[Owasp-singapore] Company network administrator hack into employee Yahoo email mailbox

Winston.Leong at sg.ey.com Winston.Leong at sg.ey.com
Sun Aug 30 22:20:38 EDT 2009


The following could have happened:

1. The user did not log in using SSL, which leaves the username and password
unencrypted.
2. The administrator simply hijacked the session to obtain a valid login.
3. The user simply pasted his password on some post-it which can be seen.

Regards, Winston Leong
                                                                                                      
Winston Leong | Technology and Security Risk Services
Ernst & Young Risk Advisory Services Pte. Ltd
One Raffles Quay, North Tower, Level 18, Singapore 048583
Office: +65 6309 6766 | Fax: +65 6532 7662
Mobile: +65 9028 3600
Website: www.ey.com
                                                                                                      






                                                                           
Donald Ong <donald.ong at gmail.com>
Sent by: owasp-singapore-bounces at lists.owasp.org
28/08/2009 07:56 PM

To: "SIG - OWASP Singapore @MailingList" <owasp-singapore at lists.owasp.org>
cc:
Subject: [Owasp-singapore] Company network administrator hack into employee Yahoo email mailbox
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           




Hi everyone,


My friend working in another company saw his network administrator hack
into the employee Yahoo email mailbox successfully. He mentioned it was
quick and in minutes the network admin knew the password of the email
account.





Regards,
Donald


~~~~powered by Android~~~~
_______________________________________________
Owasp-singapore mailing list
Owasp-singapore at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-singapore

