better(?) job and a question?

  1. #1
    wiskic10_4 (Senior Member) | Join Date: Jan 2004 | Location: Corpus Christi, TX | Posts: 254

    better(?) job and a question?

    <<BE WARNED, THE FOLLOWING POST MAY SEEM SOMEWHAT POINTLESS>>

    I've recently quit my steady, full-time, well paying, benefit-loaded job as a Sherwin-Williams "sales-associate" (delivery driver was basically my job-description, but hey, every position's got a title, right?) to pursue a part-time, low-paying, no-benefit job at the university that I currently attend (www.utpb.edu). I did this for two reasons...

    (1) I'm a HUGE procrastinator (just look at my signature...), and after Halloween, this semester's major assignments and exams jumped out of nowhere and bit me in the ass... I had to make a choice between making the grades or making the paycheck - I chose grades (which was a very poor decision in short-term retrospect (...so...hungry...))

    (2) I was offered a job: "lab-assistant" of the Computer Science Research Lab. The "lab-assistant" is essentially the network administrator of the Computer Science subnet (cslab.utpb.edu).

    I was offered this job because:

    (a) I am one of the more "conceptual" cosc students (meaning that I actually do my homework rather than download it), and I spend more time at the lab than I do at my house...

    (b) My topic of research this semester was "Sun lab security." So that I could complete my research sufficiently, I was given full administrative privileges... I pointed out some (very obvious) vulnerabilities in the network, but more importantly, restored the lab to functionality... http://204.158.158.14/current/cs4395-team5/index.html

    Anyway...

    During my research presentation tonight, I pointed out the fact that one of the two Sun servers on the network allowed a telnet login with a weak username and password (username: student passwd: student).

    I made the argument that if a malicious hacker (or student) found the open port 23 by running a simple port scan, and then ran a quick "whois" on the IP (which would show "University of Texas of the Permian Basin UTPB-REACH (NET-204-158-144-0-1)"), then the student/student combination would be relatively easy to deduce...

    I then made a bold statement: "...once the malicious user has even limited access, then it is relatively trivial for them to create a script to find the root password via a dictionary attack..."

    No one questioned me, but after the presentation, I started to wonder whether or not this was as easy as I'd led everyone to believe. After much "googlin'," I was unable to come up with a single page that discussed such an exploit. However, it seems that something like this would be relatively easy to implement... though I'm not sure exactly how it would be... does anyone else???

    Anyway, sorry about going on and on and on... it's late and I'm a little faded...

    -Wiski
    My Corner of the Intarwebz: Jeremy Dean Online

  2. #2
    nihil (Senior Member) | Join Date: Jul 2003 | Location: United Kingdom: Bridlington | Posts: 17,190

    > I then made a bold statement: "...once the malicious user has even limited access, then it is relatively trivial for them to create a script to find the root password via a dictionary attack..."

    I think you restricted yourself a bit? Surely the strength of the password will determine the degree of triviality.

    If it is a non-dictionary password, a dictionary attack cannot work, because it won't be there. They would have to brute force it or install a keylogging/password sniffing program.

    The problem as I see it is that it is the thin end of the wedge... once they have got in maybe all they would need would be a sufficiently authorised superuser with a weak login and password?

    But then, shouldn't you be looking at your logs, running IDS and auditing for weak passwords?

    just a thought

  3. #3
    wiskic10_4 (Senior Member) | Join Date: Jan 2004 | Location: Corpus Christi, TX | Posts: 254

    > I think you restricted yourself a bit? surely the strength of the password will determine the degree of triviality.
    >
    > If it is a non-dictionary password, a dictionary attack cannot work, because it won't be there. They would have to brute force it or install a keylogging/password sniffing program.

    Absolutely - one of the main points I made during the presentation was the fact that weak passwords combined with generic usernames were creating potential security holes... the su password on this particular server was indeed a dictionary word, however...

    > But then, shouldn't you be looking at your logs, running IDS and auditing for weak passwords?

    Correct again... actually, my partner in this project wrote a "logger" which was essentially a script written to combine the commands of several UNIX logging functions into one.

    I intend to set up an IDS during the winter break; I'd like to place one of the older workstations in front of the switch equipped with BSD; this box would be the "pinch-point" for the network, complete with snort, ethereal, etc. This shouldn't cause a "bottleneck" as long as I allow the investigative programs to drop packets, right?

    As far as weak passwords, I wrote a Java program earlier in the semester that would read in a list of the names of computer science majors, and would generate strong user passwords using an algorithm based upon modulus math, a cipher alphabet of symbols, and the student's full name.

    While it will be used next year to create the initial student passwords, my boss insisted that users be able to change their password, and that I must find a way to ensure they use strong passwords... I suggested that they e-mail me first for verification, but she suggested I write a script to do it... <...more work... >

    My Corner of the Intarwebz: Jeremy Dean Online
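
One way to script the password-change check described in the last post, which also covers the weak-password audit raised in post #2. This is an added example, not code from anyone in the thread; the word list, thresholds and function names are assumptions.

```python
import re

# Constructed sample word list; in practice load a full system word list.
SAMPLE_WORDS = {"student", "password", "welcome", "dragon", "falcon", "summer"}

# Undo common character substitutions before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 12   # assumed policy value, not from the thread
MIN_CLASSES = 3   # assumed: out of lower, upper, digit, symbol


def normalize(text):
    """Strip leading/trailing decoration, reverse substitutions, keep letters."""
    stripped = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", text)
    return re.sub(r"[^a-z]", "", stripped.lower().translate(LEET))


def check_password(username, full_name, candidate, words=SAMPLE_WORDS):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, candidate)) for c in classes) < MIN_CLASSES:
        problems.append("too few character classes")
    core = normalize(candidate)
    # Identity tokens: the login name plus each part of the full name.
    tokens = [normalize(t) for t in [username, *full_name.split()]]
    if any(len(t) >= 3 and t in core for t in tokens):
        problems.append("contains username or real name")
    # A dictionary word stays weak when reversed or decorated with digits.
    if core in words or core[::-1] in words:
        problems.append("dictionary word")
    return problems


if __name__ == "__main__":
    # The student/student account from the thread fails every check.
    print(check_password("student", "Sample User", "student"))
    print(check_password("jdoe", "Jane Doe", "Dr4g0n!!2004"))
    print(check_password("jdoe", "Jane Doe", "Quiet-Harbor7-Mosaic"))
```

Run over the existing account list, the same function serves as the audit; on a password change it rejects the new value whenever the returned list is non-empty.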
