[lug] security of mindterm applet?

Ferdinand P. Schmid fschmid at archenergy.com
Mon Oct 30 10:34:07 MST 2000


rm at mamma.varadinet.de wrote:

> On Mon, Oct 30, 2000 at 08:16:14AM -0700, Ferdinand P. Schmid wrote:
> > Yes, they have the password if it was typed continuously - and right after the login
> > was typed.  But I don't think those apps can find out what window on the PC you are
> > typing in.  So you could play with the mouse and have two browser windows open and
> > for example type one character of your login and some characters in the different
> > window and then another one of your login...
>
> If the author of the trojan was a decent programmer this won't help. It's
> fairly easy to filter events that were sent to a particular type of window/widget.
> This is a major problem of all security/authentication applications: even if you
> use a retina scanner or fingerprint reader (or smartcard etc.) the device is
> usually hooked to the computer and uses the OS's routines -- pretty easy for a
> 'man-in-the-middle' attack.

That is the part I was missing.  Thanks for the lesson.

> > You can find all kinds of games to
> > play - but in general I wouldn't be too concerned.  After all you may have browsed
> > the wrong site with your work PC (running Windows and IE) and that site has installed
> > a little application sending all your browsing info including password... to a remote
> > site.  This is generally known as the "perfect hack" - because it doesn't require
> > dealing with firewalls and other well protected systems and it is very difficult to
> > detect.  Such a thing happened to a friend of mine and it was only discovered because
> > that malignant application tried to connect to the internet without entering the
> > proxy password.
> > Bottom line - nothing is safe and most of us (except for some extremely security
> > savvy and concerned folks) will be vulnerable in one form or another.  Generally the
> > more functionality you need or want the higher risk you need to take.
>
> Err, I wouldn't agree on that. The mailserver I write this from was hacked twice,
> both times the intruder seemed to have the 'right' password. And both times the
> intrusion happened shortly after the owner of the box logged in from an internet
> cafe (and he claims that he used ssh).
>
> > Did you know that around 95% of all e-mail is downloaded using POP3 (or IMAP)
> > protocols with plain text password transmission?  Using IMAP over SSL is still very
> > uncommon!  Just to keep the greater picture in mind.
>
> Sadly that is true! At least over here universities switched to POP over ssh.
>
> Ralf
>

--
Ferdinand Schmid
Architectural Energy Corporation
http://www.archenergy.com
(303) 444-4149





