
Thread: Once is happenstance.....

  1. #11
    I know you are not using WEP, right???

    Also proximity isn't that relevant. A dedicated attacker can have something like this

    http://www.cantenna.com/
    http://www.turnpoint.net/wireless/cantennahowto.html

    or just pull up in a car

    also it helps to check if the time on your systems isn't screwed (expired cert. problem)

    was the email legit ... not one of those made to look like login screens which will re-mail your auth info to the attacker
    UNIX IS user friendly, it's just very choosy about who it calls a friend.

  2. #12
    AO Ancient: Team Leader
    Join Date: Oct 2002; Posts: 5,197
    I'm beginning to think I was being paranoid.... ["What YOU" everyone shouts.... ].

    I have been through my ethereal captures on both the wireless sniff and the external.... There's lots of AV updates, some Windows updates, some scans etc but there isn't anything screwy in 10 hours of capture and I haven't had a repeat of either "oddity" either.... I'll run the ethereals overnight and see what pops up.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #13
    Regal Making Handler
    Join Date: Jun 2002; Posts: 1,668
    Originally posted here by Tiger Shark
    I'm beginning to think I was being paranoid.... ["What YOU" everyone shouts.... ].

    I have been through my ethereal captures on both the wireless sniff and the external.... There's lots of AV updates, some Windows updates, some scans etc but there isn't anything screwy in 10 hours of capture and I haven't had a repeat of either "oddity" either.... I'll run the ethereals overnight and see what pops up.....
    Paranoia is good,

    But when one is troubleshooting, should we all go for the extreme measures first or look at the more simple?

    That is rhetorical, as it should depend on the situation
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  4. #14
    AO Ancient: Team Leader
    Join Date: Oct 2002; Posts: 5,197
    Jinx:

    Yeah, I like paranoia.... I see bogey men in the clouds....

    I would be more concerned if the behaviour was repeatable.... Since it isn't then there are two options:-

    i) coincidental glitches
    ii) the "attacker" has removed his harvesting system, (possibly in preference of a better system)

    As it is I gave away "nothing" passwords to date and have not been using these boxes for anything other than the same stuff.... I will probably use an alternative way out if I _need_ to work for a while to see what happens.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #15
    BIOS Bomber
    Join Date: Jul 2003; Location: Michigan; Posts: 357
    You're not paranoid, you're old. By the way, make sure to forward the logs to a non-web email account. Not sure what ISP you use, but send an email to yourself with the logs as an attachment so you can look them over thoroughly if possible. From what I have heard you're from Michigan too. Maybe it's time for some tux + gore and tiger chats, because you're paranoid, which is OK, but you leaving work email open like that, not sure how I'd go about telling you, bad boy. You have to know by now that Michigan is hot for war driving. It's almost disgusting. One thing though, gore may be OK with all that Windows you got there, but damn man, I'd bring a sawed off.
    "When in doubt, use Brute Force."

    Never argue with an idiot. They'll drag you down to their level, then beat you with experience.

  6. #16
    Elite Hacker
    Join Date: Mar 2003; Posts: 1,407
    Where the heck have you been mandraketux?

    Good luck solving the case TS. Hopefully it's nothing. But if it is nothing, that might be bad if you're paranoid because you'll always wonder. Perhaps it would be better if you find something wrong and fix it.

  7. #17
    The Doctor Und3ertak3r
    Join Date: Apr 2002; Posts: 2,744
    "coincidence occurred I was about 5 mins away from my scheduled morning shower.....
    That's the trouble with coincidence and paranoia, it won't even give you a chance to scratch your balls..

    There is a saying.. "Better safe than sorry"
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  8. #18
    AO Ancient: Team Leader
    Join Date: Oct 2002; Posts: 5,197
    You're not paranoid, you're old
    Well.... Don't beat around the bush old chap.... Say what you mean...

    Undies Old Man..... I agree entirely.... <LOL>

    As to a wardriver.... I have discounted that for the following reason:-

    1. If it were a wardriver he would have had to be sat in range on both occasions. That would mean he would have to have been there at 4:30ish in the evening and again at 5:10am the next morning. I would suggest that it would be unlikely that he would be there for that long or, coincidentally, on the two times I was on unless he had been stalking me for a long time to ascertain my habits.... I haven't lived there that long and my habits have only recently become "established".

    I have discounted this being an installed system for the following reason:-

    2. If it were an installed system to harvest passwords it would have to have either been programmed to pick up on my specific connections that require a password or it should be able to recognize the fact that I am about to submit a password, form a copy of the page on the fly, submit the results to the wrong IP address and then return me to the password submission screen of the original web site. Is that _possible_? Yes, but it would take some significant programming and a certain amount of AI to accomplish and would, undoubtedly, be quite buggy, thus displaying other evidence of its existence. Furthermore, in subsequent tests of sites, (both the ones that "glitched" and some that I haven't logged in to for a while or from my home network), where I am required to submit a password the symptom is not repeatable. An installed program would continue to display the symptom on web sites that have not been previously harvested - which would be illogical since it would be sensible to _always_ function in case the user has changed their credentials.

    Conclusion: I'm paranoid!!!!

    But, I have good news.... With all the sniffing I did I found a misconfiguration that leaks DNS information to the ISP's DNS servers which _could_ be sniffable to determine that I run an AD domain within my network. This issue is being fixed in a minute or two.... Oh, and I saved a bunch of money by switching to Geico......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
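
A check for the kind of DNS leak described in post #18, as an added example that is not part of the original thread: it scans a DNS query log for lookups that reveal an AD domain and were sent to a resolver outside the internal network. The log format, the 10.0.0.0/8 internal range and the domain `corp.example` are assumptions, and the sample lines are constructed.

```python
import ipaddress

# Assumptions for this example: internal DNS servers live in 10.0.0.0/8 and
# the AD domain is the hypothetical "corp.example".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
AD_DOMAIN = "corp.example"
# Labels that appear in AD domain-controller locator (SRV) names.
AD_LABELS = {"_msdcs", "_ldap", "_kerberos", "_gc", "_kpasswd"}

# Constructed sample, one query per line: "time client resolver qtype qname"
SAMPLE_LOG = """\
05:10:01 10.0.0.21 10.0.0.5 SRV _ldap._tcp.dc._msdcs.corp.example
05:10:02 10.0.0.21 192.0.2.53 SRV _ldap._tcp.dc._msdcs.corp.example
05:10:03 10.0.0.21 192.0.2.53 A www.example.org
05:10:04 10.0.0.22 192.0.2.53 A dc01.corp.example
05:10:05 10.0.0.22 192.0.2.53 SRV _kerberos._tcp.corp.example
malformed line
"""

def is_internal(resolver):
    """True if the resolver address is inside one of the internal networks."""
    addr = ipaddress.ip_address(resolver)
    return any(addr in net for net in INTERNAL_NETS)

def reveals_ad(qname):
    """Return why a query name discloses the AD domain, or None."""
    name = qname.lower().rstrip(".")
    if AD_LABELS.intersection(name.split(".")):
        return "AD locator record"
    if name == AD_DOMAIN or name.endswith("." + AD_DOMAIN):
        return "internal domain name"
    return None

def find_leaks(log_text):
    """List AD-revealing queries that went to a non-internal resolver."""
    leaks = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not match the assumed format
        _, client, resolver, qtype, qname = parts
        try:
            internal = is_internal(resolver)
        except ValueError:
            continue  # resolver field is not an IP address
        reason = reveals_ad(qname)
        if reason and not internal:
            leaks.append((client, resolver, qtype, qname, reason))
    return leaks

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_LOG):
        print(*leak, sep="  ")
```

Clients that appear in the output are the ones whose resolver settings or forwarders need correcting so that internal names are only ever asked of the internal DNS servers.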
