
Re: DNS and cats: Password leaks are security holes

W. Martin Borgert once wrote:
> On 2008-08-28 20:40, Simon Valiquette wrote:
>> That's obviously true, but that doesn't cover the case when logs are copied to a second system with sysadmins that don't have access to the first server. And if someone uses the standard 514 syslog port instead of using an SSL tunnel or the newer syslog-tls on port 601, well you get cleartext passwords on the wire (yes, people sometimes make stupid mistakes).
>
> I once typed a password accidentally in the address line of a web
> browser, which popped up in the wrong moment. This resulted in a
> DNS query for my password. I hereby declare it a security bug,
> that the web browser tries to resolve my password! :~)

It could be worse: it could have googled for your password, and found many instances of it. ;o)

>> Personally, I would prefer never to see passwords stored in clear text anywhere, whatever the file permissions are.
>
> We're talking here about a password that has been typed
> accidentally for other information. We're not talking about a
> regular password store. If the password is good, nobody will
> assume a password, but think, that a cat ran over the keyboard.

For the browser thing, yes maybe.

For the syslog thing, when I see garbage as a username, my first reflex would be to immediately think that it is a password, and I expect it to be the password for one of the next few successful account logins.

The next thing I would do is to try the same password for other systems, as people often reuse the same password, or a variation on the same password. So cracking one computer might help the attacker to crack many other systems. Yes, people should probably change their password if they mistakenly used it once as a username, and should use different passwords for different systems. But in the real world, laziness is very common.

I personally believe that the risks of leaking passwords are usually much higher than the risk of seeing an attack unnoticed because it is written "unknown" for the username instead of what the user really typed in. In most cases, I don't believe it will affect much the probability of noticing the attack.

And if you really want to get more information about the attacker, honeypots are your friends, on which it would be smart to log every username, whether they really exist or not.

Simon Valiquette

PS: I also almost forgot to say that there are tools like logcheck that will leak passwords over the net. For many systems, where confidentiality is not an issue, that kind of tool is very convenient and passwords are almost the only really valuable information that could be leaked in the logs.
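The "write unknown instead of the username" mitigation discussed in this thread, as an added example that is not code from the original post or from any Debian tool: a filter that rewrites sshd "Invalid user" messages before they are forwarded to remote syslog or mailed by logcheck. The sample log lines, the KEEP_NAMES set of common scanner probe names (kept because they carry attacker intel and are unlikely to be someone's password) and the function name are assumptions made for this example.

```python
import re

# Constructed sample auth log lines (not from the original thread); the
# addresses are from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges.
SAMPLE_LOG = """\
Aug 28 20:40:01 host sshd[1201]: Invalid user Tr0ub4dor&3 from 203.0.113.5 port 40022
Aug 28 20:40:02 host sshd[1201]: Failed password for invalid user Tr0ub4dor&3 from 203.0.113.5 port 40022 ssh2
Aug 28 20:40:09 host sshd[1205]: Accepted password for simon from 203.0.113.5 port 40030 ssh2
Aug 28 20:41:17 host sshd[1210]: Invalid user admin from 198.51.100.7 port 51000
"""

# Assumed list of names that scanners probe all the time; keeping them costs no
# secrecy and preserves some information about the attack.  Anything else
# typed into the username field is treated as a possible password.
KEEP_NAMES = {"admin", "test", "guest", "oracle", "ubuntu"}

# sshd writes "Invalid user NAME from ADDR" and "... for invalid user NAME from ADDR".
# The non-greedy match up to " from " also covers a pasted password containing spaces.
INVALID_USER_RE = re.compile(r"(?P<prefix>\b[Ii]nvalid user )(?P<user>.+?)(?= from )")


def redact_unknown_users(text, keep_names=KEEP_NAMES):
    """Return (sanitized text, number of usernames replaced by 'unknown').

    Lines about existing accounts (e.g. 'Accepted password for simon') are left
    untouched; the source address, port and the fact of the failure are kept,
    so the attempt is still visible in the forwarded log.
    """
    count = 0

    def replace(match):
        nonlocal count
        if match.group("user") in keep_names:
            return match.group(0)
        count += 1
        return match.group("prefix") + "unknown"

    sanitized = [INVALID_USER_RE.sub(replace, line) for line in text.splitlines()]
    return "\n".join(sanitized) + "\n", count


if __name__ == "__main__":
    cleaned, redacted = redact_unknown_users(SAMPLE_LOG)
    print(cleaned, end="")
    print(f"# {redacted} username(s) replaced by 'unknown'")
```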
