Default encrypted passwords

John E. Malmberg malmberg at Encompasserve.org
Thu Oct 11 16:38:11 GMT 2001


On Thu, 11 Oct 2001, Jay Ts wrote:

> > 
> Passwords can be picked up from both quite easily.  But consider that
> Red Hat 7 (at least) now comes "out of the box" with telnet disabled,
> and running a sshd daemon. Telnet and the r-commands are nowadays
> contraindicated on a secure network.

It really depends on the level of security needed.  I normally have
proxies set up between trusted machines.

r-commands on OpenVMS require a System administrator to set up the proxy.
Normal users cannot do it.
 
> 
> Is your network running at 10 bits per second? :-)

Not anymore.  It is switched.  This means that you can only snoop on a
local segment.

All of a sudden, all that work to encrypt things on the internal wire
has become useless.
 
> This is an old discussion, but my point, IIRC, was that it's really
> easy to grab someone's .pwl file and run a brute-force attack on it.
> This requires CPU time.  Network speed is not an issue for this type
> of attack, assuming it is running at faster than 0 bits per second.

I have not seen a .pwl file since the end of windows 3.1 clients.  Yes,
the locally cached password file on a PC can probably be cracked given
enough time.  But as recent breakin reports have shown, it is not worth
the effort.  Bigger security holes can usually be found in any place
where you can get access to run the program.
 
> > > The harder it is to break in, the fewer break-ins there will be.
> > > 
> > > Or to put it another way, if you leave the front door key for your
> > > house under a rock outside next to the front door, aren't you
> > > asking for trouble?
> > 
> > It really depends on how well you get along with the dog. :-)
> 
> Unfortunately, computers don't have dogs in them.

It is not that hard to put "dogs" in a system.  But that would be telling.

> Someone attacking
> from over the network can "own" an insecure computer before anyone who is
> managing or using that computer even notices.

At a former job site, the PC client support team decided to try one of
those free trial network security testers without letting us in the server
support area know.

They were really surprised at how fast and easily they were found using
this supposedly stealth tool.

They set off the default security alarms built in to OpenVMS.  Tracing an
IP address to a specific PC and the last user logged in is trivial.
SAMBA even provides tools to do this so that I could automate the whole
process.

> > The big problem is that when most people approach computer security, they
> > approach it from the perspective that some malicious cracker is going to
> > try to break in to their systems, and spend a lot of time and money to
> > prevent this.
> > 
> > The reality is that this is the least likely thing that will happen to
> > most companies' computers.
> 
> I wonder if you still "own" yours! :-)  I'd recommend for you a quick
> reading of a good book on network security.  Even though you're running
> OpenVMS there (which I think most hackers don't grok, and therefore
> would be less likely to attack), you might benefit from a quick
> perusal of O'Reilly's book "Practical Unix & Internet Security".

I am quite aware of network security, and the security awareness of the
typical office user.

The bottom line is that in most cases the computer cannot be secured.
Even if I deal with all of the threats to security, I cannot be sure that
a PC has not been taken over.  This is even after busting my *** to make
sure that all technological tricks are covered.

I can make sure that all of the data on a server has an audit trail of who
did what and when.  I can make sure that I can roll back or recover data.

I can find out who let their user credentials get used.  And usually how
they let that happen.

But I can not get the average user to properly secure their desk or their
workstation.

I can erase the disk and reload it easily though.  Then it is between them
and their chain of management to deal with the consequences.

And all I have ever caught at a very large site is people deleting or
damaging their group's intermediate work files by accident.

> > Preventing accidental corruption to data is higher priority than dealing
> > with malicious people.
> 
> That makes sense, but just don't do your first priority, and forget
> about everything else!

Of course not.  I am just pointing out that for all the publicity that it
gets, it is a rare occurrence for someone to attack a company's network
from the inside through a technological attack.

The risks of getting caught are too high and the real returns are too low.

Someone with enough skills to pull it off successfully is also smart enough
to make even more money legally.

> > Disgruntled Employees with skill are very rare.
> 
> The type of attack I was referring to previously (in Workgroup
> security) does not require any skill at all!  For example, I have
> virtually no cracking skills whatsoever, but if you set me down at
> a logged-in Windows workstation on your SMB network, I can grab
> ALL of your network passwords within 2 minutes, guaranteed.  All I
> would have to do is wait until you step out to refill your coffee
> cup, and put a floppy in the drive and run one simple program.
> And you would never know it happened. Now do you see what I'm getting at?

Perfectly.  Instead of wasting time getting passwords, your floppy could
just as easily have dropped a program that could bypass all of the
technological stuff that everyone recommends doing to the network.  That,
after all, is the more usual attack, e-mail now being the preferred
transport mechanism.

But the E-mail issue is easy to deal with.

And a company that has someone like that physically in any office where a
computer user has change access to vital data has much more to worry about
than computer crackers.

And Workgroup security is only meant to be a courtesy security to prevent
minor accidents.  Just like the locks that come with most luggage or are
on a bathroom door.

Corporate policy requires a password protected screen saver lock on all
PCs, enforced through the registry.  Users are required to invoke the lock
before leaving their stations.  Usual penalties threatened for
non-compliance.

Bottom line is that I know how much damage a cracker can do to any
type of my systems that they can compromise, and all the methods that they
will use and the likelihood of each being used.

I cannot stop some of the easier methods on the PCs, so I assume that
they can and will be compromised.

I can secure the servers without much effort, even to the degree that if
a privileged account gets compromised, I can still control the situation.

-John
wb8tyw at qsl.network
Personal Opinion Only
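The "trace an IP address to a PC and its last logged-in user" step John refers to above is what Samba's `nmblookup -A <ip>` (a NetBIOS node-status query on UDP 137) gives you: the target's unique `<00>` name is the machine name, the group `<00>` name is the workgroup/domain, and each unique `<03>` (Messenger service) entry that is not the machine name is a logged-on user. The parser below is an added example, not code from the original message or from the Samba project; the `SAMPLE_STATUS` text is a constructed reply in the `nmblookup -A` output format, and `node_status()` simply runs the real `nmblookup` binary, which is assumed to be on `PATH`.

```python
import re
import subprocess
from typing import Dict, List, Optional

# Constructed sample of `nmblookup -A 10.1.2.34` output; not captured from a real host.
SAMPLE_STATUS = """\
Looking up status of 10.1.2.34
        PC-0417         <00> -         B <ACTIVE>
        ACCOUNTING      <00> - <GROUP> B <ACTIVE>
        PC-0417         <03> -         B <ACTIVE>
        PC-0417         <20> -         B <ACTIVE>
        ACCOUNTING      <1e> - <GROUP> B <ACTIVE>
        JDOE            <03> -         B <ACTIVE>

        MAC Address = 00-50-56-AB-CD-EF
"""

# One name-table row: NAME <suffix> - [<GROUP>] nodetype <state>
_NAME_LINE = re.compile(
    r'^\s*(\S+)\s+<([0-9a-fA-F]{2})>\s+-\s+(<GROUP>)?\s*[BPMH]\s+<(\w+)>'
)
_MAC_LINE = re.compile(r'MAC Address = ([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})')


def parse_node_status(text: str) -> Dict[str, object]:
    """Reduce a NetBIOS node-status table to machine, workgroup, users and MAC.

    Unique <00>  -> machine (workstation service) name
    Group  <00>  -> workgroup / domain name
    Unique <03>  -> messenger names: the machine itself plus each logged-on user
    """
    machine: Optional[str] = None
    workgroup: Optional[str] = None
    messenger_names: List[str] = []
    mac: Optional[str] = None

    for line in text.splitlines():
        m = _NAME_LINE.match(line)
        if m:
            name, suffix, group, _state = m.groups()
            suffix = suffix.lower()
            if group:
                if suffix == '00' and workgroup is None:
                    workgroup = name
            elif suffix == '00' and machine is None:
                machine = name
            elif suffix == '03':
                messenger_names.append(name)
            continue
        mm = _MAC_LINE.search(line)
        if mm:
            mac = mm.group(1)

    # Every unique <03> entry that is not the machine's own name is a user
    # with an interactive session (or one whose session was never cleaned up).
    users = [n for n in messenger_names if n != machine]
    return {'machine': machine, 'workgroup': workgroup, 'users': users, 'mac': mac}


def node_status(ip: str) -> Dict[str, object]:
    """Query a live host with Samba's nmblookup and parse the reply (assumed on PATH)."""
    proc = subprocess.run(['nmblookup', '-A', ip],
                          capture_output=True, text=True, check=False)
    return parse_node_status(proc.stdout)


if __name__ == '__main__':
    print(parse_node_status(SAMPLE_STATUS))
```

Two caveats a practitioner should keep in mind: the host only answers if it still runs the NetBIOS name service on UDP 137, and the `<03>` user entry is registered by the Messenger service at logon, so a host with that service disabled reports the machine name only, and a user who logged off without the name being released can linger in the table.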