Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: Re: keyloggers? - dont doit

Re: keyloggers? - dont doit

From: <James.Barkley_at_noaa.gov>
Date: Thu, 07 Apr 2005 01:23:27 -0500

The two major attacks you have to look at:

1. Spyware/keylogger - very real threat
  If your provider offers secure auth mechanism such as OTP (one-time
password) this is no threat. Dual authentication means nothing if you
have a keystroke logger. Also, if OTP is used, you have to be sure
that your provider codes against race conditions (e.g. I keylog 95% of
your OTP and brute force the other 5%).

2. Man-in-the-middle attack - less real but real threat (IMHO)
  First, you can verify with an individual provider (cybercafe, etc.)
if they provide their own DNS and what they do to protect against
spoofing. Second, if you cannot verify this, then you are susceptible
to Man-in-the-middle-attack (I establish ssl and joe-hacker intercepts,
establishes ssl with me and also establishes ssl with end host, then
translates from me to end host). Someone has to be dedicated to
perform this, but in public spaces it is more right than wrong to
expect a dedicated hacker. If someone performs man-in-the-middle I
don't know what you can do.

my 2 cents

-Jim

----- Original Message -----
From: "lyal.collins" <lyal.collins_at_key2it.com.au>
Date: Wednesday, April 6, 2005 11:37 pm
Subject: Re: keyloggers? - dont doit

> SSL falls to spoofed certs/trust lists and or DNS poisoning to
> create MITM
> attacks.
> Cybercafes can run their own DNS and routing mechanisms, enabling
> the latter.
> They run and manage their own browsers and trusted cert lists,
> enabing a fake
> 'root CA" cert to be laoded into browsers, enabing the former.
>
> SSL is a dead duck in every environment unless DNS is known to be 100%
> accurate, and no ARP sppofing tricks are happening.
>
> yal
>
>
> > On Apr 6, 2005 7:23 AM, Alvin Oga
> > <alvin.sec_at_virtual.linux-consulting.com> wrote:
> > > - anything sent over the internet is sniffable from
> > > anywhere in the world
> >
> > Delurking just to mention that this isn't correct. Online
> banking (and
> > other security-sensitive activities) aren't a good idea from shared
> > sites like a cybercafe for all the reasons others have
> mentioned, but
> > this isn't it. From my desktop here, I almost certainly have no
> way of
> > sniffing your traffic to your bank, unless I happen to be somewhere
> > along your path.
> >
> > I'd also like to know about SSL being broken. I think you mean
> one of
> > the common ciphers is broken, which would be substantial news
> indeed.>
> > Your conclusion is right but your reasoning is completely wrong
> AFAICT.>
> > --
> > Kyle Maxwell
> > [krmaxwell_at_gmail.com]
>
>
>
> --
>
>
>
Received on Apr 06 2005

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]