Slashdot Mirror


Even My Mom Could Hack These Sites

Frequent Slashdot Contributor Bennett Haselton's latest story is ready for your consumption. He starts "Recently, as an experiment, I wrote from my Hotmail account to ten different hosting companies that were each hosting some of my Web sites, asking for logins to change the domain settings. Even though I never provided any proof that the messages from the Hotmail account were really coming from me (the address they all had on file for me was a different one), half of them replied back and gave me the logins that I needed."

I figured that if I wrote to them saying "I forgot my password, please mail it to me," that would be too obvious. Instead, at the time I had set up shop with these hosting companies, I entered a domain name at the time of creating my account, and asked them to register it on my behalf (long before I had this experiment in mind). Then when I wrote to them recently from my Hotmail address, I sent each of them a message saying: I need to transfer this domain somewhere else, can you give me the login at the registrar where you registered the domain, so I can change the domain settings. Five of the ten companies either (a) gave me the registrar login, (b) transferred the domain to my registrar account on request (even though I never provided any proof that the owner of that registrar account was really me, either), or (c) changed the domain to point to a new IP address that I specified -- all of which, of course, would allow an attacker to take over a site temporarily or even permanently, if it hadn't really been me writing from the Hotmail address.

But slow down before you go off to try this out on Yahoo, eBay or Google hoping to get the same 50% success rate. First, these were all low-budget hosting companies, so the people handling my queries were likely not highly trained professionals who would have developed all the right habits about when to get suspicious. Second, this ruse only worked because the hosting companies registered the domains on my behalf. Most sites that are really worth taking over are hosted on dedicated servers, and this trick wouldn't work on a dedicated hosting company because they usually don't register domains on behalf of customers; they assume that anybody buying an expensive dedicated server knows enough to buy the domain and point it at the server that the company gives them.

But even for small-time hosting, a 50% success rate for a trick like this is uncomfortably high. So what can we do about it? Well, every problem has a non-solution that requires changing human nature ("People should just stop buying from spammers and they'd go out of business!") and a non-solution that ignores the economics of the situation ("ISPs should devote more resources to stopping spammers on their own network!"). In this case, the corresponding non-solutions would be (a) "People who work for hosting companies should be less gullible" and (b) "ISPs should hire smarter people, without charging more to their hosting customers".

The solution that doesn't require any cheating, though, is to have procedures in place for anything remotely security-related, and drum into employees' heads that they have to follow those procedures. Here's some good news: Of the five companies that fell for the ruse asking for my registrar login information, when I followed up with them saying "Hey, I forgot my account password, can you mail it to me", only two of them actually sent my password to the Hotmail account. To those two, I replied with some terse words about having a six-inch-thick steel door while leaving the window wide open. But at least it was only two out of ten that fell for that ruse, compared to five out of ten that fell for the registrar trick. The difference is that hosting companies have procedures in place to deal with password resets -- a script that sends the existing password, or sends a reset-password link, only to the customer's e-mail address on file.

Similarly, any hosting company that registers domains on behalf of users should have procedures in place for transferring the domains to users or letting them change domain settings. In fact, of the five companies that didn't fall for the ruse, most of them said "Go to the customer control panel here and log in" -- it wasn't that their guard went up because I was writing from a Hotmail account, it was that they already had procedures in place for a customer wanting to change domain settings, and that's what the idiot-proof book told them to do. Kevin Mitnick always said that the weakest link in any security chain was people. Sometimes the way for ISPs to tighten security is to make the people in the chain act more like machines.
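The procedures the two paragraphs above argue for, written out as an added example (not code from the article or from any hosting company): a support-request handler that never mails a secret back and, for any security-relevant request, sends a signed, expiring confirmation link only to the address on file, flagging a sender mismatch for review without letting it change the procedure. The account record, action names and signing key are constructed placeholders.

```python
import hmac
import hashlib

# Constructed sample data: account id -> e-mail address on file (not real customers).
ADDRESS_ON_FILE = {"acct-1001": "owner@example.net"}

# Requests the article shows being honoured by e-mail; none may be answered directly.
SENSITIVE_ACTIONS = {"password_reset", "registrar_login", "domain_transfer", "dns_change"}

# Hypothetical server-side signing key; a real deployment loads it from a secrets store.
SERVER_KEY = b"placeholder-signing-key"
TOKEN_TTL = 900  # seconds a confirmation link stays valid


def issue_token(account: str, action: str, now: int) -> str:
    """Signed, expiring token bound to one account and one action."""
    exp = now + TOKEN_TTL
    msg = f"{account}|{action}|{exp}".encode()
    mac = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return f"{account}|{action}|{exp}|{mac}"


def verify_token(token: str, account: str, action: str, now: int) -> bool:
    """Accept only an unexpired token whose MAC matches this account and action."""
    try:
        t_account, t_action, t_exp, t_mac = token.split("|")
    except ValueError:
        return False
    msg = f"{t_account}|{t_action}|{t_exp}".encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return (hmac.compare_digest(t_mac, expected)
            and t_account == account and t_action == action
            and now < int(t_exp))


def handle_request(account: str, sender: str, action: str, now: int) -> dict:
    """Triage a support e-mail. Secrets are never mailed back; for a sensitive action
    a confirmation link goes to the address on file, whoever asked."""
    on_file = ADDRESS_ON_FILE.get(account)
    if on_file is None:
        return {"decision": "reject", "deliver_to": None, "flag": "unknown account"}
    if action not in SENSITIVE_ACTIONS:
        return {"decision": "answer", "deliver_to": sender, "flag": None}
    # A mismatched sender is logged for review but changes nothing about the procedure.
    flag = None if sender.lower() == on_file.lower() else "sender differs from address on file"
    return {"decision": "send_confirmation_link", "deliver_to": on_file,
            "token": issue_token(account, action, now), "flag": flag}
```

The clicked link would then be checked with `verify_token` against the same account and action before any registrar login, transfer or DNS change is performed.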

Until then, there are probably many sites out there that are this easy to "hack", using a method that could charitably be called low-tech. After seeing which hosting companies fell for the trick, I pointed out that they had sent the login information to an unverified address and admonished them to be more careful in the future, but I didn't storm out vowing to take all of my business elsewhere -- after all, if 50% of all low-budget hosting companies out there fall for this, what would be the point?

18 of 233 comments

  1. Gee thanks by MillionthMonkey · · Score: 4, Funny

    Now my hosting company won't email my password to my Hotmail account anymore!

  2. Your Mom by aegisalpha · · Score: 2, Funny

    To be fair, your mom isn't too shabby at social engineering.

  3. Re:well what ISPs released the info? i want to avo by Anonymous Coward · · Score: 2, Funny

    "Even my mom could hack these sites" ???

    As a 48 yo grandmother, I am offended that technical incompetence is equated with being a mother. I don't think anyone would have said "even my dad could hack these sites".

    I am incidentally, a C programmer of 20+ years.

  4. Re:well what ISPs released the info? i want to avo by Anonymous Coward · · Score: 4, Funny

    "Even George W. Bush could hack these sites"

    There, that should be inoffensive enough for everyone now. ;-)

    -(Anonymous for safety)

  5. Re:I did something like this once... by Anonymous Coward · · Score: 3, Funny

    "...Anyway, I'm retarted. I just reset my password,..."

    Did she ask what your new tart looked like?

  6. Please send me your hotmail username and password by Timesprout · · Score: 5, Funny

    so I can check the veracity of this story.

    --
    Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
    What truth?
    There is no dupe

  7. Re:well what ISPs released the info? i want to avo by Sinister+Stairs · · Score: 4, Funny

    So easy a cave man could hack it.

  8. Re:past mistakes by peragrin · · Score: 2, Funny

    My boss still refers to AOL as "the Internet". I was finally able to force her to upgrade her Windows 98 machine. As I set up XP and Firefox, I set Firefox's icon to that of AOL's, set the homepage to www.aol.com and changed the icon's name. I installed AIM. She is annoyed that the "new" AOL isn't quite the same as the old one but is dealing with it.

    Never underestimate a person's unwillingness to learn something new.

    --
    i thought once I was found, but it was only a dream.

  9. Re:well what ISPs released the info? i want to avo by Dachannien · · Score: 5, Funny

    It's obvious that you're a C programmer, since a C++ programmer would have immediately recognized the difference between a class and an instance of that class.

  10. Re:well what ISPs released the info? i want to avo by Anonymous Coward · · Score: 4, Funny

    "Even George W. Bush could hack these sites"

    There, that should be inoffensive enough for everyone now. ;-)

    You just offended everyone's mother.

  11. Re:past mistakes by Digital+Vomit · · Score: 2, Funny

    It's almost as if society is continuously replacing itself with people who have no knowledge of history...

    --
    Modern copyright is theft of culture from everyone and it retards the progress of the useful arts and sciences.

  12. Can It Be So Simple... by packetmon · · Score: 2, Funny

    So I change my Caller ID to 1800MASTERCARD and call a ranDumb stranger "Hi this is Jesse James from Mastercard calling to confirm your credit card number..." Think it doesn't work. Can't blame people for being trusting/stupid.

  13. Re:You're a feminist? How cute! by WhatAmIDoingHere · · Score: 5, Funny

    Well, we all know asians are good with computers, blacks steal them but don't know how to use them, and mexicans are too damned lazy to do anything with the ones they buy with the money they earn from working the jobs americans won't.

    How was that?

    --
    Not a Twitter sockpuppet... but I wish I was.

  14. Re:You're a feminist? How cute! by snoyberg · · Score: 5, Funny

    Well, we all know asians are good with computers, blacks steal them but don't know how to use them, and mexicans are too damned lazy to do anything with the ones they buy with the money they earn from working the jobs americans won't.

    How was that?

    That was horribly offensive. As a white I feel very excluded.

    --
    Thank God for evolution.

  15. Re:I did something like this once... by DrVomact · · Score: 3, Funny

    He could just as easily have called up, claimed to have "just got back from holiday and forgotten my login details" and given Sarah his boss' name. 30 seconds later, he's got his boss' user ID and the password reset on the boss' account.

    Maybe I'm "retarted"...but I thought that's exactly what the guy did. That was the point of calling from his boss' phone, right?

    Hmm. *peeks out of cubicle at boss' office and notices it's empty* Hmmmmmmmm.

    /. is so educational, that's why I keep coming back.

    --
    Great men are almost always bad men--Lord Acton's Corollary

  16. Re:You're a feminist? How cute! by Anonymous Coward · · Score: 2, Funny

    It's funny though how if the poster had said "Even a [insert any race here] person could hack these sites" it would be a completely different kettle of fish that would probably see people fired and a national outcry over racism.

    Even a nappy-headed ho could hack these sites.

    Yours truly,
    D. Imus

  17. Re:You're a feminist? How cute! by Anonymous Coward · · Score: 2, Funny

    It's people like you that should be hung Hanged. Yep. I'm a Nazi...Heil Grammar!

  18. Re:parent is a troll by PhxBlue · · Score: 2, Funny

    Today it's a troll. Tomorrow it's the next "In Soviet Russia" joke.

    --
    !#@%*)anks for hanging up the phone, dear.