Dominick LaTrappe <[EMAIL PROTECTED]> writes:
 
>While on the topic of password-sniffing anecdotes from conferences --
>
>At the 2600-coordinated Beyond HOPE conference (NYC, 1997), it was made very
>clear to users that passwords transmitted in-the-clear would be sniffed.  To
>hammer home the point, one participant in the Tiger Teaming panel singled-out
>an unlucky telnet user, announcing a domain name and hinting at the password
>over the loudspeaker system.  It got a pretty good laugh from the audience.
>
>Perhaps that's the kind of shock factor that's necessary to get people (certain
>people, anyhow) thinking realistically about security.  We even considered
>sniffing passwords and hooking up a line printer in a central location.....
>nah! :)
 
A while back at a trade show attended by large numbers of banks, one of the
vendors considered running a sniffer to display the traffic on the show LAN
just to demonstrate to attendees how easy it was to get at this sort of
information.  In the end they decided that while it would make an effective
demo, it would also probably be the last time they attended the show if they
ran it.  The general response to this sort of thing from attendees was "Our
data doesn't go across the network as text, it's all encoded" (meaning it was
all bundled up using something like X.12), which ignored the fact that the
70-80% of breaches which are internal would be by people who know the format
anyway, and the remaining 20-30% wouldn't take more than 5 minutes to figure it
out (decoding X.12 isn't exactly rocket science, you can mostly do it just by
looking at the records).  To give an idea of the kind of data which would be
transmitted in this manner, one attendee mentioned that the average single
transaction they handled was $10M and the typical daily transaction amount was
$10B (although obviously they weren't running this sort of stuff on the show
LAN).
 
Peter.
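An added example, not part of either post above, to make Peter's point concrete: an X.12 interchange is delimited plain text, so "it's all encoded" gives no confidentiality at all. The interchange below is constructed for illustration (the trading-partner names, routing and account numbers are made up; the $10M amount echoes the figure mentioned in the post). The only X12-specific knowledge the parser uses is the published envelope layout: the ISA header is fixed-width, with the element separator at offset 3, the sub-element separator at offset 104 and the segment terminator at offset 105. The helper names (`detect_delimiters`, `parse_interchange`, `summarize`) are this example's own.

```python
"""Why "encoded" is not "encrypted": a minimal X12 interchange reader.

Added example, not code from the original posts.  The sample interchange
is constructed; every identifier and number in it is made up.
"""

# Constructed sample: one ISA/GS envelope carrying a single 820-style
# payment segment.  Delimiters: '*' element, ':' sub-element, '~' segment.
# The ISA segment is exactly 106 characters, as the X12 envelope requires.
SAMPLE_INTERCHANGE = (
    "ISA*00*          *00*          *ZZ*SENDERBANK     *ZZ*RECVRBANK      "
    "*970801*1200*U*00401*000000001*0*P*:~"
    "GS*RA*SENDERBANK*RECVRBANK*19970801*1200*1*X*004010~"
    "ST*820*0001~"
    "BPR*C*10000000.00*C*ACH*CTX*01*000000000*DA*000012345*9999999999******19970802~"
    "SE*3*0001~"
    "GE*1*1~"
    "IEA*1*000000001~"
)


def detect_delimiters(raw):
    """Read the three delimiters straight out of the fixed-width ISA header.

    Offsets 3, 104 and 105 are defined by the X12 envelope layout, so no
    configuration or prior knowledge of the sender is needed.
    """
    if not raw.startswith("ISA") or len(raw) < 106:
        raise ValueError("not an X12 interchange: missing 106-byte ISA header")
    return raw[3], raw[104], raw[105]  # element, sub-element, segment terminator


def parse_interchange(raw):
    """Split an interchange into segments, each a list of element strings.

    Elements are whitespace-stripped for readability; the ISA padding has
    already served its purpose once the delimiters are known.
    """
    elem_sep, _sub_sep, seg_term = detect_delimiters(raw)
    segments = []
    for seg in raw.split(seg_term):
        seg = seg.strip()
        if not seg:
            continue  # trailing empty piece after the final terminator
        segments.append([elem.strip() for elem in seg.split(elem_sep)])
    return segments


def summarize(segments):
    """Pull out what a passive observer reads directly off the wire.

    Positions follow the X12 ISA and BPR segment definitions: ISA06/ISA08
    are sender and receiver IDs, BPR02 is the monetary amount, BPR04 the
    payment method.
    """
    by_tag = {}
    for seg in segments:
        by_tag.setdefault(seg[0], []).append(seg)
    isa = by_tag["ISA"][0]
    bpr = by_tag.get("BPR", [[]])[0]
    return {
        "sender": isa[6],
        "receiver": isa[8],
        "interchange_date": isa[9],
        "usage_indicator": isa[15],  # 'P' production / 'T' test
        "transaction_sets": [st[1] for st in by_tag.get("ST", [])],
        "payment_amount": bpr[2] if len(bpr) > 2 else None,
        "payment_method": bpr[4] if len(bpr) > 4 else None,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_interchange(SAMPLE_INTERCHANGE)).items():
        print(f"{key:18} {value}")
```

The whole "decoder" is two string splits driven by three bytes of the header, which is what makes the attendees' reassurance hollow: a delimited record format only hides data from people who have not bothered to look. The control that does address passive sniffing on a shared LAN is encryption of the transport (TLS or IPsec, today), not the choice of record encoding.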
 
