
| Subject: | Re: [Full-disclosure] Re:multi billion dollar corporation hasnt blah blah |
|---|---|
| Date: | Mon, 28 Aug 2006 21:55:06 +0200 |
Oh, something almost comprehensible from a surprising source.
However, I think you need some ABC in corporate security.
Oh, the horror. The flaw allows you to read the victim's status message.
This means telephone numbers.... etc.... whatever the victim adds to their status message is disclosed.
In short, you can read your victims ignore list. This is very useful to launch attacks with.
Usually when the victim removes you from their list and adds you to their ignore list, their online status goes offline forever.
However, if the attacker goes to http://manage.members.yahoo.com/index_listprofiles.html and creates a secondary yahoo i.d on the same account, and the attacker logs back into yahoo messenger on the new second yahoo i.d on the same account, then everyone who ignored you reappears as online with telephone numbers, corporate links....corporate info that's in the employee's status message.
you can use this to
detect all your yahoo i.d's a person has ignored
read someones status message with confidential info
Why in the world would anyone put 'confidential' information in their status? On an Internet wide service?
If any corporation anywhere allows their employees to use yahoo for corporate use they're so deep in the yoghurt that this is the smallest of their issues.
this has been vulnerable for years and years
yahoo are well aware of it
And so is anyone engaged in corporate security. Many companies use various 'messenger' software internally, but only on secure corporate nets, against secure corporate servers. Connecting to any form of external platform is 1, against corporate policy, 2, denied by firewalls and proxies.
You can of course bypass that, but that is equal to industrial sabotage and leads to 1, you're fired, 2, you're sued for damage.
There's tons of security issues with every online 'community' service. But they're personal security issues, not a corporate security issue.
And as stated, if an issue like this would ever touch corporate security then that corporation is so deep in yoghurt that this would be the least of the problems.
-- // hdw
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/