Solved

Application security.

Posted on 2004-08-04
32
417 Views
Last Modified: 2010-04-11
I've written a client/server communications app in Java which allows a group of users to send email-like messages to one another, which pass over the net but are not held by any third party or intermediate machines.

I'd like any thoughts on how secure this system is, without SSL or other encryption.
0
Question by:krakatoa
32 Comments
 
LVL 51

Accepted Solution

by:
ahoffmann earned 85 total points
ID: 11713869
> without SSL or other encryption
insecure. Dot.
0
 
LVL 16

Author Comment

by:krakatoa
ID: 11713880
>> insecure. Dot ....

I can believe that, but my question is really asking you in what way it is insecure.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 11714113
anything you define as insecure
0
 
LVL 16

Author Comment

by:krakatoa
ID: 11714309
I'll take that comment then as supporting the notion that my app is completely secure, since I don't know of a way that internet packets can be intercepted.
0
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 11714347
Hmmm... that demands complete and comprehensive thinking. You may use a unique signature that will check for the proper application availability, minimize the application's ability to control resources in any way, use a central server that will allow message forwarding according to an address set you choose, and so forth. What is YOUR thought about a generic security architecture?

Cyber
0
 
LVL 16

Author Comment

by:krakatoa
ID: 11714475
My only thinking is that the way my prog sends and receives messages being unlike that used by email and Messenger where the messages pass across or are held on servers, can only be insecure if a third party can obtain the packets as they are in transit.

I am not worried about the security on the sending and receiving machines as such.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 11714606
aha, we get closer to the problem (your understanding of security), sorry for my early sarcastic comments, but the provided information was too short to give better suggestions.

> .. which pass over the net but are not held by any third party or intermediate machines
and
> .. can only be insecure if a third party can obtain the packets as they are in transit.
that's exactly the point: each packet passes the net, which means an infinite number of machines in between, hence each of these *can* sniff the traffic and store what it sees.
Is that insecure for you?
To make it more secure (as I understand security), you need data encryption and checksums, first to hide data from everyone, second to ensure that the sent data has not been changed in between.
0
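The integrity goal named in the comment above depends on whether the checksum is keyed. The following is an added example, not code from any participant in this thread; the frame layout, function names, key and sample message are constructed for illustration.

```python
import hashlib
import hmac
import zlib

KEY = b"constructed-shared-secret"          # assumption: agreed out of band
MESSAGE = b"pay 100 to account 12345"       # constructed sample payload


def frame_crc(msg: bytes) -> bytes:
    """Append an unkeyed CRC32: detects line noise, not deliberate change."""
    return msg + zlib.crc32(msg).to_bytes(4, "big")


def check_crc(frame: bytes) -> bool:
    msg, tag = frame[:-4], frame[-4:]
    return zlib.crc32(msg).to_bytes(4, "big") == tag


def frame_hmac(key: bytes, msg: bytes) -> bytes:
    """Append HMAC-SHA256: only holders of the key can produce a valid tag."""
    return msg + hmac.new(key, msg, hashlib.sha256).digest()


def check_hmac(key: bytes, frame: bytes) -> bool:
    msg, tag = frame[:-32], frame[-32:]
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def altered_in_transit(frame: bytes, tag_len: int) -> bytes:
    """Model a device on the path that changes the payload and, having no
    key, can only recompute an unkeyed CRC32 over the new payload."""
    msg = frame[:-tag_len].replace(b"12345", b"99999")
    crc = zlib.crc32(msg).to_bytes(4, "big")
    return msg + crc.ljust(tag_len, b"\x00")


def demo() -> dict:
    crc_frame = altered_in_transit(frame_crc(MESSAGE), 4)
    mac_frame = altered_in_transit(frame_hmac(KEY, MESSAGE), 32)
    return {
        "crc_accepts_altered": check_crc(crc_frame),
        "hmac_accepts_altered": check_hmac(KEY, mac_frame),
        "hmac_accepts_original": check_hmac(KEY, frame_hmac(KEY, MESSAGE)),
    }


if __name__ == "__main__":
    print(demo())
```

Neither tag hides the payload; confidentiality still needs the encryption the comment mentions.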
 
LVL 16

Author Comment

by:krakatoa
ID: 11714699
>> means a infinite number of machines inbetween ...

what machines are you referring to here? AFAIK, only routers are involved in forwarding packets. My app contains its own server and clients, so there are never any requirements for third party computers to handle any data. How would anyone sniff that lot?
0
 
LVL 16

Author Comment

by:krakatoa
ID: 11714725
>> To make it more secure (as I understand security), you need data encryption ...

I am not referring to that type of security - I don't want to consider encryption in this, simply the capture (and not the plaintext reconstruction of) the message in transit. I want to know who, how and where the transiting information can be picked up - whatever form it's in - given that it never resides on other computers.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 11715001
> I want to know who, how and where the transiting information can be picked up  ..
as I said (assuming server and client itself secure): anything in between == cable, hub, switch, router, gateway, what else, ...
0
 
LVL 16

Author Comment

by:krakatoa
ID: 11715103
OK - so how would the integral payload be captured, given that packets may take a number of varying routes across the wires, hubs and routers of the 'net?
0
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 11715168
At first I wish you luck with your new software you are programming.

Data can be picked in many forms. We can pick up data by tapping directly to a network. This can be achieved by emitting an end console with the address the message is intended. We can do that using Spoofing technology. Also, we can act as behalf someone in the same manner. Also, we know that wires are like big antennas, we can use tapping equipment (such as a DataScope).
Also you can get information through the imitation of users, trojans and back doors (and those, my friend, are things you cannot do anything to prevent from appearing).

Further details?

Just yell...

Cyber
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 11715226
> ..  how would the integral payload be captured ..
you can find infinite books in any bookstore to give answer to this "how does it work"-question; for a few examples see Cyber-Dude's comment.
The simplest one is tapping on the wire with whatever you find useful for it. Anything else is more or less sophisticated.
0
 
LVL 10

Expert Comment

by:dis1931
ID: 11715280
I would say you are fine.  If you are not worried about security on the PCs using the app or the server using the app or on the internal networks that house these PCs/servers then you are fine.  I would say that your main concern is not on the Internet because they travel through routers and few if anyone has direct access and if they do I doubt they spend time sniffing packets as a core router or even a smaller router would pass traffic so quickly that it would be almost impossible to find your traffic unless they knew about it and were looking for it.  

I guess if people know about your application and what ports it uses they can attempt to infiltrate your network/router to access these packets and then they will be unencrypted but most likely no one will care....lol

Dis
0
 
LVL 16

Author Comment

by:krakatoa
ID: 11715491
dis1931:

I have to be careful about "agreeing" with you, because I don't want to put myself in the position of accepting an answer because it is the one I want to hear, rather than one I don't want to hear, but having said that, I would imagine your scenario is more like the truth. The other comments have not really answered at all how it's possible to marshal all the packets together again in one place so they can be reconstructed, and once the packets are not integral, there would be no way of knowing what the message really contained.


0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 11715701
> .. answered at all how it's possible to marshall all the packets together again in one place so they can be reconstructed, ..
sorry, there're millions of ways to do that, hence we don't give an example for it
examples wanted? here we go: tcpdump, ethereal, packetyzer ...

> ..  there would be no way of knowing what the message really contained.
do you really believe that it's a heavy task to reconstruct plain text messages from their fragments?
Assuming that *your* packets (text fragments) are not of size 1 byte and in any random order, it's a few seconds' job (even for humans) to sort them together.

This is a security TA, so what answers are you expecting?
The "how does the world work"-question cannot be answered 'cause of limited people, time, resources, whatever.
Please specify your question, the one you asked initially has been answered completely several times herein, first time see the very first comment http:#11713869

> The other comments have not really answered at all how  ..
this is not true (see comment above). Anyway, such words are most likely to start a flame war. EE is not a place for flame wars.

Please calm down, rethink about your problem, then describe the security related part of it and ask your detailed question. That way you get an answer.
0
 
LVL 15

Assisted Solution

by:Cyber-Dude
Cyber-Dude earned 165 total points
ID: 11715980
Each packet has some sort of a serial number at its top header. That serial number is divided into two where there is a number for the application causing the traffic and the order number designated to that application. If I want to hijack a session, I am telling a switch that my MAC address is XXX and I am, in fact, the PC to receive packets sent from YYY to XXX. It is easy to edit any packet header in the service level to confuse it so that it would arrive to the false XXX rather than the real XXX. You can, in some cases, forward all packets to the true XXX so that the true XXX won't even notice that its packets are being tapped...

I can't tell you here everything about the architecture due to known issues but that is the general idea.

In wireless tapping, you can listen to the order packets are transmitted by the header - thus packet serial number, the designation of MAC address and the application causing the traffic...

Also... this is the generic idea...

Hope that helped...

Cyber
0
 
LVL 16

Author Comment

by:krakatoa
ID: 11715989
>> Please calm down ...

Look, I contribute in the Java TA as an expert as well, ok. Please don't ask me to calm down, since I am not worked up, although by the attitude of your first answers I should be.

If you don't have time to answer questions, or want to tell me I am asking how does it work questions, then you are in the wrong arena, and can just deal with the high end questions that you are surely good at. In the meantime these are my points, and I expect more than just generic "you are barking up the wrong tree" or "this can be done easily" type answers that are every bit as vague and useless as you accuse my question of being. And hey, let's not start a flame war - you have to take it on the chin. ;)

0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 11716465
LOL
so, we both calm down for various or unknown reasons ;-)
Sorry, I know my comments are a bit sarcastic, sometimes, somehow, but they've never been meant as an offence.

Back to the topic:
seems I'm too stupid to get used to your question. For me it's a generic one.
Even so, as you see in previous comments, there have been given a few examples "how it works".
Is this what you want to know?
0
 
LVL 10

Assisted Solution

by:dis1931
dis1931 earned 100 total points
ID: 11716923
It would not be very hard at all to read a plain text packet; just sniff some packets and you will see that plain text can fairly easily be read and pieced together.  Yes it is quite possible to intercept and piece together plain text messages or even get the gist of the text even if missing some packets.  Realistically it is unlikely and improbable.  I would be more concerned with snoopers at either of the endpoints.  However, if you have confidential data that you are trying to keep confidential I would suggest adding encryption or some kind of VPN tunnel to access the software.  If you are not worried about security then don't worry.  I guess I am confused...It is always possible to intercept traffic if someone is trying hard enough and has the appropriate knowledge and hacking skills to acquire the data.  And very simply put if you want to send plain text out to the Internet then you are putting that data out there for anyone with the time and resources to do so.

The simple answer is if you are concerned about security then you should make an effort to implement encryption or some other form of security to prevent plain text from going out.  For example, I used to work for a company that had secure information and we used a proprietary IM client with encryption and access to the server could only be done through a Cisco VPN connection.  So I had a VPN tunnel with encrypted data going across the Internet because the information was proprietary development information that no one should have access to.  However, this is extreme if you are just chit chatting and not passing across vital information or information that doesn't need to be in the public domain.  If you want specific examples of how your traffic can be intercepted, we probably need more information about the server/environment of the network and those connecting to it.
0
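The reassembly question raised in the thread comes down to sorting by the TCP sequence number, which is why an unencrypted payload has no protection once its segments are visible to a device on the path. This is an added example, not code from any participant; it works only on constructed in-memory segments, and the names Segment, reassemble, ISN and the sample message are assumptions, as is the absence of sequence-number wraparound.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # sequence number of the first payload byte
    payload: bytes


def split_into_segments(data: bytes, isn: int, mss: int) -> list:
    """Cut a message into segments the way a sender's TCP stack would."""
    return [Segment(isn + 1 + i, data[i:i + mss]) for i in range(0, len(data), mss)]


def reassemble(segments, isn: int) -> bytes:
    """Rebuild the byte stream from segments seen in any order.

    Assumption: the 32-bit sequence number does not wrap within the stream.
    """
    stream = bytearray()
    next_seq = isn + 1                      # first data byte follows the SYN
    for seg in sorted(segments, key=lambda s: s.seq):
        end = seg.seq + len(seg.payload)
        if end <= next_seq:
            continue                        # retransmission, already have it
        if seg.seq > next_seq:              # a segment was never observed
            stream += b"[%d bytes missing]" % (seg.seq - next_seq)
            next_seq = seg.seq
        stream += seg.payload[next_seq - seg.seq:]   # drop any overlap
        next_seq = end
    return bytes(stream)


ISN = 1_000_000
MESSAGE = b"FROM:alice TO:bob BODY:the meeting moved to 15:00 in room 4\n"
IN_ORDER = split_into_segments(MESSAGE, ISN, mss=16)

# Constructed observation: reverse order, one retransmission, one overlap.
CAPTURE = list(reversed(IN_ORDER)) + [IN_ORDER[1], Segment(ISN + 9, MESSAGE[8:24])]
# Constructed observation with the third segment never seen.
LOSSY = [s for s in reversed(IN_ORDER) if s is not IN_ORDER[2]]

if __name__ == "__main__":
    print(reassemble(CAPTURE, ISN).decode())
    print(reassemble(LOSSY, ISN).decode())
```

A TLS-wrapped connection exposes the same sequence numbers, but the reassembled bytes are ciphertext.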
 
LVL 16

Author Comment

by:krakatoa
ID: 11719354
>>  we probably need more information about the server/environment of the network and those connecting to it.

I suppose this is my point, and addressing it now will also address ahoffman's point to me which I understand and appreciate his calmness on. ;)

To put it bluntly, I am not all that interested *personally* in encryption, but it would be good to have it on the app., since it could deal with sensitive information. That said, I want to see some actual proof that someone can swipe the information my app sends, so that, well, I just 'know' it can happen. Sounds naive, amateur and flying in the face of reason I know, but that's what I'd like to have demonstrated to me. The app is finished and runs pretty much ok, so this is one of the last pieces in the jigsaw. (Incidentally, I should mention that I have successfully already implemented SSL in a separate prototype of the app., but it is not included in the working model at this time).
0
 
LVL 16

Author Comment

by:krakatoa
ID: 11719508
>> For me it's a generic one ...

ahoffman ... I suppose my question could be put one other way  : for whom are the difficulties of packet sniffing easily surmountable? How many people - who might even be able to crack encryption on data passed by more traditional means  such as email and web - would be excluded from "cracking" into the message passing on my app due to the fact that it was physically more problematic to obtain, not necessarily logically more or less difficult to decrypt. To call a spade a spade, I'd like to know who would be able to obtain that capability or who has it already.
0
 
LVL 10

Expert Comment

by:dis1931
ID: 11719555
I think anyone actually proving it to you would require hacking and information that we don't have such as IPs, etc...and probably committing a crime by breaking into your router or whatever your network set up is.  I mean we all know how people steal credit card numbers or other information after breaking into certain networks or databases and this is after having to bypass many security measures setup by security consultants whose job it is to protect information from hackers.  If they can break into that I think they can break into your clear text messaging server and for that matter even if you do secure it further by using encryption.  But encryption/SSL is used to deter the common observer of network traffic possibly on your local LAN or on a remote LAN that has managed to gain access to some part of your network and is listening for something good.

If you've already done it and SSL works then use it and forget it....
0
 
LVL 16

Author Comment

by:krakatoa
ID: 11719625
Well, it all belongs to me and not a company, and is all on this machine, a laptop, which is on a two-machine wireless LAN, and that's it. I have an IP for the server which the client targets, and off it goes. All I want to see is that if I tell a third person who doesn't have a copy of the client software what the IP of this, the server machine, is, will he be able to grab enough information to make sense of what is being said? As I said before, the difference between this and the sort of information that hackers target, is that mine is not held on a disk anywhere, so I can't believe they could do it.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 11720263
> ..  wireless LAN, ..
and then asking if a clear text protocol is secure, is this a joke? sorry for being sarcastic again ;-)

> .. who doesn't have a copy of the client software ..
You don't need anything, nor do you need an IP. Wireless LAN: just software to decrypt weak WLAN protocols (search the web and you find countless ones:), join/hijack the network as you like, read and write what you want, or even what you could not imagine. This is script-kiddie's recreation exercise ...

Excuse me again, but talking about a clear text protocol in WLAN and saying it's secure is magic, really magic.
I'll second previous comments (not ahoffmann's :-): forget it, if you think secure, use at least SSL/TLS

Again (I'm repeating): all you need is tcpdump, well pretty old (roughly 30 years), and no click&type GUI, just options, everyone used to read man-pages can use it in roughly 5 minutes to collect all your packets.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 11723522
Glad to see that you've read the comments carefully, and we hopefully helped you understanding security a bit more. Security is a process, not a product.
0
 
LVL 16

Author Comment

by:krakatoa
ID: 11724071
It's just that when I ask a programming question on EE, I can try the answer out to establish whether it works or not. I can't see how I can do it myself in this case without concocting a false scenario. So someone has jdump or whatever it's called - I still can't see how they would ever get access to the packets sent from this machine, and I would, just like when you buy a piece of machinery, like to see it working in front of me, if you get my drift.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 11729119
again, simply use tcpdump for example on your own server or client and see what you can see ;-)
0
 
LVL 16

Author Comment

by:krakatoa
ID: 11729964
OK, I'll take a shuftee sometime! Arriverwiedersehen compadres!
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 11730184
Hasta luego Arri vidergi Au Revoir Allah ismarladik Auf Wiedersehen Pfiad di Adjö  
:-)
0
 
LVL 16

Author Comment

by:krakatoa
ID: 11730880
And of course hoffers, I'll tap someone else's machine to get it, rather than buy!!!

Oahha ha ha ha ha!!!!!!
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 11733088
well, someone else's machine, in some magazines you can read how to tap on someone else's internet connection without paying, just using war driving hot spots ;-)
0
