[ISN] Beware the Ides of March

From: InfoSec News (isnat_private)
Date: Mon Mar 24 2003 - 00:43:52 PST


    +------------------------------------------------------------------+
    |  Linux Security: Tips, Tricks, and Hackery                       |
    |  Published by Onsight, Inc.                                      |
    |                                                                  |
    |  23-March-2003                                                   |
    |  http://www.hackinglinuxexposed.com/articles/20030323.html       |
    +------------------------------------------------------------------+
    
    This issue sponsored by Open Source Web Development with LAMP
    
    OSWD w/ LAMP by James Lee and Brent Ware presents a comprehensive
    overview of LAMP technologies - Linux, Apache, MySQL, Perl, PHP, WML,
    Embperl, and Mason - and allows the reader to decide which tool may
    be appropriate for the particular task at hand. It focuses on the
    most important core material necessary so that developers can "hit
    the ground running" and begin building applications right away, while
    improving reliability and dramatically cutting costs.
    
    For reviews, sample chapters, or to order, go to
    www.opensourcewebbook.com
    
    --------------------------------------------------------------------
    
    Beware the Ides of March
    By Brian Hatch
    
    Every year on March 15th my mother would act out the death of Julius
    Caesar. From the warning he received as a young child from the grimy
    soothsayer, his speech to his "Friends, Romans, Countrymen", the
    assassin sneaking up behind him for the strike, a truly pained "Et tu
    Brute?", and a couple of final gurgles. Oh, the last death throes of
    a great ruler, acted out yearly in the kitchen, or hallway, or -- if
    you were really late waking up -- your very own bedroom. Now that
    we're out of the house, March 15th means an early morning phone call
    from home, but it's lost none of its potency.
    
    Now you might be wondering why in the heck a security column should
    begin with the Ides of March. Or, even more interestingly, why it
    would begin with the Ides of March a week after the Ides of March.[1]
    Well, fear not, I'll get to the point.
    
    I can't imagine what you might do should you be woken some morning to
    the retelling of the fall of an empire, but to me it's a reminder that
    it's time to change my passwords. Most security folks suggest you
    change your passwords at least once or twice a year. One of the most
    frequently suggested times is the change to and from daylight saving
    time. But for me, it's the Ides of March.[2]
    
    So what makes a bad password? Anything associated with you or your
    likes, desires, or quirks. Anything out of a dictionary in any
    language. The name of your relative, pet, significant other,
    favourite movie, phone number, birthday, or favourite colour. These
    things are either easy to guess if someone knows you, or can be
    cracked fairly easily by password-guessing programs, which try
    dictionary words and personal details long before they try random
    strings.
    
    And most importantly, any password that you've used before is right
    out.
    
    So what makes a good password? It depends somewhat on your
    password-hashing algorithm. Most new Linux installs use a stronger
    scheme such as MD5-crypt (the "$1$" hashes shown below), which hashes
    a password of any length. Older installs used the traditional
    DES-based crypt(3), which uses only the first 8 characters of the
    password and silently ignores the rest. (MD5-crypt was the strong
    choice in 2003; bcrypt, the later SHA-crypt schemes and yescrypt have
    since superseded it.) It's best for you to ask your administrator
    which kind of hashing algorithm is used on the system before you
    choose a password.
    
    If you are the administrator, it's not too hard to see which kind of
    hashing algorithm is the default. For example, change the password
    for jdoe and then do the following:
    
      old_des_style# grep jdoe /etc/shadow
      jdoe:m1kbsnKnULUKs:12133:0:99999:7:::
           ^^^^^^^^^^^^^
      md5_style#     grep jdoe /etc/shadow
      jdoe:$1$e0/v1t9O$y/SxZxbiHsesW5HbeZRHq0:12133:0:99999:7:::
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    
    (I've underlined each password hash above with caret symbols to make
    it easier to see them.)
    
    On the first host, the passwd program is configured to use the older
    DES-style password hashes. The password hash is the 13 character long
    string "m1kbsnKnULUKs": the first two characters ("m1") are the salt
    and the remaining 11 are the hash. The second host uses MD5 hashing
    instead, as can be seen from the much longer hash
    "$1$e0/v1t9O$y/SxZxbiHsesW5HbeZRHq0": the "$1$" prefix identifies the
    scheme, "e0/v1t9O" is the salt, and the 22 characters after the final
    "$" are the hash. There are other possible password hashing
    routines[3] but these are the two you're most likely to have
    available.
    
    So, once you've determined which kind of password hashing algorithm
    your machine uses, what makes a good password? Since each type of
    algorithm has different characteristics, here are my recommendations:
    
    Traditional DES-based
    
      * 6 to 8 characters long
      * No more than 8 characters - extras are ignored
      * Characters drawn from several of the following four character
        classes, ideally one or more from each:
          + Lower Letters ( abcd...wxyz )
          + Upper Letters ( ABCD...WXYZ )
          + Numbers ( 1234567890 )
          + Other Characters ( !@#$%^&* etc )
      * A good way of creating a short but entropy-laden password is to
        take the first letter of each word in a phrase, and add some
        weird characters to it or convert some letters to other
        characters, for example:
       
          + Where did I leave my keys? => WdIlmk?
          + Linux kicks Window's a**. => lKW's&**
          + Open Source and LAMP make my day => 0S&lmmd%
    
    MD5-based
    
      * A short password (6-8 chars long) that satisfies the above rules,
        or
       
      * A 'passphrase' which
          + Should be at least 15 characters long (15-40 is a good rule
            of thumb)
          + Has a variety of characters, not simply 'aaaabbbbcccc' -- use
            at least two or three of the four classes above.
          + Can incorporate dictionary words as long as the passphrase is
            long enough. For a short password, using dictionary words is a
            horrible idea, but a long passphrase built from several of
            them is far less vulnerable to brute-force and dictionary
            attacks, because the attacker has to guess the whole
            combination rather than one word. For example:
           
              o Bridge-dare!prone
              o I'd_rather-run=DJBDNS
              o March^last(if you ask me)
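
    To make the two rule sets concrete, here is an added example (my
    code, not the column's) that checks a candidate password against
    them: under 'DES' it applies the rules to the first 8 characters and
    flags what crypt(3) would silently drop; under 'MD5' it takes the
    passphrase route for 15 characters or more and the short-password
    route otherwise. The wordlist is a constructed stand-in for a real
    dictionary, and the thresholds of three classes for a short password
    and eight distinct characters for a passphrase are my reading of the
    rules above, not numbers from the column.

```python
"""Check a candidate password against the column's DES and MD5 rules.

Added example; not code from the column.  WORDLIST and the thresholds
below are assumptions, flagged where they are defined.
"""
import string

# The four character classes listed above.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "other": set(string.punctuation) | {" "},
}

# Constructed stand-in for a real wordlist (assumption: a deployment would
# load /usr/share/dict/words or a cracking wordlist instead).
WORDLIST = {"password", "linux", "caesar", "brutus", "bridge", "dare",
            "prone", "march", "rather", "secret"}

# Assumed thresholds: the column says to mix the four classes (its own
# short examples use three or four) and to avoid 'aaaabbbbcccc'-style
# passphrases, which is read here as "at least 8 distinct characters".
MIN_CLASSES_SHORT = 3
MIN_CLASSES_PHRASE = 2
MIN_DISTINCT_PHRASE = 8
PHRASE_LENGTH = 15


def char_classes(pw):
    """Names of the character classes that occur in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def check_password(pw, scheme):
    """Return a list of problems with pw under 'DES' or 'MD5' rules.

    An empty list means the password passes.
    """
    problems = []
    if scheme == "DES":
        # DES crypt(3) silently uses only the first 8 characters, so the
        # rules are applied to that prefix and the dropped tail is flagged.
        if len(pw) > 8:
            problems.append(f"only the first 8 characters count; {pw[8:]!r} is ignored")
        pw = pw[:8]
    elif scheme != "MD5":
        raise ValueError("scheme must be 'DES' or 'MD5'")

    if scheme == "MD5" and len(pw) >= PHRASE_LENGTH:
        # Passphrase route: dictionary words are tolerated, but the phrase
        # must mix classes and must not be a run of repeated characters.
        if len(char_classes(pw)) < MIN_CLASSES_PHRASE:
            problems.append(f"passphrase uses fewer than {MIN_CLASSES_PHRASE} character classes")
        if len(set(pw)) < MIN_DISTINCT_PHRASE:
            problems.append(f"passphrase has fewer than {MIN_DISTINCT_PHRASE} distinct characters")
        return problems

    # Short-password route: 6 to 8 characters, several classes, no
    # dictionary word.  Under MD5 the whole string is hashed, so a 9 to 14
    # character password is judged here as well, without truncation.
    if len(pw) < 6:
        problems.append("shorter than 6 characters")
    n = len(char_classes(pw))
    if n < MIN_CLASSES_SHORT:
        problems.append(f"uses only {n} of the 4 character classes (need {MIN_CLASSES_SHORT})")
    if pw.lower() in WORDLIST:
        problems.append("dictionary word")
    return problems


if __name__ == "__main__":
    for scheme, pw in [("DES", "WdIlmk?"), ("DES", "password"),
                       ("DES", "Where did I leave my keys?"),
                       ("MD5", "Where did I leave my keys?"),
                       ("MD5", "Bridge-dare!prone"), ("MD5", "aaaabbbbcccc")]:
        print(f"{scheme:<4} {pw!r:<30} {check_password(pw, scheme) or 'OK'}")
```

    The instructive case is the phrase "Where did I leave my keys?": as an
    MD5 passphrase it passes, but under DES the checker reports that only
    "Where di" would be hashed, which is why the column reduces the phrase
    to its initials ("WdIlmk?") for DES systems.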
    
    The most important thing, regardless of which password hashing
    algorithm your system uses, is that your password should be easy for
    you to remember[4] but hard for others to guess or crack.
    
    And the other most important thing -- never send your password over an
    unencrypted channel. Use SSH for logins, and SSL/TLS-enabled versions
    of any protocols that use passwords, such as IMAPS instead of IMAP, or
    STARTTLS for SMTP. A cracker doesn't need to guess or crack your
    password if he can read it off the wire directly.
    
    NOTES:
    
    [1] I thought I should finish up that three part SSH Port Forwarding
    thread before I accosted you with sentimental childhood memories.
    
    [2] I use SSH keys for almost all my connections, and I barely ever
    log in using an actual password, so the chances they'll be snagged
    are pretty low. Besides, I get copies of all the logs showing my
    login times and methods, so I'd notice pretty quick if any of my
    passwords have been compromised. I keep my SSH identities on my
    laptop only, and change them more frequently.
    
    [3] For example, Owl Linux supports traditional DES, BSDI-style DES,
    FreeBSD-style MD5, and OpenBSD-style Blowfish hashes.
    
    [4] If you need to write it down on a sticky note, you're in trouble.
    
                                -------------                            
    Brian Hatch is Chief Hacker at Onsight, Inc and author of Hacking
    Linux Exposed and Building Linux VPNs. His wife fears that he will
    continue the yearly ritual with their lovely and impressionable
    daughter. But hey - it's history, educational, and even contains a
    little Latin. Can't be all bad, right? Brian can be reached at
    brianat_private
    
    --------------------------------------------------------------------
    This newsletter is distributed by Onsight, Inc.
    
    The list is managed with MailMan (http://www.list.org). You can
    subscribe, unsubscribe, or change your password by visiting
    http://lists.onsight.com/ or by sending email to
    linux_security-requestat_private
    
    Archives of this and previous newsletters are available at
    http://www.hackinglinuxexposed.com/articles/
    
    --------------------------------------------------------------------
    
    Copyright 2003, Brian Hatch.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    


