Tuesday, April 03, 2007

You just have to hope it isn't really true...

Sometimes you read something and just think to yourself "this cannot really have happened". But in the back of your head, you just know "of course it did".

Unique passwords system-wide. Stored in clear text. Used as primary/foreign keys even (a password??!?!). Massive update cascade problems - just to change your password. Never mind that once you know passwords must be unique and that you get an error message to the effect of "that password is already in use", the uniqueness check itself confirms which passwords are live, and you can start building a dictionary to attack with pretty easily.
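As an added illustration (not from the original post, and not any real system's schema), here is a constructed SQLite toy that puts the design described above next to the conventional fix: a surrogate key, a salted PBKDF2 hash, and no uniqueness constraint on the secret. The table names, usernames and passwords are made up for the demo.

```python
import hashlib, hmac, os, sqlite3

# Constructed toy schema reproducing the design the post describes: the
# clear-text password is the primary key and a foreign key cascades from it.
BAD_SCHEMA = """
CREATE TABLE users (password TEXT PRIMARY KEY, username TEXT NOT NULL);
CREATE TABLE sessions (id INTEGER PRIMARY KEY, password TEXT NOT NULL
    REFERENCES users(password) ON UPDATE CASCADE);
"""
# Corrected design: surrogate key, salted PBKDF2 hash, no uniqueness on the secret.
GOOD_SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL,
    salt BLOB NOT NULL, pw_hash BLOB NOT NULL);
"""

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def bad_register(conn, username, password):
    """Returns None on success, or the error text that confirms a live password."""
    try:
        conn.execute("INSERT INTO users VALUES (?, ?)", (password, username))
        return None
    except sqlite3.IntegrityError:
        return "that password is already in use"

def good_register(conn, username, password):
    salt = os.urandom(16)  # per-user salt: equal passwords never collide in storage
    conn.execute("INSERT INTO users(username, salt, pw_hash) VALUES (?, ?, ?)",
                 (username, salt, hash_password(password, salt)))

def good_verify(conn, username, password):
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row is not None and hmac.compare_digest(hash_password(password, row[0]), row[1])

def demo():
    bad = sqlite3.connect(":memory:")
    bad.execute("PRAGMA foreign_keys = ON")
    bad.executescript(BAD_SCHEMA)
    bad_register(bad, "alice", "letmein")
    bad.execute("INSERT INTO sessions(password) VALUES ('letmein')")
    leak = bad_register(bad, "bob", "letmein")   # uniqueness check leaks alice's secret
    bad.execute("UPDATE users SET password = 'n3w' WHERE username = 'alice'")
    cascaded = bad.execute("SELECT password FROM sessions").fetchone()[0]  # rewritten too
    good = sqlite3.connect(":memory:")
    good.executescript(GOOD_SCHEMA)
    good_register(good, "alice", "letmein")
    good_register(good, "bob", "letmein")        # same password, no error, nothing leaked
    return leak, cascaded, good_verify(good, "bob", "letmein"), good_verify(good, "bob", "nope")
```

In the toy, the second registration against the bad schema fails with the telling error, and changing one password rewrites the dependent row; in the corrected schema two users sharing a password is unremarkable and only the per-user hash row would change.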

You probably cannot make that story up :)

On another note

Here is an interesting approach to phishing. Instead of trying to "trick" me out of money, this fellow is just asking me for some, very politely and all - but still. Does this stuff actually work? I mean - who would actually give them something. I have to think that someone smart enough to initiate an electronic payment like that would be/should be smart enough to just say "no" :)

Good day to you.

I work in a telecommunication company and, to be specific, I work as an information system auditor in the company.

I am a holder of certificates in the field of Information Technology and Accounting. I have registered for the CISA examination (Certified Information System Auditor). A friend of mine living in the US has assisted me by sending a total of 390 dollars into the CISA account due to the difficulty faced in my country in sending money out of the country. It is not easy sending money out of the country. I am expected to send 480 dollars. It means I have a balance of 90 dollars to send to CISA in the US. The deadline for the payment is 11th of April. Please I will be glad if I could be assisted by you paying in 90 dollars into the account. The bank name: Lasalle National Bank Chicago, Illinois USA. ABA numb. 000000000. ISACA a/c 00-0000-00. SWIFT code: XXX0000X. My ID: 00000000. The three names are, XXXXXXXXX. I will be glad to hear from you even if it will not be possible for you to send so that I can look for another alternative.

Anonymous Anonymous said....

Maybe some one made this up for April 1st?

Tue Apr 03, 02:40:00 PM EDT  

Blogger Kim Anthonisen said....

Maybe they are fishing for active email accounts. So in case you are polite and answer, next you know, your mailbox explodes with spam mails?

Tue Apr 03, 02:47:00 PM EDT  

Anonymous RobH said....

you can start building a dictionary to attack with pretty easily.

You just ruined my master plan, I was SO close.


Tue Apr 03, 03:14:00 PM EDT  

Blogger Pete_S said....

All they needed to do was to swap the labels for user name and password on the web form ;-)

Tue Apr 03, 03:32:00 PM EDT  

Anonymous Anonymous said....

I used to have an account with Morgan Stanley.

I signed up for online access to my financial accounts.

They mailed me a text version of my password.

I have cancelled my account.

Tue Apr 03, 05:27:00 PM EDT  

Blogger Noons said....

It's amazing how most security break methods are so simple. One springs to mind: run a net sniffer in your LAN at work. Try it.

There is one included with the default distro of just about any Linux flavour.

Last time I did it, there were all the Oracle logon passwords for the world to see.

Password encryption during authentication should be a default, not an option!

and so on....

Tue Apr 03, 05:45:00 PM EDT  

Anonymous Tom Fox said....

Noons said....

It's amazing how most security break methods are so simple. One springs to mind: run a net sniffer in your LAN at work. Try it.

There is one included with the default distro of just about any Linux flavour.


It depends on how your network is configured. If each workstation has its own link to a switch, and the switch is configured properly so that no workstation is on either a trunk port or a monitor port, you will not be able to see other nodes' traffic.

This is because the switch filters the traffic so that only the destination node receives the packet.

However, if you run the network sniffer directly on the database server, you'll see all traffic destined to it. If you are plugged directly into a switch, can see everyone's traffic, and you're not on an IDS machine, you have a misconfigured switch.

Tue Apr 03, 07:15:00 PM EDT  

Blogger Bryan said....

This comment has been removed by the author.

Tue Apr 03, 09:37:00 PM EDT  

Blogger Bryan said....


Maybe the reason you cannot change your email address on the OTN forums is that it is used for the PK?

Makes you wonder...

Tue Apr 03, 09:38:00 PM EDT  

Anonymous Anonymous said....

...massive cascade issue -- you mean like the fact that all the encrypted user passwords in EBS (FND_USER) need to be re-computed when the APPS schema password changes because the latter is hashed into the reversible encryption scheme? :-)

Wed Apr 04, 12:27:00 AM EDT  

Anonymous Uday said....

This stuff actually works.

Yesterday I was listening on NPR about a scam similar to this (Nigeria - help me transfer a huge amount of money etc). The NPR report was on a Nigerian policeman who was able to recover $750 million (yes, that's a huge amount!). The money is returned to the ones who transferred it.

Listen to this audio (8min):

Wed Apr 04, 03:42:00 PM EDT  

Anonymous Shari said....

As hard as it is to believe people still fall for the Nigerian scams, they do. And, the scams don't just arrive by email. Try posting an ad for a roommate on Craigslist - you'll get people who will respond with a version of the Nigerian scam - they'll give you a deposit for more than you asked, asking you to wire the difference to them. After you wire the difference you find out the check they sent bounced and you're out the money.

And, if you've watched Dateline's "To Catch an Identity Thief" you find out yet another way they are scamming people - by posting on dating sites and luring someone in with promises of marriage, meanwhile having you, the victim, participate in their identity theft ring.

People have got to stop being duped.

Safety Tips 411

Thu Apr 05, 02:29:00 PM EDT  
