<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: What I Learned At DEVCON</title>
	<atom:link href="http://fmcollective.com/2006/08/21/what-i-learned-at-devcon/feed/" rel="self" type="application/rss+xml" />
	<link>http://fmcollective.com/2006/08/21/what-i-learned-at-devcon/</link>
	<description>Syndicating the best FileMaker blogs</description>
	<lastBuildDate>Sat, 29 Nov 2008 04:44:04 -0600</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.3</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: Tim Neudecker</title>
		<link>http://fmcollective.com/2006/08/21/what-i-learned-at-devcon/comment-page-1/#comment-22</link>
		<dc:creator>Tim Neudecker</dc:creator>
		<pubDate>Mon, 21 Aug 2006 23:57:18 +0000</pubDate>
		<guid isPermaLink="false">http://fmcollective.proofgroup.com/?p=11#comment-22</guid>
		<description>I just noticed that the last line of my previous message was not as clear as I had intended it to be. It should read to say that I captured zero FMI accounts and that all FMI employees (and there were lots there) are using VPN/encryption or not checking their mail from insecure locations. Good job, FMI.</description>
		<content:encoded><![CDATA[<p>I just noticed that the last line of my previous message was not as clear as I had intended it to be. It should read to say that I captured zero FMI accounts and that all FMI employees (and there were lots there) are using VPN/encryption or not checking their mail from insecure locations. Good job, FMI.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tim Neudecker</title>
		<link>http://fmcollective.com/2006/08/21/what-i-learned-at-devcon/comment-page-1/#comment-23</link>
		<dc:creator>Tim Neudecker</dc:creator>
		<pubDate>Mon, 21 Aug 2006 16:03:26 +0000</pubDate>
		<guid isPermaLink="false">http://fmcollective.proofgroup.com/?p=11#comment-23</guid>
		<description>Some additional info on Steven’s item number 8.

Ever since this summer’s DefCon (a hacker conference in New York City) I have been amazed at just how easy it is to “sniff” a network and hear what people are saying. Remember, the internet is not a private phone line unless you make it a private phone line. By default it is a PARTY LINE.

&lt;a href=&quot;http://www.tgdaily.com/2004/08/02/defcon_12/index.html&quot; rel=&quot;nofollow&quot;&gt;http://www.tgdaily.com/2004/08/02/defcon_12/index.html&lt;/a&gt;

I was hoping to set up a  “Wall of Sheep” but felt it might be better to just listen first and see how many developers in the FMP community are not aware of how insecure networking really is, especially open wireless.

Over the course of DevCon, I downloaded, compiled and ran a free open source program called ettercap. I did no decrypting of WEP, SSL or any other encryption scheme, just data packet sniffing; I only filtered out packets and reported on packets with clear-text accounts/passwords. I used FMP to control ettercap and store the results of these sniffs. I scrambled the passwords after running the stats below. I sniffed during lunch time on Tuesday and Wednesday, and during a few sessions.

252 Total Accounts captured
165 POP
48 IMAP
33 HTTP Why are they not using SSL on their web sites?
5 FTP
1 LDAP

33 mail accounts were for mac.com, so presumably their iDisk is at risk also.
1 password was the same as the account name!
1 password was &quot;Password&quot;
156 unique passwords, so many people are using the same password across multiple servers/accounts.
45 passwords are in the dictionary (easily cracked by brute force)
9 Passwords 4 or less characters
74 Passwords 6 or less characters

On the happy side, there were many folks who were cautious…

400+ folks used MD5 or Kerberos encryption for server logon (mostly large corporate users; something to be said about corporate IT folks, they know their stuff.)

Lots of users, impossible to count because it was encrypted, used SSL and VPNs. Good going, folks.

0 FMI employees used clear-text accounts/passwords (and there were lots of them there! Way to go!)
</description>
		<content:encoded><![CDATA[<p>Some additional info on Steven’s item number 8.</p>
<p>Ever since this summer’s DefCon (a hacker conference in New York City) I have been amazed at just how easy it is to “sniff” a network and hear what people are saying. Remember, the internet is not a private phone line unless you make it a private phone line. By default it is a PARTY LINE.</p>
<p><a href="http://www.tgdaily.com/2004/08/02/defcon_12/index.html" rel="nofollow">http://www.tgdaily.com/2004/08/02/defcon_12/index.html</a></p>
<p>I was hoping to set up a  “Wall of Sheep” but felt it might be better to just listen first and see how many developers in the FMP community are not aware of how insecure networking really is, especially open wireless.</p>
<p>Over the course of DevCon, I downloaded, compiled and ran a free open source program called ettercap. I did no decrypting of WEP, SSL or any other encryption scheme, just data packet sniffing; I only filtered out packets and reported on packets with clear-text accounts/passwords. I used FMP to control ettercap and store the results of these sniffs. I scrambled the passwords after running the stats below. I sniffed during lunch time on Tuesday and Wednesday, and during a few sessions.</p>
<p>252 Total Accounts captured<br />
165 POP<br />
48 IMAP<br />
33 HTTP Why are they not using SSL on their web sites?<br />
5 FTP<br />
1 LDAP</p>
<p>33 mail accounts were for mac.com, so presumably their iDisk is at risk also.<br />
1 password was the same as the account name!<br />
1 password was &#8220;Password&#8221;<br />
156 unique passwords, so many people are using the same password across multiple servers/accounts.<br />
45 passwords are in the dictionary (easily cracked by brute force)<br />
9 Passwords 4 or less characters<br />
74 Passwords 6 or less characters</p>
<p>On the happy side, there were many folks who were cautious…</p>
<p>400+ folks used MD5 or Kerberos encryption for server logon (mostly large corporate users; something to be said about corporate IT folks, they know their stuff.)</p>
<p>Lots of users, impossible to count because it was encrypted, used SSL and VPNs. Good going, folks.</p>
<p>0 FMI employees used clear-text accounts/passwords (and there were lots of them there! Way to go!)</p>
]]></content:encoded>
	</item>
</channel>
</rss>
