Educause Security Discussion mailing list archives

Re: Password Cracking & Consequences


From: Michael Mills <mmills () RKON COM>
Date: Fri, 27 Aug 2004 13:26:26 -0500

All great points,

The phishing tactics I was referring to at the time were of the more
"direct" variety, maybe more "Social" than "Automated".  From experience I
have seen users give their passwords out to people on the phone that claim
to be from the IT department.

Michael Mills

Great subject BTW, I don't think that these issues get enough "airtime" as
it is.



-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Flynn
Sent: Friday, August 27, 2004 12:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Cracking & Consequences

Michael Mills wrote:

> To take another perspective on this issue I add that in an effort to create
> an audit trail of users' access to campus resources, for any number of
> reasons, it is imperative from not only a personal liability issue, but down
> to the campus's ability to enforce any kind of IT Security policy, that NO
> ONE must EVER know anyone else's password.  Even if only to prove that a
> password is insecure.  Imagine a scenario where the campus is under fire
> from the RIAA, and the university passes the responsibility over to the
> student in question.  If that student can prove that other people have the
> ability to "crack" their password and also do so, on a regular basis, that
> student is let off the hook (barring any other circumstances) and the
> responsibility is placed right back on the university.  Or another scenario,
> a staff/faculty member is identified to have attempted to access areas
> he/she does not have access to, so the university decides to let this person
> go.  That person gets a lawyer and charges that on a regular basis the IT
> staff "cracks" their passwords and because of that how can it be proved 100%
> that that person is the guilty party?

Not to argue with what you're saying but the ugly truth is that
a lot (most?) computer evidence is tainted that way. There are
all kinds of arguments people can use:

1) Somebody must have spoofed my IP.
2) Somebody must have spoofed my MAC address.
3) I must (or do) have a trojan installed on my computer.
4) Somebody hacked my computer.
5) That stream of ones and zeros could have been tampered
    with in any of a thousand ways and places before it was
    put in law enforcement custody.
6) My system isn't patched so anyone could have broken in
    and done it.
7) The IT system wasn't patched so anyone could have broken
    in and done it.
8) I typed my password into an e-bay mailing a few weeks ago
    when it asked me to update my account.
9) The network wires aren't under constant surveillance so
    anyone can sniff my password or do a man in the middle
    attack and hijack my session.

Unless you can collect network traffic on the local subnet,
at the specific switch/dial-up port, at the same time a
camera is aiming at the keyboard, the evidence is
questionable. If it's local data being abused, you'd also
need a keyboard logger. One could still argue about
mysterious, disappearing kernel BOTS. :)

I suspect a fair number of cases are made on a preponderance
of questionable evidence convincing a non-technical jury
or, perhaps, a scared defendant into making a deal.

In any case, one could also argue that an IT department showing
that they regularly tested passwords for strength may decrease
the strength of the defendants' arguments in your scenarios.

> With today's increased "phishing" methods of obtaining passwords you will
> want to put into effect a "No one will EVER under ANY circumstances ask for
> your password" policy.

The phishing attacks ask for passwords indirectly. That is, they
want you to do something which, as a side effect, requires you
to login. You can't directly attack that with such a policy
without saying "don't type your password into a web site login
screen or computer keyboard when asked for it".

BTW. Another good policy would be "don't synchronize passwords
amongst services". Else one successful phishing attack gains
a user account on an unrelated system. I speak from experience.

--
Gary Flynn
Security Engineer
James Madison University

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.

This email and any files transmitted with it are confidential and intended solely for the use of the individual or 
entity to whom they are addressed. If you have received this email in error please notify the system manager. This 
message contains confidential information and is intended only for the individual named. If you are not the named 
addressee you should not disseminate, distribute or copy this e-mail.
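The thread makes two practical points that a small script illustrates better than prose: Gary's note that regularly testing passwords for strength is defensible, and his advice not to synchronize passwords across services because one phished password then opens an unrelated account. The audit below is an added example, not code from the EDUCAUSE thread or from either author. It assumes each service stores a per-user random salt and a PBKDF2-SHA256 hash (the service names "mail" and "lms", the users, the salts and the wordlist are all constructed for illustration), reports only which accounts are weak or reused so the plaintext never appears in the report, and shows the caveat that salted hashes cannot be compared directly: reuse across services is only detectable once a candidate plaintext is known.

```python
"""Password-strength and cross-service reuse audit over salted hashes.

Added example (not from the EDUCAUSE thread). Assumes every service stores
(username -> (salt, PBKDF2-SHA256 hash)). All data below is constructed.
"""
import hashlib
import hmac

# Assumption: a deliberately low iteration count so the example runs fast.
# Production stores would use a far higher count (or a memory-hard KDF).
ITERATIONS = 10_000


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the storage format this example assumes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored hash."""
    return hmac.compare_digest(hash_password(password, salt), expected)


def audit(services: dict, wordlist: list) -> dict:
    """Return {username: {"weak_on": [...], "reused_on": [...]}}.

    Only service names are reported, never the recovered password, so the
    auditor learns that an account failed the check, not what the secret is.
    """
    # Step 1: find accounts whose password is in the wordlist.
    cracked = {}  # (service, user) -> matching candidate (kept in memory only)
    for svc, accounts in services.items():
        for user, (salt, digest) in accounts.items():
            for candidate in wordlist:
                if verify(candidate, salt, digest):
                    cracked[(svc, user)] = candidate
                    break

    # Step 2: salted hashes for the same password differ per service, so reuse
    # can only be detected by re-verifying a known plaintext against the
    # user's account on every other service.
    report = {}
    for (svc, user), candidate in cracked.items():
        entry = report.setdefault(user, {"weak_on": set(), "reused_on": set()})
        entry["weak_on"].add(svc)
        for other, accounts in services.items():
            if other == svc or user not in accounts:
                continue
            salt, digest = accounts[user]
            if verify(candidate, salt, digest):
                entry["reused_on"].add(other)

    # Deterministic, plaintext-free output.
    return {
        user: {k: sorted(v) for k, v in entry.items()}
        for user, entry in sorted(report.items())
    }


def build_sample():
    """Constructed stores for two services and a tiny wordlist (not real data)."""
    def store(password, salt):
        return (salt, hash_password(password, salt))

    services = {
        "mail": {
            "alice": store("Autumn2004", b"mail-salt-alice"),   # weak, reused
            "bob":   store("letmein", b"mail-salt-bob"),        # weak, not reused
            "carol": store("9#vQ!pL2zR&wT7mK", b"mail-salt-carol"),
        },
        "lms": {
            "alice": store("Autumn2004", b"lms-salt-alice"),    # same password, new salt
            "bob":   store("Tr0ub4dor&3-unique", b"lms-salt-bob"),
            "carol": store("9#vQ!pL2zR&wT7mK", b"lms-salt-carol"),  # reused but not crackable here
        },
    }
    wordlist = ["password", "Autumn2004", "letmein", "jmu2004"]
    return services, wordlist


if __name__ == "__main__":
    for user, findings in audit(*build_sample()).items():
        print(f"{user}: weak on {findings['weak_on']}, reused on {findings['reused_on']}")
```

Note that carol reuses one password across both services yet is not flagged: the audit can only prove reuse for passwords it first recovers, which is why a wordlist check is a floor on what is wrong, not a ceiling.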

