[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Found, a new rootkit



On Sat, 2006-04-01 at 08:42 +0800, John Summerfield wrote:
> Craig White wrote:
> 
> > 
> > it's actually the fault of the admins who don't use any password
> > checking mechanisms, but I suppose that it's more feasible to blame
> > stupid users...of course, I would never do such a thing  ;-)
> 
> There is quite a deal of well-reasoned debate about what constitutes a 
> good password.
> 
> First, one needs to be able to remember it without writing it down. This 
> meets Windows AD complexity requirements,
> 
> 10:72:94:e5:64:d5:68:51:d1:55:c0:2b:e5:4e:7f:fa
----
of course Windows computers keep the hash lying around which is fairly
easily cracked  ;-)
----
> 
> but I defy anyone to remember it any time soon!
> 
> "bismcoles" would probably be easy for Bill Smith to remember, and would 
> certainly defy any dictionary attack. As would "bluewatermelon."
> 
> The expect package has a password generator that creates passwords like 
> this, but again they're hard to remember: "et3tUfGd."
> 
> 
> A reasonable security system would shut down the login process for a 
> time after some number of consecutive failed login attempts. It's a rule 
> that's been around for a long time, it's even in Linux, but implemented 
> poorly.
----
that's why you actually have think about what you are doing when you
permit shell account access on a system that is exposed to the Internet.
Password complexity is but one part of the equation. The other part is
whether you actually have to provide shell access. In this case, it's
clear that they neither considered methods to get what they wanted done
without shell accounts, password complexity and they even provided a
compiler on the system which should have really been just a firewall,
but I'm sure that the 'crackers' appreciated the thoughtful touch of a
compiler so they could compile their programs.

I hear people talk about the lack of security in Windows but it seems to
me, exposing a Linux system to the Internet with shell accounts and weak
passwords is far more insecure than a typical Windows system. This kind
of system administration will give Linux a bad rap.

Craig


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]