October 18th, 2005, 10:51 PM
At least we still have Paros!
I was on pen-testing training recently and we were introduced to the Paros tool, which acts as a software proxy for IE (Mozilla has something similar built in) and allows you to trap your POSTs and GETs before they are sent.
This is used in pen testing to ensure that both your client-end validation and your server-end validation work, e.g. you can't trap and change the price of an ordered item on order confirmation when purchasing an item from your online commercial site.
But we decided out of interest to log into Hotmail and were shocked to find that (although I guess we should have worked it out before from careful observation) the Hotmail account username and password are sent in the clear with no encryption.
So here is the question! Why does MS insist on us having strong passwords if they don't apply strong password security? Why isn't a proper HTTPS session established (easy to do since they have certificates on their site) before the username and password exchange? And how long is it before someone is going to poison a DNS cache and pick up a lot of MS Hotmail accounts through a perfectly straightforward MITM attack?
Finding this out has made me, apart from banking and Amazon, give up trying to have strong passwords online; it just isn't worth the effort if companies are going to be that thick.
Captain Picard, where are you now? We need you more than ever.
No one can foresee the consequences of being clever.
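The post's example of a trapped order-confirmation POST is exactly the case server-side validation exists for. The following is an added example (not code from the post, from Paros, or from any real shop): a minimal order handler that recomputes the total from a constructed server-side catalog and rejects any request whose client-supplied price or quantity disagrees with it, so editing the price field in a proxy changes nothing about what is charged. The catalog, SKUs and request bodies are all constructed for the example.

```python
"""
Server-side validation of a submitted order, so that a client that edits the
price field in a trapped POST (as an intercepting proxy lets a tester do)
cannot change what is actually charged.  Added example; the catalog and the
request bodies below are constructed, not taken from any real shop.
"""
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed server-side catalog: the only price source the server trusts.
CATALOG = {
    "SKU-100": Decimal("49.99"),
    "SKU-200": Decimal("9.50"),
}


class TamperedOrder(ValueError):
    """Raised when client-supplied fields disagree with server-side data."""


def parse_form(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded POST body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def validate_order(form: dict) -> Decimal:
    """Return the server-computed total; the client-supplied price is never billed.

    Raises TamperedOrder if the SKU is unknown, the quantity is not a small
    positive integer, or an echoed price disagrees with the catalog (a sign
    the request was modified in transit).
    """
    sku = form.get("sku")
    if sku not in CATALOG:
        raise TamperedOrder(f"unknown sku {sku!r}")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise TamperedOrder("quantity is not an integer")
    if not 1 <= qty <= 100:
        raise TamperedOrder(f"quantity {qty} out of range")
    total = CATALOG[sku] * qty
    # If the client echoed a price it must match the catalog, but it is only
    # used as a tamper check, never as the amount to charge.
    if "price" in form:
        try:
            claimed = Decimal(form["price"])
        except InvalidOperation:
            raise TamperedOrder("price is not a number")
        if claimed != CATALOG[sku]:
            raise TamperedOrder(f"client price {claimed} != catalog {CATALOG[sku]}")
    return total


def handle_order(body: str) -> tuple:
    """Mimic an HTTP handler: returns (status_code, message)."""
    try:
        total = validate_order(parse_form(body))
    except TamperedOrder as exc:
        return 400, f"rejected: {exc}"
    return 200, f"charged {total}"


if __name__ == "__main__":
    # Constructed requests: a genuine one, then the same order with the
    # price field edited to 0.01 before submission.
    print(handle_order("sku=SKU-100&qty=2&price=49.99"))
    print(handle_order("sku=SKU-100&qty=2&price=0.01"))
```

The design point is that the price field is treated as a tamper indicator rather than an input: the amount billed comes only from `CATALOG`, so a request modified in a proxy is either rejected or billed at the real price, and the rejection can be logged as a signal that someone is probing the checkout flow.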