[TriLUG] Securely and Accurately transmit passwords
Andrew C. Oliver
acoliver at buni.org
Thu Oct 4 00:22:48 EDT 2007
Maybe I'll reveal too much about my misspent youth...but...
Strictly speaking you're not using password authentication, you're using
a combination of password authentication, time lapses, blacklists and
such. You obviously have to restrict what passwords users choose or
they'll choose the name of your company. The problem is that your
average medium to large-sized company has mostly relatively naive people
of average intelligence who probably value your company's security less
than you do. In a small company, you can handle this through hiring.
Once you scale it seems less possible.
More than likely the way to screw your company would be to create a
distributed denial of service attack that tried all combinations of
probable user ids and bad passwords. That way your whole company could
be taken out at once. As far as having half the net to do it...not
really a big problem:
http://en.wikipedia.org/wiki/Code_Red_%28computer_worm%29
http://en.wikipedia.org/wiki/Code_Red_II_%28computer_worm%29
http://en.wikipedia.org/wiki/ILOVEYOU
Moreover if you have windows boxes on your network then a firewall is
really trivial protection. All you need is one dumb person who really
wants to see the picture of the bunny with the pancake on its head and a
proxy can be installed locally to a remote computer over the almighty
safe port 80. Recently I even discovered this can be done with NTLM
(http://ntlmaps.sourceforge.net/ - btw there are some elementary
programming errors in the proxy_client.py where it misses EOFs and hangs
indefinitely unless you patch it but I can't manage to submit my patch
because my Sf account seems dead...or maybe I forgot the password) :-).
Sticking that into an installer in a worm activeX control shouldn't be
too hard.
Or an obvious thing to do from a worm is to fake the occasional password
popup dialog. You can probably even get the browser proxy settings and
test the authentication against the proxy. Anyhow there are so many fun
things you can do with human frailty and the weakness of any
user-entered token.
Relax, hacking a phone company is probably too boring for a deliberative
attempt these days -- MySpace, FaceBook, Skype, AIM or YIM are probably
more appealing :-)
-andy
jonc at nc.rr.com wrote:
> <Shakes head> Maybe I'm missing something, but these guys seem to be living in their own mental worlds.... Worlds that for some reason don't contain limits on login attempts.
>
> The maximum number of times I let folks try a password (before locking the account for an hour) is 10 times. Tell me how some cracker is going to use a dictionary attack and crack one of my accounts. Unless he lucks into the password in the first 10 tries, his app is simply going to be spinning its wheels uselessly for the next 59 minutes and 59 seconds...
>
> Also, most admins I know use the security app DenyHosts. It was mentioned by someone else earlier in this thread. I have some very strict DenyHosts rules for my secure accounts (admin/root accounts). If a hacker is trying to break into a secure account, the python app DenyHosts locks out all the IPs used in his attacks. The hacker would have to harvest the entire net to stand a chance of breaking in, and even then he'll only have a window of opportunity of 10 attempts every hour.
>
> Are there folks out there, that don't set limits on invalid login attempts? Are they windows admins?
>
> Jon (wobble head) Carnes
>
> ---- Chris Calloway <cbc at unc.edu> wrote:
>
>> On Oct 2, 2007, at 12:40 PM, MG wrote:
>>
>>> Oddly enough, CBC (Canadian news) ran an article on password
>>> security today:
>>>
>>> http://www.cbc.ca/news/background/tech/passwords.html
>>>
>> Read what this well known security expert/pundit has to say on the
>> matter:
>>
>> http://www.schneier.com/blog/archives/2005/06/write_down_your.html
>>
>> You know, just because you write down a password doesn't mean you
>> have to stick in on a post-it on your workstation. In fact, real
>> world security means your password *is* written down, sealed in an
>> envelope, and put in a safe place "in case you get hit by a bus," I
>> think is the commonly used phrase.
>>
>> So yeah, use strong passwords and write them down.
>>
>> --
>> Sincerely,
>>
>> Chris Calloway
>> http://www.seacoos.org
>> office: 332 Chapman Hall cell: (919) 599-3530
>> mail: Campus Box #3300, UNC-CH, Chapel Hill, NC 27599
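The two controls discussed in the thread, side by side: Jon's per-account lockout (10 failures, then locked for an hour) and a DenyHosts-style per-source denial. This is an added illustration, not code from the thread or from DenyHosts; the class name `LoginGuard`, the per-IP threshold of 5 and the accounts and addresses used in `simulate()` are constructed assumptions. The run also shows the collateral Andy raises: spread the guesses across sources and the per-IP rule never fires, yet the account still locks.

```python
import time
from collections import defaultdict


class LoginGuard:
    """Per-account lockout (10 failures, then an hour locked) plus per-source-IP denial."""
    def __init__(self, acct_max=10, lock_s=3600, ip_max=5, deny_s=3600, now=time.time):
        self.acct_max, self.lock_s, self.ip_max, self.deny_s = acct_max, lock_s, ip_max, deny_s
        self.now = now                                      # injectable clock for testing
        self.acct_fail, self.ip_fail = defaultdict(int), defaultdict(int)  # consecutive failures
        self.acct_until, self.ip_until = {}, {}             # key -> blocked until (epoch seconds)

    def _blocked(self, table, key):
        if self.now() < table.get(key, 0.0):
            return True
        table.pop(key, None)                                # expired or never blocked
        return False

    def attempt(self, user, ip, password_ok):
        """Evaluate one login attempt and return a short verdict."""
        if self._blocked(self.ip_until, ip):
            return "source-denied"
        if self._blocked(self.acct_until, user):
            return "account-locked"
        if password_ok:
            self.acct_fail.pop(user, None)                  # success resets the account counter
            return "ok"
        self.acct_fail[user] += 1
        self.ip_fail[ip] += 1
        if self.acct_fail[user] >= self.acct_max:           # lock the account for lock_s
            self.acct_until[user] = self.now() + self.lock_s
            self.acct_fail[user] = 0
        if self.ip_fail[ip] >= self.ip_max:                 # deny the source for deny_s
            self.ip_until[ip] = self.now() + self.deny_s
            self.ip_fail[ip] = 0
        return "bad-password"


def simulate():
    """Constructed run on a fake clock; returns the verdicts in order."""
    clock = [0.0]
    g = LoginGuard(now=lambda: clock[0])
    # ten wrong guesses at one account, each from a different source: per-IP rule never fires
    out = [g.attempt("alice", "10.0.0.%d" % i, False) for i in range(10)]
    out.append(g.attempt("alice", "10.0.0.99", True))       # right password, but account is locked
    clock[0] = 3600.0                                       # an hour later
    out.append(g.attempt("alice", "10.0.0.99", True))       # lock has expired
    for u in ("bob", "carol", "dave", "erin", "frank"):     # five failures from one source
        g.attempt(u, "192.0.2.7", False)
    out.append(g.attempt("alice", "192.0.2.7", True))       # source denied regardless of password
    return out
```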