Re: Show a login dialog box before the main application
Send me private email and I'll mail you my password snarfer. You will quickly see that
(a) I don't have to touch your app and (b) I'll get your password anyway. As long as
you're running in the default desktop, you're vulnerable to a truly trivial hack. In my
security course I also show how this can be trivially loaded via an ActiveVirus control.

Now the question is, what rights do I gain by doing this? If, as you say, all I get is a
CD/DVD server, then it isn't a big hole, but then, if there is no major loss if someone
gets access to the service, what's the need to log in?

We use a login for one app where the purpose of the login is to keep people from tweaking
the device parameters without having tech support on the line. It has no financial value
at all. So there's no concern about anyone getting the password. But my friend's laptop
actually has significant value for someone who can get into his company database. Big
value, as in easily hundreds of thousands of dollars. And the attack which revealed a
password to a "top secret" database has immense value as well. Logins like this need a
lot of protection.
joe

On Mon, 5 Jun 2006 10:47:07 -0700, "Tom Serface" <tserface@xxxxxxx> wrote:

I'd say it depends on what you are logging into... In my application I do a
connect dialog before showing the application by hiding the Mainframe window
until I want it to show up and making GetDesktopWindow() the parent of the
dialog and it works OK. Of course, if someone "hacked" into my application
the best they would get is access to our CD/DVD burning server so it
wouldn't be much of a security hole. I force the user to login to a server
before the program continues to the UI stage.

Tom

"Joseph M. Newcomer" <newcomer@xxxxxxxxxxxx> wrote in message
news:85a2821rmi5r1drp9nhq9utfiu4m474bqb@xxxxxxxxxx
You have to do it in a separate desktop. It has been too many years since I looked at desktops, but classic snarfing hooks won't function across desktops.

I have a friend who works for a major multinational. He has a large "lump" glued to his laptop cover (literally!), which is the VPN encryption box that lets him get into the corporate network securely. So we loaded my password snarfer onto his machine, just as an experiment, and I had his password about a second after he typed it (he then promptly removed my snarfer, and changed his password back to the one he normally used). So then I asked him if he actually knew that my snarfer was removed, and of course he didn't know if it was (yes, it was, but a real attack would have put a honeypot out to delete). He and I always have great laughs about "corporate security" types who are completely clueless about security. I haven't seen him since last year, but he took a copy of my program back with him to scare the living daylights out of the security people.
joe

Joseph M. Newcomer [MVP]
email: newcomer@xxxxxxxxxxxx
Web: http://www.flounder.com
MVP Tips: http://www.flounder.com/mvp_tips.htm
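Joe's advice, as a script you can try without building an MFC app. This is an added example, not code from anyone in the thread: Windows PowerShell 5.1 driving the same Win32 calls an MFC login dialog would make (CreateDesktop, SetThreadDesktop, SwitchDesktop), with the class and function names (PrivateDesktopPrompt, Ask) being my own. A keyboard hook installed on the default desktop, the "snarfer" of the thread, is attached to that desktop's window manager state and does not receive the keystrokes typed into this dialog.

```powershell
# Added example (not from the thread): ask for a password on a private desktop so a
# WH_KEYBOARD / WH_KEYBOARD_LL hook living on "Default" never sees the keystrokes.
# Windows PowerShell 5.1, interactive session. Class/method names are my own.
$src = @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Threading;
using System.Windows.Forms;

public static class PrivateDesktopPrompt
{
    const uint GENERIC_ALL = 0x10000000;
    const uint DESKTOP_SWITCHDESKTOP = 0x0100;

    [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern IntPtr CreateDesktop(string name, IntPtr device, IntPtr devmode,
                                       int flags, uint access, IntPtr sa);
    [DllImport("user32.dll", SetLastError = true)]
    static extern IntPtr OpenInputDesktop(int flags, bool inherit, uint access);
    [DllImport("user32.dll", SetLastError = true)]
    static extern bool SetThreadDesktop(IntPtr desktop);
    [DllImport("user32.dll", SetLastError = true)]
    static extern bool SwitchDesktop(IntPtr desktop);
    [DllImport("user32.dll", SetLastError = true)]
    static extern bool CloseDesktop(IntPtr desktop);

    // Returns what the user typed, or null if the dialog was cancelled.
    public static string Ask(string caption)
    {
        // Remember the desktop the user is looking at now, so we can switch back.
        IntPtr original = OpenInputDesktop(0, false, DESKTOP_SWITCHDESKTOP);
        if (original == IntPtr.Zero) throw new Win32Exception();

        // Fresh desktop with an unpredictable name; hooks on "Default" stay on "Default".
        IntPtr priv = CreateDesktop("Login_" + Guid.NewGuid().ToString("N"),
                                    IntPtr.Zero, IntPtr.Zero, 0, GENERIC_ALL, IntPtr.Zero);
        if (priv == IntPtr.Zero) throw new Win32Exception();

        string typed = null;
        Exception failure = null;
        // SetThreadDesktop only works for a thread that owns no windows yet,
        // hence a dedicated thread that moves itself before creating the dialog.
        Thread ui = new Thread(delegate() {
            try {
                if (!SetThreadDesktop(priv)) throw new Win32Exception();
                using (Form f = new Form())
                using (TextBox box = new TextBox())
                using (Button ok = new Button())
                {
                    f.Text = caption;
                    box.UseSystemPasswordChar = true; box.Dock = DockStyle.Top;
                    ok.Text = "OK"; ok.Dock = DockStyle.Bottom; ok.DialogResult = DialogResult.OK;
                    f.Controls.Add(box); f.Controls.Add(ok);
                    f.AcceptButton = ok;
                    if (f.ShowDialog() == DialogResult.OK) typed = box.Text;
                }
            } catch (Exception e) { failure = e; }
        });
        ui.SetApartmentState(ApartmentState.STA);
        ui.Start();
        try {
            if (!SwitchDesktop(priv)) throw new Win32Exception();  // screen now shows only our dialog
            ui.Join();
        } finally {
            SwitchDesktop(original);                                 // always give the screen back
            CloseDesktop(priv);
            CloseDesktop(original);
        }
        if (failure != null) throw failure;
        return typed;
    }
}
'@
Add-Type -TypeDefinition $src -ReferencedAssemblies System.Windows.Forms, System.Drawing

$secret = [PrivateDesktopPrompt]::Ask("Enter password")
if ($secret -ne $null) { "got {0} characters" -f $secret.Length }
```

To see the effect, run a keylogger test harness of your own on the default desktop first: it captures what you type into a normal Get-Credential prompt, and captures nothing while this dialog is up. Two caveats a practitioner should keep in mind. The isolation is against hooks already sitting on "Default", which is the trivial attack the thread describes; a process running as the same user can still EnumDesktops or OpenDesktop the new desktop by name, because CreateDesktop with a null security descriptor gives it the caller's default DACL, so this is not a defence against malware at your own privilege level that knows the trick. And Ask returns the password as an ordinary .NET string; real code should keep it in a SecureString or a pinned buffer it can wipe.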