Educause Security Discussion mailing list archives
Re: Password Cracking & Consequences
From: Michael Mills <mmills () RKON COM>
Date: Fri, 27 Aug 2004 13:26:26 -0500
All great points. The phishing tactics I was referring to at the time were of the more "direct" variety, maybe more "Social" than "Automated". From experience I have seen users give their passwords out to people on the phone that claim to be from the IT department.

Michael Mills

Great subject BTW, I don't think that these issues get enough "airtime" as it is.

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Flynn
Sent: Friday, August 27, 2004 12:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Cracking & Consequences

Michael Mills wrote:
> To take another perspective on this issue I add that in an effort to create an audit trail of users' access to campus resources, for any number of reasons, it is imperative from not only a personal liability issue, but down to the campus's ability to enforce any kind of IT Security policy, NO ONE must EVER know anyone else's password. Even if only to prove that a password is insecure.
>
> Imagine a scenario where the campus is under fire from the RIAA, and the university passes the responsibility over to the student in question. If that student can prove that other people have the ability to "crack" their password and also do so, on a regular basis, that student is let off the hook (barring any other circumstances) and the responsibility is placed right back on the university.
>
> Or another scenario, a staff/faculty member is identified to have attempted to access areas he/she does not have access to, so the university decides to let this person go. That person gets a lawyer and charges that on a regular basis the IT staff "cracks" their passwords, and because of that how can it be proved 100% that that person is the guilty party?
Not to argue with what you're saying, but the ugly truth is that a lot (most?) computer evidence is tainted that way. There are all kinds of arguments people can use:

1) Somebody must have spoofed my IP.
2) Somebody must have spoofed my MAC address.
3) I must (or do) have a trojan installed on my computer.
4) Somebody hacked my computer.
5) That stream of ones and zeros could have been tampered with in any of a thousand ways and places before it was put in law enforcement custody.
6) My system isn't patched so anyone could have broken in and done it.
7) The IT system wasn't patched so anyone could have broken in and done it.
8) I typed my password into an e-bay mailing a few weeks ago when it asked me to update my account.
9) The network wires aren't under constant surveillance so anyone can sniff my password or do a man in the middle attack and hijack my session.

Unless you can collect network traffic on the local subnet, at the specific switch/dial-up port, at the same time a camera is aiming at the keyboard, the evidence is questionable. If it's local data being abused, you'd also need a keyboard logger. One could still argue about mysterious, disappearing kernel BOTS. :)

I suspect a fair number of cases are made on a preponderance of questionable evidence convincing a non-technical jury or, perhaps, a scared defendant into making a deal.

In any case, one could also argue that an IT department showing that they regularly tested passwords for strength may decrease the strength of the defendants' arguments in your scenarios.
> With today's increased "phishing" methods of obtaining passwords you will want to put into effect a "No one will EVER under ANY circumstances ask for your password" policy.
The phishing attacks ask for passwords indirectly. That is, they want you to do something which, as a side effect, requires you to login. You can't directly attack that with such a policy without saying "don't type your password into a web site login screen or computer keyboard when asked for it".

BTW, another good policy would be "don't synchronize passwords amongst services." Else one successful phishing attack gains a user account on an unrelated system. I speak from experience.

--
Gary Flynn
Security Engineer
James Madison University

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.