[Owasp-singapore] Company network administrator hack into employee Yahoo email mailbox

Winston.Leong at sg.ey.com Winston.Leong at sg.ey.com
Tue Sep 1 01:43:35 EDT 2009


Using the same password is a HIGH possibility. Ask around, I am sure most
of us are guilty to some extent.
However, I want to point out that what the admin is doing is probably in
some grey area or already considered illegal. The company has every right
to investigate the corporate email etc., but hacking into the employee's
personal email would probably be very hard to justify, especially if it is
done without the knowledge of the ex-employee.

Regards, Winston Leong

Winston Leong | Technology and Security Risk Services
Ernst & Young Risk Advisory Services Pte. Ltd
One Raffles Quay, North Tower, Level 18, Singapore 048583
Office: +65 6309 6766 | Fax: +65 6532 7662
Mobile: +65 9028 3600
Website: www.ey.com
Thank you for considering the environmental impact of printing emails.




The information contained in this communication is intended solely for the
use of the individual or entity to whom it is addressed and others
authorized to receive it. It may contain confidential or legally privileged
information. If you are not the intended recipient you are hereby notified
that any disclosure, copying, distribution or taking any action in reliance
on the contents of this information is strictly prohibited and may be
unlawful. If you have received this communication in error, please notify
us immediately by responding to this email and then delete it from your
system. We are neither liable for the proper and complete transmission of
the information contained in this communication nor for any delay in its
receipt.

Ernst & Young LLP (UEN T08LL0859H) is an accounting limited
liability partnership registered in Singapore under the Limited Liability
Partnerships Act (Chapter 163A).

Ernst & Young Solutions LLP (UEN T08LL0784H) is a limited
liability partnership registered in Singapore under the Limited Liability
Partnerships Act (Chapter 163A).

Ernst & Young Advisory Pte. Ltd. is a company incorporated in Singapore
with UEN 198905395E.

Ernst & Young Corporate Finance Pte Ltd is a company incorporated in
Singapore with UEN 199702967E.

Ernst & Young Customs & International Trade Services Private Limited is a
company incorporated in Singapore with UEN 200206660G.


                                                                           
From: Donald Ong <donald.ong at gmail.com>
Sent by: owasp-singapore-bounces at lists.owasp.org
To: Winston.Leong at sg.ey.com
Cc: Owasp-singapore at lists.owasp.org, owasp-singapore-bounces at lists.owasp.org
Date: 01/09/2009 01:17 PM
Subject: Re: [Owasp-singapore] Company network administrator hack into employee Yahoo email mailbox




Hi Fong Kai,

Yes, you are right. The network admin joined the company one week after
the employee left the company. It would be quite impossible to hijack the
user session since they had not even met before. My friend told me the
network admin was tasked to carry out an investigation on the ex-employee
on any unauthorized email sent to his personal email.

Could it be possible that the network admin had the employee's Windows domain
password, and then found the domain password works for his Yahoo email
account? I believe most people would use the same password for most
of their email accounts.

---
Hi all,

Yup, I also agree the possibility is endless. It is scary for the company
to be able to hack into the employee's personal email because he/she has
accessed it before on the company network. Does the company network log
such sensitive information in the network traffic? Can any network admin
comment on this? Is it even possible to find the user's email and password
in the network log even if it is SSL encrypted?

Recently, I found a YouTube clip on hacking into someone's Yahoo email
account using the profile view method via Yahoo Messenger. I wonder if this
clip is something real or a fake. Has anyone come across this clip before? Is
it real?

It seems to be becoming very real that accessing personal email via the
company network is dangerous and insecure even if the site is SSL
encrypted. One would never know if someone is watching his/her network
access without his/her knowledge.


Regards,
Donald


On Tue, Sep 1, 2009 at 11:49 AM, <Winston.Leong at sg.ey.com> wrote:
  "The possibility is endless." I can't agree more.

  Just to add on,
  In this situation, if I am put into the position to get the account ASAP, I
  would use social engineering to achieve it. One simple way is to "convince"
  the (robot) administrator that you need to recover your password.

  I am not sure if I should post this, but I guess it probably no longer
  works anyway. One of the ways was to "craft" the email to the robot admin so
  that it nicely gives you the (reset) password of the target account. It
  (used) to work on many mail servers. Well, another common use of this
  tactic also created a lot of "cases" for my friends in the SPF due to
  hijacking of accounts in popular MMORPGs.


  Regards, Winston Leong









   From: FunKy <chongfk98 at yahoo.com>
   Sent by: owasp-singapore-bounces at lists.owasp.org
   To: donald.ong at gmail.com
   Cc: Owasp-singapore at lists.owasp.org
   Date: 01/09/2009 08:49 AM
   Subject: Re: [Owasp-singapore] Company network administrator hack into employee Yahoo email mailbox

   Hi,

   First time replying here. Just my 2 cents, I think he specifically
   mentioned that the Admin joined the company after the victim left the
   company.

   If that is the case, then the Admin wouldn't have been able to hijack any
   session. Please correct me if I am wrong.

   If there is no physical means to obtain the information (post-it notes for
   example =) ), then could it be possible that the company keeps a history
   of all information passing through the gateway? I know my company keeps
   track of the websites that the employees visit. However, I do not know if
   they keep a log of additional information passed.

   Also, considering that the victim 'left' the company, usually the Admin
   would be required to 'clean up' the workstation that the victim was using.
   The Admin could have tapped into the PC itself to retrieve the
   'remembered' passwords. The possibility is endless.

   I am not a professional when it comes to security, just my 2 cents, and
   someone please correct me if I am thinking in the wrong direction.

   Thank you.

   Regards,
   Fong Kai



   --- On Mon, 8/31/09, Winston.Leong at sg.ey.com <Winston.Leong at sg.ey.com>
   wrote:

      From: Winston.Leong at sg.ey.com <Winston.Leong at sg.ey.com>
      Subject: Re: [Owasp-singapore] Company network administrator hack into employee Yahoo email mailbox
      To: "Donald Ong" <donald.ong at gmail.com>
      Cc: "SIG - OWASP Singapore @MailingList" <owasp-singapore at lists.owasp.org>, owasp-singapore-bounces at lists.owasp.org
      Date: Monday, August 31, 2009, 3:20 AM

      The following could have happened:

      1. The user did not log in using SSL, which leaves the username and
      password unencrypted.
      2. The administrator simply hijacked the session to obtain a valid login.
      3. The user simply pasted his password on some post-it which can be seen.

      Regards, Winston Leong









      From: Donald Ong <donald.ong at gmail.com>
      Sent by: owasp-singapore-bounces at lists.owasp.org
      To: "SIG - OWASP Singapore @MailingList" <owasp-singapore at lists.owasp.org>
      Date: 28/08/2009 07:56 PM
      Subject: [Owasp-singapore] Company network administrator hack into employee Yahoo email mailbox

      Hi everyone,

      My friend working in another company saw his network administrator hack
      into the employee's Yahoo email mailbox successfully. He mentioned it was
      quick, and in minutes the network admin knew the password of the email
      account.

      Regards,
      Donald


      ~~~~powered by Android~~~~




_______________________________________________
Owasp-singapore mailing list
Owasp-singapore at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-singapore
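The thread asks whether a gateway log can give up a user's email and password, and Winston's list separates a login without SSL from one with it. The following Python is an added example, not part of the thread and not any participant's code: it runs a small parser over two constructed captures, a plaintext HTTP form login and the TLS ClientHello that an https login would begin with, and returns what each one leaks. For plaintext HTTP the form fields (and any Authorization: Basic header) come out in the clear; for TLS only the server_name (SNI) hostname is visible and the credentials stay inside the encrypted application data. The hostname webmail.example.com, the form field names and the credentials are assumptions made up for the sample.

```python
import base64
import re
import struct
from urllib.parse import parse_qs, urlsplit

# Form field names commonly used for credentials on webmail login pages.
# Assumed list for this example, not taken from any real site.
CRED_FIELDS = {"login", "username", "user", "email", "passwd", "password", "pass"}

REQUEST_LINE = re.compile(r"^(GET|POST) (\S+) HTTP/1\.[01]$")


def extract_plaintext_credentials(raw: bytes):
    """Return {'host', 'path', 'credentials'} if RAW is a plaintext HTTP request
    carrying credentials (form fields or Basic auth), else None. This is what a
    gateway that logs full requests sees for a login made without SSL."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    method, target = m.group(1), m.group(2)
    headers = {k.strip().lower(): v.strip()
               for k, v in (line.split(":", 1) for line in lines[1:] if ":" in line)}
    # Credentials may travel in a POST body, in a GET query string, or in an
    # Authorization: Basic header; all three are recoverable from a log.
    query = body.decode("latin-1") if method == "POST" else urlsplit(target).query
    found = {k: v[0] for k, v in parse_qs(query).items() if k.lower() in CRED_FIELDS}
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        user, _, pw = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
        found.update({"user": user, "password": pw})
    if not found:
        return None
    return {"host": headers.get("host", ""), "path": target, "credentials": found}


def extract_tls_sni(raw: bytes):
    """Return the server_name from a TLS ClientHello record, or None. For an
    SSL/TLS login this hostname is all the network log reveals; the login form
    itself is inside the encrypted application data that follows."""
    # record header (5) + handshake header (4) + version (2) + random (32) = 43
    if len(raw) < 43 or raw[0] != 0x16 or raw[5] != 0x01:
        return None
    pos = 43
    pos += 1 + raw[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", raw[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + raw[pos]                                   # compression_methods
    if pos + 2 > len(raw):
        return None                                       # no extensions block
    end = pos + 2 + struct.unpack("!H", raw[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", raw[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:                            # server_name extension
            name_type = raw[pos + 2]                      # after 2-byte list length
            name_len = struct.unpack("!H", raw[pos + 3:pos + 5])[0]
            if name_type == 0:                            # host_name
                return raw[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += ext_len
    return None


def inspect_capture(raw: bytes):
    """Summarise what a gateway log of this TCP payload gives an admin."""
    sni = extract_tls_sni(raw)
    if sni is not None:
        return {"protocol": "tls", "host": sni, "credentials": None}
    http = extract_plaintext_credentials(raw)
    if http is not None:
        return {"protocol": "http", "host": http["host"], "credentials": http["credentials"]}
    return {"protocol": "unknown", "host": None, "credentials": None}


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello carrying an SNI extension (constructed sample)."""
    host = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host          # host_name entry
    sni_data = struct.pack("!H", len(entry)) + entry               # server_name_list
    ext = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data
    body = (b"\x03\x03" + b"\x00" * 32                             # version, random (zeroed)
            + b"\x00"                                              # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"                   # one cipher suite
            + b"\x01\x00"                                          # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: a plaintext form login, and the ClientHello an https login
# to the same (made-up) host would start with instead.
_FORM = b"login=donald.example&passwd=Winter2009"
SAMPLE_HTTP_LOGIN = (b"POST /config/login HTTP/1.1\r\n"
                     b"Host: webmail.example.com\r\n"
                     b"Content-Type: application/x-www-form-urlencoded\r\n"
                     b"Content-Length: " + str(len(_FORM)).encode() + b"\r\n\r\n" + _FORM)
SAMPLE_TLS_HELLO = build_client_hello("webmail.example.com")

if __name__ == "__main__":
    for name, pkt in (("http", SAMPLE_HTTP_LOGIN), ("tls", SAMPLE_TLS_HELLO)):
        print(name, inspect_capture(pkt))
```

Two caveats for the case in the thread. First, the TLS result above holds only when the browser talks to the mail provider directly; a corporate proxy that terminates TLS with a certificate the workstation trusts sees the form fields exactly as in the HTTP case. Second, a log that shows only the hostname still tells an investigator that the account was accessed from that machine, which is enough to go looking for saved browser passwords or a reused domain password, as Fong Kai and Donald suggest.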