Re: CRIME EarthLink Password Security Story

From: Lyle Leavitt (lylel@private)
Date: Wed Jun 19 2002 - 03:42:09 PDT


    Whoa! Mike, you found another sore spot. I did a Google search for
    attbi.+com + portland 
    
    I selected several email addresses from the results. I then tried
    logging into their email with "password" as the password. Sure enough, I
    got in 2 out of the 8 that I tried. 
    
    I have contacted a local TV station about this problem. I figure these
    users that have never bothered changing their password are obviously
    not reading Security Focus. Maybe I can get their attention on the 11
    o'clock news. Maybe I need a commercial spot during the Simpsons. This
    is turning into a full-time campaign.
    
    -Lyle
    
    "Myers, Mike" wrote:
    > 
    > Which reminds me...
    > 
    > The tech (AT&T contractor) who set up a cable modem for me graciously
    > selected "password" as my initial password.  Being fairly paranoid I went to
    > change it immediately upon his departure.  When I entered my name, I
    > mistyped it and lo and behold, I logged in...to someone else's account with
    > the password "password".  This was a fellow in Plano, Texas with a similar
    > name to my own.  I had his address and phone and could have set up his
    > account (including email) if I'd wished...I thought about calling him but I
    > figured it would just confuse him...
    > 
    > If attbi has the plain text stored they might want to see how many of them
    > are "password".  I thought about trying to log in as "john.smith",
    > "bob.jones", etc. with "password" just to see how far I could get but
    > decided they may have something watching failed logins and I didn't really
    > want to be tagged with that...
    > 
    > Another story for Security Focus anyone? :)
    > 
    > Cheers,
    >  - Mike.Myers@private-lmco.com
    > 
    > -----Original Message-----
    > From: MAGEE Rob [mailto:Rob.Magee@ODE-EX1.ODE.STATE.OR.US]
    > Sent: Tuesday, June 18, 2002 7:15 AM
    > To: CRIME
    > Subject: RE: CRIME EarthLink Password Security Story
    > 
    > The same policy is in force at ATTBI's support group.
    > Two days ago I was asked for my password.
    > 
    > -----Original Message-----
    > From: Lyle Leavitt [mailto:lylel@private]
    > Sent: Monday, June 17, 2002 4:38 PM
    > To: CRIME
    > Subject: CRIME EarthLink Password Security Story
    > 
    > FYI, the EarthLink password security story ran today at Wired News:
    > 
    > http://www.wired.com/news/privacy/0,1848,53208,00.html
    


