Re: DNS and cats: Password leaks are security holes
W. Martin Borgert once wrote:

> On 2008-08-28 20:40, Simon Valiquette wrote:
> > That's obviously true, but that doesn't cover the case when logs are
> > copied to a second system with sysadmins that don't have access to the
> > first server. And if someone uses the standard 514 syslog port instead of
> > using an SSL tunnel or the newer syslog-tls on port 601, well, you get
> > cleartext passwords on the wire (yes, people sometimes make stupid

> I once typed a password accidentally in the address line of a web
> browser, which popped up at the wrong moment. This resulted in a
> DNS query for my password. I hereby declare it a security bug
> that the web browser tries to resolve my password! :~)

It could be worse: it could have googled for your password, and found
many instances of it. ;o)

> > Personally, I would prefer never to see passwords stored in clear text
> > anywhere, whatever the file permissions are.

> We're talking here about a password that has been typed
> accidentally for other information. We're not talking about a
> regular password store. If the password is good, nobody will
> assume a password, but think that a cat ran over the keyboard.

For the browser thing, yes, maybe.

For the syslog thing, when I see garbage as a username, my first reflex
would be to immediately think that it is a password, and I expect it to be
the password for one of the next few successful account logins.

The next thing I would do is to try the same password for other
systems, as people often reuse the same password, or a variation on the
same password. So cracking one computer might help the attacker to crack
many other systems. Yes, people should probably change their password if they
mistakenly used it once as a username, and should use different passwords
for different systems. But in the real world, laziness is very common.

I personally believe that the risks of leaking passwords are usually
much higher than the risk of seeing an attack go unnoticed because it is
written "unknown" for the username instead of what the user really typed
in. In most cases, I don't believe it will much affect the probability of
noticing the attack.

And if you really want to get more information about the attacker,
honeypots are your friends, on which it would be smart to log every
username, whether they really exist or not.

PS: I also almost forgot to say that there are tools like logcheck that
will leak passwords over the net. For many systems, where confidentiality
is not an issue, that kind of tool is very convenient and passwords are
almost the only really valuable information that could be leaked in the logs.
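The mitigation argued for above (write "unknown" in place of the typed string) and the tell described above (a garbage username followed shortly by a successful login from the same address) can be combined into a small filter that sits in front of logcheck or a remote syslog forwarder, so that the string never leaves the box while the admin still learns that an account needs a password change. This is an added example, not code from the thread or from logcheck: the log lines are constructed, the regular expressions assume OpenSSH's "Invalid user" / "Failed password for invalid user" / "Accepted ... for" message formats, and the 60-second correlation window and the POSIX-style username pattern are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample auth.log lines in OpenSSH/syslog format; the host,
# account names and addresses are invented for this example.
SAMPLE_LOG = """\
Aug 28 20:40:01 host sshd[1234]: Invalid user Tr0ub4dor&3 from 192.0.2.10
Aug 28 20:40:01 host sshd[1234]: Failed password for invalid user Tr0ub4dor&3 from 192.0.2.10 port 51022 ssh2
Aug 28 20:40:07 host sshd[1240]: Accepted password for alice from 192.0.2.10 port 51023 ssh2
Aug 28 20:41:30 host sshd[1250]: Invalid user admin from 198.51.100.7
Aug 28 20:41:30 host sshd[1250]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2
Aug 28 20:42:00 host sshd[1260]: Accepted publickey for bob from 203.0.113.5 port 22222 ssh2
"""

# Lines where sshd echoes a non-existent username back into the log.
INVALID_RE = re.compile(
    r"^(?P<head>.*sshd\[\d+\]: (?:Invalid user|Failed password for invalid user) )"
    r"(?P<user>\S+)(?P<tail> from (?P<ip>\S+).*)$"
)
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")
# Assumed shape of a real login name on a typical Unix box.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def parse_time(line):
    """Syslog timestamps carry no year; the 1900 default is fine for differences."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def looks_like_password(name):
    """Uppercase, punctuation or a long mixed string is a cat, not an account."""
    return not USERNAME_RE.match(name)


def sanitize(log_text, window=60):
    """Return (sanitized_lines, alerts).

    An invalid-user line is redacted to "unknown" when the name does not look
    like a username, or when the same source address logs in successfully
    within `window` seconds (the typo-then-retry pattern).  Each alert names
    the account(s) that should rotate their password; the redacted string
    itself is never written anywhere.
    """
    lines = log_text.splitlines()
    accepted = []
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((parse_time(line), m.group("ip"), m.group("user")))

    sanitized, alerts, seen = [], [], set()
    for line in lines:
        m = INVALID_RE.match(line)
        if not m:
            sanitized.append(line)
            continue
        t, ip, user = parse_time(line), m.group("ip"), m.group("user")
        later = [u for (ta, ia, u) in accepted
                 if ia == ip and timedelta(0) <= ta - t <= timedelta(seconds=window)]
        if looks_like_password(user) or later:
            sanitized.append(m.group("head") + "unknown" + m.group("tail"))
            key = (line[:15], ip, user)  # one alert per attempt, not per line
            if key not in seen:
                seen.add(key)
                alerts.append({"time": line[:15], "ip": ip, "rotate": sorted(set(later))})
        else:
            # Ordinary scanner guesses such as "admin" stay visible for detection.
            sanitized.append(line)
    return sanitized, alerts


if __name__ == "__main__":
    clean, found = sanitize(SAMPLE_LOG)
    print("\n".join(clean))
    for a in found:
        print("ALERT: probable password typed as username at %s from %s; "
              "accounts to rotate: %s" % (a["time"], a["ip"], ", ".join(a["rotate"]) or "unknown"))
```

Run on the sample, the first two lines come out with `unknown` where `Tr0ub4dor&3` was and a single alert points at `alice` on 192.0.2.10, while the `admin` guess from 198.51.100.7 is left intact because it neither looks like a password nor precedes a successful login from that address. The alert deliberately carries the account name and source address only; the suspect string is dropped at the first hop so neither the logcheck mail nor a cleartext port-514 forward can carry it.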