Message-ID: <PLEIIGNDLGEDDKABPLHBOEDFCFAA.dparis@w3works.com>
Date: Tue, 13 Jan 2004 12:10:36 -0500
From: "Dave Paris" <dparis@...orks.com>
To: <John.Airey@...b.org.uk>, <ge@...tistical.reprehensible.net>,
   <bugtraq@...urityfocus.com>
Cc: <full-disclosure@...ts.netsys.com>
Subject: RE: [Fwd: [TH-research] OT: Israeli Post Office break-in]


> I can't resist any longer. I have to ask a few questions.
>
> 1. How did they know which switch to connect to? Wouldn't this require
> some knowledge of network topology.

.. makes sense.

> 2. If it is indeed a switch and not a hub, how did they obtain access
> to set this port to monitor traffic?

if it's a managed switch, most have SPAN (or RSPAN) port capability.  mirror
other ports to the sniffer port as appropriate.

> 3. How did they get access to the switch. Shouldn't it have been locked
> away.

.. never underestimate the power of stupidity. :-)

> 4. How did they convert electrons to money? Was this by raiding bank
> accounts or collecting credit card numbers?

.. any number of ways

> 5. How could they be unable to hide a WAP in a rack (assuming the switch
> was in a rack)? I can think of several ways to hide one without it being
> visible.

.. see comment to #4, then comment to #3.  To be fair, it would greatly
depend on the physical configuration of hardware in the rack, the size/shape
of the WAP device, its power requirements, etc.

Assuming that it was a managed switch and physical access was achieved:
At the end of the day, a simple system which checks the configuration for
managed switches vs. a stored configuration (not unlike a tripwire
implementation) every N hours would have nailed a scheme like this quickly.
Better switch management (MAC-locking access ports, centralized
authentication, etc) may have even prevented the problem in the first
place - unless they had an insider who had privs on the switch and physical
access to the device.  As a wise man once said .. if you've got physical
access, the rest is academic.

>
> Seems like a bit of an inside job to me, but I'm no Dick Tracy...

.. on the whole, I'd have to agree there's much better than even odds of at
least insider help.

Kind Regards,
-dsp


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
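The tripwire-style switch-configuration check that the reply above suggests, written out as an added example (this is not code from the post or from any product it mentions). It assumes Cisco IOS-style configuration syntax ("monitor session" for SPAN, "switchport port-security" for MAC locking); the two configs are constructed samples, and in practice the "current" side would be pulled from the switch (e.g. `show running-config` over SSH) on the N-hourly schedule the post describes.

```python
import difflib
import hashlib
import re

# Constructed sample: the stored baseline for a managed switch (assumed
# Cisco IOS-style syntax; the switch in the story could have run anything).
BASELINE_CONFIG = """\
hostname core-sw1
!
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
!
interface GigabitEthernet0/24
 description uplink
 switchport mode trunk
!
aaa new-model
aaa authentication login default group tacacs+ local
!
end
"""

# Constructed sample: the same switch some hours later. Someone has mirrored
# the uplink (Gi0/24) onto Gi0/2 and removed port-security on Gi0/2 so a
# sniffer with an unknown MAC is accepted there.
CURRENT_CONFIG = """\
hostname core-sw1
!
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface GigabitEthernet0/2
 switchport mode access
!
interface GigabitEthernet0/24
 description uplink
 switchport mode trunk
!
monitor session 1 source interface Gi0/24 both
monitor session 1 destination interface Gi0/2
!
aaa new-model
aaa authentication login default group tacacs+ local
!
end
"""

# Lines whose appearance or disappearance should page someone rather than
# just be logged: SPAN/RSPAN sessions, port-security, and AAA settings.
HIGH_RISK = [
    re.compile(r"^\s*monitor session", re.I),
    re.compile(r"^\s*switchport port-security", re.I),
    re.compile(r"^\s*aaa ", re.I),
]


def fingerprint(config):
    """SHA-256 of the config with trailing whitespace and blank lines
    normalized away; a cheap first-pass "did anything change" check."""
    normalized = "\n".join(
        line.rstrip() for line in config.splitlines() if line.strip()
    )
    return hashlib.sha256(normalized.encode()).hexdigest()


def diff_config(baseline, current):
    """Return (change, line, severity) for every line added ('+') or
    removed ('-') relative to the baseline; severity is 'high' or 'info'."""
    findings = []
    for d in difflib.unified_diff(
        baseline.splitlines(), current.splitlines(), lineterm="", n=0
    ):
        if d.startswith(("---", "+++", "@@")):
            continue  # skip diff headers and hunk markers
        change, line = d[0], d[1:]
        sev = "high" if any(p.search(line) for p in HIGH_RISK) else "info"
        findings.append((change, line, sev))
    return findings


def audit(baseline, current):
    """Full check: report whether the config changed and split the
    findings by severity so the caller can alert on the 'high' list."""
    changed = fingerprint(baseline) != fingerprint(current)
    findings = diff_config(baseline, current) if changed else []
    return {
        "changed": changed,
        "high": [f for f in findings if f[2] == "high"],
        "info": [f for f in findings if f[2] == "info"],
    }


if __name__ == "__main__":
    report = audit(BASELINE_CONFIG, CURRENT_CONFIG)
    print("config changed:", report["changed"])
    for change, line, _ in report["high"]:
        print(f"ALERT {change} {line}")
    for change, line, _ in report["info"]:
        print(f"info  {change} {line}")
```

Run periodically, the "high" list would have flagged both the new SPAN session and the removed port-security on the sniffer's port at the first check after the change; the fingerprint lets the job skip the line diff entirely on the (usual) runs where nothing moved.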

