What is the likelihood of password sniffing?

Discussion in 'Computer Security' started by Superbo Barnetta, Oct 22, 2003.

  1. Hello,

    When a lot of us send and receive email, we use 'clear text' passwords. Not
    all do this, but a great many I suspect do. Who has the means to capture
    this un-encrypted information ?

    I would guess at ISPs first, or maybe someone's PC that has been compromised
    with a trojan. Is that the extent of the problem ?

    I would like to hear of any scenarios that show how easily this can be done,
    and if anyone has any history of their passwords being stolen, and then some
    account or other becoming unavailable to them.

    At the moment, I use SSL (port 995) to connect to my mail server, using a
    self-signed certificate, basically because I'm skint. But say I switched
    back to an ISP, and used clear-text pop3 passwords, how likely is it that I
    could get my password stolen ?

    My 'threat model', if that applies to what I'm saying here, is only that of
    embarrassment if someone were to monitor and later disclose information
    gleaned from my inbox. It could be worse in some cases, where I have to
    receive un-encrypted financial information, as the sender refuses to
    'embrace' PGP or similar.

    Thanks for your time.

    SB.
     
    Superbo Barnetta, Oct 22, 2003
    #1

  2. In article <>,
    says...
    > Hello,
    >
    > When a lot of us send and receive email, we use 'clear text' passwords. Not
    > all do this, but a great many I suspect do. Who has the means to capture
    > this un-encrypted information ?
    >


    anyone with a shell account on your mail server, anyone with access to a
    network appliance along the way, especially local access to a monitor
    port.


    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness? as the new industry standard..."

    "...I see stupid people."
     
    Colonel Flagg, Oct 23, 2003
    #2
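Colonel Flagg's list of vantage points (a shell account on the mail server, a network appliance on the path, a monitor port) is also the list of places a defender can look to audit their own users. The following is an added example, not code from any poster in this thread. It scans a captured POP3 exchange for authentication that went over the wire without TLS and reports which accounts are affected, without recording the secret itself. The capture text and its `C>`/`S>` line format are constructed for the example; a real run would feed in the output of whatever capture tool is used on a segment you are authorised to monitor.

```python
"""Audit a captured POP3 exchange for credentials sent in the clear.

Added example for this thread; not code from any poster. The capture below is
constructed by hand. RFC 1939 authentication uses USER/PASS (password in the
clear) or APOP (a digest instead of the password); both run unencrypted unless
the connection is wrapped in TLS (port 995) or upgraded with STLS.
"""
import re
from dataclasses import dataclass

# Constructed capture: one line per segment. C> is client-to-server,
# S> is server-to-client, followed by the server port and the payload.
CONSTRUCTED_CAPTURE = """\
S> 110 +OK POP3 server ready
C> 110 USER alice
S> 110 +OK
C> 110 PASS hunter2
S> 110 +OK Logged in.
C> 110 STAT
S> 110 +OK 3 4096
C> 110 QUIT
S> 995 <encrypted TLS record, 517 bytes>
C> 995 <encrypted TLS record, 118 bytes>
C> 110 APOP bob <digest>
S> 110 +OK
"""

LINE_RE = re.compile(r"([CS])> (\d+) (.*)")


@dataclass(frozen=True)
class Finding:
    user: str
    mechanism: str
    port: int
    password_in_clear: bool


def audit_pop3_capture(capture: str) -> list:
    """Return one Finding per unencrypted POP3 authentication seen in the capture."""
    findings = []
    pending_user = None  # USER seen, waiting for the matching PASS
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        direction, port, payload = m.group(1), int(m.group(2)), m.group(3)
        if direction != "C":
            continue  # only client commands carry credentials
        cmd, _, arg = payload.partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            pending_user = arg.strip()
        elif cmd == "PASS" and pending_user is not None:
            # The password itself crossed the wire; record the fact, never the value.
            findings.append(Finding(pending_user, "USER/PASS", port, True))
            pending_user = None
        elif cmd == "APOP":
            # APOP sends a digest rather than the password, but the session and the
            # username are still unencrypted, so it is worth listing too.
            findings.append(Finding(arg.split()[0], "APOP", port, False))
    return findings


if __name__ == "__main__":
    for f in audit_pop3_capture(CONSTRUCTED_CAPTURE):
        print(f"{f.user}: {f.mechanism} on port {f.port}, "
              f"password in clear: {f.password_in_clear}")
```

The TLS records on port 995 are opaque to the parser, which is the point: the same commands are still sent inside the tunnel, but nobody on the path can read them. The output of this audit is a list of accounts whose clients should be moved to POP3S or STLS.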

  3. "Colonel Flagg" <> wrote in
    message news:...
    > In article <>,
    > says...
    > > Hello,
    > >
    > > When a lot of us send and receive email, we use 'clear text' passwords. Not
    > > all do this, but a great many I suspect do. Who has the means to capture
    > > this un-encrypted information ?
    > >
    >
    > anyone with a shell account on your mail server, anyone with access to a
    > network appliance along the way, especially local access to a monitor
    > port.
    >


    Thanks Colonel. So each of the 'hops' to a typical POP3 server, has the
    potential to grab a clear text password ?

    If that's so, it's what I thought might happen. If someone did snag the
    password, they'd be most likely to just download copies of emails, rather
    than use the default 'delete from server after retrieval' POP3 way of doing
    things. Someone might get suspicious otherwise that they'd never received
    mails when a site/friend told them they'd got mail coming.

    Scary isn't it ? Anyone could be doing it, and you'd just never know ...

    Thanks again.

    SB.
     
    Superbo Barnetta, Oct 23, 2003
    #3
  4. Bill Unruh (Guest)

    "Superbo Barnetta" <> writes:

    ]Hello,

    ]When a lot of us send and receive email, we use 'clear text' passwords. Not
    ]all do this, but a great many I suspect do. Who has the means to capture
    ]this un-encrypted information ?

    Highly likely.
    The chief way is that a computer is broken into and a password sniffer
    installed. The only way our system was compromised was via such sniffing
    on a computer in Korea that some of the users logged in from. Then a
    sniffer was installed on ours.
     
    Bill Unruh, Oct 23, 2003
    #4
  5. "Bill Unruh" <> wrote in message
    news:bn8996$ft3$...
    > "Superbo Barnetta" <> writes:
    >
    > ]Hello,
    >
    > ]When a lot of us send and receive email, we use 'clear text' passwords. Not
    > ]all do this, but a great many I suspect do. Who has the means to capture
    > ]this un-encrypted information ?
    >
    > Highly likely.
    > The chief way is that a computer is broken into and a password sniffer
    > installed. The only way our system was compromised was via such sniffing
    > on a computer in Korea that some of the users logged in from. Then a
    > sniffer was installed on ours.


    Thanks for the info there Bill. Was it broken into locally or remotely ? The
    Korean computer I mean.

    Cheers.

    SB.
     
    Superbo Barnetta, Oct 23, 2003
    #5
  6. Bill Unruh (Guest)

    "Superbo Barnetta" <> writes:


    ]"Bill Unruh" <> wrote in message
    ]news:bn8996$ft3$...
    ]> "Superbo Barnetta" <> writes:
    ]>
    ]> ]Hello,
    ]>
    ]> ]When a lot of us send and receive email, we use 'clear text' passwords. Not
    ]> ]all do this, but a great many I suspect do. Who has the means to capture
    ]> ]this un-encrypted information ?
    ]>
    ]> Highly likely.
    ]> The chief way is that a computer is broken into and a password sniffer
    ]> installed. The only way our system was compromised was via such sniffing
    ]> on a computer in Korea that some of the users logged in from. Then a
    ]> sniffer was installed on ours.

    ]Thanks for the info there Bill. Was it broken into locally or remotely ? The
    ]Korean computer I mean.

    I have no idea how the Korean one was broken, (probably the same way
    mine was) but there were some vague intimations that the crackers were
    Italian as I recall. (That was when I switched everything over to ssh
    instead of telnet, which sends passwords over the net in the clear)
     
    Bill Unruh, Oct 23, 2003
    #6
  7. In article <>,
    says...
    >
    > "Colonel Flagg" <> wrote in
    > message news:...
    > > In article <>,
    > > says...
    > > > Hello,
    > > >
    > > > When a lot of us send and receive email, we use 'clear text' passwords. Not
    > > > all do this, but a great many I suspect do. Who has the means to capture
    > > > this un-encrypted information ?
    > > >
    > >
    > > anyone with a shell account on your mail server, anyone with access to a
    > > network appliance along the way, especially local access to a monitor
    > > port.
    > >
    >
    > Thanks Colonel. So each of the 'hops' to a typical POP3 server, has the
    > potential to grab a clear text password ?
    >
    > If that's so, it's what I thought might happen. If someone did snag the
    > password, they'd be most likely to just download copies of emails, rather
    > than use the default 'delete from server after retrieval' POP3 way of doing
    > things. Someone might get suspicious otherwise that they'd never received
    > mails when a site/friend told them they'd got mail coming.
    >
    > Scary isn't it ? Anyone could be doing it, and you'd just never know ...
    >
    > Thanks again.
    >
    > SB.



    I haven't tested this on many email servers, but on the few I've looked
    into, I've noticed that if you "do not delete" from the server, the
    messages are marked as "read", therefore, if bad-guy-client downloads
    prior to your download, he'll more than likely mark the message as read,
    so when you download it, it won't show as "unread". In Eudora in
    particular with the little blue ball on the left of the message pane,
    the blue ball is absent from messages downloaded from the server by
    another client, prior to when Eudora pulls the message. This is a good
    indicator that another client has already viewed the emails, and a good
    indicator to change your password.






    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness? as the new industry standard..."

    "...I see stupid people."
     
    Colonel Flagg, Oct 24, 2003
    #7
  8. On Thu, 23 Oct 2003 23:50:04 -0400, Colonel Flagg wrote:

    > In article <>,
    > says...
    >>
    >> "Colonel Flagg" <> wrote in
    >> message news:...
    >> > In article <>,
    >> > says...
    >> > > Hello,
    >> > >
    >> > > When a lot of us send and receive email, we use 'clear text' passwords. Not
    >> > > all do this, but a great many I suspect do. Who has the means to capture
    >> > > this un-encrypted information ?
    >> > >
    >> >
    >> > anyone with a shell account on your mail server, anyone with access to a
    >> > network appliance along the way, especially local access to a monitor
    >> > port.
    >> >
    >>
    >> Thanks Colonel. So each of the 'hops' to a typical POP3 server, has the
    >> potential to grab a clear text password ?
    >>
    >> If that's so, it's what I thought might happen. If someone did snag the
    >> password, they'd be most likely to just download copies of emails, rather
    >> than use the default 'delete from server after retrieval' POP3 way of doing
    >> things. Someone might get suspicious otherwise that they'd never received
    >> mails when a site/friend told them they'd got mail coming.
    >>
    >> Scary isn't it ? Anyone could be doing it, and you'd just never know ...
    >>
    >> Thanks again.
    >>
    >> SB.

    >
    >
    > I haven't tested this on many email servers, but on the few I've looked
    > into, I've noticed that if you "do not delete" from the server, the
    > messages are marked as "read", therefore, if bad-guy-client downloads
    > prior to your download, he'll more than likely mark the message as read,
    > so when you download it, it won't show as "unread". In Eudora in
    > particular with the little blue ball on the left of the message pane,
    > the blue ball is absent from messages downloaded from the server by
    > another client, prior to when Eudora pulls the message. This is a good
    > indicator that another client has already viewed the emails, and a good
    > indicator to change your password.


    Good tips there, I hadn't thought of the 'marking read' bit.

    Cheers.

    SB.
     
    Superbo Barnetta, Oct 24, 2003
    #8
  9. Dave Korn (Guest)

    "Colonel Flagg" <> wrote in
    message news:...
    >
    > I haven't tested this on many email servers, but on the few I've looked
    > into, I've noticed that if you "do not delete" from the server, the
    > messages are marked as "read", therefore, if bad-guy-client downloads
    > prior to your download, he'll more than likely mark the message as read,
    > so when you download it, it won't show as "unread". In Eudora in
    > particular with the little blue ball on the left of the message pane,
    > the blue ball is absent from messages downloaded from the server by
    > another client, prior to when Eudora pulls the message. This is a good
    > indicator that another client has already viewed the emails, and a good
    > indicator to change your password.


    Heh, sorry to have to correct you, but that's completely wrong. The
    read-or-not-read status is stored locally by your mail client. There's
    nothing in the POP server itself to store that status nor any means in the
    protocol to communicate it. Your copy of Eudora must have ESP, or perhaps
    you got something wrong when you ran your tests. Have you tried reproducing
    this?


    DaveK
    --
    moderator of
    alt.talk.rec.soc.biz.news.comp.humanities.meow.misc.moderated.meow
    Burn your ID card! http://www.optional-identity.org.uk/
    Help support the campaign, copy this into your .sig!
    Proud Member of the Exclusive "I have been plonked by Davee because he
    thinks I'm interesting" List Member #<insert number here>
    Master of Many Meowing Minions
    Holder of the exhalted PF Chang's Crab Wonton Award for kook spankage above
    and beyond the call of hilarity.
    PGP Key-ID: 0x0FB504D1 Fingerprint 04B7 2E8C 0245 680E 6484 C441 CEC7 D2BD
     
    Dave Korn, Oct 24, 2003
    #9
  10. In article <d5amb.229$>,
    lid says...
    > "Colonel Flagg" <> wrote in
    > message news:...
    > >
    > > I haven't tested this on many email servers, but on the few I've looked
    > > into, I've noticed that if you "do not delete" from the server, the
    > > messages are marked as "read", therefore, if bad-guy-client downloads
    > > prior to your download, he'll more than likely mark the message as read,
    > > so when you download it, it won't show as "unread". In Eudora in
    > > particular with the little blue ball on the left of the message pane,
    > > the blue ball is absent from messages downloaded from the server by
    > > another client, prior to when Eudora pulls the message. This is a good
    > > indicator that another client has already viewed the emails, and a good
    > > indicator to change your password.

    >
    > Heh, sorry to have to correct you, but that's completely wrong. The
    > read-or-not-read status is stored locally by your mail client. There's
    > nothing in the POP server itself to store that status nor any means in the
    > protocol to communicate it. Your copy of Eudora must have ESP, or perhaps
    > you got something wrong when you ran your tests. Have you tried reproducing
    > this?
    >
    >
    > DaveK




    um, yes. i can reproduce it right now.... messages are marked as read on
    the server, download with a totally different client, still marked as
    read in Eudora.

    X-UIDL:

    This header is added to the pop daemon to indicate to the client the
    status of the message. If it's been read, the clients that read this
    header will show it as read, rather than unread.

    I would suspect you've never used a client that acknowledges this
    header.


    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness? as the new industry standard..."

    "...I see stupid people."
     
    Colonel Flagg, Oct 26, 2003
    #10
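The disagreement between Dave Korn and Colonel Flagg comes down to what POP3 actually carries. RFC 1939's UIDL command (and the X-UIDL header some servers add to each message) gives every message a stable unique id; a client keeps its own record of the ids it has already fetched and treats anything else as new. The protocol has no server-side "read" flag, so one client's retrieval cannot change what another client reports as unread. The simulation below is an added example, not code from any poster; it models that behaviour in plain Python with a constructed mailbox rather than talking to a real server.

```python
"""Two POP3 clients sharing one mailbox: each keeps its own 'seen' state.

Added example for this thread; not code from any poster. The mailbox, unique
ids and bodies are constructed. The server offers only what RFC 1939 offers:
UIDL (unique id per message), RETR (fetch) and DELE (delete).
"""


class SimulatedPop3Server:
    """Minimal mailbox: message number -> (unique id, body)."""

    def __init__(self, messages):
        self._msgs = dict(enumerate(messages, start=1))  # {1: (uid, body), ...}
        self._deleted = set()

    def uidl(self):
        """UIDL: list (message number, unique id) for every undeleted message."""
        return [(n, uid) for n, (uid, _) in self._msgs.items()
                if n not in self._deleted]

    def retr(self, n):
        """RETR: return the body; there is no flag to mark it as read."""
        if n in self._deleted or n not in self._msgs:
            raise KeyError(f"-ERR no such message {n}")
        return self._msgs[n][1]

    def dele(self, n):
        """DELE: the only server-side state change POP3 allows."""
        self._deleted.add(n)


class SimulatedPop3Client:
    """Client that remembers which unique ids it has fetched, like Eudora's
    'leave mail on server' mode. This set lives on the client, not the server."""

    def __init__(self, name, leave_on_server=True):
        self.name = name
        self.leave_on_server = leave_on_server
        self.seen_uids = set()
        self.inbox = []

    def fetch_new(self, server):
        """Download every message whose uid this client has not seen before."""
        new = []
        for n, uid in server.uidl():
            if uid in self.seen_uids:
                continue
            self.inbox.append((uid, server.retr(n)))
            self.seen_uids.add(uid)
            new.append(uid)
            if not self.leave_on_server:
                server.dele(n)
        return new


def demo_two_clients():
    """A second client with the same credentials fetches copies first; the
    owner's client still sees every message as new afterwards."""
    server = SimulatedPop3Server([("uid-0001", "Hello"), ("uid-0002", "Invoice")])
    other = SimulatedPop3Client("other", leave_on_server=True)
    owner = SimulatedPop3Client("owner", leave_on_server=True)
    fetched_by_other = other.fetch_new(server)
    fetched_by_owner = owner.fetch_new(server)
    return fetched_by_other, fetched_by_owner


if __name__ == "__main__":
    print(demo_two_clients())
```

The consequence for the thread's scenario is the one Superbo Barnetta guessed at: copies downloaded with "leave on server" leave no protocol-visible trace in the mailbox, while a client that deletes after retrieval empties it and is noticed. Detecting the silent case has to rely on something outside the protocol, such as the server's login logs.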
  11. Rowdy Yates (Guest)

    don't know if anyone is following this thread anymore, but i might as
    well add.

    - there are logs kept on the mail server as to which ip address accessed
    the mail account last. if the host is on one of your subnets, it's really
    easy to track it back.
    - clear text is very easy to sniff. passwords & usr names MUST be sent
    encrypted and stored reversible.
    - i am not too familiar with the pop flagging process, but i know from
    personal experience on imap, that after you download the messages, it is
    marked as read. but, if you have usr name & passwrd, you can mark it as
    unread again.

    hope it helps.


    "Superbo Barnetta" <> wrote in
    news::

    > Hello,
    >
    > When a lot of us send and receive email, we use 'clear text'
    > passwords. Not all do this, but a great many I suspect do. Who has the
    > means to capture this un-encrypted information ?
    >
    > I would guess at ISPs first, or maybe someone's PC that has been
    > compromised with a trojan. Is that the extent of the problem ?
    >
    > I would like to hear of any scenarios that show how easily this can be
    > done, and if anyone has any history of their passwords being stolen,
    > and then some account or other becoming unavailable to them.
    >
    > At the moment, I use SSL (port 995) to connect to my mail server,
    > using a self-signed certificate, basically because I'm skint. But say
    > I switched back to an ISP, and used clear-text pop3 passwords, how
    > likely is it that I could get my password stolen ?
    >
    > My 'threat model', if that applies to what I'm saying here, is only
    > that of embarrassment if someone were to monitor and later disclose
    > information gleaned from my inbox. It could be worse in some cases,
    > where I have to receive un-encrypted financial information, as the
    > sender refuses to 'embrace' PGP or similar.
    >
    > Thanks for your time.
    >
    > SB.
     
    Rowdy Yates, Oct 28, 2003
    #11
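Rowdy Yates's first point, that the server records which address last accessed each account, is the practical way to catch a reused password. The following is an added example, not code from any poster: it parses POP3 login records and flags accounts that logged in from outside the address ranges their owners are expected to use. The log line format, the `pop3d:` tag, the sample lines and the trusted networks are all constructed for the example; a real daemon logs differently, so the regular expression would be adapted to it.

```python
"""Flag POP3 logins from unexpected source addresses.

Added example for this thread; not code from any poster. The log format and
the lines below are constructed. Addresses use the RFC 5737 documentation
ranges (203.0.113.0/24, 198.51.100.0/24) for the 'outside' sources.
"""
import ipaddress
import re
from collections import defaultdict

CONSTRUCTED_LOG = """\
Oct 24 07:12:01 mail pop3d: login user=alice from=192.168.1.20
Oct 24 07:15:44 mail pop3d: login user=bob from=192.168.1.31
Oct 24 09:02:10 mail pop3d: login user=alice from=203.0.113.77
Oct 24 09:02:15 mail pop3d: login user=alice from=192.168.1.20
Oct 24 11:40:00 mail pop3d: login user=carol from=10.0.0.5
Oct 24 11:41:00 mail pop3d: login failed user=bob from=198.51.100.9
"""

# Only successful logins carry "login user="; failures say "login failed user=".
LOGIN_RE = re.compile(r"pop3d: login user=(\S+) from=(\S+)")

# Constructed assumption: the account owners only connect from these ranges.
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24"),
                ipaddress.ip_network("10.0.0.0/8")]


def parse_logins(log):
    """Return (user, ip_address) for each successful login in the log."""
    logins = []
    for line in log.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            logins.append((m.group(1), ipaddress.ip_address(m.group(2))))
    return logins


def distinct_sources(log):
    """Number of distinct source addresses per account; more than one is a
    prompt to look closer, since the owner usually connects from one place."""
    sources = defaultdict(set)
    for user, ip in parse_logins(log):
        sources[user].add(ip)
    return {user: len(ips) for user, ips in sources.items()}


def find_untrusted_logins(log, trusted=TRUSTED_NETS):
    """Map each account to the sorted list of source addresses outside the
    trusted ranges. An empty result means every login came from expected space."""
    flagged = defaultdict(set)
    for user, ip in parse_logins(log):
        if not any(ip in net for net in trusted):
            flagged[user].add(ip)
    return {user: sorted(str(ip) for ip in ips) for user, ips in flagged.items()}


if __name__ == "__main__":
    print("distinct sources:", distinct_sources(CONSTRUCTED_LOG))
    print("untrusted logins:", find_untrusted_logins(CONSTRUCTED_LOG))
```

In this constructed log, alice's account was used from 203.0.113.77 between two logins from her usual address, which is exactly the pattern a copied password produces: the owner keeps reading mail as normal while a second client reads it from elsewhere. The failed attempt against bob is ignored here on purpose; repeated failures are a different signal and are better counted separately.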
