Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-disclosure] Re:multi billion dollar corporation hasnt blah bla

from [Jeb Bush] Network Security [Permanent Link]
Subject: Re: [Full-disclosure] Re:multi billion dollar corporation hasnt blah blah
Date: Mon, 28 Aug 2006 22:04:21 +0100
On 8/28/06, Anders B Jansson <hdw@kallisti.se> wrote: 
Oh, something almost comprehensible from a surprising source.

However, I think you need some ABC in corporate security.

Jeb Bush wrote:
> The flaw allows you to read the victim's status message.
>
> This means telephone numbers.... etc.... whatever the victim adds to
> their status message is disclosed.
Oh, the horror.
>
> In short, you can read your victims ignore list. This is very useful
> to launch attacks with.
>
> Usually when the victim removes you from their list and adds you to
> their ignore list, their online status goes offline forever.
>
> However, if attacker goes to
> http://manage.members.yahoo.com/index_listprofiles.html and create a
> secondry yahoo i.d on the same account and the attacker logs back into
> yahoo messenger on the new second yahoo i.d on the same account, then
> everyone who ignored you reappears as online with telephone numbers,
> corporate links....corporate info thats in the employees status
> message.
>
> you can use this to
>
> detect all your yahoo i.d's a person has ignore
>
> read someones status message with confidential info
Why in the world would anyone put 'confidential' information in their status?
On an Internet wide service?


you tell me i don't admin/decide corporate policy for yahoo, or tell
yahoo's employees where to chat or which application they use, but
this is whats going on. i've seen it with my own eyes over a prolonged
period, as in ever since yahoo has been around. i'm friends with yahoo
employees... some talk to me....some put me on ignore, therefore this
flaw comes in handy.


If any corporation anywhere allows their employees to use yahoo for 
corporate use they soo deep in the yoghurt that this is the smallest of their 
issues.

> this has been vulnerable for years and years
>
> yahoo are well aware of it
And so is anyone engaged in corporate security.
Many companies use various 'messenger' software internally, but only on secure 
corporate nets, against secure corporate servers.
Connecting to any form of external platform is 1, against corporate policy, 2, 
denied by firewalls and proxies.


yahoo employees use the standard yahoo messenger (without
encryption)...there is no alternative available to yahoo employees
"officially"....to communicate business and personal information
across the www. they use the same standard yahoo messenger for
employee-to-employee chats too, the same bog standard yahoo messenger
without encryption is used.


There's tons of security issues with every online 'communtity' service.
But they're personal security issues, not a corporate security issue.


oh this one is very much a corporate security issue


And as stated, if an issue like this would ever touch corporate security than that corporation is soo deep in yoghurt that this would be the least of the problems. 

thats yahoo.

this isn't theory chat i was talking, this is actual *experience*
talking from actual situations that have arisen with this flaw.

you can't say its not a corporate issue, when it is and continues to be...

when i say things i *mean* them... it doesn't mean *corporate info
could be taken, i'm saying *corporate info has been taken, and
continues to be taken*

yes its sloppy yahoo employees use the bog standard messenger, yes its
sloppy they put corporate info on their status messages.... but thats
yahoo.

fix the flaw, fix the security...one step to a more secure instant
messenger....for everyone....not just yahoo employees.

of course, you can use eavesdropping software to spy on yahoo
employees via yahoo messenger if you want to widen the scope of
things... but that doesn't say this flaw should be left to fester for
many more years... especially now where yahoo messenger team have just
introduced voice over internet protocol to its messenger... and yahoo
employees are using this as well to communiate on the bog standard
yahoo messenger without encrpytion.

this opens up a can of worms...way beyond the intial flaw i was
talking about, but yahoo's actual policy on yahoo employees and the
tools they use to communicate and the lack of encryption and the high
accessability for hackers to eaves drop.

-Jeb

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Full-disclosure] Re: Re: George Bush appoints a 9 year old to be the chairperson of the Information Security Deportment, Paul Schmehl
Next by Date:  Re: [Full-disclosure] Re: Re: George Bush appoints a 9 year old to be the chairperson of the Information Security Deportment, Peter Besenbruch
Previous by Thread:  Re: [Full-disclosure] Re:multi billion dollar corporation hasnt blah blah, Anders B Jansson
Next by Thread:  [Full-disclosure] [vuln.sg] Cybozu Products Arbitrary File Retrieval Vulnerability, TAN Chew Keong
Indexes:  [Date] [Thread] [Top] [All Lists]