Welcome to Linux Knowledge Base and Tutorial
"The place where you learn linux"
The ONE Campaign to make poverty history

 Create an AccountHome | Submit News | Your Account  

Tutorial Menu
Linux Tutorial Home
Table of Contents
Up to --> Security

· What You Can Do About It
· Trusted Hosts
· Modem Security
· Backups
· The Official Word
· Changing Attitudes
· System Security
· Security and the Law

Man Pages
Linux Topics
Test Your Knowledge

Site Menu
Site Map
Copyright Info
Terms of Use
Privacy Info
Masthead / Impressum
Your Account

Private Messages

News Archive
Submit News
User Articles
Web Links


The Web

Who's Online
There are currently, 78 guest(s) and 0 member(s) that are online.

You are an Anonymous user. You can register for free by clicking here

Linux Tutorial - Security - What You Can Do About It - Changing Attitudes
  The Official Word ---- System Security  

Changing Attitudes

Although your company has a security policy, you need to concentrate more on changing people's attitudes. Perhaps a violation of the policy leads to someone's termination, but does that recover the millions of dollars of research that was lost?

If a user chooses and easily guessed password, then it will be cracked using a dictionary attack. No question. Even if the hacker only has access to small, low-powered PC, he can quickly crack the password. Many users believe that if a password in not in the traditional UNIX dictionary file (/usr/dict/words) then it can't easily be broken. However, there are dozens of dictionary files spread out all over the Internet that contain lists that are much longer. In addition, the words are not limited to just English anymore. There are dictionary files for several other languages, as well.

In his paper "Foiling the Cracker: A Survey of, and Improvement to, Password Security," Daniel Klein of Carnegie Mellon University reported that during tests he conducted 2.8% of all passwords were "guessed" within 15 minutes. He further states that on a machine with 50 accounts, at least one will be cracked within the first 2 minutes! Without user support the number will be a lot higher.

As system administrator or IS manager, you have to educate your users. Explain the need for the passwords and security, in general. Make them aware of the real cases where laxed security had detrimental effects. Be sure that they know the dangers are real.

One thing I found useful was making comparisons that the user understands. For example, compare the inconvenience of having difficult password to the inconvenience when the system crashes. It might take 5 seconds a day longer to type in the correct password, but if the database is down for two hours, then the user could have typed their password 1440 times. In other words, once a day for almost four years.

Another comparison that works well is that of car keys. No one would think of leaving their car unlocked, let alone change the car so that an ignition key is no longer needed. It is just as inconvenient to have to use keys to a car, just as it it to user password on a computer account. It's just a necessary evil.

Finally, there are threats. I don't mean holding a gun to their head and force them to use good password and follow good security practices. Your security policy should state the consequences of giving out passwords or letting other gain access to your account. Users should be aware that they could be held legally responsible for anything done on the system with their account. Especially if they are negligent.

For example, check TFTP, (Trivial File Transfer Protocol) which is often used to transfer files automatically. My suggestion is to disable it completely. There is nothing that can't be done with other means and the risks are too great. If not, there is the potential for accessing files on your system without any password at all.

One significant file is /etc/passwd. Since is it is world-readable, if TFTP is enable, someone could easily download this file without a password. Once they have it, they can use a dictionary attack to try and crack some of the passwords. Another way would be to copy .rhosts files into users' home directories to gain access to the system.

Another useful tool is rpcinfo. This communicates with the portmapper daemon and provide information about what kind of services are being run. One very dangerous service is NIS. Although useful in propagating passwords to other machines, a clever hacker can "persuade" NIS to give him a copy, thus making the system vulnerable to dictionary attacks (among other things.) Although you need to know the NIS domain name, it is much easier to guess than users' password as it is more than likely some variant of the company name or the Internet domain.

There is no way to make a computer completely secure, other than lock the room and turn the computer off. Systems can be made impregnable to the casual intruder, as well as make it more difficult for the experienced cracker. However, there are no guarantees with it.

 Previous Page
The Official Word
  Back to Top
Table of Contents
Next Page 
System Security


Test Your Knowledge

User Comments:

You can only add comments if you are logged in.

Copyright 2002-2009 by James Mohr. Licensed under modified GNU Free Documentation License (Portions of this material originally published by Prentice Hall, Pearson Education, Inc). See here for details. All rights reserved.
Show your Support for the Linux Tutorial

Purchase one of the products from our new online shop. For each product you purchase, the Linux Tutorial gets a portion of the proceeds to help keep us going.



Security Code
Security Code
Type Security Code

Don't have an account yet? You can create one. As a registered user you have some advantages like theme manager, comments configuration and post comments with your name.

Help if you can!

Amazon Wish List

Did You Know?
You can choose larger fonts by selecting a different themes.


Tell a Friend About Us

Bookmark and Share

Web site powered by PHP-Nuke

Is this information useful? At the very least you can help by spreading the word to your favorite newsgroups, mailing lists and forums.
All logos and trademarks in this site are property of their respective owner. The comments are property of their posters. Articles are the property of their respective owners. Unless otherwise stated in the body of the article, article content (C) 1994-2013 by James Mohr. All rights reserved. The stylized page/paper, as well as the terms "The Linux Tutorial", "The Linux Server Tutorial", "The Linux Knowledge Base and Tutorial" and "The place where you learn Linux" are service marks of James Mohr. All rights reserved.
The Linux Knowledge Base and Tutorial may contain links to sites on the Internet, which are owned and operated by third parties. The Linux Tutorial is not responsible for the content of any such third-party site. By viewing/utilizing this web site, you have agreed to our disclaimer, terms of use and privacy policy. Use of automated download software ("harvesters") such as wget, httrack, etc. causes the site to quickly exceed its bandwidth limitation and are therefore expressly prohibited. For more details on this, take a look here

PHP-Nuke Copyright © 2004 by Francisco Burzi. This is free software, and you may redistribute it under the GPL. PHP-Nuke comes with absolutely no warranty, for details, see the license.
Page Generation: 0.08 Seconds