
Re: <nettime> hotmail's hacked



Wau Holland <wau@minos.trend.jena.thur.de> wrote:

[cgi-bin/start]
>At the CCC the following forward, with the same statement, came from Pirx:

As far as I can see, the decisive thing about this start script was
setting HTTP_REFERER to a specific Hotmail URL; after that, password
authentication negligently no longer took place.

>> Let's see whether anything comes of liability claims against
>> Hotmail and so on.
>
>Hmmm.
>I'd like a script for that.
>What service promise does Hotmail actually make?
>
>One could presumably explain to a judge that a door intercom which
>already opens the door when the name is pronounced correctly is opening
>it in a manner that is not just grossly but extremely grossly negligent.

The first consequences of the door intercom with an insider button are
becoming known (see below), but plaintiffs are still missing.

A few web snippets:

=-=-=-=-=-=-=-=-=-=
http://www.heise.de/newsticker/data/cp-03.09.99-002/

   After the break-in into Microsoft's e-mail service Hotmail, hackers
   have published the names of Swedish brothel customers on the
   Internet. As the Stockholm newspaper "Expressen" reported on Friday,
   the hackers found all e-mails exchanged between two Stockholm
   prostitutes and their male clientele. They published these on a
   freely accessible homepage together with the names and telephone
   numbers of the clients. According to "Expressen", the customers
   pilloried in this way include the CEO of a well-known Swedish media
   group.

   Details about the kind of sexual services requested by customers
   were also published.
=-=-=-=-=-=-=-=-=-=
http://www.wired.com/news/news/technology/story/21503.html

   A previously unknown group known as Hackers Unite has claimed
   responsibility for publicizing Hotmail's security breach, which
   Microsoft vehemently denied was the result of a backdoor oversight.

[...]
   "We did not do this hack to destroy, we want to show the world how
   bad the security on Microsoft really is, and that company nearly have
   monopoly on [all] the computer software," a 21-year-old Swedish
   member of the group said Monday.

   Göteborg resident Lasse Ljung, who goes by the nickname of DarkWing
   on Internet relay chat, said he was speaking on behalf of Hackers
   Unite.

[...]
   Ljung said that Hackers Unite is composed of one Swedish citizen and
   seven Americans. The group declined to communicate directly with
   Wired News, which could not positively confirm their identities.

   The handful of lines of simple HTML code that constitute the exploit
   took advantage of a Hotmail login script called "start" that is not
   currently used on the Hotmail welcome page, and the password "eh."

   After examining that code early Monday, outside security experts
   suggested that the problem might have been a backdoor inadvertently
   left open on Hotmail servers by Microsoft engineers.

   Microsoft vehemently denied the backdoor suggestions, and instead
   described the problem as "an unknown security issue."

   "There is nothing to these allegations [of a backdoor in Hotmail],"
   said MSN marketing director Rob Bennett. "It is not true. Microsoft
   values the security and privacy of our users above all."

   However, Jon Thompson, administrator of one of the sites that hosted
   the Hotmail exploit, told MSNBC.com that his associates had known
   about the vulnerability -- and had access to Hotmail accounts -- for
   about eight weeks.

=-=-=-=-=-=-=-=-=-=
http://wired.com/news/news/politics/story/21525.html

   Tempted by Hotmail's recent gaping security hole to sneak a peek at
   your friend's email? Did you actually take a look?

   Logic says you'd be in big trouble if you got caught. But logic is
   not the same as the law ... because there really isn't one.

   That's why the breach [...] probably won't produce a tide of
   litigation or lead to arrests of email peepers, say lawyers who
   specialize in Net privacy issues.

[...]
   Besides, somebody has to complain first, and that hasn't happened,
   Microsoft officials say.

[...]
   "You're speculating with old laws that come up in new ways," Merrill
   said. "We have to have a few cases before we can be sure how they're
   going to be applied."

[...]
   "You need a complaining party," said Peter Brown, a partner at Brown
   Raysman Millstein Felder & Steiner, a New York law firm.

   Hotmail's security hole could still be the event that triggers a test
   case, despite the initial lack of complaints.

=-=-=-=-=-=-=-=-=-=

What I find most remarkable is Jon Thompson's statement that the hole
had already existed for eight weeks - so much for 10 hours.

-tab
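The Referer-trust flaw described at the top of this message (a "start" script that treats an HTTP_REFERER pointing at a Hotmail URL as proof of login and skips the password check), shown as an added Python illustration that is not part of the original thread or of Hotmail's code; the account name, password, salt and trusted URL are constructed placeholders.

```python
import hashlib
import hmac
import os

# Constructed sample account: one user with a salted PBKDF2 password hash.
# Nothing here is real Hotmail data.
_SALT = os.urandom(16)
_ROUNDS = 100_000
ACCOUNTS = {
    "alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ROUNDS),
}

# Hypothetical "trusted" URL; the actual value is not given in the thread.
TRUSTED_REFERER = "https://www.hotmail.example/"


def _check_password(environ: dict) -> bool:
    """Verify login/passwd fields against the stored hash in constant time."""
    user = environ.get("login", "")
    pw = environ.get("passwd", "").encode()
    candidate = hashlib.pbkdf2_hmac("sha256", pw, _SALT, _ROUNDS)
    stored = ACCOUNTS.get(user)
    if stored is None:
        return False  # hash computed above anyway, so unknown users cost the same
    return hmac.compare_digest(candidate, stored)


def flawed_start(environ: dict) -> bool:
    """Mirrors the bug from the thread: a Referer that looks like it came from
    the trusted site is taken as evidence that login already happened, so the
    password is never checked. The Referer header is chosen by the client and
    proves nothing about its origin."""
    if environ.get("HTTP_REFERER", "").startswith(TRUSTED_REFERER):
        return True
    return _check_password(environ)


def hardened_start(environ: dict) -> bool:
    """Referer plays no part in authentication: every request to 'start' must
    carry valid credentials (or, in a real deployment, a server-issued session
    token), regardless of which page claims to have sent the user here."""
    return _check_password(environ)
```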