RE: Cell phone access to email
From: David B. Harrison (hdavid11580@qwest.net)Date: 08/27/01
- Previous message: Martin Markgraf: "CodeRed wormcatcher found on the net"
- Maybe in reply to: David B. Harrison: "Cell phone access to email"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 26 Aug 2001 19:20:56 -0600 Message-ID: <01C12E64.3BE11AA0.hdavid11580@qwest.net> From: "David B. Harrison" <hdavid11580@qwest.net> To: "'Thor@HammerofGod.com'" <Thor@HammerofGod.com> Subject: RE: Cell phone access to email
Now that I have been on site and got a good look at this I can give out
some more info. First the systems is something new Qwest is offering to
customers. They install a small client on their Email server this gets
past the password and forwards all email back to a qwest storage client
waiting for the Cell phone to register. This is where the problem comes
in, any phone on the system that knows the server/domain can register and
re-register with different clients names and gets their email to the phone.
The Authentication is just that you know the server/domain name and select
a username. Giving access to any one in the company's email.
My customer turned the phones back in after we found out how it worked.
Dave H
-----Original Message-----
From: Thor@HammerofGod.com [SMTP:Thor@HammerofGod.com]
Sent: Wednesday, August 22, 2001 9:31 AM
To: hdavid11580@qwest.net
Cc: VULN-DEV@securityfocus.com
Subject: Re: Cell phone access to email
Are you saying that they can check email on their phones for accounts that
already existed or something? Not new, special accounts for the phones
themselves? Your email really doesn't give up too much information...
----- Original Message -----
From: "David B. Harrison" <hdavid11580@qwest.net>
To: <steve@java2000.com>; <vuln-dev@securityfocus.com>
Sent: Wednesday, August 22, 2001 7:11 AM
Subject: RE: Cell phone access to email
> The problem is that the customer never gave out the passwords and the
> server is behind a firewall not controlled by Qwest so how do the phones
> have access to the server for email without ever asking for a password
> during setup or at time of request?
> Dave H
>
> -----Original Message-----
> From: Stephen A Santos [SMTP:steve@java2000.com]
> Sent: Wednesday, August 22, 2001 6:26 AM
> To: 'David B. Harrison'; vuln-dev@securityfocus.com
> Subject: RE: Cell phone access to email
>
> If it is anything like Nextels system the password information is stored
> on their end and authentication is made the same way the system knows
> which number goes with which phone. So yes, anyone with a cloned cell
> can get the email.
>
>
> ===================
> Stephen A Santos
> 63 W Fountainhead Dr #107
> Westmont, IL 60559
> H: 630-241-0493
> M: 630-561-9368
>
> -----Original Message-----
> From: David B. Harrison [mailto:hdavid11580@qwest.net]
> Sent: Tuesday, August 21, 2001 11:07 PM
> To: vuln-dev@securityfocus.com
> Subject: Cell phone access to email
>
>
> I am hoping someone can answer a question for me. A customer of mine is
>
> testing a new cell phone from Qwest. It gives them access to cheap cell
>
> phone connection and Internet mail. The problem is it connects to
> exchange
> without a password. I can see if qwest was the server location and they
>
> were doing a copy of some sort, but the server is behind a firewall from
>
> Qwest yet they are getting email to the phone both external and local.
>
> Any Ideas?
> Dave H
>
- Previous message: Martin Markgraf: "CodeRed wormcatcher found on the net"
- Maybe in reply to: David B. Harrison: "Cell phone access to email"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
