Message-ID: <eds641$c6a$1@sea.gmane.org>
Date: Fri, 8 Sep 2006 17:35:13 +0100
From: "Dave \"No, not that one\" Korn" <davek_throwaway@...mail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: HP execs phone hack - SSNs *still* not secure for authentication
Haven't seen this mentioned before, but it's part of AT&T's explanation of
how a PI was able to falsely obtain the phone records of Thomas J. Perkins,
the board member who resigned over the illegal investigation:
http://www.thesmokinggun.com/archive/0905061hp3.html
[transcribed by me from the jpg, any typos are my fault]
"First, with respect to your "local" residential telephone account with
the former SBC (now AT&T), an online account was established on January 30,
2006. [ ... ] The person registering the online account did so through the
Internet and provided your telephone number and the last four digits of your
Social Security Number to identify himself/herself as the authorized account
holder. We have no way of determining how the person obtained this Social
Security Number information."
How many more times are we going to see this exact same mistake over and
over again? SSNs are not secure and they are not proof of authority or
identity. AT&T have now locked the online account facility for Mr. Perkins.
That leaves .. let me see... every single customer except one still
vulnerable to having their accounts stolen in this way.
AT&T should disable this facility at once and not bring it back online
until it is secured.
cheers,
DaveK
--
Can't think of a witty .sigline today....