[Owasp-singapore] Company network administrator hack into employee Yahoo email mailbox

FunKy chongfk98 at yahoo.com
Mon Aug 31 20:49:28 EDT 2009


Hi,

First time replying here. Just my 2 cents: I think he specifically mentioned that the Admin joined the company after the victim left the company.

If that is the case, then the Admin wouldn't have been able to hijack any session. Please correct me if I am wrong.

If there is no physical means to obtain the information (post-it notes for example =) ), then could it be possible that the company keeps a history of all information passing the gateway? I know my company keeps track of the websites that the employees visit. However, I do not know if they keep a log of additional information passed.

Also, considering that the victim 'left' the company, usually the Admin would be required to 'clean up' the workstation that the victim was using. The Admin could have tapped into the PC itself to retrieve the 'remembered' passwords. The possibilities are endless.

I am not a professional when it comes to security, just my 2 cents and someone please correct me if I am thinking in the wrong direction.

Thank you.

Regards,
Fong Kai



--- On Mon, 8/31/09, Winston.Leong at sg.ey.com <Winston.Leong at sg.ey.com> wrote:


    From: Winston.Leong at sg.ey.com <Winston.Leong at sg.ey.com>
    Subject: Re: [Owasp-singapore] Company network administrator hack into employee Yahoo email mailbox
    To: "Donald Ong" <donald.ong at gmail.com>
    Cc: "SIG - OWASP Singapore @MailingList" <owasp-singapore at lists.owasp.org>, owasp-singapore-bounces at lists.owasp.org
    Date: Monday, August 31, 2009, 3:20 AM

    The following could have happened:

    1. The user did not log in using SSL, which leaves the username and password
    unencrypted.
    2. The administrator simply hijacked the session to obtain a valid login.
    3. The user simply pasted his password on some post-it note which can be seen.

    Regards, Winston Leong

    Winston Leong | Technology and Security Risk Services
    Ernst & Young Risk Advisory Services Pte. Ltd
    One Raffles Quay, North Tower, Level 18, Singapore 048583
    Office: +65 6309 6766 | Fax: +65 6532 7662
    Mobile: +65 9028 3600
    Website: www.ey.com

    Thank you for considering the environmental impact of printing emails.






                                                                               
                 Donald Ong                                                   
                 <donald.ong at gmail                                             
                 .com>                                                      To
                 Sent by:                  "SIG - OWASP Singapore             
                 owasp-singapore-b         @MailingList"                       
                 ounces at lists.owas         <owasp-singapore at lists.owasp.org>   
                 p.org                                                      cc
                                                                               
                                                                       Subject
                 28/08/2009 07:56          [Owasp-singapore] Company network   
                 PM                        administrator hack into employee   
                                           Yahoo email mailbox                 
                                                                               
                                                                               
                                                                               
                                                                               
                                                                               
                                                                               




    Hi everyone,


    My friend working in another company saw his network administrator hack
    into an employee's Yahoo email mailbox successfully. He mentioned it was
    quick, and in minutes the network admin knew the password of the email
    account.





    Regards,
    Donald


    ~~~~powered by Android~~~~
    _______________________________________________
    Owasp-singapore mailing list
    Owasp-singapore at lists.owasp.org
    https://lists.owasp.org/mailman/listinfo/owasp-singapore







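Added example (not posted by anyone in this thread): the two mechanisms Winston lists first, an unencrypted login and a hijacked session, both come down to what an on-path observer such as a logging gateway can read. The script below parses constructed HTTP requests of the kind a proxy might have recorded and shows that a plaintext login exposes the credential form fields, a later plaintext mailbox request exposes the session cookie, and an HTTPS login exposes only the CONNECT tunnel line. The hostnames, field names, cookie names and captured requests are all invented for the example; none of it is real Yahoo traffic.

```python
"""
What a gateway or on-path observer can read from HTTP traffic.

All "captured" requests below are constructed for this example (assumed
hostnames, field names and cookie names), not real mail-provider traffic.
"""
from urllib.parse import parse_qs

# Constructed: a login form submitted over plain HTTP (Content-Length is 34).
PLAIN_HTTP_LOGIN = (
    "POST /login HTTP/1.1\r\n"
    "Host: mail.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 34\r\n"
    "\r\n"
    "login=alice&passwd=hunter2&.save=1"
)

# Constructed: a later mailbox request over plain HTTP carrying the session cookie.
PLAIN_HTTP_MAILBOX = (
    "GET /mailbox HTTP/1.1\r\n"
    "Host: mail.example.com\r\n"
    "Cookie: Y=v=1&n=abc123; T=z=sessiontoken\r\n"
    "\r\n"
)

# Constructed: the same login over HTTPS. A proxy sees only the CONNECT
# tunnel request; the form itself travels inside TLS and is unreadable here.
HTTPS_LOGIN = (
    "CONNECT mail.example.com:443 HTTP/1.1\r\n"
    "Host: mail.example.com:443\r\n"
    "\r\n"
)

# Assumed list of form field names that usually carry credentials.
CREDENTIAL_FIELDS = {"login", "user", "username", "email", "passwd", "password", "pass"}


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def extract_plaintext_credentials(raw):
    """Return {field: value} for credential-looking form fields readable in
    the clear, or None (TLS tunnel, or body that is not a URL-encoded form)."""
    method, _target, headers, body = parse_http_request(raw)
    if method == "CONNECT":
        return None
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return None
    fields = parse_qs(body, keep_blank_values=True)
    found = {k: v[0] for k, v in fields.items() if k.lower() in CREDENTIAL_FIELDS}
    return found or None


def extract_session_cookies(raw):
    """Return the Cookie header as {name: value} when it is readable in the
    clear, or None (TLS tunnel, or no Cookie header). Anyone who can read
    these can replay them and take over the session without the password."""
    method, _target, headers, _body = parse_http_request(raw)
    if method == "CONNECT" or "cookie" not in headers:
        return None
    cookies = {}
    for part in headers["cookie"].split(";"):
        name, _, value = part.strip().partition("=")
        cookies[name] = value
    return cookies or None


def scan_capture(records):
    """Run both extractors over (client_ip, raw_request) records, as a gateway
    log reviewer would, and report every secret that was readable in transit."""
    findings = []
    for client, raw in records:
        _method, _target, headers, _body = parse_http_request(raw)
        host = headers.get("host", "?")
        creds = extract_plaintext_credentials(raw)
        if creds:
            findings.append({"client": client, "host": host, "kind": "credentials", "data": creds})
        cookies = extract_session_cookies(raw)
        if cookies:
            findings.append({"client": client, "host": host, "kind": "session_cookie", "data": cookies})
    return findings


# Constructed capture: one client, three requests as recorded by a proxy.
CAPTURE = [
    ("10.0.0.12", PLAIN_HTTP_LOGIN),
    ("10.0.0.12", PLAIN_HTTP_MAILBOX),
    ("10.0.0.12", HTTPS_LOGIN),
]

if __name__ == "__main__":
    for finding in scan_capture(CAPTURE):
        print(finding)
```

The scan reports two findings for the plain-HTTP requests (the login fields and the session cookie) and nothing for the HTTPS request, which is the whole difference between the first two possibilities in the thread and an encrypted session: with TLS end to end, a gateway log or an on-path administrator gets only the destination host and port.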