RE: Education End Users about Passwords

From: Thompson, Jimi (JimiT@mail.cox.smu.edu)
Date: Tue Dec 09 2003 - 20:59:51 EST


Let me start off by stating quite plainly, there is no such thing as
unbreakable security. You will never be able to keep a sufficiently
motivated individual off your network and/or out of your data. While I
agree with you in theory, it takes quite some time to make the custom
dictionary (if you have figured out what the patterns are) and to run the
cracker against it. The average goober will locate a cable modem segment
that's ripe for the picking and leave you be. Never mind the larger issue,
which would be this person has either obtained your SAM or your /etc/passwd.

First off, "experienced crackers" are a rare breed. The number of people
that can isolate a new vulnerability and craft an attack from it is rather
minimal. I would estimate that it is well under 1% of the population of the
planet. That means your odds of encountering one and attracting their
unwanted attention "by accident" is extremely low. With folks of that
caliber, you typically have to have something or be doing something that
draws their notice.

What can you have or what can you be doing to draw their notice? The basic
motivators in human society are drugs, love/sex, money, and recognition.
90% of all crime (cyber and otherwise) can be tied back to one of those 4
things. Keep the motivating factors low, and you can avoid a lot of
trouble. Most companies cannot offer enough of any of those 4 to be worth
that kind of time and effort. For those of you that can offer those kinds
of targets, BEWARE! You likely have your hands full. Pharmaceutical
companies have to have very tight security surrounding their shipments of
things like Ritalin, Valium, etc. Ask the Federal Reserve Bank what their
security is like. Ask companies that are engaged in animal research what
their security is like. They offer targets because they offer drugs, money,
and/or recognition.

Security isn't so much about how secure you are, but about being ahead of
the curve. Your level of paranoia determines how far "ahead of the curve"
you are. I follow the "bear philosophy" of security and find that it works
in the vast majority of cases. ALL security devices are based on two rather
simple concepts, the "bear" concept and on the concept that locks keep
honest people honest. The level of paranoia needs to fit the circumstances.
I've worked in what were largely very secure networks (DOD, Brokerage Firm,
Insurance Company, cellular, telco, etc.) but I've also spent time in
"regular" companies where that kind of security was overkill.

You lock your house when you leave to go to work. The reason that you do
this is because you want to make it harder for an unauthorized person to
enter the house. This is sufficient to keep 99+% of the population out of
your house. Let's expand this by saying that maybe you have some expensive
art work. You install an alarm system in your house. You do this because
the art work could motivate someone to overcome your locks by breaking a
window. You don't just install the alarm, though. You put up signs and
stickers that SAY you have an alarm. Anyone brave enough to approach the
house will likely be deterred by the "Joe Bob's Alarm Service" sign on the
front porch. Let's expand this further to say that your painting has turned
out to be a Picasso original - it's now whole orders of magnitude more
valuable. Simply locking the doors won't be a sufficient deterrent to keep
someone from stealing your prize painting and your special deal on the alarm
from "Joe Bob" isn't likely to help much either. Now you have a
sophisticated alarm company come in. Your lawn is wired for motion
detection. Your house now has a complete array of sensors, in fact it's a
wonder you don't cause a brown-out because of all the stuff you have
installed now.

2 cents,

Jimi

PS - For those not familiar with the "bear theory" it comes from an old joke

Two friends are running through the forest to get away from a bear.
One of them stops and starts adjusting his shoes and socks. The other one says
"What are you stopping for? We've got to get away from this bear". The
first one looks up and says "I don't have to outrun the bear, I just have
to outrun you."

-----Original Message-----
From: J. Oquendo [mailto:sil@politrix.org]
Sent: Tuesday, December 09, 2003 1:56 PM
To: pen-test@securityfocus.com
Subject: Re: Education End Users about Passwords

> 1. Pick a sentence that has meaning for you and that you will remember.
> i.e. I work at cox today.
> 2. All consonants (or all vowels) become UPPERCASE characters.
> 3. All vowels (or all consonants as it is the opposite of rule 2) become
> lower case characters.
> 4. Words like to and for become numbers.
> 5. Words like at and "and" become symbols (@ and &)
> 6. Add some character to the end like ! or #

Agreed to a certain extent. Consider the following however; Cracker is on
a machine that he needs some serious information say for corporate
espionage purposes, and the information is vital to him. What makes you
think an experienced cracker wouldn't have the correct type of dictionary
file? It's as simple as sed 's/a/4/g;s/A/4/g;s/e/3/g;s/E/3/g' and so
forth.

Substitutions? sed s'/i/\!/g', 's/^/./g', 's/$/./g' and so on.

>
> Once they get this simple thing down, getting them to choose "strong"
> passwords becomes infinitely easier, because they now have a mnemonic
> device
> to recall the password - the primary end user complaint about using
> "strong"
> passwords. If they can remember it, they are also a lot less likely to
> use
> the nefarious sticky note. Then all you have to worry about is making
> sure
> that they know not to give it out over the phone, which frankly, is the
> easiest method of "cracking" a password.
>
> 2 cents,
>
> Jimi

Disagree, most people stick with familiarity (cognitive dissonance) and
you can try to explain the situation a million times over but the sad fact
is most people will stick to their guns. What can you do as an admin/sec
engineer? One thing that I think corps. should do is, create some form of
quarterly meeting with their employees to explain security issues, e.g.:

Post it notes
Bad passwords
Not locking out their machines
Paper based nightmares (using shredders)

etc.

Too much I could add and work calls.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x51F9D78D
Fingerprint 2A48 BA18 1851 4C99 CA22 0619 DB63 F2F7 51F9 D78D

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D

sil @ politrix . org http://www.politrix.org
sil @ infiltrated . net http://www.infiltrated.net

"I watch gangster flicks and root for the bad guy
and turn it off before it ends because the bad guy dies"
50 Cents - 'Assassins'

This is a farce confidential disclaimer intended to make you
aware that even though this may be privileged information,
being it will become Google cache in the future, my original
intentions of keeping this message restricted and/or private
are thrown out the door. If you have received this e-mail in
error, please enjoy this signature and destroy this message
by dousing it in gasoline.
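The six rules quoted above, and the reply's point that a fixed substitution recipe is also a dictionary mangling recipe, as an added illustration (not code from either poster). It assumes words are concatenated without spaces, that "to" and "for" become "2" and "4", and uses constructed sample sentences.

```python
"""Jimi's mnemonic rules as a deterministic transform, plus an audit helper
showing that the rules themselves add almost no guessing resistance."""

VOWELS = set("aeiou")
# Rules 4 and 5: the digit/symbol choices for "to" and "for" are assumed.
WORD_MAP = {"to": "2", "for": "4", "at": "@", "and": "&"}
SUFFIXES = "!#"  # rule 6, the two characters named in the thread

def mnemonic_password(sentence, vowels_upper=False, suffix="!"):
    """Rules 1-6: words concatenated (assumed), consonants uppercased and
    vowels lowercased (or the reverse), mapped words replaced, suffix added."""
    out = []
    for word in sentence.lower().split():
        word = word.strip(".,;:'\"")
        if word in WORD_MAP:
            out.append(WORD_MAP[word])
            continue
        out.append("".join(
            c.upper() if (c in VOWELS) == vowels_upper else c for c in word))
    return "".join(out) + suffix

def follows_rule_pattern(password):
    """Policy audit: does a password look like rule output?  Letter case must
    track vowel/consonant uniformly and the last character must be a symbol."""
    letters = [c for c in password if c.isalpha()]
    if not letters or password[-1] not in "!#@$%&*":
        return False
    vow = [c for c in letters if c.lower() in VOWELS]
    con = [c for c in letters if c.lower() not in VOWELS]
    vow_upper, vow_lower = all(map(str.isupper, vow)), all(map(str.islower, vow))
    con_upper, con_lower = all(map(str.isupper, con)), all(map(str.islower, con))
    return (vow_upper and con_lower) or (vow_lower and con_upper)

def rule_keyspace(sentences):
    """Distinct passwords the rules can yield from a sentence list: at most
    len(sentences) * 2 casings * len(SUFFIXES).  The recipe contributes about
    two bits; every other bit comes from how unpredictable the sentence is."""
    return len({mnemonic_password(s, vu, sfx)
                for s in sentences for vu in (False, True) for sfx in SUFFIXES})

SAMPLE_SENTENCES = [  # constructed examples of the kind users tend to pick
    "I work at cox today",
    "Coffee and donuts for breakfast",
    "Remember to lock the door",
]
```

For three sentences the keyspace is twelve candidates, which is why the sed one-liners in the reply are enough once the sentence style is guessable.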




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:44 EDT