[lug] security of mindterm applet?
Ferdinand P. Schmid
fschmid at archenergy.com
Mon Oct 30 10:34:07 MST 2000
rm at mamma.varadinet.de wrote:
> On Mon, Oct 30, 2000 at 08:16:14AM -0700, Ferdinand P. Schmid wrote:
> > Yes, they have the password if it was typed continuously - and right after the login
> > was typed. But I don't think those apps can find out what window on the PC you are
> > typing in. So you could play with the mouse and have two browser windows open and
> > for example type one character of your login and some characters in the different
> > window and then another one of your login...
>
> If the author of the trojan was a decent programmer this won't help. It's
> fairly easy to filter events that were sent to a particular type of window/widget.
> This is a major problem of all security/authentication applications: even if you
> use a retina scanner or fingerprint reader (or smartcard etc.) the device is
> usually hooked to the computer and uses the OS's routines -- pretty easy for a
> 'man-in-the-middle' attack.
That is the part I was missing. Thanks for the lesson.
> > You can find all kinds of games to
> > play - but in general I wouldn't be too concerned. After all you may have browsed
> > the wrong site with your work PC (running Windows and IE) and that site has installed
> > a little application sending all your browsing info including password... to a remote
> > site. This is generally known as the "perfect hack" - because it doesn't require
> > dealing with firewalls and other well protected systems and it is very difficult to
> > detect. Such a thing happened to a friend of mine and it was only discovered because
> > that malignant application tried to connect to the internet without entering the
> > proxy password.
> > Bottom line - nothing is safe and most of us (except for some extremely security
> > savvy and concerned folks) will be vulnerable in one form or another. Generally the
> > more functionality you need or want the higher risk you need to take.
>
> Err, I wouldn't agree on that. The mailserver I write this from was hacked twice,
> both times the intruder seemed to have the 'right' password. And both times the
> intrusion happened shortly after the owner of the box logged in from an internet
> cafe (and he claims that he used ssh).
>
> > Did you know that around 95% of all e-mail is downloaded using POP3 (or IMAP)
> > protocols with plain text password transmission? Using IMAP over SSL is still very
> > uncommon! Just to keep the greater picture in mind.
>
> Sadly that is true! At least over here universities switched to POP over ssh.
>
> Ralf
>
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
--
Ferdinand Schmid
Architectural Energy Corporation
http://www.archenergy.com
(303) 444-4149