lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: security at 303underground.com (Scott Taylor)
Subject: Wireless ISPs

On Tue, 2004-05-11 at 15:15, D B wrote:
> --- Frank Knobbe <frank@...bbe.us> wrote:
> > On Tue, 2004-05-11 at 13:33, D B wrote:
> > > All transactions done via secure websites are
> > secure,
> > 
> > No, they are not. It's just harder to intercept the
> > data.
> 
> The level of knowledge it takes to penetrate a SSL
> style transaction puts it beyond most peoples scope of
> abilities

The data in transit from SSL websites is rather secure. But that does
nobody any good if its saved on an unpatched M$/SQL Server.

> > 
> > > A wired internet connection
> > > limits the number of people who have access to
> > this
> > > data simply by the nature of the internet putting
> > it
> > > within acceptable risk.
> > 
> > Same can be said for wireless. (Except that the
> > perimeter of the attack
> > arena is defined by the wireless emissions instead
> > of cable runs.)
> 
> ... look at the aspect of what points does one have to
> have access to gain the amount of data on a wired
> network in comparison to the same level on a wireless
> AP... unless you can spoof to the gateways IP  / MAC
> or actually get access to the gateway it isnt
> possible, and on a switched network odds are if you
> spoof to that MAC  / IP you will confuse the network
> enough to be noticeable
> 
> a high gain antenna attached to a laptop / PDA and a
> wireless AP such as an internet provider would mount
> would give access in some cases up to 17 miles away
> with no trace ....without a high gain antenna im
> getting ranges of about a half a  mile away ... plus
> spoofing to the gateways IP isnt noticeable to anyone
> unless they are watching that gateways logs complain
> about a duplicate IP /MAC ( yes i did try this on my
> own AP )

There are ways to eavesdrop on anything. People who sign up with large
ISPs like to think they can get lost in the shuffle, without realizing
there are techs and admins all across the country that can view data off
sniffers located across their infrastructure. Plus theres the
possibility that someone hacks a machine on a business/isp network and
uses it as a remote password sniffer, etc. With wireless, many similar
things can be accomplished without the need of expensive hardware or
difficult hacks, and can be done from the comfort of a nice air
conditioned car. But either way, once the data leaves your computer and
goes across the air or even a landline network - its out of your hands
and you must evaluate the risk and know that it exists. No method of
transit is immune. But many simple steps can be taken to reduce the
risk.


> > Maybe, INAL. But it is illegal to commit fraud with
> > the data gathered by
> > eavesdropping.
> >
> 
> and someone after credit card #'s is worried about
> legal ?
> 
>  
> > 
> > Uhm... someone that accesses and uses the data is
> > already prosecutable.
> 
> point being it is preventable and not being done so
> ... or at least preventable to a level beyond the
> scope of running a program and watching the data flow
> 
> netstumbler on windows is quite simple to run
> 
> 
> all I am after is raising the level of knowledge
> needed to access the data beyond that of an 8 year old
> with windows on a laptop running netstumbler and a
> wifi card
> 
> do u not agree this would be prudent ?
> 
> 
> Dan Becker
> 
> 
> 
> 
> 	
> 		
> __________________________________
> Do you Yahoo!?
> Win a $20,000 Career Makeover at Yahoo! HotJobs  
> http://hotjobs.sweepstakes.yahoo.com/careermakeover
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
--
Scott Taylor - <security@...underground.com> 

scribline, n.:
	The blank area on the back of credit cards where one's signature goes.
		-- "Sniglets", Rich Hall & Friends

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