Firewall Wizards mailing list archives

RE: Passwords


From: Siglite <siglite () criticalstop com>
Date: Wed, 13 Oct 1999 13:06:37 -0400 (EDT)


On smaller networks, the best way to determine if user passwords have been
compromised is to be familiar with your users' habits.  

Example:

Joe logs in from dialupip () his isp com twice a day or so, and you know this
because you diligently watch your logs.  Joe's been doing this oh, every
day or so for the past six months.  Then one day, you notice in your logs
that Joe has started logging in from someip.somenetwork.cz.  On my network,
that would be pretty unusual, prompting me to ask Joe about it.

That's a pretty extreme example, but familiarity with your users, and
their habits goes a LONG way towards detecting a security breach.  I do of
course realize how much more difficult this becomes in a serious
enterprise environment with thousands upon thousands of users.  However,
I've written scripts in the past to parse my system logs to determine
where any individual is most likely to log in from, then look for changes.



/*-----------------------------------*/
/* I live with FEAR every day.       */
/* But, sometimes, she lets me RACE. */
/*-----------------------------------*/

KT Morgan
Network Engineer
Checkpoint Firewall-1 CCSA/CCSE
Microsoft MCP
Software Systems Group, Inc


the compaq support website, crib notes version:   
"you cant do that."

On Thu, 7 Oct 1999 sean.kelly () lanston com wrote:

From: Rex Murphy [mailto:rmurphy () Networkguys com]

Is there a product that can identify "hacked Passwords."  I had a
conversation with someone and they mentioned that such a 
product existed.

You can run the software people have written to hack passwords on your
password file to determine "hackable" passwords.  My friend did this a lot
in college and sent alerts to the sysadmin.  As far as determining if a
password has been "hacked," how is this possible?  "Hacked" could mean
shoulder-surfed or guessed.  i.e. there would be nothing to distinguish a
hacker logging on to an account from the actual user logging into the
account.  Unless they mean detecting hack attempts, and this kind of thing
is generally in place in systems already.

Sean
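
The log-parsing approach described in the reply above (learn where each user usually logs in from, then look for changes), as an added example that is not part of the original post or the poster's scripts. The log line format, the isp.example and corp.example hostnames, the 5% rarity threshold and the two-label grouping of hostnames are all assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed log format (an assumption): "<date> <time> LOGIN user=<name> from=<host>"
LINE_RE = re.compile(r"LOGIN user=(\S+) from=(\S+)")

def origin(host, labels=2):
    """Collapse a hostname to its trailing labels so rotating dial-up names
    (ppp17.isp.example, ppp203.isp.example) count as one origin."""
    return ".".join(host.lower().rstrip(".").split(".")[-labels:])

def parse(lines):
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), origin(m.group(2))

def build_baseline(lines):
    """Per-user Counter of origins seen in the historical logs."""
    baseline = defaultdict(Counter)
    for user, org in parse(lines):
        baseline[user][org] += 1
    return baseline

def find_changes(baseline, lines, min_share=0.05):
    """Return (user, origin, reason) for logins that break the user's habit."""
    alerts = []
    for user, org in parse(lines):
        seen = baseline.get(user)
        if not seen:
            alerts.append((user, org, "no history for user"))
            continue
        share = seen[org] / sum(seen.values())
        if share == 0:
            alerts.append((user, org, "new origin"))
        elif share < min_share:  # seen before, but under min_share of past logins
            alerts.append((user, org, "rare origin"))
    return alerts

# Constructed sample data: one login per month stands in for six months of logs.
HISTORY = [f"1999-0{m}-01 08:00:00 LOGIN user=joe from=ppp{m}7.isp.example" for m in range(4, 10)]
TODAY = [
    "1999-10-13 08:05:00 LOGIN user=joe from=ppp12.isp.example",
    "1999-10-13 23:40:00 LOGIN user=joe from=someip.somenetwork.cz",
    "1999-10-13 09:00:00 LOGIN user=bob from=ws9.corp.example",
]

if __name__ == "__main__":
    print(*find_changes(build_baseline(HISTORY), TODAY), sep="\n")
```

Grouping by the last two labels treats every host under a suffix such as co.uk as one origin, so pass labels=3 (or group by address block) where that matters.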



