Even if your company has a security policy, you need to concentrate on changing people's
attitudes. A violation of the policy may lead to someone's termination, but that does not
recover the millions of dollars of research that was lost.
If a user chooses an easily guessed password, it will be cracked using a dictionary attack.
No question. Even if the hacker only has access to a small, low-powered PC, he can quickly
crack the password. Many users believe that if a password is not in the traditional UNIX
dictionary file (/usr/dict/words) then it can't easily be broken. However, there are dozens of
dictionary files spread all over the Internet that contain much longer lists, and the words are
no longer limited to English: there are dictionary files for several other languages as well.
In his paper "Foiling the Cracker: A Survey of, and Improvement to, Password Security," Daniel
Klein of Carnegie Mellon University reported that during the tests he conducted, 2.8% of all
passwords were "guessed" within the first 15 minutes. He further states that on a machine with
50 accounts, at least one will be cracked within the first 2 minutes! Without user support the
number will be a lot higher.
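The practical answer Klein's paper gives is a proactive checker that rejects a password at the moment the user chooses it, before any cracker gets a chance. The following is an added example in that spirit; it is not code from the original text or from Klein's paper. The word list, the substitution table and the 8-character minimum are this example's own assumptions, and a real deployment would load the large, multi-language dictionaries mentioned above.

```python
"""Proactive password checker in the spirit of Klein's "Foiling the Cracker".

Added example, not from the original text or Klein's paper. A password is
rejected if a cracker could reach it cheaply from a dictionary word or from
the user's own account data, which is exactly the class of passwords the
text says falls to a dictionary attack in minutes.
"""
import re
import string

# Constructed stand-in for /usr/dict/words and the larger lists the text
# mentions; a real deployment would load several word lists (and languages).
WORDS = {"password", "secret", "welcome", "dragon", "summer", "london", "sommer"}

# Common character substitutions, undone before the dictionary lookup.
# The table is an assumption of this example; real cracker rule sets are larger.
LEET = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}

MIN_LENGTH = 8  # policy threshold chosen for this example, not taken from the text


def _forms(password):
    """Forms a cracker gets almost for free from one dictionary word: the
    lower-cased password, the same with leading/trailing digits and
    punctuation stripped, each of those reversed, and each with
    substitutions undone."""
    forms = set()
    lower = password.lower()
    for f in (lower, lower.strip(string.digits + string.punctuation)):
        if not f:
            continue
        unleet = "".join(LEET.get(c, c) for c in f)
        forms.update({f, f[::-1], unleet, unleet[::-1]})
    return forms


def weak_reasons(password, login, gecos, words=WORDS):
    """Return the list of reasons a password is weak (empty means acceptable).

    login and gecos are the account's /etc/passwd fields; gecos is split on
    commas and whitespace so first name, surname, room and phone are covered.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if password.isdigit():
        reasons.append("digits only")
    if len(set(password)) <= 2:
        reasons.append("too few distinct characters")
    forms = _forms(password)
    personal = {login.lower()}
    personal.update(t.lower() for t in re.split(r"[\s,]+", gecos) if t)
    if forms & personal:
        reasons.append("derived from login name or GECOS field")
    if forms & set(words):
        reasons.append("derived from a dictionary word")
    return reasons


def check_passwd_entries(entries, candidates):
    """Check one proposed password per /etc/passwd-style line.

    entries: iterable of passwd lines (constructed here; no hashes needed);
    candidates: dict login -> password proposed for that account.
    Returns {login: reasons}.
    """
    report = {}
    for line in entries:
        fields = line.rstrip("\n").split(":")
        if len(fields) < 5:
            continue
        login, gecos = fields[0], fields[4]
        if login in candidates:
            report[login] = weak_reasons(candidates[login], login, gecos)
    return report


if __name__ == "__main__":
    # Constructed sample entries and proposed passwords.
    sample_passwd = [
        "jdoe:x:1001:100:John Doe,Room 12,555-0100:/home/jdoe:/bin/sh",
        "ak:x:1002:100:Anna Klein:/home/ak:/bin/sh",
    ]
    proposed = {"jdoe": "9eoD", "ak": "Dr4g0n!"}
    for user, why in check_passwd_entries(sample_passwd, proposed).items():
        print(user, "->", ", ".join(why) or "ok")
```

The checker normalizes the candidate rather than expanding every dictionary word into its variants, so the cost per check stays a handful of set lookups no matter how large the word lists grow; "Summer2024" and "Dr4g0n!" both collapse to words in the list, and "9eoD" collapses to the user's own surname from the GECOS field.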
As system administrator or IS manager, you have to educate your users. Explain the need for
passwords and for security in general. Make them aware of real cases where lax security had
detrimental effects. Be sure that they know the dangers are real.
One thing I found useful was making comparisons that the user understands. For example, compare
the inconvenience of having a difficult password to the inconvenience when the system crashes.
It might take 5 seconds a day longer to type in a harder password, but if the database is down
for two hours, the user could have typed that password 1440 times in the same time. In other
words, once a day for almost four years.
Another comparison that works well is that of car keys. No one would think of leaving their car
unlocked, let alone modifying the car so that an ignition key is no longer needed. Having to use
keys for a car is just as inconvenient as having to use a password on a
It's just a necessary evil.
Finally, there are threats. I don't mean holding a gun to their heads to force them to use good
passwords and follow good security practices. Your security policy should state the consequences
of giving out passwords or letting others gain access to your account. Users should be aware
that they could be held legally responsible for anything done on the system with their account.
Especially if they are
For example, check TFTP (Trivial File Transfer Protocol), which is often used to transfer files
automatically. My suggestion is to disable it completely. There is nothing it does that can't be
done by other means, and the risks are too great. If it is left enabled, there is the potential
for accessing files on your system without any password at all.
One significant file is /etc/passwd. Since it is world-readable, if TFTP is enabled, someone
could easily download this file without a password. Once they have it, they can use a dictionary
attack to try to crack some of the passwords. (On systems that keep the password hashes in
/etc/shadow, the copied /etc/passwd yields only the account names and GECOS fields, but those
still tell the attacker exactly which personal names to try first.) Another way in, if the
TFTP server allows writes outside a restricted directory, is to copy .rhosts files into users'
home directories to gain access to the system.
Another useful tool is rpcinfo. It communicates with the portmapper daemon and reports what kind
of RPC services are being run. One very dangerous service
Although NIS is useful for propagating passwords to other machines, a clever hacker can
"persuade" NIS to give him a copy of the password map, thus making the system vulnerable to
dictionary attacks (among other things). Although you need to know the NIS domain name, it is
much easier to guess than a user's password, as it is more than likely some variant of the
company name or the Internet domain.
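The checks in the two passages above (is TFTP still switched on in inetd.conf, what does the portmapper advertise, and can the NIS passwd map be pulled with nothing but a guessed domain name) fit in a few shell functions. The script below is an added example, not from the original text. It assumes a classic inetd-style /etc/inetd.conf and the rpcinfo and ypcat commands of a traditional UNIX or Linux NIS client; the particular domain-name variants it guesses are this example's own choice.

```shell
#!/bin/sh
# Added audit helpers; not from the original text. Assumes a classic
# inetd-style /etc/inetd.conf (one service per line, "#" comments) and the
# rpcinfo/ypcat commands found on traditional UNIX and Linux NIS clients.
# xinetd and systemd socket units are not parsed here.

# list_active_services FILE: service names from uncommented, non-empty lines
list_active_services() {
    awk '!/^[[:space:]]*#/ && NF { print $1 }' "$1"
}

# tftp_enabled FILE: succeed if an active tftp line is present
tftp_enabled() {
    list_active_services "$1" | grep -qx tftp
}

# disable_tftp FILE: comment out every active tftp line, keeping FILE.bak
# (after editing the real /etc/inetd.conf, send inetd SIGHUP to reload)
disable_tftp() {
    f="$1"
    cp "$f" "$f.bak" || return 1
    sed 's/^\([[:space:]]*tftp[[:space:]]\)/#\1/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# rpc_services [HOST]: names of the services the portmapper advertises;
# "ypserv" in the list means the host is a NIS server
rpc_services() {
    command -v rpcinfo >/dev/null 2>&1 || return 2
    rpcinfo -p "${1:-localhost}" 2>/dev/null | awk 'NR > 1 && $5 != "" { print $5 }' | sort -u
}

# nis_domain_guesses COMPANY DNSDOMAIN: the first NIS domain names an
# attacker would try, built from the company name and Internet domain as
# the text describes (the particular variants are this example's own)
nis_domain_guesses() {
    company=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    dns=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    short=${dns%%.*}
    printf '%s\n' "$company" "$dns" "$short" "$short.nis" "$company.nis" "nis" | sort -u
}

# nis_passwd_exposed HOST DOMAIN: succeed if the passwd map can be pulled
# with nothing but a domain name (the exposure the text warns about)
nis_passwd_exposed() {
    command -v ypcat >/dev/null 2>&1 || return 2
    ypcat -d "$2" -h "$1" passwd >/dev/null 2>&1
}
```

Typical use on a host you administer: `tftp_enabled /etc/inetd.conf && disable_tftp /etc/inetd.conf`, then `rpc_services` to see whether ypserv is among the advertised services, and `for d in $(nis_domain_guesses Acme acme.example.com); do nis_passwd_exposed nisserver "$d" && echo "map readable with domain $d"; done` to confirm how little an outsider needs to know.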
There is no way to make a computer completely secure, other than locking the room and turning
the computer off. Systems can be made impregnable to the casual intruder, and harder going for
the experienced cracker. However, there are no guarantees with