Cleartext mail credentials?

KGhaleon Member Posts: 1,347
Recently I ran Cain on my company's network (with their knowledge, of course) and noted that I could *VERY* easily sniff out POP3 usernames and passwords within seconds. Is this something they can correct, or is there something we can do to prevent this?

KG
Present goals: MCAS, MCSA, 70-680
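What Cain surfaced here can be checked from a capture without the tool: the added example below (not from this thread) audits a reconstructed POP3 session transcript and reports any USER/PASS or AUTH PLAIN exchange that happened before a successful STLS upgrade. The "C: "/"S: " transcript format and the sample sessions are constructed for the example.

```python
"""Audit a sniffed POP3 session for credentials sent before TLS.

Added example, not from the thread. Input is a constructed transcript, one message per
line prefixed "C: " or "S: ", as a sniffer on TCP/110 would reconstruct the session.
"""
import base64
def _plain_user(blob):
    """Username (authcid) from a SASL PLAIN blob: authzid\\0authcid\\0password."""
    try:
        parts = base64.b64decode(blob, validate=True).split(b"\0")
    except ValueError:
        return "?"
    return parts[1].decode("utf-8", "replace") if len(parts) == 3 else "?"

def audit_pop3_session(transcript):
    """Return {'tls': bool, 'exposed': [(command, username_or_marker), ...]}."""
    findings = {"tls": False, "exposed": []}
    awaiting_stls_reply = awaiting_plain_blob = False
    for raw in transcript.splitlines():
        if raw[:3] not in ("C: ", "S: "):
            continue
        side, line = raw[0], raw[3:].strip()
        if side == "S":
            if awaiting_stls_reply and line.startswith("+OK"):
                findings["tls"] = True
                break  # everything after this is ciphertext on the wire
            awaiting_stls_reply = False
            continue
        if awaiting_plain_blob:  # second step of the "AUTH PLAIN" / "+" exchange
            awaiting_plain_blob = False
            findings["exposed"].append(("AUTH PLAIN", _plain_user(line)))
            continue
        verb, _, arg = line.partition(" ")
        if verb.upper() == "STLS":
            awaiting_stls_reply = True
        elif verb.upper() == "USER":
            findings["exposed"].append(("USER", arg))
        elif verb.upper() == "PASS":  # never copy the secret itself into a report
            findings["exposed"].append(("PASS", "<redacted>"))
        elif verb.upper() == "AUTH" and arg.upper().startswith("PLAIN"):
            blob = arg.partition(" ")[2]  # the initial response is optional
            awaiting_plain_blob = not blob
            if blob:
                findings["exposed"].append(("AUTH PLAIN", _plain_user(blob)))
    return findings

# Constructed sample captures (not real traffic); STLS_CAPTURE keeps lines after "+OK" to show the audit stops there.
CLEARTEXT_CAPTURE = "S: +OK ready\nC: USER alice\nS: +OK\nC: PASS hunter2\nS: +OK\nC: STAT\n"
STLS_CAPTURE = "S: +OK ready\nC: STLS\nS: +OK Begin TLS\nC: USER alice\nC: PASS hunter2\n"
PLAIN_CAPTURE = "S: +OK ready\nC: AUTH PLAIN\nS: +\nC: AGFsaWNlAGh1bnRlcjI=\nS: +OK\n"
```

A session that attempts STLS but gets -ERR back and then logs in anyway is still flagged, which is the downgrade case worth hunting for in real captures.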

Comments

  • Vask3n Member Posts: 517
    I believe the solution to cleartext mail communication was S/MIME, but I may be wrong.
    Working on MS-ISA at Western Governor's University
  • keatron Security Tinkerer Member Posts: 1,213
    Vask3n wrote:
    I believe the solution to cleartext mail communication was S/MIME, but I may be wrong.

    This is one solution. Just know that you'll have to set up a certificate server or use a third party (RSA, Verisign, etc..).
  • KGhaleon Member Posts: 1,347
    So I'm assuming that this activity is normal, or should I go out of my way to fix it? It was over a wireless signal, which was the issue. I'm not concerned with employees...but then again...

    KG
    Present goals: MCAS, MCSA, 70-680
  • sprkymrk Member Posts: 4,884
    KGhaleon wrote:
    So I'm assuming that this activity is normal, or should I go out of my way to fix it? It was over a wireless signal, which was the issue. I'm not concerned with employees...but then again...

    KG

    Your company is passing cleartext usernames and passwords over wireless?
    Research wireless best business practices and implement some security just as quickly as you can. And I would be VERY concerned about employees...
    All things are possible, only believe.
  • KGhaleon Member Posts: 1,347
    Well, the wireless has WPA encryption...I'm just saying that POP3 packets with cleartext username and passwords are being found and it worried me.

    KG
    Present goals: MCAS, MCSA, 70-680
  • Sie Member Posts: 1,195
    Well, the wireless has WPA encryption

    WPA can still be cracked; it's much harder to do, but it can be. The last thing I read, I think, explained how it worked but required an authenticated client to 'reconnect' to the LAN.

    Though I could be wrong.
    Foolproof systems don't take into account the ingenuity of fools
  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 11,890
    WPA and WPA2 generate a new encryption key at a predetermined interval that all the connected clients and access points in a BSSID must use. If the regen interval is very small, say one or two hours, a cracker may not have enough time to discover the encryption key before a new one is created and put into use by the wireless network. It's an implementation of the rule "change all your passwords and change them often."
  • drakhan2002 Member Posts: 111
    Do you have any PCI data floating across email? PCI is stuff like credit card information, CCV, etc. If so, or you don't know, you should talk to whoever in your organization deals with PCI. According to the PCI, all credentials *must* be encrypted in transit - even over an internal network. PCI is rather viral in the sense that it further states that systems "attached to" systems processing credit card information must comply with PCI.

    Forgetting the PCI altogether, it is Information Security "best practice" to encrypt credentials in transit and at rest. Your organization may or may not have the staff to handle a situation like this. Or it may not be a priority. Either way, your company has a vulnerability. It is not a matter of "if this will happen", it is a matter of "when it will happen." Once it does, it will be too late, obviously.

    There are a few more vulnerabilities here, especially with the wireless, but at least you're using WPA (hopefully WPA-Enterprise with a RADIUS server). Anyway, good luck with that issue you have there...
    It's not the moments of pleasure, it's the hours of pursuit...
  • KGhaleon Member Posts: 1,347
    No, nothing important is being sent in those emails. They aren't used that much, actually. I just don't like the idea of someone getting ahold of even one of them. I've read a number of different solutions...but which is the best for keeping people from browsing your traffic? Most employees use Outlook. I most likely won't be the one to implement the fix, so I'm really just researching a solution. I'm going to look into the suggestions and see if one would be appropriate for this type of network.

    So rather than wireless, is it advisable that we cable everything? It's most likely an option since we don't have that many devices using it.

    KG
    Present goals: MCAS, MCSA, 70-680
  • mrhaun03 Member Posts: 359
    KGhaleon wrote:
    No, nothing important is being sent in those emails. They aren't used that much, actually. I just don't like the idea of someone getting ahold of even one of them. I've read a number of different solutions...but which is the best for keeping people from browsing your traffic? Most employees use Outlook. I most likely won't be the one to implement the fix, so I'm really just researching a solution. I'm going to look into the suggestions and see if one would be appropriate for this type of network.

    So rather than wireless, is it advisable that we cable everything? It's most likely an option since we don't have that many devices using it.

    KG

    We use Outlook too. For our laptop users we have HTTP over RPC. Basically, the laptop users can use Outlook even when they're not on our network and it's over secure HTTP.
    Working on Linux+
  • drakhan2002 Member Posts: 111
    KGhaleon wrote:
    No, nothing important is being sent in those emails.

    Good.
    KGhaleon wrote:
    ...but which is the best for keeping people from browsing your traffic?

    Encryption of some form. S/MIME, HTTPS - depends how your email is configured. Encryption is the *best* at keeping people from browsing traffic.
    KGhaleon wrote:
    So rather than wireless, is it advisable that we cable everything?

    In my opinion, if you don't have a wireless expert on staff, then cable everything. Wireless takes a unique skill set and not everyone has the time or energy to get up to speed on yet another technology. Having things cabled will eliminate the risks associated with wireless...
    It's not the moments of pleasure, it's the hours of pursuit...
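    On the "encryption of some form" point: S/MIME protects message contents, while what hides the POP3 login itself is transport encryption of the session. The added example below (not from this thread or any poster) shows a client that sends USER/PASS only after TLS is in place, either via STLS on port 110 or implicit TLS on port 995, and refuses to fall back to cleartext. Host, user and password are placeholders supplied by the caller.

```python
"""Log in to a POP3 server only after TLS is established; never fall back to cleartext.

Added example, not from the thread. The pattern the poster sniffed is
``poplib.POP3(host).user(u)`` / ``pass_(pw)`` on port 110 with no STLS;
the two functions below are the hardened forms.
"""
import poplib
import ssl

def stls_offered(capabilities):
    """True if the server's CAPA response (a dict, as poplib.capa() returns) advertises STLS."""
    return "STLS" in {name.upper() for name in capabilities}

def login_with_stls(host, user, password, port=110):
    """Connect on the cleartext port, upgrade with STLS, and only then send USER/PASS.

    Raises RuntimeError instead of downgrading when STLS is missing; a client that
    silently falls back to cleartext is exactly what a sniffer on the path relies on.
    """
    context = ssl.create_default_context()  # verifies the certificate chain and hostname
    conn = poplib.POP3(host, port, timeout=10)
    try:
        if not stls_offered(conn.capa()):
            raise RuntimeError(f"{host}:{port} does not offer STLS; refusing cleartext login")
        conn.stls(context=context)
        conn.user(user)
        conn.pass_(password)
    except Exception:
        conn.close()
        raise
    return conn

def login_implicit_tls(host, user, password, port=995):
    """Implicit TLS (port 995): the socket is encrypted before the first command is sent."""
    conn = poplib.POP3_SSL(host, port, timeout=10, context=ssl.create_default_context())
    conn.user(user)
    conn.pass_(password)
    return conn
```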
  • seuss_ssues Member Posts: 629
    Just because you eliminate the wireless network and cable everything, it will not prevent clear text protocols from being sent. It will just restrict it to the cables rather than the airwaves.

    Additionally, if you use a switch it will make it more difficult to sniff the traffic.