
password recovery: is anyone happy?
05-24-2011, 05:30 PM (This post was last modified: 05-24-2011 05:34 PM by bobocat.)
Have you all read the very lucid accounts of the HBGary break-in recently? Ars Technica has a good series of articles on it.

It all boils down to a bit of luck on the part of the hackers, a bit of lax security practices on the part of users, and a bit of social engineering.

Now it's an open secret that people re-use passwords. Yes, we all agree that they shouldn't, even security professionals at HBGary, but we do. Some don't, but we can't ignore the reality that probably 90% of computer users do reuse some passwords in some ways. This is prima facie evidence that passwords should never, under any circumstances, be transmitted or stored in cleartext. At minimum, salt and hash them, even if the algorithm is not the best in the world (MD5).

Another part of the equation is the username. I'm surprised at how easy it is to see which users share my machine and what domains are hosted. I mentioned this to DH a few days ago, but they didn't seem too interested, stating that they couldn't think of how that information would be too useful. I don't know either as I'm not a hacker and I don't know if it's standard for Linux to reveal that sort of information.

It would seem to me, though, that if you wanted to hack someone's account, you need three keys: domain, username, and password. If two of those are freely available, that puts all the security on just the password, which is in cleartext. Not being able to know the username in advance, in addition to the password, would seem more secure.

Just for the record, to see what domains are hosted on your machine, you can type:
Code:
$ cat @
and hit tab twice for autocomplete. According to DH support, it's trying to guess which email address you want, so it lists all of the available domains.

To see most of the usernames on your machine, type:
Code:
$ ls -l /tmp/sess_a* | awk '{print $3}' | sort -u
You can change the final a of 'sess_a' to be 0-9 or a-z. Leaving it off will produce a list too big to process. But basically, all PHP session files seem to be stored in /tmp, so it's pretty easy to see the owner's account names. Granted, you can't actually read the contents of any PHP session files which you do not own, but it's just interesting that DH has blocked:
Code:
$ ls /home/
perhaps in an attempt to maintain privacy, but then allowed that information to be seen by anyone in /tmp.

Anyway, as I said, I'm new to Linux and security, so I don't know if these are standard practices or not, but after reading the account of HBGary's break-in, I'm much more cautious and suspicious than I used to be. I'm also eagerly awaiting an account of the Sony break-in... Could it happen at DH as well?
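Added example, not part of bobocat's post and not DreamHost code: a small Python illustration of the "at minimum, salt and hash them" point above. It stores the same reused password for two different accounts first as unsalted MD5 (the weak floor the post mentions) and then as a salted, iterated record, so you can see why a leaked table of unsalted hashes reveals password reuse at a glance and a salted one does not. The choice of SHA-256 via PBKDF2, 200,000 iterations and a 16-byte salt are assumptions made for this example; the post specifies none of them.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters assumed for this example only; the post just says "salt and hash".
HASH_NAME = "sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_md5(password: str) -> str:
    """The weak baseline: one deterministic digest per password.

    Two users who reuse the same password get the identical stored value,
    so a leaked table immediately shows who shares a password, and a
    precomputed (rainbow) table cracks every row at once.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record of the form 'algo$iterations$salt_hex$hash_hex'.

    A fresh random salt per record means the same password hashes
    differently for every user, and the iteration count makes each guess
    expensive for an attacker who obtains the table.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return f"{HASH_NAME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the digest with the salt and parameters stored in the record."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so a verifier does not leak matching prefixes.
    return hmac.compare_digest(digest.hex(), hash_hex)


def reuse_visible(store: dict) -> bool:
    """True if any two accounts in the store hold byte-identical credentials."""
    values = list(store.values())
    return len(values) != len(set(values))


if __name__ == "__main__":
    # Constructed sample: two accounts that reuse one password.
    reused = "correct horse battery staple"
    weak_store = {"alice": unsalted_md5(reused), "bob": unsalted_md5(reused)}
    good_store = {"alice": make_record(reused), "bob": make_record(reused)}

    print("unsalted md5 reveals reuse:", reuse_visible(weak_store))  # True
    print("salted records reveal reuse:", reuse_visible(good_store))  # False
    print("login check:", verify(reused, good_store["alice"]))  # True
```

The `verify` function reads the algorithm and iteration count back out of the record, so the parameters can be raised later without breaking existing rows; old records simply get re-hashed the next time the user logs in successfully.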

