
| Subject: | Re: keyloggers? - dont doit |
|---|---|
| Date: | Thu, 07 Apr 2005 01:23:27 -0500 |

The two major attacks you have to look at:

1. Spyware/keylogger - very real threat

If your provider offers secure auth mechanism such as OTP (one-time password) this is no threat. Dual authentication means nothing if you have a keystroke logger. Also, if OTP is used, you have to be sure that your provider codes against race conditions (e.g. I keylog 95% of your OTP and brute force the other 5%).

2. Man-in-the-middle attack - less real but real threat (IMHO)

First, you can verify with an individual provider (cybercafe, etc.) if they provide their own DNS and what they do to protect against spoofing. Second, if you cannot verify this, then you are susceptible to Man-in-the-middle-attack (I establish ssl and joe-hacker intercepts, establishes ssl with me and also establishes ssl with end host, then translates from me to end host). Someone has to be dedicated to perform this, but in public spaces it is more right than wrong to expect a dedicated hacker. If someone performs man-in-the-middle I don't know what you can do.

my 2 cents

-Jim

----- Original Message -----
From: "lyal.collins" <lyal.collins@key2it.com.au>
Date: Wednesday, April 6, 2005 11:37 pm
Subject: Re: keyloggers? - dont doit

SSL falls to spoofed certs/trust lists and/or DNS poisoning to create MITM attacks. Cybercafes can run their own DNS and routing mechanisms, enabling the latter. They run and manage their own browsers and trusted cert lists, enabling a fake 'root CA' cert to be loaded into browsers, enabling the former.

SSL is a dead duck in every environment unless DNS is known to be 100% accurate, and no ARP spoofing tricks are happening.

yal

> On Apr 6, 2005 7:23 AM, Alvin Oga <alvin.sec@virtual.linux-consulting.com> wrote:
>
> > - anything sent over the internet is sniffable from anywhere in the world
>
> Delurking just to mention that this isn't correct. Online banking (and other security-sensitive activities) aren't a good idea from shared sites like a cybercafe for all the reasons others have mentioned, but this isn't it. From my desktop here, I almost certainly have no way of sniffing your traffic to your bank, unless I happen to be somewhere along your path.
>
> I'd also like to know about SSL being broken. I think you mean one of the common ciphers is broken, which would be substantial news indeed.
>
> Your conclusion is right but your reasoning is completely wrong AFAICT.
>
> --
> Kyle Maxwell
> [krmaxwell@gmail.com]