Re: [aclug-L] Security Question: How safe is it?

To: aclug-L@xxxxxxxxxxxx
Subject: Re: [aclug-L] Security Question: How safe is it?
From: John Goerzen <jgoerzen@xxxxxxxxxxxx>
Date: 29 Sep 1998 21:11:28 -0500
Reply-to: aclug-L@xxxxxxxxxxxx

Bob Deep <bobd@xxxxxxxxxxxx> writes:

> Ah yes... The Chicken and egg thing..  Even if this was a new service,
> the encoding of passwords would have to be well known in advance, so
> even then the sending of the password would be risky, even if it was
> encoded somehow.

Nope, ssh uses public-key cryptography, so there is no need to
exchange passwords beforehand, or to exchange passwords in unencrypted
fashion.

> This is an interesting issue of security.. I wonder how many folks,
> sitting at their home computer, would be routed traffic that contained
> such information from their ISP?

I always use ssh whenever going to a computer outside of my ISP if
possible.  It's always a good idea.

> Further, assuming somebody actually had a direct attachment to a segment
> of the backbone, how much password information they could filter out of
> the data stream...   Consider that they would only be able to see
> traffic on that specific segment and that you need three pieces of
> information to log into a computer....
>       1.  The IP address of the host (or the host name to look up the IP).
>       2.  A valid user name,
>       3.  The password for that user name.

Anybody with appropriate equipment at any point between you and the
remote could sniff this.  Many times, the backbone in between may not
be running such equipment, but the remote could very well be on
Ethernet, which is trivially sniffed with existing tools (one can
watch an entire session on Ethernet).  Also, it is possible at other
locations as well, just not as easy.

> Getting a socket connection requires quite a number of packets, which
> would all have to be intercepted to be sure to get all the required
> information to monitor the connection.  Then you must be able to
> interpret the service to sniff out a user name and password... How
> easily can this be done?  It does not sound very easy, and it is limited
> to traffic on the local network segment to start with...

All you have to do is intercept packets to/from a particular IP and
port number, and instantly you've got the entire session, including
passwords.

> crowd" of data flowing around.  It's not totally effective, but is it
> good enough?

One could, for instance, look for only new connections to a telnet
port or a POP3 port on a remote machine, which would almost always
have a password in plaintext following shortly.


-- 
John Goerzen   Linux, Unix consulting & programming   jgoerzen@xxxxxxxxxxxx |
Developer, Debian GNU/Linux (Free powerful OS upgrade)       www.debian.org |
----------------------------------------------------------------------------+
Visit the Air Capital Linux Users Group on the web at http://www.aclug.org
---
This is the Air Capitol Linux Users Group discussion list.  If you
want to unsubscribe, send the word "unsubscribe" to
aclug-L-request@xxxxxxxxxxxx.  If you want to post to the list, send your
message to aclug-L@xxxxxxxxxxxx.
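
Added example, not part of the original message: a defender-side audit that applies the point above (new connections to a telnet or POP3 port are followed by a plaintext password) to flow records, so those logins can be found and moved to ssh. The record format, the sample records, the `LOCAL_NET` range and the function names are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Services named in the message that carry the password in plaintext.
CLEARTEXT_PORTS = {23: "telnet", 110: "pop3"}
# Assumption: the address range treated as "inside my ISP".
LOCAL_NET = ipaddress.ip_network("10.1.0.0/16")

# Constructed sample flow records: time src sport dst dport tcp_flags
SAMPLE_FLOWS = """\
21:00:01 10.1.2.3 1025 192.0.2.10 23 S
21:00:01 192.0.2.10 23 10.1.2.3 1025 SA
21:00:02 10.1.2.3 1025 192.0.2.10 23 A
21:03:10 10.1.2.7 1030 10.1.0.5 110 S
21:04:44 10.1.2.3 1026 198.51.100.4 22 S
21:05:00 10.1.2.9 1044 198.51.100.4 110 S
21:05:30 10.1.2.9 1045 198.51.100.4 110 S
garbage line
"""

def audit_flows(text):
    """Return {(client, server, service): {"count": n, "leaves_local": bool}}
    for every new connection (bare SYN) to a cleartext-login port."""
    findings = defaultdict(lambda: {"count": 0, "leaves_local": False})
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed records
        _, src, _, dst, dport, flags = parts
        try:
            port = int(dport)
            ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue  # skip records with unparsable addresses or ports
        # A bare SYN marks a new connection; SYN-ACK and data packets are ignored.
        if flags != "S" or port not in CLEARTEXT_PORTS:
            continue
        entry = findings[(src, dst, CLEARTEXT_PORTS[port])]
        entry["count"] += 1
        entry["leaves_local"] = dst_ip not in LOCAL_NET
    return dict(findings)

def report(findings):
    """One line per client/server pair that still logs in over plaintext."""
    return [f"{src} -> {dst} {svc} x{info['count']} "
            f"({'leaves local net' if info['leaves_local'] else 'stays local'}): use ssh if possible"
            for (src, dst, svc), info in sorted(findings.items())]

if __name__ == "__main__":
    print("\n".join(report(audit_flows(SAMPLE_FLOWS))))
```

The ssh connection in the sample is not reported, and the two POP3 logins from the same client are counted together.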


