
Re: keyloggers? - dont doit

Subject: Re: keyloggers? - dont doit
Date: Thu, 07 Apr 2005 13:37:55 +1000
SSL falls to spoofed certs/trust lists and/or DNS poisoning to create MITM
attacks.
Cybercafes can run their own DNS and routing mechanisms, enabling the latter.
They run and manage their own browsers and trusted cert lists, enabling a fake
"root CA" cert to be loaded into browsers, enabling the former.

SSL is a dead duck in every environment unless DNS is known to be 100%
accurate, and no ARP spoofing tricks are happening.

yal


On Apr 6, 2005 7:23 AM, Alvin Oga
<alvin.sec@virtual.linux-consulting.com> wrote:
        - anything sent over the internet is sniffable from
        anywhere in the world

Delurking just to mention that this isn't correct. Online banking (and
other security-sensitive activities) aren't a good idea from shared
sites like a cybercafe for all the reasons others have mentioned, but
this isn't it. From my desktop here, I almost certainly have no way of
sniffing your traffic to your bank, unless I happen to be somewhere
along your path.

I'd also like to know about SSL being broken. I think you mean one of
the common ciphers is broken, which would be substantial news indeed.

Your conclusion is right but your reasoning is completely wrong AFAICT.

-- 
Kyle Maxwell
[krmaxwell@gmail.com]


