funsec mailing list archives

Police secret password blunder


From: "Kane Lightowler" <Kane.Lightowler () contentsecurity com au>
Date: Wed, 5 Apr 2006 15:12:46 +1000

Police secret password blunder

http://smh.com.au/articles/2006/04/05/1143916569155.html

A NSW Police blunder has led to a database of email passwords -
including those of the anti-terrorism commander and hundreds of
journalists - published on the internet.

The names, email addresses and passwords of as many as 800 people who
signed up to receive NSW Police media releases are listed on the
database.

Among the exposed passwords is that of Detective Chief Superintendent
Mark Jenkins, the man responsible for the state's Counter Terrorist
Co-ordination Command unit.

This morning, smh.com.au alerted Mr Jenkins to the fact that his
password had been compromised.

He said he had no idea it was available on the internet.

"I'd like to make some inquiries with our media unit before I make any
comment whatsoever," he said.

The database also includes passwords belonging to well-known journalists
at The Sydney Morning Herald, The Daily Telegraph, the ABC and the
commercial TV networks as well as regional newspapers and radio
stations.

The database appears to have been taken offline within the past month,
but it can still be accessed through Google.

NSW Police have not contacted its media release subscribers over the
apparent breach of privacy and security.

While some of the passwords would be used only for subscribing to the
NSW Police media releases, many appear to be the secret codes
journalists use to access their email accounts and other
password-dependent information.

The more sophisticated passwords are a combination of letters and
numerals, while others are people's names.

There are also bizarre passwords such as "smellyundies", "enforcer",
"chunder" and "crunchymaggots".

NSW Police could contact Google to ask for the cache of compromising
details to be taken off its site, as smh.com.au does when it has to
remove archived stories from its website for legal reasons.

The exposure of the email addresses also gives spammers access to
private accounts.

Comment is being awaited from NSW Police.

Regards, 

Kane Lightowler 
Network Security Consultant 

Content Security 
Level 3, Suite 32 
203 Castlereagh Street 
Sydney 2000 

phone +61 2 9267 9911 
mobile +61 413 114 186 
fax +61 2 9261 2378 
www.contentsecurity.com.au 

 

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
