Snarfing passwords for fun and profit (well, fun anyway)

| No Comments | No TrackBacks
A recent flight home had me accidentally shoulder-surfing a major financial institution employee.  I managed to catch him editing an internal switch/router configuration (probably Cisco?  Although all the switch syntaxes blur together for me).

I caught a line similar to this:

enable password level 15 <pretty easy to remember password, if you've seen it>

It caught my eye enough to eavesdrop for a while longer, until I snagged a legalese logon banner in the config, as well as the switches internal IP address (172.something).

Just a reminder to not edit sensitive files when in a public place.  I'm certainly guilty as heck of this from time to time.  It's a lesson especially useful for consultants to remember, as it's very tempting to start writing up the report for the latest engagement while on the flight home.  You never know who is going to be looking over your shoulder to get a little info on a nice, juicy, target network.

The company in question has so far been cool to deal with...an IR guru and I chatted on the phone to figure who the bad employee was.  I hope they don't get in trouble, but rather treat it as a life lesson that he shouldn't work so hard.

No TrackBacks

TrackBack URL: http://www.cyberpacifists.net/mtype/mt-tb.cgi/579

Leave a comment

About this Entry

This page contains a single entry by giminy published on March 8, 2013 5:21 PM.

ASIO Wants You(r computer) was the previous entry in this blog.

SSL Wrapping is Not Good Enough is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.