I just read a terrific (geeky) article,
The Anatomy Of The Twitter Attack, about how one hacker got hold of piles of confidential information from the entire Twitter company in a fairly simple way. It is a technical read, but it seems to me the conclusions will interest a lot of people.
So, five steps:
1) Take the personal mailbox (on Gmail) of a not especially paranoid employee and click the "forgot password" button. The password recovery system sends a one-time link to the secondary address ***@h***.
2) Guess that this address is (what a miracle!) on hotmail.com, and that the account
no longer exists and is free to register. Naturally, we register it and get access to the first mailbox on Gmail.
3) Now we have to thank the services that send you your password in the clear after registration, since those e-mails are now in our hands (that is, we are inside the victim's mailbox). Oh miracle, again: the password is almost the same everywhere, say god14. Most likely this was the original Gmail password too, so we set it back. The victim suspects nothing.
4) Another miracle! The corporate mailbox has the same password as the personal one.
5) Get a good Internet connection and download all the mail, attachments included (read: important financial documents), to ourselves.
This is much like aviation accidents: a combination of factors, none of which matters much on its own, leads to a catastrophe. The factors are simple:
1) The bad habit of using the same password everywhere (they say the most fashionable one now is "password1").
2) The moronic services that send the password in the clear after registration (I suspect they also store it unencrypted).
3) Excessive honesty when answering the "secret question for password recovery", in the spirit of "My cat's name is Masha". Guessing that is not very hard.
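As an added illustration of factor 2 (this is my sketch, not code from the original post or from the article it cites), here are the two designs side by side in Python: a service that keeps the password in the clear and mails it back, against one that stores only a salted hash and recovers access through a random, single-use, expiring reset link that never reveals the password. The class and function names, the example.invalid addresses and the reset URL are invented for the illustration.

```python
# Added example, not from the original post: the two password-handling designs
# behind "factor 2" side by side. All names (WeakService, HardenedService,
# example.invalid addresses, the reset URL) are invented for the illustration.
import hashlib
import hmac
import os
import secrets
import time


class WeakService:
    """The 'before': the password is kept as-is and mailed back after signup.
    Anyone who later reads the mailbox gets the password itself."""

    def __init__(self):
        self.users = {}     # email -> plaintext password
        self.outbox = []    # (recipient, body) pairs the service would e-mail

    def register(self, email, password):
        self.users[email] = password
        self.outbox.append((email, f"Thanks for registering! Your password is: {password}"))

    def login(self, email, password):
        return self.users.get(email) == password


class HardenedService:
    """The 'after': only a salted scrypt hash is stored, so the service cannot
    mail the password even if it wanted to. Recovery goes through a random,
    single-use token that expires, so a mailbox leak yields nothing reusable."""

    TOKEN_TTL = 15 * 60  # seconds a reset link stays valid

    def __init__(self, clock=time.time):
        self.users = {}     # email -> (salt, scrypt hash)
        self.tokens = {}    # sha256(token) -> (email, expiry timestamp)
        self.outbox = []
        self.clock = clock  # injectable so expiry can be tested without sleeping

    @staticmethod
    def _hash(password, salt):
        # Memory-hard KDF; parameters kept small so the example runs quickly.
        return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

    def register(self, email, password):
        salt = os.urandom(16)
        self.users[email] = (salt, self._hash(password, salt))
        self.outbox.append((email, "Thanks for registering! Use 'forgot password' if you ever need a reset."))

    def login(self, email, password):
        record = self.users.get(email)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._hash(password, salt))

    def request_reset(self, email):
        # Same reply whether or not the address exists, so the form does not
        # double as an account-enumeration oracle.
        if email in self.users:
            token = secrets.token_urlsafe(32)
            key = hashlib.sha256(token.encode()).digest()  # keep only a digest of the token
            self.tokens[key] = (email, self.clock() + self.TOKEN_TTL)
            self.outbox.append((email, f"Reset link: https://example.invalid/reset?token={token}"))
        return "If that address is registered, a reset link has been sent."

    def complete_reset(self, token, new_password):
        key = hashlib.sha256(token.encode()).digest()
        entry = self.tokens.pop(key, None)  # pop: a token works exactly once
        if entry is None:
            return False
        email, expiry = entry
        if self.clock() > expiry:
            return False
        salt = os.urandom(16)
        self.users[email] = (salt, self._hash(new_password, salt))
        return True


def secrets_in_mailbox(service):
    """What someone who reads the mailbox learns: the mailed-out plaintext
    passwords (weak design), or nothing of the kind (hardened design)."""
    return [body for _, body in service.outbox if "password is:" in body]


if __name__ == "__main__":
    weak, hard = WeakService(), HardenedService()
    for svc in (weak, hard):
        svc.register("employee@example.invalid", "god14")
    print("weak service leaks:", secrets_in_mailbox(weak))
    print("hardened service leaks:", secrets_in_mailbox(hard))
```

The point of the hardened variant for this story is that a stolen mailbox no longer contains anything the attacker can reuse elsewhere: the reset token is random, unrelated to the password, dies after one use or fifteen minutes, and even the service itself only holds a digest of it.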
I suspect that many people reuse their passwords in different places (otherwise you don't get far) and have a dozen e-mails from friendly services that sent them their password after registration. Be careful :)