So true, the security challenge always inspires us.

Lava Kafle
MS by Research in Computer Science
Kathmandu University
cell: 9841224387 9801034557
On Wed, Mar 6, 2013 at 6:17 AM, Bryan E. Wooten <bryan.woo...@utah.edu> wrote:
> All,
>
> Last week we had an internal State security audit.
>
> One of their tests was to copy our CAS login page and host it on their
> own server. They then sent an email to many on campus with a link asking
> them to verify some information, which started with a CAS login page. Even
> though Outlook marked the email as potential phishing, some people clicked
> the link and had their password captured. Sigh.
>
> We all noticed that the address bar URL was suspect. I was thinking I
> could put some obfuscated JavaScript in the login page and have it
> email my group in the event someone else tried this. The JavaScript would
> detect the incorrect address in the address bar. Is this feasible? Or is it
> too easily disabled?
>
> One of my co-workers also caught the bogus CAS page, fired up JMeter and
> hit the bogus login page with 20,000 login attempts. That brought the bogus
> login web server down. Got to love DDOS. The auditors said that was
> unethical. Hehe.
>
> Also, not CAS related, they also soaked some paper in hot water and slid
> it under a door. This triggered the inside infrared detector and unlocked
> the door from the inside, allowing access to a computer room. There they found
> a laptop that was not locked and used the information on the laptop to
> social engineer password resets with the help desk. Evil.
>
> Know the enemy.
>
> Cheers,
>
> Bryan
>
> --
> You are currently subscribed to cas-dev@lists.jasig.org as: lka...@gmail.com
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-dev
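The "detect the wrong address bar" idea Bryan asks about, written out as an added example; this is not code from the thread or from the CAS project. It assumes the real login page is served from cas.example.edu and that a hypothetical /phish-report endpoint on that host accepts POSTed JSON. The decision logic is kept in plain functions that take the location and a sender callback, so the same code can be exercised outside a browser; the last block wires it to window and navigator when they exist.

```javascript
// Added example (not from the cas-dev thread): a client-side "wrong host"
// tripwire for a login page. EXPECTED_HOSTS and REPORT_ENDPOINT are assumed
// names for this illustration.
const EXPECTED_HOSTS = ['cas.example.edu'];
const REPORT_ENDPOINT = 'https://cas.example.edu/phish-report';

// Exact, case-insensitive host comparison. A suffix test such as
// hostname.endsWith('example.edu') would be satisfied by
// "cas.example.edu.attacker.net", so whole host names are compared.
function isExpectedHost(hostname, expected = EXPECTED_HOSTS) {
  const h = String(hostname || '').toLowerCase().replace(/\.$/, '');
  return expected.some(e => e.toLowerCase() === h);
}

// What gets reported: where the clone is served from and how it was reached.
function buildReport(loc, referrer, now = Date.now()) {
  return {
    kind: 'cloned-login-page',
    host: loc.hostname,
    href: loc.href,
    protocol: loc.protocol,
    referrer: referrer || '',
    ts: now,
  };
}

// Compare the page's own location against the allowed hosts. On a mismatch,
// hand a report to `send` and return it; on a match return null. A failing
// `send` must never break the login page, so errors are swallowed.
function checkLoginPageOrigin(loc, referrer, send, expected = EXPECTED_HOSTS) {
  if (isExpectedHost(loc.hostname, expected)) return null;
  const report = buildReport(loc, referrer);
  try {
    send(REPORT_ENDPOINT, JSON.stringify(report));
  } catch (_) {
    // reporting is best effort
  }
  return report;
}

// Browser wiring: sendBeacon survives page unload; fetch with keepalive is
// the fallback. Only runs where a window exists.
if (typeof window !== 'undefined' && window.location) {
  const send = (url, body) =>
    (typeof navigator !== 'undefined' && navigator.sendBeacon &&
      navigator.sendBeacon(url, body)) ||
    fetch(url, { method: 'POST', body, keepalive: true, mode: 'no-cors' });
  checkLoginPageOrigin(window.location, document.referrer, send);
}
```

Two caveats a practitioner would want alongside this. First, it is a tripwire, not a control: whoever copies the HTML also controls the copy and can delete or neuter the script, and obfuscation only raises the cost slightly, so it catches lazy clones. Second, a complementary check that the attacker cannot strip from the client lives on the real server: if the clone still loads the login page's images, CSS or fonts from the genuine host, those asset requests arrive with a Referer naming the phishing site, which is easy to alert on in the web server logs.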