From: Ziana Astralos (ziana@extrotech.net)
Date: Sun Feb 23 2003 - 16:50:20 MST
(02/23/2003 17:05) "gts" <gts_2000@yahoo.com> wrote:
> ...
> And yet my low-security password was still hacked remotely. I can
> only hope and pray that my hi-security password wasn't.
> ...
Depending on what kind of site this is (the one at which your account
was broken into and abused), it is possible that the perpetrator did
not need any access to your local system to get into your account on
that website. There are unfortunately a number of older programs still
in use for user management (forums and such) which use minimal or
completely nonexistent encryption on the database of users' passwords.
In that case all the perpetrator would have to do is break into that
server (or bribe an admin) and gain access to that password list. This
is one of the main reasons for using different passwords at each place
you register-- you usually can't be sure how secure the software
behind the site is, or how much the admins bother to keep the system
up to date on security patches and such. The SQL worm a few weeks ago
would not have been able to do any damage if so many admins had not
neglected to apply a patch for the vulnerability exploited by that
worm-- a patch which has been available since last June or July.
--
Aumentar! Onward,
Ziana Astralos - ziana@extrotech.net - http://www.extrotech.net/
GCS/MC/IT/L/O d- s-:- a? C++++ W+++ K++ UL w+ M-- PS+++ PE Y+ DI++++