Security Basics mailing list archives
RE: Password trading problem
From: "Barber, Chris Mr. ATEC/Contractor" <Chris.M.Barber () atec army mil>
Date: Thu, 5 Aug 2004 06:05:34 -0400
Best way to defend against this is to require password changes every so many days, 90 is a good practice. If the account was noticed to have a large number of simultaneous logins and that is against the acceptable use policy then disable the login and notify the owner.

I was part of an investigation on a CC Scam where the IDs for "Adult Sites" were created strictly for distribution, the cc numbers were stolen and several accounts were created for each "Adult Site" on each of the CC numbers. Then through IRC lists when requests came in for Free Access the Perps delivered one of these accounts. The Site owners were glad to assist and put up policies to require password changes and enforce them.

Chris.

-----Original Message-----
From: pingywon MCSE [mailto:pingywon () gmail com]
Sent: Wednesday, August 04, 2004 4:28 PM
To: Jason Humes
Cc: security-basics () securityfocus com
Subject: Re: Password trading problem

It is my experience that most of these "groups" do not operate off of websites. That is way too static a media for them. Most of them operate off of IRC. Now tracking them down and locating what sites they have is another story.

Finally I also know that some of these groups don't have "lists" at all but rather work strictly off of "requests" by their users.

Good Luck

~pingywon MCSE, CIWA, DCSE

On Tue, 3 Aug 2004 15:50:19 -0400, Jason Humes <jhumes () acs on ca> wrote:
Hi, I've got a client who has an adult themed, password protected, web site and I'm in charge of doing a security review of it. This was brought about by the admin noticing a huge amount of logins from a single account across many different IP addresses. I imagine that this is the result of password trading online and as part of my security audit I would like to develop a list of these sites which offer message forums for password 'testing', adult 'testing', web 'testing' etc...meaning password cracking, and scan for my client's site within their lists to make sure no passwords/accounts have been cracked and are being shared.

Does anyone have any ideas? Thanks.
--
Jason D. Humes
Applied Computer Solutions Inc.
3020 St. Etienne Blvd.
Windsor, Ontario
Phone: (519) 944-4300 x211
Fax: (519) 944-4247
Email: jhumes () acs on ca

--
~pingywon MCSE
http://www.pingywon.com
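
Added example (not part of any post in this thread): one way to surface the symptom described above, a single account logging in from many different IP addresses in a short period, so the login can be disabled and the owner notified. The log format, account names, one-hour window and threshold of 3 IPs are assumptions; the sample lines are constructed and use documentation IP ranges.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one login per line: "timestamp account source_ip".
SAMPLE_LOG = """\
2004-08-01T09:00:00 bob 203.0.113.20
2004-08-02T09:00:00 bob 203.0.113.21
2004-08-03T09:00:00 bob 203.0.113.22
2004-08-03T10:00:00 alice 192.0.2.10
2004-08-03T10:05:00 shared01 198.51.100.1
2004-08-03T10:07:00 shared01 198.51.100.2
2004-08-03T10:12:00 shared01 203.0.113.5
2004-08-03T10:20:00 shared01 203.0.113.9
2004-08-03T10:31:00 shared01 198.51.100.77
2004-08-03T18:00:00 alice 192.0.2.11
2004-08-04T09:00:00 bob 203.0.113.23
"""


def parse(log_text):
    """Yield (timestamp, account, ip) tuples from the assumed log format."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, account, ip = line.split()
        yield datetime.fromisoformat(ts), account, ip


def flag_shared_accounts(log_text, window=timedelta(hours=1), max_ips=3):
    """Return {account: peak distinct IPs} for every account that logged in
    from more than max_ips different addresses inside any sliding window."""
    recent = defaultdict(deque)  # account -> (timestamp, ip) pairs still in window
    flagged = {}
    for ts, account, ip in sorted(parse(log_text)):
        q = recent[account]
        q.append((ts, ip))
        # Drop logins that have aged out of the window.
        while ts - q[0][0] > window:
            q.popleft()
        distinct = len({addr for _, addr in q})
        if distinct > max_ips:
            flagged[account] = max(flagged.get(account, 0), distinct)
    return flagged


if __name__ == "__main__":
    for account, peak in flag_shared_accounts(SAMPLE_LOG).items():
        print(f"{account}: {peak} distinct IPs within 1 hour, review and notify owner")
```

A short window separates a traded password (shared01) from a legitimate user who changes address over several days (bob); widening the window trades fewer misses for more false positives.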
Current thread:
- Password trading problem Jason Humes (Aug 04)
- Re: Password trading problem John S . Whitford (Aug 04)
- Re: Password trading problem pingywon MCSE (Aug 04)
- Re: Password trading problem Tomek Perlak (Aug 05)
- <Possible follow-ups>
- RE: Password trading problem Barber, Chris Mr. ATEC/Contractor (Aug 05)
- RE: Password trading problem Hamish Stanaway (Aug 05)