Christmas wish list - PowerPoint PPT Presentation

Description: If hackers have automatic tools for CGI attacks, couldn't these be included in ... Server sends email with list of weak passwords ...

Slides: 10
Provided by: rwgk

Transcript and Presenter's Notes

1
Christmas wish list
  • Password cracking service
  • HTTP vulnerability scan

2
Jim's friendly email
  (at least) one of the following web attacks was successful against cci,
  in that the /etc/passwd file was read out - yikes! /etc/passwd has the
  crypttext for the root password (i.e. it's not shadowed). I'm blocking
  cci from internet access

  Dec 4 111002 HTTP_SensitiveURI 200-103-127-198.bsace705.dsl.brasiltelecom.net.br/1699 > cci/http 30399 GET /cctbx_build/show_folded.cgi?source../../../../../../../../../../../../../../../../etc/passwd (200 "OK" 1181 cci.lbl.gov)
  Dec 4 111206 HTTP_SensitiveURI 200-103-127-198.bsace705.dsl.brasiltelecom.net.br/1716 > cci/http 30399 GET /cctbx_build/show_folded.cgi?source../../../../../../../../../../../../../../../../etc/shadow

3
(No Transcript)
4
(No Transcript)
5
Immediate reactions
  • Review of all CGI scripts
  • Revealed a few similar vulnerabilities
  • Similar scripts used in multiple places
  • Entire sections of web server disabled
  • Reorganization of CGI scripts
  • Loss of time: one day
  • Root password changed on 30 machines
  • Loss of time: a couple of hours
  • Server back online after about 28 hours

6
Worries remain!
  • CGI scripts are essential but intrinsically
    insecure
  • CGI script developers struggle with the inherent
    complexity: security is only an afterthought
  • CGI scripts are shared with co-workers who copy them
    to other servers: difficult to track down all
    copies if a problem is found later
  • New people get involved in the future:
    unawareness leads to new incidents
  • Quality of passwords is our last line of defense
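The slides don't show show_folded.cgi itself, so the following is an added illustration, not the original script: the unchecked path join that lets a "source" parameter walk out of the build directory, beside a version that resolves the path and refuses anything outside it. The function names, the directory layout and the sample file are assumptions.

```python
import os
import tempfile


def unsafe_resolve(base_dir, source):
    """The pattern behind the incident: the client-supplied 'source' is joined
    onto the base directory unchecked, so a string of '../' segments escapes it."""
    return os.path.join(base_dir, source)


def safe_resolve(base_dir, source):
    """Resolve 'source' inside base_dir and reject anything that lands outside.

    realpath() collapses '..' segments and follows symlinks, so the check is made
    on the final on-disk location, not on the string the client sent (the web
    server has already URL-decoded the query string by the time a CGI sees it).
    Returns the resolved path, or None when the request must be refused.
    """
    if not source or "\0" in source:
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, source))
    # The target must be base itself or a descendant of it.
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def demo():
    """Constructed layout: a throwaway 'cctbx_build' directory with one allowed
    file. Try both resolvers against a legitimate name and against a traversal
    string shaped like the one in the log above."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "cctbx_build")
        os.mkdir(base)
        with open(os.path.join(base, "example.py"), "w") as f:
            f.write("print('hello')\n")
        traversal = "../" * 15 + "etc/passwd"
        escaped = os.path.normpath(unsafe_resolve(base, traversal))
        return {
            "unsafe_escapes": os.path.commonpath([base, escaped]) != base,
            "safe_ok": safe_resolve(base, "example.py") is not None,
            "safe_traversal": safe_resolve(base, traversal),
        }


if __name__ == "__main__":
    print(demo())
```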

7
Password cracking exercise
  • Google search John the Ripper
  • Installs quickly
  • Runs very quickly and pinpoints three weak
    passwords
  • But stops with an error message
  • Bad luck: the John the Ripper web site is down that
    day
  • Time invested: about one hour

8
Password cracking worries
  • Is John the Ripper the best tool to use?
  • Did I use it correctly?
  • Why did it finish so quickly?
  • What does the error message mean?
  • What are word lists and character lists?
  • How important is it to maintain these lists?
  • Answering these questions and ongoing maintenance
    is likely to consume a significant amount of time
    -> likely to fall through the cracks sooner rather
    than later.

9
Could someone please help us protect ourselves
better?
  • If hackers have automatic tools for CGI attacks,
    couldn't these be included in the routine scans
    conducted by CPP?
  • Central password cracking service?
  • Send password files to central server via a cron
    job
  • Server sends email with list of weak passwords
  • Awareness alone will lead to timely fixes in most
    cases
  • Central, professionally managed facility
    maximizes quality and cost efficiency at the same
    time
  • Combination of bondo and password cracking?