
Re: Packet sniffing & regular users



On Wed, 2 Mar 2005, David Mandelberg wrote:

> s. keeling wrote:
> > Isn't it generally accepted that black hats who get local access (ie.,
> > a user login account) is _much_ worse than black hats who've been kept

anybody and everybody has "local access" with or without permission

> > out?  Assuming black hat wants root, taking over a user's account is a
> > very big first step.

that's trivial to do ... assuming you allow anybody to reboot a pc

and how do you know that a machine has been rebooted or even init 1,
and back up into root and never been rebooted

==
== all bets are off when you have "local access" as there is no way to
== protect against it and no way to prevent it other than a slap on the
== fingers .. naughty .. naughty ..
==

> > I would take the security of your user's accounts much more seriously
> > if I were you.  If your users are leaving the door open, sooner or
> > later someone much worse than the paper boy is going to come stumbling
> > in.

assuming they are not already in ... and are quietly watching

promiscuous mode ..
	- your sniffer might need/want promiscuous mode, but the
	other 10, 100 machines you are sniffing will not, should not
	be in promiscuous mode

= why make things difficult ??
	- just be root if you wanna sniff

- legal issues

	- regular users should never be sniffing, as they may or may not
	be authorized by the company to be reading other people's emails
	and who they are tcp/ip'ing or udp'ing with

	- make sure, that you have the legal authority to be sniffing
	BEFORE you do anything like sniffing, as people seem sensitive
	about you finding out that they go to those kinds of websites
	and have a mistress on the side .. etc .. etc

sniffers:
	http://linux-sec.net/Sniffers

	i like pfilt.pl ... anybody, non-techies can use it and sniff
	which makes it easy for the manager in charge to see "oh shit"
	and cut a check to go fix the insecure network problems

	no more telnet, no more pop3, no more wireless, no more
	anything that is insecure 

- sniffer detectors ...

	- how do you know you are being sniffed??

	i don't think you can see/find other sniffers for multiple
	reasons

	- always assume you are being sniffed 24x7 from anywhere in 
	the world and act accordingly

	- a sniffer does NOT have to be local to the network
	in the switch of your office

c ya
alvin
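
Added example, not part of the original post: a local check, on hosts you administer, for interfaces that are in promiscuous mode when they should not be. It reads the Linux `/sys/class/net/<if>/flags` word and replays kernel log lines; the log wording matched, the hostnames and the sample lines are assumptions constructed for illustration.

```python
import os
import re

IFF_PROMISC = 0x100  # interface flag bit from <linux/if.h>

# Classic kernel log wording; other kernel versions may phrase it differently (assumption).
LOG_RE = re.compile(r"device (\S+) (entered|left) promiscuous mode")

def promisc_from_sysfs(root="/sys/class/net"):
    """Return sorted interface names whose flags word has IFF_PROMISC set."""
    found = []
    for name in sorted(os.listdir(root)):
        try:
            with open(os.path.join(root, name, "flags")) as fh:
                flags = int(fh.read().strip(), 16)
        except (OSError, ValueError):
            continue  # not an interface directory, or unreadable
        if flags & IFF_PROMISC:
            found.append(name)
    return found

def promisc_from_log(lines):
    """Replay kernel log lines; return interfaces still promiscuous at the end."""
    active = set()
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group(2) == "entered":
            active.add(m.group(1))
        elif m:
            active.discard(m.group(1))
    return sorted(active)

# Constructed sample log lines, not taken from any real host.
SAMPLE_LOG = [
    "Mar  2 10:01:11 ws12 kernel: device eth0 entered promiscuous mode",
    "Mar  2 10:04:52 ws12 kernel: device eth0 left promiscuous mode",
    "Mar  2 23:17:40 ws12 kernel: device eth1 entered promiscuous mode",
]

if __name__ == "__main__":
    if os.path.isdir("/sys/class/net"):  # only present on Linux
        print("sysfs:", promisc_from_sysfs())
    print("log:  ", promisc_from_log(SAMPLE_LOG))
```

This only covers machines whose sysfs and logs you can read and trust; it says nothing about a sniffer on a host you do not control.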


