Posts

Showing posts with the label layer8

[Featured Story] Grand Theft Internet

This is a true story of how a con artist used social engineering alone to steal a user's domain. Human Security (HUMSEC) is a neglected area of IT security, even though it has long been regarded as a weak line of defense. Refer to OSSTMM for guidelines on testing HUMSEC. Story style: http://blog.jtimothyking.com/2010/03/31/grand-theft-internet Conversation style: http://old.nabble.com/Dreamhost-account-hacked-td28062149.html

Crazy Verification and a pile of 'root' passwords

Analysis
Nowadays most of us run our own web sites and remote VPSes, and all of us have worked with hosting vendors at some point. One of the worst mistakes seen far too often is support personnel on web-based support systems asking customers to provide their root passwords, cPanel/Plesk passwords and more. They say they ask for these credentials to verify that the customer actually owns the domains/IPs they claim. We know this is equivalent to saving passwords in plain text in a text editor. Avoid vendors whose support staff behave this carelessly, or at least refuse to reveal your passwords in this plainly stupid way.

Risk
It is well known that keeping sensitive data in plain text is a grave mistake that leads to direct 0wnage if attackers can find where it resides. An attacker who compromises one support personnel account, or the entire web-based support application, would gain access to this pile of root passwords, too.

Solution
Tie the support ticket authentication t...