Cleartext mail credentials?

Recently I ran Cain on my companies network(with their knowledge, of course) and noted that I could *VERY* easily sniff out POP3 username and passwords within seconds. Is this something they can correct or is there something we can do to prevent this?

KG

Find more posts tagged with

Comments

Vask3n

I believe the solution to cleartext mail communication was S/MIME, but I may be wrong.

keatron

Vask3n wrote:

I believe the solution to cleartext mail communication was S/MIME, but I may be wrong.

This is one solution. Just know that you'll have to set up a certificate server or use a third party (RSA, Verisign, etc..).

KGhaleon

So I'm assuming that this activity is normal, or should I go out of my way to fix it? It was over a wireless signal, which was the issue. I'm not concerned with employees...but then again...

KG

sprkymrk

KGhaleon wrote:

So I'm assuming that this activity is normal, or should I go out of my way to fix it? It was over a wireless signal, which was the issue. I'm not concerned with employees...but then again...

KG

Your company is passing clear text usernames and passwords over wireless?

Research wireless best business practices and implement some security just as quick as you can. And I would be VERY concerned about employees...

KGhaleon

Well, the wireless has WPA encryption...I'm just saying that POP3 packets with cleartext username and passwords are being found and it worried me.

KG

Sie

Well, the wireless has WPA encryption

WPA can still be cracked much harder to do but can be. Last thing i read i think explained how it worked but required an authenticated client to 'reconnect' to the LAN.

Though i could be wrong

JDMurray

WPA and WPA2 generate a new encryption key at a predetermined interval that all the connected clients and access points in a BSSID must use. If the regen interval is very small, say one or two hours, a cracker may not have enough time to discover the encryption key before a new one is created and put into use by the wireless network. It's an implementation of the rule "change all your passwords and change them often."

drakhan2002

Do you have any PCI data floating across email? PCI is stuff like credit card information, CCV, etc. If so, or you don't know, you should talk to whomever in your organization that deals with PCI. According to the PCI, all credentials *must* be encrypted in transit - even over an internal network. PCI is rather viral in the sense that it further states that systems "attached to" systems processing credit card information must comply to PCI.

Forgetting the PCI altogether, it is Information Security "best practice" to encrypt credentials in transit and at rest. Your organization may or may not have the staff to handle a situation like this. Or it may not be a priority. Either way, you're company has a vulnerability. It is not a matter of "if this will happen", it is a matter of "when it will happen." Once it does, it will be too late, obviously.

There are few more vulnerabilities here, especially with the wireless, but at least you're using WPA (hopefully WPA-Enterprise with a RADIUS server). Anyway, good luck with that issue you have there...

KGhaleon

No, nothing important is being sent in those emails. They aren't used that much, actually. I just don't like the idea of someone getting ahold of even one of them. I've read a number of different solutions...but which is the best for keeping people from browsing your traffic? Most employees use Outlook. I most likely won't be the one to implement the fix, so I'm really just researching a solution. I'm going to look into the suggestions and see if one would be appropriate for this type of network.

So rather than wireless, is it suggestable that we cable everything? It's most likely an option since we don't have that many devices using it.

KG

mrhaun03

KGhaleon wrote:

No, nothing important is being sent in those emails. They aren't used that much, actually. I just don't like the idea of someone getting ahold of even one of them. I've read a number of different solutions...but which is the best for keeping people from browsing your traffic? Most employees use Outlook. I most likely won't be the one to implement the fix, so I'm really just researching a solution. I'm going to look into the suggestions and see if one would be appropriate for this type of network.

So rather than wireless, is it suggestable that we cable everything? It's most likely an option since we don't have that many devices using it.

KG

We use Outlook too. For our laptop users we have HTTP over RPC. Basically, the laptop users can use Outlook even when they're not on our network and its over secure HTTP.

drakhan2002

KGhaleon wrote:

No, nothing important is being sent in those emails.

Good.

KGhaleon wrote:

...but which is the best for keeping people from browsing your traffic?

Encryption of some form. S/MIME, HTTPS - depends how your email is configured. Encryption is the *best* at keeping people from browsing traffic.

KGhaleon wrote:

So rather than wireless, is it suggestable that we cable everything?

In my opinion, if you don't have a wireless expert on staff, then cable everything. Wireless takes a unique skill set and not everyone has the time or energy to get up to speed on yet another technology. Having things cabled will eliminate the risks associated with wireless...

seuss_ssues

Just because you eliminate the wireless network and cable everything it will not prevent clear text protocols from being sent. It will just restrict it to the cables rather than the airwaves.

Additionally if you use a switch it will make it more difficult to sniff the traffic.