Default encrypted passwords

John E. Malmberg malmberg at Encompasserve.org
Thu Oct 11 10:06:03 GMT 2001


On Thu, 27 Sep 2001, Jay Ts wrote:

> > [John Malmberg]
> > Removing the plain text passwords from an SMB network only eliminates the
> > probability that someone could use those same passwords to attack other
> > protocols.
> 
> For a Samba network, this is not true, because Unix usernames and
> passwords are sent over the net in plaintext.  So a cracker could
> use them to attack the Samba host.  One popular method of attacking
> Unix systems is to first obtain a non-root user's password, and then
> use it to log in and do a brute force crack of the root password.

The crackers would understand how to get passwords from SMB packets as
opposed to them picking up the passwords from telnet and other
sessions?

Of course, I do not use UNIX much, I use OpenVMS.  No one at the
DEFCON 9 conference seemed to be able to get anywhere with OpenVMS, and
the Apache web server running on OpenVMS was giving out non-privileged
interactive shell accounts to anyone that asked.

On OpenVMS, access to the user file requires privilege.  A non-privileged
hacker cannot run a crack program.

I would expect by now that UNIX would have similar protection of the
password file.

> > ... it is likely that assuming that they have
> > enough skill, they can compromise any system on the network.
> 
> The key phrase there is "assuming that they have enough skill",
> to which I would add, "and enough CPU time".  All computer security,
> like any other security, functions by making it inconvenient or
> difficult enough to break in that few people do it.

The bandwidth on the network will usually be more of a limit than
CPU time.  Plus the skill level will come into play.

> The harder it is to break in, the fewer break-ins there will be.
> 
> Or to put it another way, if you leave the front door key for your
> house under a rock outside next to the front door, aren't you
> asking for trouble?

It really depends on how well you get along with the dog. :-)


The big problem is that when most people approach computer security, they
approach it from the perspective that some malicious cracker is going to
try to break into their systems, and spend a lot of time and money to
prevent this.

The reality is that this is the least likely thing that will happen to
most companies' computers.

The most likely thing to happen is that someone will do something by
accident and cause a data problem.  And knee-jerk solutions from the
"experts" in the trade press can make these accidents more likely to
happen.

In many cases the technological and official policies on computer security
actually create gaping security holes where social engineering can get
through any system.

I have been thwarted a few times from closing a real security hole because
some PHB read something in the trade press, and mandated a bad policy.

This is the Barney Fife approach to computer security.  Looks good, but
pays more attention to the jay-walking than to bank robbers.  After a
while the employees stop paying anything but lip service to the security
people.

Preventing accidental corruption to data is higher priority than dealing
with malicious people.

> > A. The skill level needed to exploit this type of security vulnerability
> >    is reasonably high.  High skill can usually get high paid jobs.
> >    In most cases at a company the people with these skills are the ones
> >    with a responsibility to make sure that the systems are secure.
> 
> But there are also disgruntled employees, plus teenage crackers who
> have found a misconfigured firewall (or no firewall) and are attacking
> the LAN from the Internet!

Disgruntled employees with skill are very rare.  If a company did not take
care to keep someone with that skill from becoming disgruntled, usually
that person would go to greener pastures.

I have had a hard time finding people with the skills that a cracker would
need to do useful system administration and troubleshooting.  I have found
many that thought they knew stuff, but really did not understand what they
were doing, so they could not handle finding out what went wrong.

A misconfigured firewall is more serious, and of course is higher priority
than making sure that any passwords on the wire are encrypted.

To concentrate on internal security more than external security is
counterproductive.

You do have to make a reasonable assessment of security.  There are known
issues if someone browses SMB protocols on a wire.  But the protocol was
not designed to stand up to that.  Do you know what protocols are on your
network wire and what their security is?  If not, you have security by
obscurity, and not anything real.

-John
Personal Opinion Only