lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 16 Apr 2014 16:06:52 -0700
From: Tim <tim-security@...tinelchicken.org>
To: Reindl Harald <h.reindl@...lounge.net>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Audit: don't only focus on heartbleed issue


> and the others need a MITM attack which is not *that* easy
> as connect to a server and send a heartbleed-packet without
> anything in the logs of the attacked server

I agree with you here.  It seems that Lucky13 requires much more
access and is much harder to pull off in practice.  Unless there's
new techniques out there that I haven't kept up on

> frankly outside a public hotspot / untrusted network nobody
> but the NSA and otehr agencies are able to really to MITM

This I think is a misconception, or at least overstated.  Anyone on
the same network as you can MitM you.  Anyone on the same network as
the remote end point can MitM you.  For some reason in this day and
age people have all forgotten about ARP poisoning, netbios name
poisoning, DHCP hijacking, and a whole host of other ways to redirect
traffic.  And apparently random people halfway around the world can
hijack your DNS resolver[1].

The dividing line between "internal network" and the Internet is
becoming fuzzier every day.  It is getting easier to get inside and
yet everyone still seems to run an unsegmented internal "trusted"
network.

tim


1. http://arstechnica.com/information-technology/2014/03/google-dns-briefly-hijacked-to-venezuela/

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists