[TriLUG] Securely and Accurately transmit passwords
jonc at nc.rr.com
jonc at nc.rr.com
Thu Oct 4 10:14:00 EDT 2007
Dude! Excellent email...
You are absolutely right - the easiest way to break in is to let a clueless user do it for you!
<no hope! no hope! we are all doomed...>
I can't tell you the number of users that needed "love" or wanted to look at a "naked Anna K" - even after we sent out warnings and blocked those emails from coming into the corporate accounts...
Fortunately we also ran internal firewalling and up-to-date virus protection, and our good pig Snort now warns us of locals without a clue.
NMS is also a great tool for finding zombies, droids, and bots on our extended networks. The networks they are on, tend to light up when you do something as simple as look at their raw traffic over time.
Running all our apps hosted is also a big plus (so far) on the security side. The only folks with the keys to those inner walls run Linux - and a have a clue or two. Still, we are just living in a fools paradise trusting in the mellow good wishes of our world-wide neighbors.
I guess the lesson here, is that if you are going to be a fool, be one with multiple active defenses and zones.
Jon (smart enough not to vote for Bush either time) Carnes
---- "Andrew C. Oliver" <acoliver at buni.org> wrote:
> Maybe I'll reveal too much about my misspent youth...but...
> Strictly speaking you're not using password authentication, you're using
> a combination of password authentication, time lapses, blacklists and
> such. You obviously have to restrict what passwords users choose or
> they'll chose the name of your company. The problem is that your
> average medium to large-sized company has mostly relatively naive people
> of average intelligence who probably value your company's security less
> than you do. In a small company, you can handle this through hiring.
> Once you scale it seems less possible.
> More than likely the way to screw your company would be to create a
> distributed denial of service attack that tried all combinations of
> probable user ids and bad passwords. That way your whole company could
> be taken out at once. As far as having half the net to do it...not
> really a big problem:
> Moreover if you have windows boxes on your network then a firewall is
> really trivial protection. All you need is one dumb person who really
> wants to see the picture of the bunny with the pancake on its head and a
> proxy can be installed locally to a remote computer over the almighty
> safe port 80. Recently I even discovered this can be done with NTLM
> (http://ntlmaps.sourceforge.net/ - btw there are some elementary
> programming error in the proxy_client.py where it misses EOFs and hangs
> indefinitely unless you patch it but I can't manage to submit my patch
> because my Sf account seems dead...or maybe I forgot the password) :-).
> Sticking that into an installer in a worm activeX control shouldn't be
> too hard.
> Or an obvious thing to do from a worm is to fake the occasional password
> popup dialog. You can probably even get the browser proxy settings and
> test the authentication against the proxy. Anyhow there are so many fun
> things you can do with human frailty and the weakness of any
> user-entered token.
> Relax, hacking a phone company is probably too boring for a deliberative
> attempt these days -- MySpace, FaceBook, Skype, AIM or YIM are probably
> more appealing :-)
> jonc at nc.rr.com wrote:
> > <Shakes head> Maybe I'm missing something, but these guys seem to be living in their own mental worlds.... Worlds that for some reason don't contain limits on login attempts.
> > The maximum number of times I let folks try a password (before locking the account for an hour) is 10 times. Tell me how some cracker is going to use a dictionary attack and crack one of my accounts. Unless he lucks into the password in the first 10 tries, his app is simply going to be spinning its' wheels uselessly for the next 59 minutes and 59 seconds...
> > Also, most admins I know use the security app Denyhosts. It was mentioned by someone else earlier in this thread. I have some very strict Denyhost rules for my secure accounts (admin/root accounts). If a hacker is trying to break into a secure account, the python app Denyhosts locks out all the IP's used in his attacks. The hacker would have to harvest the entire net to stand a chance of breaking in, and even then he'll only have a window of opportunity of 10 attempts every hour.
> > Are there folks out there, that don't set limits on invalid login attempts? Are they windows admins?
> > Jon (wobble head) Carnes
> > ---- Chris Calloway <cbc at unc.edu> wrote:
> >> On Oct 2, 2007, at 12:40 PM, MG wrote:
> >>> Oddly enough, CBC (Canadian news) ran an article on password
> >>> security today:
> >>> http://www.cbc.ca/news/background/tech/passwords.html
> >> Read what this well known security expert/pundit has to say on the
> >> matter:
> >> http://www.schneier.com/blog/archives/2005/06/write_down_your.html
> >> You know, just because you write down a password doesn't mean you
> >> have to stick in on a post-it on your workstation. In fact, real
> >> world security means your password *is* written down, sealed in an
> >> envelope, and put in a safe place "in case you get hit by a bus," I
> >> think is the commonly used phrase.
> >> So yeah, use strong passwords and write them down.
> >> --
> >> Sincerely,
> >> Chris Calloway
> >> http://www.seacoos.org
> >> office: 332 Chapman Hall cell: (919) 599-3530
> >> mail: Campus Box #3300, UNC-CH, Chapel Hill, NC 27599
> >> --
> >> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> >> TriLUG Organizational FAQ : http://trilug.org/faq/
> >> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
More information about the TriLUG