
Re: Have I been sniffed?



On Fri, Aug 27, 2004 at 10:06:46AM -0700, Alvin Oga wrote:
> 
> 
> On Fri, 27 Aug 2004, Marc Shapiro wrote:
> 
> > The sender address on the SPAM message was my own.  That, of course, is 
> > easy enough for anyone to find.  The name of the sender, however, is 
> > what worries me.  The first name was a word that I use for a LOT of my 
> > passwords, and the last name could have been found in my e-mail.
> 
> could be coincidence or could be that you've been sniffed ..

I usually have two pools of passwords. One for sites that I do not control
(e.g. websites I subscribe to), my "disposable" pool. The other pool is for
"important" sites/passwords. Was this password something that you have used
on websites?
 
> - if you're using wireless...  that's probably a good guess that you've
>   been sniffed

Depends. I have wireless, and three things I do, from least to most
draconian:

1. Turn off SSID broadcasting.
2. Turn on WEP as high as possible (DLinks will do up to 256 bit).
3. Tunnel wireless traffic through a VPN (e.g. OpenVPN).

I recommend doing 1 and 2 anyway, and 3 if you need it.

> > The fact that one of my passwords was used has me wanting to change all 
> > of my important passwords, but if someone has access to my info, then I 
> > want to prevent that before I make the changes.
> 
> always change all password .. whenever you think there is a problem
> or change it every 30 days by practice

The government documents usually recommend 90 days unless you have higher
requirements.

That said, you could also look into something like OPIE (One-time Passwords
In Everything), which is a one-time pad application. The program uses a
seed, a key and a passphrase to generate a list of random words to use as a
password. Each set of passwords only lasts for one use.

If you opt not to use OPIE, make sure you use good passwords. As long as
possible, using all four character groups (uppercase, lowercase, numbers
and special characters).

> 	- when changing passwd ... only change it if you can sit
> 	in front of the machine, otherwise, they'll sniff your new
> 	passwd too
> 
> > What can I do to verify if someone is sniffing my keyboard, 
> 
> keyboard sniffers is the scary animal ... 
> 	- in windozeland, you can run trojan detectors to find sniffers
> 
> 	- in linuxland ... it's a highly skilled hacker/cracker ( in my
> 	book ) to be able to overwrite the keyboard device drivers
> 		- time to get professional help if that occurs
> 
> > and what precautions should I be taking.
> 
> - implement a spam filter to bounce emails that you consider to be spam
> 	- dozen-2-dozen (trivially implementable) rules of what is spam
> 
> - if you're paranoid ... 
> 	- see if chkroot will find anything
> 	- see if you see anything odd in your logs
> 	( ssh/telnet/ftp/irc connections to some other ip# you don't know )

Are you using a firewall? If not, I would run iptables on your machine.
I would also use Nessus and nmap to scan for any unknown/unanticipated
ports/services. Use these tools regularly. Also consider an intrusion
detection system, both host-based (e.g. tripwire/samhain/etc.) and network
(e.g. snort).

> 	- netstat -v,
> 
> 	- you should be running tripwire, aide, or equivalent
>  
> - don't use wireless ..... assume everybody is sniffing all your data

or, wireless safely. There is a decent article on Ars Technica called
Essential Home Wireless Security at
http://arstechnica.com/paedia/w/wireless-security-howto/home-802.11b-1.html

> - don't use telnet ....... use ssh instead

And use key-based authentication rather than password based. Passwords used
in ssh are still sent over the network, whereas, passphrases are kept
local, as they are only used to decrypt the private key.

> - don't use ftp .......... use scp/winscp instead
> - don't use pop3/imap .... use secure pop3 instead
> 
> - on and on and on ... its an endless game ...

True. Decide what level of security you need and are comfortable with
administering, get to that level and stay there. The final thing I would
recommend would be to stay aware of current vulnerabilities with your
distribution. There are several sites which cover vulnerabilities,
secunia.com, securityfocus.com (the Bugtraq list), osvdb.org,
cve.mitre.org. However, if you want a concise breakdown by distribution,
check out the Linux Advisory Watch, which comes out every Friday.

> - always make rotating backups ...
> 	- even days to the even backup server
> 	- odd days backup to the odd backup server

Good idea, the only problem is that most breaches are not detected within 2
days, so it is likely that both backup servers are going to be compromised
if one is. Of course, if you are running a host-based IDS, you will know
exactly when the breach occurred, and which backups to restore from.

Hope that helps,
--
--Brad
========================================================================
Bradley M. Alexander                       |
IA Analyst, SysAdmin, Security Engineer    |   storm [at] tux.org
Debian/GNU Linux Developer                 |   storm [at] debian.org
========================================================================
Key fingerprints:
DSA 0x54434E65: 37F6 BCA6 621D 920C E02E  E3C8 73B2 C019 5443 4E65
RSA 0xC3BCBA91: 3F 0E 26 C1 90 14 AD 0A  C8 9C F0 93 75 A0 01 34
========================================================================
Law #5: Weak passwords trump strong security.
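As an added illustration of the OPIE advice above (not code from the thread or from the OPIE project), this is an S/Key-style one-time password chain of the kind OPIE implements: the client derives password n from seed and passphrase, the server stores only the last accepted value, and a captured password cannot be replayed or used to derive the next one. SHA-256 and hex output are assumed here in place of OPIE's MD5 folding and six-word encoding, so it is not wire-compatible with OPIE.

```python
import hashlib
import hmac


def initial_key(seed: str, passphrase: str) -> bytes:
    # Step 0 of the chain: hash the seed and the (client-side only) passphrase.
    return hashlib.sha256((seed + passphrase).encode()).digest()


def step(key: bytes) -> bytes:
    # One link of the hash chain; easy forward, infeasible to invert.
    return hashlib.sha256(key).digest()


def otp(seed: str, passphrase: str, n: int) -> bytes:
    """Password number n: the initial key hashed n times."""
    key = initial_key(seed, passphrase)
    for _ in range(n):
        key = step(key)
    return key


class OtpVerifier:
    """Server side: keeps only the sequence number and the last accepted password."""

    def __init__(self, seed: str, passphrase: str, n: int):
        # Enrollment happens once, at the console; the passphrase is never stored.
        self.seed, self.seq, self.last = seed, n, otp(seed, passphrase, n)

    def challenge(self):
        # Ask for the password one step before the stored one.
        return self.seq - 1, self.seed

    def verify(self, response: bytes) -> bool:
        if self.seq <= 1:
            return False  # chain exhausted: re-enroll with a fresh seed
        if not hmac.compare_digest(step(response), self.last):
            return False
        self.seq, self.last = self.seq - 1, response  # advance down the chain
        return True


def demo():
    seed, passphrase = "ke1234", "correct horse battery staple"  # constructed values
    server = OtpVerifier(seed, passphrase, n=100)
    n, s = server.challenge()               # server asks for password 99
    pw = otp(s, passphrase, n)              # client computes it locally
    first = server.verify(pw)               # accepted
    replay = server.verify(pw)              # sniffed copy is rejected
    n2, _ = server.challenge()
    second = server.verify(otp(seed, passphrase, n2))  # next one in the chain works
    return first, replay, second
```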


