Re: CRIME EarthLink Password Security Story

From: Steve Beattie (steve@private)
Date: Tue Jun 18 2002 - 17:18:44 PDT


    On Tue, Jun 18, 2002 at 03:25:21PM -0700, Crispin Cowan wrote:
    > Seth does raise a good point: the *other* social engineering attack is 
    > to call up tech support in the name of some other user, and start 
    > messing with the account. Current common authentication practice is to 
    > ask for a zip code and a social security number. That sucks, because 
    > I've already seen at least one on-line service that will cough up zip 
    > codes for arbitrary people's names.
    > 
    > Fortunately for me, that service had data-mined my zip from a false 
    > entry that I gave Yahoo :)
    
    You're obviously not referring to google, which uses relatively
    up-to-date phone records. For example, searching for "Crispin Cowan
    Oregon" gives:
    
    	<http://www.google.com/search?hl=en&lr=&q=Crispin+Cowan+Oregon>
    
    which pretty clearly lists your home zip code + rest of your address.
    
    -- 
    Steve Beattie                               Don't trust programmers? 
    <steve@private>                         Complete StackGuard distro at
    http://NxNW.org/~steve/                            immunix.org
    http://www.personaltelco.net -- overthrowing QWest, one block at a time.
    
    
    


