Re: sniffing plaintext protocols

[Dotzero <dotzero () gmail com>]

On 8/1/06, itsec.info <itsec.info () gmail com> wrote:

> From a security point of view it is a fundamental question whether such a
> scenario is technically possible or not.
> If so, how do I have to assess such a risk, how can I check that at a
> penetration test and how about the mitigation.

Mike,

The answer is to avoid using plaintext protocols. About the only
plaintext protocol I can think of any argument for would be ftp (which
I would limit to anonymous logins). If at all possible I would force
users to use scp, sftp or ftps.

As far as checking during a penetration test,.....if they are using
plaintext protocols then you ahve your answer. While this may sound
like an extreme statement to some, continued use of plaintext
protocols in todays environment can generally be attributed to
laziness or ignorance. I'd love to hear someone make a case that use
of plaintext protocols (other than http for general web browsing) is a
best (or even acceptable) practice.

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to rise, 
you need to proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------