Re: Information Security?

From: Michael Lorrey (retroman@together.net)
Date: Sun Nov 15 1998 - 15:27:49 MST


Mike Linksvayer wrote:

> Michael Lorrey wrote:
> > I figured out the other day how WS_FTP encrypts its passwords in its INI
> > file, which is rather weak and a major weakness for anyone using this FTP
> > client to transfer files. Essentially, the encryption works like this: each
> > letter of the password is converted to its hexadecimal value. Then one hex
> > digit is added to the letters hex value based on its position in the
> > password, starting with 0 for the letter in the first position.
> >
> > So, while you may only FTP encrypted files to an FTP site, by using a weak
> > password encryption like this a hacker could easily sniff out your password
> > and then use the FTP site with impunity in YOUR name.
>
> ftp passwords are sent as cleartext between the client and server,
> so ws_ftp's .ini settings obfuscation does nothing to help or hinder
> someone who wants your password, unless that someone has access to
> your ws_ftp .ini file.

Which is also rather easy for users on internet connected LANs or WANs. A common
practice to break into a system is to spoof yourself as an authorized device by
assuming its IP address when it is offline. Once you are in you then have a login
to get by, which is no big deal, as most desk drivers at companies which have no
centrally controlled password system typically just use their name with no
password, or their name as the user and their name as the password, or first and
last, etc. Once you are in, you can copy the ws_ftp.ini file you can find on
every drive the user you are spoofing has access to.

Right now I have implemented a patch to prevent this sort of thing from happening
on the network here, but I doubt that many small businesses know or care about it
at this point.

Mike Lorrey



This archive was generated by hypermail 2.1.5 : Fri Nov 01 2002 - 14:49:47 MST