[vox] password stolen at linuxworld

ME vox@lists.lugod.org
Sun, 10 Aug 2003 08:48:46 -0700 (PDT)


Bummer to hear about this. Hopefully nothing is lost, and the system(s)
can be recovered.

Few people want salt rubbed into wounds, so if you don't then don't read
further.

You want to read an "I Told You So" from August 2001?

http://lugod.org/mailinglists/archives/vox-tech/2001-08/msg00050.html

...
'One last thing to point out, as many people new to ssh don't realize:
"SSH is for creating a 'secure' connection over an insecure network. It
is NOT secure on insecure machines or for securing insecure machines!"'
...

(I cannot stress the statement above enough. Then there is this paragraph
which is ominously scary as predictions go...)

'So, if you go to a library, ISP, friend's house, or Moscone Center for
MacWorld and use a Java based ssh client to connect to your server or a
client you install on their machine, you could be opening up your server
for a break-in. A keyboard sniffer, or trojaned OS at the site you are
using could grab your password as you type it on the keyboard! SSH is
good for working between machines that you trust and "own", not so good
with machines you do not own. The security model is just blown out of the
water because it does not seek to solve the problem of making the client
machine secure. (Not its problem to solve, never was.)'
...

On the positive side, you are not alone. There are *many* skilled and
educated people who have not considered this and opened themselves up for
a break-in by using insecure machines.

Another comment, if you are running an SSH server, you should also set it
up to only permit ssh2 and not ssh1, and of course keep your ssh up to
date!

On some of my servers, I set up a special web page that was available via
htaccess authenticated https that permitted me to open up a hole in the
firewall rules for the IP address from which I was connecting. Then after
a specified time, the hole was automagically closed. It required setting
up a script that utilized a sudo/super based command that could be issued
from "nobody" but it only accepted one argument (a valid ip address) and
anything other than an IP address was removed. This permits a default rule
of deny for ssh so long as people can get to https based web page to open
a hole for their connection. Some day, I might release it, but the
code-base sucks. (This only acts as an extra layer of security to permit a
little more time for me to fix/upgrade my service when an exploit exists
but has not yet been published.)

One more thing... One desire people have in using ssh from remote
locations is checking of e-mail. I would like to suggest you consider
using a webmail based system. I use SquirrelMail and have a separate
userdb for imap authentication. This permits me to use and have a
different password for webmail than I have and use with ssh. If someone
steals my webmail password, they can see my e-mail, but can't read my
pgp/gpg messages, and I can always change my password when I later gain
access to a secure machine.

-ME

Bill Kendrick said:
> On Sun, Aug 10, 2003 at 04:26:57AM -0700, Ryan Castellucci wrote:
>>
>> Someone at linux world seems to have gotten ahold of my ssh user
>> password from when I used it at linuxworld.
> <snip>
>>
>> I suspect that my password was either shoulder surfed (unlikely, it'd be
>> hard to memorize....) or someone was running man-in-the-middle attacks,
>> and forced an SSHv1 session to prevent a warning, simply prompting for a
>> new key.
>
> Ouch!  Is this something any of the rest of us LWE volunteer folks need to
> worry about?  (I logged into my sonic account numerous times from LWE;
> mostly from Melissa's laptop, but also occasionally from other people's
> laptops, I _think_...  it's all such a blur)
>
>
> Sorry this happened. :(
>
> -bill!
>
> --
> bill@newbreedsoftware.com                           Got kids?  Get Tux
> Paint!
> http://newbreedsoftware.com/bill/
> http://newbreedsoftware.com/tuxpaint/
> _______________________________________________
> vox mailing list
> vox@lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox
>
>
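The "open a hole in the firewall for my IP, close it again later" helper that ME describes above is a small sudo-invoked script whose only input is one IP address, with anything else rejected. The script below is an added illustration written for this archive page; it is not ME's unreleased code and not anything from the list. It assumes a dedicated iptables chain named `SSH_HOLES` that the `INPUT` chain jumps to before its default deny for port 22, that sudoers lets the web server user (`nobody`) run exactly this script and nothing else, and that `IPT` can be pointed at `echo` to dry-run without touching the firewall. The validation is the part that matters: the address is checked as a strict dotted quad before it is ever placed on a command line, so an attacker who has the webmail-style https login still cannot smuggle shell metacharacters or extra arguments through it.

```shell
#!/bin/sh
# Added example (not ME's code): open a time-limited ssh hole for one IP.
# Assumptions: iptables chain SSH_HOLES exists and is consulted before the
# default deny; sudoers permits "nobody" to run only this script.
IPT="${IPT:-iptables}"          # set IPT=echo to dry-run
CHAIN="SSH_HOLES"               # assumed chain name
HOLE_SECONDS="${HOLE_SECONDS:-300}"  # how long the hole stays open

# valid_ipv4 ADDR: succeed only for a dotted quad with four octets 0-255.
# Rejects anything with characters outside [0-9.], leading/trailing or
# doubled dots, the wrong number of fields, or an octet above 255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# hole_rule ADDR: the iptables arguments that accept ssh from ADDR.
hole_rule() {
    printf '%s' "-I $CHAIN -s $1 -p tcp --dport 22 -j ACCEPT"
}

# open_hole ADDR: validate, add the accept rule, schedule its removal.
# Returns 2 for a rejected argument, 1 if iptables failed, 0 on success.
open_hole() {
    addr=$1
    if ! valid_ipv4 "$addr"; then
        echo "rejected: argument is not an IPv4 address" >&2
        return 2
    fi
    # shellcheck disable=SC2046  (word splitting of the rule is intended)
    $IPT $(hole_rule "$addr") || return 1
    # Background timer closes the hole after HOLE_SECONDS ("automagically").
    ( sleep "$HOLE_SECONDS"
      $IPT -D "$CHAIN" -s "$addr" -p tcp --dport 22 -j ACCEPT ) >/dev/null 2>&1 &
    return 0
}

# When run as a script (e.g. via sudo from the https page), take exactly
# one argument; extra arguments are ignored rather than interpreted.
if [ $# -gt 0 ]; then
    open_hole "$1"
fi
```

The web-side CGI only ever calls `sudo /path/to/open_hole.sh "$REMOTE_ADDR"`; because validation happens inside the privileged script rather than in the web page, a bug in the page cannot widen what the script will do. A production version would also want to refuse private or unroutable ranges and to log each opening.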