Network Security Incidents

Re: Re: Discovering and Stopping Phishing/Scam Attacks

Subject: Re: Re: Discovering and Stopping Phishing/Scam Attacks
Date: Wed, 27 Apr 2005 21:01:27 -0400 (EDT)

I sent a rant about this same sort of topic revolving around an incident with
Hushmail where they MISLED their users. Thought the list would find some
humor/insight in it.

Original email from Hush can be seen at:
http://lists.jammed.com/ISN/2005/04/0103.html

---------- Forwarded message ----------

On Tue, 26 Apr 2005, xxxxxxxxxxxxxxxxxxxxxxx wrote:

There was no unauthorized access to any of the Hush servers.  Data
managed by Hush was not compromised.  During this period, however,
some users were unable to log in to their email accounts, and email
sent to Hushmail Business domains may not have been delivered.

Such a misleading statement from Hushmail when all one has to do is
consider the following... Attacker redirects users to a complete mimic of
the Hushmail website. All that would be necessary to compromise Hushmail
users' information would be a form that would take a username and password
and store it to file for later use. Talk about phishing!

Imagine the scenario of someone mimicking let's say Citibank to the wire.
Attacker redirects users for say 4 hours. That's a hell of a lot of time
to capture data for later use, wouldn't you think?

I sometimes ponder how long would it be before let's say a rogue company
pops up out of the blue, performs an attack like this let's say once per
month for about an hour. Takes a year to capture data, then say files for
bankruptcy because they managed to get enough information to do whatever
they'd like to with that information.

SCENARIO: SampleSales.com which is a small ISP pops up and for one hour
per month for one year captures data for sites like say, Amazon, Ebay,
Citigroup, etc.. SampleSales.com closes shop never to be heard of again...
One year later, based on the traffic going to these sites, SampleSales.com
was able to phish out about 100,000 records. What could they do with this?
Well, they could card their sleazy little lives away to oblivion ordering
things to resell on Ebay, they could sell information on the people ala
identity theft, they could blackmail cheating scumbag spouses who say
called escort agencies and things of that sleazy nature... Hell the
possibilities are endless.

For Hushmail to mislead their users by saying nothing was compromised is
rather misleading considering Hushmail has no idea of what exactly
happened other than DNS poisoning. For them to make a public statement
showing the IP addresses of their machines as if it makes a difference, as
if people are actually going to say, "Gee Mable, is this really Hushmail,
let me do an nslookup first Ma!" is bananas.

Even if someone did, imagine that DNS poison combined with some silly
little worm that did some moronic:

Ala Wintrash
echo "HUSHMAILS.IP.ADDRESS      BOGUS.ADDRESS.COM" >> C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS

Ala Pwnix
echo "GOOD.IP   BAD.IP" >> /etc/hosts




=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x0D99C05C
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0D99C05C

sil @ infiltrated . net http://www.infiltrated.net

"How a man plays the game shows something of his
character - how he loses shows all" - Mr. Luckey
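
The hosts-file tampering mentioned in the message above can be checked for from the defender's side. The following is an added example, not part of the original post: it parses hosts-file text and reports any local entry that pins a watched domain to an address. The watch list, function names and sample file content are assumptions constructed for illustration.

```python
import ipaddress

# Assumed watch list: names that should never be overridden in a local hosts file.
WATCHED = {"hushmail.com", "citibank.com"}

# Constructed sample hosts-file content (documentation address ranges), not real data.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
::1             localhost ip6-localhost
203.0.113.7     www.hushmail.com hushmail.com   # appended by unknown process
198.51.100.9    WWW.CITIBANK.COM.
192.0.2.10      intranet.example.test
not-an-ip       hushmail.com
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every well-formed mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0].split("%", 1)[0])  # strip IPv6 zone id
        except ValueError:
            continue  # first field is not an IP address, so this is not a mapping
        for name in fields[1:]:                 # one line may carry several aliases
            yield line_no, str(ip), name.lower().rstrip(".")

def is_watched(hostname, watched=WATCHED):
    """True if hostname equals a watched domain or is a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)

def audit_hosts(text, watched=WATCHED):
    """Return the mappings that override name resolution for watched domains."""
    return [(n, ip, h) for n, ip, h in parse_hosts(text) if is_watched(h, watched)]

if __name__ == "__main__":
    import sys
    # Audit the file given on the command line, or the constructed sample if none.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for n, ip, h in audit_hosts(text):
        print(f"line {n}: {h} pinned to {ip}")
```

Any hit is worth investigating, since legitimate software rarely pins webmail or banking names in the hosts file. This check covers only the local override, not a poisoned upstream resolver.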

