Re: sniffing plaintext protocols

From: Dotzero (dotzero@gmail.com)
Date: Wed Aug 09 2006 - 12:10:41 EDT

• Next message: Mark Teicher: "Re: What is being a pen tester really like?"
• Previous message: Isidro Ramon Labrador Rodriguez: "RE: SQL injection (or not?)"
• In reply to: itsec.info: "Re: sniffing plaintext protocols"
• Next in thread: Francois Labreque: "RE sniffing plaintext protocols"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

On 8/1/06, itsec.info <itsec.info@gmail.com> wrote:

> From a security point of view it is a fundamental question whether such a
> scenario is technically possible or not.
> If so, how do I have to assess such a risk, how can I check that at a
> penetration test and how about the mitigation.
>

Mike,

The answer is to avoid using plaintext protocols. About the only
plaintext protocol I can think of any argument for would be ftp (which
I would limit to anonymous logins). If at all possible I would force
users to use scp, sftp or ftps.

As far as checking during a penetration test,.....if they are using
plaintext protocols then you ahve your answer. While this may sound
like an extreme statement to some, continued use of plaintext
protocols in todays environment can generally be attributed to
laziness or ignorance. I'd love to hear someone make a case that use
of plaintext protocols (other than http for general web browsing) is a
best (or even acceptable) practice.

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------

• Next message: Mark Teicher: "Re: What is being a pen tester really like?"
• Previous message: Isidro Ramon Labrador Rodriguez: "RE: SQL injection (or not?)"
• In reply to: itsec.info: "Re: sniffing plaintext protocols"
• Next in thread: Francois Labreque: "RE sniffing plaintext protocols"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:37 EDT