On smaller networks, the best way to determine if user passwords have been
compromised is to be familiar with your users' habits.

Example: Joe logs in from dialupipat_private twice a day or so, and you know
this because you diligently watch your logs. Joe's been doing this oh, every
day or so for the past six months. Then one day, you notice in your logs that
Joe has started logging in from someip.somenetwork.cz. On my network, that
would be pretty unusual, prompting me to ask Joe about it.

That's a pretty extreme example, but familiarity with your users and their
habits goes a LONG way towards detecting a security breach.

I do of course realize how much more difficult this becomes in a serious
enterprise environment with thousands upon thousands of users. However, I've
written scripts in the past to parse my system logs to determine where any
individual is most likely to log in from, then look for changes.

/*-----------------------------------*/
/* I live with FEAR every day.       */
/* But, sometimes, she lets me RACE. */
/*-----------------------------------*/
KT Morgan
Network Engineer
Checkpoint Firewall-1 CCSA/CCSE
Microsoft MCP
Software Systems Group, Inc

the compaq support website, crib notes version:
"you can't do that."

On Thu, 7 Oct 1999 sean.kellyat_private wrote:

> > From: Rex Murphy [mailto:rmurphyat_private]
> >
> > Is there a product that can identify "hacked Passwords." I had a
> > conversation with someone and they mentioned that such a
> > product existed.
>
> You can run the software people have written to hack passwords on your
> password file to determine "hackable" passwords. My friend did this a lot
> in college and sent alerts to the sysadmin. As far as determining if a
> password has been "hacked," how is this possible? "Hacked" could mean
> shoulder-surfed or guessed, i.e. there would be nothing to distinguish a
> hacker logging on to an account from the actual user logging into the
> account. Unless they mean detecting hack attempts, and this kind of thing
> is generally in place in systems already.
>
> Sean
>
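
A sketch of the kind of log-parsing script the message describes (learn where each user usually logs in from, then flag changes), added here as an example and not the poster's own code. It assumes OpenSSH-style "Accepted ... for USER from HOST port N" lines; the function names and all sample log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample data: six months of history is stood in for by a few lines.
HISTORY = "\n".join(
    [f"Oct {d:2d} 08:15:00 gw sshd[{400 + d}]: Accepted password for joe "
     f"from dialup{d % 4}.isp.example port {1000 + d} ssh2" for d in range(1, 7)]
    + [f"Oct {d:2d} 09:00:00 gw sshd[{450 + d}]: Accepted password for ann "
       f"from 198.51.100.{d} port {2000 + d} ssh2" for d in range(1, 3)])
RECENT = """\
Oct  7 08:03:10 gw sshd[501]: Accepted password for joe from dialup2.isp.example port 1101 ssh2
Oct  7 23:41:52 gw sshd[502]: Accepted password for joe from someip.somenetwork.cz port 1102 ssh2
Oct  7 23:50:00 gw sshd[503]: Accepted password for ann from 203.0.113.9 port 1103 ssh2
"""

# Assumed log format (OpenSSH-style successful login line).
LOGIN_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port \d+")

def source_key(src):
    """Coarsen a source so a dial-up pool counts as one origin:
    IPv4 -> its /24, hostname -> its last two labels."""
    if re.fullmatch(r"\d+(\.\d+){3}", src):
        return ".".join(src.split(".")[:3]) + ".0/24"
    return ".".join(src.lower().split(".")[-2:])

def parse_logins(text):
    """Yield (user, origin) for every successful login line."""
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            yield m["user"], source_key(m["src"])

def build_baseline(history):
    """Count, per user, how often each origin appears in the history."""
    baseline = defaultdict(Counter)
    for user, origin in parse_logins(history):
        baseline[user][origin] += 1
    return baseline

def find_changes(baseline, recent, min_history=5):
    """Return (user, new_origin, usual_origin) for logins from unseen origins."""
    alerts = []
    for user, origin in parse_logins(recent):
        seen = baseline.get(user, Counter())
        if sum(seen.values()) < min_history:
            continue  # too little history to call anything unusual
        if origin not in seen:
            alerts.append((user, origin, seen.most_common(1)[0][0]))
    return alerts

if __name__ == "__main__":
    for user, new, usual in find_changes(build_baseline(HISTORY), RECENT):
        print(f"{user}: login from {new}, usually {usual} - worth asking about")
```

The min_history threshold keeps new accounts from alerting on every login; an alert here is a prompt to ask the user, as in the Joe example, not proof of compromise.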
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:42:58 PDT