Re: Have I been hacked?

2015-01-16 Thread Joel Rees
On Thu, Jan 15, 2015 at 6:56 AM, Brian a...@cityscape.co.uk wrote:
 [...]
 We are still on off-line cracking? How does this sound?

Hmm. I guess I should respond to your questions about IP spoofing and
using strategy rather than pure brute force after all.

 Memorable passwords are good. Long, complex passwords are also good. One
 needn't exclude the other.

To a certain degree, they do. However,

 I can remember TwasBrilligAndTheSlithyToves and associate it with an
 account.

 Before signing up I do

 echo TwasBrilligAndTheSlithyToves | sha1sum | base64 | cut -c -30

 The output is what I give to a site as a password.

Now you're talking sense. Maybe I don't need to answer your questions
about IP spoofing and using strategy instead of pure brute force after
all.

Although, when you don't have access to a command line that gives you
sha1sum, you're back to having to work hard to remember what you gave
that site for a password.

Frankly, rot13 or rot42 would get pretty close. But I would prefer a
tool of my own making that I can use to exclusive-or the site name
with my chosen pass-phrase before I pass it to the predictable
shuffle.

But, as John Hasler points out, we're just sort of re-inventing (half
of) ssh keys.

 Furthermore, before any future logins I can run the command again to get
 the same password. Isn't this on-line and off-line cracking taken care
 of?

Depends on whether the targeting attacker is aware that you use
sha1sum on all your passwords.

Or has a copy of the source code for my rot42xor tool.

This is the part that SSH keys gets right, of course.

The argument, SSH keys versus passwords is kind of missing the point,
unless the argument itself helps people listening in think a bit more
carefully about their security.

-- 
Joel Rees

Be careful when you look at conspiracy.
Look first in your own heart,
and ask yourself if you are not your own worst enemy.
Arm yourself with knowledge of yourself, as well.


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/caar43ioj_vklxzni4os_0hzjfghgl9m2hhcmpmm7h5hdmfv...@mail.gmail.com



Re: Have I been hacked?

2015-01-16 Thread Frédéric Marchal
On Friday 16 January 2015 14:38:09, Joel Rees wrote :
  I can remember TwasBrilligAndTheSlithyToves and associate it with an
  account.
  
  Before signing up I do
  
  echo TwasBrilligAndTheSlithyToves | sha1sum | base64 | cut -c -30
  
  The output is what I give to a site as a password.
 
 Now you're talking sense. Maybe I don't need to answer your questions
 about IP spoofing and using strategy instead of pure brute force after
 all.
 
 Although, when you don't have access to a command line that gives you
 sha1sum, you're back to having to work hard to remember what you gave
 that site for a password.
 
 Frankly, rot13 or rot42 would get pretty close. But I would prefer a
 tool of my own making that I can use to exclusive-or the site name
 with my chosen pass-phrase before I pass it to the predictable
 shuffle.

That looks like https://www.passwordmaker.org/passwordmaker.html which is 
available as a firefox/iceweasel plugin and a chrome plugin (if I'm not 
mistaken).

That tool takes one master password (you only have to remember that one) and 
uses it to derive a site-specific password based on that password, the URL and 
possibly the user name used on the site.

The generated password can be computed at any time and on any computer with 
that information and various other options (such as the hash algorithm, the 
characters included in the password, the password length and so on).

Due to the hash algorithm, it is impossible to find the master password from 
one or even many generated passwords. Nor is it possible to compute the 
password for another site from passwords harvested on compromised sites.

If one site is compromised and the owner asks you to change your existing 
password, simply change one option in PasswordMaker to generate a new 
password.

Frederic


Archive: 
https://lists.debian.org/201501161551.08129.frederic.marc...@wowtechnology.com



Re: Have I been hacked?

2015-01-16 Thread Curt
On 2015-01-16, Joel Rees joel.r...@gmail.com wrote:

 The argument, SSH keys versus passwords is kind of missing the point,
 unless the argument itself helps people listening in think a bit more
 carefully about their security.


The success of the offline cracking of seemingly good hashed passcodes
got me to thinking, an activity to which I have reluctantly grown
accustomed over the years.

-- 
“There’s no money in poetry, but then there’s no poetry in money,
either.” —Robert Graves


Archive: https://lists.debian.org/slrnmbigfd.223.cu...@einstein.electron.org



Re: Have I been hacked?

2015-01-16 Thread Chris Bannister
On Thu, Jan 15, 2015 at 12:35:00PM +0100, mrr wrote:
 On 14/01/2015 06:00, Bob Proulx wrote:
 Trying to hide in an unusual username is obscurity not security.  You
 may have heard the term that obscurity is not security.
 
 Well obscurity may help, think about the man who loses his car key somewhere
 in an obscure place but will begin looking for it where there is some light
 because it's easier to see around!

And looking in the wrong place means you'll *NEVER* find the keys no matter
how good the light is.

 Said otherwise, the black hat may try to hack easy targets (with known
 username) before hacking you (with weird username), no?

In this case the black hat *MAY* crack the password.

-- 
If you're not careful, the newspapers will have you hating the people
who are being oppressed, and loving the people who are doing the 
oppressing. --- Malcolm X


Archive: https://lists.debian.org/20150116184146.GA30837@tal



Re: Have I been hacked?

2015-01-15 Thread Frédéric Marchal
2015-01-13 18:13 GMT+01:00 Danny mynixm...@gmail.com:
 Am I right in saying that there is actually nothing new when it comes to
 networking ... hear me out ... the internet (and most networks out there)
 still works on TCP/IP which is 40 odd years old (70's) ... a car mechanic
 only needs to know how an engine works ... you can bolt on many other things
 onto an engine and add a plethora of sensors to it but essentially it remains
 an engine ... if you understand the way an engine or an automatic/manual
 transmission works you can confidently service/overhaul any
 engine/transmission because they all are made up of the same stuff and they
 all work the same ... and this is my point with TCP/IP ... EVERYTHING is
 dumped on top of TCP/IP ... yet it remains the same ... a black hat only
 needs to know TCP/IP in order to knock on your door ... once he has knocked
 on your door it means that he has found you ... he knows you are there ...
 all he has to do is look at the Matrix screen ... am I making sense? ...

Being a hacker requires a bit more knowledge than TCP/IP.

To build upon your analogy, TCP/IP is more like the path to your
house. It offers no security beyond what you gain by mounting watch on
your doorstep.

Every open port on your server is like a door or a window.

The protocol carried by TCP/IP and recognized by the server
application listening on the open port is the lock on the door or
window.

Your login/credential is the key to the door.

Hackers are like thieves trying to break into your house. A thief
knows about various types of locks, doors and windows. He knows that
some windows break if pressure is applied on the upper corner
opposite the hinges. Such a type of lock is easily defeated by
drilling just below the barrel. Some kind of door is best attacked by
breaking through the lower panel, and so on.

A hacker can find your server the same way a thief can find your
house. He just walks around and looks at what may be a worthwhile
target.

A hacker knows about the protocols and server applications. He knows
their strengths and weaknesses and will attack where it is easier when
he sees an opportunity.

That is the reason you must update your server on a regular basis. It
removes old safety measures the hackers know how to break.

And when the house is properly secured, a thief may knock at the door
and sweet talk the owner into letting him in. Hackers do that too :-)

Frederic


Archive: 
https://lists.debian.org/caj7r-8qrkups3dyb3mz-wng3k8gtzuoth8-ndfcd4wq2-6f...@mail.gmail.com



Re: Have I been hacked?

2015-01-15 Thread mrr

On 14/01/2015 23:00, Brian wrote:

I can remember TwasBrilligAndTheSlithyToves and associate it with an
account.

Before signing up I do

 echo TwasBrilligAndTheSlithyToves | sha1sum | base64 | cut -c -30

The output is what I give to a site as a password.

Furthermore, before any future logins I can run the command again to get
the same password. Isn't this on-line and off-line cracking taken care
of?


Excellent, combining a mnemonic sentence + hashing to get a 
pseudo-aleatory, easy-to-remember password!
Well, that's elegant and efficient, thanks for the idea, that will be my 
new strategy henceforth...


--
mrr



Archive: https://lists.debian.org/54b7a2e2$0$2048$426a3...@news.free.fr



Re: Have I been hacked?

2015-01-15 Thread mrr

On 14/01/2015 06:00, Bob Proulx wrote:

Trying to hide in an unusual username is obscurity not security.  You
may have heard the term that obscurity is not security.


Well obscurity may help, think about the man who loses his car key 
somewhere in an obscure place but will begin looking for it where there 
is some light because it's easier to see around!


Said otherwise, the black hat may try to hack easy targets (with known 
username) before hacking you (with weird username), no?


--
mrr



Archive: https://lists.debian.org/54b7a5e4$0$12750$426a7...@news.free.fr



Re: Have I been hacked?

2015-01-15 Thread Gian Uberto Lauri
mrr writes:
  Well obscurity may help, think about the man who loses his car key 
  somewhere in an obscure place but will begin looking for it where there 
  is some light because it's easier to see around!

Think about the man that comes to steal. He carries a light/night
visor with him.

  Said otherwise, the black hat may try to hack easy targets (with known 
  username) before hacking you (with weird username), no?

The black hat will try to get 0:0 access w/o logging on first.

-- 
Gian Uberto Lauri
GNUslamic fundamentalist, direct grower of software,
formerly a sysadmin in (other people's) spare time...
Ubuntu: ancient African word meaning "I can not install Debian"

Warning: gnome-config-daemon considered more dangerous than GOTO


Archive: https://lists.debian.org/21687.44032.144990.789...@mail.eng.it



Re: Have I been hacked?

2015-01-14 Thread Brian
On Tue 13 Jan 2015 at 22:16:12 -0700, Bob Proulx wrote:

 Brian wrote:
  Seeing that my argument that enforcing (if it is possible) an
  unmemorable password is not in the best interests of security doesn't
  gain any traction, let me try a different tack.
  
  The password
  
TwasBrilligAndTheSlithyToves
  
  strikes me as a pretty good one for an ssh login. (I have capitalised
  some letters for readability, not to add complexity). Personally, I find
  it easy to remember and associate with ssh and my account. I cannot see
  why it is not a good password for me.
 
   Why passwords have never been weaker—and crackers have never been stronger
   http://arstechnica.com/security/2012/08/passwords-under-assault/
 
   Most importantly, a series of leaks over the past few years containing
   more than 100 million real-world passwords have provided crackers with
   important new insights about how people in different walks of life
   choose passwords on different sites or in different settings.  The
   ever-growing list of leaked passwords allows programmers to write
   rules that make cracking algorithms faster and more accurate; password
   attacks have become cut-and-paste exercises that even script kiddies
   can perform with ease.
 
 To summarize the problem it is that you as a human are unique in the
 universe, just like everyone else.  Analyzing 100 million passwords
 exposes the human bias that you introduce that you don't realize you
 are introducing.  It is big data removing the uniqueness and
 reducing the search space.

A good article. There is a follow-up at

   http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/

Although it affects a user, the lack of security at a site is not fixable by
him and is not his responsibility. If usernames and hashes are exposed to
an off-line attack I would agree the only certain protection is a long,
complex password comprising random characters. It would be beyond the
present techniques to match the hash in any realistic time.

I am still going to maintain that TwasBrilligAndTheSlithyToves is a
more than adequate password for logging in *on-line*. If I were to lack
trust in the maintenance of security at a site I might consider a change
of heart. But then - what would I base my judgement on, apart from the
theoretical possibility?

 I won't say that the technique you show above is a bad thing.  But the
 current wisdom is that it isn't good enough anymore because after
 analyzing millions of real world passwords, programs can now guess
 what humans will do much of the time.  So what you really need is
 something other than what a human would produce.

We are still on off-line cracking? How does this sound?

Memorable passwords are good. Long, complex passwords are also good. One
needn't exclude the other.

I can remember TwasBrilligAndTheSlithyToves and associate it with an
account.

Before signing up I do

echo TwasBrilligAndTheSlithyToves | sha1sum | base64 | cut -c -30

The output is what I give to a site as a password.

Furthermore, before any future logins I can run the command again to get
the same password. Isn't this on-line and off-line cracking taken care
of?


Archive: https://lists.debian.org/20150114215605.gb15...@copernicus.demon.co.uk
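As an added example (my own code, not from the thread and not PasswordMaker's), the Python below reproduces Brian's `sha1sum | base64 | cut` pipeline byte for byte and then shows the site-bound, slow-KDF derivation that Frédéric's PasswordMaker description and Joel's "what if the attacker knows you use sha1sum" objection point toward. The site names, user name, character set and iteration count are assumptions.

```python
"""Per-site password derivation from a memorable passphrase.

Added example (my own code, not from the list thread or PasswordMaker).
brian_pipeline() reproduces the shell pipeline quoted in the thread
byte for byte, so its output can be checked against the real command:

    echo PHRASE | sha1sum | base64 | cut -c -30

site_password() is a PasswordMaker-style derivation of my own design:
it binds the result to the site, user name and a generation counter and
runs the passphrase through a slow KDF, so one harvested password says
nothing about other sites and a rotated site just bumps the counter.
"""
import base64
import hashlib
import string


def brian_pipeline(phrase: str) -> str:
    """echo PHRASE | sha1sum | base64 | cut -c -30, computed in Python."""
    # echo appends a newline before sha1sum sees the text
    digest = hashlib.sha1((phrase + "\n").encode()).hexdigest()
    # sha1sum prints "<hex>  -\n" when reading stdin; base64 encodes that line
    sha1sum_line = f"{digest}  -\n".encode()
    encoded = base64.b64encode(sha1sum_line).decode()
    # 44 input bytes give 60 base64 characters (one line); cut keeps the first 30
    return encoded[:30]


# Letters, digits and a few symbols most sites accept (assumed set).
PASSWORD_CHARS = string.ascii_letters + string.digits + "!#%+-=?@_"


def site_password(master: str, site: str, username: str = "",
                  generation: int = 1, length: int = 24,
                  iterations: int = 100_000) -> str:
    """Derive a site-specific password from the master passphrase.

    The salt carries the site (case-folded), the user name and a generation
    counter, so the same master phrase yields unrelated passwords per site
    and per rotation.  PBKDF2-HMAC-SHA256 makes each guess of the master
    phrase cost `iterations` hashes for an attacker who knows the scheme.
    """
    salt = "\x00".join([site.strip().lower(), username, str(generation)])
    # derive more bytes than needed; rejection sampling below discards some
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt.encode(),
                              iterations, dklen=4 * length)
    # discard bytes >= limit so each character is chosen without modulo bias
    limit = 256 - 256 % len(PASSWORD_CHARS)
    chars = [PASSWORD_CHARS[b % len(PASSWORD_CHARS)] for b in key if b < limit]
    return "".join(chars[:length])


if __name__ == "__main__":
    # constructed sample values; "example.org" and "brian" are assumptions
    master = "TwasBrilligAndTheSlithyToves"
    print("pipeline   :", brian_pipeline(master))
    print("example.org:", site_password(master, "example.org", "brian"))
    print("example.net:", site_password(master, "example.net", "brian"))
    print("rotated    :", site_password(master, "example.org", "brian",
                                        generation=2))
```

Running the first function against the real `echo ... | sha1sum | base64 | cut -c -30` on a GNU system gives the same 30 characters, which is the check a practitioner would want before relying on a re-implementation.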



Re: Have I been hacked?

2015-01-14 Thread Brian
On Wed 14 Jan 2015 at 18:52:06 +0900, Joel Rees wrote:

 2015/01/13 5:17 Brian a...@cityscape.co.uk:
 
  strikes me as a pretty good one for an ssh login. (I have capitalised
  some letters for readability, not to add complexity). Personally, I find
  it easy to remember and associate with ssh and my account. I cannot see
  why it is not a good password for me.
 
 Just remember that fail2ban only does temporary tarpitting, and only if the
 attacks are repeated too quickly.

How about

   http://whyscream.net/wiki/index.php/Fail2ban_monitoring_Fail2ban#Warning:_pick_the_right_jail

  The automated probes wouldn't get close to cracking it.
 
 Think of a bot farm continuously hitting a crowd of targets, once a second,
 cycling through spoofed IPs, using informed strategies instead of pure
 brute force. If they can spoof one IP, they can spoof another.

Does this increase the number of connections per second?

  The danger might
  be a directed attack - from friends, associates, colleagues etc. If they
  knew about my fixation on Lewis Carroll they might have a go at breaking
  in.
 
 If they think you have something they want, people you don't know will find
 out about your interests. Blog posts, posts here, etc.

500,000.000 million on the internet at least. It's not my turn yet.

  Actually, it would be ok as a password for banking access too. There
  surely cannot be a banking site which does not take action after a
  number of failed logins. Maybe not using fail2ban, but a similar
  approach which protects both parties.
 
 Means you end up going to the bank in person, to get the lock removed.

The telephone?

People would be heavily critical if a bank did not take steps to monitor
logins and act on unusual activity.

 Banks aren't perfect, though. You could come to considerable trouble
 should, for instance, a bank employee decide to do a little investigating
 passwords in her spare time, without permission.
 
 But it's your bank account. Go for it.

I have no knowledge or control over what goes on in a bank. Why lose
sleep over worrying about it?


Archive: https://lists.debian.org/20150114215653.gc15...@copernicus.demon.co.uk



Re: Have I been hacked?

2015-01-14 Thread John Hasler
Brian writes:
 I can remember TwasBrilligAndTheSlithyToves and associate it with an
 account.

 Before signing up I do

echo TwasBrilligAndTheSlithyToves | sha1sum | base64 | cut -c -30

 The output is what I give to a site as a password.

 Furthermore, before any future logins I can run the command again to get
 the same password.

Or you can install one of the software packages that do that for you.
-- 
John Hasler 
jhas...@newsguy.com
Elmwood, WI USA


Archive: https://lists.debian.org/87oaq1dmkh@thumper.dhh.gt.org



Re: Have I been hacked?

2015-01-14 Thread Bob Proulx
Brian wrote:
 Bob Proulx wrote:
  Brian wrote:
 I am still going to maintain that TwasBrilligAndTheSlithyToves is a
 more than adequate password for logging in *on-line*. If I were to lack
 trust in the maintenance of security at a site I might consider a change
 of heart. But then - what would I base my judgement on, apart from the
 theoretical possibility?
 
  I won't say that the technique you show above is a bad thing.  But the
  current wisdom is that it isn't good enough anymore because after
  analyzing millions of real world passwords, programs can now guess
  what humans will do much of the time.  So what you really need is
  something other than what a human would produce.
 
 We are still on off-line cracking? How does this sound?

Oops.  You caught me.  Everyone else continued to talk about offline
cracking and I had pretty much given up and lost track of the topic.
But you specifically said online and emphasized it.  My bad.

Although I was trying to address specifically the trust in site
security.  It is only a matter of time before a high profile site is
so mired in its own bureaucracy that it loses track of its own
security and exposes this information.  Historically speaking.

But the original poster was talking about a personal Debian system.
For a personal system one could probably get away with using a pretty
weak password.  Your password method would be a pretty strong one for
a personal system.  If the system is compromised to the point that
/etc/shadow with the hashes is exposed for an offline attack then you
should scrape it clean and install from known good pristine sources
and start again using all different passwords than before.  The weak
password wouldn't have been the problem in that case.  The attack
could only have come through some other vector into the machine.

Bob

P.S.  Before leaving remote web sites entirely behind...
Most important is to use a unique password per site.  Then use a
strong password only if I care about having that data cracked.  I use
my fair share of weak throwaway passwords on weak throwaway sites.
But I never reuse them across sites.




Re: Have I been hacked?

2015-01-14 Thread Joel Rees
2015/01/13 5:17 Brian a...@cityscape.co.uk:

 On Sun 11 Jan 2015 at 16:43:34 -0700, Bob Proulx wrote:

  Brian wrote:
   Bob Proulx wrote:
    Complete agreement.  I want to go further and say that a password
    that you can remember without needing to write it down is probably
    not a good password.
  
   Security of an ssh login is aimed at allowing access to some but
   denying it to others. An authorised user who cannot remember his 20
   character password has experienced a security failure.
 
  Security is the part of the system designed to make it not only hard
  to use but the design goal is to prevent it from being used.

 Seeing that my argument that enforcing (if it is possible) an
 unmemorable password is not in the best interests of security doesn't
 gain any traction, let me try a different tack.

 The password

   TwasBrilligAndTheSlithyToves

TwasNotBrilligNAND

might have been a stronger password until we talked about these. Both are
dead meat now.

Or perhaps

tVaS nicht BrIlLiG NAND,

although it, too, should be considered dead meat now that we have mentioned
it in public. Do a bit of l33t$peak on it and it could have been strong
enough to use. If I had refrained from mentioning it, at least.

 strikes me as a pretty good one for an ssh login. (I have capitalised
 some letters for readability, not to add complexity). Personally, I find
 it easy to remember and associate with ssh and my account. I cannot see
 why it is not a good password for me.

Just remember that fail2ban only does temporary tarpitting, and only if the
attacks are repeated too quickly.

 The automated probes wouldn't get close to cracking it.

Think of a bot farm continuously hitting a crowd of targets, once a second,
cycling through spoofed IPs, using informed strategies instead of pure
brute force. If they can spoof one IP, they can spoof another.

 The danger might
 be a directed attack - from friends, associates, colleagues etc. If they
 knew about my fixation on Lewis Carroll they might have a go at breaking
 in.

If they think you have something they want, people you don't know will find
out about your interests. Blog posts, posts here, etc.

 Actually, it would be ok as a password for banking access too. There
 surely cannot be a banking site which does not take action after a
 number of failed logins. Maybe not using fail2ban, but a similar
 approach which protects both parties.

Means you end up going to the bank in person, to get the lock removed.

Banks aren't perfect, though. You could come to considerable trouble
should, for instance, a bank employee decide to do a little investigating
passwords in her spare time, without permission.

But it's your bank account. Go for it.

Joel Rees

Computer memory is just fancy paper,
CPUs just fancy pens.
All is a stream of text
flowing from the past into the future.


Re: Have I been hacked?

2015-01-14 Thread John Hasler
Bob Proulx writes:
 So what you really need is something other than what a human would
 produce.

And pwgen does that just fine: a different 12 character random password
for every site.
-- 
John Hasler 
jhas...@newsguy.com
Elmwood, WI USA


Archive: https://lists.debian.org/87bnm1fnx8@thumper.dhh.gt.org



Re: Have I been hacked?

2015-01-13 Thread Bob Proulx
Danny wrote:
 least myself) forgot about ...  and that is the importance of
 choosing a proper username ...
 ...
 So ... if I know the username I am already halfway there ... I just
 need to get the OTHER remaining 50% (by breaking the password)

Trying to hide in an unusual username is obscurity not security.  You
may have heard the term that obscurity is not security.

 Someone also mentioned black-hats ... I think that black-hats are a necessary
 evil ... just like lawyers ;) ...

I think you are misunderstanding the use of the term.

  https://en.wikipedia.org/wiki/Hacker_(computer_security)#Black_hat

Bob




Re: Have I been hacked?

2015-01-13 Thread Bob Proulx
Gene Heskett wrote:
 10 characters is entirely within the realm of being solved by john in a 
 surprisingly short time.

In order to use john you will need to be running an offline attack
against an already exposed account database.  It doesn't work as an
online attack.

 But every character you add makes its job around 62 more times as
 difficult.  ANY password I am forced to use online, has an automatic
 minimum by my own rules of 18 chars, and if it's acceptable on the
 other end, may be 23 or 24.

I use a unique password on every site.  I never reuse passwords.  If a
site is cracked open and the account data exposed so that someone can
run an offline attack against the password database then it only
affects that site and not others.

 Please be aware that your banking site may appear to accept a 24 char 
 password, but they will silently clip off the surplus above 12 or so.

I will shame Schwab again for silently truncating to 8 characters.

Bob




Re: Have I been hacked?

2015-01-13 Thread Bob Proulx
Brian wrote:
 Seeing that my argument that enforcing (if it is possible) an
 unmemorable password is not in the best interests of security doesn't
 gain any traction, let me try a different tack.
 
 The password
 
   TwasBrilligAndTheSlithyToves
 
 strikes me as a pretty good one for an ssh login. (I have capitalised
 some letters for readability, not to add complexity). Personally, I find
 it easy to remember and associate with ssh and my account. I cannot see
 why it is not a good password for me.

  Why passwords have never been weaker—and crackers have never been stronger
  http://arstechnica.com/security/2012/08/passwords-under-assault/

  Most importantly, a series of leaks over the past few years containing
  more than 100 million real-world passwords have provided crackers with
  important new insights about how people in different walks of life
  choose passwords on different sites or in different settings.  The
  ever-growing list of leaked passwords allows programmers to write
  rules that make cracking algorithms faster and more accurate; password
  attacks have become cut-and-paste exercises that even script kiddies
  can perform with ease.

To summarize the problem it is that you as a human are unique in the
universe, just like everyone else.  Analyzing 100 million passwords
exposes the human bias that you introduce that you don't realize you
are introducing.  It is big data removing the uniqueness and
reducing the search space.

I won't say that the technique you show above is a bad thing.  But the
current wisdom is that it isn't good enough anymore because after
analyzing millions of real world passwords, programs can now guess
what humans will do much of the time.  So what you really need is
something other than what a human would produce.

Bob




Re: Fwd: Re: Have I been hacked?

2015-01-13 Thread Ric Moore

On 01/13/2015 05:34 AM, Gene Heskett wrote:

On Monday, January 12, 2015 11:54:54 PM Joel Rees did opine
And Gene did reply:

2015/01/13 5:04 Ric Moore wayward4...@gmail.com:

On 01/12/2015 11:50 AM, Jerry Stuckle wrote:

You should learn from some REAL security experts, not the internet.


Like who? There are compromises all over the net, with consumer
security files lying in the open like gutted bleeding fish. I don't think
anyone is a REAL security expert, except the ones breaking in. Any
advances we have now are the result of closing the barn doors after the
cow got out. I guess we owe the BlackHats that much. :/ Ric


Can I read you as saying that the black hats may be the closest thing
to security experts that we have?

I was thinking I agree.

But I also think we are letting them define security.

I keep forgetting that I don't like the definitions they seem to want
to impose on us.

Joel Rees


I'm with Ric on that. We seem to have lost our proactive attitude about
security. The net result is predictable in that the lunatics are now
running the asylum.

Hi Ric. :)


Hey Gene! They can't keep a good man down! Did Mandrake finally push up 
the lilies??


Of course I am not happy with the Blackhats defining security, but if it 
weren't for them doing their job no one else would. I am jealous that 
I don't have their brain power. Getting too old, missing a limb and 
waiting for a triple-bypass. I need some stem cells. Glad to see you 
here, Gene. :) Ric




--
My father, Victor Moore (Vic) used to say:
There are two Great Sins in the world...
..the Sin of Ignorance, and the Sin of Stupidity.
Only the former may be overcome. R.I.P. Dad.
Linux user# 44256



Archive: https://lists.debian.org/54b56554.2050...@gmail.com



Re: Have I been hacked?

2015-01-13 Thread Gene Heskett
On Tuesday, January 13, 2015 12:13:19 PM Danny did opine
And Gene did reply:
 Hi,
 
 I have read with interest all the responses and followed all the
 links. However, I realized something that I think we all (well, at
 least myself) forgot about ... and that is the importance of choosing
 a proper username ...
 
 Authentication (usually) is a 2 step process ... as we all know ... a
 username and a password ... and since ssh is (mostly) referred to
 here ... we can accept that it is most definitely a 2 step process
 ...
 
 So ... if I know the username I am already halfway there ... I just
 need to get the OTHER remaining 50% (by breaking the password) ... and
 (like someone mentioned) it will take immensely long for someone to
 break a 10 (I think it was 10) character password ... then why is the
 importance of a good username ignored ... if I have a (creepy)
 username of 10 characters it will take a black hat twice as long to
 get what he wants ... or am I misleading myself (and others) here ...
 are we not putting too much emphasis/pressure on a good password
 where the pressure could be spread between the username AND password
 ... just asking ...

10 characters is entirely within the realm of being solved by john in a 
surprisingly short time.  But every character you add makes its job around 
62 more times as difficult.  ANY password I am forced to use online, has 
an automatic minimum by my own rules of 18 chars, and if it's acceptable 
on the other end, may be 23 or 24.

Please be aware that your banking site may appear to accept a 24 char 
password, but they will silently clip off the surplus above 12 or so.
So your password is always wrong. In that case it's best to get on the 
squawkbox with them so they can reset your access since most will lock 
you out for a day or more after 3 fails.  Then try again, stripping one 
character at a time off what you enter, until you find their idiotic 
smaller limit and it works.  Frankly it's a right Pain In The Ass. 

 Someone also mentioned black-hats ... I think that black-hats are a
 necessary evil ... just like lawyers ;) ... I understand some
 mechanical things better than others, like hydraulics and pneumatics
 ... mechanical engineering is no obstacle to me ... however ... I
 have difficulty in getting my head wrapped around things like squid,
 iptables, procmail, regexp ... some of you have no difficulty in any
 of these but have difficulty in mechanical stuff ... it is supposed
 to be like that ... when I think of black-hats I think of the green
 Matrix screen ... they are a special breed ... they see things that
 white hats don't see because it is their nature ... Just like car
 mechanics can tune/alter an engine so can black-hats tune alter a
 TCP/IP stream/payload ...
 
 Am I right in saying that there is actually nothing new when it comes
 to networking ... hear me out ... the internet (and most networks out
 there) still works on TCP/IP which is 40 odd years old (70's) ... a
 car mechanic only needs to know how an engine works ... you can bolt
 on many other things onto an engine and add a plethora of sensors to
 it but essentially it remains an engine ... if you understand the way
 an engine or an automatic/manual transmission works you can
 confidently service/overhaul any engine/transmission because they
 all are made up of the same stuff and they all work the same ... and
 this is my point with TCP/IP ... EVERYTHING is dumped on top of
 TCP/IP ... yet it remains the same ... a black hat only needs to know
 TCP/IP in order to knock on your door ... once he knocked on your
 door it means that he has found you ... he knows you are there ...
 all he has to do is look at the Matrix screen ... am I making sense?
 ...
 
 Have a nice day
 
 Danny

Perfect sense Danny, but I have no clue if a new, potentially more secure 
method is in development.

Cheers, Gene Heskett
-- 
There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order.
-Ed Howdershelt (Author)
Genes Web page http://geneslinuxbox.net:6309/gene
US V Castleman, SCOTUS, Mar 2014 is grounds for Impeaching SCOTUS


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/201501131104.26321.ghesk...@wdtv.com



Re: Fwd: Re: Have I been hacked?

2015-01-13 Thread Gene Heskett
On Monday, January 12, 2015 11:54:54 PM Joel Rees did opine
And Gene did reply:
 2015/01/13 5:04 Ric Moore wayward4...@gmail.com:
  On 01/12/2015 11:50 AM, Jerry Stuckle wrote:
  You should learn from some REAL security experts, not the internet.
  
  Like who? There are compromises all over the net, with consumer
  security
 
 files lying in the open like gutted bleeding fish. I don't think
 anyone is a REAL security expert, except the ones breaking in. Any
 advances we have now is result of closing the barn doors after the
 cow got out. I guess we owe the BlackHats that much. :/ Ric
 
 
 Can I read you as saying that the black hats may be the closest thing
 to security experts that we have?
 
 I was thinking I agree.
 
 But I also think we are letting them define security.
 
 I keep forgetting that I don't like the definitions they seem to want
 to impose on us.
 
 Joel Rees

I'm with Ric on that. We seem to have lost our proactive attitude about 
security. The net result is predictable in that the lunatics are now 
running the asylum.

Hi Ric. :)

Cheers, Gene Heskett


Archive: https://lists.debian.org/201501130534.12709.ghesk...@wdtv.com



Re: Have I been hacked?

2015-01-13 Thread Andrei POPESCU
On Lu, 12 ian 15, 20:17:10, Brian wrote:
 
 Seeing that my argument that enforcing (if it is possible) an
 unmemorable password is not in the best interests of security doesn't
 gain any traction, let me try a different tack.
 
 The password
 
   TwasBrilligAndTheSlithyToves

This thread reminds me of

https://xkcd.com/936/

and

https://xkcd.com/538/

Kind regards,
Andrei
P.S. Sorry if these have already been posted, didn't go through the 
entire thread yet.
-- 
http://wiki.debian.org/FAQsFromDebianUser
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
http://nuvreauspam.ro/gpg-transition.txt




Re: Have I been hacked?

2015-01-13 Thread Lisi Reisz
On Tuesday 13 January 2015 09:22:25 Andrei POPESCU wrote:
 This thread reminds me of

 https://xkcd.com/936/

 and

 https://xkcd.com/538/

 P.S. Sorry if these have already been posted, didn't go through the
 entire thread yet.

:-))  Thanks Andrei.  Loved the second.  I already knew the first, so it 
lacked the element of surprise! 

Lisi



Archive: https://lists.debian.org/201501131015.17587.lisi.re...@gmail.com



Re: Have I been hacked?

2015-01-13 Thread Danny
Hi,

I have read with interest all the responses and followed all the links. However,
I realized something that I think we all (well, at least myself) forgot about 
...
and that is the importance of choosing a proper username ...

Authentication (usually) is a 2 step process ... as we all know ... a username 
and a password ... and since ssh is (mostly) referred to here ... we can accept 
that
it is most definitely a 2 step process ...

So ... if I know the username I am already halfway there ... I just need to get
the OTHER remaining 50% (by breaking the password) ... and (like someone
mentioned) it will take immensely long for someone to break a 10 (I think it was
10) character password ... then why is the importance of a good username ignored
... if I have a (creepy) username of 10 characters it will take a black hat 
twice
as long to get what he wants ... or am I misleading myself (and others) here ...
are we not putting too much emphasis/pressure on a good password where the
pressure could be spread between the username AND password ... just asking ...

Someone also mentioned black-hats ... I think that black-hats are a necessary
evil ... just like lawyers ;) ... I understand some mechanical things better
than others, like hydraulics and pneumatics ... mechanical engineering is no
obstacle to me ... however ... I have difficulty in getting my head wrapped
around things like squid, iptables, procmail, regexp ... some of you have no
difficulty in any of these but have difficulty in mechanical stuff ... it is
supposed to be like that ... when I think of black-hats I think of the green
Matrix screen ... they are a special breed ... they see things that white hats
don't see because it is their nature ... Just like car mechanics can tune/alter
an engine so can black-hats tune alter a TCP/IP stream/payload ...

Am I right in saying that there is actually nothing new when it comes to
networking ... hear me out ... the internet (and most networks out there) still
works on TCP/IP which is 40 odd years old (70's) ... a car mechanic only needs
to know how an engine works ... you can bolt on many other things onto an engine
and add a plethora of sensors to it but essentially it remains an engine ... if
you understand the way an engine or an automatic/manual transmission works you 
can
confidently service/overhaul any engine/transmission because they all are made 
up of the same
stuff and they all work the same ... and this is my point with TCP/IP ...
EVERYTHING is dumped on top of TCP/IP ... yet it remains the same ... a black
hat only needs to know TCP/IP in order to knock on your door ... once he knocked
on your door it means that he has found you ... he knows you are there ... all 
he
has to do is look at the Matrix screen ... am I making sense? ... 

Have a nice day

Danny


Archive: https://lists.debian.org/20150113171319.GA31019@fever.havannah.local



Re: Fwd: Re: Have I been hacked?

2015-01-13 Thread Gene Heskett
On Tuesday, January 13, 2015 01:35:00 PM Ric Moore did opine
And Gene did reply:
 On 01/13/2015 05:34 AM, Gene Heskett wrote:
  On Monday, January 12, 2015 11:54:54 PM Joel Rees did opine
  
  And Gene did reply:
  2015/01/13 5:04 Ric Moore wayward4...@gmail.com:
  On 01/12/2015 11:50 AM, Jerry Stuckle wrote:
  You should learn from some REAL security experts, not the
  internet.
  
  Like who? There are compromises all over the net, with consumer
  security
  
  files lying in the open like gutted bleeding fish. I don't think
  anyone is a REAL security expert, except the ones breaking in.
  Any advances we have now is result of closing the barn doors after
  the cow got out. I guess we owe the BlackHats that much. :/ Ric
  
  
  Can I read you as saying that the black hats may be the closest
  thing to security experts that we have?
  
  I was thinking I agree.
  
  But I also think we are letting them define security.
  
  I keep forgetting that I don't like the definitions they seem to
  want to impose on us.
  
  Joel Rees
  
  I'm with Ric on that. We seem to have lost our proactive attitude
  about security. The net result is predictable in that the lunatics
  are now running the asylum.
  
  Hi Ric. :)
 
 Hey Gene! They can't keep a good man down!

Yeah, well, I had my 10 minute warning buzzer last May, pulmonary 
embolism that almost punched my ticket out of here.  But the shot worked, 
no ministrokes from it, so your fav crochety old fart is still here 
although on a steady diet of warfarin so I leak profusely when nicked.  
And use a lot of bandaids.

Still piddling in the shop, currently making a copy of that blanket chest 
on the cover of the fall 2014 issue of Fine WoodWorking.  But I am 
cheating a bit because other than the table and chop saw stuff, I am 
doing all the joinery and trim on my cnc milling machine.  Gotta make 
that sow's ear I have entirely too much money and time into making it cnc, 
pay its way.  I could probably do it by hand quicker, but not as 
precisely, nor as well fitted.  It's Greene & Greene style, using ebony 
chips in square excavations for screw covers for all the screws that hold 
it together.  Between the Mahogany and the ebony, I have about $450 just 
in the wood.

But as I am fond of saying, stuff like this keeps me out of the bars. :)

Rumor has it you lost a foot a while back?

 Did Mandrake finally push
 up the lilies??

2 or 3 times now.  Google for Mageia these days I think it is.
 
 Of course I am not happy with the Blackhats defining security, but if
 it weren't for them doing their job no one else would. I am jealous
 that I don't have their brain power.

There are some formidable talents out there, that's for sure. Combined, 
they easily beat my quite decent IQ. My biggest problem is the short term 
memory though.  I recognize it for what it is but can't seem to fix it 
either.

 Getting too old, 

aren't we all, I'm 80 now :(

 missing a limb

Heard about that, sorry too.

 and waiting for a triple-bypass. I need some stem cells.

I could use some myself, and some fresh disks in my back, arther has worn 
them down to bone on bone in at least 2 places.  Anyone who says these 
are the golden years, is only looking at the color of the water in the 
bowl.

My heart OTOH, they spent 2 hours looking at it 2 days later in the shop, 
because it was blown up to 3x its normal size from trying to pump thru 
the blockage, looking for a good excuse to put in some stents or whatever 
(these medics never miss a chance to enhance the bottom line do they) but 
the guy doing the looking finally sat back and sighed, saying I ought to 
be good for a decade or more, he flat could not find a reason to put a 
zipper in my chest.

But I need to stop the warfarin before too long, my PSA is north of 10.

 Glad to see
 you here, Gene. :) Ric

Running a 32 bit wheezy install with a 64 bit kernel, working fairly well 
too.

Cheers, Gene Heskett


Archive: https://lists.debian.org/201501131604.21976.ghesk...@wdtv.com



Re: Have I been hacked?

2015-01-13 Thread Brian
On Tue 13 Jan 2015 at 19:13:19 +0200, Danny wrote:

 I have read with interest all the responses and followed all the links. 
 However,
 I realized something that I think we all (well, at least myself) forgot about 
 ...
 and that is the importance of choosing a proper username ...

You can be known by whatever name you choose. There is no importance
attached to it.

 Authentication (usually) is a 2 step process ... as we all know ... a 
 username 
 and a password ... and since ssh is (mostly) referred to here ... we can 
 accept that
 it is most definitely a 2 step process ...

Authentication is a minimum one step process.

Your argument falls apart after this.

You identify yourself and then prove it. Anyone can claim to be you but
they may have difficulty substantiating it.

Usernames identify but do not authenticate. By all means tell everyone
what your username is, but do not give them the means to authenticate
using it.


Archive: 
https://lists.debian.org/13012015203206.fa515ce37...@desktop.copernicus.demon.co.uk



Re: Have I been hacked?

2015-01-12 Thread Joe
On Mon, 12 Jan 2015 17:24:41 +0900
Joel Rees joel.r...@gmail.com wrote:


 The only truly secure computer is the one that you wrote all the OS
 and application code for.

*And* the compiler(s) and the rest of the build toolchain... *and* the
BIOS, *and* the code for any network hardware you use...*and* the
firmware of all of your hardware...

-- 
Joe


Archive: https://lists.debian.org/20150112091810.40d30...@jresid.jretrading.com



Re: Have I been hacked?

2015-01-12 Thread Joel Rees
On Mon, Jan 12, 2015 at 7:32 AM, Iain M Conochie i...@thargoid.co.uk wrote:

 On 10/01/15 20:31, Brian wrote:

 By all means advocate and use ssh keys. But at least provide some
 substantial reason for spurning password login for that particular
 situation. A blanket don't use passwords or keys are better doesn't cut
 it.


 There are 3 (current) factors in authentication:

According to some models.

 1. What the user knows

Knowledge is a thing which is had. It is potentially easy to
duplicate, in small pieces. The choice of which piece is used is
hopefully not so easily duplicated. This is the first assumed weakness
of passwords, that most people are lazy about the choice.

 2. What the user has

Typical example is a bank card. Unfortunately, this is easy to
duplicate, if one is not careful about where one uses it. (ATM
machines where the front panel has been augmented by attackers, and the
reader slot has a second reader hiding in front of the real reader
provide one example.)

Physical keys, like the key to your front door or to the safe deposit
box, are another example.

 3. What the user is

Try to define that in a way useful to authentication, without invoking
either of the above concepts.

 These increase in security as you go higher up the number.

How do you prove that?

How do you define security?

 So (assuming the
 implementation is secure

Is secure here related to security above?

 ) my fingerprint (being something I am)

You sure it's not something you have?

 is more
 secure than a password.

Unless someone chops your hand off to steal your BMW.

 Also, an ssh-key (being something I have

Now there's an interesting assertion. It seems reasonable, if one
accepts certain implicit, arbitrary boundaries between the three
classes of tokens invoked above.

-- seems reasonable --

 ) is more
 secure than a password.

And, yet, it is no more secure than the user account on the machine in
which it is stored.

(Noting, not coincidentally, that the computer storage device acts as
a memory proxy.)

 In each case we have the _implementation_

among other things

 to let us down. #1 is up to the
 user whereas #2 and #3 are up to the programmer.

I can think of a number of ways in which what you appear to be talking
about as something you have and something you are are as much under
control of the user as under control of the programmer.

 Who do you trust ;)

I would prefer that we all learn to program.

-- 
Joel Rees

The only truly secure computer is the one that you wrote all the OS
and application code for.


Archive: 
https://lists.debian.org/caar43iov07n20efsd2qqbxa_t_-utavabbbxg4fkyrew7c_...@mail.gmail.com



Re: Have I been hacked?

2015-01-12 Thread iain

On 2015-01-12 08:24, Joel Rees wrote:
On Mon, Jan 12, 2015 at 7:32 AM, Iain M Conochie i...@thargoid.co.uk 
wrote:


On 10/01/15 20:31, Brian wrote:


By all means advocate and use ssh keys. But at least provide some
substantial reason for spurning password login for that particular
situation. A blanket don't use passwords or keys are better 
doesn't cut

it.



There are 3 (current) factors in authentication:


According to some models.


Care to enlighten me about others?



1. What the user knows


Knowledge is a thing which is had. It is potentially easy to
duplicate, in small pieces. The choice of which piece is used is
hopefully not so easily duplicated. This is the first assumed weakness
of passwords, that most people are lazy about the choice.


While it is possible to enforce certain password policies (e.g. must use 
capital letters, numbers, symbols etc) these
do not necessarily dictate a secure password. I guess if I know your 
phone number, if it is stored in my phone I have
it as well. Someone steals my phone they now also know and have your 
number. If I do not add it to my phone, do I still

have it?




2. What the user has


Typical example is a bank card. Unfortunately, this is easy to
duplicate, if one is not careful about where one uses it. (ATM
machines where the front panel has been augmented by attackers, and the
reader slot has a second reader hiding in front of the real reader
provide one example.)

Physical keys, like the key to your front door or to the safe deposit
box, are another example.


Yup - I agree with this.




3. What the user is


Try to define that in a way useful to authentication, without invoking
either of the above concepts.


These increase in security as you go higher up the number.


How do you prove that?


Knowledge is easier to duplicate than a physical item. You mentioned the 
ATM attack.
That requires particular equipment to successfully orchestrate, and in 
fact many

ATMs have been modified to not allow said equipment to function.

Of course, with the advent of 3D printing, duplicating physical items is 
much easier than

it used to be.



How do you define security?


I don't need to. There is already a definition in English for this:

http://dictionary.cambridge.org/dictionary/british/security



So (assuming the
implementation is secure


Is secure here related to security above?


Secure as in the implementation has as close to 0 defects as possible.




) my fingerprint (being something I am)


You sure it's not something you have?


Nope - I am pretty sure it is something I am, within the context of the 
above statement.





is more
secure than a password.


Unless someone chops your hand off to steal your BMW.


Again - implementation. Is the hand warm? Is there a pulse?




Also, an ssh-key (being something I have


Now there's an interesting assertion. It seems reasonable, if one
accepts certain implicit, arbitrary boundaries between the three
classes of tokens invoked above.

-- seems reasonable --


) is more
secure than a password.


And, yet, it is no more secure than the user account on the machine in
which it is stored.


OK sure - but we are discussing how to authenticate to an account right?



(Noting, not coincidentally, that the computer storage device acts as
a memory proxy.)


In each case we have the _implementation_


among other things


Please expand on other things




to let us down. #1 is up to the
user whereas #2 and #3 are up to the programmer.


I can think of a number of ways in which what you appear to be talking
about as something you have and something you are are as much under
control of the user as under control of the programmer.


Something you have and something you are have to be digitised, to 
produce a
token that can be used to prove your identity to a computer system. That 
is

part of the implementation.




Who do you trust ;)


I would prefer that we all learn to program.


I would prefer that no-one would try and break into my machines to be 
honest, but we

all know that is not going to happen any time soon.

Cheers


Iain







Archive: 
https://lists.debian.org/23baaf9183378cac13fcbef4f7762...@thargoid.co.uk



Re: Have I been hacked?

2015-01-12 Thread Chris Bannister
On Mon, Jan 12, 2015 at 09:19:58AM -0500, Jerry Stuckle wrote:
 On 1/12/2015 8:05 AM, i...@thargoid.co.uk wrote:
  
  Nope - I am pretty sure it is something I am, within the context of the
  above statement.
 
 
 A fingerprint is something you HAVE.  It is present on your body; it is
 NOT something you are.  You can leave a fingerprint on a glass, for
 instance, and it doesn't affect you at all.

Oh, come on! 
http://www.thefreedictionary.com/context

It is all about *who* you are, or claim to be.

https://danielmiessler.com/blog/security-identification-authentication-and-authorization/

-- 
If you're not careful, the newspapers will have you hating the people
who are being oppressed, and loving the people who are doing the 
oppressing. --- Malcolm X


Archive: https://lists.debian.org/20150112151008.GA2954@tal



Re: Have I been hacked?

2015-01-12 Thread Jerry Stuckle
On 1/12/2015 8:05 AM, i...@thargoid.co.uk wrote:
 
 While it is possible to enforce certain password policies (e.g. must use
 capital letters, numbers, symbols etc) these
 do not necessarily dictate a secure password. I guess if I know you
 phone number, if it is stored in my phone I have
 it as well. Someone steals my phone they now also know and have your
 number. If I do not add it to my phone, do I still
 have it?


No different than having a key on your notebook and having the notebook
stolen.

snip


 Knowledge is easier to duplicate than a physical item. You mentioned the
 ATM attack.

Incorrect.  Knowledge cannot be duplicated if there is no basis for that
knowledge.

For instance, it was not possible for archeologists to decipher ancient
Egyptian hieroglyphics before the discovery of the Rosetta Stone in 1799
- before this, there was no basis for knowledge of the language.

The same is true for passwords.  If you don't have a basis for knowledge
of the password's construction, it is impossible to duplicate that
password in any reasonable length of time.

For instance - let's see you duplicate the password to one of my
servers.  You won't be able to do it, because it's random and I don't
have it written down anywhere.  Even if you steal every one of my
computers, it won't help you at all, because it's not stored on any of
them.

 

 How do you define security?
 
 I don't need to. There is already a definition in English for this:
 
 http://dictionary.cambridge.org/dictionary/british/security

I happen to agree with Joel here.  I don't want to know the dictionary
definition - I want to know YOUR definition of security.

snip

 ) my fingerprint (being something I am)

 You sure it's not something you have?
 
 Nope - I am pretty sure it is something I am, within the context of the
 above statement.


A fingerprint is something you HAVE.  It is present on your body; it is
NOT something you are.  You can leave a fingerprint on a glass, for
instance, and it doesn't affect you at all.

Also, a fingerprint can be duplicated from anywhere you leave it.  Watch
some of the CSI or similar TV shows, for instance.  They take
fingerprints off of surfaces all the time.  And it's not much harder to
make a duplicate of the fingerprint which can be used to access a
system.  It's already been done multiple times with the new iPhone
fingerprint security.


 is more
 secure than a password.

 Unless someone chops your hand off to steal your BMW.
 
 Again - implementation. Is the hand warm? Is there a pulse?


Not part of the fingerprint - but again, these can be duplicated - a
latex glove with the fingerprint etched into it, for instance.


 Also, an ssh-key (being something I have

 Now there's an interesting assertion. It seems reasonable, if one
 accepts certain implicit, arbitrary boundaries between the three
 classes of tokens invoked above.

 -- seems reasonable --

 ) is more
 secure than a password.

 And, yet, it is no more secure than the user account on the machine in
 which it is stored.
 
 OK sure - but we are discussing how to authenticate to an account right?


We are discussing how to authenticate an account on another machine.  If
your key is on your machine, and I steal your machine, I can break the
passphrase your key uses.  It may take a while, but it will be a lot
faster than if that same passphrase were used as a password to your server.

 
 Something you have and something you are have to be digitised, to produce a
 token that can be used to prove your identity to a computer system. That is
 part of the implementation.


Everything you have mentioned is something I have.  I have knowledge
of a long, random password (not stored anywhere else).  I have a key
stored on my computer (protected by a password).  I have a fingerprint.

And the security of these three items are in DESCENDING order.

Jerry


Archive: https://lists.debian.org/54b3d80e.3060...@gmail.com
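The work-factor arithmetic behind Gene's "62 times as difficult per character" and his silently truncating bank, Danny's username question, and Jerry's offline-versus-online point, as an added example that is not code from any poster; the online and offline guess rates are assumptions chosen to match the lockout behaviour Gene describes and a fast offline hash.

```python
"""Guessing work factor for the password arguments in this thread.
Constructed example; guess rates are assumptions, not thread figures."""

import math

ALPHABET = 62  # a-z, A-Z, 0-9: the "62 times per character" in the thread

# Assumed guess rates in guesses per second.
ONLINE_RATE = 3 / 86400   # 3 failures then a day-long lockout, as Gene describes
OFFLINE_RATE = 1e9        # assumption: fast hash on GPU-class hardware (Jerry's
                          # stolen-laptop case, where no server rate-limits you)


def keyspace(length, alphabet=ALPHABET):
    """Distinct passwords of exactly `length` characters over `alphabet`."""
    return alphabet ** length


def entropy_bits(length, alphabet=ALPHABET):
    """Guessing entropy in bits of a uniformly random password."""
    return length * math.log2(alphabet)


def effective_length(submitted_length, silent_limit=None):
    """A site that silently clips the password (Gene's 12-character bank)
    only ever stores and checks the first `silent_limit` characters, so the
    extra characters add nothing to the work factor."""
    if silent_limit is None:
        return submitted_length
    return min(submitted_length, silent_limit)


def guesses_needed(password_length, username_length=0,
                   username_secret=False, alphabet=ALPHABET):
    """Expected guesses to hit one credential (half the space on average).

    Danny's question: does a 10-character username double the work?  A
    username the attacker already knows (Brian: usernames identify, they are
    normally public) multiplies the space by 1.  Only a genuinely secret
    username adds anything, and then it multiplies by alphabet**len, not 2.
    """
    space = keyspace(password_length, alphabet)
    if username_secret:
        space *= keyspace(username_length, alphabet)
    return space // 2  # 62**n is even, so this is exact


def expected_seconds(password_length, rate, **kw):
    """Expected seconds at `rate` guesses per second."""
    return guesses_needed(password_length, **kw) / rate


def compare(password_length, silent_limit=None):
    """(online_seconds, offline_seconds) for the length the server really checks."""
    eff = effective_length(password_length, silent_limit)
    return (expected_seconds(eff, ONLINE_RATE),
            expected_seconds(eff, OFFLINE_RATE))


def human(seconds):
    """Rough human-readable duration for the table below."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("min", 60)):
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.3g} s"


if __name__ == "__main__":
    print("len  bits   online (rate-limited)   offline (stolen key file)")
    for n in (8, 10, 12, 18, 24):
        on, off = compare(n)
        print(f"{n:3d} {entropy_bits(n):6.1f}   {human(on):>20}   {human(off):>20}")
    on, off = compare(24, silent_limit=12)
    print(f"24 chars silently clipped to 12: offline {human(off)} "
          f"(same as a 12-char password)")
    print("secret 10-char username on top of a 10-char password multiplies "
          f"the space by {keyspace(10):,}, a known one by 1")
```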



Re: Have I been hacked?

2015-01-12 Thread Darac Marjal
On Mon, Jan 12, 2015 at 09:18:10AM +, Joe wrote:
 On Mon, 12 Jan 2015 17:24:41 +0900
 Joel Rees joel.r...@gmail.com wrote:
 
 
  The only truly secure computer is the one that you wrote all the OS
  and application code for.
 
 *And* the compiler(s) and the rest of the build toolchain... *and* the
 BIOS, *and* the code for any network hardware you use...*and* the
 firmware of all of your hardware...

Actually, I disagree with this.

If I were to write all the OS and application code for my computer, and
all that other stuff, I would actually expect it to be LESS secure than
it currently is. Mostly because I don't know what I'm doing. And I
*REALLY* don't want to have to sit my parents down at a completely dead
computer and say Happy Christmas. You'll have to start writing code to
bootstrap this computer I got you. You might need to start with writing
an editor... somehow. Actually, where DO you start with that task?

OK, I could get people to review it, apply fixes but if the reason I'm
writing this all myself is because I don't trust other people, then why
would I trust their judgement?

No, the better solution is what we already have. The OS, the application
code, the build toolchain, the BIOS, the hardware firmware etc etc,
should be written by the people who know about these things. The code
should then be made available for peer review along with methods to
confirm that what's loaded onto the computer is what was reviewed.

Personally, I don't mind if a company says the BIOS will only accept a
firmware update signed by our key if they also timely update that
firmware with community patches. Open source doesn't really *have* to
mean anyone can modify the code. Anyone can suggest modifications,
which the original developers will approve/deny should be an acceptable
step.

 
 -- 
 Joe
 
 
 




Re: Have I been hacked?

2015-01-12 Thread ken

On 01/12/2015 04:18 AM, Joe wrote:

On Mon, 12 Jan 2015 17:24:41 +0900
Joel Reesjoel.r...@gmail.com  wrote:



The only truly secure computer is the one that you wrote all the OS
and application code for.

*And*  the compiler(s) and the rest of the build toolchain...*and*  the
BIOS,*and*  the code for any network hardware you use...*and*  the
firmware of all of your hardware...

-- Joe


Good point, Joe.  I'd add that, because IC chips contain code too, we'd 
also need to build quite a lot of our own hardware.




Archive: https://lists.debian.org/54b3acca.3020...@mousecar.com



Fwd: Re: Have I been hacked?

2015-01-12 Thread iain

Forwarding to the list as I seemed to have managed to leave it off.
Apologies.




Knowledge is easier to duplicate than a physical item. You mentioned 
the

ATM attack.


Incorrect.  Knowledge cannot be duplicated if there is no basis for 
that

knowledge.

For instance, it was not possible for archeologists to decipher ancient
Egyptian hieroglyphics before the discovery of the Rosetta Stone in 
1799

- before this, there was no basis for knowledge of the language.


Really? Are you honestly saying that because they did not know what the
hieroglyphics  meant, they were unable to copy them?


The same is true for passwords.  If you don't have a basis for 
knowledge

of the password's construction, it is impossible to duplicate that
password in any reasonable length of time.

For instance - let's see you duplicate the password to one of my
servers.  You won't be able to do it, because it's random and I don't
have it written down anywhere.  Even if you steal every one of my
computers, it won't help you at all, because it's not stored on any of
them.


What if I stand over your shoulder with a video camera and video you 
typing? Or

indeed install a keylogger on your machine?

You seem to be confusing duplicate with understand, or maybe you are 
just confusing me :)








How do you define security?


I don't need to. There is already a definition in English for this:

http://dictionary.cambridge.org/dictionary/british/security


I happen to agree with Joel here.  I don't want to know the dictionary
definition - I want to know YOUR definition of security.



Semantics is a boring argument. If you wish, tell me yours and I will 
tell you mine (oooh err missus ;)




snip


) my fingerprint (being something I am)


You sure it's not something you have?


Nope - I am pretty sure it is something I am, within the context of 
the

above statement.



A fingerprint is something you HAVE.  It is present on your body; it is
NOT something you are.  You can leave a fingerprint on a glass, for
instance, and it doesn't affect you at all.


Jerry - just cos you shout does not mean you are more RIGHT.

Again, within the context of the above statement it is. You may 
disagree. Fair enough.

snip




is more
secure than a password.


Unless someone chops your hand off to steal your BMW.


Again - implementation. Is the hand warm? Is there a pulse?



Not part of the fingerprint - but again, these can be duplicated - a
latex glove with the fingerprint etched into it, for instance.


May or may not work, depending on the implementation.

Also, an ssh-key (being something I have


Now there's an interesting assertion. It seems reasonable, if one
accepts certain implicit, arbitrary boundaries between the three
classes of tokens invoked above.

-- seems reasonable --


) is more
secure than a password.


And, yet, it is no more secure than the user account on the machine in
which it is stored.


OK sure - but we are discussing how to authenticate to an account right?




We are discussing how to authenticate an account on another machine.  If
your key is on your machine, and I steal your machine, I can break the
passphrase your key uses.  It may take a while, but it will be a lot
faster than if that same passphrase were used as a password to your
server.


Is this due to being limited over the network for the number of tries?
What if I delete the key on the server when my machine is stolen? What if
I generate new keys every week?

Something you have and something you are have to be digitised, to
produce a token that can be used to prove your identity to a computer
system. That is part of the implementation.



Everything you have mentioned is something I have.  I have knowledge
of a long, random password (not stored anywhere else).  I have a key
stored on my computer (protected by a password).  I have a fingerprint.




In your opinion. Not in mine (within the context of this discussion)


And the security of these three items are in DESCENDING order.


In your opinion. Again, shouting does not make you right.

Iain



Jerry



--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Archive: 
https://lists.debian.org/2711d91488cf15ad4c87653734c35...@thargoid.co.uk



Re: Fwd: Re: Have I been hacked?

2015-01-12 Thread Ric Moore

On 01/12/2015 11:50 AM, Jerry Stuckle wrote:



You should learn from some REAL security experts, not the internet.


Like who? There are compromises all over the net, with consumer security 
files lying in the open like gutted bleeding fish. I don't think anyone 
is a REAL security expert, except the ones breaking in. Any advances 
we have now are the result of closing the barn doors after the cow got out. I 
guess we owe the BlackHats that much. :/ Ric




--
My father, Victor Moore (Vic) used to say:
There are two Great Sins in the world...
..the Sin of Ignorance, and the Sin of Stupidity.
Only the former may be overcome. R.I.P. Dad.
Linux user# 44256



Archive: https://lists.debian.org/54b428aa.7060...@gmail.com



Re: Have I been hacked?

2015-01-12 Thread Brian
On Sun 11 Jan 2015 at 16:43:34 -0700, Bob Proulx wrote:

 Brian wrote:
  Bob Proulx wrote:
   Complete agreement.  I want to go further and say that a password that
   you can remember without needing to write it down is probably not a
   good password.
  
  Security of an ssh login is aimed at allowing access to some but denying
  it to others. An authorised user who cannot remember his 20 character
  password has experienced a security failure.
 
 Security is the part of the system designed to make it not only hard
 to use but the design goal is to prevent it from being used.

Seeing that my argument that enforcing (if it is possible) an
unmemorable password is not in the best interests of security doesn't
gain any traction, let me try a different tack.

The password

  TwasBrilligAndTheSlithyToves

strikes me as a pretty good one for an ssh login. (I have capitalised
some letters for readability, not to add complexity). Personally, I find
it easy to remember and associate with ssh and my account. I cannot see
why it is not a good password for me.

The automated probes wouldn't get close to cracking it. The danger might
be a directed attack - from friends, associates, colleagues etc. If they
knew about my fixation on Lewis Carroll they might have a go at breaking
in.

Actually, it would be ok as a password for banking access too. There
surely cannot be a banking site which does not take action after a
number of failed logins. Maybe not using fail2ban, but a similar
approach which protects both parties.
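The "action after a number of failed logins" that the post relies on is what a fail2ban-style sshd jail does: count failures per source address inside a time window and ban once a threshold is hit. The following is an added example (not the thread's code and not fail2ban's own) that models that logic over constructed sshd log lines; the year and the maxretry/findtime values are assumptions, and the IP addresses are documentation-range placeholders.

```python
"""Sliding-window detection of repeated failed SSH logins per source IP.

Added example: a minimal model of a fail2ban-style sshd jail that counts
'maxretry' failures from one address within 'findtime' seconds. Not the
thread's code and not fail2ban's implementation.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH's password-failure line in syslog format (no year in the timestamp).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log (documentation IP ranges, not a real capture).
SAMPLE_LOG = """\
Jan 12 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Jan 12 10:00:03 host sshd[1002]: Failed password for root from 203.0.113.7 port 51530 ssh2
Jan 12 10:00:05 host sshd[1003]: Failed password for invalid user oracle from 203.0.113.7 port 51540 ssh2
Jan 12 10:00:06 host sshd[1004]: Accepted publickey for iain from 198.51.100.2 port 40000 ssh2: RSA SHA256:placeholder
Jan 12 10:00:08 host sshd[1005]: Failed password for invalid user test from 203.0.113.7 port 51550 ssh2
Jan 12 10:00:10 host sshd[1006]: Failed password for brian from 198.51.100.2 port 40010 ssh2
Jan 12 10:00:12 host sshd[1007]: Failed password for invalid user guest from 203.0.113.7 port 51560 ssh2
Jan 12 10:20:00 host sshd[1008]: Failed password for brian from 198.51.100.2 port 40020 ssh2
"""


def parse_failures(log_text, year=2015):
    """Yield (timestamp, ip, user) for every failed-password line; other lines are skipped."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m is None:
            continue
        # syslog timestamps carry no year, so one is assumed (2015, the thread's date).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def find_bans(log_text, maxretry=5, findtime=600, year=2015):
    """Return {ip: time_of_ban} for sources that reach maxretry failures
    inside any findtime-second window (fail2ban's default sshd policy)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    bans = {}
    for ts, ip, _user in parse_failures(log_text, year):
        if ip in bans:
            continue              # fail2ban would already be dropping this source
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # expire failures older than findtime
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans


if __name__ == "__main__":
    # The probing address trips the default policy; the legitimate user's two
    # typos twenty minutes apart do not.
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when.isoformat()}")
```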


Archive: 
https://lists.debian.org/12012015193541.dea84e875...@desktop.copernicus.demon.co.uk



Re: Fwd: Re: Have I been hacked?

2015-01-12 Thread Iain M Conochie


On 12/01/15 16:50, Jerry Stuckle wrote:

On 1/12/2015 11:36 AM, i...@thargoid.co.uk wrote:

Forwarding to the list as I seemed to have managed to leave it off.
Apologies.



Knowledge is easier to duplicate than a physical item. You mentioned the
ATM attack.

Incorrect.  Knowledge cannot be duplicated if there is no basis for that
knowledge.

For instance, it was not possible for archeologists to decipher ancient
Egyptian hieroglyphics before the discovery of the Rosetta Stone in 1799
- before this, there was no basis for knowledge of the language.

Really? Are you honestly saying that because they did not know what the
hieroglyphics meant, they were unable to copy them?

They were unable to decipher them.  It has nothing to do with copying.


Since when is duplication not copying?

snip



I happen to agree with Joel here.  I don't want to know the dictionary
definition - I want to know YOUR definition of security.


Semantics is a boring argument. If you wish, tell me yours and I will
tell you mine (oooh err missus ;)


You were asked first.  How about putting up?

Not playing that game. Joel wanted a definition, I gave a definition that 
apparently was not good enough for you. Tough!





snip


) my fingerprint (being something I am)

You sure it's not something you have?

Nope - I am pretty sure it is something I am, within the context of the
above statement.


A fingerprint is something you HAVE.  It is present on your body; it is
NOT something you are.  You can leave a fingerprint on a glass, for
instance, and it doesn't affect you at all.

Jerry - just cos you shout does not mean you are more RIGHT.


And repeating something ad nauseam doesn't make you right.

Very true.




Again, within the context of the above statement it is. You may
disagree. Fair enough.
snip


You need to learn the difference between is and has.  They are two
entirely different concepts, but you seem to have them mixed up.

Not really.

I can understand you not wanting to accept that, say, your iris scan is 
something you are. Surely your eye (and all its unique properties) is 
something you have. I have 2 eyes. How can it be something I am?


From the point of view of authentication, this is something you are 
because it is unique to you. Get it now?



is more
secure than a password.

Unless someone chops your hand off to steal your BMW.

Again - implementation. Is the hand warm? Is there a pulse?


Not part of the fingerprint - but again, these can be duplicated - a
latex glove with the fingerprint etched into it, for instance.

May or may not work, depending on the implementation.


It has been proven to work.  That's one reason fingerprints alone are
not used for government security.


If you think I meant that fingerprints alone are more secure than a 
password, then of course this is not the case. As well, fingerprints are 
an _example_ of something you are. Oh, and we all know how secure 
governments are



Also, an ssh-key (being something I have

Now there's an interesting assertion. It seems reasonable, if one
accepts certain implicit, arbitrary boundaries between the three
classes of tokens invoked above.

-- seems reasonable --


) is more
secure than a password.

And, yet, it is no more secure than the user account on the machine in
which it is stored.

OK sure - but we are discussing how to authenticate to an account right?


We are discussing how to authenticate an account on another machine.  If
your key is on your machine, and I steal your machine, I can break the
passphrase your key uses.  It may take a while, but it will be a lot
faster than if that same passphrase were used as a password to your
server.

Is this due to being limited over the network for the number of tries?
What if I delete
the key on the server when my machine is stolen? What if I generate new
keys every week?


It is so easy for me to prevent that it isn't even funny.  All I need to
do is copy the keyfile (or indeed, the entire disk) to another machine.
In fact, that's what I'll probably do, anyway.  That way I can access
all of your data without even booting your machine.

Jolly good. The public key from which you have the private key and are 
hacking away on to break the passphrase has been removed from all 
machines. It is now completely useless to you.


Of course, if your disk is encrypted, that becomes another problem.  But
then you have to use a password to decrypt the disk...

Or a fingerprint ;)



Something you have and something you are have to be digitised, to
produce a
token that can be used to prove your identity to a computer system.
That is
part of the implementation.


Everything you have mentioned is something I have.  I have knowledge
of a long, random password (not stored anywhere else).  I have a key
stored on my computer (protected by a password).  I have a fingerprint.


In your opinion. Not in mine (within the context of this discussion)


You seem to have difficulty in understanding have versus is.
Not 

Re: Have I been hacked?

2015-01-12 Thread Iain M Conochie


On 12/01/15 16:41, Jerry Stuckle wrote:

On 1/12/2015 10:10 AM, Chris Bannister wrote:

snip
Oh, come on!
http://www.thefreedictionary.com/context

It is all about *who* you are, or claim to be.

https://danielmiessler.com/blog/security-identification-authentication-and-authorization/


You have completely missed the point, Chris.

And don't believe every blog you read on the internet.

Pot, kettle, black

In fact this blog pretty much describes what I am talking about. Seems 
to be falling on deaf ears though


Jerry






Archive: https://lists.debian.org/54b42f25.4000...@thargoid.co.uk



Re: Have I been hacked?

2015-01-12 Thread Ric Moore

On 01/12/2015 02:47 AM, Joel Rees wrote:

On Sun, Jan 11, 2015 at 4:37 AM, Ric Moore wayward4...@gmail.com wrote:

You all may wish to read this, from ars technica:
http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/1/

Very interesting. So interesting that I downloaded cudahashcat. I have 96
cuda cores, and it was running the sample program quickly as it tore into 6
char / 2 numeral passwd combinations. :) Ric


Good for you.

That article did a much better job of talking about cracking
passwords/passcodes/passphrases than my ramble did.


p/s for the sake of $deity, please TRIM these posts!!


Heh.

Still trying to figure out how I pasted that post into the middle of
the post. I was dozing off, I'm sure that had something to do with it.


I humbly apologize to you as that rant was directed at ALL who let the 
thread be untrimmed, not you solely. :) Ric






Archive: https://lists.debian.org/54b43230.2060...@gmail.com



Re: Have I been hacked?

2015-01-12 Thread Joel Rees
2015/01/13 5:45 Ric Moore wayward4...@gmail.com:

 On 01/12/2015 02:47 AM, Joel Rees wrote:

 On Sun, Jan 11, 2015 at 4:37 AM, Ric Moore wayward4...@gmail.com wrote:

 You all may wish to read this, from ars technica:

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/1/

 Very interesting. So interesting that I downloaded cudahashcat. I have
96
 cuda cores, and it was running the sample program quickly as it tore
into 6
 char / 2 numeral passwd combinations. :) Ric


 Good for you.

 That article did a much better job of talking about cracking
 passwords/passcodes/passphrases than my ramble did.

 p/s for the sake of $deity, please TRIM these posts!!


 Heh.

 Still trying to figure out how I pasted that post into the middle of
 the post. I was dozing off, I'm sure that had something to do with it.


 I humbly apologize to you as that rant was directed at ALL who let the
thread be untrimmed, not you solely. :) Ric


No problem. I was just taking the opportunity to attempt to apologize to
the list for failing to catch that before I posted it. I'm sure the attempt
at sleep-recursing didn't make the ramble more comprehensible.

Heh. Unfortunately, I'm not sure it makes it less comprehensible. :/

Security, with all that we conflate onto it, is a hard concept to pin down.

Joel Rees

Computer memory is just fancy paper,
CPUs just fancy pens.
All is a stream of text
flowing from the past into the future.


Re: Fwd: Re: Have I been hacked?

2015-01-12 Thread Joel Rees
2015/01/13 5:04 Ric Moore wayward4...@gmail.com:

 On 01/12/2015 11:50 AM, Jerry Stuckle wrote:


 You should learn from some REAL security experts, not the internet.


 Like who? There are compromises all over the net, with consumer security
files lying in the open like gutted bleeding fish. I don't think anyone is
a REAL security expert, except the ones breaking in. Any advances we have
now are the result of closing the barn doors after the cow got out. I guess we
owe the BlackHats that much. :/ Ric


Can I read you as saying that the black hats may be the closest thing to
security experts that we have?

I was thinking I agree.

But I also think we are letting them define security.

I keep forgetting that I don't like the definitions they seem to want to
impose on us.

Joel Rees


Re: Have I been hacked?

2015-01-12 Thread Jerry Stuckle
On 1/12/2015 10:10 AM, Chris Bannister wrote:
 On Mon, Jan 12, 2015 at 09:19:58AM -0500, Jerry Stuckle wrote:
 On 1/12/2015 8:05 AM, i...@thargoid.co.uk wrote:

 Nope - I am pretty sure it is something I am, within the context of the
 above statement.


 A fingerprint is something you HAVE.  It is present on your body; it is
 NOT something you are.  You can leave a fingerprint on a glass, for
 instance, and it doesn't affect you at all.
 
 Oh, come on! 
 http://www.thefreedictionary.com/context
 
 It is all about *who* you are, or claim to be.
 
 https://danielmiessler.com/blog/security-identification-authentication-and-authorization/
 

You have completely missed the point, Chris.

And don't believe every blog you read on the internet.

Jerry


Archive: https://lists.debian.org/54b3f931.8050...@gmail.com



Re: Fwd: Re: Have I been hacked?

2015-01-12 Thread Jerry Stuckle
On 1/12/2015 11:36 AM, i...@thargoid.co.uk wrote:
 Forwarding to the list as I seemed to have managed to leave it off.
 Apologies.
 
 

 Knowledge is easier to duplicate than a physical item. You mentioned the
 ATM attack.

 Incorrect.  Knowledge cannot be duplicated if there is no basis for that
 knowledge.

 For instance, it was not possible for archeologists to decipher ancient
 Egyptian hieroglyphics before the discovery of the Rosetta Stone in 1799
 - before this, there was no basis for knowledge of the language.
 
 Really? Are you honestly saying that because they did not know what the
 hieroglyphics meant, they were unable to copy them?

They were unable to decipher them.  It has nothing to do with copying.


 The same is true for passwords.  If you don't have a basis for knowledge
 of the password's construction, it is impossible to duplicate that
 password in any reasonable length of time.

 For instance - let's see you duplicate the password to one of my
 servers.  You won't be able to do it, because it's random and I don't
 have it written down anywhere.  Even if you steal every one of my
 computers, it won't help you at all, because it's not stored on any of
 them.
 
 What if I stand over your shoulder with a video camera and video you
 typing? Or

I would shoot you.

 indeed install a keylogger on your machine?


You'd first have to compromise my machine.  And that you can't do.


 You seem to be confusing duplicate with understand, or maybe you are
 just confusing me :)
 



 How do you define security?

 I don't need to. There is already a definition in English for this:

 http://dictionary.cambridge.org/dictionary/british/security

 I happen to agree with Joel here.  I don't want to know the dictionary
 definition - I want to know YOUR definition of security.

 
 Semantics is a boring argument. If you wish, tell me yours and I will
 tell you mine (oooh err missus ;)
 

You were asked first.  How about putting up?

 
 snip

 ) my fingerprint (being something I am)

 You sure it's not something you have?

 Nope - I am pretty sure it is something I am, within the context of the
 above statement.


 A fingerprint is something you HAVE.  It is present on your body; it is
 NOT something you are.  You can leave a fingerprint on a glass, for
 instance, and it doesn't affect you at all.
 
 Jerry - just cos you shout does not mean you are more RIGHT.
 

And repeating something ad nauseam doesn't make you right.

 Again, within the context of the above statement it is. You may
 disagree. Fair enough.
 snip
 

You need to learn the difference between is and has.  They are two
entirely different concepts, but you seem to have them mixed up.


 is more
 secure than a password.

 Unless someone chops your hand off to steal your BMW.

 Again - implementation. Is the hand warm? Is there a pulse?


 Not part of the fingerprint - but again, these can be duplicated - a
 latex glove with the fingerprint etched into it, for instance.
 
 May or may not work, depending on the implementation.
 

It has been proven to work.  That's one reason fingerprints alone are
not used for government security.



 Also, an ssh-key (being something I have

 Now there's an interesting assertion. It seems reasonable, if one
 accepts certain implicit, arbitrary boundaries between the three
 classes of tokens invoked above.

 -- seems reasonable --

 ) is more
 secure than a password.

 And, yet, it is no more secure than the user account on the machine in
 which it is stored.

 OK sure - but we are discussing how to authenticate to an account right?


 We are discussing how to authenticate an account on another machine.  If
 your key is on your machine, and I steal your machine, I can break the
 passphrase your key uses.  It may take a while, but it will be a lot
 faster than if that same passphrase were used as a password to your
 server.
 
 Is this due to being limited over the network for the number of tries?
 What if I delete
 the key on the server when my machine is stolen? What if I generate new
 keys every week?
 

It is so easy for me to prevent that it isn't even funny.  All I need to
do is copy the keyfile (or indeed, the entire disk) to another machine.
 In fact, that's what I'll probably do, anyway.  That way I can access
all of your data without even booting your machine.

Of course, if your disk is encrypted, that becomes another problem.  But
then you have to use a password to decrypt the disk...



 Something you have and something you are have to be digitised, to
 produce a
 token that can be used to prove your identity to a computer system.
 That is
 part of the implementation.


 Everything you have mentioned is something I have.  I have knowledge
 of a long, random password (not stored anywhere else).  I have a key
 stored on my computer (protected by a password).  I have a fingerprint.

 
 In your opinion. Not in mine (within the context of this discussion)
 

You seem to have difficulty in understanding have 

Re: Have I been hacked?

2015-01-11 Thread Brian
On Sat 10 Jan 2015 at 15:27:15 -0700, Bob Proulx wrote:

 scott wrote:
  Jerry Stuckle wrote:
   Actually, 62 possible characters (upper case, lower case and digits), 10
   positions is 62^10 or 839,299,365,868,340,224 possible combinations.
   
   Adding in special characters obviously would increase that.
   
   But there is no way you'll hit a server 1,000,000 times a second trying
   to brute force a password.
 
 Complete agreement.  I want to go further and say that a password that
 you can remember without needing to write it down is probably not a
 good password.

Security of an ssh login is aimed at allowing access to some but denying
it to others. An authorised user who cannot remember his 20 character
password has experienced a security failure.
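The figures quoted above (62 characters over 10 positions, and the observation that nobody hits a server a million times a second) are the crux of the online-versus-offline argument running through this thread. The following added example (not the thread's code) works those numbers through: it computes keyspace and entropy, the average cracking time at the thread's 1,000,000 guesses per second, and the same time once a fail2ban-style ban throttles one source address. The maxretry/bantime values and the simplified throttle model are assumptions.

```python
"""Expected cost of guessing a uniformly random password, online vs offline.

Added example, not from the thread. Reproduces the thread's figures
(62 characters, 10 positions, 1,000,000 guesses per second) and then
applies a fail2ban-style throttle to show why the online guess rate,
not the keyspace alone, is what the thread is really arguing about.
"""
import math

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(charset_size, length):
    """Number of possible passwords of exactly `length` characters."""
    return charset_size ** length


def entropy_bits(charset_size, length):
    """Bits of entropy of a password drawn uniformly from the keyspace."""
    return length * math.log2(charset_size)


def min_length_for_bits(charset_size, target_bits):
    """Shortest length whose uniform keyspace reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(charset_size))


def throttled_rate(maxretry, bantime):
    """Sustained guesses per second available to ONE source address under a
    fail2ban-like policy that bans after maxretry failures for bantime seconds.
    Simplifying assumption: the attacker spends maxretry guesses, is banned,
    waits out the ban and repeats, so each cycle lasts about bantime seconds."""
    return maxretry / bantime


def expected_years(charset_size, length, guesses_per_second):
    """Average time to hit a uniformly random password: half the keyspace."""
    expected_guesses = keyspace(charset_size, length) / 2
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def compare(charset_size=62, length=10, offline_rate=1_000_000,
            maxretry=5, bantime=600):
    """Summarise offline vs throttled-online expected cracking time.
    Defaults are the thread's figures plus an assumed 5-tries/10-minute ban."""
    online_rate = throttled_rate(maxretry, bantime)
    return {
        "keyspace": keyspace(charset_size, length),
        "bits": entropy_bits(charset_size, length),
        "offline_years": expected_years(charset_size, length, offline_rate),
        "online_years": expected_years(charset_size, length, online_rate),
        "online_slowdown": offline_rate / online_rate,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
    # Reverse question: how long must a lowercase-only password be for 60 bits?
    print("lowercase length for 60 bits:", min_length_for_bits(26, 60))
```

The point the numbers make is that the throttle, not the character set, is what separates the two cases: the same 10-character password that falls to an unthrottled offline search in about thirteen thousand years on average is pushed out by a factor of more than a hundred million once only one source address is allowed five tries per ten minutes.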


Archive: 
https://lists.debian.org/11012015175351.d973d8849...@desktop.copernicus.demon.co.uk



Re: Have I been hacked?

2015-01-11 Thread Iain M Conochie


On 11/01/15 23:18, Brian wrote:

On Sun 11 Jan 2015 at 22:32:39 +, Iain M Conochie wrote:


On 10/01/15 20:31, Brian wrote:

By all means advocate and use ssh keys. But at least provide some
substantial reason for spurning password login for that particular
situation. A blanket don't use passwords or keys are better
doesn't cut it.

There are 3 (current) factors in authentication:

1. What the user knows
2. What the user has
3. What the user is

These increase in security as you go higher up the number. So
(assuming the implementation is secure) my fingerprint (being
something I am) is more secure than a password. Also, an ssh-key
(being something I have) is more secure than a password.

Both a password and a key is something the user is in possession of.

Think pin and  bank card. Both you are in possession of. Only one you know.

Perhaps this will explain:

http://en.wikipedia.org/wiki/Multi-factor_authentication

A fingerprint (a key, I suppose) is no more me than a password. I
may be being dense but I am having difficulties in following your
argument and the distinctions you are trying to make.

Dense is one of the last things you are, Brian.
  

In each case we have the _implementation_ to let us down. #1 is up
to the user whereas #2 and #3 are up to the programmer. Who do you
trust ;)

Sorry, I do not follow this either.
As I see it, the ability of a computer to reduce an individual to a 
_unique_ blob[1] is what we are trying to achieve here. Think the hash 
of a password.


[1] A length of arbitrary bytes.

Cheers

Iain



Archive: https://lists.debian.org/54b3092e.3070...@thargoid.co.uk



Re: Have I been hacked?

2015-01-11 Thread Brian
On Sun 11 Jan 2015 at 22:32:39 +, Iain M Conochie wrote:

 On 10/01/15 20:31, Brian wrote:
 By all means advocate and use ssh keys. But at least provide some
 substantial reason for spurning password login for that particular
 situation. A blanket don't use passwords or keys are better
 doesn't cut it.
 
 There are 3 (current) factors in authentication:
 
 1. What the user knows
 2. What the user has
 3. What the user is
 
 These increase in security as you go higher up the number. So
 (assuming the implementation is secure) my fingerprint (being
 something I am) is more secure than a password. Also, an ssh-key
 (being something I have) is more secure than a password.

Both a password and a key is something the user is in possession of.
A fingerprint (a key, I suppose) is no more me than a password. I
may be being dense but I am having difficulties in following your
argument and the distinctions you are trying to make.
 
 In each case we have the _implementation_ to let us down. #1 is up
 to the user whereas #2 and #3 are up to the programmer. Who do you
 trust ;)

Sorry, I do not follow this either.


Archive: 
https://lists.debian.org/11012015230609.01a9ffe85...@desktop.copernicus.demon.co.uk



Re: Have I been hacked?

2015-01-11 Thread Bob Proulx
Iain M Conochie wrote:
 These increase in security as you go higher up the number. So (assuming the
 implementation is secure) my fingerprint (being something I am) is more
 secure than a password. Also, an ssh-key (being something I have) is more
 secure than a password.

Concerning fingerprints and other biometrics for security...

  I am sorry to disclose that our site had a security breach.
  Please change your fingerprints to a new secure fingerprint before
  using the site.

Hmm...  I think I would much rather change my password.

Bob




Re: Have I been hacked?

2015-01-11 Thread Iain M Conochie


On 11/01/15 23:47, Bob Proulx wrote:

Iain M Conochie wrote:

These increase in security as you go higher up the number. So (assuming the
implementation is secure) my fingerprint (being something I am) is more
secure than a password. Also, an ssh-key (being something I have) is more
secure than a password.

Concerning fingerprints and other biometrics for security...

   I am sorry to disclose that our site had a security breach.
   Please change your fingerprints to a new secure fingerprint before
   using the site.

Hmm...  I think I would much rather change my password.

Bob
Hence assuming the implementation is secure. When you use more secure 
authentication factors, the ability of the remote system to keep them 
secure needs to be higher. In other words, you have to _trust_ the 
remote site to be able to keep your unique data secure.


Iain



Archive: https://lists.debian.org/54b30d13.3080...@thargoid.co.uk



Re: Have I been hacked?

2015-01-11 Thread Iain M Conochie


On 10/01/15 20:31, Brian wrote:
By all means advocate and use ssh keys. But at least provide some 
substantial reason for spurning password login for that particular 
situation. A blanket don't use passwords or keys are better 
doesn't cut it. 


There are 3 (current) factors in authentication:

1. What the user knows
2. What the user has
3. What the user is

These increase in security as you go higher up the number. So (assuming 
the implementation is secure) my fingerprint (being something I am) is 
more secure than a password. Also, an ssh-key (being something I have) 
is more secure than a password.


In each case we have the _implementation_ to let us down. #1 is up to 
the user whereas #2 and #3 are up to the programmer. Who do you trust ;)


Iain



Archive: https://lists.debian.org/54b2fa07.80...@thargoid.co.uk



Re: Have I been hacked?

2015-01-11 Thread Bob Proulx
Brian wrote:
 Bob Proulx wrote:
  Complete agreement.  I want to go further and say that a password that
  you can remember without needing to write it down is probably not a
  good password.
 
 Security of an ssh login is aimed at allowing access to some but denying
 it to others. An authorised user who cannot remember his 20 character
 password has experienced a security failure.

Security is the part of the system designed to make it not only hard
to use but the design goal is to prevent it from being used.

Bob




Re: Have I been hacked?

2015-01-11 Thread Ric Moore

On 01/11/2015 06:47 PM, Bob Proulx wrote:

Iain M Conochie wrote:

These increase in security as you go higher up the number. So (assuming the
implementation is secure) my fingerprint (being something I am) is more
secure than a password. Also, an ssh-key (being something I have) is more
secure than a password.


Concerning fingerprints and other biometrics for security...

   I am sorry to disclose that our site had a security breach.
   Please change your fingerprints to a new secure fingerprint before
   using the site.

Hmm...  I think I would much rather change my password.


If you don't wear gloves, you leave your fingerprints all over the 
place. And, as you mention, you can't change them. :) Ric






Archive: https://lists.debian.org/54b36300.3090...@gmail.com



Re: Have I been hacked?

2015-01-11 Thread Joel Rees
On Sun, Jan 11, 2015 at 4:37 AM, Ric Moore wayward4...@gmail.com wrote:
 You all may wish to read this, from ars technica:
 http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/1/

 Very interesting. So interesting that I downloaded cudahashcat. I have 96
 cuda cores, and it was running the sample program quickly as it tore into 6
 char / 2 numeral passwd combinations. :) Ric

Good for you.

That article did a much better job of talking about cracking
passwords/passcodes/passphrases than my ramble did.

 p/s for the sake of $deity, please TRIM these posts!!

Heh.

Still trying to figure out how I pasted that post into the middle of
the post. I was dozing off, I'm sure that had something to do with it.
:-/

-- 
Joel Rees

Taking a nap is not a good time to practice recursion.


Archive: 
https://lists.debian.org/caar43ipcdjqr4mugvm81s_anpk26cmrsgh8x3rndkkqdopa...@mail.gmail.com



Re: Have I been hacked?

2015-01-11 Thread Doug

On 01/12/2015 01:00 AM, Ric Moore wrote:

On 01/11/2015 06:47 PM, Bob Proulx wrote:

Iain M Conochie wrote:

These increase in security as you go higher up the number. So (assuming the
implementation is secure) my fingerprint (being something I am) is more
secure than a password. Also, an ssh-key (being something I have) is more
secure than a password.


Concerning fingerprints and other biometrics for security...

   I am sorry to disclose that our site had a security breach.
   Please change your fingerprints to a new secure fingerprint before
   using the site.

Hmm...  I think I would much rather change my password.


If you don't wear gloves, you leave your fingerprints all over the place. And, 
as you mention, you can't change them. :) Ric



Interestingly, a few years ago I took out a joint deposit box account with my daughter.
The bank--a credit union--uses fingerprints--but not ours. Neither of us could get
their machine to record our fingerprints! And no, neither of us is a safecracker!

--doug



Archive: https://lists.debian.org/54b36d8b.4090...@optonline.net



Re: Have I been hacked?

2015-01-10 Thread Joel Rees
On Sat, Jan 10, 2015 at 12:24 PM, scott redhowlingwol...@gmx.com wrote:
 On 01/09/2015 09:19 PM, Jerry Stuckle wrote:
 On 1/9/2015 8:49 PM, Joel Rees wrote:
 On Fri, Jan 9, 2015 at 6:25 PM, Martin Steigerwald mar...@lichtvoll.de 
 wrote:
 Am Freitag, 9. Januar 2015, 00:24:06 schrieb Brian:
 On Thu 08 Jan 2015 at 22:36:46 +0100, Martin Steigerwald wrote:
 Am Donnerstag, 8. Januar 2015, 14:20:27 schrieb Jerry Stuckle:
 Just ensure you're using good security practices - don't allow root
 login, use long, random passwords, etc.  I also use a random character
 strings for the login ids, as well as passwords  - just one more thing
 for the hackers to have to figure out how to get around.

 Only allow SSH key based logins. Of course, only after you copied a 
 public
 key onto the machine with ssh-copy-id.

 And have SSH keys with *strong* passphrases, to protect against someone
 stealing your key. Use ssh-agent wisely only on trusted machines.

 SSH password logins are just as safe. 20 characters gives a strong
 password for use on trusted machines. There is no need to worry about
 it being stolen because it is in your memory,

 I think SSH keys are safer, cause there is no password at all that can be
 brute forced.

 What do you mean by that?

 Okay, one can try to guess the key, but try that with a 4096 bit
 key.

 Hmm.

 10 characters, 6 to 7 bits per character, that's 60 bits.

 If the bits are truly random, straight brute-force will take, on
 average, half of 2^60 attempts.
 We can hold the integer 2^59 in a C variable on most recent desktops,
 but if we have bc (dc if you like post-fix), we can do this on even 32
 bit CPUs:

 576460752303423488 (base ten)

 At one million attempts per second, that's 5764607523034 seconds, or
 182678 CPU-years.

 There's no way that's going to happen on-line, if the password is
 truly random, and not randomly a password that's a quick permutation
 of common memes or of entries in rainbow tables.


 Actually, 62 possible characters (upper case, lower case and digits), 10
 positions is 62^10 or 839,299,365,868,340,224 possible combinations.

 Adding in special characters obviously would increase that.

 But there is no way you'll hit a server 1,000,000 times a second trying
 to brute force a password.


 I currently use sixteen or more letters in my passwords, don't use
 simple permutations or common phrases (as for the first letter trick),
 use disconnected words from multiple languages. Or use 16 character
 true random passwords for the important stuff.


 All good suggestions.

 SSH keys are useful, but you have to keep them somewhere. The real
 danger to good passwords is the off-line attempts, and the passphrase
 you use for your private keystore is potentially subject to off-line
 if your password is.


 Yes, keys may actually be less secure than passwords.

 Jerry


 If you have a dedicated hacker, or hackers, time is on their side.

What are your assumptions?

Even the NSA doesn't have the CPUs to brute force, from the network, a
password like y3z!6G@dA9}f2lP.. That's going to require a mean of
something like (95^15)/2 attempts. (Since Jerry points out that I
might as well count the members of the set to make the math clear,
since I've got bc fired up.) That's 10 followed by 28 zeros. At a
(network impossible) billion attempts a second, that's a mean time to
discovery of about 10^13 years, which is, what? roughly 2.5 thousand
times the current best hypothesis of the age of the solar system.

Off-line attacks can currently achieve in the range of a million
guesses a second, and the guesses can be split between as many CPUs as
you have. That's why a ten character password of only latin
upper/lower case and numbers is within reach of the NSA.

Also, passwords/passphrases/SSH keys like !-L0U{.t@4loR/$w|f+ are dead
meat, whether you like Taylor Swift or not, because they are
permutations of common memes, and that's subject to strategy attacks.

 I would much rather use a key with a passphrase.

What you do when you use an SSH key is introduce two stages of authentication.

The one that occurs on the net uses huge keys that really do put the
odds so far beyond the known lifetime of the universe as to make it
practically resistant to brute force. It is also generated by
arbitrary, statistically well-distributed processes, to make it very
resistant to analysis. So, as long as there are no vulnerabilities,
that stage can be relied on.

The other stage occurs on your computer, where you have means to
control access and
On Sat, Jan 10, 2015 at 12:24 PM, scott redhowlingwol...@gmx.com wrote:
 On 01/09/2015 09:19 PM, Jerry Stuckle wrote:
 On 1/9/2015 8:49 PM, Joel Rees wrote:
 On Fri, Jan 9, 2015 at 6:25 PM, Martin Steigerwald mar...@lichtvoll.de 
 wrote:
 Am Freitag, 9. Januar 2015, 00:24:06 schrieb Brian:
 On Thu 08 Jan 2015 at 22:36:46 +0100, Martin Steigerwald wrote:
 Am Donnerstag, 8. Januar 2015, 14:20:27 schrieb Jerry Stuckle:
 Just ensure you're using good 

Re: Have I been hacked?

2015-01-10 Thread Jerry Stuckle
On 1/10/2015 6:39 AM, Joel Rees wrote:
 On Sat, Jan 10, 2015 at 12:24 PM, scott redhowlingwol...@gmx.com wrote:
 On 01/09/2015 09:19 PM, Jerry Stuckle wrote:
 On 1/9/2015 8:49 PM, Joel Rees wrote:
 On Fri, Jan 9, 2015 at 6:25 PM, Martin Steigerwald mar...@lichtvoll.de 
 wrote:
 Am Freitag, 9. Januar 2015, 00:24:06 schrieb Brian:
 On Thu 08 Jan 2015 at 22:36:46 +0100, Martin Steigerwald wrote:
 Am Donnerstag, 8. Januar 2015, 14:20:27 schrieb Jerry Stuckle:
 Just ensure you're using good security practices - don't allow root
 login, use long, random passwords, etc.  I also use a random character
 strings for the login ids, as well as passwords  - just one more thing
 for the hackers to have to figure out how to get around.

 Only allow SSH key based logins. Of course, only after you copied a 
 public
 key onto the machine with ssh-copy-id.

 And have SSH keys with *strong* passphrases, to protect against someone
 stealing your key. Use ssh-agent wisely only on trusted machines.

 SSH password logins are just as safe. 20 characters gives a strong
 password for use on trusted machines. There is no need to worry about
 it being stolen because it is in your memory,

 I think SSH keys are safer, cause there is no password at all that can be
 brute forced.

 What do you mean by that?

 Okay, one can try to guess the key, but try that with a 4096 bit
 key.

 Hmm.

 10 characters, 6 to 7 bits per character, that's 60 bits.

 If the bits are truly random, straight brute-force will take, on
 average, half of 2^60 attempts.
 We can hold the integer 2^59 in a C variable on most recent desktops,
 but if we have bc (dc if you like post-fix), we can do this on even 32
 bit CPUs:

 576460752303423488 (base ten)

 At one million attempts per second, that's 5764607523034 seconds, or
 182678 CPU-years.

 There's no way that's going to happen on-line, if the password is
 truly random, and not randomly a password that's a quick permutation
 of common memes or of entries in rainbow tables.


 Actually, 62 possible characters (upper case, lower case and digits), 10
 positions is 62^10 or 839,299,365,868,340,224 possible combinations.

 Adding in special characters obviously would increase that.

 But there is no way you'll hit a server 1,000,000 times a second trying
 to brute force a password.


 I currently use sixteen or more letters in my passwords, don't use
 simple permutations or common phrases (as for the first letter trick),
 use disconnected words from multiple languages. Or use 16 character
 true random passwords for the important stuff.


 All good suggestions.

 SSH keys are useful, but you have to keep them somewhere. The real
 danger to good passwords is the off-line attempts, and the passphrase
 you use for your private keystore is potentially subject to off-line
 if your password is.


 Yes, keys may actually be less secure than passwords.

 Jerry


 If you have a dedicated hacker, or hackers, time is on their side.
 
 What are your assumptions?
 
 Even the NSA doesn't have the CPUs to brute force, from the network, a
 password like y3z!6G@dA9}f2lP.. That's going to require a mean of
 something like (95^15)/2 attempts. (Since Jerry points out that I
 might as well count the members of the set to make the math clear,
 since I've got bc fired up.) That's 10 followed by 28 zeros. At a
 (network impossible) billion attempts a second, that's a mean time to
 discovery of about 10^13 years, which is, what? roughly 2.5 thousand
 times the current best hypothesis of the age of the solar system.
 
 Off-line attacks can currently achieve in the range of a million
 guesses a second, and the guesses can be split between as many CPUs as
 you have. That's why a ten character password of only latin
 upper/lower case and numbers is within reach of the NSA.
 
 Also, passwords/passphrases/SSH keys like !-L0U{.t@4loR/$w|f+ are dead
 meat, whether you like Taylor Swift or not, because they are
 permutations of common memes, and that's subject to strategy attacks.
 
 I would much rather use a key with a passphrase.
 
 What you do when you use an SSH key is introduce two stages of authentication.
 
 The one that occurs on the net uses huge keys that really do put the
 odds so far beyond the known lifetime of the universe as to make it
 practically resistant to brute force. It is also generated by
 arbitrary, statistically well-distributed processes, to make it very
 resistant to analysis. So, as long as there are no vulnerabilities,
 that stage can be relied on.
 
 The other stage occurs on your computer, where you have means to
 control access and
 On Sat, Jan 10, 2015 at 12:24 PM, scott redhowlingwol...@gmx.com wrote:
 On 01/09/2015 09:19 PM, Jerry Stuckle wrote:
 On 1/9/2015 8:49 PM, Joel Rees wrote:
 On Fri, Jan 9, 2015 at 6:25 PM, Martin Steigerwald mar...@lichtvoll.de 
 wrote:
 Am Freitag, 9. Januar 2015, 00:24:06 schrieb Brian:
 On Thu 08 Jan 2015 at 22:36:46 +0100, Martin Steigerwald wrote:
 Am Donnerstag, 8. 

Re: Have I been hacked?

2015-01-10 Thread Martin Read

On 09/01/15 16:43, Jerry Stuckle wrote:

If you don't follow good security practices, it's your own fault if you
get hacked.


No. It is always the hacker's fault.

It may be your partial responsibility, however.



Archive: https://lists.debian.org/54b144d6.5080...@zen.co.uk



Re: Have I been hacked?

2015-01-10 Thread Lars Noodén
On 10.01.2015 13:39, Joel Rees wrote:
 On Sat, Jan 10, 2015 at 12:24 PM, scott redhowlingwol...@gmx.com wrote:
[snip]
 I would much rather use a key with a passphrase.
 
 What you do when you use an SSH key is introduce two stages of authentication.
[snip]

In wheezy (7) you have to choose one or the other, keys or password
unless you are using openssh-server 6.6 from backports.  Since 6.3, the
server will allow both a key and a password to be required¹.  See the
option AuthenticationMethods in the manual page for sshd_config.

In testing, (upcoming jessie aka debian 8) you have a newer version of
the server, 6.7.

Further down the line, in 6.8, it looks like the option even for
requiring multiple keys will be allowed².

Regards,
/Lars

¹ http://www.openssh.com/txt/release-6.3

² https://bugzilla.mindrot.org/show_bug.cgi?id=2323


Archive: https://lists.debian.org/54b1333a.9070...@gmail.com
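What Lars describes, written out as an sshd_config fragment. This is an added example, not configuration from the list or from the OpenSSH project; it assumes a Debian host whose openssh-server is new enough to know AuthenticationMethods (jessie's 6.7, or the wheezy backport Lars mentions) and that the administrator wants every user to present a key *and* a password.

```text
# /etc/ssh/sshd_config (excerpt) -- constructed example, not from the list.
# Both mechanisms must stay enabled, or the combined method can never succeed.
PubkeyAuthentication yes
PasswordAuthentication yes
PermitRootLogin no

# Comma = "and", tried in the listed order: a valid key first, then the
# account password. Space-separated groups would mean "or".
AuthenticationMethods publickey,password
```

Check the file with `sshd -t` before reloading, and keep an existing session open while you test the new login path from a second terminal, since a typo here locks everyone out. Per Lars's note, 6.8 extends this so that `publickey,publickey` can demand two different keys; on older servers that line is rejected at startup.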



Re: Have I been hacked?

2015-01-10 Thread Jerry Stuckle
On 1/10/2015 12:24 AM, scott wrote:
 On 01/10/2015 12:01 AM, Jerry Stuckle wrote:
 On 1/9/2015 10:24 PM, scott wrote:
 On 01/09/2015 09:19 PM, Jerry Stuckle wrote:
 On 1/9/2015 8:49 PM, Joel Rees wrote:
 On Fri, Jan 9, 2015 at 6:25 PM, Martin Steigerwald mar...@lichtvoll.de 
 wrote:
 Am Freitag, 9. Januar 2015, 00:24:06 schrieb Brian:
 On Thu 08 Jan 2015 at 22:36:46 +0100, Martin Steigerwald wrote:
 Am Donnerstag, 8. Januar 2015, 14:20:27 schrieb Jerry Stuckle:
 Just ensure you're using good security practices - don't allow root
 login, use long, random passwords, etc.  I also use a random character
 strings for the login ids, as well as passwords  - just one more thing
 for the hackers to have to figure out how to get around.

 Only allow SSH key based logins. Of course, only after you copied a 
 public
 key onto the machine with ssh-copy-id.

 And have SSH keys with *strong* passphrases, to protect against someone
 stealing your key. Use ssh-agent wisely only on trusted machines.

 SSH password logins are just as safe. 20 characters gives a strong
 password for use on trusted machines. There is no need to worry about
 it being stolen because it is in your memory,

 I think SSH keys are safer, cause there is no password at all that can be
 brute forced.

 What do you mean by that?

 Okay, one can try to guess the key, but try that with a 4096 bit
 key.

 Hmm.

 10 characters, 6 to 7 bits per character, that's 60 bits.

 If the bits are truly random, straight brute-force will take, on
 average, half of 2^60 attempts.

 We can hold the integer 2^59 in a C variable on most recent desktops,
 but if we have bc (dc if you like post-fix), we can do this on even 32
 bit CPUs:

 576460752303423488 (base ten)

 At one million attempts per second, that's 5764607523034 seconds, or
 182678 CPU-years.

 There's no way that's going to happen on-line, if the password is
 truly random, and not randomly a password that's a quick permutation
 of common memes or of entries in rainbow tables.


 Actually, 62 possible characters (upper case, lower case and digits), 10
 positions is 62^10 or 839,299,365,868,340,224 possible combinations.

 Adding in special characters obviously would increase that.

 But there is no way you'll hit a server 1,000,000 times a second trying
 to brute force a password.


 I currently use sixteen or more letters in my passwords, don't use
 simple permutations or common phrases (as for the first letter trick),
 use disconnected words from multiple languages. Or use 16 character
 true random passwords for the important stuff.


 All good suggestions.

 SSH keys are useful, but you have to keep them somewhere. The real
 danger to good passwords is the off-line attempts, and the passphrase
 you use for your private keystore is potentially subject to off-line
 if your password is.


 Yes, keys may actually be less secure than passwords.

 Jerry


 If you have a dedicated hacker, or hackers, time is on their side. I
 would much rather use a key with a passphrase.



 That's fine, if you don't care about security.  Lose your laptop and
 your pass phrase can be broken at a rate of 1 billion attempts per
 second, since it is local to your machine.

 There is no way you're going to get even 100 attempts per second into an
 SSH server.  And since the hacker doesn't have direct access to the
 encrypted password on the server, he can't break it on a local machine.
  Using the same password/pass phrase for both systems, it would take
 10,000,000 times longer to hack the SSH password than your local pass
 phrase.

 And then there's the problem you can only access the server from a
 system with the key file.  And the more computers the key file resides
 on, the less secure it is.

 Since a password is not stored on any machine (except the server), there
 is nothing to break.

 Jerry


 I replied to your post to me specifically, so I'll do it here, also.
 The fact is that if you have physical access to any machine, unfettered,
 it's game over.
Scotty
 
 

Which is more likely for a hacker to gain physical access to?  A laptop
you carry around (or even a desktop), or a server in a data center with
people on site 24/7?

Jerry


Archive: https://lists.debian.org/54b11e21.1090...@gmail.com



Re: Have I been hacked?

2015-01-10 Thread Ric Moore

On 01/10/2015 07:42 AM, Jerry Stuckle wrote:

On 1/10/2015 12:24 AM, scott wrote:

On 01/10/2015 12:01 AM, Jerry Stuckle wrote:

On 1/9/2015 10:24 PM, scott wrote:

On 01/09/2015 09:19 PM, Jerry Stuckle wrote:

On 1/9/2015 8:49 PM, Joel Rees wrote:

On Fri, Jan 9, 2015 at 6:25 PM, Martin Steigerwald mar...@lichtvoll.de wrote:

Am Freitag, 9. Januar 2015, 00:24:06 schrieb Brian:

On Thu 08 Jan 2015 at 22:36:46 +0100, Martin Steigerwald wrote:

Am Donnerstag, 8. Januar 2015, 14:20:27 schrieb Jerry Stuckle:

Just ensure you're using good security practices - don't allow root
login, use long, random passwords, etc.  I also use a random character
strings for the login ids, as well as passwords  - just one more thing
for the hackers to have to figure out how to get around.


Only allow SSH key based logins. Of course, only after you copied a public
key onto the machine with ssh-copy-id.

And have SSH keys with *strong* passphrases, to protect against someone
stealing your key. Use ssh-agent wisely only on trusted machines.


SSH password logins are just as safe. 20 characters gives a strong
password for use on trusted machines. There is no need to worry about
it being stolen because it is in your memory,


I think SSH keys are safer, cause there is no password at all that can be
brute forced.


What do you mean by that?


Okay, one can try to guess the key, but try that with a 4096 bit
key.


Hmm.

10 characters, 6 to 7 bits per character, that's 60 bits.

If the bits are truly random, straight brute-force will take, on
average, half of 2^60 attempts.

We can hold the integer 2^59 in a C variable on most recent desktops,
but if we have bc (dc if you like post-fix), we can do this on even 32
bit CPUs:

576460752303423488 (base ten)

At one million attempts per second, that's 5764607523034 seconds, or
182678 CPU-years.

There's no way that's going to happen on-line, if the password is
truly random, and not randomly a password that's a quick permutation
of common memes or of entries in rainbow tables.



Actually, 62 possible characters (upper case, lower case and digits), 10
positions is 62^10 or 839,299,365,868,340,224 possible combinations.

Adding in special characters obviously would increase that.

But there is no way you'll hit a server 1,000,000 times a second trying
to brute force a password.



I currently use sixteen or more letters in my passwords, don't use
simple permutations or common phrases (as for the first letter trick),
use disconnected words from multiple languages. Or use 16 character
true random passwords for the important stuff.



All good suggestions.


SSH keys are useful, but you have to keep them somewhere. The real
danger to good passwords is the off-line attempts, and the passphrase
you use for your private keystore is potentially subject to off-line
if your password is.



Yes, keys may actually be less secure than passwords.

Jerry



If you have a dedicated hacker, or hackers, time is on their side. I
would much rather use a key with a passphrase.




That's fine, if you don't care about security.  Lose your laptop and
your pass phrase can be broken at a rate of 1 billion attempts per
second, since it is local to your machine.

There is no way you're going to get even 100 attempts per second into an
SSH server.  And since the hacker doesn't have direct access to the
encrypted password on the server, he can't break it on a local machine.
  Using the same password/pass phrase for both systems, it would take
10,000,000 times longer to hack the SSH password than your local pass
phrase.

And then there's the problem you can only access the server from a
system with the key file.  And the more computers the key file resides
on, the less secure it is.

Since a password is not stored on any machine (except the server), there
is nothing to break.

Jerry



I replied to your post to me specifically, so I'll do it here, also.
The fact is that if you have physical access to any machine, unfettered,
it's game over.
Scotty




Which is more likely for a hacker to gain physical access to?  A laptop
you carry around (or even a desktop), or a server in a data center with
people on site 24/7?


People like Snowden?? :) Ric


--
My father, Victor Moore (Vic) used to say:
There are two Great Sins in the world...
..the Sin of Ignorance, and the Sin of Stupidity.
Only the former may be overcome. R.I.P. Dad.
Linux user# 44256



Archive: https://lists.debian.org/54b18081.7080...@gmail.com



Re: Have I been hacked?

2015-01-10 Thread Brian
On Fri 09 Jan 2015 at 21:19:41 -0500, Jerry Stuckle wrote:

 On 1/9/2015 8:49 PM, Joel Rees wrote:
 
  SSH keys are useful, but you have to keep them somewhere. The real
  danger to good passwords is the off-line attempts, and the passphrase
  you use for your private keystore is potentially subject to off-line
  if your password is.
  
 
 Yes, keys may actually be less secure than passwords.

That's an interesting line of enquiry! An administrator who enforces
a log in with keys knows exactly what the server will accept in terms of
authentication for *all* users. What he does not know is the level of
security which the user has placed on the key with the passphrase.
Furthermore, he has no technical way of ensuring the passphrase is
sufficiently strong or that the private key is not left lying about on
various machines to be probed at someone's leisure.

Another interesting aspect is that public-key authentication support by
ssh was not introduced as a response to any perceived general weakness
in a login with a password. SSH, The Secure Shell: The Definitive Guide
cites the single password per account as inconvenient (a new password
must be communicated to everyone with access to the account) and
accountability of access as reasons.

Granted, the same book also says passwords can be captured on a
compromised host. But if the host is compromised the administrator has
quite big problems elsewhere.

By all means advocate and use ssh keys. But at least provide some
substantial reason for spurning password login for that particular
situation. A blanket don't use passwords or keys are better doesn't
cut it.


Archive: 
https://lists.debian.org/10012015194257.e68f933ce...@desktop.copernicus.demon.co.uk



Re: Have I been hacked?

2015-01-10 Thread Danny
 afaik all you can do to block an entire country is drop all the ip
 blocks assigned to them, which will be tedious.
 For instance here is a list of the blocks for Belgium:
 http://www.nirsoft.net/countryip/be.html
 
 -Joris
 

Thanks for the link ... just for fun I added China and Belgium
to iptables and those 2 countries' ip address range/blocks
added 20866 lines to iptables ...

Now just imagine if I had to add Russia, Bangkok etc ... :) ...


Archive: https://lists.debian.org/20150110220621.GB18991@fever.havannah.local



Re: Have I been hacked?

2015-01-10 Thread Ric Moore

You all may wish to read this, from ars technica:
http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/1/

Very interesting. So interesting that I downloaded cudahashcat. I have 
96 cuda cores, and it was running the sample program quickly as it tore 
into 6 char / 2 numeral passwd combinations. :) Ric


p/s for the sake of $deity, please TRIM these posts!!





Archive: https://lists.debian.org/54b17f95.7060...@gmail.com



Re: Have I been hacked?

2015-01-10 Thread Danny
 On 01/09/2015 11:29 AM, Danny wrote:
  I am an Aircraft Engineer by trade not a Computer
  Scientist
 
 Have you considered that alone would make you a tasty bit to hack,
 and for that reason, if you have anything tasty on your machine, you
 REALLY need to clear it up soonest with a complete re-install. I'd
 add a measure of panic to that level of concern. No need for the
 black hats to have access at all. :) Ric

Luckily for me I am one up on them ... I stash all juicy stuff under the
mattress ... ;) ...


Archive: https://lists.debian.org/20150110215339.GA18991@fever.havannah.local



Re: Have I been hacked?

2015-01-10 Thread Jerry Stuckle
On 1/10/2015 2:41 PM, Ric Moore wrote:
 
 People like Snowden?? :) Ric
 
 

Snowden had direct access to the files.  No hacking required.

Jerry


Archive: https://lists.debian.org/54b198f0.7030...@gmail.com



Re: Have I been hacked?

2015-01-10 Thread Bob Proulx
scott wrote:
 Jerry Stuckle wrote:
  Actually, 62 possible characters (upper case, lower case and digits), 10
  positions is 62^10 or 839,299,365,868,340,224 possible combinations.
  
  Adding in special characters obviously would increase that.
  
  But there is no way you'll hit a server 1,000,000 times a second trying
  to brute force a password.

Complete agreement.  I want to go further and say that a password that
you can remember without needing to write it down is probably not a
good password.

  I currently use sixteen or more letters in my passwords, don't use

I use 10 for most sites but longer for banking sites.  Except for
Schwab which I have shamed here before for silently truncating all
passwords to 8 characters!

  simple permutations or common phrases (as for the first leter trick),
  use disconnected words from multiple languages. Or use 16 character
  true random passwords for the important stuff.

For quite some time now I have only used completely randomly generated
passwords.  I can't possibly remember them.  I use a password storage
system unique to my environment.  I don't remember them.  I write them
down.  I copy them from my storage when I need them.  I use
cut-n-paste and so this is actually reasonably convenient everywhere
but the tablet.  (None of the input methods on the tablet are
convenient to me.)  This allows me to change passwords at any time
without causing me any stress.

  $ pwgen -s 10 3
  orLz4zqMl8 7dCrxj10VT PYzdfX37K0

  SSH keys are useful, but you have to keep them somewhere. The real
  danger to good passwords is the off-line attempts, and the passphrase
  you use for your private keystore is potentially subject to off-line
  if your password is.
  
  Yes, keys may actually be less secure than passwords.

Yes.  The server must trust that the user isn't hacked.  Just the same
as when using passwords the server must trust that the user didn't let
their password escape.  It is the same trust needed.

If my laptop (with a fully encrypted file system) is stolen then I am
definitely going to know almost immediately.  (I live on my laptop.)
I am immediately going to remove that ssh key from my servers.  It
will be useless immediately.  Well before an attacker can crack both
the file system encryption and the ssh rsa key encryption.  Both of
which I can only assume will eventually happen and I must take
appropriate actions due to it.

 If you have a dedicated hacker, or hackers, time is on their side. I
 would much rather use a key with a passphrase.

There are two different areas under discussion here.  They are
completely different.  Yet in this thread people have been confusing
them.

One is when a database of hashed accounts and passwords has been
exposed.  An offline cracker has all of the time in the world to crack
those hashes.  The hashes themselves may be strong or weak.  Time and
resources are on their side for an offline attack.  An offline attack
already needs a breach and data exposure first.  But that is not what
we have been talking about.

One is trying to crack an online system by either dictionary or brute
force attack.  This is what we have been talking about when talking
about passwords and ssh rsa keys.  The attacker does NOT have time on
their side.  The attacker is at an extreme disadvantage.

Fail the password several times and the connection must be restarted,
which is done specifically to slow down the attacker.  Used with
fail2ban and after several failed attempts the attacker is banned for
ten minutes.  In that situation it is probably possible to try a few
dozen passwords every ten minutes from a single IP.  Even using a
distributed botnet attack only scales things linearly with the number
of bots.

A strong 10 character password with 62+^10 possible combinations as
Jerry has calculated out is not practically possible to brute force
from an online system.  It would take longer than the heat death of
the universe.  We will all have moved to IPv512 before the odds of
success turn into their favor.

Bob


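The arithmetic this thread keeps doing with bc (keyspace, mean number of guesses, time at a given guess rate), as a small calculator that puts Bob's online case and Jerry's offline case side by side. This is an added example, not code from Bob or anyone else on the list. The fail2ban window (36 tries per 600 seconds per IP), the 10,000-source botnet and the offline rates of 10^6 and 10^9 guesses a second are assumptions chosen to match the figures quoted in the thread, not measurements.

```python
"""Password brute-force cost estimator.

Added example, not code from the mailing-list thread: it redoes the
keyspace arithmetic the posters did with bc and then compares an online
attacker (throttled by sshd's retry limit and fail2ban) with an offline
one (who holds the hash file or the key file). All rates and lockout
windows below are illustrative assumptions.
"""
from math import log2

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # Julian year, 31,557,600 s


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols from the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy if every symbol is chosen uniformly at random."""
    return length * log2(alphabet_size)


def expected_guesses(space: int) -> int:
    """Mean guesses to find a uniformly random password: half the space."""
    return space // 2


def years_to_crack(space: int, guesses_per_second: float) -> float:
    """Mean time to success, in years, at a sustained guess rate."""
    return expected_guesses(space) / guesses_per_second / SECONDS_PER_YEAR


def online_rate(attempts_per_window: int, window_seconds: int,
                sources: int = 1) -> float:
    """Guesses/second an online attacker gets past a lockout window.

    `sources` is the number of attacking IPs (a botnet): it scales the
    rate linearly and nothing more, which is Bob's point.
    """
    return attempts_per_window * sources / window_seconds


def scenarios() -> dict:
    """Mean crack times (years) for the cases discussed in the thread."""
    alnum10 = keyspace(62, 10)      # [A-Za-z0-9]{10}, Jerry's 62^10
    printable15 = keyspace(95, 15)  # 95 printable ASCII symbols, 15 long
    # Assumed fail2ban-style limit: ~36 guesses per 10-minute ban window.
    one_ip = online_rate(36, 600)
    botnet = online_rate(36, 600, sources=10_000)
    return {
        "alnum10 online, one IP": years_to_crack(alnum10, one_ip),
        "alnum10 online, 10k-bot botnet": years_to_crack(alnum10, botnet),
        # Offline: stolen hash file or key file, assumed cluster/GPU rates.
        "alnum10 offline, 1e6/s": years_to_crack(alnum10, 1e6),
        "alnum10 offline, 1e9/s": years_to_crack(alnum10, 1e9),
        "printable15 offline, 1e9/s": years_to_crack(printable15, 1e9),
    }


if __name__ == "__main__":
    print(f"2^60 space, mean guesses: {expected_guesses(2 ** 60)}")
    print(f"62^10 = {keyspace(62, 10):,} ({entropy_bits(62, 10):.1f} bits)")
    for label, years in scenarios().items():
        print(f"{label:32s} {years:12.3g} years")
```

Run it and the rows line up with the thread's claim: the same 62^10 password that no online attacker can reach in the lifetime of the universe falls in roughly a decade to a 10^9 guesses/second offline attack, which is why a leaked hash database or an unencrypted private key file changes the problem entirely; the botnet row shows that more source addresses only divide the online figure linearly.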


Re: Have I been hacked?

2015-01-09 Thread scott
On 01/09/2015 09:19 PM, Jerry Stuckle wrote:
 On 1/9/2015 8:49 PM, Joel Rees wrote:
 On Fri, Jan 9, 2015 at 6:25 PM, Martin Steigerwald mar...@lichtvoll.de 
 wrote:
 Am Freitag, 9. Januar 2015, 00:24:06 schrieb Brian:
 On Thu 08 Jan 2015 at 22:36:46 +0100, Martin Steigerwald wrote:
 Am Donnerstag, 8. Januar 2015, 14:20:27 schrieb Jerry Stuckle:
 Just ensure you're using good security practices - don't allow root
 login, use long, random passwords, etc.  I also use a random character
 strings for the login ids, as well as passwords  - just one more thing
 for the hackers to have to figure out how to get around.

 Only allow SSH key based logins. Of course, only after you copied a public
 key onto the machine with ssh-copy-id.

 And have SSH keys with *strong* passphrases, to protect against someone
 stealing your key. Use ssh-agent wisely only on trusted machines.

 SSH password logins are just as safe. 20 characters gives a strong
 password for use on trusted machines. There is no need to worry about
 it being stolen because it is in your memory,

 I think SSH keys are safer, cause there is no password at all that can be
 brute forced.

 What do you mean by that?

 Okay, one can try to guess the key, but try that with a 4096 bit
 key.

 Hmm.

 10 characters, 6 to 7 bits per character, that's 60 bits.

 If the bits are truly random, straight brute-force will take, on
 average, half of 2^60 attempts.

 We can hold the integer 2^59 in a C variable on most recent desktops,
 but if we have bc (dc if you like post-fix), we can do this on even 32
 bit CPUs:

 576460752303423488 (base ten)

 At one million attempts per second, that's 5764607523034 seconds, or
 182678 CPU-years.

 There's no way that's going to happen on-line, if the password is
 truly random, and not randomly a password that's a quick permutation
 of common memes or of entries in rainbow tables.

 
 Actually, 62 possible characters (upper case, lower case and digits), 10
 positions is 62^10 or 839,299,365,868,340,224 possible combinations.
 
 Adding in special characters obviously would increase that.
 
 But there is no way you'll hit a server 1,000,000 times a second trying
 to brute force a password.
 
 
 I currently use sixteen or more letters in my passwords, don't use
 simple permutations or common phrases (as for the first letter trick),
 use disconnected words from multiple languages. Or use 16 character
 true random passwords for the important stuff.

 
 All good suggestions.
 
 SSH keys are useful, but you have to keep them somewhere. The real
 danger to good passwords is the off-line attempts, and the passphrase
 you use for your private keystore is potentially subject to off-line
 if your password is.

 
 Yes, keys may actually be less secure than passwords.
 
 Jerry
 
 
If you have a dedicated hacker, or hackers, time is on their side. I
would much rather use a key with a passphrase.


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/54b09b89.5060...@gmx.com



Re: Have I been hacked?

2015-01-09 Thread Jerry Stuckle
On 1/9/2015 8:49 PM, Joel Rees wrote:
 On Fri, Jan 9, 2015 at 6:25 PM, Martin Steigerwald mar...@lichtvoll.de 
 wrote:
 On Friday, 9 January 2015, 00:24:06, Brian wrote:
 On Thu 08 Jan 2015 at 22:36:46 +0100, Martin Steigerwald wrote:
 On Thursday, 8 January 2015, 14:20:27, Jerry Stuckle wrote:
 Just ensure you're using good security practices - don't allow root
 login, use long, random passwords, etc.  I also use a random character
 strings for the login ids, as well as passwords  - just one more thing
 for the hackers to have to figure out how to get around.

 Only allow SSH key based logins. Of course, only after you copied a public
 key onto the machine with ssh-copy-id.

 And have SSH keys with *strong* passphrases, to protect against someone
 stealing your key. Use ssh-agent wisely only on trusted machines.

 SSH password logins are just as safe. 20 characters gives a strong
 password for use on trusted machines. There is no need to worry about
 it being stolen because it is in your memory,

 I think SSH keys are safer, cause there is no password at all that can be
 brute forced.
 
 What do you mean by that?
 
 Okay, one can try to guess the key, but try that with a 4096 bit
 key.
 
 Hmm.
 
 10 characters, 6 to 7 bits per character, that's 60 bits.
 
 If the bits are truly random, straight brute-force will take, on
 average, half of 2^60 attempts.
 
 We can hold the integer 2^59 in a C variable on most recent desktops,
 but if we have bc (dc if you like post-fix), we can do this on even 32
 bit CPUs:
 
 576460752303423488 (base ten)
 
 At one million attempts per second, that's 5764607523034 seconds, or
 182678 CPU-years.
 
 There's no way that's going to happen on-line, if the password is
 truly random, and not randomly a password that's a quick permutation
 of common memes or of entries in rainbow tables.


Actually, 62 possible characters (upper case, lower case and digits), 10
positions is 62^10 or 839,299,365,868,340,224 possible combinations.

Adding in special characters obviously would increase that.

But there is no way you'll hit a server 1,000,000 times a second trying
to brute force a password.


 I currently use sixteen or more letters in my passwords, don't use
 simple permutations or common phrases (as for the first letter trick),
 use disconnected words from multiple languages. Or use 16 character
 true random passwords for the important stuff.
 

All good suggestions.

 SSH keys are useful, but you have to keep them somewhere. The real
 danger to good passwords is the off-line attempts, and the passphrase
 you use for your private keystore is potentially subject to off-line
 if your password is.
 

Yes, keys may actually be less secure than passwords.

Jerry


-- 
Archive: https://lists.debian.org/54b08c3d.4090...@gmail.com



Re: Have I been hacked?

2015-01-09 Thread scott
On 01/10/2015 12:01 AM, Jerry Stuckle wrote:
 On 1/9/2015 10:24 PM, scott wrote:
 On 01/09/2015 09:19 PM, Jerry Stuckle wrote:
 On 1/9/2015 8:49 PM, Joel Rees wrote:
 On Fri, Jan 9, 2015 at 6:25 PM, Martin Steigerwald mar...@lichtvoll.de 
 wrote:
 On Friday, 9 January 2015, 00:24:06, Brian wrote:
 On Thu 08 Jan 2015 at 22:36:46 +0100, Martin Steigerwald wrote:
 On Thursday, 8 January 2015, 14:20:27, Jerry Stuckle wrote:
 Just ensure you're using good security practices - don't allow root
 login, use long, random passwords, etc.  I also use a random character
 strings for the login ids, as well as passwords  - just one more thing
 for the hackers to have to figure out how to get around.

 Only allow SSH key based logins. Of course, only after you copied a 
 public
 key onto the machine with ssh-copy-id.

 And have SSH keys with *strong* passphrases, to protect against someone
 stealing your key. Use ssh-agent wisely only on trusted machines.

 SSH password logins are just as safe. 20 characters gives a strong
 password for use on trusted machines. There is no need to worry about
 it being stolen because it is in your memory,

 I think SSH keys are safer, cause there is no password at all that can be
 brute forced.

 What do you mean by that?

 Okay, one can try to guess the key, but try that with a 4096 bit
 key.

 Hmm.

 10 characters, 6 to 7 bits per character, that's 60 bits.

 If the bits are truly random, straight brute-force will take, on
 average, half of 2^60 attempts.

 We can hold the integer 2^59 in a C variable on most recent desktops,
 but if we have bc (dc if you like post-fix), we can do this on even 32
 bit CPUs:

 576460752303423488 (base ten)

 At one million attempts per second, that's 5764607523034 seconds, or
 182678 CPU-years.

 There's no way that's going to happen on-line, if the password is
 truly random, and not randomly a password that's a quick permutation
 of common memes or of entries in rainbow tables.


 Actually, 62 possible characters (upper case, lower case and digits), 10
 positions is 62^10 or 839,299,365,868,340,224 possible combinations.

 Adding in special characters obviously would increase that.

 But there is no way you'll hit a server 1,000,000 times a second trying
 to brute force a password.


 I currently use sixteen or more letters in my passwords, don't use
 simple permutations or common phrases (as for the first letter trick),
 use disconnected words from multiple languages. Or use 16 character
 true random passwords for the important stuff.


 All good suggestions.

 SSH keys are useful, but you have to keep them somewhere. The real
 danger to good passwords is the off-line attempts, and the passphrase
 you use for your private keystore is potentially subject to off-line
 if your password is.


 Yes, keys may actually be less secure than passwords.

 Jerry


 If you have a dedicated hacker, or hackers, time is on their side. I
 would much rather use a key with a passphrase.


 
 That's fine, if you don't care about security.  Lose your laptop and
 your pass phrase can be broken at a rate of 1 billion attempts per
 second, since it is local to your machine.
 
 There is no way you're going to get even 100 attempts per second into an
 SSH server.  And since the hacker doesn't have direct access to the
 encrypted password on the server, he can't break it on a local machine.
  Using the same password/pass phrase for both systems, it would take
 10,000,000 times longer to hack the SSH password than your local pass
 phrase.
 
 And then there's the problem you can only access the server from a
 system with the key file.  And the more computers the key file resides
 on, the less secure it is.
 
 Since a password is not stored on any machine (except the server), there
 is nothing to break.
 
 Jerry
 
 
I replied to your post to me specifically, so I'll do it here, also.
The fact is that if you have physical access to any machine, unfettered,
it's game over.
   Scotty


-- 
Archive: https://lists.debian.org/54b0b779.2010...@gmx.com



Re: Have I been hacked?

2015-01-09 Thread Joel Rees
On Fri, Jan 9, 2015 at 6:25 PM, Martin Steigerwald mar...@lichtvoll.de wrote:
 On Friday, 9 January 2015, 00:24:06, Brian wrote:
 On Thu 08 Jan 2015 at 22:36:46 +0100, Martin Steigerwald wrote:
  On Thursday, 8 January 2015, 14:20:27, Jerry Stuckle wrote:
   Just ensure you're using good security practices - don't allow root
   login, use long, random passwords, etc.  I also use a random character
   strings for the login ids, as well as passwords  - just one more thing
   for the hackers to have to figure out how to get around.
 
  Only allow SSH key based logins. Of course, only after you copied a public
  key onto the machine with ssh-copy-id.
 
  And have SSH keys with *strong* passphrases, to protect against someone
  stealing your key. Use ssh-agent wisely only on trusted machines.

 SSH password logins are just as safe. 20 characters gives a strong
 password for use on trusted machines. There is no need to worry about
 it being stolen because it is in your memory,

 I think SSH keys are safer, cause there is no password at all that can be
 brute forced.

What do you mean by that?

 Okay, one can try to guess the key, but try that with a 4096 bit
 key.

Hmm.

10 characters, 6 to 7 bits per character, that's 60 bits.

If the bits are truly random, straight brute-force will take, on
average, half of 2^60 attempts.

We can hold the integer 2^59 in a C variable on most recent desktops,
but if we have bc (dc if you like post-fix), we can do this on even 32
bit CPUs:

576460752303423488 (base ten)

At one million attempts per second, that's 5764607523034 seconds, or
182678 CPU-years.

There's no way that's going to happen on-line, if the password is
truly random, and not randomly a password that's a quick permutation
of common memes or of entries in rainbow tables.

I currently use sixteen or more letters in my passwords, don't use
simple permutations or common phrases (as for the first letter trick),
use disconnected words from multiple languages. Or use 16 character
true random passwords for the important stuff.

SSH keys are useful, but you have to keep them somewhere. The real
danger to good passwords is the off-line attempts, and the passphrase
you use for your private keystore is potentially subject to off-line
if your password is.

 Anyway, I will unsubscribe now.

 Staying on this list has not been beneficial for me.

 The amount of traffic on this list, that is not related to Debian or is
 bickering like this is soo high that I find it too time consuming to find out
 the rare gems of threads where I can still learn something new about Debian or
 that I enjoy in engaging and replying to.

 Don't bother to answer. I will likely delete it.

 Ciao,
 --
 Martin 'Helios' Steigerwald - http://www.Lichtvoll.de
 GPG: 03B0 0D6C 0040 0710 4AFA  B82F 991B EAAC A599 84C7

-- 
Joel Rees

Freedom costs in software, too.
How much, and what,
are you willing to pay for your freedom?


--
Archive: 
https://lists.debian.org/caar43imglrutsiitri17xotaz0qvwip5eymc1z-q+vsd_ss...@mail.gmail.com



Re: Have I been hacked?

2015-01-09 Thread Jerry Stuckle
On 1/9/2015 10:24 PM, scott wrote:
 On 01/09/2015 09:19 PM, Jerry Stuckle wrote:
 On 1/9/2015 8:49 PM, Joel Rees wrote:
 On Fri, Jan 9, 2015 at 6:25 PM, Martin Steigerwald mar...@lichtvoll.de 
 wrote:
 On Friday, 9 January 2015, 00:24:06, Brian wrote:
 On Thu 08 Jan 2015 at 22:36:46 +0100, Martin Steigerwald wrote:
 On Thursday, 8 January 2015, 14:20:27, Jerry Stuckle wrote:
 Just ensure you're using good security practices - don't allow root
 login, use long, random passwords, etc.  I also use a random character
 strings for the login ids, as well as passwords  - just one more thing
 for the hackers to have to figure out how to get around.

 Only allow SSH key based logins. Of course, only after you copied a 
 public
 key onto the machine with ssh-copy-id.

 And have SSH keys with *strong* passphrases, to protect against someone
 stealing your key. Use ssh-agent wisely only on trusted machines.

 SSH password logins are just as safe. 20 characters gives a strong
 password for use on trusted machines. There is no need to worry about
 it being stolen because it is in your memory,

 I think SSH keys are safer, cause there is no password at all that can be
 brute forced.

 What do you mean by that?

 Okay, one can try to guess the key, but try that with a 4096 bit
 key.

 Hmm.

 10 characters, 6 to 7 bits per character, that's 60 bits.

 If the bits are truly random, straight brute-force will take, on
 average, half of 2^60 attempts.

 We can hold the integer 2^59 in a C variable on most recent desktops,
 but if we have bc (dc if you like post-fix), we can do this on even 32
 bit CPUs:

 576460752303423488 (base ten)

 At one million attempts per second, that's 5764607523034 seconds, or
 182678 CPU-years.

 There's no way that's going to happen on-line, if the password is
 truly random, and not randomly a password that's a quick permutation
 of common memes or of entries in rainbow tables.


 Actually, 62 possible characters (upper case, lower case and digits), 10
 positions is 62^10 or 839,299,365,868,340,224 possible combinations.

 Adding in special characters obviously would increase that.

 But there is no way you'll hit a server 1,000,000 times a second trying
 to brute force a password.


 I currently use sixteen or more letters in my passwords, don't use
 simple permutations or common phrases (as for the first letter trick),
 use disconnected words from multiple languages. Or use 16 character
 true random passwords for the important stuff.


 All good suggestions.

 SSH keys are useful, but you have to keep them somewhere. The real
 danger to good passwords is the off-line attempts, and the passphrase
 you use for your private keystore is potentially subject to off-line
 if your password is.


 Yes, keys may actually be less secure than passwords.

 Jerry


 If you have a dedicated hacker, or hackers, time is on their side. I
 would much rather use a key with a passphrase.
 
 

That's fine, if you don't care about security.  Lose your laptop and
your pass phrase can be broken at a rate of 1 billion attempts per
second, since it is local to your machine.

There is no way you're going to get even 100 attempts per second into an
SSH server.  And since the hacker doesn't have direct access to the
encrypted password on the server, he can't break it on a local machine.
 Using the same password/pass phrase for both systems, it would take
10,000,000 times longer to hack the SSH password than your local pass
phrase.

And then there's the problem you can only access the server from a
system with the key file.  And the more computers the key file resides
on, the less secure it is.

Since a password is not stored on any machine (except the server), there
is nothing to break.

Jerry


-- 
Archive: https://lists.debian.org/54b0b23c.8060...@gmail.com



Re: Have I been hacked?

2015-01-09 Thread Joel Rees
2015/01/09 23:46 Danny mynixm...@gmail.com:

 
  You have completely failed to understand what fail2ban is telling you.
 
   Anyway, I have decided to get new hardware and do a clean install of 
   everything
   ... as many of you have suggested ...
 
  It was heading that way so it is probably best for you.
 

 You sound like a heartless Sergeant Major in the Marines ... ;) ...

I'm afraid you're going to like my comments here even less.

   However, as I fly a lot internationally, is there a way I can temporarily 
   block
   these countries' IPs for a few days at most until I have enough time on
   hand to do a fresh install ...
 
  What has flying got to do with it?
 
 What I meant was that I fly a lot and don't have time in the immediate future 
 to
 do a fresh install ... So I wanted a temporary stop-gap solution for a few 
 days
 until time would lend itself for the task ...

Which was why I was trying to tell you to quit wasting time looking
for shortcuts and consolation and re-install. Start with new hardware
if you can possibly afford it, to be safe and to save time.

Now it looks like your server needs to be off-line for a while until
you get back.

Also, once you're back up, you need a second, someone who can at least
pull the plug while you're out, preferably someone who can also help
you review your system design and implementation. Patience, and
willingness to listen while you ramble, can be more important than
technical expertise.

--
Joel Rees

Freedom costs in software, too.
How much, and what,
are you willing to pay for your freedom?

   Currently my iptables looks like this ...
 
  If you have resorted to using iptables you have lost it. A standard
  Debian install doesn't need it.
 
 Yip ... definitely a Sergeant Major ...


-- 
Archive: 
https://lists.debian.org/caar43in7jyn-dg2tb29o6kkrmjloxpzxnq9nmq7iry5q+fq...@mail.gmail.com



Re: Have I been hacked?

2015-01-09 Thread Eduardo M KALINOWSKI

On Fri, 09 Jan 2015, Jerry Stuckle wrote:

SSH passwords are very safe, if they are long enough.  For instance, if
you have a 10 character password, mixed case and numbers (no special
characters), a brute force attack of 100 attempts per second would take
almost 266 million years to cover all possibilities.  11 characters
would take over 16 billion years - longer than the life of the universe.


If the characters are random, that is.

The problem is that passwords are often not really random. So even  
seemingly secure passwords may be guessed relatively easy. This  
article gives a good overview about this topic:

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/


--
Eduardo M KALINOWSKI
edua...@kalinowski.com.br



--

Archive: 
https://lists.debian.org/20150109161939.horde.0abxbzwnoqt8_zsbyxhd...@mail.kalinowski.com.br



Re: Have I been hacked?

2015-01-09 Thread Jerry Stuckle
On 1/8/2015 3:02 PM, Brian wrote:
 
 If you have resorted to using iptables you have lost it. A standard
 Debian install doesn't need it.
 
 

I disagree.  iptables is a great tool for blocking unwanted connections.

What do you have against it?

Jerry


-- 
Archive: https://lists.debian.org/54aff68e.8020...@gmail.com



Re: Have I been hacked?

2015-01-09 Thread Jerry Stuckle
On 1/9/2015 4:25 AM, Martin Steigerwald wrote:
 On Friday, 9 January 2015, 00:24:06, Brian wrote:
 On Thu 08 Jan 2015 at 22:36:46 +0100, Martin Steigerwald wrote:
 On Thursday, 8 January 2015, 14:20:27, Jerry Stuckle wrote:
 Just ensure you're using good security practices - don't allow root
 login, use long, random passwords, etc.  I also use a random character
 strings for the login ids, as well as passwords  - just one more thing
 for the hackers to have to figure out how to get around.

 Only allow SSH key based logins. Of course, only after you copied a public
 key onto the machine with ssh-copy-id.

 And have SSH keys with *strong* passphrases, to protect against someone
 stealing your key. Use ssh-agent wisely only on trusted machines.

 SSH password logins are just as safe. 20 characters gives a strong
 password for use on trusted machines. There is no need to worry about
 it being stolen because it is in your memory,
 
 I think SSH keys are safer, cause there is no password at all that can be 
 brute forced. Okay, one can try to guess the key, but try that with a 4096 
 bit 
 key.


SSH passwords are very safe, if they are long enough.  For instance, if
you have a 10 character password, mixed case and numbers (no special
characters), a brute force attack of 100 attempts per second would take
almost 266 million years to cover all possibilities.  11 characters
would take over 16 billion years - longer than the life of the universe.

The biggest disadvantage of using keys is it limits the machines you can
access the server from.  That's not good if you need to access the
server and you're not near your machine.

 Anyway, I will unsubscribe now.
 
 Staying on this list has not been beneficial for me.
 
 The amount of traffic on this list, that is not related to Debian or is 
 bickering like this is soo high that I find it too time consuming to find out 
 the rare gems of threads where I can still learn something new about Debian 
 or 
 that I enjoy in engaging and replying to.
 
 Don't bother to answer. I will likely delete it.
 
 Ciao,
 

If a little off-topic discussion bothers you, then it probably is best
you unsubscribe.  Personally, I've learned a lot just from reading this
list.

Jerry


-- 
Archive: https://lists.debian.org/54aff89d.4000...@gmail.com



Re: Have I been hacked?

2015-01-09 Thread Jerry Stuckle
On 1/9/2015 11:29 AM, Danny wrote:
 If you want to inspect further, I would suggest you look at each of the
 jobs being run.  See if they are what you expect them to be.  Also check
 your /etc/crontab and /etc/anacrontab to see what is in them.
 
 I would love to investigate further but I am afraid I am not inclined towards
 forensics ... lol ... I am an Aircraft Engineer by trade not a Computer
 Scientist ... :) ... I played around with sleuthkit but that confused the 
 living
 hell out of me ... lol ... I don't even know what to look for ... The server I
 have is a small community/family server that gives wireless access to poor
 families ... 
 

 As for the attacks - I've seen a big uptake in the attacks over the last
 couple of weeks.  The worst I've seen is  100 IP's locked out in one 24
 hour period.  They are coming from all over the world, although since
 there are a lot of proxies (many of them from trojans/viruses installed
 on unsuspecting machines), there's no easy way to tell what the real
 origins are.
 
 It's astonishing how quick they can find an IP ...
 
 I have permanently blocked the IP ranges of some of the worst offenders,
 but the only real way to stop it is to take your machine off the
 internet completely.

 Just ensure you're using good security practices - don't allow root
 login, use long, random passwords, etc.  I also use a random character
 strings for the login ids, as well as passwords  - just one more thing
 for the hackers to have to figure out how to get around.
 
 That's the problem right there ... random passwords ... lol ... but I will 
 have
 to adapt ...
 
 Thank You
 
 

Yes, randomizing your passwords is important - as is not using the same
password on multiple systems.  One trick I use is to take a long phrase
and use the first (or second or third...) letter of each word.  Then
capitalize certain characters.  For instance, if you used "To be or not
to be, that is the question", your password could be something like
"2bOn2BtiTq" (capitalizing every 3rd character).

It's a lot easier to remember a phrase than a bunch of random characters.

Jerry


-- 
Archive: https://lists.debian.org/54aff9e5.1020...@gmail.com



Re: Have I been hacked?

2015-01-09 Thread Martin Steigerwald
On Friday, 9 January 2015, 00:24:06, Brian wrote:
 On Thu 08 Jan 2015 at 22:36:46 +0100, Martin Steigerwald wrote:
  On Thursday, 8 January 2015, 14:20:27, Jerry Stuckle wrote:
   Just ensure you're using good security practices - don't allow root
   login, use long, random passwords, etc.  I also use a random character
   strings for the login ids, as well as passwords  - just one more thing
   for the hackers to have to figure out how to get around.
  
  Only allow SSH key based logins. Of course, only after you copied a public
  key onto the machine with ssh-copy-id.
  
  And have SSH keys with *strong* passphrases, to protect against someone
  stealing your key. Use ssh-agent wisely only on trusted machines.
 
 SSH password logins are just as safe. 20 characters gives a strong
 password for use on trusted machines. There is no need to worry about
 it being stolen because it is in your memory,

I think SSH keys are safer, cause there is no password at all that can be 
brute forced. Okay, one can try to guess the key, but try that with a 4096 bit 
key.

Anyway, I will unsubscribe now.

Staying on this list has not been beneficial for me.

The amount of traffic on this list, that is not related to Debian or is 
bickering like this is soo high that I find it too time consuming to find out 
the rare gems of threads where I can still learn something new about Debian or 
that I enjoy in engaging and replying to.

Don't bother to answer. I will likely delete it.

Ciao,
-- 
Martin 'Helios' Steigerwald - http://www.Lichtvoll.de
GPG: 03B0 0D6C 0040 0710 4AFA  B82F 991B EAAC A599 84C7


--
Archive: https://lists.debian.org/3714920.DLpo8KHxcl@merkaba



Re: Have I been hacked?

2015-01-09 Thread Brian
On Fri 09 Jan 2015 at 16:19:39 +, Eduardo M KALINOWSKI wrote:

 On Fri, 09 Jan 2015, Jerry Stuckle wrote:
 SSH passwords are very safe, if they are long enough.  For instance, if
 you have a 10 character password, mixed case and numbers (no special
 characters), a brute force attack of 100 attempts per second would take
 almost 266 million years to cover all possibilities.  11 characters
 would take over 16 billion years - longer than the life of the universe.
 
 If the characters are random, that is.
 
 The problem is that passwords are often not really random. So even
 seemingly secure passwords may be guessed relatively easy. This
 article gives a good overview about this topic:
 http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

Please note that this excellent article describes off-line cracking. The
number of attempts per second is limited only by the machinery at hand.
The 100 attempts per second for on-line cracking isn't something which
can be increased to the same level. Jerry's argument still holds up.


-- 
Archive: 
https://lists.debian.org/09012015175110.acd723095...@desktop.copernicus.demon.co.uk



Re: Have I been hacked?

2015-01-09 Thread Ric Moore

On 01/09/2015 11:29 AM, Danny wrote:
 I am an Aircraft Engineer by trade not a Computer Scientist


Have you considered that alone would make you a tasty bit to hack, and 
for that reason, if you have anything tasty on your machine, you REALLY 
need to clear it up soonest with a complete re-install. I'd add a 
measure of panic to that level of concern. No need for the black hats to 
have access at all. :) Ric




--
My father, Victor Moore (Vic) used to say:
There are two Great Sins in the world...
..the Sin of Ignorance, and the Sin of Stupidity.
Only the former may be overcome. R.I.P. Dad.
Linux user# 44256


--

Archive: https://lists.debian.org/54b021fc.6080...@gmail.com



Re: Have I been hacked?

2015-01-09 Thread Brian
On Fri 09 Jan 2015 at 10:41:02 -0500, Jerry Stuckle wrote:

 On 1/8/2015 3:02 PM, Brian wrote:
  
  If you have resorted to using iptables you have lost it. A standard
  Debian install doesn't need it.
 
 I disagree.  iptables is a great tool for blocking unwanted connections.
 
 What do you have against it?

I have nothing against it and, in fact, agree with you. I'll enlarge on
my sketchy remarks.

The OP installs Debian with (say) Gnome. There are no listening services
so there is no need to block any connections. If it happened that sshd
was installed at the same time (or later) the use of ssh keys or a very
strong password for authentication is sufficient to protect the service.

However, there can be a big annoyance factor when attempts to log on the
server take place. Software like fail2ban (which uses iptables) can be
some comfort here and will at least reduce the noise in auth.log. Last
year this machine saw about 4000 such random connections. I don't know
how typical that is but none of them caused me to lose any sleep.

Iptables can do a great job blocking unwanted connections. If someone
wants to use it as a way of obtaining peace of mind, that's fine. But
it doesn't add one iota of security to a well-set-up and well-managed
sshd.

With more services running the need is to understand their different
security needs. Substituting the use of iptables for understanding isn't
(IMO) something that needs to be top of the list.


-- 
Archive: https://lists.debian.org/20150109175103.ga15...@copernicus.demon.co.uk



Re: Have I been hacked?

2015-01-09 Thread Jerry Stuckle
On 1/9/2015 11:19 AM, Eduardo M KALINOWSKI wrote:
 On Fri, 09 Jan 2015, Jerry Stuckle wrote:
 SSH passwords are very safe, if they are long enough.  For instance, if
 you have a 10 character password, mixed case and numbers (no special
 characters), a brute force attack of 100 attempts per second would take
 almost 266 million years to cover all possibilities.  11 characters
 would take over 16 billion years - longer than the life of the universe.
 
 If the characters are random, that is.


That's just good security practice.

 The problem is that passwords are often not really random. So even
 seemingly secure passwords may be guessed relatively easy. This article
 gives a good overview about this topic:
 http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
 
 

If you don't follow good security practices, it's your own fault if you
get hacked.

Jerry


-- 
Archive: https://lists.debian.org/54b00528.2040...@gmail.com



Re: Have I been hacked?

2015-01-09 Thread Bob Holtzman
On Fri, Jan 09, 2015 at 10:49:49AM -0500, Jerry Stuckle wrote:

   snip...
 
 SSH passwords are very safe, if they are long enough.  For instance, if
 you have a 10 character password, mixed case and numbers (no special
 characters), a brute force attack of 100 attempts per second would take
 almost 266 million years to cover all possibilities.  11 characters
 would take over 16 billion years - longer than the life of the universe.

That's the key phrase, "to cover all possibilities". Don't forget, it's
possible to hit pay dirt on the first try...or the 3rd...or the 20th...
or the 500th...or the 50,000th...or the last possibility. 

I constantly hear references to mind boggling lengths of time required
to crack passwords/phrases. I think it's misleading, especially to a
beginner. On the other hand I have to admit I can't come up with a
better way.

   ...snip..

-- 
Bob Holtzman
Giant intergalactic brain-sucking hyperbacteria 
came to Earth to rape our women and create a race 
of mindless zombies.  Look!  It's working!


-- 
Archive: https://lists.debian.org/20150109213704.ga32...@cox.net



Re: Have I been hacked?

2015-01-09 Thread John Hasler
Bob Holtzman writes:
 That's the key phrase, "to cover all possibilities". Don't forget, it's
 possible to hit pay dirt on the first try

And it's about equally likely that a burst of cosmic rays of just the
right pattern will strike your computer so as to reconfigure it to allow
passwordless root logins via telnet.
-- 
John Hasler 
jhas...@newsguy.com
Elmwood, WI USA


Archive: https://lists.debian.org/87vbkfha85@thumper.dhh.gt.org



Re: Have I been hacked?

2015-01-09 Thread Jerry Stuckle
On 1/9/2015 4:37 PM, Bob Holtzman wrote:
 On Fri, Jan 09, 2015 at 10:49:49AM -0500, Jerry Stuckle wrote:
 
snip...

 SSH passwords are very safe, if they are long enough.  For instance, if
 you have a 10 character password, mixed case and numbers (no special
 characters), a brute force attack of 100 attempts per second would take
 almost 266 million years to cover all possibilities.  11 characters
 would take over 16 billion years - longer than the life of the universe.
 
 That's the key phrase, "to cover all possibilities". Don't forget, it's
 possible to hit pay dirt on the first try...or the 3rd...or the 20th...
 or the 500th...or the 50,000th...or the last possibility. 
 
 I constantly hear references to mind boggling lengths of time required
 to crack passwords/phrases. I think it's misleading, especially to a
 beginner. On the other hand I have to admit I can't come up with a
 better way.
 
...snip..
 

That's true.  On average it will take 1/2 as long - or about 133 million
years for a 10 character password or 8 billion years for an 11 character
password.

But that's also assuming the hacker knows how long your password is.
He/she would also have to consider all possible combinations of 1-9
character passwords.  That alone would take almost 4.36 million years
just to ensure the password wasn't shorter.

Of course, the hacker could also probably skip 1 character passwords (
1 second), 2 character passwords (38 seconds), etc.  But even going
through all the possibilities of 9 character passwords would take around
4.29 million years (without a hit because the password is 10 characters).

Of course, *anything* can be caught on the first, second or third try.
But the odds of hitting it on the first try are over 13 quadrillion (13
followed by 15 zeros) to 1.

You have a better chance of being struck by lightning while in an
elevator 300' underground!

Jerry


Archive: https://lists.debian.org/54b0530a.4020...@gmail.com
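Added example, not code from anyone in the thread: a small calculator that reproduces the figures above from the 62-symbol alphabet (mixed case plus digits) and the 100 guesses per second used in the post, with the guess rate as a parameter. The 1e10 guesses per second "offline" rate is an assumption for illustration, not a figure from the thread; it stands for an attacker who has obtained a password hash and no longer has to go through sshd. The point it adds to the prose: the same 10-character password that needs about 266 million years at 100 guesses/s is exhausted in under three years at 1e10 guesses/s, so the quoted figures only hold while every guess has to pass through the SSH server.

```python
# Added example, not from the thread: the arithmetic behind the brute-force
# figures quoted above, with the guess rate as a parameter so the online case
# (100 guesses/s against sshd) can be compared with an offline one.

SECONDS_PER_YEAR = 365.25 * 24 * 3600
MIXED_CASE_DIGITS = 26 + 26 + 10   # the 62-symbol alphabet used in the thread


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def keyspace_up_to(alphabet_size, max_length):
    """Passwords of length 1..max_length: what an attacker who does not know
    the length has to sweep before reaching the real length."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def years_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst case: every password of this length is tried."""
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


def expected_years(alphabet_size, length, guesses_per_second):
    """Average case for a uniformly random password: half the keyspace."""
    return years_to_exhaust(alphabet_size, length, guesses_per_second) / 2


def length_for_target(alphabet_size, guesses_per_second, target_years):
    """Smallest length whose expected cracking time reaches target_years."""
    length = 1
    while expected_years(alphabet_size, length, guesses_per_second) < target_years:
        length += 1
    return length


def report(alphabet_size, length, rates):
    """Expected years for each named guess rate, e.g. {'online': 100}."""
    return {name: expected_years(alphabet_size, length, rate)
            for name, rate in rates.items()}


if __name__ == "__main__":
    # 100/s is the thread's online figure; 1e10/s is an assumed offline rate
    # against a fast unsalted hash, used only to show the contrast.
    rates = {"online (100/s)": 100, "offline (1e10/s, assumed)": 1e10}
    for length in (8, 10, 11, 16):
        print(length, report(MIXED_CASE_DIGITS, length, rates))
    print("length needed for 100 expected years at 1e10/s:",
          length_for_target(MIXED_CASE_DIGITS, 1e10, 100))
```

The numbers only apply to uniformly random passwords; a memorable one drawn from a dictionary is guessed from a list of a few million candidates, not from the full keyspace, which is the point the Ars Technica article linked earlier in the thread makes.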



Re: Have I been hacked?

2015-01-09 Thread Frédéric Marchal
On Thursday 08 January 2015 21:53:45, Danny wrote :
 Hi guys,
 
 So what I did was do disable all startup scripts/servers/services and then
 enable only one at a time ... then I would reboot and wait and keep an eye
 on /boot (I deleted all randomly generated files, so I could see if a
 file was added or not, and it was also the only way I knew for certain
 that the culprit was active or not, hence that is how I could time it) ...
 
 All went well until I enabled cron ... I checked all cron jobs and they
 all look normal ... here is an ls of my cron directories ...
 
 ###
 /etc/cron.d/
 anacron atop mrtg php5
 
 /etc/cron.daily/
 anacron atop mrtg php5
 
 /etc/cron.hourly/
 cron.sh sarg
 
 /etc/cron.monthly
 0anacron sarg
 
 /etc/cron.weekly
 0anacron apt-xapian-index man-db sarg
 ###

Have a look at /etc/crontab. The file contains commands to be run by cron.

The directory /var/spool/cron/crontabs also contains user's cron jobs.

If anacrontab is installed, /etc/anacrontab may contain more jobs.


 Since I killed cron at bootup everything seems fine ... network is back to
 normal ...

I don't get the transition between the above paragraph (network is normal if 
cron is killed) and the below paragraph (troubles begin when network is up). 
Do you have any evidence that cron is triggering the attack or am I misreading 
your mail?

 
 However, as soon as my network was up and running I got attacked ...
 here is an excerpt of one of the fail2ban mails ...
 
 ###
 The IP 204.12.241.227 has just been banned by
 Fail2Ban after
 3 attempts against ssh.
 
 Jan  8 04:23:15 fever sshd[17406]: Connection from 204.12.241.227 port
 38090 on 10.0.0.5 port 22 Jan  8 04:23:17 fever sshd[17406]: Invalid user
 zhangyan from 204.12.241.227 Jan  8 04:23:17 fever sshd[17406]:
 pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh
 ruser= rhost=204.12.241.227 Jan  8 04:23:20 fever sshd[17406]: Failed
 password for invalid user zhangyan from 204.12.241.227 port 38090 ssh2 Jan
  8 04:23:20 fever sshd[17406]: Received disconnect from 204.12.241.227:
 11: Bye Bye [preauth] Jan  8 04:23:20 fever sshd[17408]: Connection from
 204.12.241.227 port 39800 on 10.0.0.5 port 22 Jan  8 04:23:22 fever
 sshd[17408]: Invalid user dff from 204.12.241.227 Jan  8 04:23:23 fever
 sshd[17408]: pam_unix(sshd:auth): authentication failure; logname= uid=0
 euid=0 tty=ssh ruser= rhost=204.12.241.227 Jan  8 04:23:24 fever
 sshd[17408]: Failed password for invalid user dff from 204.12.241.227 port
 39800 ssh2
 ##

The mail is sent because someone is brute force attacking your ssh server.

Not starting fail2ban or your mail server would suppress those mails but not 
the attack. Turning off ssh or the network would stop the attack though :-)

If your line of reasoning is to correlate the mail arrival with starting cron, 
then maybe cron is the last link required to make the fail2ban alert 
functional.

 
 What is interesting to me is the user in the above excerpt zhangyan ...
 By using a username that is unfamiliar to the western world tells me that
 whatever is on my system had to respond to this username otherwise why
 would this guy use a username that only he is familiar with ... Other
 usernames that were used: 3D, ssht and ftfl ... Also, attempts were made
 from China, Hong Kong, Belgium and Canada ...

You cannot tell something is responding to that user name on your system based 
only on that fail2ban alert. On the contrary, the mail means fail2ban 
successfully thwarted that particular attempt.

Attackers can't know what names are valid login names unless they can find one 
by hacking into a legitimate user's computer or a user posted its login on the 
net.

What hackers do instead, is to try a long list of possible login names 
collected on servers they have hacked in the past. That's the reason this 
particular bot was trying to login with the zhangyan user name.

There is nothing to worry about unless you receive alerts about a valid login 
name.


 
 Currently my iptables looks like this ...
 
 ###
 
 -A INPUT -p tcp -s 122.0.0.0/8 -j DROP
 -A INPUT -p tcp -s 61.0.0.0/8 -j DROP
 -A INPUT -p tcp -s 117.0.0.0/8 -j DROP
 -A INPUT -p tcp -s 103.0.0.0/8 -j DROP
 -A INPUT -p tcp -s 82.0.0.0/8 -j DROP
 -A INPUT -p tcp -s 204.0.0.0/8 -j DROP
 -A INPUT -p tcp -s 218.0.0.0/8 -j DROP
 ###
 
 As you can see ... I am already DROPping some of these IP's ... I just need
 something to block an ENTIRE country ...

You can't ban an entire country based on IPv4 addresses because the whole IPv4 
address space is 

Re: Have I been hacked?

2015-01-09 Thread Darac Marjal
On Thu, Jan 08, 2015 at 10:53:45PM +0200, Danny wrote:
 Hi guys,
 
 My apologies for replying a little late ...

[cut]
 
 As you can see ... I am already DROPping some of these IP's ... I just need
 something to block an ENTIRE country ...

Install xtables-addons-dkms (which will build the module for your
current kernel). You can then use instructions such as those at [1] to
set up xtables (basically, though, you use xt_geoip_dl to download the
GeoIP database and then do something akin to iptables -A INPUT -m geoip
--src-cc CN -j DROP).



[1]: 
http://blog.jeshurun.ca/technology/block-countries-ubuntu-iptables-xtables-geoip

 
 Thank you ... and thanks to everyone replying ... I appreciate it ...
 
 Danny
 
 
 Archive: https://lists.debian.org/20150108205345.GA4732@fever.havannah.local
 




Re: Have I been hacked?

2015-01-09 Thread Danny
 If you want to inspect further, I would suggest you look at each of the
 jobs being run.  See if they are what you expect them to be.  Also check
 your /etc/crontab and /etc/anacrontab to see what is in them.

I would love to investigate further but I am afraid I am not inclined towards
forensics ... lol ... I am an Aircraft Engineer by trade not a Computer
Scientist ... :) ... I played around with sleuthkit but that confused the living
hell out of me ... lol ... I don't even know what to look for ... The server I
have is a small community/family server that gives wireless access to poor
families ... 

 
 As for the attacks - I've seen a big uptake in the attacks over the last
 couple of weeks.  The worst I've seen is  100 IP's locked out in one 24
 hour period.  They are coming from all over the world, although since
 there are a lot of proxies (many of them from trojans/viruses installed
 on unsuspecting machines), there's no easy way to tell what the real
 origins are.

It's astonishing how quick they can find an IP ...

 I have permanently blocked the IP ranges of some of the worst offenders,
 but the only real way to stop it is to take your machine off the
 internet completely.
 
 Just ensure you're using good security practices - don't allow root
 login, use long, random passwords, etc.  I also use a random character
 strings for the login ids, as well as passwords  - just one more thing
 for the hackers to have to figure out how to get around.

That's the problem right there ... random passwords ... lol ... but I will have
to adapt ...

Thank You


Archive: https://lists.debian.org/20150109162948.GA17386@fever.havannah.local



Re: Have I been hacked?

2015-01-09 Thread Danny
  So Many??
 For instance here is a list of the blocks for Belgium:
 http://www.nirsoft.net/countryip/be.html
 
 -Joris

Feel sorry for iptables

;) 


Archive: https://lists.debian.org/20150109163429.GB17386@fever.havannah.local



Re: Have I been hacked?

2015-01-09 Thread Danny
 Blocking a country which is famous for producing chocolate and beer.
 What is the world coming to?

rofl :)


Archive: https://lists.debian.org/20150109163622.GC17386@fever.havannah.local



Re: Have I been hacked?

2015-01-09 Thread Danny
*me*  blushing
 
 Why?
 
 If you don't know anyone in China, don't pick up the phone. Why are
 your services responding to them?
 
 You're not seriously telling us you're accepting user name and password
 for ssh authentication from the Internet, are you?


Uhm ... yes ... (looking down ashamed ...) 


Archive: https://lists.debian.org/20150109163909.GD17386@fever.havannah.local



Re: Have I been hacked?

2015-01-09 Thread Danny
 
 You have completely failed to understand what fail2ban is telling you.
 
  Anyway, I have decided to get new hardware and do a clean install of 
  everything
  ... as many of you have suggested ...
 
 It was heading that way so it is probably best for you.


You sound like a heartless Sergeant Major in the Marines ... ;) ...
 
  However, as I fly a lot internationally, is there a way I can temporarily 
  block
  these countries' IPs for a few days at most until I have enough time on
  hand to do a fresh install ...
 
 What has flying got to do with it?

What I meant was that I fly a lot and don't have time in the immediate future to
do a fresh install ... So I wanted a temporary stop-gap solution for a few days
until time would lend itself for the task ...
 
  Currently my iptables looks like this ...
 
 If you have resorted to using iptables you have lost it. A standard
 Debian install doesn't need it.

Yip ... definitely a Sergeant Major ... 


Archive: https://lists.debian.org/20150109164451.GE17386@fever.havannah.local



Re: Have I been hacked?

2015-01-08 Thread Brian
On Thu 08 Jan 2015 at 22:36:46 +0100, Martin Steigerwald wrote:

 Am Donnerstag, 8. Januar 2015, 14:20:27 schrieb Jerry Stuckle:
 
  Just ensure you're using good security practices - don't allow root
  login, use long, random passwords, etc.  I also use a random character
  strings for the login ids, as well as passwords  - just one more thing
  for the hackers to have to figure out how to get around.
 
 Only allow SSH key based logins. Of course, only after you copied a public 
 key 
 onto the machine with ssh-copy-id.
 
 And have SSH keys with *strong* passphrases, to protect against someone 
 stealing your key. Use ssh-agent wisely only on trusted machines.

SSH password logins are just as safe. 20 characters gives a strong
password for use on trusted machines. There is no need to worry about
it being stolen because it is in your memory.


Archive: 
https://lists.debian.org/09012015001632.a7c9236b8...@desktop.copernicus.demon.co.uk



Re: Have I been hacked?

2015-01-08 Thread Martin Steigerwald
Am Donnerstag, 8. Januar 2015, 14:20:27 schrieb Jerry Stuckle:
 As for the attacks - I've seen a big uptake in the attacks over the last
 couple of weeks.  The worst I've seen is  100 IP's locked out in one 24
 hour period.  They are coming from all over the world, although since
 there are a lot of proxies (many of them from trojans/viruses installed
 on unsuspecting machines), there's no easy way to tell what the real
 origins are.

Okay, as for the dovecot logs, yes there are more. People try to hack it. Also 
from China some. And there are even people who try more than plaintext:

Jan  5 22:25:40 mondschein dovecot: pop3-login: Disconnected (no auth attempts 
in 5 secs): user=<>, rip=66.240.236.119, lip=[…], TLS: SSL_read() syscall 
failed: Connection reset by peer, TLSv1.2 with cipher DHE-RSA-AES256-GCM-
SHA384 (256/256 bits)
Jan  5 22:25:40 mondschein dovecot: pop3-login: Disconnected (no auth attempts 
in 10 secs): user=<>, rip=66.240.236.119, lip=[…], TLS: Disconnected, TLSv1.2 
with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)

but then don't even try to authenticate.

So, of course, you need to be careful about passwords with password based 
services.

-- 
Martin 'Helios' Steigerwald - http://www.Lichtvoll.de
GPG: 03B0 0D6C 0040 0710 4AFA  B82F 991B EAAC A599 84C7


Archive: https://lists.debian.org/8029236.eVnGfnYuZB@merkaba



Re: Have I been hacked?

2015-01-08 Thread Martin Steigerwald
Am Donnerstag, 8. Januar 2015, 14:20:27 schrieb Jerry Stuckle:
 As for the attacks - I've seen a big uptake in the attacks over the last
 couple of weeks.  The worst I've seen is  100 IP's locked out in one 24
 hour period.  They are coming from all over the world, although since
 there are a lot of proxies (many of them from trojans/viruses installed
 on unsuspecting machines), there's no easy way to tell what the real
 origins are.

I don't see much going on, but this one from auth.log is amusing:

Jan  8 04:44:17 mondschein sshd[28806]: Bad protocol version identification 
'GET http://s1.bdstatic.com/r/www/cache[… no spam on this list …] HTTP/1.1' 
from 125.64.35.67
Jan  8 04:44:48 mondschein sshd[28808]: Set /proc/self/oom_score_adj to 0
Jan  8 04:44:48 mondschein sshd[28808]: Connection from 125.64.35.67 port 
40044
Jan  8 04:44:48 mondschein sshd[28808]: Bad protocol version identification 

This one is coming from China:

martin@merkaba:~ geoiplookup 125.64.35.67
GeoIP Country Edition: CN, China

And of course not in DNS properly:

martin@merkaba:~ host 125.64.35.67
Host 67.35.64.125.in-addr.arpa. not found: 3(NXDOMAIN)

From network of a chinese telecommunication company:

martin@merkaba:~#1 whois 125.64.35.67
% [whois.apnic.net]
% Whois data copyright termshttp://www.apnic.net/db/dbcopyright.html

% Information related to '125.64.0.0 - 125.71.255.255'

inetnum:125.64.0.0 - 125.71.255.255
netname:CHINANET-SC
descr:  CHINANET Sichuan province network
descr:  China Telecom
descr:  A12,Xin-Jie-Kou-Wai Street
descr:  Beijing 100088
country:CN
admin-c:CH93-AP
tech-c: CS408-AP
mnt-by: APNIC-HM
mnt-lower:  MAINT-CHINANET-SC
mnt-routes: MAINT-CHINANET-SC
status: ALLOCATED PORTABLE
[…]

Ah, nice:

remarks:send abuse reports to scip[…]

But whether it's worth the time? I am not sure whether this is really an 
attacker, could be some quite confused software application. They are doing 
this repeatedly.

Just as an example on how you can try to have someone go after the attacker.

I have SSH running on a different port and it seems still that most attackers 
do not seem to afford port scans. And no, I don't rely on it for security. But 
for now, it still keeps my logs clean.

Ah, and I have some attempts to login into Dovecot:

mondschein:~ egrep -v "(postfix|lda|martin|some|more|known|usernames)" 
/var/log/mail.log
[…]
Jan  7 10:18:29 mondschein dovecot: pop3-login: Disconnected (tried to use 
disallowed plaintext auth): user=<>, rip=185.49.12.120, lip=[…]
Jan  7 22:06:49 mondschein dovecot: pop3-login: Disconnected (tried to use 
disallowed plaintext auth): user=<>, rip=185.49.12.120, lip=[…]
Jan  8 09:56:19 mondschein dovecot: pop3-login: Disconnected (tried to use 
disallowed plaintext auth): user=<>, rip=185.49.12.120, lip=[…]
Jan  8 21:43:45 mondschein dovecot: pop3-login: Disconnected (tried to use 
disallowed plaintext auth): user=<>, rip=185.49.12.120, lip=[…]


Okay, this one is from Poland.

martin@merkaba:~ host 185.49.12.120   
120.12.49.185.in-addr.arpa domain name pointer 185a49b12c120.greendata.pl.
martin@merkaba:~ geoiplookup 185.49.12.120
GeoIP Country Edition: PL, Poland
martin@merkaba:~ host 185.49.12.120   
120.12.49.185.in-addr.arpa domain name pointer 185a49b12c120.greendata.pl.
martin@merkaba:~ whois 185.49.12.120  
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%   To receive output for a database update, use the -B flag.

% Information related to '185.49.12.0 - 185.49.12.255'

% Abuse contact for '185.49.12.0 - 185.49.12.255' is '[…]

inetnum:185.49.12.0 - 185.49.12.255
netname:WITRYNA-PL-NET-1
descr:  Hosting services
remarks:INFRA-AW
geoloc: 52.40831540563876 16.934303481487177
country:PL
admin-c:WRAD1-RIPE
[…]
abuse-mailbox:  abuse@[…]


Now I would also need to check apache logs as well for a complete picture, and 
well that one is the one with the highest likelihood of a successful attack as 
I have some PHP stuff installed.

 Just ensure you're using good security practices - don't allow root
 login, use long, random passwords, etc.  I also use a random character
 strings for the login ids, as well as passwords  - just one more thing
 for the hackers to have to figure out how to get around.

Only allow SSH key based logins. Of course, only after you copied a public key 
onto the machine with ssh-copy-id.

And have SSH keys with *strong* passphrases, to protect against someone 
stealing your key. Use ssh-agent wisely only on trusted machines.

Ciao,
-- 
Martin 'Helios' Steigerwald - http://www.Lichtvoll.de
GPG: 03B0 0D6C 0040 0710 4AFA  B82F 991B EAAC A599 84C7


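Added example, not from Martin or anyone else in the thread: a check for the two sshd_config settings behind the advice above (key-only logins, no root password login), as it also appears quoted in Brian's reply earlier on the page. It applies the rule from sshd_config(5) that when a keyword is given more than once the first value wins, so "PasswordAuthentication no" appended to the end of a file that already says "yes" changes nothing. Both sample configs are constructed for the example; the defaults assumed for absent keywords are those of OpenSSH 6.x as shipped with Debian 7 and 8, where both keywords default to "yes".

```python
# Added example, not from the thread: check the settings Martin recommends
# (key-only logins, no root password login) in an sshd_config, applying
# sshd's rule that the FIRST occurrence of a keyword wins, so a
# "PasswordAuthentication no" appended below an earlier "yes" changes nothing.
import re

# Defaults assumed when the keyword is absent (OpenSSH 6.x on Debian 7/8:
# both default to "yes").
DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes"}

# Values this check accepts. "without-password" is the older spelling of
# "prohibit-password"; both allow root in only with a key.
ACCEPTED = {
    "permitrootlogin": {"no", "without-password", "prohibit-password"},
    "passwordauthentication": {"no"},
}

# Constructed sample configs, not anyone's real sshd_config.
WEAK_CONFIG = """\
# Defaults left in place, with a "fix" appended at the bottom
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
PasswordAuthentication no
"""

HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# Passwords re-enabled only for the LAN; settings inside a Match block are
# conditional and are not part of the global check below.
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""


def effective_settings(config_text):
    """Global settings as sshd resolves them: first value per keyword wins,
    keywords are case-insensitive, and parsing stops at the first Match block
    because everything after it is conditional."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # keyword and value are separated by whitespace or a single "="
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)   # later duplicates are ignored
    return settings


def audit(config_text):
    """Return [(keyword, effective_value)] for every setting outside ACCEPTED."""
    effective = effective_settings(config_text)
    problems = []
    for key, allowed in ACCEPTED.items():
        value = effective.get(key, DEFAULTS[key]).lower()
        if value not in allowed:
            problems.append((key, value))
    return problems


if __name__ == "__main__":
    print("weak:", audit(WEAK_CONFIG))
    # [('permitrootlogin', 'yes'), ('passwordauthentication', 'yes')]
    print("hardened:", audit(HARDENED_CONFIG))   # []
```

Run it against /etc/ssh/sshd_config after editing and before restarting sshd; `sshd -T` prints the effective configuration too, and is the authoritative check once the daemon can be reloaded.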

Re: Have I been hacked?

2015-01-08 Thread Danny
Hi guys,

My apologies for replying a little late ...

It was an absolute struggle getting things to work just so that I can give more
information about the intrusion. I narrowed it down to cron ... What would
happen is this ... After a boot the network would work fine but would start
degrading at different times ... sometimes after 5 minutes, sometime after a
longer period of time ...

So what I did was do disable all startup scripts/servers/services and then
enable only one at a time ... then I would reboot and wait and keep an eye on
/boot (I deleted all randomly generated files, so I could see if a file was
added or not, and it was also the only way I knew for certain that the culprit
was active or not, hence that is how I could time it) ...

All went well until I enabled cron ... I checked all cron jobs and they all
look normal ... here is an ls of my cron directories ...

###
/etc/cron.d/
anacron atop mrtg php5

/etc/cron.daily/
anacron atop mrtg php5

/etc/cron.hourly/
cron.sh sarg 

/etc/cron.monthly
0anacron sarg

/etc/cron.weekly
0anacron apt-xapian-index man-db sarg
###

For those of you who asked ... here is 

###
file -k
bxerzoalfk: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), 
statically linked, for GNU/Linux 2.6.9, not stripped
###

and 

###
grep -ir
Binary file kvvcqvddix matches
Binary file aknaykocbs matches
Binary file bxerzoalfk matches
Binary file isrgzlchmx matches
Binary file ryrfvxjggh matches
Binary file wevzubbsgn matches
grub/grub.cfg:# from /etc/grub.d and settings from /etc/default/grub
grub/grub.cfg:### BEGIN /etc/grub.d/00_header ###
grub/grub.cfg:### END /etc/grub.d/00_header ###
grub/grub.cfg:### BEGIN /etc/grub.d/05_debian_theme ###
grub/grub.cfg:### END /etc/grub.d/05_debian_theme ###
grub/grub.cfg:### BEGIN /etc/grub.d/10_linux ###
grub/grub.cfg:### END /etc/grub.d/10_linux ###
grub/grub.cfg:### BEGIN /etc/grub.d/20_linux_xen ###
grub/grub.cfg:### END /etc/grub.d/20_linux_xen ###
grub/grub.cfg:### BEGIN /etc/grub.d/30_os-prober ###
grub/grub.cfg:### END /etc/grub.d/30_os-prober ###
grub/grub.cfg:### BEGIN /etc/grub.d/40_custom ###
grub/grub.cfg:### END /etc/grub.d/40_custom ###
grub/grub.cfg:### BEGIN /etc/grub.d/41_custom ###
grub/grub.cfg:### END /etc/grub.d/41_custom ###
Binary file esijfkmwnd matches
Binary file cwpgfmvkrk matches
Binary file gyimenpwnt matches
Binary file fndswijgdk matches
Binary file rfjmdtlsoj matches
Binary file zfmpizunja matches
Binary file zkdjlvhuui matches
Binary file hutaslspbf matches
Binary file dkseypedtx matches
Binary file hjmmvaxfzq matches
Binary file izytxsbskq matches
Binary file czhlgmsgzh matches
Binary file ttqssdikcn matches
Binary file xjeemjyuly matches
###

Since I killed cron at bootup everything seems fine ... network is back to
normal ... 

However, as soon as my network was up and running I got attacked ...
here is an excerpt of one of the fail2ban mails ...

###
The IP 204.12.241.227 has just been banned by Fail2Ban after
3 attempts against ssh.

Jan  8 04:23:15 fever sshd[17406]: Connection from 204.12.241.227 port 38090 on 
10.0.0.5 port 22
Jan  8 04:23:17 fever sshd[17406]: Invalid user zhangyan from 204.12.241.227
Jan  8 04:23:17 fever sshd[17406]: pam_unix(sshd:auth): authentication failure; 
logname= uid=0 euid=0 tty=ssh ruser= rhost=204.12.241.227 
Jan  8 04:23:20 fever sshd[17406]: Failed password for invalid user zhangyan 
from 204.12.241.227 port 38090 ssh2
Jan  8 04:23:20 fever sshd[17406]: Received disconnect from 204.12.241.227: 11: 
Bye Bye [preauth]
Jan  8 04:23:20 fever sshd[17408]: Connection from 204.12.241.227 port 39800 on 
10.0.0.5 port 22
Jan  8 04:23:22 fever sshd[17408]: Invalid user dff from 204.12.241.227
Jan  8 04:23:23 fever sshd[17408]: pam_unix(sshd:auth): authentication failure; 
logname= uid=0 euid=0 tty=ssh ruser= rhost=204.12.241.227 
Jan  8 04:23:24 fever sshd[17408]: Failed password for invalid user dff from 
204.12.241.227 port 39800 ssh2
###

What is interesting to me is the user in the above excerpt zhangyan ...
By using a username that is unfamiliar to the western world tells me that
whatever is on my system had to respond to this username otherwise why would
this guy use a username that only he is familiar 

Re: Have I been hacked?

2015-01-08 Thread Brian
On Thu 08 Jan 2015 at 11:30:46 -0800, Joris Bolsens wrote:

 
 
 On 01/08/2015 12:53 PM, Danny wrote:
 ###
  
  As you can see ... I am already DROPping some of these IP's ... I just need
  something to block an ENTIRE country ...
  
  Thank you ... and thanks to everyone replying ... I appreciate it ...
  
  Danny
  
  
 afaik all you can do to block an entire country is drop all the ip
 blocks assigned to them, which will be tedious.
 For instance here is a list of the blocks for Belgium:
 http://www.nirsoft.net/countryip/be.html

Blocking a country which is famous for producing chocolate and beer.
What is the world coming to?


Archive: 
https://lists.debian.org/08012015194657.62f315045...@desktop.copernicus.demon.co.uk



Re: Have I been hacked?

2015-01-08 Thread Brian
On Thu 08 Jan 2015 at 22:53:45 +0200, Danny wrote:

 However, as soon as my network was up and running I got attacked ...
 here is an excerpt of one of the fail2ban mails ...
 
 ###
 The IP 204.12.241.227 has just been banned by Fail2Ban after
 3 attempts against ssh.
 
 Jan  8 04:23:15 fever sshd[17406]: Connection from 204.12.241.227 port 38090 
 on 10.0.0.5 port 22
 Jan  8 04:23:17 fever sshd[17406]: Invalid user zhangyan from 204.12.241.227
 Jan  8 04:23:17 fever sshd[17406]: pam_unix(sshd:auth): authentication 
 failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=204.12.241.227 
 Jan  8 04:23:20 fever sshd[17406]: Failed password for invalid user zhangyan 
 from 204.12.241.227 port 38090 ssh2
 Jan  8 04:23:20 fever sshd[17406]: Received disconnect from 204.12.241.227: 
 11: Bye Bye [preauth]
 Jan  8 04:23:20 fever sshd[17408]: Connection from 204.12.241.227 port 39800 
 on 10.0.0.5 port 22
 Jan  8 04:23:22 fever sshd[17408]: Invalid user dff from 204.12.241.227
 Jan  8 04:23:23 fever sshd[17408]: pam_unix(sshd:auth): authentication 
 failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=204.12.241.227 
 Jan  8 04:23:24 fever sshd[17408]: Failed password for invalid user dff from 
 204.12.241.227 port 39800 ssh2
 ###
 
 What is interesting to me is the user in the above excerpt zhangyan ...
 By using a username that is unfamiliar to the western world tells me that
 whatever is on my system had to respond to this username otherwise why would
 this guy use a username that only he is familiar with ... Other usernames that
 were used: 3D, ssht and ftfl ... Also, attempts were made from China, Hong 
 Kong,
 Belgium and Canada ...

You have completely failed to understand what fail2ban is telling you.

 Anyway, I have decided to get new hardware and do a clean install of 
 everything
 ... as many of you have suggested ...

It was heading that way so it is probably best for you.

 However, as I fly a lot internationally, is there a way I can temporarily 
 block
  these countries' IPs for a few days at most until I have enough time on
 hand to do a fresh install ...

What has flying got to do with it?

 Currently my iptables looks like this ...

If you have resorted to using iptables you have lost it. A standard
Debian install doesn't need it.


Archive: 
https://lists.debian.org/08012015195405.2b1dd99f9...@desktop.copernicus.demon.co.uk
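Added example, not from Brian, Frédéric or anyone else in the thread: the reading of the fail2ban excerpt that Frédéric spells out earlier on the page and Brian alludes to here, turned into a small classifier. sshd itself marks a guess against a nonexistent account with "invalid user", so those lines are scanner noise that fail2ban already handles; failures against a real account, and above all a successful login from an address that had been failing, are what deserve a look. The first four sample lines follow the format quoted in the thread; the rest are constructed to exercise the other cases, with documentation addresses and an invented account name.

```python
# Added example, not from the thread: read sshd log lines of the kind the
# fail2ban alert quotes and separate noise (guesses against accounts that do
# not exist) from events worth a closer look (failures against real accounts,
# and a successful login from an address that had been failing).
import re
from collections import defaultdict

# Constructed sample: the first four lines follow the thread's excerpt, the
# rest are invented (documentation addresses, made-up account name).
SAMPLE_LOG = """\
Jan  8 04:23:17 fever sshd[17406]: Invalid user zhangyan from 204.12.241.227
Jan  8 04:23:20 fever sshd[17406]: Failed password for invalid user zhangyan from 204.12.241.227 port 38090 ssh2
Jan  8 04:23:22 fever sshd[17408]: Invalid user dff from 204.12.241.227
Jan  8 04:23:24 fever sshd[17408]: Failed password for invalid user dff from 204.12.241.227 port 39800 ssh2
Jan  8 05:10:02 fever sshd[17520]: Failed password for danny from 203.0.113.9 port 50110 ssh2
Jan  8 05:10:09 fever sshd[17520]: Failed password for danny from 203.0.113.9 port 50110 ssh2
Jan  8 05:10:15 fever sshd[17522]: Accepted password for danny from 203.0.113.9 port 50112 ssh2
Jan  8 06:00:00 fever sshd[17600]: Accepted publickey for danny from 192.0.2.10 port 41000 ssh2
"""

# "invalid user" is sshd's own marker for an account that does not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")


def summarize(log_text):
    """Per source address: failures against nonexistent accounts, failures
    against real accounts, and accepted logins as (method, user) pairs."""
    per_ip = defaultdict(lambda: {"invalid_user": 0, "valid_user": 0, "accepted": []})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            invalid, _user, ip = m.groups()
            per_ip[ip]["invalid_user" if invalid else "valid_user"] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            per_ip[ip]["accepted"].append((method, user))
    return dict(per_ip)


def findings(summary):
    """Rank each source address by what its log lines actually show."""
    out = {}
    for ip, s in summary.items():
        failed = s["invalid_user"] + s["valid_user"]
        if s["accepted"] and failed:
            out[ip] = "investigate"   # guessed, then got in
        elif s["valid_user"]:
            out[ip] = "check"         # someone is using a real account name
        elif s["invalid_user"]:
            out[ip] = "noise"         # scanner working through a wordlist
        else:
            out[ip] = "ok"            # clean logins only
    return out


if __name__ == "__main__":
    for ip, verdict in findings(summarize(SAMPLE_LOG)).items():
        print(ip, verdict)
```

Feed it the real file with `summarize(open("/var/log/auth.log").read())`; on a Debian system of that era the lines have the same shape as the sample, and the "Accepted password" case is exactly the one that would have contradicted the claim that nothing on the box was responding to those usernames.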



Re: Have I been hacked?

2015-01-08 Thread Joe
On Thu, 8 Jan 2015 22:53:45 +0200
Danny mynixm...@gmail.com wrote:


 
 As you can see ... I am already DROPping some of these IP's ... I
 just need something to block an ENTIRE country ...
 

Why?

If you don't know anyone in China, don't pick up the phone. Why are
your services responding to them?

You're not seriously telling us you're accepting user name and password
for ssh authentication from the Internet, are you?

-- 
Joe


Archive: https://lists.debian.org/20150108194402.56463...@jresid.jretrading.com



Re: Have I been hacked?

2015-01-08 Thread Joris Bolsens


On 01/08/2015 12:53 PM, Danny wrote:
###
 
 As you can see ... I am already DROPping some of these IP's ... I just need
 something to block an ENTIRE country ...
 
 Thank you ... and thanks to everyone replying ... I appreciate it ...
 
 Danny
 
 
afaik all you can do to block an entire country is drop all the ip
blocks assigned to them, which will be tedious.
For instance here is a list of the blocks for Belgium:
http://www.nirsoft.net/countryip/be.html

-Joris



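Added example, not from Joris, Darac or anyone else in the thread: the per-range approach Joris describes here, and the GeoIP module Darac suggests earlier, both come down to a list of CIDR ranges; this shows how to hold such a list as one ipset matched by a single iptables rule instead of one rule per range, how to check which observed addresses it would catch, and how much space a rule sweeps in (a /8 is 16.7 million addresses, whoever holds them). The ranges are constructed documentation prefixes standing in for a real per-country list; the ipset/iptables commands are printed for review rather than executed.

```python
# Added example, not from the thread: keep a country-sized block list as one
# ipset rather than one iptables rule per range, check which observed
# addresses it would catch, and show how much address space a rule covers.
import ipaddress

# Constructed sample ranges (documentation prefixes standing in for a real
# per-country list such as the nirsoft page linked above).
COUNTRY_RANGES = ["203.0.113.0/25", "203.0.113.128/25", "198.51.100.0/24"]
# Rules of the shape used earlier in the thread: whole /8s.
SLASH_8_RULES = ["204.0.0.0/8", "61.0.0.0/8"]


def build_set(cidrs):
    """Parse CIDR strings and merge adjacent or overlapping ranges."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets))


def blocked_by(ip, networks):
    """The network that would drop `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr in net:
            return net
    return None


def addresses_covered(networks):
    """How many addresses a rule set drops; a single /8 is 16.7 million."""
    return sum(net.num_addresses for net in networks)


def ipset_commands(name, networks, port=22):
    """One ipset load plus one iptables rule, limited to the SSH port so the
    same addresses can still reach anything else the box serves."""
    cmds = [f"ipset create {name} hash:net -exist"]
    cmds += [f"ipset add {name} {net} -exist" for net in networks]
    cmds.append(f"iptables -I INPUT -p tcp --dport {port} "
                f"-m set --match-set {name} src -j DROP")
    return cmds


if __name__ == "__main__":
    nets = build_set(COUNTRY_RANGES)
    for ip in ("203.0.113.9", "204.12.241.227"):
        print(ip, "->", blocked_by(ip, nets))
    print("addresses dropped by the /8 rules:",
          addresses_covered(build_set(SLASH_8_RULES)))
    print("\n".join(ipset_commands("ssh-block", nets)))
```

Pipe the printed commands into a root shell once the list looks right; `ipset save` and `ipset restore` keep the set across reboots. A /8 rule is quick to type but drops sixteen million addresses at once, and nothing about a /8 follows a national border, which is the reason a real per-country list runs to hundreds of entries.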


Re: Have I been hacked?

2015-01-08 Thread Rob Owens
On Thu, Jan 08, 2015 at 02:20:27PM -0500, Jerry Stuckle wrote:
 Danny,
 
 If you want to inspect further, I would suggest you look at each of the
 jobs being run.  See if they are what you expect them to be.  Also check
 your /etc/crontab and /etc/anacrontab to see what is in them.
 
And if you can't tell which job is the culprit, try running them one by
one to see which one causes the problems you're seeing.

Oh, and make sure you check users' cron jobs.  You can find them in
/var/spool/cron/*.

All of this is in the name of curiosity only, however.  Like others have
said already, a reinstall is in your future.

-Rob




Re: Have I been hacked?

2015-01-08 Thread Jerry Stuckle
On 1/8/2015 3:53 PM, Danny wrote:
 Hi guys,
 
 My apologies for replying a little late ...
 
 It was an absolute struggle getting things to work just so that I can give 
 more
 information about the intrusion. I narrowed it down to cron ... What would
 happen is this ... After a boot the network would work fine but would start
 degrading at different times ... sometimes after 5 minutes, sometime after a
 longer period of time ...
 
 So what I did was do disable all startup scripts/servers/services and then
 enable only one at a time ... then I would reboot and wait and keep an eye on
 /boot (I deleted all randomly generated files, so I could see if a file was
 added or not, and it was also the only way I knew for certain that the culprit
 was active or not, hence that is how I could time it) ...
 
 All went well untill I enabled cron ... I checked all cron jobs and they all
 look normal ... here is an ls of my cron directories ...
 
 ###
 /etc/cron.d/
 anacron atop mrtg php5
 
 /etc/cron.daily/
 anacron atop mrtg php5
 
 /etc/cron.hourly/
 cron.sh sarg 
 
 /etc/cron.monthly
 0anacron sarg
 
 /etc/cron.weekly
 0anacron apt-xapian-index man-db sarg
 ###
 
 For those of you who asked ... here is 
 
 ###
 file -k
 bxerzoalfk: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), 
 statically linked, for GNU/Linux 2.6.9, not stripped
 ###
 
 and 
 
 ###
 grep -ir
 Binary file kvvcqvddix matches
 Binary file aknaykocbs matches
 Binary file bxerzoalfk matches
 Binary file isrgzlchmx matches
 Binary file ryrfvxjggh matches
 Binary file wevzubbsgn matches
 grub/grub.cfg:# from /etc/grub.d and settings from /etc/default/grub
 grub/grub.cfg:### BEGIN /etc/grub.d/00_header ###
 grub/grub.cfg:### END /etc/grub.d/00_header ###
 grub/grub.cfg:### BEGIN /etc/grub.d/05_debian_theme ###
 grub/grub.cfg:### END /etc/grub.d/05_debian_theme ###
 grub/grub.cfg:### BEGIN /etc/grub.d/10_linux ###
 grub/grub.cfg:### END /etc/grub.d/10_linux ###
 grub/grub.cfg:### BEGIN /etc/grub.d/20_linux_xen ###
 grub/grub.cfg:### END /etc/grub.d/20_linux_xen ###
 grub/grub.cfg:### BEGIN /etc/grub.d/30_os-prober ###
 grub/grub.cfg:### END /etc/grub.d/30_os-prober ###
 grub/grub.cfg:### BEGIN /etc/grub.d/40_custom ###
 grub/grub.cfg:### END /etc/grub.d/40_custom ###
 grub/grub.cfg:### BEGIN /etc/grub.d/41_custom ###
 grub/grub.cfg:### END /etc/grub.d/41_custom ###
 Binary file esijfkmwnd matches
 Binary file cwpgfmvkrk matches
 Binary file gyimenpwnt matches
 Binary file fndswijgdk matches
 Binary file rfjmdtlsoj matches
 Binary file zfmpizunja matches
 Binary file zkdjlvhuui matches
 Binary file hutaslspbf matches
 Binary file dkseypedtx matches
 Binary file hjmmvaxfzq matches
 Binary file izytxsbskq matches
 Binary file czhlgmsgzh matches
 Binary file ttqssdikcn matches
 Binary file xjeemjyuly matches
 ###
 
 Since I killed cron at bootup everything seems fine ... network is back to
 normal ... 
 
 However, as soon as my network was up and running I got attacked ...
 here is an excerpt of one of the fail2ban mails ...
 
 ###
 The IP 204.12.241.227 has just been banned by Fail2Ban after
 3 attempts against ssh.
 
 Jan  8 04:23:15 fever sshd[17406]: Connection from 204.12.241.227 port 38090 
 on 10.0.0.5 port 22
 Jan  8 04:23:17 fever sshd[17406]: Invalid user zhangyan from 204.12.241.227
 Jan  8 04:23:17 fever sshd[17406]: pam_unix(sshd:auth): authentication 
 failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=204.12.241.227 
 Jan  8 04:23:20 fever sshd[17406]: Failed password for invalid user zhangyan 
 from 204.12.241.227 port 38090 ssh2
 Jan  8 04:23:20 fever sshd[17406]: Received disconnect from 204.12.241.227: 
 11: Bye Bye [preauth]
 Jan  8 04:23:20 fever sshd[17408]: Connection from 204.12.241.227 port 39800 
 on 10.0.0.5 port 22
 Jan  8 04:23:22 fever sshd[17408]: Invalid user dff from 204.12.241.227
 Jan  8 04:23:23 fever sshd[17408]: pam_unix(sshd:auth): authentication 
 failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=204.12.241.227 
 Jan  8 04:23:24 fever sshd[17408]: Failed password for invalid user dff from 
 204.12.241.227 port 39800 ssh2
 ###
 
 What is interesting to me is the user in the above excerpt zhangyan ...
 By using a username that is unfamiliar to the 

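An added example, not part of Danny's post and not fail2ban's own code: a fail2ban-style counter run over sshd log lines. Two of the "Failed password" lines in SAMPLE_LOG are copied from the fail2ban mail quoted above; the third failure from the same address, the "Accepted publickey" line and the single failure from 10.0.0.7 are constructed so that the threshold logic has something to decide. maxretry=3 mirrors the "3 attempts" in the mail; the ten-minute window is an assumption. The usernames each source tried are collected as well, since unfamiliar names such as zhangyan are what Danny points at as the tell-tale of a dictionary attack.

```python
"""Count sshd password failures per source IP inside a sliding window, fail2ban style.

Added example; SAMPLE_LOG mixes two lines quoted from the thread with constructed ones.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches both "Failed password for invalid user X from IP" and "Failed password for X from IP".
FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Lines 1-5 follow the fail2ban mail in the thread; the "oracle" failure, the accepted
# key login and the "danny" failure from 10.0.0.7 are constructed for this example.
SAMPLE_LOG = """\
Jan  8 04:23:15 fever sshd[17406]: Connection from 204.12.241.227 port 38090 on 10.0.0.5 port 22
Jan  8 04:23:17 fever sshd[17406]: Invalid user zhangyan from 204.12.241.227
Jan  8 04:23:20 fever sshd[17406]: Failed password for invalid user zhangyan from 204.12.241.227 port 38090 ssh2
Jan  8 04:23:22 fever sshd[17408]: Invalid user dff from 204.12.241.227
Jan  8 04:23:24 fever sshd[17408]: Failed password for invalid user dff from 204.12.241.227 port 39800 ssh2
Jan  8 04:23:29 fever sshd[17410]: Failed password for invalid user oracle from 204.12.241.227 port 40110 ssh2
Jan  8 04:30:01 fever sshd[17420]: Accepted publickey for danny from 10.0.0.7 port 51022 ssh2
Jan  8 04:31:10 fever sshd[17425]: Failed password for danny from 10.0.0.7 port 51030 ssh2
"""


def parse_failures(lines):
    """Return [(timestamp, ip, user)] for every line that is an sshd password failure."""
    out = []
    for line in lines:
        m = FAILED.match(line)
        if m:
            # syslog timestamps carry no year; strptime fills in 1900, which is fine for
            # measuring gaps between events within one log.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            out.append((ts, m.group("ip"), m.group("user")))
    return out


def offenders(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Map ip -> sorted usernames tried, for IPs with maxretry failures inside one findtime window."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(lines):
        by_ip[ip].append((ts, user))
    banned = {}
    for ip, events in by_ip.items():
        events.sort()
        # Slide a window of maxretry consecutive failures; ban if any window fits in findtime.
        for i in range(len(events) - maxretry + 1):
            if events[i + maxretry - 1][0] - events[i][0] <= findtime:
                banned[ip] = sorted({u for _, u in events})
                break
    return banned


if __name__ == "__main__":
    for ip, users in offenders(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip}: {len(users)} usernames tried: {', '.join(users)}")
```

The single failure from 10.0.0.7 stays below the threshold and is not reported, while 204.12.241.227 crosses it within nine seconds. On a real box you would feed it /var/log/auth.log; note that the "Invalid user" and "Connection from" lines are deliberately not counted, so one connection produces one failure rather than three.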
Re: Have I been hacked?

2015-01-07 Thread Mart van de Wege
Brian a...@cityscape.co.uk writes:

 On Tue 06 Jan 2015 at 19:47:09 +0100, Martin Steigerwald wrote:

 Am Dienstag, 6. Januar 2015, 21:51:26 schrieb Danny:
  Hi guys,
  
  I am afraid my happiness was short lived. To test if the deletion of the
  file (and the effects thereof) would be permanent I rebooted the system and
  consequently found another file (same size, same random lettering) booted
  up with everything else. :( ... The culprit is well hidden and regenerates
  itself ...
 
 Well… if something creates a file in /boot, it needs to be started
 somewhere. I still bet an examination along the ideas I suggested from a
 live distro may reveal where the file is created. Or it may not, at least
 not easily, if a changed binary creates the file, instead of some script.
 It's still not clear whether it's really malware or just some broken
 third-party software you installed, but… if you didn't install any broken
 third-party software and it really is, read on.

 Are we now to assume these files are only created on boot? The OP could 
 at least look into this and let us know whether this is so. It looks to
 me there is some configuration which creates them. The configuration is
 far more likely to have been produced by him than some invader.

I've seen malware that downloaded a BitCoin miner and installed it, and
reinstalled itself if removed.

That one was rather dumb and had installed the check for installation
and download script in a cronjob, so it was easy to remove, but if it is
at any rate possible, reinstalling is the best bet.

Mart
-- 
We will need a longer wall when the revolution comes.
--- AJS, quoting an uncertain source.


Archive: https://lists.debian.org/86bnmbhtxg@gaheris.avalon.lan


