RE: Password trading problem

["Barber, Chris Mr. ATEC/Contractor" <Chris.M.Barber () atec army mil>]

Best way to defend against this is to require password changes every so many
days, 90 is a good practice.  If the account was noticed to have a large
number of simultaneous logins and that is against the acceptable use policy
then disable the login and notify the owner.  I was part of an investigation
on a CC Scam where the IDs for "Adult Sites" were created strictly for
distribution,  the cc numbers were stolen and several account were created
for each "Adult Site" on each of the CC numbers.  Then through IRC lists
when requests cam in for Free Access the Perps delivered one of theses
accounts.  The Site owners were glad to assist and put up policies to
require password changes and enforce them.


Chris.

-----Original Message-----
From: pingywon MCSE [mailto:pingywon () gmail com] 
Sent: Wednesday, August 04, 2004 4:28 PM
To: Jason Humes
Cc: security-basics () securityfocus com
Subject: Re: Password trading problem

It is my experience that most of these "groups" do not operate off of
websites. That is way too static a media for them. Most of the operate off
off IRC. Now tracking them down and locating what sites they have is another
story.

Finally I also know that some of these groups dont have "lists" at all but
rather work strickly off of "requests" by thier users.

Good Luck 

~pingywon MCSE, CIWA, DCSE

On Tue, 3 Aug 2004 15:50:19 -0400 , Jason Humes <jhumes () acs on ca> wrote:
> Hi
> I've got a client who has an adult themed, password protected, web 
> site and I'm in charge of doing a security review of it.  This was 
> brought about by the admin noticing a huge amount of logins from a 
> single account across many different IP addresses.  I imagine that 
> this is the result of password trading online and as part of my 
> security audit I would like to develop a list of these sites which 
> offer message forums for password 'testing', adult 'testing', web 
> 'testing' etc...meaning password cracking, and scan for my clients 
> site within their lists to make sure no passwords/accounts have been
cracked and being shared.  Does anyone have any ideas?  Thanks.
> --
>
> Jason D. Humes
>
> Applied Computer Solutions Inc.
> 3020 St. Etienne Blvd.
> Windsor, Ontario
> Phone: (519) 944-4300 x211
> Fax    : (519) 944-4247
> Email : jhumes () acs on ca
>
> **********************************************************************
>
> Confidentiality Notice:
>
> The information contained in this e-mail and any attachments may be 
> legally privileged and confidential. If you are not an intended 
> recipient, you are hereby notified that any dissemination, 
> distribution or copying of this e-mail and any attachments is strictly 
> prohibited. If you received this e-mail in error, please notify the 
> sender and permanently delete the e-mail and any attachments 
> immediately. You should not retain, copy or use this e-mail or any 
> attachment for any purpose, nor disclose all or any part of the contents
to any other person.
> Thank you.
>
> ----------------------------------------------------------------------
> ----- Ethical Hacking at the InfoSec Institute. Mention this ad and 
> get $545 off any course! All of our class sizes are guaranteed to be 
> 10 students or less to facilitate one-on-one interaction with one of 
> our expert instructors.
> Attend a course taught by an expert instructor with years of 
> in-the-field pen testing experience in our state of the art hacking 
> lab. Master the skills of an Ethical Hacker to better assess the security
of your organization.
> Visit us at:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ----------------------------------------------------------------------
> ------


-- 


~pingywon MCSE
http://www.pingywon.com

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the
skills of an Ethical Hacker to better assess the security of your
organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------