Forwarded from: //Stany <stanyat_private>

> http://www.theregister.co.uk/content/55/20928.html
>
> [...]
>
> When the co-worker changed the password on her account, Kishi
> allegedly contacted the ISP and pretended to be the woman. The
> ISP, which was not identified, told her the password after she
> claimed to have forgotten it.
>
> She then accessed the co-worker's account and read incoming and
> outgoing emails between May 9 and June 1.

This probably belongs on RISKS, not here, but I am lazy... ;-)

People who employ me are at the moment considering an implementation of an LDAP database containing all the passwords in the company. The logic is that with the current large number of various authentication technologies, the only way to have "single sign-on" is to have clear-text passwords somewhere, and on an hourly basis generate the smb/unix/LDAP/kerberos password hashes and push them out.

Of course, with the convenience of having all passwords in clear text, people in control can be tricked into telling the user their old password, as opposed to changing it. If the password was changed instead of revealed, then the cow-orker of Kishi might have realized that something was wrong the next time she tried to log in.

The other point is the one we are all painfully aware of - the weakest link tends to be human - computers on their own tend to fall to social engineering attacks much less frequently than the humans controlling the computers.

Signed:
//Stany
--
+-------+ Stanislav N Vardomskiy - Procurator Odiosus Ex Infernis[TM] +-------+
| "Backups we have; it's restores that we find tricky." Richard Letts at ASR |
| This message is powered by JOLT! For all the sugar and twice the caffeine. |
+--------+ My words are my own. LARTs are provided free of charge. +---------+

- ISN is currently hosted by Attrition.org
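Added example, not code from the post or the Register story: a credential store that derives each backend's verifier once, at password-change time, so no clear-text copy exists for a help desk to read back, and the "forgot my password" path can only reset. The backend names follow the post; PBKDF2 standing in for each system's native hash format is an assumption.

```python
# Constructed example: per-backend verifiers derived at change time, no clear text retained.
import hashlib
import hmac
import os
import secrets
import string

# Backend names taken from the post; PBKDF2-SHA256 is a stand-in for each one's native hash.
BACKENDS = ("unix", "smb", "ldap", "kerberos")
ITERATIONS = 100_000


def derive_verifiers(password: str) -> dict:
    """Derive one salted verifier per backend. Nothing clear-text survives this call."""
    out = {}
    for name in BACKENDS:
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt + name.encode(), ITERATIONS)
        out[name] = (salt, dk)
    return out


class CredentialStore:
    def __init__(self):
        self._verifiers = {}  # user -> {backend: (salt, verifier)}
        self.audit = []       # who changed or reset what; constructed trail for the test

    def set_password(self, user: str, password: str) -> None:
        # Hashes are generated at change time and pushed from here, not re-derived hourly
        # from a clear-text copy, so there is no password column for anyone to consult.
        self._verifiers[user] = derive_verifiers(password)
        self.audit.append(("set", user))

    def verify(self, user: str, backend: str, password: str) -> bool:
        rec = self._verifiers.get(user, {}).get(backend)
        if rec is None:
            return False
        salt, stored = rec
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt + backend.encode(), ITERATIONS)
        return hmac.compare_digest(cand, stored)

    def helpdesk_recover(self, user: str, operator: str) -> str:
        """The only recovery path: issue a fresh temporary password and record who did it.
        The old password cannot be returned because it was never stored."""
        alphabet = string.ascii_letters + string.digits
        temp = "".join(secrets.choice(alphabet) for _ in range(16))
        self.set_password(user, temp)
        self.audit.append(("reset", user, operator))
        return temp
```

After a reset the old password stops working on every backend at once, which is the login failure that would have tipped off the account owner in the story.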
This archive was generated by hypermail 2b30 : Tue Aug 14 2001 - 06:53:13 PDT