All,

Last week we had an internal State security audit.

One of their tests was to copy our CAS login page and host it on their own 
server. They then sent an email to many on campus with a link asking them to 
verify some information, which started with a CAS login page. Even though 
Outlook marked the email as potential phishing, some people clicked the link and 
had their password captured. Sigh.

We all noticed that the address bar URL was suspect. I was thinking I could put 
some obfuscated JavaScript in the login page and have it email my group in 
the event someone else tried this. The JavaScript would detect the incorrect 
address in the address bar. Is this feasible? Or is it too easily disabled?

One of my co-workers also caught the bogus CAS page, fired up JMeter and hit 
the bogus login page with 20,000 login attempts. That brought the bogus login 
web server down. Got to love DDoS. The auditors said that was unethical. Hehe.

Also, not CAS related, they also soaked some paper in hot water and slid it 
under a door. This triggered the inside infrared detector and unlocked the door 
from the inside, allowing access to a computer room. There they found a laptop 
that was not locked and used the information on the laptop to social engineer 
password resets with the help desk. Evil.

Know the enemy.

Cheers,

Bryan

-- 
You are currently subscribed to cas-dev@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-dev
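As an added illustration of the address-bar check Bryan asks about (this is editor-supplied example code, not from the original post or from the CAS project): the login page compares the hostname the browser actually loaded it from against an allowlist and, on a mismatch, beacons a report to the real server. The host `cas.example.edu` and the `/clone-report` endpoint are assumptions; only the observed location and referrer are sent, never form contents.

```javascript
// Added example (not from the original post). Hostnames and endpoint are assumed.
const EXPECTED_HOSTS = ["cas.example.edu"];                   // assumed: the real CAS host
const REPORT_ENDPOINT = "https://cas.example.edu/clone-report"; // assumed: receives beacons

// Normalise a hostname the way browsers expose it (case-insensitive, optional
// trailing dot) and compare it to the allowlist. Returns a verdict object
// instead of acting, so the logic can be tested outside a browser.
function checkOrigin(hostname, allowedHosts = EXPECTED_HOSTS) {
  const host = String(hostname || "").toLowerCase().replace(/\.$/, "");
  const ok = allowedHosts.some((h) => host === h.toLowerCase());
  return { ok, host };
}

// Build the report payload. Deliberately excludes any form data so the beacon
// itself cannot leak the credentials the clone is trying to capture.
function buildReport(hostname, href, referrer) {
  return JSON.stringify({
    kind: "cloned-login-page",
    observedHost: hostname,
    observedUrl: href,
    referrer: referrer || "",
    ts: new Date().toISOString(),
  });
}

// Runs on page load in the browser. Returns null when there is no window
// (e.g. under Node), false when the origin is expected, true when it reported.
function reportIfCloned() {
  if (typeof window === "undefined") return null;
  const { ok, host } = checkOrigin(window.location.hostname);
  if (ok) return false;
  const body = buildReport(host, window.location.href, document.referrer);
  // sendBeacon survives page unload; fall back to a keepalive fetch otherwise.
  if (navigator.sendBeacon) {
    navigator.sendBeacon(REPORT_ENDPOINT, body);
  } else {
    fetch(REPORT_ENDPOINT, { method: "POST", body, mode: "no-cors", keepalive: true })
      .catch(() => {});
  }
  return true;
}

reportIfCloned();
```

This only fires if the cloned copy still carries the script, so it is a tripwire rather than a control; server-side signals that do not depend on the attacker's page, such as the Referer on requests for your CSS and images arriving from an unexpected origin, are worth logging alongside it.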