Many systems ship with well-known default passwords that lazy admins never change. Here are some lists; check whether any of those defaults are still in use on your network:
The "What's My Pass?" page claims to list "The Top 500 Worst Passwords of All Time", but there is no explanation of where they got that data. Since admin isn't even on the list, despite being the default password on lots of network gear, I don't think the list is very authoritative. But it's kind of interesting.
How does Microsoft's Kerberos implementation expose user passwords to an offline attack?
The initial request for a ticket-granting ticket (the AS-REQ) is the one message the client must send before it holds any key, so it was designed to carry nothing sensitive in cleartext. There is little risk in an eavesdropper seeing that some host on the network is asking to be authenticated as a specific user name.
Microsoft's implementation, however, requires an extra field in that request: "pre-authentication". Pre-authentication is not a Microsoft invention, it is part of standard Kerberos 5 (the PA-ENC-TIMESTAMP type of RFC 4120), but Active Directory turns it on for every account by default. The field is the current timestamp encrypted with a key derived from the user's password. Since all hosts in a Kerberos realm must keep their clocks synchronized (typically within five minutes), an attacker who captures that request already knows, to within a few minutes, what the plaintext is, and can mount a known-plaintext attack offline: derive a key from each candidate password, decrypt the field, and look for a plausible timestamp. No further traffic to the KDC is needed, so account-lockout policies never fire.
The free and commonly available package does exactly that.
Two caveats a practitioner should keep in mind. First, pre-authentication exists because the alternative is worse: without it the KDC hands the AS-REP, which is encrypted under the user's key, to anyone who asks for it, so an attacker need not even be on the wire to obtain crackable material. Second, what makes the attack practical is a weak password combined with a cheap key derivation. The RC4-HMAC encryption type's key is simply the unsalted NT hash (MD4) of the password, while the AES types derive the key with salted PBKDF2 at thousands of iterations. Disabling RC4 and enforcing long passphrases is the real defense; the timestamp field is only the oracle.
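The attack described above, as an added example that is not code from the page or from any named cracking package. It models only the shape of the attack: the real Kerberos wire encoding (ASN.1, AES-CTS with an HMAC-SHA1 checksum, the DK() step after PBKDF2) is replaced by a stand-in stream cipher built from the Python standard library, so the ciphertext here is not interoperable with anything. Key derivation follows the PBKDF2 step of the RFC 3962 AES string-to-key (salt = realm + principal, 4096 iterations). The realm, principal, password, wordlist and capture time are all constructed for the example.

```python
"""Offline dictionary attack on a captured pre-authentication timestamp.

Added example.  The cipher is a stand-in (HMAC-SHA256 in counter mode),
NOT Kerberos AES-CTS; only the attack structure is faithful.
"""
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta, timezone

ITERATIONS = 4096                   # RFC 3962 default PBKDF2 iteration count
MAX_SKEW = timedelta(minutes=5)     # usual Kerberos clock-skew tolerance
TS_RE = re.compile(rb"^\d{14}Z$")   # KerberosTime, e.g. b"20120915142233Z"


def string_to_key(password, realm, principal):
    """PBKDF2-HMAC-SHA1 with salt = REALM + principal, as in RFC 3962
    (the final DK() key-derivation step of the real enctype is omitted)."""
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, ITERATIONS, 32)


def _keystream(key, confounder, n):
    """Stand-in cipher: HMAC-SHA256 counter mode keyed by the derived key."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, confounder + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:n]


def encrypt_timestamp(key, ts, confounder=None):
    """What the client sends: confounder || timestamp XOR keystream."""
    confounder = confounder or os.urandom(16)
    body = bytes(a ^ b for a, b in zip(ts, _keystream(key, confounder, len(ts))))
    return confounder + body


def decrypt(key, blob):
    confounder, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, confounder, len(body))))


def looks_like_timestamp(pt, captured_at):
    """The known-plaintext check: a well-formed KerberosTime within
    clock skew of when the packet was captured.  With real enctypes the
    integrity checksum gives the attacker the same oracle."""
    if not TS_RE.match(pt):
        return False
    ts = datetime.strptime(pt.decode(), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return abs(captured_at - ts) <= MAX_SKEW


def crack_preauth(blob, realm, principal, wordlist, captured_at):
    """Return the candidate password that yields a plausible timestamp, or None.
    Every trial is local; the KDC never sees a failed attempt."""
    for candidate in wordlist:
        key = string_to_key(candidate, realm, principal)
        if looks_like_timestamp(decrypt(key, blob), captured_at):
            return candidate
    return None


# Constructed capture: nothing below was sniffed from a real network.
REALM, PRINCIPAL = "EXAMPLE.COM", "alice"
VICTIM_PASSWORD = "Autumn2012!"
CAPTURED_AT = datetime(2012, 9, 15, 14, 22, 40, tzinfo=timezone.utc)
CAPTURED_PREAUTH = encrypt_timestamp(
    string_to_key(VICTIM_PASSWORD, REALM, PRINCIPAL),
    b"20120915142233Z",
    confounder=bytes(range(16)),   # fixed so the example is reproducible
)
WORDLIST = ["password", "123456", "Autumn2012!", "letmein"]

if __name__ == "__main__":
    print(crack_preauth(CAPTURED_PREAUTH, REALM, PRINCIPAL, WORDLIST, CAPTURED_AT))
```

The cost of each trial is dominated by `string_to_key`; that is the whole difference between an RC4-HMAC key (one unsalted MD4, trivially fast and precomputable) and an AES key (salted PBKDF2, so no shared rainbow tables and thousands of hashes per guess).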
klaniktu. An early version is "A Random Word Generator for Pronounceable Passwords", Gasser, M., Mitre report MTR-3006, ESD-TR-75-97, November 1975.
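An added example, not Gasser's generator and not code from the page: a minimal pronounceable-password generator in the spirit of MTR-3006, together with a calculation of how much entropy the scheme actually delivers. Gasser's generator used digram and trigram statistics of English; this one uses a simpler consonant-vowel syllable template (the alphabet split is an assumption of the example), which is enough to show the trade-off between memorability and search space.

```python
"""Pronounceable passwords: memorability bought with entropy.

Added example.  The syllable template and alphabets are assumptions; real
generators such as Gasser's use language statistics and produce clusters
like "kl" and "kt" that this template cannot.
"""
import math
import secrets

CONSONANTS = "bcdfghjklmnprstvwz"   # 18 letters
VOWELS = "aeiou"                    # 5 letters


def pronounceable(syllables=4):
    """Each syllable is one consonant followed by one vowel, drawn with
    a cryptographic RNG; 4 syllables give an 8-letter word."""
    return "".join(secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
                   for _ in range(syllables))


def search_space(syllables):
    """Number of distinct outputs: (18 * 5) ** syllables."""
    return (len(CONSONANTS) * len(VOWELS)) ** syllables


def entropy_bits(syllables):
    """Guessing entropy of the scheme, assuming the attacker knows the template."""
    return math.log2(search_space(syllables))


def random_entropy_bits(length, alphabet_size=26):
    """Entropy of a uniformly random string of the same length, for comparison."""
    return length * math.log2(alphabet_size)


def syllables_for(target_bits):
    """Smallest number of syllables giving at least target_bits of entropy."""
    return math.ceil(target_bits / math.log2(len(CONSONANTS) * len(VOWELS)))


if __name__ == "__main__":
    pw = pronounceable(4)
    print(pw, f"{entropy_bits(4):.1f} bits vs {random_entropy_bits(len(pw)):.1f} "
              "bits for 8 random lowercase letters")
    print("syllables needed for 60 bits:", syllables_for(60))
```

An 8-letter word from this template carries about 26 bits, versus about 37.6 bits for 8 uniformly random lowercase letters; an attacker who knows the template only has to enumerate the template. Reaching 60 bits takes ten syllables, a 20-letter word, which is the usual fate of pronounceable schemes.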
See a list of technologies and vendors at the Wikipedia page, or here are some:
Here's a table from "Beyond Fingerprinting", Anil K. Jain and Sharath Pankanti, Scientific American, Sep 2008, pp 78-81, drawing on US NIST studies. They bring up an issue I hadn't seen before: a technology will be less likely to be used if its results are unsuitable as evidence in a court of law. Because iris recognition is based on complicated statistical analysis of subtle image features, "no known human experts can determine whether or not two iris images match. Hence, the data are unsuitable for evidence in a court of law."
| How well trait can be sensed             | Medium | High     | Medium   | Medium |
| Speed and cost efficiency of system      | High   | Low      | High     | Low    |
| Willingness of people to have trait used | Medium | High     | Low      | High   |
| Difficulty of spoofing the trait         | High   | Low      | High     | Low    |
| False rejection rate                     | 0.4%   | 1.0-2.5% | 1.1-1.4% | 5-10%  |
| False acceptance rate                    | 0.1%   | 0.1%     | 0.1%     | 2-5%   |
DARPA is running an Active Authentication project. They describe this work as:
The current standard method for validating a user's identity for authentication on an information system requires humans to do something that is inherently unnatural: create, remember, and manage long, complex passwords. Moreover, as long as the session remains active, typical systems incorporate no mechanisms to verify that the user originally authenticated is the user still in control of the keyboard. Thus unauthorized individuals may improperly obtain extended access to information system resources if a password is compromised or if a user does not exercise adequate vigilance after initially authenticating at the console.
The Active Authentication program seeks to address this problem by developing novel ways of validating the identity of the person at the console that focus on the unique aspects of the individual through the use of software-based biometrics. Biometrics are defined as the characteristics used to uniquely recognize humans based on one or more intrinsic physical or behavioral traits. This program focuses on the behavioral traits that can be observed through how we interact with the world. Just as when you touch something with your finger you leave behind a fingerprint, when you interact with technology you do so in a pattern based on how your mind processes information, leaving behind a "cognitive fingerprint."
The first phase of the program will focus on researching biometrics that do not require the installation of additional hardware sensors; rather, the program will look for research on biometrics that can be captured through the technology we already use, looking for aspects of this "cognitive fingerprint." These could include, for example, how the user handles the mouse and how the user crafts written language in an e-mail or document. A heavy emphasis will be placed on validating any potential new biometrics with empirical tests to ensure they would be effective in large-scale deployments.
When Apple released the iPhone 5s with a fingerprint scanner, they also seemed to be working on behavioral biometrics of this kind: a New Yorker story reported that in the week before the iPhone 5s release, Apple was awarded a patent for gesture-based authentication.
Don't just hand out the system administrator's password! Allow certain users to run only certain commands with sysadmin privileges, with the
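An added example of that policy, not a file from the page. It assumes the tool meant here is sudo; the group name, service and paths are hypothetical placeholders.

```sudoers
# Added example: a hypothetical /etc/sudoers.d/webops fragment.
# Edit such files only with visudo, which refuses to save a syntax error
# that would otherwise lock everyone out of sudo.

# Weak: a blanket grant, which is the same as handing out the root password.
# %webops ALL=(ALL) ALL

# Better: an explicit list of exact commands with fixed arguments.
# No wildcards (a trailing * would let the user append arbitrary options),
# and no editors, pagers or shells, all of which offer shell escapes.
Cmnd_Alias WEBADMIN = /usr/bin/systemctl restart httpd, \
                      /usr/bin/systemctl status httpd, \
                      /usr/bin/tail -n 200 /var/log/httpd/error_log

# Members of the webops group may run only those commands, only as root,
# and must still type their own password (no NOPASSWD).
%webops ALL=(root) WEBADMIN
```

A user can see exactly what they have been granted with `sudo -l`, and every invocation is logged through syslog, which is the other thing a shared root password never gives you.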
xinetd for Host Authentication
It's weak, as it trusts DNS, but xinetd can do double DNS lookups and require
To be honest, this won't keep the bad guys out, and you will realize what a sloppy and incomplete job many places do with their PTR records.
xinetd is more complicated to administer, but you do get finer control over access. It supports time-sensitive access rules, limits on maximum simultaneous connections, etc. It replaces
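The controls just described, as an added example that is not configuration from the page: a hypothetical xinetd service entry for an rsync daemon. The service, addresses and domain are placeholders; the attribute names are xinetd's own.

```conf
# Added example: one service entry, e.g. /etc/xinetd.d/rsync
service rsync
{
    disable         = no
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/bin/rsync
    server_args     = --daemon

    # Weak: matching on host names means trusting whoever controls the
    # reverse (PTR) zone for the connecting address, and most sites'
    # PTR records are a mess anyway.
    # only_from     = .example.com

    # Better: match on addresses, which a DNS answer cannot forge.
    # no_access is evaluated too, so the more specific rule wins.
    only_from       = 10.20.0.0/16 192.168.5.0/24
    no_access       = 10.20.99.0/24

    # The finer controls mentioned above: hours of service, total and
    # per-client connection limits, and logging of who was refused.
    access_times    = 07:00-19:00
    instances       = 20
    per_source      = 4
    log_type        = SYSLOG authpriv info
    log_on_failure  += HOST
}
```

Address-based matching is still only as good as the network path: anyone who can spoof or route from the permitted ranges gets through, so treat it as a filter in front of real authentication, not a replacement for it.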
Software piracy (kinda) falls under authentication: authenticate your software, make sure it's legitimate.
Why audit yourself? If your site has pirated software, you may incur huge fines. Disgruntled employees will turn you in for rewards from the SPA and BSA (Software Publishers Association and Business Software Alliance), who show up with federal agents and search warrants. Fines in the $100,000-200,000 range are common, and can go into the millions. Autodesk, maker of AutoCAD, recovered more than US$ 35 million from North American copyright infringers in 1989-1999 (SC Magazine, April 1999, pg 18). The SPAudit tool is available for free. It audits what software is installed where, and also inventories hardware and system boot files. Further info is available on software piracy.