Re: <nettime> hotmail's hacked
- To: debate@fitug.de
- Subject: Re: <nettime> hotmail's hacked
- From: tab@gmx.net (Thilo Barth)
- Date: Sat, 04 Sep 1999 13:00:52 +0200
- Comment: This message comes from the debate mailing list.
- Organization: Cluttered Desk
- References: <3.0.2.32.19990830203848.0371a430@pop.gmx.net>
- Sender: owner-debate@fitug.de
Wau Holland <wau@minos.trend.jena.thur.de> wrote:
[cgi-bin/start]
>At the CCC, the following forward came in from Pirx, saying the same thing:
As far as I can see, the decisive thing about this start script was
setting the HTTP_REFERER to a specific Hotmail URL; after that,
authentication by password negligently no longer took place.
>> Let's see whether anything else happens with liability claims against
>> Hotmail and so on.
>
>Hmmm.
>I would like to have a script for that.
>What promise of service does Hotmail actually make?
>
>Presumably one can explain to a judge that a door intercom which
>opens the door as soon as the name is pronounced correctly opens the
>door with downright gross negligence rather than merely gross negligence.
The first effects of the door intercom with an insider button are becoming
known (see below), but plaintiffs are still missing.
A few web snippets:
=-=-=-=-=-=-=-=-=-=
http://www.heise.de/newsticker/data/cp-03.09.99-002/
After the break-in at Microsoft's e-mail service Hotmail, hackers have
published the names of Swedish brothel customers on the Internet. As
the Stockholm newspaper "Expressen" reported on Friday, the hackers
found all the e-mails exchanged by two Stockholm prostitutes with their
male clientele. They published these on a freely accessible homepage,
with the names and telephone numbers of the clients. According to
"Expressen", the customers who were pilloried also include the chief
executive of a well-known Swedish media group.
Details about the form of sexual services requested by customers were
also published.
=-=-=-=-=-=-=-=-=-=
http://www.wired.com/news/news/technology/story/21503.html
A previously unknown group known as Hackers Unite has claimed
responsibility for publicizing Hotmail's security breach, which
Microsoft vehemently denied was the result of a backdoor oversight.
[...]
"We did not do this hack to destroy, we want to show the world how
bad the security on Microsoft really is, and that company nearly have
monopoly on [all] the computer software," a 21-year-old Swedish
member of the group said Monday.
Göteborg resident Lasse Ljung, who goes by the nickname of DarkWing
on Internet relay chat, said he was speaking on behalf of Hackers
Unite.
[...]
Ljung said that Hackers Unite is composed of one Swedish citizen and
seven Americans. The group declined to communicate directly with
Wired News, which could not positively confirm their identities.
The handful of lines of simple HTML code that constitute the exploit
took advantage of a Hotmail login script called "start" that is not
currently used on the Hotmail welcome page, and the password "eh."
After examining that code early Monday, outside security experts
suggested that the problem might have been a backdoor inadvertently
left open on Hotmail servers by Microsoft engineers.
Microsoft vehemently denied the backdoor suggestions, and instead
described the problem as "an unknown security issue."
"There is nothing to these allegations [of a backdoor in Hotmail],"
said MSN marketing director Rob Bennett. "It is not true. Microsoft
values the security and privacy of our users above all."
However, Jon Thompson, administrator of one of the sites that hosted
the Hotmail exploit, told MSNBC.com that his associates had known
about the vulnerability -- and had access to Hotmail accounts -- for
about eight weeks.
=-=-=-=-=-=-=-=-=-=
http://wired.com/news/news/politics/story/21525.html
Tempted by Hotmail's recent gaping security hole to sneak a peek at
your friend's email? Did you actually take a look?
Logic says you'd be in big trouble if you got caught. But logic is
not the same as the law ... because there really isn't one.
That's why the breach [...] probably won't produce a tide of
litigation or lead to arrests of email peepers, say lawyers who
specialize in Net privacy issues.
[...]
Besides, somebody has to complain first, and that hasn't happened,
Microsoft officials say.
[...]
"You're speculating with old laws that come up in new ways," Merrill
said. "We have to have a few case before we can be sure how they're
going to be applied."
[...]
"You need a complaining party," said Peter Brown, a partner at Brown
Raysman Millstein Felder & Steiner, a New York law firm.
Hotmail's security hole could still be the event that triggers a test
case, despite the initial lack of complaints.
=-=-=-=-=-=-=-=-=-=
What I find most remarkable is Jon Thompson's statement that
the hole had already existed for eight weeks - so much for 10 hours.
-tab
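
The class of flaw described in the message above (a login script that skips the password check once HTTP_REFERER carries an expected URL), shown beside a corrected handler and a regression check a defender can run against either. This is an added example, not part of the original message and not Hotmail's code; the URL, account, passwords and all function names are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample data: salt, "trusted" URL and account are illustrative only.
SALT = b"constructed-salt"
TRUSTED_REFERER = "https://mail.example.test/internal/login"  # hypothetical URL


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)


USERS = {"alice": _hash("correct horse")}


def password_ok(user, password):
    """Verify the password in constant time, also for unknown users."""
    stored = USERS.get(user)
    candidate = _hash(password or "")
    matches = hmac.compare_digest(candidate, stored or b"\0" * 32)
    return matches and stored is not None


def login_vulnerable(environ, user, password):
    """Flawed: a header chosen by the client replaces the password check."""
    if environ.get("HTTP_REFERER") == TRUSTED_REFERER:
        return user in USERS
    return password_ok(user, password)


def login_hardened(environ, user, password):
    """Referer is never an authentication input; the password is always checked."""
    return password_ok(user, password)


def audit(handler):
    """Return the Referer values under which a wrong password is accepted."""
    probes = [None, "", TRUSTED_REFERER, "https://elsewhere.example.test/"]
    accepted = []
    for referer in probes:
        env = {} if referer is None else {"HTTP_REFERER": referer}
        if handler(env, "alice", "wrong password"):
            accepted.append(referer)
    return accepted
```

An empty list from `audit` means no tested Referer value substitutes for the password; the same check works as a regression test whenever a login path is changed.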