[clug] Hack attack on University of East Anglia's Climatic Research Unit
Lana Brindley
lanabrindley at gmail.com
Mon Nov 23 00:29:35 MST 2009
2009/11/23 Steve Walsh <steve at nerdvana.org.au>:
>
> On 11/21/2009 05:07 PM, Daniel Pittman wrote:
>>
>> Nope. It is pretty much impossible to know without access to the
>> technical
>> details from the site.
>>
>> If you are looking for a general lesson to take home, the most commonly
>> disclosed causes of attacks like this are:
>>
>> 1. Someone uses the same username and password for their corporate or
>> University login that they do for a low-value online site, and someone
>> obtains those credentials.
>>
>> 2. Someone uses a weak password, full stop.
>>
>> 3. Someone didn't keep patches up to date, so a three year old
>> vulnerability
>> got exploited for the attacker to get in.
>>
>
> or
>
> 4. Someone got phished with the "please update your webmail records" email,
> and they just logged in and got what they needed that way.
>
> Not every hack requires bad username/password policy or lack of patch plan,
> the old ways are still the best (Hi, Sylvia, it's Chris from the helpdesk.
> I'm updating records, and the details I have for your username and password
> don't match, can I get them again? Ok, so it's sysmith, yep, got that and
> the password is...? RodgerDodger78? Oh, ok, I see what happened, we had 87.
> thanks! )
>
Otherwise known as the "Kevin Mitnick school of hacking and other
social engineering trickery".
There's a lot to be learned from that guy for any organisation that
thinks their information is safe.
L
--
Cheers! Lana
Whatever women do they must do twice as well as men to be thought half
as good. Luckily this is not difficult.
- Charlotte Whitton
-----------------------------------------------
http://lanabrindley.blogspot.com
-----------------------------------------------
Please avoid sending me Word, Powerpoint or Windows Media attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html for more information.
------------------------------------------------
More information about the linux
mailing list