Date: Thu, 17 Apr 2014 01:18:43 +0200
From: Reindl Harald <h.reindl@...lounge.net>
To: "fulldisclosure@...lists.org >> Mailing-List fulldisclosure"
	<fulldisclosure@...lists.org>
Subject: Re: [FD] Audit: don't only focus on heartbleed issue



On 17.04.2014 01:06, Tim wrote:
>> and the others need a MITM attack which is not *that* easy
>> as connect to a server and send a heartbleed-packet without
>> anything in the logs of the attacked server
> 
> I agree with you here.  It seems that Lucky13 requires much more
> access and is much harder to pull off in practice.  Unless there's
> new techniques out there that I haven't kept up on
> 
>> frankly outside a public hotspot / untrusted network nobody
>> but the NSA and other agencies are able to really MITM
> 
> This I think is a misconception, or at least overstated.  Anyone on
> the same network as you can MitM you.  Anyone on the same network as
> the remote end point can MitM you.  For some reason in this day and
> age people have all forgotten about ARP poisoning, netbios name
> poisoning, DHCP hijacking, and a whole host of other ways to redirect
> traffic.  And apparently random people halfway around the world can
> hijack your DNS resolver[1].

agreed, but what I meant was that the attack surface in a known, maintained
LAN is way lower than for Heartbleed where for sure straight after it
was made public zombie-botnets started to randomly attack around the
web ports 443, 993 and 995, pulling an unknown amount of data which mostly
is not analyzed now and will be used for all sorts of attacks, spamming
and so on if the found user credentials are not changed in the meantime

that hardly happens inside a closed network - even a server in the network
of a public hotspot has a limited attack surface in that context

> The dividing line between "internal network" and the Internet is
> becoming fuzzier every day.  It is getting easier to get inside and
> yet everyone still seems to run an unsegmented internal "trusted"
> network.

sadly true after every random guy installs a WLAN-AP without any
thought about security or people don't get a punch from the sysadmin
if their brother enters the company and plugs his infected notebook
straight into the next ethernet port he finds

the latter is also the fault of the admin patching every unused port

on the other side in a well managed network with an isolated guest LAN
coming with NAT and the outgoing IP restricted on the main network
as well as on the AP/Router itself there is not much room for ARP
spoofing or DHCP hijacking, even cheap WLAN routers support blocking
traffic between the client stations




_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
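The ARP poisoning that the thread names as the usual in-LAN MITM vector leaves a visible trace: the IP-to-MAC bindings seen in ARP replies stop being stable. The following is an added example, not code from the thread or from any of its participants, showing the defender-side check over a constructed sequence of ARP "is-at" replies; the sample addresses and the `analyze_arp_replies` helper are assumptions for illustration.

```python
"""Flag ARP-cache poisoning symptoms in a sequence of ARP replies.

Added example (not from the mailing-list thread). Each record is a
constructed (ip, mac) pair as it would be extracted from an ARP reply on
one LAN segment; a real deployment would feed it from a packet capture
or an arpwatch-style log.
"""
from collections import defaultdict

# Constructed sample: the gateway 192.168.1.1 is legitimately aa:..:01;
# later the host at cc:..:99 claims both the gateway IP and a victim IP,
# which is the pattern of a poisoner sitting between the two.
SAMPLE_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.20", "aa:bb:cc:00:00:20"),
    ("192.168.1.30", "cc:dd:ee:00:00:99"),
    ("192.168.1.1", "cc:dd:ee:00:00:99"),   # gateway IP now bound to host 30's MAC
    ("192.168.1.20", "cc:dd:ee:00:00:99"),  # and host 20 as well
]


def analyze_arp_replies(replies, known=None):
    """Return a list of alert strings, in the order the symptoms appear.

    Two symptoms are reported:
    - an IP whose MAC differs from its first-seen (or pre-configured) binding;
    - one MAC answering for several IPs, the signature of a host that
      impersonates both the gateway and a victim at the same time.
    `known` is an optional dict of trusted ip -> mac bindings (e.g. the gateway).
    """
    ip_to_mac = {ip: mac.lower() for ip, mac in (known or {}).items()}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev is None:
            ip_to_mac[ip] = mac           # first sighting becomes the baseline
        elif prev != mac:
            alerts.append(f"binding change: {ip} was {prev}, now claimed by {mac}")
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"multi-IP MAC: {mac} answers for {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in analyze_arp_replies(SAMPLE_REPLIES):
        print(alert)
```

Seeding `known` with the gateway's real MAC from the switch or router configuration makes the first symptom fire even if the poisoner's reply is the first one the monitor sees.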
