Dogbert the Security Consultant Strikes Again: Online Storage of Passwords

Ok maybe I need to rethink associating all Online Password Storage groups in the same realm as Dogbert. Think think think think…hmmmm….NOPE!

A nice aspect of the blog that I put out, for me, is that the backend shows me where a referral comes from, and recently one came from http://www.notsorelevant.com/2008-01-30/is-giving-away-passwords-cool-again/. While the information within the article was interesting, especially the new German application Allyve, I thought the author missed the mark comparing this product to OpenID or OAuth. Allyve works more along the lines of any of the top 3 hits that Google brings back when searching for Online Password Storage: Agatra, Comodo, Handypassword.


Concerns: More on Password Cracking

I was talking with a coworker the other day about password cracking, and I wanted to write up another post regarding that conversation and Michael Coates' comments on a previous article that I wrote.

http://secauditor.wordpress.com/2008/02/21/what-is-more-important-password-expiration-complexity-or-something-else/

There are two main areas that must be looked at anytime an organization enters into password cracking. The first is the transportation and storage of the password database, and the second is the non-repudiation aspect of users once password cracking is entered into. For this article I want to look at the latter. Let’s look at a scenario to start with.


What is more important password expiration, complexity or something else?

I was holding a conversation today about password expiration, and I have decided it isn’t so much about the password strength or the time between password changes. Looking at it, passwords are a primary method used to control access to resources. Because authenticated access is seldom logged, a compromised password is a way to explore a system without causing suspicion. An attacker with a compromised password can access any resource available to that user. So it really comes down to protecting the area that passwords are stored not.

A great example is using a password cracker like Ophcrack: you can crack the password “Fgpyyih804423” in 160 seconds. Most people would consider that password fairly secure. The Microsoft password strength checker rates it “strong”. Now, granted, it is using rainbow tables, but ultimately if your SAM file or /etc/passwd and /etc/shadow files are compromised, you’re pretty much history. Additionally, if you limit failed attempts with lockouts (or a limited-time lockout), I think you are going to prevent the brute force attacks.


Utilizing winexe to create a backdoor

On Thursday of this week I was fortunate enough to work alongside a colleague of mine as we were conducting a forensic investigation. We had retrieved an active laptop and wanted to conduct a live memory dump of the system. Unfortunately there was a password on the screen saver and we didn’t want to compromise the data in any way. His solution to achieve our goals was to utilize a program called winexe on a *nix system.

Winexe allows a person to connect to the IPC$ share of an active host. Now you might say, “What’s the point?” Take a moment and look at it from a corporate investigative standpoint. If you have a system that you possess a local admin account for (perhaps a standard one utilized by the company help desk), you can utilize this to access that IPC$ share.
