RE: Unencrypted Email

From: John Daniele (johnd@tsintel.com)
Date: 02/27/02


Date: Wed, 27 Feb 2002 11:51:31 -0500 (EST)
From: John Daniele <johnd@tsintel.com>
To: "Coffey, Christopher S." <Christopher.Coffey@mail.va.gov>


heheh, well I'd place my spy at the company itself and have them perform a
security walkaround of the building to locate the (normally unprotected)
demarc point and install my sniffer physically on the wire there.

Not to say that there aren't any lame ISPs/datacenters around (I have
definitely seen my share) but this is their primary line of business; you
are perhaps more likely to gain access to the end user's infrastructure. I
say that the direct approach will probably be more successful. You'd be
surprised how many large companies don't even think to set up a
surveillance camera within their telecom/switching rooms, or even in the
hallway leading up to the door.

_________________________________________
John Daniele
Technical Security & Intelligence
Toronto, ON
Voice: (416) 605-2041
E-mail: johnd@tsintel.com
Web: http://www.tsintel.com

On Mon, 25 Feb 2002, Coffey, Christopher S. wrote:

> I'll add my opinions here, hopefully you will find them interesting:
>
> 1. Yes, most sniffers can be configured to find just certain types of traffic
> by headers (mail, ftp, etc.)
>
> 2. Yes, but it takes more work than that, let me explain (this is but a
> sample scenario btw). Say I was a company in LA and I wanted to snoop the
> email of my competitor in NY city. I would need to find out who their ISP is
> (who runs their T1 or whatever) then I would need to "Hack" into that ISP
> (OK, yes, this is complicated; it might require breaking into multiple routers
> and servers within the ISP to find the right link into their T1) and
> install my sniffer software to grab all the mail coming and going from that
> company. This could either be done by a group of black hat mercenaries or by
> a well-placed insider at the ISP.
>
> 3. This is a rough scenario, it would be a very big case of corporate
> espionage that so far we haven't seen yet (or at least not made public) but
> it is possible, with enough time, money and luck it could be done, it all
> depends on how much $$$ the data is worth ???
>
> Christopher Coffey
> Network Security Officer
> AAC-VA
>
>
>
>
> -----Original Message-----
> From: Dave Bujaucius [mailto:bujauciusd@gliatech.com]
> Sent: Friday, February 22, 2002 10:58 AM
> To: security-basics@securityfocus.com
> Subject: Unencrypted Email
>
>
> It is common knowledge that unencrypted messages sent over an unsecured
> Internet connection *can* be viewed in clear text and thus the contents
> compromised. My questions:
>
> 1. Is it really easy? How readily available are sniffing tools that
> can do this?
> 2. Can it be done from a user's home dial-up or DSL type connection?
> Can someone in California somehow be scanning mail leaving a New York
> location?
> 3. Outside of government agencies that have access to selected ISPs,
> how likely is it that a company could be targeted by an outside person
> or organization?
>
> I realize that like most IT issues everything is relative. I'm
> questioning the relative risk in sending confidential information over
> the Internet. Real life experiences versus theory.
>
> Dave Bujaucius
>