Gentoo Forums
Show the Pointy Headed Boss that http is insecure - how?
gnubuddy
n00b


Joined: 19 Dec 2008
Posts: 3

PostPosted: Fri Dec 19, 2008 10:16 am    Post subject: Show the Pointy Headed Boss that http is insecure - how?

The geniuses at my work place have coded themselves a web app that can be accessed remotely from any web browser. The app is intended for the entry of highly sensitive data, and is password protected by a default password that includes part of the user's social security number and other personal information that could easily lead to identity theft. If the preceding stupidity isn't enough, the server uses plain old http - there is no encryption at all. To top this off, all employees are REQUIRED to use this app - no alternative exists or is acceptable. EVERYONE has to use it by Jan 13th, so there is only a small window of time to address this.

Now, I've tried to tell the PHB and his minions that this is a security nightmare. However, everyone I've talked to is a non-technical person and I cannot convince them of the severity of the problem. The tech "experts" who created this nightmare swear up and down that their app is secure "because it requires a password to log in". They do not seem to understand that without https, the data is out in the open for anyone to grab off the network.

I need to demonstrate unequivocally for the powers that be that this app is insecure. The best way I can think to do this would be to demonstrate vividly the problem by grabbing someone else's password / login information off the network (with written permission from management as well as that other person, obviously.) Another vivid demo would be to capture and display the contents of the web page they're currently viewing on my computer, if this is possible.

While I know a little bit about TCP/IP and networking, I'm not a network security expert by a long shot. So here's the question: is there any Linux software that will do what I need, and do it without requiring complex configuration? Any pointers/tips/leads/howtos would be much appreciated.

Obviously I can emerge just about any app to my Gentoo box, but there might be an advantage in demonstrating to the PHB that there is nothing magic about my laptop - the demonstration would have more impact if I can do it using one of the employee computers at work, simply booting it off a Linux Live CD. So, here's question #2: is there a Live CD distribution that includes tools to do what I want to do?

TIA,

-Gnubuddy
Naib
Watchman


Joined: 21 May 2004
Posts: 6051

PostPosted: Fri Dec 19, 2008 10:18 am    Post subject:

Use Wireshark and start capturing data, get them to type their username/password in, and then show them their password in Wireshark.
gnubuddy
n00b


Joined: 19 Dec 2008
Posts: 3

PostPosted: Fri Dec 19, 2008 6:23 pm    Post subject:

Naib wrote:
Use Wireshark and start capturing data, get them to type their username/password in, and then show them their password in Wireshark.

Thanks! Off to look for a wireshark howto...

-Gnubuddy
Hu
Moderator


Joined: 06 Mar 2007
Posts: 21633

PostPosted: Sat Dec 20, 2008 4:17 am    Post subject:

Be sure to test this before demonstrating for the boss. Depending on how the network switches and routers are configured, it might be difficult for you to snoop traffic without being directly in the path between the victim and the application server. This does not help much from the perspective of securing the application, but it could impede a demonstration.

By the way, typically the boss has pointy hair, not a pointy head.
PaulBredbury
Watchman


Joined: 14 Jul 2005
Posts: 7310

PostPosted: Sat Dec 20, 2008 7:16 am    Post subject: Re: Show the Pointy Headed Boss that http is insecure - how?

gnubuddy wrote:
The app is intended for the entry of highly sensitive data

Search for local laws regarding *encryption* of such data. Reading "legal" language is tedious, so watch for phrases such as "all reasonable measures should be taken to safeguard..." Pounce on that, because encryption is a reasonable measure to take.

Cite Chernobyl, as an example that these imbeciles can have the whole thing explode in their faces, even though they don't understand how a nuclear reactor works. All it takes is one bad combination of circumstances.
gnubuddy
n00b


Joined: 19 Dec 2008
Posts: 3

PostPosted: Sat Dec 20, 2008 7:32 pm    Post subject: Re: Show the Pointy Headed Boss that http is insecure - how?

Thanks for the suggestions, everyone. Much appreciated.

I have good news - sort of. I didn't get as far as having to do a Wireshark demo. Evidently some of the ruckus I'd stirred up eventually triggered some dim memory in someone that maybe, just maybe, http wasn't the most secure protocol in the world. The login page to the internal site now has a "click me" button that takes you to a secure login page (https), and the old unsecured page has disappeared.

That's the good news. The bad news is that the new https server is using a self-generated security certificate. So there is still the very significant risk of spoofing/phishing; without going into details, we have literally tens of thousands of customers and former customers, many of whom would love to have access to the data accessible via this app, and many of whom don't have exactly the highest level of ethics on the planet. So it certainly isn't that far-fetched that someone would go to the trouble of spoofing the site.

Now I'm trying to explain to the PHBs that switching to https is a good first step, but it is really important to get a real security certificate.

And I can't believe that after years of reading Dilbert I got "PHB" wrong!

-Gnubuddy
Hu
Moderator


Joined: 06 Mar 2007
Posts: 21633

PostPosted: Mon Dec 22, 2008 5:01 am    Post subject:

Generally speaking, who will be using this site? Is it only to be used by employees of your organization, or is this externally visible for use by employees of other corporations? In the former case, you can get a decent hybrid solution by having the IT department issue a certificate for the server and sign the certificate using your company's internal CA. Many IT departments have, or can easily set up, an internal CA for exactly this sort of purpose: all company owned machines need to trust the certificate, but circumstances preclude buying a publicly recognized certificate.

Although the good news is better than the prior situation, this is still not that secure. If the landing page is http, a man in the middle can trivially replace it with a modified landing page that takes you to an http login page. Most users will fail to notice that they did not transition to an SSL site. Since the site will not be encrypted, the man in the middle will not need to do any certificate tricks. To plug this hole, the landing page must be served over https, so that any man in the middle is forced to present a bad certificate. The announcement / usage instructions can then direct the user to an https landing page. Ideally, if the load on the site is low enough to permit it, you should simply disable the http listener entirely so that users can never navigate to an unsecured page, even by accident.
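The weakness Hu describes in the post above (a plain-http landing page that merely links to an https login) can be checked mechanically. The following is an added example, not code from the thread: a small Python audit that takes one fetched page (URL, status, headers, body) and flags a landing page served over http, a form that posts over http, and an https hand-off offered from an http page; it accepts an http hit only when it redirects straight to https. The host name intranet.example and the HTML are constructed for illustration.

```python
"""Flag the 'plain-http landing page hands off to https login' weakness."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

REDIRECTS = (301, 302, 303, 307, 308)


class _Collector(HTMLParser):
    """Gathers every <form action> and <a href> in the page body."""

    def __init__(self):
        super().__init__()
        self.form_actions, self.hrefs = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])


def audit_landing_page(page_url, status, headers, body):
    """Return a list of findings for one fetched page; an empty list means nothing was flagged."""
    findings = []
    over_http = urlparse(page_url).scheme == "http"
    if over_http:
        target = urljoin(page_url, headers.get("Location", ""))
        if status in REDIRECTS and urlparse(target).scheme == "https":
            return findings  # the only acceptable answer on port 80: bounce straight to https
        findings.append("landing page served over plain http: an on-path attacker can rewrite it")
    collector = _Collector()
    collector.feed(body)
    for action in collector.form_actions:
        target = urljoin(page_url, action)  # a relative action inherits the page's scheme
        if urlparse(target).scheme == "http":
            findings.append(f"form submits over plain http: {target}")
    if over_http:
        for href in collector.hrefs:
            if urlparse(urljoin(page_url, href)).scheme == "https":
                findings.append(f"https link offered from an http page, so the hand-off itself is tamperable: {href}")
    return findings


# Constructed sample: the situation after the thread's "good news", an http page with a "click me" link.
SAMPLE_URL = "http://intranet.example/"
SAMPLE_HTML = '<html><body><a href="https://intranet.example/login">click me</a></body></html>'

if __name__ == "__main__":
    for line in audit_landing_page(SAMPLE_URL, 200, {}, SAMPLE_HTML):
        print(line)
```

Run it against each page in the login flow (landing, login, post-login); the goal Hu sets is that every call returns an empty list, or that the http variant never answers at all.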
All times are GMT