[plug] Trade [flame alert]

Tue Feb 29 11:19:06 WST 2000

Jeremy Malcolm wrote:
> > Would it?  To sniff the passwords you would need to a) compromise a
> > machine on the same physical network or b) compromise a router
> somewhere
> > between where someone logs into your systems remotely using a
> plaintext
> > password exchange (e.g., telnet). ... Incidentally this confirms my
> > earlier suspicion that there would be little value in your
> reciprocal
> > penetration attempt.
> 
> Well, it has worked for me before (strictly on a consensual level!).
> Admittedly, in that case the sucker used Windoze on his personal
> machine and I was able to fool him into installing BO on it.  I logged
> his keystrokes, and voila, all his passwords are mine. :-)
> I'm not implying that anyone on this list would be so stupid, but
> there are other ways of fooling people into giving you their passwords
> (a good one is to set up a Webring and invite them to add their Web
> site to it... as the ring administrator you get to see their
> password).  There is only a 10% chance that anyone will be stupid
> enough, but it is still worth the attempt.

First attack: ask administrator (who knows that you're testing out his
security) to install some arbitrary program.  Chance of success?  None,
I would hope!

Second attack: ask someone to join webring (umm, ok!  system admins are
known to be big fans of web rings... NOT.) and hope that they use the
same password for this as they do for their Unix account (root/user). 
Chance of success?  Once again, hopefully, none.

Both of these are essentially social engineering attacks and certainly
this is an area of security that needs to be addressed.  I can also
understand why you think you cannot test our your own security
yourself... a social engineering attack hopefully would not be
successful against yourself!  However, I don't think it is quite as
useful information as proper attempt at a security audit by yourself
would gain.

Anyway, on a completely different topic...  I've got a really neat
program that you should install on your system.  It will test out all
the security for you and notify you if there is ever a problem -- you'll
never have to worry about security again!  Oh yeah, and it needs to run
as root and I can't give you the source code.  Also, you should do up a
web page on how great you think this program is (we need to spread the
word!) and join my web ring... just send me the username and password
you'd like to use... *grin*

> > What sort of link is the machine on?  What networks are immediately
> > upstream of it?  What are its uptime stats like?  How powerful is
> the
> > machine?
> 
> I could tell you, but then I would have to kill you. :-)

Hmmm... I'm afraid I can't really consider the offer of running a slave
server for us then... the price seems a little too high! ;-)

Regards,

Christian.