On 12/5/2014 10:59 AM, Richard Pieri wrote:
On 12/4/2014 11:42 PM, John Abreau wrote:
On the other hand, if you accept the bad guy's poisoned DNS data:

Long story short: Joe is screwed either way. Or I am depending on who takes the fall. If someone is reprimanded or fired or even killed because a security system is working as designed? That's a terrible system.


No offense, but Joe might not have a choice: the hotel wants him to click on a user agreement, and so the box they've bought will intercept every DNS call and redirect it to their consent page before allowing Joe to connect to the net. I can't say if that's going to happen at Starbucks or [whereever], but it might.

I don't know if that agreement gives the hotel/mega-corp permission to monitor emails as well as collect the click list, but MITM attacks require Joe to agree to accept an invalid certificate at some point, and it's possible to disable his ability to do so. End-to-end email encryption would prevent any monitoring of the email, and a corporate VPN would obviate the problem altogether. Some companies avoid the issue altogether by entering fixed IP addresses in VPN scripts - the only matching key is/should be at the VPN box/server, so there's no loss of flexibility, and IP addresses are cheap enough if the company wants to provide a backup. In any case, Joe's logs will verify that he made the attempt.

Of course, theory and practice often differ in security, and we've all met mister "JustDoItOrYou'reFired" who likes to tell us to break the rules, but that isn't a technical problem. A well designed security suite will give Joe the option of sending his reports by encrypting them first with a few key clicks.

FWIW. YMMV.

Bill Horne

--
E. William Horne
339-364-8487

_______________________________________________
Discuss mailing list
[email protected]
http://lists.blu.org/mailman/listinfo/discuss

Reply via email to