Another reason not to use sudo?
Hudson Delbert J Contr 61 CS/SCBN
Delbert.Hudson at LOSANGELES.AF.MIL
Wed Nov 24 15:40:51 UTC 2004
john,
knowing the vulnerabilities and mitigating the associated risk with
same vulnerabilities on one's own network IS THE province of the
network or system admin. closing those holes or at least make those
holes known to the powers that be and explaining risk associated
with stated vulnerabilities is your job if you are tasked w/the security
of the network. information assurance is not a set-it and forget-it
proposition at best. not to be snippy but if the scenario described
below would penetrate your nets you got much bigger problems than simple
dict attacks. w/out knowing much about your topology, it appears that
some ingress and egress filtering of services are waaaaaaaaay too light
and monitoring appears sketchy if ssh probes and the like could go
undetectable on your network. spotting scans like these are trivial and
can help to discern what 'knob-twisting' and are easily detected by a
plethora of tools. rsvp offlist if you'd like?
use a bit more intuitive thinking also (i.e.)
using animal names or names of specific types of items that occur in nature
such as aetna and vesuvius indicate using mountain ranges for a naming
theme.
using the types of dogs or other species would lead one to 'hunch'
that certain emails might use that same model like
collie, spaniel.....dingo and such provide a large crack base
because i like most people disobey a lot of tenets of securing access
like do not use dictionary words or items that can be associated with
a specific item like your email name indicates an affinity for things of
an australian nature and we'd proceed from there.
wallabee, sydney, et al...
~piranha
-----Original Message-----
From: ubuntu-users-bounces at lists.ubuntu.com
[mailto:ubuntu-users-bounces at lists.ubuntu.com]On Behalf Of John
Sent: Tuesday, November 23, 2004 9:56 AM
Cc: Ubuntu List
Subject: Re: Another reason not to use sudo?
Hudson Delbert J Contr 61 CS/SCBN wrote:
>
> almost no one will know the root password, if YOU don't tell it.
So you've not heard of a dictionary attack?
Let's say I want to take over some computers. I'm not fussy which.
I compile a list of likely accounts. Maybe
root
admin
guest
john
jason
I compile a list of common passwords.
dog
cat
toor
betty
rover
puss
george
georgew
bush
tony
tonyblair
A few hundred maybe. Doesn't have to be a lot. I might also try some
character changes 'o' to '0' and such, and some capitalisations.
I compile a list of IP addresses.
I rotate over them trying to login to each of the hosts as each of the
users with each of the passwords.
If I have a moderately large list of IP addresses and rotate over those
most quickly, I might not trigger alarms with lots of failed attempts.
I might try ssh logins (as happened to me), imap, pop3 and telnet. A mate
reports a brand of ADSL router has telnet open to the Internet by
default. That could be fun.
It happens this list would crack some of my test machines:-)
Getting into an arbitrary computer might be difficult, but finding _a_
computer that's not secured well isn't so difficult and if you allow
logins with passwords, your password is in my dictionary and you're
accessible via the Internet then the only further requirement is for me
to test the door.
--
ubuntu-users mailing list
ubuntu-users at lists.ubuntu.com
http://lists.ubuntu.com/mailman/listinfo/ubuntu-users
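The two positions in this thread (failed-login alarms that a rotation over many hosts stays under, and probes being easy to spot) can be compared on log data. The following is an added example, not part of either message: the log lines, host names, addresses and thresholds are constructed assumptions, and it counts failures per host first and then per source across all hosts.

```python
import re
from collections import defaultdict

# Constructed sample: sshd auth lines gathered from four hosts into one feed.
SAMPLE_LOG = """\
Nov 23 09:01:02 web1 sshd[411]: Failed password for root from 203.0.113.7 port 4101 ssh2
Nov 23 09:01:09 web2 sshd[388]: Failed password for invalid user admin from 203.0.113.7 port 4102 ssh2
Nov 23 09:01:15 db1 sshd[902]: Failed password for illegal user guest from 203.0.113.7 port 4103 ssh2
Nov 23 09:01:21 mail1 sshd[127]: Failed password for john from 203.0.113.7 port 4104 ssh2
Nov 23 09:04:40 web1 sshd[415]: Failed password for john from 198.51.100.20 port 5120 ssh2
Nov 23 09:04:52 web1 sshd[415]: Accepted password for john from 198.51.100.20 port 5120 ssh2
Nov 23 09:31:05 web2 sshd[390]: Failed password for root from 203.0.113.7 port 4188 ssh2
Nov 23 09:31:11 db1 sshd[907]: Failed password for invalid user jason from 203.0.113.7 port 4189 ssh2
"""

# "illegal user" is the wording older OpenSSH releases used for "invalid user".
FAILED = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"Failed password for (?:(?:invalid|illegal) user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse_failures(log_text):
    """Yield (host, user, source) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            yield m["host"], m["user"], m["src"]

def per_host_alerts(log_text, threshold=5):
    """Per-host rule: one source failing `threshold` times on a single host."""
    counts = defaultdict(int)
    for host, _user, src in parse_failures(log_text):
        counts[(host, src)] += 1
    return {key for key, n in counts.items() if n >= threshold}

def spread_alerts(log_text, min_hosts=3, min_users=3):
    """Cross-host rule: one source failing on many hosts and many accounts."""
    hosts, users = defaultdict(set), defaultdict(set)
    for host, user, src in parse_failures(log_text):
        hosts[src].add(host)
        users[src].add(user)
    return {src: (len(hosts[src]), len(users[src])) for src in hosts
            if len(hosts[src]) >= min_hosts and len(users[src]) >= min_users}

if __name__ == "__main__":
    print("per-host alerts:", per_host_alerts(SAMPLE_LOG))
    print("cross-host alerts:", spread_alerts(SAMPLE_LOG))
```

On the sample, the per-host rule stays silent because no host sees more than two failures from one address, while the cross-host rule flags the single source that touched four hosts and five account names; the user who mistyped a password once is not flagged by either.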