Authentication Tools
Many systems come with well-known default passwords
which go unchanged by lazy admins.
Here are lists. Do you have any remaining risks?
The "What's My Pass?" page
claims to list
"The Top 500 Worst Passwords of All Time",
but there is no explanation of where they got that data.
Since admin isn't even on the list despite being
the default password on lots of network gear, I don't think
the list is very authoritative.
But it's kind of interesting.
How does the Microsoft re-design break the security of their "Kerberos"?
The initial request for a user identity ticket is the only thing
that is supposed to be cleartext.
There is no risk in seeing that some user on the network is
currently asking to be authenticated as a specific user name.
Microsoft includes an extra field in that request,
something they call "pre-authentication".
It's the current timestamp encrypted with the user's secret key.
Since all hosts in a Kerberos realm must have their clocks
synchronized, an attacker can capture the initial ticket request
and then mount a known-plaintext attack.
The free and commonly available package kerbcrack
does exactly that.
- If you have too many passwords on multiple systems,
  you need a secure means to store them on one system:
  - pwsafe is a secure command-line tool for any Unix-like OS.
  - Password Gorilla is a secure graphical tool
    for any Unix-like OS, plus Windows.
  - Password Safe is a secure open-source tool which unfortunately
    is only available for Windows.
    Yubico has announced that their YubiKey
    two-factor authentication works with Password Safe.
- Also see the page on system configuration testing and auditing
  for several password cracking and password testing packages.
- A general collection of password tools is at ftp.cert.dfn.de.
- Stronger replacements for the default Unix password package are:
  - Use the pam_passwdqc PAM module for enforcing password
    quality on Solaris, Linux, HP-UX, BSD, and possibly elsewhere.
- Two one-time password systems are
  S/KEY and OPIE ("One-Time Passwords in Everything").
  OPIE is available to everyone from inner.net,
  and to .mil and .gov users only at ftp.nrl.navy.mil.
  S/KEY is available from ftp.cert.dfn.de.
- Good static passwords are essential.
  First, educate your users.
  Second, validate their actions with Crack.
  See the system auditing section.
- The Automated Password Generator (APG) is suggested or
  required on all DoD and Govt. computers without
  hardware authentication devices.
  See NIST publication FIPS 181, "Automated Password Generator",
  5 Oct 1993.
  The goal is a random string that is pronounceable and thus memorable.
  E.g., "Kla-Nik-Tu" -> klaniktu.
  An early version is
  "A Random Word Generator for Pronounceable Passwords",
  Gasser, M., Mitre report MTR-3006, ESD-TR-75-97,
  November 1975.
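
To make the pronounceable-password goal concrete, here is an added example that is not from this page, from APG or from FIPS 181: a simplified consonant-vowel-consonant syllable generator, with the entropy it gives up compared with unconstrained random letters. The letter sets and function names are assumptions chosen for the illustration; the FIPS 181 algorithm itself is more elaborate.

```python
import math
import secrets

CONSONANTS = "bcdfghjklmnprstvz"   # 17 consonants; this set is an assumption
VOWELS = "aeiou"

def syllable():
    """One consonant-vowel-consonant syllable drawn from the OS CSPRNG."""
    pick = secrets.choice
    return pick(CONSONANTS) + pick(VOWELS) + pick(CONSONANTS)

def pronounceable(n_syllables=3):
    """Return (hyphenated form for reading aloud, form to type)."""
    syls = [syllable() for _ in range(n_syllables)]
    return "-".join(s.capitalize() for s in syls), "".join(syls)

def bits_per_syllable():
    """Entropy of one syllable when every choice is uniform and independent."""
    return math.log2(len(CONSONANTS) ** 2 * len(VOWELS))

def scheme_bits(n_syllables):
    """Entropy of a password built from n_syllables syllables."""
    return n_syllables * bits_per_syllable()

def random_lowercase_bits(length):
    """Entropy of an unconstrained random a-z string of the given length."""
    return length * math.log2(26)

def syllables_needed(target_bits):
    """Smallest syllable count whose entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_syllable())

if __name__ == "__main__":
    spoken, typed = pronounceable()
    print(spoken, "->", typed)
    print(f"3 syllables: {scheme_bits(3):.1f} bits; "
          f"9 random letters: {random_lowercase_bits(9):.1f} bits; "
          f"64 bits needs {syllables_needed(64)} syllables")
```

The pronounceability constraint costs roughly a quarter of the entropy at the same length, so a pronounceable password has to be longer to reach the same strength.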
See a list of technologies and vendors
at the Wikipedia page,
or here are some:
- Fingerprints
  - Sony makes fingerprint scanners, see their
    FIU-600 and FIU-810/PERS units.
  - CA and Identix make a fingerprint reader.
  - Fooling fingerprint readers and/or
    shortcomings of biometric systems
    are described at securityfocus and optel.pl.
- Hand Shape
  - Recognition Systems,
    part of Ingersoll Rand and now working with Schlage,
    makes fingerprint and hand geometry systems:
- Voice
  - Veritel Corporation
  - Periphonics and T-Netix (+1-303-705-4552).
  - Truster, by Seem Software Corp., claims to be a
    voice-based lie detector.
    My guess is that trusting this product
    requires some huge assumptions.
- Blood vessel pattern recognition:
  "The technology has been more widely accepted than
  fingerprinting in Asia mainly for cultural reasons",
  says Michelle Shen of ePolymath Consulting in Toronto.
  "In Japan, they are very concerned about hygiene.
  They're reluctant with fingerprinting because they
  have to touch the sensor."
  (quoted in Technology Review,
  Dec 2003 / Jan 2004, pg 22).
  - Get hardware from Techsphere of
    Seoul, South Korea, distributed by
    Identica, of Toronto, Canada.
    In use at the Toronto and Ottawa airports to
    authenticate ground crew, who often have dirty hands
    that don't work with fingerprinting.
  - Hitachi is working on this:
    "Finger vein authentication,
    introduced widely by Japanese banks in the
    last two years [2006-2008],
    is claimed to be the fastest and most secure
    biometric method"
    because blood vessels are invisible to the eye,
    extremely difficult to forge and simulate.
    It uses near-IR absorption by hemoglobin.
    Fujitsu uses a similar approach but on
    a palm scanner rather than a fingertip,
    and its system has been installed at
    Carolina HealthCare System in Charlotte NC.
    See the story in the London Times.
- Buttock Pressure Map (yes, really)
  - No idea if they want to apply this to biometrics,
    but it's intriguing....
    A group at Purdue
    was working on this around 2001.
    A friend worked in that lab and was looking for
    test subjects.
    At right you see my buttock pressure maps!
    The one at left is when sitting upright,
    the one at right is when intentionally slouching
    and leaning to one side as directed.
  - Some ten years later, a group at the Advanced Institute
    of Industrial Technology in Tokyo was
    working on a project
    to put 360 pressure sensors in the bucket seat of
    a car, claiming 98% accuracy in allowing only
    recognized people to start the car.
    Also see descriptions here and here,
    and also see their presentation.
Here's a table from "Beyond Fingerprinting",
Anil K Jain and Sharath Pankanti,
Scientific American Sep 2008 pp 78-81,
drawing from US NIST studies.
They bring up an issue I hadn't seen before:
technology will be less likely to be used if it is unsuitable
as evidence in a court of law.
Because iris recognition is based on complicated statistical analysis
of subtle image features,
"no known human experts can determine whether or not
two iris images match. Hence, the data are unsuitable
for evidence in a court of law."
| | Fingerprint | Face | Iris | Voice |
| --- | --- | --- | --- | --- |
| Distinctiveness | High | Low | High | Low |
| Permanence | High | Medium | High | Low |
| How well trait can be sensed | Medium | High | Medium | Medium |
| Speed and cost efficiency of system | High | Low | High | Low |
| Willingness of people to have trait used | Medium | High | Low | High |
| Difficulty of spoofing the trait | High | Low | High | Low |
| False rejection rate | 0.4% | 1.0-2.5% | 1.1-1.4% | 5-10% |
| False acceptance rate | 0.1% | 0.1% | 0.1% | 2-5% |
Don't just hand out the system administrator's password!
Allow certain users to run only certain commands with sysadmin
privileges, with the
sudo tool.
Access control based on host names is weak, as it trusts DNS,
but tcpd and xinetd can do double DNS lookups and require
consistency.
To be honest, this won't keep the bad guys out, and you
will realize what a sloppy and incomplete job many places
do with the PTR records.
- Get TCP Wrapper
- An alternative is xinetd.
  It's more complicated
  to administer, but you do get finer control over access.
  It supports time-sensitive access rules,
  limitations on maximum simultaneous connections, etc.
  It replaces inetd.
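
The double DNS lookup mentioned above, written out as an added example (not code from tcpd, xinetd or this page): resolve the client's address to a name, resolve that name back, and require the original address among the results. The function names, verdict strings and sample records are assumptions made for the illustration.

```python
import ipaddress
import socket

def system_reverse(ip):
    """PTR lookup through the system resolver: IP -> claimed host names."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:              # no PTR record, or resolver failure
        return []
    return [name, *aliases]

def system_forward(name):
    """A/AAAA lookup through the system resolver: host name -> IP strings."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except OSError:
        return []

def double_lookup(ip, reverse=system_reverse, forward=system_forward):
    """Return (verdict, name); verdict is 'consistent', 'no-ptr' or 'mismatch'."""
    client = ipaddress.ip_address(ip)
    names = [n.rstrip(".").lower() for n in reverse(ip)]
    if not names:
        return ("no-ptr", None)
    for name in names:
        for addr in forward(name):
            try:
                if ipaddress.ip_address(addr) == client:
                    return ("consistent", name)   # the name maps back to the client
            except ValueError:                    # unparsable resolver output
                continue
    return ("mismatch", names[0])                 # PTR name is not backed by A/AAAA

# Constructed sample records (documentation address ranges, made-up names).
PTR = {"192.0.2.10": ["mail.example.org."],
       "198.51.100.7": ["trusted.example.org."]}   # claims a name it does not own
FWD = {"mail.example.org": ["192.0.2.10"],
       "trusted.example.org": ["192.0.2.20"]}

def demo():
    """Classify three constructed clients using the tables above, not live DNS."""
    rev = lambda ip: PTR.get(ip, [])
    fwd = lambda name: FWD.get(name, [])
    return {ip: double_lookup(ip, rev, fwd)
            for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.99")}

if __name__ == "__main__":
    for ip, result in demo().items():
        print(ip, *result)
```

The third constructed client has no PTR record at all, which is the sloppy-PTR case: a strict consistency rule would turn it away even though nothing is forged.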
Software piracy (kinda) falls under authentication.
Authenticate your software, make sure it's legitimate.
Why audit yourself?
If your site has pirated software, you may incur huge fines.
Disgruntled employees will turn you in for rewards
from SPA and BSA
(Software Publishers Association and Business Software Alliance),
who show up with federal agents and search warrants.
Fines in the $100,000-200,000 range are common,
and can go into the millions.
Autodesk,
maker of AutoCAD, recovered more than US$ 35 million from
North American copyright infringers in 1989-1999
(SC Magazine, April 1999, pg 18).
The
SPAudit tool
is available for free.
It audits what software is installed where, and also
inventories hardware and system boot files.
Further info is available on software piracy.