[lug] security of mindterm applet?

rm at mamma.varadinet.de
Mon Oct 30 08:28:59 MST 2000


On Mon, Oct 30, 2000 at 08:16:14AM -0700, Ferdinand P. Schmid wrote:
> Yes, they have the password if it was typed continuously - and right after the login
> was typed.  But I don't think those apps can find out what window on the PC you are
> typing in.  So you could play with the mouse and have two browser windows open and
> for example type one character of your login and some characters in the different
> window and then another one of your login...   

If the author of the trojan was a decent programmer this won't help. It's
fairly easy to filter events that were sent to a particular type of window/widget.
This is a major problem of all security/authentication applications: even if you
use a retina scanner or fingerprint reader (or smartcard etc.) the device is
usually hooked to the computer and uses the OS's routines -- pretty easy for a
'man-in-the-middle' attack.

> You can find all kinds of games to
> play - but in general I wouldn't be too concerned.  After all you may have browsed
> the wrong site with your work PC (running Windows and IE) and that site has installed
> a little application sending all your browsing info including password... to a remote
> site.  This is generally known as the "perfect hack" - because it doesn't require
> dealing with firewalls and other well protected systems and it is very difficult to
> detect.  Such a thing happened to a friend of mine and it was only discovered because
> that malignant application tried to connect to the internet without entering the
> proxy password.
> Bottom line - nothing is safe and most of us (except for some extremely security
> savvy and concerned folks) will be vulnerable in one form or another.  Generally the
> more functionality you need or want the higher risk you need to take.

Err, I wouldn't agree on that. The mailserver I write this from was hacked twice,
both times the intruder seemed to have the 'right' password. And both times the
intrusion happened shortly after the owner of the box logged in from an internet
cafe (and he claims that he used ssh).

> Did you know that around 95% of all e-mail is downloaded using POP3 (or IMAP)
> protocols with plain text password transmission?  Using IMAP over SSL is still very
> uncommon!  Just to keep the greater picture in mind.

Sadly that is true! At least over here universities switched to POP over ssh.


Ralf



