Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: ZipTorrent 1.3.7.3 Discloses Proxy Passwords to Local Users

from [Nick Boyce] Network Security [Permanent Link]
Subject: Re: ZipTorrent 1.3.7.3 Discloses Proxy Passwords to Local Users
Date: Thu, 25 Aug 2005 17:33:57 +0000 
On 8/24/05, Allen Parker <infowolfe@gmail.com> wrote:


On 23 Aug 2005 13:21:23 -0000, kozan@spyinstructors.com
<kozan@spyinstructors.com> wrote:


[...]

ZipTorrent stores proxy server information and password in
X:\\[Program_Files_Path]\[ZipTorrent_Path]\pref.txt
in plain text. A local user can read passwords and others.

[...]

... I haven't seen many programs making use of
proxies where the username/password pairs were obfuscated in any
way... 


Indeed - unless the proxy and all clients have some agreed protocol
for exchanging some kind of encrypted / hashed password, then the
password *must* be stored in plain text of some sort (even if it is
obfuscated) on the client host, so that it can be made available
later, in plain text, for the automatic password exchange.  There is
no way out of this, and no way to completely secure the stored
password

Surely this is just another rehash of the same old debate that appears
here every now and then - the conclusion will always be that stored
passwords are inherently vulnerable.   They can be obfuscated as much
as you like, but it only needs one successful piece of R&D to render
the whole obfuscation scheme useless for everybody.

See 
   http://marc.theaimsgroup.com/?t=92420089800002&r=1&w=2 
   http://marc.theaimsgroup.com/?t=94570694700003&r=1&w=2
for a couple of useful Bugtraq debates on this topic. 
[both in 1999 ... was that _really_ the last time this came up ?]

Nick Boyce
-- 
Never fdisk after midnight.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  An Illustrated Guide to IPSec, Steve Friedl
Next by Date:  RE: unload event in ie/mozilla/opera, Early, Clint
Previous by Thread:  Re: ZipTorrent 1.3.7.3 Discloses Proxy Passwords to Local Users, Allen Parker
Next by Thread:  Re: ZipTorrent 1.3.7.3 Discloses Proxy Passwords to Local Users, Nicholas Knight
Indexes:  [Date] [Thread] [Top] [All Lists]