>From: "Don Weber" <Donat_private> ... >we use it here primarily for the ability it provides in secure >messages >over icq and one of the others it supports, as far as >security, it does i >blv, store passwords and the like in the registry >and other text files, >here's an old post i just found again related to >trillion. but I'd think >personally, if someone can get to this, your >already in trouble I brought this up with the developer of trillian several months ago because I did some testing of the client when it first came out. I was informed that security was only a temporary fix and that eventually everything is broken, so it is not worth wasting development time on. On machines with multiple users (win2k, XP), trillian does not do any file protection (USERS group is allowed read\execute access to the default directory). The encryption scheme used is very simple to crack. It uses static tables defined in the program to generate the passwords based on length. i.e., passwords that are between 1-5 characters (if I remember correctly) use 1 table, 6-15 characters uses another, and anything over that uses a third table. To crack it, you can sipmly compare passwords of various lengths to the previous password that was used, and in this manner recreate the table used in under 20 minutes. Another issue that I found was that when accessing a hotmail account from trillian, the password is passed to the server in cleartext. If anyone wants a users hotmail password, they only have to wait for the user to access their account and run a browser cache recovery tool. After the hostile meeting with the developer I determined that Trillian was not worth my time or the risk associated with using it. If the local security is that weak, I only wonder what the "encrypted chat" algorithms look like. >Trillian has a system that creates .ini files for connecting to the >respective messenger services such as MSN,Yahoo,IRC,etc...which it >stores >in the users' directory.For example-the settings of a >particular user are >stored in his default user's directory.For >connecting to MSN there is a >file called msn.ini.For Yahoo...there is >yahoo.ini.And so on...These files >include the details of that user >such as his email id to connect to that >service,his contact >list,display options,and all that stuff. >But one thing that seems particularly interesting is that...it stores >the password to the service in an elementary encrypted format. >Trillian does not forbid access to any user's .ini files in any manner. >That leaves a huge security hole in the whole system.Anybody can just copy >and paste the "Profile" of the person to his own msn.ini file and gain full >access to the victim's respective service.Also the masked password appears >in the connection manager field which can be easily unmasked using a >password revealer like Cain.Thus revealing the password of that person.So >all you need to do is just gain access to the victim's .ini files in the >Trillian>>Users>>Victim folder and the work is done. >The .ini file looks like this...... >for example.....for msn service ... -dpx ======================= http://www.dataplex.org Email: dpxat_private ======================= _________________________________________________________________ Send and receive Hotmail on your mobile device: http://mobile.msn.com
This archive was generated by hypermail 2b30 : Thu Jun 06 2002 - 14:23:33 PDT