Category Archives: Security

Unix accounts primer

Posted by on February 2, 2006

This is a quick primer on what Unix accounts are and the different roles that they can have. While the terminology being used is for Unix (and Linux/Mac OS X), the ideas can be used for some other systems as well.

What is an account?

Unix and Linux computers were designed to have many different people (accounts) using the same computer at the same time, remotely connected by networks.

Each account is separate from every other account, so one person’s work will not interfere with another person’s work on the same system, even if they are both using the system at the same time.

Normally, a Unix system requires you to authenticate yourself (prove that you have access rights) before it will let you use system resources. This helps determine such things as what resources you are allowed (printers, applications, etc), where to put your files, the types of permissions you have, and what preferences you have set for your work environment.

To authenticate you, most Unix systems ask for a username (account name) and password. The combination of the two helps determine what you are allowed to use and do once you log in.

How many accounts should you have?

Different accounts for different privileges

Unix is a multi-user system, and not all users need to have the same privileges. Here are a few examples of the different roles you might see on any given system.

User accounts

This is a normal account. A user account has limited access to anything outside of its own work environment. Its owner might create and edit documents, run applications and utilities, and do other normal day-to-day work.

They usually cannot change system settings that would affect other users, only themselves. They can only modify their own account and preferences.

If you think in terms of keys and responsibilities, a user account only has a key to their own office space. They do not have keys to other people’s offices or to the front doors of the building. If you lose that one key, only one office might be compromised and only one lock needs to be changed.

There are usually many different users on a Unix system.

Administrator accounts

Administrators have more responsibilities than regular user accounts. They might be able to create/modify/delete other users, change system-wide settings, install software or hardware, and perform maintenance or upgrades that affect all users.

Experienced administrators only log in with these privileges when they need to. They usually use a regular user account when doing day-to-day work. This least-privilege-required mentality helps the overall security of the system.

To continue on with our keys analogy, the administrator is like a custodian. They have keys to many offices, in addition to broom closets, electrical panels, and so on. If the keychain is lost, many locks need to be changed, and a serious security breach has occurred.

There may be more than one administrator for a Unix system.

Superuser (root) accounts

The superuser, or root, account is the most powerful account on a Unix system. It can do anything, delete any files, and can cause complete chaos if in the wrong hands. Many system administrators will only use the root account when they have to, and then switch to a lesser account as soon as they have completed the task required.

The root user has the ‘skeleton’ key. It opens all doors in the building. If it gets lost, people lose their jobs.
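As an added example (not part of the original post), a small defender-side audit that maps the entries of a passwd-format file onto the roles described above. Any account with UID 0 is root, whatever it is called, so listing them is the first check an administrator makes; the sample file, the helper names and the UID 1000 cutoff are my own constructed assumptions.

```python
# Constructed passwd-format sample (not copied from any real system).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
toor:x:0:0:second UID 0 account:/root:/bin/sh
svc:x:1002:1002:service account:/var/svc:/usr/sbin/nologin
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
FIRST_USER_UID = 1000  # common convention; assumption, check login.defs on a real host


def parse_passwd(text):
    """Parse passwd-format lines into dicts (name, uid, gid, home, shell)."""
    accounts = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        accounts.append({"name": name, "uid": int(uid), "gid": int(gid),
                         "home": home, "shell": shell})
    return accounts


def role_of(account):
    """Map an account onto the primer's roles. 'Administrator' cannot be
    read from passwd alone (it lives in sudoers or the wheel group), so it
    is not reported here."""
    if account["uid"] == 0:
        return "superuser"
    if account["uid"] < FIRST_USER_UID:
        return "system"
    return "user"


def superuser_accounts(accounts):
    """Every account with UID 0 is root, whatever its name."""
    return [a["name"] for a in accounts if a["uid"] == 0]


def interactive_accounts(accounts):
    """Accounts whose login shell lets them log in interactively."""
    return [a["name"] for a in accounts if a["shell"] not in NOLOGIN_SHELLS]
```

On a real host, feed it the contents of /etc/passwd; more than one UID 0 entry is something to explain or remove.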

Dictionary Attacks: “8@d P@55\/\/0rDz” Part 2

Posted by on January 30, 2006

One of the most common ways of protecting access to information or a computer account is with a username and a password. If someone wants to try to gain access to your account, the username is often quite easy to guess (email address, for example) so all they might need to figure out is the password.

One method of cracking the password is with a login dictionary attack.

With this kind of attack, software consecutively tries words from a list in a dictionary file (also known as a wordlist). Other attacks, like brute force attacks, are also effective, but in real life dictionary attacks succeed so often because people base their passwords on short, easy to remember words. The larger the dictionary file, the better the chance the attack will succeed.

While a research attack requires some basic knowledge of a person or system, a dictionary attack can be effective without any starting point. However, if you know that someone speaks French, English, and Spanish, you can load up those three dictionaries as a starting point, effectively narrowing your focus to relevant choices.

You can easily find dozens of human-language dictionaries for these types of attacks in minutes. Why did I say human? There are also Vulcan, Klingon, and other non-human dictionaries available. Actually, word lists go way beyond basic language dictionaries. Celebrities, aircraft, cars, brand names, sports terms, model numbers, jargon, and pretty much anything else that someone might use for a password has been thought up and added to a word list.

Better attack software might also do character manipulation. It’s common practice for people to substitute the number zero for the letter o, for example, or the number one for the letter l.

The software might try:

  • dig, Dig, DIg, DIG, dIG, diG, dIg
  • dog, Dog, DOg, DOG, dOG, doG, dOg
  • dug, Dug, DUg, DUG, dUG, duG, dug

as well as:

  • d1g, D1g, D1g, D1G, d1G, d1G, d1g
  • d0g, D0g, D0g, D0G, d0G, d0G
  • dvg, Dvg, Dvg, DvG, dvG, dvG
  • dVg, DVg, DVg, DVG, dVG, dVG
  • d19, D19, D19, D19, d19, d19, d19
  • d09, D09, D09, D09, d09, d09
  • dv9, Dv9, Dv9, Dv9, dv9, dv9, dv9
  • di9, Di9, DI9, DI9, dI9, di9, dI9
  • do9, Do9, DO9, DO9, dO9, do9, dO9
  • du9, Du9, DU9, DU9, dU9, du9, du9

Common character substitutions include:

  • A → 4
  • B → 8
  • E → 3
  • g → 9
  • T → 7
  • V → \/
  • i → 1
  • L → 1
  • O → 0
  • S → 5
  • M → /\/\
  • W → \/\/

Also, decent word lists will contain common (and not so common) misspellings. They will also contain keyboard patterns (asdf, qwerty) and common variations of any known pattern of characters that people tend to use.

Tip: don’t use words based on any kind of dictionary, even if you purposely misspell or manipulate the characters.
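As an added example (not from the original post), here is the tip turned into a defender-side password check: it undoes the case changes and the character substitutions listed above and asks whether what is left is a plain dictionary word, which is exactly what the attack software described would find. The wordlist is a constructed stand-in for a real file, the helper names are my own, and the extra @ → a mapping is assumed from the post’s title rather than its table.

```python
import itertools

# Reverse of the substitution table in the post. Multi-character sequences
# are undone first; '1' is ambiguous (i or l), so it expands to both.
MULTI_CHAR = [("/\\/\\", "m"), ("\\/\\/", "w"), ("\\/", "v")]
SINGLE_CHAR = {"4": "a", "8": "b", "3": "e", "9": "g", "7": "t",
               "0": "o", "5": "s", "1": "il",
               "@": "a"}  # assumed from the post's title, not its table

# Constructed mini wordlist; a real check would load a large file.
WORDLIST = frozenset({"dog", "dig", "dug", "password", "moon", "vox"})

MAX_CANDIDATES = 1024  # guard against exponential expansion on long inputs


def candidate_words(password):
    """All plain words this password could be a case/substitution mutation of."""
    s = password.lower()
    for seq, letter in MULTI_CHAR:
        s = s.replace(seq, letter)
    choices = [SINGLE_CHAR.get(c, c) for c in s]
    total = 1
    for c in choices:
        total *= len(c)
    if total > MAX_CANDIDATES:
        raise ValueError("too many candidate expansions")
    return {"".join(combo) for combo in itertools.product(*choices)}


def is_dictionary_based(password, wordlist=WORDLIST):
    """True if any de-mutated form of the password is a dictionary word."""
    return any(word in wordlist for word in candidate_words(password))
```

A real deployment would load the same wordlists the attack tools use; this check only rejects what those lists would already catch.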

Keeping consumer confidence under lock and key.

Posted by on January 26, 2006

Some companies just don’t get it. I am helping a friend purchase something on the Web, and the site is asking for personal, confidential information (name, password, email, credit card information, etc) on a non-secure page.

Are you kidding me? We read the privacy page, and they go on about how secure their system is, yet they are asking for personal credit card information over a non-secure connection.

I wonder how many people even notice these things.

As a consumer, never give personal information to companies you do not know or trust, unless you are ready to take the risk of this information getting used or ‘misplaced’ without your knowing.

Also, never give this kind of information away unless you have a secure connection. How do you know you are running a secure connection? The first thing to look at is the address of the Web page. Normal (non-secure) Web pages start with http (HyperText Transfer Protocol). Secure connections start with https. The https means you are running over Secure Sockets Layer (SSL).

Also, your Web browser should display a ‘closed lock’ or a solid key (as opposed to no lock, an open lock, no key, a broken key, or whatever).

Now, technically, you could be on a secure page and not see these clues that you are reasonably safe. This is because some Web sites use ‘frames’ for their pages, which might prevent you from seeing these important security clues. This is their loss. As more and more people learn about safe online practices, Webmasters will have to become aware that just saying a site is safe is not going to convince everyone. They have to prove it.

Brand spoofing, phishing, keystroke loggers, and malware are taking their toll on consumer confidence. Real companies need to be aware of this, and make every effort to inform their users that they are legit.

I have little doubt that the major company I was trying to help my friend make a purchase from was legitimate, but I do think they doubt how savvy consumers are becoming. Otherwise, they would have taken the time to ensure their site looked, acted, and was secure.

This is not a complete list by any means, but here are a couple of tips, off the top of my head, for keeping consumer confidence:

  • Take the time to inform people on what your security policies are. What steps do you take to ensure that information that is transmitted to you is secure (SSL)? How do you protect the information once it is on your servers? What are your policies about using/sharing/selling that information? Make that information easy to find and understand.
  • Put up a FAQ on what SSL is, how it works, and other related content. The more information like that you have on your site, the more it shows customers you are open, honest, and informative. Discuss what cookies and other technologies are and how you use them.
  • Let users easily contact you via email, a form, a forum, phone, fax, or whatever. If they have questions about whether you are legit or not, hiding contact information is not going to ease their concerns.
  • Give people control over their accounts. If you let people register for services, let them change their personal/account/contact information, and let them subscribe and unsubscribe at will. Let them delete their account, or at the very least, make it easy to request these changes (and of course, fulfill their requests in a timely fashion).
  • If someone makes a mistake when they fill out a form, use JavaScript to check it right away and give helpful error messages. Give examples of the format you want the information in before it is entered, not after. Don’t waste their time and yours. In case they have JavaScript turned off, double-check the data on the server. Again, make sure that any error messages you give are clear and concise, and re-populate the correct data in the form before they proceed to fix the mistakes. No one likes to fill in 15 fields of information twice. They will probably get frustrated and leave.