[Owasp-leaders] *READ THIS* OWASP eMail Account Holders

Rory McCune rorym at nmrconsult.net
Sun Nov 6 13:57:48 EST 2011


Hi All,

One thing that's worth considering for this is that the Google Apps setup
that we use supports Google's 2-factor authentication.  I've used it
for a while on some of my Gmail accounts and just set it up on the
others.  It works pretty well and isn't too much hassle to use (needs
either a mobile phone for SMS or an Android/iOS device to receive
codes).  Definitely recommended for any administrative level accounts
as well.

Cheers

Rory

On Sat, Nov 5, 2011 at 8:31 PM, Thomas Brennan <tomb at owasp.org> wrote:
> That is not it.. My bad for not providing clarification so here it goes.
>
> An administrator account was used to access and deliberately forward copies
> of other OWASP individual emails to: lglaporte at googlemail.com
>
> To date no one has claimed responsibility for this account or provided an
> answer as to why, hence likely an account compromise and compromise of the
> confidentiality of emails. (aren't you glad it's OWASP everything is "open"
> right...  ) This has been resolved and all 621 accounts and associated
> settings manually verified (or 2 glasses of Jameson 18)
>
> In addition, there are currently 621 @owasp email accounts. Many had no
> activity, never logged in and/or had a blank, default and password that have
> not been changed since inception in 2008. So change your passwords as this
> will quickly let me see what accounts are active so we can remove the
> inactive accounts in the near future.
>
> As a glutton for punishment and for the lulz I have taken over the primary
> unpaid sysop/administration of the Google Apps and have delegated user
> creation, password resets and group management to Kelly, Kate and Sarah. We
> have 1500+ members, 130 chapters and 621 @owasp associated accounts...
>
> We will continue to offer @owasp email accounts to all members and those
> that want to use them to evangelize OWASP and we will manage them
> accordingly.
>
> In other admin news we are spinning up Akamai and moving Owasp.org to
> Rackspace.  Those that have cycles are welcome to help out as part of
> the hands-on decentralized team.
>
> Now back to a family Saturday... Enjoy your weekend too.
>
>
>
> On Nov 5, 2011, at 3:29 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
> To my knowledge there is no way for an attacker to reveal/expose a
> Google password. If an attacker compromised our administration
> console, they could reset passwords or change permissions, but not
> uncover current passwords.
>
> Has anyone had their password changed unexpectedly, recently?
>
> --
> Jim Manico
> (808) 652-3805
>
> On Nov 5, 2011, at 9:07 AM, David Montero Abujas
> <david.montero at owasp.org> wrote:
>
> Same question.
>
> David Montero "Raistlin", CISA, CISM, CRISC
> OWASP Andalucia
> Chapter Leader
>
> -----Original Message-----
> From: dinis cruz <dinis.cruz at owasp.org>
> Sender: owasp-leaders-bounces at lists.owasp.org
> Date: Sat, 5 Nov 2011 19:06:39
> To: Tom Brennan<tomb at owasp.org>
> Cc: owasp-leaders at lists.owasp.org<owasp-leaders at lists.owasp.org>
> Subject: Re: [Owasp-leaders] *READ THIS* OWASP eMail Account Holders
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders