[AusNOG] MelbourneIT stores domain passwords in cleartext - iTnews.com.au

Joseph Goldman joe at apcs.com.au
Thu Mar 20 17:22:56 EST 2014 

This is largely turning into a SysAdmin or even more specific Security 
or Programming topic - but to obtain multiple asetts - if security is 
set up right, would require a more comprehensive and full access 
exploit/hack, i.e. maybe a root shell, vs more common hacks to web-apps 
where you can 'trick' the app to expose raw database data. Obviously 
every proprietary system and every language is different  so its no use 
speculating on each registrars security implementation.

  But consider Credit Card data a good comparison - you only store this 
if you need to be able to retrieve this (auto billing etc), although you 
wouldn't store this in clear-text, and would take measures to make it as 
hard as possible for hackers to obtain this information. If the company 
wanted, technically they could retrieve and provide these details in 
cleartext.

  Anyways - enough veering off-topic (for the list) for me today.

On 20/03/14 17:01, Robert Hudson wrote:
>
> Technically, yes there is a difference.
>
> Once a system is compromised and the encryption key available, there 
> is no difference as far as the end result is concerned.
>
> On 20/03/2014 4:54 PM, "Joseph Goldman" <joe at apcs.com.au 
> <mailto:joe at apcs.com.au>> wrote:
>
>     There is also a difference between storing in clear text and
>     retrieving back to clear text.
>
>     A database exposure may not give a hacker any useful data, and a
>     more in-depth knowledge of how the particular registrars and/or
>     auDA's systems are run, along with hacking/retrieval of multiple
>     assets may be needed to successfully compromise customer passwords.
>
>     I think the news article in question is more referencing that
>     Melbourne IT store the password in cleartext in the DB, so only DB
>     data exposure would be required to compromise customers domains.
>
>     On 20/03/14 16:45, Seamus Ryan wrote:
>>
>>     Yup
>>
>>     http://www.ausregistry.com.au/tools/recover-password
>>
>>     Sends the password to the registrant, via email, in plain text.
>>     MelbourneIT (or any registrar for that matter) could do all the
>>     hashing or encrypting of the domain password they want, you would
>>     still be able to use that Ausregistry page to obtain the password
>>     in plain text. Granted there have been recent improvements to .au
>>     domain security (such as .auLOCKDOWN) to protect against
>>     unauthorised domain modifications, that isn't what we are talking
>>     about here.
>>
>>     It's nothing new.
>>
>>     -Seamus
>>
>>     *From:*AusNOG [mailto:ausnog-bounces at lists.ausnog.net] *On Behalf
>>     Of *Shane Short
>>     *Sent:* Thursday, 20 March 2014 4:34 PM
>>     *To:* Robert Hudson
>>     *Cc:* ausnog at lists.ausnog.net <mailto:ausnog at lists.ausnog.net>
>>     *Subject:* Re: [AusNOG] MelbourneIT stores domain passwords in
>>     cleartext - iTnews.com.au <http://iTnews.com.au>
>>
>>     I think you'll find Ausregistry stores them in plain text, too. I
>>     had one for a domain I'd planned to transfer a while ago.. went
>>     to the Ausreg page to get it sent to me and I got the same
>>     password sent to me (so it's obviously not regenerated when you
>>     request it). I think it's probably unfair to target Melbourne IT
>>     specifically.
>>
>>
>>
>>         *Robert Hudson* <mailto:hudrob at gmail.com>
>>
>>         20 March 2014 9:47 am
>>
>>         Sorry to drag this old thread up - but I can confirm that
>>         MelbourneIT aren't alone in storing domain auth passwords in
>>         cleartext - I've just received an email from Europe Registry
>>         (http://www.europeregistry.com/) with a domain auth password
>>         contained within it in cleartext.
>>
>>
>>
>>         _______________________________________________
>>         AusNOG mailing list
>>         AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net>
>>         http://lists.ausnog.net/mailman/listinfo/ausnog
>>
>>         *Peter Lawler* <mailto:ausnog at bleeter.id.au>
>>
>>         11 March 2014 4:45 am
>>
>>         It occurs to me that some on noggers may not have previously
>>         been aware of this. But now that it's 'in the news', etc.
>>
>>         http://www.itnews.com.au/News/374095,melbourneit-stores-domain-passwords-in-cleartext.aspx
>>
>>         _______________________________________________
>>         AusNOG mailing list
>>         AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net>
>>         http://lists.ausnog.net/mailman/listinfo/ausnog
>>
>>
>>
>>     _______________________________________________
>>     AusNOG mailing list
>>     AusNOG at lists.ausnog.net  <mailto:AusNOG at lists.ausnog.net>
>>     http://lists.ausnog.net/mailman/listinfo/ausnog
>
>
>     _______________________________________________
>     AusNOG mailing list
>     AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net>
>     http://lists.ausnog.net/mailman/listinfo/ausnog
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20140320/ac301e2f/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 144de0e4d3ea8bf6_compose-unknown-contact.jpg
Type: image/jpeg
Size: 770 bytes
Desc: not available
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20140320/ac301e2f/attachment.jpg>

More information about the AusNOG mailing list