Information Security News mailing list archives

Re: Japan arrests woman for email snooping


From: InfoSec News <isn () c4i org>
Date: Tue, 14 Aug 2001 05:00:30 -0500 (CDT)

Forwarded from: //Stany <stany () NotBSD org>

http://www.theregister.co.uk/content/55/20928.html

[...]

When the co-worker changed the password on her account, Kishi
allegedly contacted the ISP and pretended to be the woman. The
ISP, which was not identified, told her the password after she
claimed to have forgotten it.

She then accessed the co-worker's account and read incoming and
outgoing emails between May 9 and June 1.

This probably belongs on RISKS, not here, but I am lazy... ;-)

People who employ me are at the moment considering an implementation
of an LDAP database containing all the passwords in the company.  The
logic is that with the current large number of various authentication
technologies, the only way to have "single sign-on" is to have
clear-text passwords somewhere, and on an hourly basis generate the
smb/unix/LDAP/kerberos password hashes, and push them out.

Of course, with the convenience of having all passwords in
clear-text, people in control can be tricked into telling the user
their old password, as opposed to changing it.  If the password had been
changed instead of revealed, then the cow-orker of Kishi might have
realized that something was wrong the next time she tried to log in.

The other point is the one we are all painfully aware of - the weakest
link tends to be human - computers on their own tend to fall to social
engineering attacks much less frequently than the humans controlling
the computers.

Signed:
//Stany
-- 
+-------+ Stanislav N Vardomskiy - Procurator Odiosus Ex Infernis[TM] +-------+
| "Backups we have; it's restores that we find tricky." Richard Letts at ASR  |
| This message is powered by JOLT!  For all the sugar and twice the caffeine. |
+--------+ My words are my own.  LARTs are provided free of charge. +---------+
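The reveal-versus-reset distinction drawn in the post above, as an added example that is not part of the original message or of any ISP's system: two constructed help-desk "forgot my password" flows, one over a clear-text store (the design the post worries about) and one over a salted-hash store that can only reset, so a successful impersonation is visible to the real owner at her next login.

```python
import hashlib
import hmac
import os
import secrets

# Constructed example. ClearTextStore models the "all passwords in the clear"
# design: help-desk staff can read the old password back, so the impersonator
# gets in and the owner notices nothing. HashedStore keeps only a salted
# PBKDF2 hash: staff can reset but never reveal, so the owner's own password
# stops working and she sees that something is wrong.

def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class ClearTextStore:
    def __init__(self):
        self.users = {}  # user -> clear-text password
    def set_password(self, user, password):
        self.users[user] = password
    def verify(self, user, password):
        return hmac.compare_digest(self.users[user].encode(), password.encode())
    def helpdesk_reveal(self, user):
        return self.users[user]  # the dangerous operation: nothing changes

class HashedStore:
    def __init__(self):
        self.users = {}  # user -> (salt, digest, must_change_at_next_login)
    def set_password(self, user, password, must_change=False):
        salt = os.urandom(16)
        self.users[user] = (salt, _pbkdf2(password, salt), must_change)
    def verify(self, user, password):
        salt, digest, _ = self.users[user]
        return hmac.compare_digest(digest, _pbkdf2(password, salt))
    def helpdesk_reset(self, user):
        temp = secrets.token_urlsafe(12)           # one-time temporary password
        self.set_password(user, temp, must_change=True)
        return temp
    def must_change(self, user):
        return self.users[user][2]

def simulate_impersonation(store, victim, original):
    """Constructed scenario: `original` is the victim's real password and an
    impersonator calls the help desk. Returns (impersonator_gets_in, owner_still_gets_in)."""
    store.set_password(victim, original)
    if isinstance(store, ClearTextStore):
        learned = store.helpdesk_reveal(victim)
    else:
        learned = store.helpdesk_reset(victim)
    return store.verify(victim, learned), store.verify(victim, original)
```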



-
ISN is currently hosted by Attrition.org