[IP] A constant state of insecurity

To: ip@xxxxxxxxxxxxxx
Subject: [IP] A constant state of insecurity
From: David Farber <dave@xxxxxxxxxx>
Date: Mon, 7 Nov 2005 23:11:39 -0500
List-help: <http://v2.listbox.com/doc/help_sub?list_name=ip@v2.listbox.com>
List-id: <ip@xxxxxxxxxxxxxx>
List-software: listbox.com v2.0
List-subscribe: <mailto:subscribe-ip@v2.listbox.com>, <http://v2.listbox.com/subscribe/?listname=ip@v2.listbox.com>
List-unsubscribe: <mailto:unsubscribe-ip@v2.listbox.com>, <http://v2.listbox.com/member/unsubscribe/?listname=ip@v2.listbox.com>
References: <5773F659-997F-420A-A412-CD603900FB2C@xxxxxxxxxxxxx>
Reply-to: dave@xxxxxxxxxx



Begin forwarded message:

From: Dewayne Hendricks <dewayne@xxxxxxxxxxxxx>
Date: November 7, 2005 7:05:28 PM EST
To: Dewayne-Net Technology List <dewayne-net@xxxxxxxxxxxxx>
Subject: [Dewayne-Net] A constant state of insecurity
Reply-To: dewayne@xxxxxxxxxxxxx

[Note:  This item comes from reader Brian Berg.  DLH]

From: Brian Berg <brianberg@xxxxxxxxx>
Date: November 7, 2005 2:01:22 PM PST
To: Dewayne Hendricks <dewayne@xxxxxxxxxxxxx>
Subject: A constant state of insecurity

FYI.  Brian
A constant state of insecurity Passwords are in the air, and itisn't even spring
Security Adviser, By  Roger A. Grimes
November 04, 2005
For the past few months an acquaintance of mine has been sniffingvarious public wireless and wired networks around the world,looking to see what plain text passwords are visible. It was an eye-opening experiment.
She used a bunch of different tools, but mostly Cain. At themoment, it collects 18 different passwords or passwordrepresentations, including plain text passwords sent over HTTP,FTP, ICQ, and SIP protocols, and will automatically collect theuser's log-in name, password (or password representation), andaccess location.
Other than a few simple validity reviews and summary counts, myfriend doesn't look at the log-in names or passwords, and shedeletes any collected information after obtaining the counts. Shehasn't used ARP (Address Resolution Protocol) poisoning or doneanything other than to count plain text passwords passing by hertraveling laptop's NIC when she's in a hotel, airport, or otherpublic network.
Although some -- including me -- might question her ethics, theinformation she shared is useful in understanding our true state ofinsecurity.
She said about half the hotels use shared network media (i.e., ahub versus an Ethernet switch), so any plain text password youtransmit is sniffable by any like-minded person in the hotel. Mostwireless access points are shared media as well; even networksrequiring a WEP key often allow the common users to sniff eachother's passwords.
She said the average number of passwords collected in an overnighthotel stay was 118, if you throw out the 50 percent of connectionsthat used an Ethernet switch and did not broadcast passwords.
The vast majority, 41 percent, were HTTP-based passwords, followedby e-mail (SMTP, POP2, IMAP) at 40 percent. The last 19 percentwere composed of FTP, ICQ, SNMP, SIP, Telnet, and a few other types.
More at:
<http://www.infoworld.com/article/05/11/04/45OPsecadvise_1.html>



Weblog at: <http://weblog.warpspeed.com>


-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

Prev by Date: [IP] Qualcomm sues Nokia over GSM tech
Next by Date: [IP] A missing package
Previous by thread: [IP] Qualcomm sues Nokia over GSM tech
Next by thread: [IP] A missing package
Index(es):
- Date
- Thread