kracksmith
join:2004-07-14
Fullerton, CA
| security experts please explain
Ok let's just saying one of my customer is running a IIS 6.0 FTP server (which he is by the way).
He doesn't want to be running any encryptions on the FTP server. I tell him this is dangerous and somebody can sniff out your clear text username and password.
he said he doesn't go into this FTP all the time but just seldomly plus he likes the IE FTP client, it's easy to use and it's available anywhere he goes. he doesn't want to rely on a encrypted ftp client which he needs to carry or download.
he also said if somebody where to sniff out his password that hacker has to know exactly when he's logging into the FTP server which he says is impossible.
i told him i read hacker can monitor his public and leave a sniffer there 24/7. he said how? i couldn't explain this since i'm not a hacker but from a security stand point i like to know how this is done?
does somebody just run a certain sniffer monitoring program on a public IP ftp server, as easy as that? |
|
kracksmith
join:2004-07-14
Fullerton, CA | anybody?? |
|
hayc59
VoodooChild
Premium
join:2001-02-26
David R.I.P. | reply to kracksmith
Hello, and welcome
give it some time...these professionals
are preparing their turkeys!  |
|
SoonerAl
Old Enough To Know Better
Premium,MVM
join:2002-07-23
Norman, OK
1 edit |  reply to kracksmith
This thread may be of interest...
»unsecure FTP
At a bare minimum you could use the built-in MS PPTP VPN server/client function with a strong password for the authorized users for simple but safe file access from a remote location.
--
"When all else fails, read the instructions..." |
|
arleybls
Premium
join:2004-05-25
4 edits | reply to kracksmith
said by kracksmith  :does somebody just run a certain sniffer monitoring program on a public IP ftp server, as easy as that? No it is not that easy...but it could be as simple as arp poisoning on the same server's subnet to more sophisticated attacks against one of the hops in which the traffic flows...or...maybe, wire tapping the media 
If your boss concern is performance, you could use IPsec to encrypt only, at least, the FTP's control/command channel (port 21), all data would still be sent in clear trough the data channel... |
|
major marco
Res Firma Mitescere Nescit
Premium
join:2003-02-13
Stepford, CA
clubs:
| reply to kracksmith
said by kracksmith :does somebody just run a certain sniffer monitoring program on a public IP ftp server, as easy as that? If s/he is that obstinate about it, then I say let your "customer" live and learn. And what are you doing with clientele if you are not able to intelligently explain security issues. I hope they aren't paying you for your dearth of expertise. 
--
The Toll
|
|
