Re: Sneaking a peek on Wlan in airports

From: Thor (Hammer of God) (thor@hammerofgod.com)
Date: Fri May 18 2007 - 14:31:32 EDT


Erin,

While I agree that one should try to leave conjecture alone and just "answer
the question," it's not always that easy to do. Most of the people on this
list (well, ones that post anyway) are detail oriented, technical, pedantic
people. It comes with the job. So when you see a question that's just "not
quite right," you have to ask the obvious "how did you get here from there"
questions, particularly when the scenarios smack of white lie.

The simple "what would you do" question brings a lot with it. Personally,
it is painfully obvious (or should be) to anyone that people will use
unsecured, public networks in insecure ways. Being surprised by seeing a
POP3 username/password on a wlan is a "red flag" in itself. To have an
apparent pen-tester working for PWC post to a list asking what he should do
in such a case is simply suspect (to me, anyway) - so I think it is natural
for people to ask WTF? I would much rather see someone say "I was sniffing
traffic on a wireless network." If the "my laptop came out of hibernation"
scenario is true, then the real lesson should be "if you are a professional
pen-tester for PWC, you should not, under any circumstances, have your
laptop set to automatically connect to the first unsecured wireless lan it
comes across." The OP was (obviously) performing a sniff on another
wireless network before, presumably as part of a pen-test, and just put his
lappy into hibernation. In such a case, automatically having his laptop
connect to an unsecured network could actually have resulted in a breach of
the data he was previously testing. The question therefore is not "what do
I do when, gasp, I see a pop3 password" but rather "is this the way PWC
trains their pen-testers, and is this the way PWC goes about protecting
their customer's confidential data?"

To me, *that* is the real "issue at hand."

That being said, when you see POP3 password, SMTP mail data, HTTP base64
encoded basic authentication data on an unsecured wlan, the obvious thing to
do is see if it gets you free porn somehow.

t

----- Original Message -----
From: "Erin Carroll" <amoeba@amoebazone.com>
To: "'Tremaine Lea'" <pen-test@ddiction.com>; "'Eduardo Di Monte'"
<eduardo.dimonte@gmail.com>
Cc: <jasper.o.waale@kh.pwc.com>; <listbounce@securityfocus.com>;
<pen-test@securityfocus.com>
Sent: Thursday, May 17, 2007 12:57 PM
Subject: RE: Sneaking a peek on Wlan in airports

All,

Tremaine has a point I'd like to tangent from. There are many posts that
come across the list that can be interpreted as actions or events which are
questionable given the scenario. Unless explicitly stated by someone or
obviously illegal, please try to assume that the question or situation is of
a benign nature. We could argue about intentions or likelihood until we're
blue in the face but it generally devolves to flaming or not-so-nice
inferences that I do not want on this list.

Yes, there are script kiddies and unethical behavior in our profession...
But let's focus on the issue at hand and not the motive: You encounter
leaking sensitive data that was not in scope of a job or part of your duties
etc. What should you do?

--
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball"
> -----Original Message-----
> From: listbounce@securityfocus.com
> [mailto:listbounce@securityfocus.com] On Behalf Of Tremaine Lea
> Sent: Thursday, May 17, 2007 10:36 AM
> To: Eduardo Di Monte
> Cc: jasper.o.waale@kh.pwc.com; listbounce@securityfocus.com;
> pen-test@securityfocus.com
> Subject: Re: Sneaking a peek on Wlan in airports
>
> Starting a sniffer by error is pretty unlikely.
>
>
> Starting a sniffer and then closing your laptop after having
> forgotten about it, that's not unlikely.
>
>
>
>
> ---
>
> Tremaine Lea
> Network Security Consultant
>
> Be in pursuit of equality, but not at the expense of excellence.
>
>
> On 17-May-07, at 4:15 AM, Eduardo Di Monte wrote:
>
> > Jasper,
> >
> > You don't run a sniffer by error, so stay away from doing this again.
> >
> > Regards,
> >
> > Eduardo Di Monte
> >
> >
> > -----Original Message-----
> > From: listbounce@securityfocus.com
> > [mailto:listbounce@securityfocus.com] On Behalf Of
> > jasper.o.waale@kh.pwc.com
> > Sent: Wednesday, May 16, 2007 7:20
> > To: listbounce@securityfocus.com; pen-test@securityfocus.com
> > Subject: Sneaking a peek on Wlan in airports
> >
> > I'm sure you, as I, have many times been in an airport with public wlan
> > access and by error had some kind of sniffer running?
> >
> > Well, I had Cain open because of a general scan I was making related to
> > a test, and I picked up a Pop3 account and password. I did try to find
> > the guy to tell him but did not see anybody with a laptop, so what now:
> > do I email him asking him to update the password, or do I just
> > ignore it and let him carry on doing this to himself and his firm?
> >
> > Regards
> >
> > Jasper O Waale
> > _________________________________________________________________
> > The information transmitted is intended only for the person or entity
> > to which it is addressed and may contain confidential and/or
> > privileged material. Any review, retransmission, dissemination or
> > other use of, or taking of any action in reliance upon, this
> > information by persons or entities other than the intended recipient
> > is prohibited. If you received this in error, please contact the
> > sender and delete the material from any computer.
> >
> >
> >
> ----------------------------------------------------------------------
> > --
> > This List Sponsored by: Cenzic
> >
> > Are you using SPI, Watchfire or WhiteHat?
> > Consider getting clear vision with Cenzic See HOW Now with
> our 20/20
> > program!
> >
> > http://www.cenzic.com/c/2020
> >
> ----------------------------------------------------------------------
> > --


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:48 EDT