[Owasp-singapore] Company network administrator hack into employee Yahoo email mailbox

Winston.Leong at sg.ey.com Winston.Leong at sg.ey.com
Mon Aug 31 23:49:43 EDT 2009


"The possibility is endless." I can't agree more.

Just to add on,
In this situation, if I am put into the position to get the account ASAP, I
would use social engineering to achieve it. One simple way is to "convince"
the (robot) administrator that you need to recover your password.

I am not sure if I should post this, but I guess it probably no longer
works anyway. One of the ways is to "craft" the email to the robot admin so
that it nicely gives you the (reset) password of the target account. It
(used) to work on many mail servers. Well, another common use of this
tactic also created a lot of "cases" for my friends in the SPF due to
hijacking of accounts in popular MMORPGs.


Regards, Winston Leong

Winston Leong | Technology and Security Risk Services
Ernst & Young Risk Advisory Services Pte. Ltd
One Raffles Quay, North Tower, Level 18, Singapore 048583
Office: +65 6309 6766 | Fax: +65 6532 7662
Mobile: +65 9028 3600
Website: www.ey.com
Thank you for considering the environmental impact of printing emails.
                                                                                                      




The information contained in this communication is intended solely for the
use of the individual or entity to whom it is addressed and others
authorized to receive it. It may contain confidential or legally privileged
information. If you are not the intended recipient you are hereby notified
that any disclosure, copying, distribution or taking any action in reliance
on the contents of this information is strictly prohibited and may be
unlawful. If you have received this communication in error, please notify
us immediately by responding to this email and then delete it from your
system. We are neither liable for the proper and complete transmission of
the information contained in this communication nor for any delay in its
receipt.

Ernst & Young LLP (UEN T08LL0859H) is an accounting limited
liability partnership registered in Singapore under the Limited Liability
Partnerships Act (Chapter 163A).

Ernst & Young Solutions LLP (UEN T08LL0784H) is a limited
liability partnership registered in Singapore under the Limited Liability
Partnerships Act (Chapter 163A).

Ernst & Young Advisory Pte. Ltd. is a company incorporated in Singapore
with UEN 198905395E.

Ernst & Young Corporate Finance Pte Ltd is a company incorporated in
Singapore with UEN 199702967E.

Ernst & Young Customs & International Trade Services Private Limited is a
company incorporated in Singapore with UEN 200206660G.


                                                                           
             FunKy                                                         
             <chongfk98 at yahoo.                                             
             com>                                                       To 
             Sent by:                  donald.ong at gmail.com                
             owasp-singapore-b                                          cc 
             ounces at lists.owas         Owasp-singapore at lists.owasp.org     
             p.org                                                 Subject 
                                       Re: [Owasp-singapore] Company       
                                       network administrator hack into     
             01/09/2009 08:49          employee Yahoo email mailbox        
             AM                                                            
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           




                                                                            
Hi,

First time replying here. Just my 2 cents, I think he specifically
mentioned that the Admin joined the company after the victim left the
company.

If that is the case, then the Admin wouldn't have been able to hijack any
session. Please correct me if I am wrong.

If there is no physical means to obtain the information (post-it notes for
example =) ), then could it be possible that the company keeps a history
of all information passing the gateway? I know my company keeps track of
the websites that the employees visit. However, I do not know if they
keep a log of additional information passed.

Also, considering that the victim 'left' the company, usually the Admin
would be required to 'clean up' the workstation that the victim was using.
The Admin could have tapped into the PC itself to retrieve the
'remembered' passwords. The possibility is endless.

I am not a professional when it comes to security, just my 2 cents and
someone please correct me if I am thinking in the wrong direction.

Thank you.

Regards,
Fong Kai

--- On Mon, 8/31/09, Winston.Leong at sg.ey.com <Winston.Leong at sg.ey.com> wrote:
                                                                            

    From: Winston.Leong at sg.ey.com <Winston.Leong at sg.ey.com>
    Subject: Re: [Owasp-singapore] Company network administrator hack into employee Yahoo email mailbox
    To: "Donald Ong" <donald.ong at gmail.com>
    Cc: "SIG - OWASP Singapore @MailingList" <owasp-singapore at lists.owasp.org>, owasp-singapore-bounces at lists.owasp.org
    Date: Monday, August 31, 2009, 3:20 AM

    The following could have happened:

    1. The user did not log in using SSL, which makes the username and
    password non-encrypted.
    2. The administrator simply hijacked the session to obtain a valid
    login.
    3. The user simply pasted his password on some post-it which can be
    seen.

    Regards, Winston Leong
    From: Donald Ong <donald.ong at gmail.com>
    Sent by: owasp-singapore-bounces at lists.owasp.org
    To: "SIG - OWASP Singapore @MailingList" <owasp-singapore at lists.owasp.org>
    Date: 28/08/2009 07:56 PM
    Subject: [Owasp-singapore] Company network administrator hack into employee Yahoo email mailbox

                                                                            
    Hi everyone,

    My friend working in another company saw his network administrator hack
    into the employee's Yahoo email mailbox successfully. He mentioned it was
    quick and in minutes the network admin knew the password of the email
    account.

    Regards,
    Donald
                                                                            
                                                                            


_______________________________________________
Owasp-singapore mailing list
Owasp-singapore at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-singapore
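Winston's first point (a login without SSL exposes the username and password to anyone on the path, including the gateway) and Fong Kai's question about whether the gateway keeps a history of what passes through it suggest a defender-side check. The following Python is an added example, not code from anyone in this thread: it scans constructed proxy records in an assumed format (timestamp, client, method, URL, form field names only, never values) and flags form logins submitted over plain http, so the administrator can enforce HTTPS for webmail or warn the affected users. All hostnames and addresses are constructed.

```python
"""Flag credential submissions that crossed an egress proxy in cleartext.

Assumed record format (constructed for this example):
    <timestamp> <client-ip> <method> <url> <comma-separated form field names | ->
A gateway that keeps field names but not values is enough to run this check.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: one webmail login over http, one over https, one
# non-login POST, one login to an internal webmail host over http.
SAMPLE_LOG = """\
2009-08-28T19:56:01 10.0.3.17 POST http://login.webmail.example/config/login login,passwd,.persistent
2009-08-28T19:56:20 10.0.3.17 GET http://login.webmail.example/dc/launch -
2009-08-28T19:57:05 10.0.3.22 POST https://login.webmail.example/config/login login,passwd
2009-08-28T19:58:40 10.0.3.41 POST http://intranet.example/wiki/edit title,body
2009-08-28T19:59:12 10.0.3.41 POST http://mail.example.net/auth username,password,remember
"""

# Field names that indicate a password is in the request body.
CREDENTIAL_FIELDS = re.compile(r"^(pass(wd|word)?|pwd|secret)$", re.IGNORECASE)
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\w+)://([^/\s]+)(\S*) (\S+)$")


@dataclass(frozen=True)
class Finding:
    when: str
    client: str
    host: str
    path: str
    fields: Tuple[str, ...]  # names only; values are never logged or kept


def parse(line: str) -> Optional[tuple]:
    """Split one record; return None for lines that do not match the format."""
    m = LINE.match(line)
    if not m:
        return None
    ts, client, method, scheme, host, path, fields = m.groups()
    names = () if fields == "-" else tuple(fields.split(","))
    return ts, client, method.upper(), scheme.lower(), host, path or "/", names


def cleartext_logins(log: str) -> List[Finding]:
    """Return every POST over plain http whose form carries a password field."""
    findings: List[Finding] = []
    for line in log.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, client, method, scheme, host, path, names = rec
        if method != "POST" or scheme != "http":
            continue  # https logins and plain page loads are not the problem
        if any(CREDENTIAL_FIELDS.match(n) for n in names):
            findings.append(Finding(ts, client, host, path, names))
    return findings


if __name__ == "__main__":
    for f in cleartext_logins(SAMPLE_LOG):
        print(f"{f.when} {f.client} sent a password in cleartext to {f.host}{f.path}")
```

On the sample this reports the two http logins (the https one and the wiki edit are ignored); in production the same rule belongs in the proxy policy as a block or redirect to https, with this scan as the audit of what already went through.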