Educause Security Discussion mailing list archives
Re: consequences for student hacking
From: "Halliday,Paul" <Paul.Halliday () NSCC CA>
Date: Tue, 19 Feb 2008 23:13:36 -0400
"Let's face it, there's zillions of tools that will snarf packets literally out of thin air, without transmitting any themselves."

On most networks (switched and vlan'd) you should get very little w/o injecting something. The info you do get, while somewhat useful for leveraging other attacks, will not in itself give you any passwords. Well, maybe some SNMP1/2 community strings - but that's not really a password. If someone starts flooding CAM tables or they arp poison a gateway well, that's an entirely different story - and quite easy to trace.

________________________________
From: The EDUCAUSE Security Constituent Group Listserv on behalf of Valdis Kletnieks
Sent: Tue 2/19/2008 7:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] consequences for student hacking

On Tue, 19 Feb 2008 14:38:00 MST, Bob Henry said:
That's the theory. I'm looking for a reality check. What do your institutions do when you catch a student sniffing the wired or wireless network for userID's and passwords?
More realistically, how *do* you determine that somebody is "sniffing"? Let's face it, there's zillions of tools that will snarf packets literally out of thin air, without transmitting any themselves. Many more will snarf stuff up, even while the machine in question is doing totally innocuous other things.

At one SANS-EDU a number of years ago, I was able to set up a 'tcpdump' that determined who was using plaintext protocols (in order to specifically avoid catching user/password pairs, I narrowed the capture to only those SYN packets to ports that would have a userid/password in the clear in the next few packets (ports 21, 109, and so on)). At the break, I announced "This is a class on wireless security. We have about 300 people in this room, of which some 110 have logged into something using cleartext userid/password". The room goes nuts, as the guilty 110 realize what's happened. I then said "Don't worry, I was specifically careful to only catch SYN packets". The room quiets down. I then add "But I have no idea what those 5 guys sitting out in the atrium are doing..." :)

The reality check: You really don't know it happened until the perpetrator actually *uses* one of the snarfed passwords - at which point you can string them up by the whatziz for use of a stolen password.
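
The SYN-only survey of plaintext-protocol use described in the quoted message, sketched as an added example that is not part of the thread and not the poster's own command: it counts which clients opened connections to cleartext login services without recording any payload. The port list beyond 21 and 109, the filter string and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Ports 21 and 109 come from the post; 23, 110 and 143 are assumed additions.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 109: "pop2", 110: "pop3", 143: "imap"}

# Matching capture filter (pcap-filter syntax): bare SYNs to those ports only,
# so no payload, and therefore no credential, is ever written to disk.
BPF = ("tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and ("
       + " or ".join(f"dst port {p}" for p in sorted(CLEARTEXT_PORTS)) + ")")

LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"\d+\.\d+\.\d+\.\d+\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
    r".* length (?P<len>\d+)")

def cleartext_clients(lines):
    """Return {service: set of client IPs} for bare SYNs to cleartext ports."""
    clients = defaultdict(set)
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        port = int(m["dport"])
        # Re-check what the filter enforces, in case the input was captured
        # with a looser filter: SYN without ACK, zero payload bytes.
        if m["flags"] != "S" or int(m["len"]) != 0 or port not in CLEARTEXT_PORTS:
            continue
        clients[CLEARTEXT_PORTS[port]].add(m["src"])
    return dict(clients)

# Constructed `tcpdump -n` output (documentation address ranges, not real traffic).
SAMPLE = """\
10:15:01.100001 IP 198.51.100.11.50122 > 192.0.2.21.21: Flags [S], seq 1001, win 64240, options [mss 1460], length 0
10:15:01.100950 IP 192.0.2.21.21 > 198.51.100.11.50122: Flags [S.], seq 2001, ack 1002, win 65160, length 0
10:15:02.200002 IP 198.51.100.12.50300 > 192.0.2.30.109: Flags [S], seq 3001, win 64240, length 0
10:15:03.300003 IP 198.51.100.11.50124 > 192.0.2.21.21: Flags [S], seq 4001, win 64240, length 0
10:15:04.400004 IP 198.51.100.13.50410 > 192.0.2.40.443: Flags [S], seq 5001, win 64240, length 0
10:15:05.500005 IP 198.51.100.14.50500 > 192.0.2.21.21: Flags [P.], seq 1:20, ack 1, win 502, length 19
10:15:06.600006 IP 198.51.100.15.50600 > 192.0.2.50.110: Flags [S], seq 6001, win 64240, length 0
""".splitlines()

if __name__ == "__main__":
    found = cleartext_clients(SAMPLE)
    for service, ips in sorted(found.items()):
        print(f"{service}: {len(ips)} client(s)")
    print("distinct clients:", len(set().union(*found.values())))
```

Retried connections from the same client are counted once, and SYN-ACKs, data segments and non-cleartext ports are ignored, so the totals are a headcount of users to move onto encrypted protocols.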