This month’s TechNet brings an excellent article on why we need to patch even in SBS land:

Microsoft TechNet – Help: I Got Hacked. Now What Do I Do?:
http://www.microsoft.com/technet/security/secnews/articles/gothacked.mspx

Cleaning up after something happens is not fun. Patch, firewall and antivirus: keep all three in place and you have closed off most of what these attacks rely on. In the newsgroups we’re seeing reports from SBSers that they are getting dictionary attacks on their accounts.

Funny thing is, the website www.incidents.org talked about these password “bot” attacks on their web site the other day. Bottom line… think of them as passphrases, not passwords, and make them alphanumeric. I usually substitute numbers for vowels and add things from the top row of the keyboard like $ or ! or &. Next, make them longer than 7 characters; length is what drives the “entropy” up, and a short password has very little of it no matter which characters you use.

Entropy (theory): a measure of the disorder of a system. Systems tend to go from a state of order (low entropy) to a state of maximum disorder (high entropy). [pssst… translation… just make them long, alphanumeric and hard to guess. If they are less than 7 characters and in the dictionary, LC4 (L0phtCrack) or John the Ripper can crack them pretty quickly, and both tools try the usual letter-for-number substitutions as rules, so the extra length is what really buys you time.]
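To put numbers on the advice above, here is an added example (not code from the original post, SANS or any cracking tool): it computes the naive entropy of a password from its length and character pool, then runs it against a small constructed wordlist with the kind of case, vowel-substitution and suffix rules a cracker applies. The wordlist, rule set and sample passwords are all assumptions made up for the example; a real run would use a full dictionary and John the Ripper’s rules.

```python
"""Added example: naive password entropy versus wordlist-plus-rules cracking.
Not from the original post; wordlist and rules are constructed stand-ins."""
import math
import string

# Constructed mini wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "secret", "letmein", "monkey", "summer", "sbs"]

# Constructed rule set: vowel-for-symbol/number swaps and common suffixes,
# the same kind of mangling John the Ripper's rules apply to every word.
LEET_VOWELS = {"a": "@", "e": "3", "i": "1", "o": "0"}
SUFFIXES = ["", "!", "1", "123", "$"]


def pool_size(pw):
    """Size of the character pool implied by the classes present in pw."""
    pool = 0
    if any(c in string.ascii_lowercase for c in pw):
        pool += 26
    if any(c in string.ascii_uppercase for c in pw):
        pool += 26
    if any(c in string.digits for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)  # 32 printable symbols
    return pool


def entropy_bits(pw):
    """Upper-bound entropy in bits: length * log2(pool), assuming each
    character were chosen uniformly at random (they rarely are)."""
    pool = pool_size(pw)
    return len(pw) * math.log2(pool) if pool else 0.0


def rule_candidates(word):
    """All variants of a dictionary word that the constructed rules produce."""
    leet = "".join(LEET_VOWELS.get(c, c) for c in word)
    bases = {word, word.capitalize(), word.upper(), leet, leet.capitalize()}
    return [b + s for b in sorted(bases) for s in SUFFIXES]


def cracked_by_wordlist(pw):
    """Return the base dictionary word if pw is a mangled form of it, else None."""
    for word in WORDLIST:
        if pw in rule_candidates(word):
            return word
    return None


def guess_count():
    """How many candidates the whole wordlist-plus-rules run tries."""
    return sum(len(rule_candidates(w)) for w in WORDLIST)


def assess(pw):
    """Summarise a password: length, naive entropy, and whether the
    wordlist-plus-rules run cracks it. Anything cracked or under 8
    characters is called weak, matching the post's 'longer than 7' advice."""
    base = cracked_by_wordlist(pw)
    weak = base is not None or len(pw) < 8
    return {
        "length": len(pw),
        "bits": round(entropy_bits(pw), 1),
        "dictionary_base": base,
        "verdict": "weak" if weak else "ok",
    }


if __name__ == "__main__":
    print("candidates tried by the rule run:", guess_count())
    for pw in ["monkey", "Summer1", "P@ssw0rd!", "blue-tractor-eats-44-pancakes!"]:
        print(pw, assess(pw))
```

The point the run makes: “P@ssw0rd!” scores about 59 bits by the naive formula, yet the rule run recovers it in a few hundred guesses because it is still the word “password” underneath. The long phrase scores higher and, more importantly, is not a mangled dictionary word at all.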

“Worm Passwords List

Passwords are, in general, the weakest link in the corporate security strategy. In the 2003 edition of SANS Top 20 vulnerabilities, weak passwords are listed as one major vulnerability:
http://www.sans.org/top20
Item 4.1 Description:

“Passwords, passphrases and/or security codes are used in virtually every interaction between users and information systems. Most forms of user authentication, as well as file and data protection, rely heavily on user or vendor supplied passwords. In addition, since properly authenticated access is often not logged, or if logged not likely to arouse suspicion, a compromised password is an opportunity to explore a system virtually undetected. An attacker in possession of a valid user password would have complete access to any resources available to that user, and would be significantly closer to being able to access other accounts, nearby machines, and perhaps even obtain root level access on this system. Despite this threat, user and administrator level accounts with poor or non-existent passwords are still very common. As well, organizations with a well-developed and enforced password policy are still uncommon.

The most common password vulnerabilities are: (a) user accounts that have weak or nonexistent passwords; (b) user accounts with widely known or openly displayed passwords; (c) system or software created administrative level accounts with widely known, weak, or nonexistent passwords; and (d) weak or well known password hashing algorithms and/or user password hashes that are stored with weak security and are visible to anyone.

The best defense against all of these vulnerabilities is a well developed password policy that includes: detailed instructions for users to create strong passwords; explicit rules for users to ensure their passwords remain secure; a process in place for IT staff to promptly replace weak/insecure/default or widely known passwords and to promptly lock down inactive or close down unused accounts; and a proactive and regular process of checking all passwords for strength and complexity. ”

In today’s ISC Webcast, we talked about an example of a password list that was used by malware known as “IRCBot” to guess/brute force passwords to get access on systems.

This list is available at:
http://isc.sans.org/presentations/ircbot_pwlist.txt

Did you miss our monthly ISC Webcast?
Check out the Webcast archives: http://www.sans.org/webcasts/archive.php”
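The IRCBot list in the diary above is used over the network, one account at a time, so on an SBS box the evidence is a burst of failed logons. As an added example (not from the original post, the ISC diary or any Microsoft tool), the following reads a constructed export of the Windows security log and flags two patterns: an account hit by many failures in a short window, and a single source trying several account names (a bot walking its list). The log lines, column layout, addresses and thresholds are all assumptions made for the example; the event IDs are real (529 is the Windows 2003 failed-logon event, 4625 its successor on later versions, 528 the 2003 successful logon).

```python
"""Added example: spot bot password guessing in a security log export.
Not from the original post; the log sample below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for an exported security log:
# time, event ID, account, source address. Real exports carry more columns.
SAMPLE_LOG = """\
2005-03-10 02:01:05,529,Administrator,203.0.113.7
2005-03-10 02:01:07,529,Administrator,203.0.113.7
2005-03-10 02:01:09,529,Administrator,203.0.113.7
2005-03-10 02:01:11,529,Administrator,203.0.113.7
2005-03-10 02:01:13,529,Administrator,203.0.113.7
2005-03-10 02:01:15,529,Administrator,203.0.113.7
2005-03-10 02:01:20,529,backup,203.0.113.7
2005-03-10 02:01:22,529,test,203.0.113.7
2005-03-10 02:01:24,529,sbs,203.0.113.7
2005-03-10 08:15:02,529,susan,192.168.16.42
2005-03-10 08:15:30,528,susan,192.168.16.42
"""

# 529 = Logon Failure (Windows 2003 era); 4625 = An account failed to log on.
FAILED_LOGON_IDS = {"529", "4625"}


def parse(text):
    """Turn the export into (timestamp, event_id, account, source) tuples.
    Account names are lower-cased because Windows compares them case-insensitively."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, source = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       event_id, account.lower(), source))
    return events


def brute_force_accounts(events, window=timedelta(minutes=5), threshold=5):
    """Accounts with at least `threshold` failed logons inside any `window`.
    Returns {account: highest failure count seen in one window}."""
    stamps_by_account = defaultdict(list)
    for ts, event_id, account, _ in events:
        if event_id in FAILED_LOGON_IDS:
            stamps_by_account[account].append(ts)

    flagged = {}
    for account, stamps in stamps_by_account.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it is within `window` of ts.
            while stamps[start] < ts - window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[account] = max(flagged.get(account, 0), count)
    return flagged


def spraying_sources(events, min_accounts=3):
    """Sources whose failed logons touch at least `min_accounts` distinct
    account names: the signature of a bot trying its list across accounts."""
    accounts_by_source = defaultdict(set)
    for _, event_id, account, source in events:
        if event_id in FAILED_LOGON_IDS:
            accounts_by_source[source].add(account)
    return {src: sorted(accts) for src, accts in accounts_by_source.items()
            if len(accts) >= min_accounts}


def report(text):
    """Both checks over one export, as a dict the caller can act on."""
    events = parse(text)
    return {"brute_forced": brute_force_accounts(events),
            "spraying": spraying_sources(events)}


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the sample the Administrator account shows six failures in ten seconds and 203.0.113.7 is seen trying four different account names, while the user who mistyped once and then logged on successfully is not flagged. The thresholds are deliberately low for a small office; tune them against a normal day of your own log before alerting on them.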

