<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
This is largely turning into a SysAdmin or even more specific
Security or Programming topic - but to obtain multiple asetts - if
security is set up right, would require a more comprehensive and
full access exploit/hack, i.e. maybe a root shell, vs more common
hacks to web-apps where you can 'trick' the app to expose raw
database data. Obviously every proprietary system and every language
is different so its no use speculating on each registrars security
implementation.<br>
<br>
But consider Credit Card data a good comparison - you only store
this if you need to be able to retrieve this (auto billing etc),
although you wouldn't store this in clear-text, and would take
measures to make it as hard as possible for hackers to obtain this
information. If the company wanted, technically they could retrieve
and provide these details in cleartext.<br>
<br>
Anyways - enough veering off-topic (for the list) for me today.<br>
<br>
<div class="moz-cite-prefix">On 20/03/14 17:01, Robert Hudson wrote:<br>
</div>
<blockquote
cite="mid:CAOu9xNLVQF3=vs6nXCu_ZSv3828-u=k+iFdkJQ3inve_=qsJ3g@mail.gmail.com"
type="cite">
<p dir="ltr">Technically, yes there is a difference. </p>
<p dir="ltr">Once a system is compromised and the encryption key
available, there is no difference as far as the end result is
concerned.</p>
<div class="gmail_quote">On 20/03/2014 4:54 PM, "Joseph Goldman"
<<a moz-do-not-send="true" href="mailto:joe@apcs.com.au">joe@apcs.com.au</a>>
wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> There is also a
difference between storing in clear text and retrieving back
to clear text.<br>
<br>
A database exposure may not give a hacker any useful data,
and a more in-depth knowledge of how the particular
registrars and/or auDA's systems are run, along with
hacking/retrieval of multiple assets may be needed to
successfully compromise customer passwords.<br>
<br>
I think the news article in question is more referencing
that Melbourne IT store the password in cleartext in the DB,
so only DB data exposure would be required to compromise
customers domains.<br>
<br>
<div>On 20/03/14 16:45, Seamus Ryan wrote:<br>
</div>
<blockquote type="cite">
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Yup</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><a
moz-do-not-send="true"
href="http://www.ausregistry.com.au/tools/recover-password"
target="_blank">http://www.ausregistry.com.au/tools/recover-password</a></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Sends
the password to the registrant, via email, in plain
text. MelbourneIT (or any registrar for that matter)
could do all the hashing or encrypting of the domain
password they want, you would still be able to use
that Ausregistry page to obtain the password in
plain text. Granted there have been recent
improvements to .au domain security (such as
.auLOCKDOWN) to protect against unauthorised domain
modifications, that isn’t what we are talking about
here.</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">It’s
nothing new.</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>-<span
style="font:7.0pt "Times New Roman"">
</span></span></span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Seamus</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<div>
<div style="border:none;border-top:solid #e1e1e1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:windowtext"
lang="EN-US">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:windowtext"
lang="EN-US"> AusNOG [<a moz-do-not-send="true"
href="mailto:ausnog-bounces@lists.ausnog.net"
target="_blank">mailto:ausnog-bounces@lists.ausnog.net</a>]
<b>On Behalf Of </b>Shane Short<br>
<b>Sent:</b> Thursday, 20 March 2014 4:34 PM<br>
<b>To:</b> Robert Hudson<br>
<b>Cc:</b> <a moz-do-not-send="true"
href="mailto:ausnog@lists.ausnog.net"
target="_blank">ausnog@lists.ausnog.net</a><br>
<b>Subject:</b> Re: [AusNOG] MelbourneIT stores
domain passwords in cleartext - <a
moz-do-not-send="true"
href="http://iTnews.com.au" target="_blank">iTnews.com.au</a></span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I think you'll find Ausregistry
stores them in plain text, too. I had one for a domain
