[Beowulf] Re: "hobbyists"

Robert G. Brown rgb at phy.duke.edu
Thu Jun 19 19:33:47 PDT 2008


On Fri, 20 Jun 2008, Chris Samuel wrote:

>
> ----- "Joe Landman" <landman at scalableinformatics.com> wrote:
>
>> People spend lots of time and effort on security theater.  Make up odd
>> rules for passwords.  Make them hard to guess and crack.  Well, is
>> that the vector for break-ins?  Weak passwords?
>
> Yeah - sadly.. :-(

Do you have any recent contemporary evidence for that?  I mean, back in
the 80's and 90's, when I could use ypx to grab anybody's encrypted
password files and run crack on them and get a dozen hits in a few hours
of work, sure, but since MD5 became near-universal and since /etc/shadow
was invented and since they fixed the worst of the holes that let
"anybody" get at the encrypted password list, since password changing
programs no longer let you use a REALLY bad password (or at least bitch
about it if they do), since sysadmins started routinely running crack on
the encrypted list defensively and forcing the change of particularly
weak ones, since most systems can be configured with tools that bitch or
slow down or flag repeated brute force attacks, I'd have thought that
wasn't so true anymore.  We run log scanners that count the attacks on
our systems in a 24 hour period and break them down by e.g. originating
IP number and so on, and truth be told they are nearly continuous, but I
haven't heard of any of those attacks SUCCEEDING on any linux box run by
any non-complete-idiot for years now.

Password TRAPS are a pretty common vector; the only cases I tend to hear
of at all commonly anymore for crackings (of linux boxes, not Windows
systems that are cracked or infected almost at will) tend to be somebody
who goes home for the summer, uses an infected, trojanned, vile spewpot
of a Windows box to login back at duke from home via e.g. putty or some
other related interface, and has their keystrokes logged as they do.
Quite a lot of the Windows viruses install trojan spyware that does full
keystroke logging and so on; I got to watch one attempt this on one of
my kids' boxes when it was infected, and had to change one of my
passwords after cleaning it up because (sigh) I had to use it to get
Duke to get the site license software I needed to do the cleaning.

There are also still -- relatively rarely -- buffer overwrite attacks
discovered.  Most coders "get it" that one shalt not use the non-n
string commands to manipulate buffers these days, although there is
still legacy code in existence (I'm sure) that has it.  I personally
last got nailed by the slammer attack, because I got lazy about updates
(this was barely pre-yum) and didn't patch my web software in time.
Kernel bugs, and MAYBE a rare race condition, still sometimes allow
promotion to root.

But weak passwords that are brute force guessed or cracked from the
shadow file?  Only on a poorly managed network, one where the sysadmin
doesn't bother to check and fails to inform the users of how to choose a
good one, AND where users manage to gain access to the shadow file in
the first place.

     rgb

(of course MY passwd is just rgbbgr -- that's secure enough don't you
think...;-)

-- 
Robert G. Brown                            Phone(cell): 1-919-280-8443
Duke University Physics Dept, Box 90305
Durham, N.C. 27708-0305
Web: http://www.phy.duke.edu/~rgb
Book of Lilith Website: http://www.phy.duke.edu/~rgb/Lilith/Lilith.php
Lulu Bookstore: http://stores.lulu.com/store.php?fAcctID=877977
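
Added example, not part of the original message: a minimal version of the kind of log scanner described above, counting failed SSH password attempts per originating IP over a 24 hour period and flagging any source that logs in successfully after repeated failures. It assumes OpenSSH's usual syslog line format and an English locale for month names; the sample lines, the `scan` function and its threshold are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH's syslog format (not from the original post).
SAMPLE_LOG = """\
Jun 18 18:00:01 node0 sshd[2101]: Failed password for root from 203.0.113.5 port 40122 ssh2
Jun 19 03:12:45 node0 sshd[2290]: Failed password for invalid user admin from 203.0.113.5 port 40188 ssh2
Jun 19 03:12:47 node0 sshd[2290]: Failed password for invalid user test from 203.0.113.5 port 40190 ssh2
Jun 19 09:30:10 node0 sshd[2411]: Failed password for alice from 198.51.100.7 port 51200 ssh2
Jun 19 09:30:22 node0 sshd[2411]: Accepted password for alice from 198.51.100.7 port 51200 ssh2
Jun 19 14:05:09 node0 sshd[2533]: Failed password for root from 192.0.2.44 port 33010 ssh2
Jun 19 14:05:11 node0 sshd[2533]: Failed password for root from 192.0.2.44 port 33012 ssh2
Jun 19 14:05:13 node0 sshd[2533]: Accepted password for root from 192.0.2.44 port 33014 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def scan(log_text, now, year, window=timedelta(hours=24), threshold=2):
    """Count failed logins per source IP inside the window ending at `now`, and
    list IPs that logged in successfully after at least `threshold` failures."""
    failures = Counter()
    suspicious = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if not (now - window < ts <= now):
            continue
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold and ip not in suspicious:
            suspicious.append(ip)
    return failures, suspicious

if __name__ == "__main__":
    failures, suspicious = scan(SAMPLE_LOG, datetime(2008, 6, 19, 19, 0, 0), 2008)
    for ip, n in failures.most_common():
        print(f"{n:4d} failed  {ip}")
    print("success after repeated failures:", suspicious)
```

A single failure followed by a success (a mistyped password) stays below the threshold and is only counted, not flagged.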


