Penetration Testing mailing list archives
RE: Education End Users about Passwords
From: "Thompson, Jimi" <JimiT () mail cox smu edu>
Date: Tue, 9 Dec 2003 19:59:51 -0600
Let me start off by stating quite plainly, there is no such thing as unbreakable security. You will never be able to keep a sufficiently motivated individual off your network and/or out of your data. While I agree with you in theory, it takes quite some time to make the custom dictionary (if you have figured out what the patterns are) and to run the cracker against it. The average goober will locate a cable modem segment that's ripe for the picking and leave you be. Never mind the larger issue, which would be that this person has either obtained your SAM or your /etc/passwd.

First off, "experienced crackers" are a rare breed. The number of people that can isolate a new vulnerability and craft an attack from it is rather minimal. I would estimate that it is well under 1% of the population of the planet. That means your odds of encountering one and attracting their unwanted attention "by accident" are extremely low. With folks of that caliber, you typically have to have something or be doing something that draws their notice.

What can you have or what can you be doing to draw their notice? The basic motivators in human society are drugs, love/sex, money, and recognition. 90% of all crime (cyber and otherwise) can be tied back to one of those 4 things. Keep the motivating factors low, and you can avoid a lot of trouble. Most companies cannot offer enough of any of those 4 to be worth that kind of time and effort. For those of you that can offer those kinds of targets, BEWARE! You likely have your hands full. Pharmaceutical companies have to have very tight security surrounding their shipments of things like Ritalin, Valium, etc. Ask the Federal Reserve Bank what their security is like. Ask companies that are engaged in animal research what their security is like. They offer targets because they offer drugs, money, and/or recognition. Security isn't so much about how secure you are, but about being ahead of the curve.
Your level of paranoia determines how far "ahead of the curve" you are. I follow the "bear philosophy" of security and find that it works in the vast majority of cases. ALL security devices are based on two rather simple concepts, the "bear" concept and the concept that locks keep honest people honest. The level of paranoia needs to fit the circumstances. I've worked in what were largely very secure networks (DOD, brokerage firm, insurance company, cellular, telco, etc.) but I've also spent time in "regular" companies where that kind of security was overkill.

You lock your house when you leave to go to work. The reason that you do this is because you want to make it harder for an unauthorized person to enter the house. This is sufficient to keep 99+% of the population out of your house. Let's expand this by saying that maybe you have some expensive artwork. You install an alarm system in your house. You do this because the artwork could motivate someone to overcome your locks by breaking a window. You don't just install the alarm, though. You put up signs and stickers that SAY you have an alarm. Anyone brave enough to approach the house will likely be deterred by the "Joe Bob's Alarm Service" sign on the front porch. Let's expand this further to say that your painting has turned out to be a Picasso original - it's now whole orders of magnitude more valuable. Simply locking the doors won't be a sufficient deterrent to keep someone from stealing your prize painting, and your special deal on the alarm from "Joe Bob" isn't likely to help much either. Now you have a sophisticated alarm company come in. Your lawn is wired for motion detection. Your house now has a complete array of sensors; in fact it's a wonder you don't cause a brown-out because of all the stuff you have installed now.

2 cents,
Jimi

PS - For those not familiar with the "bear theory", it comes from an old joke. Two friends are running through the forest to get away from a bear. One of them stops and starts adjusting his shoes and socks. The other one says "What are you stopping for? We've got to get away from this bear". The first one looks up and says "I don't have to outrun the bear, I just have to outrun you."

-----Original Message-----
From: J. Oquendo [mailto:sil () politrix org]
Sent: Tuesday, December 09, 2003 1:56 PM
To: pen-test () securityfocus com
Subject: Re: Education End Users about Passwords
1. Pick a sentence that has meaning for you and that you will remember, i.e. "I work at cox today."
2. All consonants (or all vowels) become UPPERCASE characters.
3. All vowels (or all consonants, as it is the opposite of rule 2) become lowercase characters.
4. Words like "to" and "for" become numbers.
5. Words like "at" and "and" become symbols (@ and &).
6. Add some character to the end like ! or #.
Agreed to a certain extent. Consider the following, however: a cracker is on a machine that he needs some serious information from, say for corporate espionage purposes, and the information is vital to him. What makes you think an experienced cracker wouldn't have the correct type of dictionary file? It's as simple as sed 's/a/4/g;s/A/4/g;s/e/3/g;s/E/3/g' and so forth. Substitutions? sed 's/i/\!/g', 's/^/./', 's/$/./' and so on.
Once they get this simple thing down, getting them to choose "strong" passwords becomes infinitely easier, because they now have a mnemonic device to recall the password - the primary end-user complaint about using "strong" passwords. If they can remember it, they are also a lot less likely to use the nefarious sticky note. Then all you have to worry about is making sure that they know not to give it out over the phone, which frankly, is the easiest method of "cracking" a password.

2 cents,
Jimi
Disagree, most people stick with familiarity (cognitive dissonance) and you can try to explain the situation a million times over but the sad fact is most people will stick to their guns. What can you do as an admin/sec engineer? One thing that I think corps. should do is create some form of quarterly meeting with their employees to explain security issues, e.g.:

- Post-it notes
- Bad passwords
- Not locking their machines
- Paper-based nightmares (using shredders)
- etc.

Too much I could add, and work calls.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x51F9D78D
Fingerprint 2A48 BA18 1851 4C99 CA22 0619 DB63 F2F7 51F9 D78D
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D
sil @ politrix . org http://www.politrix.org
sil @ infiltrated . net http://www.infiltrated.net

"I watch gangster flicks and root for the bad guy and turn it off before it ends because the bad guy dies" 50 Cents - 'Assassins'

This is a farce confidential disclaimer intended to make you aware that even though this may be privileged information, being it will become Google cache in the future, my original intentions of keeping this message restricted and/or private are thrown out the door. If you have received this e-mail in error, please enjoy this signature and destroy this message by dousing it in gasoline.
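The exchange above turns on one point: the six-step mnemonic scheme is a rule set, and a rule set that employees are taught is a rule set a cracker can feed to a dictionary mangler, exactly as the quoted sed one-liners do. The following Python is an added example, not code from either poster, that puts both halves side by side: `mnemonic()` implements the numbered list (with the assumptions that spaces are dropped and that "to"/"for" become "2"/"4"), and `mangle()` generalizes the sed substitutions into the candidate set a cracker would generate from a single base word (each substitution applied globally or not, four case patterns, optional prefix/suffix). `reachable()` then answers the practical question of whether a given password falls inside that set. The base words and sentence are constructed for the demonstration.

```python
"""Added example: the mnemonic scheme from the thread versus a sed-style
dictionary mangler.  Assumptions are marked in the comments."""
import itertools
import re

VOWELS = set("aeiou")

# Rules 4 and 5 of the list as a word map.  Which digits "to" and "for"
# become is not stated in the thread; "2" and "4" are an assumption here.
WORD_MAP = {"to": "2", "for": "4", "at": "@", "and": "&"}


def _consonants_upper(word):
    """Rules 2 and 3: consonants upper-case, vowels lower-case."""
    return "".join(c if c in VOWELS else c.upper() for c in word)


def mnemonic(sentence, tail="!"):
    """Turn a memorable sentence into a password per the six-step list.
    Assumption: spaces are dropped when the words are joined."""
    out = []
    for w in re.findall(r"[a-z]+", sentence.lower()):
        out.append(WORD_MAP[w] if w in WORD_MAP else _consonants_upper(w))
    return "".join(out) + tail          # rule 6: trailing ! or #


def phrase_base(sentence):
    """What a cracker who knows the word map would feed the mangler:
    the sentence with rules 4 and 5 applied, letters still lower-case."""
    return "".join(WORD_MAP.get(w, w) for w in re.findall(r"[a-z]+", sentence.lower()))


# The quoted sed one-liners as data.  Each pair is a global substitution
# applied to both cases, i.e. 's/a/4/g;s/A/4/g'.  'o' and 's' are added
# here as the obvious next rules a cracker would include (assumption).
LEET_RULES = [("a", "4"), ("e", "3"), ("i", "!"), ("o", "0"), ("s", "$")]
PREFIXES = ["", "."]                 # s/^/./
SUFFIXES = ["", ".", "!", "#"]       # s/$/./ and the "add ! or #" step


def case_forms(word):
    """The four case patterns the list can produce (plus plain lower/upper)."""
    lower = word.lower()
    vowels_upper = "".join(c.upper() if c in VOWELS else c for c in lower)
    return {lower, lower.upper(), _consonants_upper(lower), vowels_upper}


def leet(word, active):
    """Apply a chosen subset of LEET_RULES globally, like chained sed commands."""
    for src, dst in active:
        word = word.replace(src, dst).replace(src.upper(), dst)
    return word


def mangle(word):
    """Every candidate this rule set can reach from one base word.
    Upper bound: 4 case forms x 2**len(LEET_RULES) subsets x prefixes x suffixes."""
    cands = set()
    for form in case_forms(word):
        for n in range(len(LEET_RULES) + 1):
            for active in itertools.combinations(LEET_RULES, n):
                core = leet(form, active)
                for p in PREFIXES:
                    for s in SUFFIXES:
                        cands.add(p + core + s)
    return cands


def reachable(password, base_words):
    """Would a mangled dictionary built from base_words contain password?"""
    return any(password in mangle(w) for w in base_words)


if __name__ == "__main__":
    sentence = "I work at cox today."          # the sentence from the list
    pw = mnemonic(sentence)
    print("mnemonic password:", pw)
    print("candidates from 'password':", len(mangle("password")))
    print("mnemonic reachable from its phrase:",
          reachable(pw, [phrase_base(sentence)]))
```

The mangler stays well under a few thousand candidates per base word, which is the point Oquendo is making: once the rule set is public, the only secret left is the base sentence, and the transformation steps add almost nothing a generated dictionary cannot cover in seconds. Real crackers go further than this (per-character rather than global substitutions, rule chaining), so treat the counts printed here as a floor, not a ceiling.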
Current thread:
- Re: Education End Users about Passwords J. Oquendo (Dec 09)
- Re: Education End Users about Passwords steve . posick (Dec 10)
- <Possible follow-ups>
- RE: Education End Users about Passwords Thompson, Jimi (Dec 10)