear-text, people in control can be tricked into telling the user
    their old password, as opposed to changing it.  If the password was
    changed instead of revealed, then the cow-orker of Kishi might have
    realized that something is wrong next time she tried to log in.
    The other point is the one we are all painfully aware of - the weakest
    link tends to be human - computers on their own tend to fail to social
    engineering attacks much less frequently then the humans controlling
    the computers.
    +-------+ Stanislav N Vardomskiy - Procurator Odiosus Ex Infernis[TM] +-------+
    | "Backups we have; it's restores that we find tricky." Richard Letts at ASR  |
    | This message is powered by JOLT!  For all the sugar and twice the caffeine. |
    +--------+ My words are my own.  LARTs are provided free of charge. +---------+
    ISN is currently hosted by
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Tue Aug 14 2001 - 06:53:13 PDT