Re: Security awareness (Re: Questions regarding using ciphers..)


Daniel J. Frasnelli (dfrasnel@csee.wvu.edu)
Tue, 27 Apr 1999 19:52:34 -0400 (EDT)


        If I were to guess, I bet you are in the "PC state of mind".
Nothing wrong with that, but I tend to think more in terms of
multiuser operating systems when it comes to security - unless
a hole in a Windows/MacOS service permits a gateway to machines on
our network, which I have seen in action.
        What follows is written from the Unix side of security; read on
if you wish.

> With a very large number of web sites now requiring logins and passwords,
> I find myself picking an awful lot of weak, similar-looking passwords.
        Sites offering accounts for something like the NYT or
BBC generally do not contain the amount of sensitive information as,
say, a server which you can only access via ssh from the outside world.
No offense meant, but I could care less whether someone gets access to
my account on a pay-for-opportunity-to-read news articles site.

> This isn't out of laziness, it's just because I don't want to bother
> memorizing 10 different passwords, particularly not for web sites which I
> only grudgingly deal with in the first place. I have other things to waste
> brain cells on, thankyouverymuch. The alternative is to write them all
        Maybe I am just a weirdo, but after typing a password (or any
sequence) a couple times, I am able to retain the keystrokes quite well.
Off the top of my head... I can think of 8 different passwords I currently
use on various systems, and at least 4 from previous accounts/projects.
And no, they are not simple/weak passphrases. More like random gook.
Not sure that your "lacking gray matter" argument stands up, at least
not in my experience :) Like I said before, S/key & other one-time
implementations and smartcards solve the problem of remembering
passwords at the expense of need for increased physical security.

> down in one place, which I might start doing in the future, but for the
> time being I think I'm engaging in an eminently reasonable response to
> lots of web sites putting a completely unfair password memorization burden
> on me.
        Unfair password memorization burden? Here is what it comes
down to, at least in the Unix world. If you choose a weak password on an
account for the sake of easy memorization, you establish two security
risks right off the top:
1. Jeopardization of your own data. This may or may not be of
  concern to the user - I'll assume personal files have some importance.
2. Compromise of the entire network the system is connected to.
  This took a while for me to understand, but security compromise
  operates in a scalar fashion.

        This might explain the second point better. If an intruder
gains unauthorized access to your account on one system, it may be
assumed that these levels are at risk:
User: Files belonging to you in your home directory and elsewhere
             on that initial point of entry system. Files belonging to
             a group you are part of also fall into this category.
        
System: As the old cliche among hackers goes, if I can gain access
             to your system, I can gain root. Operating systems have
             a staggering number of exploitable "features", and chances
             are that whatever system is compromised is not up-to-date
             with patches.

Network: If I gain root (or even euid 0) access, I can knock an
            interface into promiscuous mode and watch traffic going
            here, there, and everywhere on the local segment. Any
            exchange of login information is potentially at risk.

Offsite: If a compromised account owner has accounts elsewhere,
            an intruder will do their best to find those systems and
            see what key opens what doors.

        The moral of the story is that password-based authentication
is indeed a weak link in the chain, but it's certainly not the only one.
A person may boast the most obfuscated passwords this side of the
galaxy, but social engineering, pinhole video cameras, and covert
channels can make short work of even the most complicated password.
Intelligence and counterintelligence is a fun topic - the best defense
is to remain alert and choose your moves carefully.

---
 Daniel J. Frasnelli                    Infosec analyst and cryptographer
  He who wonders discovers that this in itself is wonder. -- M.C. Escher
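As an added illustration of the one-time password scheme the post points to (S/key) rather than anything from the original message: a minimal Lamport-style hash chain in Python. The client holds a secret and a counter; the server stores only the top of the chain. Each login presents the next lower link, the server checks that hashing it reproduces the stored value, and the value presented becomes the new top, so a password sniffed on the wire (the "Network" level above) cannot be replayed, and preimage resistance keeps the eavesdropper from deriving the next one. Real S/key uses MD4 or MD5 folded to 64 bits and a six-word encoding; SHA-256 over raw bytes is a simplification here, and all names are made up for the example.

```python
import hashlib
import secrets


def H(data: bytes) -> bytes:
    """One step of the chain. S/key folds MD4/MD5 to 64 bits; SHA-256 is used here for simplicity."""
    return hashlib.sha256(data).digest()


def hash_chain_top(secret: bytes, count: int) -> bytes:
    """Return H^count(secret): the value the server is initialised with."""
    v = secret
    for _ in range(count):
        v = H(v)
    return v


class OTPClient:
    """Holds the secret; nothing else needs to be memorised or stored on the server."""

    def __init__(self, secret: bytes, count: int):
        self.secret = secret
        self.count = count  # number of passwords still unused

    def next_otp(self) -> bytes:
        if self.count == 0:
            raise RuntimeError("chain exhausted; re-initialise with a fresh secret")
        self.count -= 1
        return hash_chain_top(self.secret, self.count)  # H^(count-1)(secret)


class OTPServer:
    """Stores only the current top of the chain, never the secret."""

    def __init__(self, top: bytes, count: int):
        self.top = top
        self.count = count

    def verify(self, otp: bytes) -> bool:
        if self.count == 0:
            return False
        if H(otp) != self.top:
            return False  # wrong value, or a replay of an already used link
        self.top = otp  # the presented link becomes the new top
        self.count -= 1
        return True


def demo(count: int = 5):
    """Run a login, a replay of the same sniffed value, and a second login.

    Returns (first_login_ok, replay_accepted, second_login_ok, attacker_guess_ok).
    """
    secret = secrets.token_bytes(16)  # constructed example secret
    client = OTPClient(secret, count)
    server = OTPServer(hash_chain_top(secret, count), count)

    otp1 = client.next_otp()
    first_ok = server.verify(otp1)

    # An eavesdropper captured otp1 off the wire and tries it again.
    replay_ok = server.verify(otp1)

    # The eavesdropper's best guess at the next link is to hash what he saw,
    # but the next password is the *preimage* of otp1, not its image.
    attacker_guess_ok = server.verify(H(otp1))

    otp2 = client.next_otp()
    second_ok = server.verify(otp2)
    return first_ok, replay_ok, second_ok, attacker_guess_ok


if __name__ == "__main__":
    print(demo())
```

The last link in the chain is the secret itself, so a deployment re-initialises with a new secret well before the counter reaches zero; the server-side state is just (top, count) per user, which is what lets the same scheme work over an unencrypted telnet session of the era.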

