Re: CRIME EarthLink Password Security Story

From: Lyle Leavitt (lylel@private)
Date: Wed Jun 19 2002 - 03:42:09 PDT

Next message: Heidi Henry: "CRIME More SPAM"

Previous message: Crispin Cowan: "Re: CRIME Who is controling SPAM on our list?"
In reply to: Myers, Mike: "RE: CRIME EarthLink Password Security Story"
Next in thread: Seth Arnold: "Re: CRIME EarthLink Password Security Story"
Next in thread: Christiansen, John (SEA): "RE: CRIME EarthLink Password Security Story"
Reply: Seth Arnold: "Re: CRIME EarthLink Password Security Story"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Whoa! Mike, you found another sore spot. I did a Google search for
attbi.+com + portland 

I selected several email addresses from the results. I then tried
logging into their email with password as the password. Sure enough I
got in 2 out of the 8 that I tried. 

I have contacted a local TV station about this problem. I figure these
users that have never bothered changing their password are obviously
not reading Security Focus. Maybe I can get their attention on the 11
o'clock news. Maybe I need a commercial spot during the Simpsons. This
is turning into a full-time campaign.

-Lyle

"Myers, Mike" wrote:
> 
> Which reminds me...
> 
> The tech (AT&T contractor) who set up a cable modem for me graciously
> selected "password" as my initial password.  Being fairly paranoid I went to
> change it immediately upon his departure.  When I entered my name, I
> mistyped it and lo and behold, I logged in...to someone else's account with
> the password "password".  This was a fellow in Plano Texas with a similar
> name to my own.  I had his address and phone and could have set up his
> account (including email) if I'd wished...I thought about calling him but I
> figured it would just confuse him...
> 
> If attbi has the plain text stored they might want to see how many of them
> are "password".  I thought about trying to login as "john.smith",
> "bob.jones", etc. with "password" just to see how far I could get but
> decided they may have something watching failed logins and I didn't really
> want to be tagged with that...
> 
> Another story for Security Focus anyone? :)
> 
> Cheers,
>  - Mike.Myers@private-lmco.com
> 
> -----Original Message-----
> From: MAGEE Rob [mailto:Rob.Magee@ODE-EX1.ODE.STATE.OR.US]
> Sent: Tuesday, June 18, 2002 7:15 AM
> To: CRIME
> Subject: RE: CRIME EarthLink Password Security Story
> 
> The same policy is in force at ATTBI's support group.
> Two days ago I was asked for my password.
> 
> -----Original Message-----
> From: Lyle Leavitt [mailto:lylel@private]
> Sent: Monday, June 17, 2002 4:38 PM
> To: CRIME
> Subject: CRIME EarthLink Password Security Story
> 
> FYI, the EarthLink password security story ran today at Wired News:
> 
> http://www.wired.com/news/privacy/0,1848,53208,00.html

Next message: Heidi Henry: "CRIME More SPAM"
Previous message: Crispin Cowan: "Re: CRIME Who is controling SPAM on our list?"
In reply to: Myers, Mike: "RE: CRIME EarthLink Password Security Story"
Next in thread: Seth Arnold: "Re: CRIME EarthLink Password Security Story"
Next in thread: Christiansen, John (SEA): "RE: CRIME EarthLink Password Security Story"
Reply: Seth Arnold: "Re: CRIME EarthLink Password Security Story"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jun 19 2002 - 05:16:12 PDT