Security Basics mailing list archives

Determining who gave passwords to bogus site


From: Bert Knabe <bert.knabe () lubbockonline com>
Date: Thu, 19 Aug 2010 13:15:54 -0500

I'm on the incident response team for our company (I am the incident
response team on-site) and we just did a skills drill where we were given
the nature of the incident - a bogus email with a bogus link and had to
determine what type of attack it was, etc. I returned my answers, and I did
ok, but I was only partially right on one of the answers. The attack was an
XSS attack. The user clicked on a link in the email which called up a page
that injected a script into the actual login page and redirected to a bogus
login page before anything was actually entered into the real login page.

The question I only partially answered was, "How would you determine which
users gave away their passwords?"

I answered that since the user was redirected before entering anything on
the 'real' page you couldn't really tell who gave away their password, but
logs would tell you who had clicked on the link in the email. I was told
that there are two good ways to tell who gave up their passwords, one was
logs and the other is network based. Any way I can think of involves logs.
Is there a network based way to tell who gave up their passwords that
doesn't involve logs?

Bert Knabe
Technician
Lubbock Avalanche-Journal
806-766-2158 

Freedom is never more than one generation away from extinction. We didn't
pass it to our children in the bloodstream. It must be fought for,
protected, and handed on for them to do the same. Ronald Reagan
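
An added illustration of the log-based approach the post mentions (not part of the original message): it separates users who only reached the bogus site from those who sent a non-empty POST to it. The six-field proxy log format, the user names and the hostname `bogus-login.example` are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample proxy log (assumed format, not from the post):
# timestamp user method url status request_body_bytes
SAMPLE_LOG = """\
2010-08-19T09:01:12 alice GET http://bogus-login.example/landing?id=1 200 0
2010-08-19T09:01:15 alice GET http://bogus-login.example/login 200 0
2010-08-19T09:01:41 alice POST http://bogus-login.example/login 302 58
2010-08-19T09:03:02 bob GET http://bogus-login.example/landing?id=2 200 0
2010-08-19T09:03:05 bob GET http://bogus-login.example/login 200 0
2010-08-19T09:04:10 carol GET http://intranet.example/login 200 0
2010-08-19T09:04:30 carol POST http://intranet.example/login 302 61
2010-08-19T09:05:00 dave POST http://bogus-login.example/login 302 0
malformed line
"""


def classify(log_text, bogus_host):
    """Return (clicked, submitted): users who reached the bogus host, and
    users who sent a non-empty POST body to it (likely credentials)."""
    clicked, submitted = set(), set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[5].isdigit():
            continue  # skip lines that do not match the assumed format
        _ts, user, method, url, _status, body_len = parts
        host = (urlsplit(url).hostname or "").lower()
        if host != bogus_host.lower():
            continue  # traffic to the real site or anywhere else
        clicked.add(user)
        # A POST with an empty body means the form was sent without data.
        if method.upper() == "POST" and int(body_len) > 0:
            submitted.add(user)
    return clicked, submitted


def report(log_text, bogus_host):
    """Split affected users into password-reset and follow-up groups."""
    clicked, submitted = classify(log_text, bogus_host)
    return {"submitted": sorted(submitted),
            "clicked_only": sorted(clicked - submitted)}


if __name__ == "__main__":
    print(report(SAMPLE_LOG, "bogus-login.example"))
```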

