On Wed, 2 Mar 2005, David Mandelberg wrote:

> s. keeling wrote:
> > Isn't it generally accepted that black hats who get local access (ie.,
> > a user login account) is _much_ worse than black hats who've been kept

anybody and everybody has "local access" with or without permission

> > out?  Assuming black hat wants root, taking over a user's account is a
> > very big first step.

that's trivial to do ... assuming you allow anybody to reboot a pc

and how do you know that a machine has been rebooted or even init 1,
and back up into root and never been rebooted

==
== all bets are off when you have "local access" as there is no way to
== protect against it and no way to prevent it other than a slap on the
== fingers .. naughty .. naughty ..
==

> > I would take the security of your user's accounts much more seriously
> > if I were you.  If your users are leaving the door open, sooner or
> > later someone much worse than the paper boy is going to come stumbling
> > in.

assuming they are not already in ... and is quietly watching

promiscuous mode ..
        - your sniffer might need/want promiscuous mode, but the
        other 10, 100 machines you are sniffing will not, should not
        be in promiscuous mode

= why make things difficult ??
        - just be root if you wanna sniff

- legal issues

        - regular users should never be sniffing, as they may or may not
        be authorized by the company to be reading other people's emails
        and who they are tcp/ip'ing or udp'ing with

        - make sure that you have the legal authority to be sniffing
        BEFORE you do anything like sniffing, as people seem sensitive
        about you finding out that they go to those kinds of websites
        and have a mistress on the side .. etc .. etc

sniffers:
        http://linux-sec.net/Sniffers

        i like pfilt.pl ... anybody, non-techies can use it and sniff
        which makes it easy for the manager in charge to see "oh shit"
        and cut a check to go fix the insecure network problems

        no more telnet, no more pop3, no more wireless, no more
        anything that is insecure 

- sniffer detectors ...

        - how do you know you are being sniffed??

        i don't think you can see/find other sniffers for multiple
        reasons

        - always assume you are being sniffed 24x7 from anywhere in 
        the world and act accordingly

        - a sniffer does NOT have to be local to the network
        in the switch of your office

c ya
alvin

