LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-22-2013, 06:23 AM   #1
kevinyeandel
Member
 
Registered: Jun 2008
Posts: 49

Rep: Reputation: 16
local accounts and vulnerability


Hi

Got forwarded an interesting mail from a friend's security manager who is contesting that their machines are at risk from "password guessing" as in the GPU monster thing detailed in the article he is circulating:

http://securityledger.com/new-25-gpu...ds-in-seconds/

Been through the same pain where security disabled all local passwords in favour of SSH keys and RSA.

Could it be construed that perhaps there are vulnerabilities in the company infrastructure (firewalls and network)?

I ask because as I see it, if you limit the network access by mac address and monitor failed attempts then surely the risk has to come from the inside?

And if the risk is on the inside then you have to commission 25 internal machines to password crack what can be found on the network that can be reached to make the article valid?

He also tells me that a number of their Linux servers have an uptime of 400+ days. Surely these "internet facing" Unix boxes are more of a risk than having local passwords disabled?

Thanks for any feedback.

Kevin
 
Old 01-22-2013, 10:45 AM   #2
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,671
Blog Entries: 4

Rep: Reputation: 3945
Pragmatically, risks could come from anywhere. Practicing the "principle of least privilege" (and "least access") is an excellent idea. For instance, internal network servers might indeed be limited to accept connections only from the known TCP/IP subnets ... "computers are really awful at saying 'yes' but really good at saying 'no.'"

You should presume that there are unknown holes in any armor plate. Each machine should be appropriately hardened, so that you do not have the "chocolate bon-bon problem" ... a hard, crunchy exterior full of sweet, unguarded juicy parts.

SSH keys (including password-protected i.e. encrypted ones) have the same advantage as the badges you wear do: either you've got one (and it's still valid), or you don't. Either way, it is uniquely yours.

However, always remember that SSH will start with the most-restrictive security option ... then step right on down to the least(!) one ... accepting the least(!!) one that it has been told that it may accept. You must specifically exclude password-authentication. Also, if your company uses a company-wide authority such as LDAP, your servers should uniformly be configured to refer to it as the authority in preference to individual system files.
 
1 members found this post helpful.
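The "step right on down to the least one" point above is about sshd's defaults: PasswordAuthentication is "yes" unless the config says otherwise, and sshd honours the first value it sees for a keyword, so a later line cannot re-enable it. The following audit script is an added example, not code from the thread or from OpenSSH; it reads an sshd_config file (whitespace-separated `Keyword value` form, global section only, Match blocks ignored) and reports whether password logins are actually refused. The two sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the "falls back to password
# authentication" problem. Assumptions: keywords are whitespace separated
# (not Keyword=value) and only the global section before any Match block
# counts as the server-wide setting.

# Effective value of a keyword: the FIRST occurrence outside Match blocks
# (sshd semantics), case-insensitive, or the supplied default if never set.
sshd_effective() {
    # $1 = config file, $2 = keyword, $3 = sshd's built-in default
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        NF == 0 || $1 ~ /^#/ { next }          # skip blanks and comments
        tolower($1) == "match" { inmatch = 1 }  # everything after Match is conditional
        inmatch { next }
        tolower($1) == key && !found { print tolower($2); found = 1 }
        END { if (!found) print def }
    ' "$1"
}

# Returns 0 when password-style logins are disabled, 1 otherwise.
# Both keywords default to "yes" in OpenSSH, so absence means "still open".
sshd_password_auth_disabled() {
    pw=$(sshd_effective "$1" PasswordAuthentication yes)
    cr=$(sshd_effective "$1" ChallengeResponseAuthentication yes)
    [ "$pw" = "no" ] && [ "$cr" = "no" ]
}

# Constructed sample configs (not real hosts): one that relies on defaults,
# one that explicitly refuses the weaker methods.
WEAK=$(mktemp); HARD=$(mktemp)
cat >"$WEAK" <<'EOF'
# constructed: nothing about passwords is set, so sshd defaults to "yes"
Port 22
PermitRootLogin no
EOF
cat >"$HARD" <<'EOF'
# constructed: explicit refusal; the Match block does not change the global value
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF

sshd_password_auth_disabled "$WEAK" || echo "weak config: password logins still accepted"
sshd_password_auth_disabled "$HARD" && echo "hardened config: password logins refused"
rm -f "$WEAK" "$HARD"
```

Run it against `/etc/ssh/sshd_config` by calling `sshd_password_auth_disabled /etc/ssh/sshd_config` from a shell that has sourced the functions; on a live host `sshd -T` prints the fully resolved values and is the authoritative check, this script only shows why an unset keyword is the same as an explicit "yes".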
Old 01-23-2013, 07:51 AM   #3
kevinyeandel
Member
 
Registered: Jun 2008
Posts: 49

Original Poster
Rep: Reputation: 16
Thanks for the super reply.

Question though...

So a system has local passwords stored on the machine - in this case I now learn it has not been patched for 500+ days.

Setting up SSH/LDAP is
1. making a statement that authentication is done off the machine so no point in going in looking at hashed password info.
2. in the case of lack of patching, putting a big lock on a door to a house where some of the windows are open (ref your holes in armor plate analogy).

In context of the "GPU monster" in the article, surely big companies have tools to determine such monsters are not able to access their machines because these armor plates are monitored? Also then is it the case that the vulnerability is that someone would have to lift the password info of the machines (manually) to feed such a monster (a human-resource screening "issue" - I read also most attacks come from the inside).

I am certainly not knocking the LDAP thing - I'm not qualified but I still find the whole thing very interesting.
 
All times are GMT -5. The time now is 09:07 AM.