I'd planned to transfer a while ago.. went to the
Ausreg page to get it sent to me and I got the same
password sent to me (so it's obviously not regenerated
when you request it). I think it's probably unfair to
target Melbourne IT specifically.<br>
<br>
<br>
<br>
</p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div
style="margin-left:18.75pt;margin-top:22.5pt;margin-right:18.75pt;margin-bottom:7.5pt">
<div style="border:none;border-top:solid #edeef0
1.0pt;padding:4.0pt 0cm 0cm 0cm;display:table">
<div>
<p class="MsoNormal"
style="vertical-align:middle"><img
src="cid:part6.01010609.00040601@apcs.com.au"
name="144de0e4d3ea8bf6_compose-unknown-contact.jpg" height="25"
width="25" border="0"></p>
</div>
<div>
<p class="MsoNormal"
style="vertical-align:middle"><a
moz-do-not-send="true"
href="mailto:hudrob@gmail.com"
target="_blank"><b>Robert Hudson</b></a></p>
</div>
<div>
<p class="MsoNormal"
style="vertical-align:middle"><span
style="color:#9fa2a5">20 March 2014 9:47 am</span></p>
</div>
</div>
</div>
<div style="margin-left:18.0pt;margin-right:18.0pt">
<div>
<p class="MsoNormal"><span style="color:#888888">Sorry
to drag this old thread up - but I can confirm
that MelbourneIT aren't alone in storing
domain auth passwords in cleartext - I've just
received an email from Europe Registry (<a
moz-do-not-send="true"
href="http://www.europeregistry.com/"
target="_blank">http://www.europeregistry.com/</a>)
with a domain auth password contained within
it in cleartext.</span></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="color:#888888"><br>
<br>
</span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:#888888">_______________________________________________<br>
AusNOG mailing list<br>
<a moz-do-not-send="true"
href="mailto:AusNOG@lists.ausnog.net"
target="_blank">AusNOG@lists.ausnog.net</a><br>
<a moz-do-not-send="true"
href="http://lists.ausnog.net/mailman/listinfo/ausnog"
target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a></span></p>
</div>
</div>
<div
style="margin-left:18.75pt;margin-top:22.5pt;margin-right:18.75pt;margin-bottom:7.5pt">
<div style="border:none;border-top:solid #edeef0
1.0pt;padding:4.0pt 0cm 0cm 0cm;display:table">
<div>
<p class="MsoNormal"
style="vertical-align:middle"><img
src="cid:part6.01010609.00040601@apcs.com.au"
name="144de0e4d3ea8bf6_compose-unknown-contact.jpg" height="25"
width="25" border="0"></p>
</div>
<div>
<p class="MsoNormal"
style="vertical-align:middle"><a
moz-do-not-send="true"
href="mailto:ausnog@bleeter.id.au"
target="_blank"><b>Peter Lawler</b></a></p>
</div>
<div>
<p class="MsoNormal"
style="vertical-align:middle"><span
style="color:#9fa2a5">11 March 2014 4:45 am</span></p>
</div>
</div>
</div>
<div style="margin-left:18.0pt;margin-right:18.0pt">
<p class="MsoNormal"><span style="color:#888888">It
occurs to me that some on noggers may not have
previously been aware of this. But now that it's
'in the news', etc. <br>
<br>
<a moz-do-not-send="true"
href="http://www.itnews.com.au/News/374095,melbourneit-stores-domain-passwords-in-cleartext.aspx"
target="_blank">http://www.itnews.com.au/News/374095,melbourneit-stores-domain-passwords-in-cleartext.aspx</a>
<br>
_______________________________________________
<br>
AusNOG mailing list <br>
<a moz-do-not-send="true"
href="mailto:AusNOG@lists.ausnog.net"
target="_blank">AusNOG@lists.ausnog.net</a> <br>
<a moz-do-not-send="true"
href="http://lists.ausnog.net/mailman/listinfo/ausnog"
target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a>
</span></p>
</div>
</blockquote>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
AusNOG mailing list
<a moz-do-not-send="true" href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a>
<a moz-do-not-send="true" href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a>
</pre>
</blockquote>
<br>
</div>
<br>
_______________________________________________<br>
AusNOG mailing list<br>
<a moz-do-not-send="true"
href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<a moz-do-not-send="true"
href="http://lists.ausnog.net/mailman/listinfo/ausnog"
target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
<br>
</blockquote>
</div>
</blockquote>
<br>
</body>
</html>