Security Basics mailing list archives
Re: Am I over reacting?
From: Leo <thehobbit () altern org>
Date: Fri, 12 Mar 2004 21:53:30 +0100
On Wed, Mar 10, 2004 at 11:19:45AM -0800, Michael Horn wrote:
> I'm not sure if I'm overreacting on this or not, since I'm new to the
> security scene. This morning, during an on-line seminar that one of our
> customers was holding, the presenter had his desktop shared out (so you
> could see everything). One thing I noticed about the web meeting software
> was that it was showing everybody's IP. I've used other web meeting
> companies and none of them showed the IPs. From my understanding, if you
> have the IP you're halfway to getting into their system. If I was a bad
> boy I could run a port scan to see what they were running and then
> exploit it. Is my thinking correct, or am I off base and overreacting?
>
> Thank you for your input,
> Michael Horn
Hi,

The short answer is... yes, you are.

First of all, if there is a TCP connection, then the system _must_ know the peer IP address. This means that you can always access it using netstat or similar.

Second, to say that "if you have the IP you're halfway to getting into their system." is the same as "If you know the street address of someone you are halfway to robbing him/her". While certainly you cannot enter into my system without knowing my IP, knowing it is far from giving you access to my system.

Of course, you may "run a port scan to see what they were running and then exploit it.", but the whole point in security is that you'll not be able to get into my system even though you can access it in a legitimate way (such as desktop sharing), doing which requires you (or at least your system) to know my IP.

My 5 cents...

Cheers
--
Leo "TheHobbit"
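The reply's point that netstat can always show the peer address, as an added example that is not part of the original post: on Linux, netstat-style tools read the kernel's connection table from /proc/net/tcp, and this sketch decodes that layout. The sample table is constructed (documentation-range addresses, trailing columns trimmed), the function names are hypothetical, and a little-endian host is assumed.

```python
import socket
import struct

# Constructed sample in the layout of Linux /proc/net/tcp. Addresses are
# documentation ranges, not real hosts; columns after "st" are trimmed.
SAMPLE = """\
  sl  local_address rem_address   st
   0: 00000000:01BB 00000000:0000 0A
   1: 0A0200C0:01BB 076433C6:C350 01
   2: 0A0200C0:01BB 2A7100CB:D431 01
   3: 0A0200C0:01BB 076433C6:C351 06
"""

ESTABLISHED = "01"  # kernel TCP state code; 0A is LISTEN, 06 is TIME_WAIT


def decode_endpoint(field):
    """Turn 'HEXADDR:HEXPORT' into (dotted_ip, port).

    Assumption: little-endian host (x86/ARM), where the kernel prints the
    IPv4 address as a host-order 32-bit value.
    """
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def established_peers(table_text):
    """Return (local, remote) endpoint pairs for ESTABLISHED connections."""
    peers = []
    for line in table_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[3] != ESTABLISHED:
            continue
        peers.append((decode_endpoint(cols[1]), decode_endpoint(cols[2])))
    return peers


if __name__ == "__main__":
    # Every established connection carries the remote address by necessity.
    for local, remote in established_peers(SAMPLE):
        print("%s:%d <- %s:%d" % (local + remote))
```

On a Linux host, passing the contents of /proc/net/tcp to `established_peers` lists the same peers netstat would show for IPv4.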