Interesting People mailing list archives

Previous By Date Next
Previous By Thread Next

A constant state of insecurity

From: David Farber <dave () farber net>
Date: Mon, 7 Nov 2005 23:11:39 -0500


Begin forwarded message:

From: Dewayne Hendricks <dewayne () warpspeed com>
Date: November 7, 2005 7:05:28 PM EST
To: Dewayne-Net Technology List <dewayne-net () warpspeed com>
Subject: [Dewayne-Net] A constant state of insecurity
Reply-To: dewayne () warpspeed com

[Note:  This item comes from reader Brian Berg.  DLH]


From: Brian Berg <brianberg () gmail com>
Date: November 7, 2005 2:01:22 PM PST
To: Dewayne Hendricks <dewayne () warpspeed com>
Subject: A constant state of insecurity

FYI.  Brian
A constant state of insecurity Passwords are in the air, and it isn't even spring 

Security Adviser, By  Roger A. Grimes
November 04, 2005
For the past few months an acquaintance of mine has been sniffing various public wireless and wired networks around the world, looking to see what plain text passwords are visible. It was an eye- opening experiment.
She used a bunch of different tools, but mostly Cain. At the moment, it collects 18 different passwords or password representations, including plain text passwords sent over HTTP, FTP, ICQ, and SIP protocols, and will automatically collect the user's log-in name, password (or password representation), and access location.
Other than a few simple validity reviews and summary counts, my friend doesn't look at the log-in names or passwords, and she deletes any collected information after obtaining the counts. She hasn't used ARP (Address Resolution Protocol) poisoning or done anything other than to count plain text passwords passing by her traveling laptop's NIC when she's in a hotel, airport, or other public network.
Although some -- including me -- might question her ethics, the information she shared is useful in understanding our true state of insecurity.
She said about half the hotels use shared network media (i.e., a hub versus an Ethernet switch), so any plain text password you transmit is sniffable by any like-minded person in the hotel. Most wireless access points are shared media as well; even networks requiring a WEP key often allow the common users to sniff each other's passwords.
She said the average number of passwords collected in an overnight hotel stay was 118, if you throw out the 50 percent of connections that used an Ethernet switch and did not broadcast passwords.
The vast majority, 41 percent, were HTTP-based passwords, followed by e-mail (SMTP, POP2, IMAP) at 40 percent. The last 19 percent were composed of FTP, ICQ, SNMP, SIP, Telnet, and a few other types. 

More at:
<http://www.infoworld.com/article/05/11/04/45OPsecadvise_1.html>




Weblog at: <http://weblog.warpspeed.com>


-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/
Previous By Date Next
Previous By Thread Next

Current thread: