November 12th, 2003, 03:57 PM
Even Local Govt. Agencies Are Vulnerable.
Why do attacks get amplified? I get questions like this all the time. Typically this question comes on the heels of my dept. stirring up a **** storm over best security practices. Here is a perfect example of why attacks are amplified and the state of many networks despite the numbing amount of information on network/data security.
Kansas auditors crack 1,000 passwords
By Wilson P. Dizard III
The Kansas Health and Environment Department has serious IT security and disaster recovery problems, the state’s legislative auditor has found. The auditors said they used password-cracking software to decipher more than 1,000 of the department’s passwords—including several administrative passwords—or 60 percent of the total, in three minutes.
The department began fixing the security weaknesses and other problems found in its systems as soon as it learned of them, department secretary Roderick L. Bremby said in response to the report.
“The department’s antivirus system was badly flawed, allowing computers to become infected with a large number of different viruses, worms and Trojan horses,” said the report, Kansas Department of Health and Environment Information Systems: Reviewing the Department’s Management of Those Systems.
“The department’s firewall was poorly configured, creating several large holes in and out,” the report said. Auditors found that the department lacked or failed to enforce many basic security policies, such as procedures for incident response, physical security, configuration documentation and former-user account deletion. They also found several major problems with security planning.
The auditors concluded that the department lacked the tools necessary to recover from a disaster and said the plan, left over from the year 2000 rollover, “would be nearly useless in a disaster.”
In response to the auditors’ recommendations, the department hired FishNet Security Inc. of Kansas City, Mo., for a complete vulnerability assessment.
In response to the auditors’ recommendations to overhaul systems security and other IT problems, Bremby wrote, “All recommendations will be ranked and prioritized by risk, and deadlines will be established to complete all recommendations as quickly as possible.” He encouraged the auditors to conduct a second review within a year.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
November 12th, 2003, 04:06 PM
Good article. I would hate to be an auditor, that was a really long report. Kindof gets you thinking about how secure you are. I would say that it is pretty bad to be able to crack 1000 passwords in 3 minutes. I will have to run some tests on my machines to see how secure my passwords are. Hopefully a firewall is enough though. Sounds like that place is a mess security wise. I would like to be the security company fixing their security, with the kind of work they need done, that has to big bucks.
November 12th, 2003, 04:07 PM
Everyone is vulnerable!
In this day and age, everyone is vulnerable ...
I'll give you an example from the place where I work, an IT and networking company. Shortly after the MSBlaster outbreak, after our IT support had been patching everybody's system to protect them, they came around to upgrade my officemate's laptop from Win98 to Win2K.
Until then, he had been safe since MSBlaster didn't affect Win98 ...
He got his laptop back, and he suddenly asked me, "Do you happen to know what this error means"? It was the RPC service crashing ... He had gotten his laptop back from the IT people unpatched AND infected ....
So we called the IT guys ... they come in, scratch their head and say, "Hmm, I wonder how that is possible ..."
It's pretty dumb, but I will admit they were on total overload that week with all the patching going on .... but you would think that a company that sells networks to its customers should know better ... especially when you have the risk of infecting your customers ...
"To estimate the time it takes to do a task, estimate the time you think it should take, multiply by two, and change the unit of measure to the next highest unit. Thus we allocate two days for a one-hour task." -- Westheimer's Rule
November 12th, 2003, 07:06 PM
Just FYI, the auditors were undoubtedly using the Advanced Instant NT Password Cracker. It's not that the passwords are bad, but that NT's password scheme is fundamentally broken. There's really no solution to this problem, other than to not use NT/Lan passwords. If you want compatibility with, say win98, you're toast. A slightly mitigating factor is that you need Admin to get the password hashes. Of course, getting admin on one NT machine on a large network should be pretty easy.
Basically, on any NT network, if you're not using Active Directory, all your password are belong to us. Nobody should be surprised that they got 1k passwords.
November 12th, 2003, 07:44 PM
I doubt they used that - it is an online only cracker and the article states that they got 60% of 1000 passwords in under 3 minutes.... That's mighty quick cutting and pasting of the hashes.....
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
November 13th, 2003, 03:51 AM
Actually, the method used in the instant NT password cracker is a pretty straightforward dictionary attack, AFAIK. They could've just rewritten it themselves. I was assuming that they, for maximum sensationalism, gathered all the hashes together, then cracked them all at once. And, you know, if they crack the same password on 500 machines, does that count as 500 cracked passwords? I dunno, I should probably RTFA, but it seems like a funding grab to me.