Educause Security Discussion mailing list archives

Re: Password Cracking & Consequences


From: Gary Flynn <flynngn () JMU EDU>
Date: Fri, 27 Aug 2004 13:02:11 -0400

Michael Mills wrote:

To take another perspective on this issue I add that in effort to create an
audit trail of users' access to campus resources, for any number of reasons,
it is imperative from not only a personal liability issue, but down to the
campus's ability to enforce any kind of IT Security policy, NO ONE must EVER
know anyone else's password.  Even if only to prove that a password is
insecure.  Imagine a scenario where the campus is under fire from the RIAA,
and the university passes the responsibility over to the student in
question.  If that student can prove that other people have the ability to
"crack" their password and also do so, on a regular basis, that student is
let off the hook (barring any other circumstances) and the responsibility is
placed right back on the university.  Or another scenario, a staff/faculty
member is identified to have attempted to access areas he/she does not have
access to, so the university decides to let this person go.  That person
gets a lawyer and charges that on a regular basis the IT staff "cracks"
their passwords and because of that how can it be proved 100% that that
person is the guilty party?

Not to argue with what you're saying but the ugly truth is that
a lot (most?) computer evidence is tainted that way. There are
all kinds of arguments people can use:

1) Somebody must have spoofed my IP.
2) Somebody must have spoofed my MAC address.
3) I must (or do) have a trojan installed on my computer.
4) Somebody hacked my computer.
5) That stream of ones and zeros could have been tampered
   with in any of a thousand ways and places before it was
   put in law enforcement custody.
6) My system isn't patched so anyone could have broken in
   and done it.
7) The IT system wasn't patched so anyone could have broken
   in and done it.
8) I typed my password into an e-bay mailing a few weeks ago
   when it asked me to update my account.
9) The network wires aren't under constant surveillance so
   anyone can sniff my password or do a man in the middle
   attack and hijack my session.

Unless you can collect network traffic on the local subnet,
at the specific switch/dial-up port, at the same time a
camera is aiming at the keyboard the evidence is
questionable. If it's local data being abused, you'd also
need a keyboard logger. One could still argue about
mysterious, disappearing kernel BOTS. :)

I suspect a fair number of cases are made on a preponderance
of questionable evidence convincing a non-technical jury
or, perhaps, a scared defendant into making a deal.

In any case, one could also argue that an IT department showing
that they regularly tested passwords for strength may decrease
the strength of the defendants' arguments in your scenarios.

With today's increased "phishing" methods of obtaining passwords you will
want to put into effect a "No one will EVER under ANY circumstances ask for
your password" policy.

The phishing attacks ask for passwords indirectly. That is, they
want you to do something which, as a side effect, requires you
to login. You can't directly attack that with such a policy
without saying "don't type your password into a web site login
screen or computer keyboard when asked for it".

BTW. Another good policy would be "don't synchronize passwords
amongst services." Else one successful phishing attack gains
a user account on an unrelated system. I speak from experience.

--
Gary Flynn
Security Engineer
James Madison University
