From: Eric Allman
Subject: security problems -- change passwords
Date: Thu, 16 Feb 1995 15:49:18 -0800

Many of you may have read the New York Times article this morning on the arrest of ``Cyberthief'' Kevin Mitnick. (If you haven't, I've put a copy on my office door.) Just to put things in context, we have pretty good evidence that he has been tromping around in our systems (including my workstation -- harumph!). We know that he used a "network sniffer" program to capture passwords, but we have not (and cannot) determine how many he may have gotten. Mr. Mitnick was not working alone, and there is good reason to believe that at least one other person has any passwords that he captured.

Today would be an excellent day to choose a new password. If you have logged in to any other machines (outside of Berkeley) you should change those passwords too -- sniffers can see outgoing as well as incoming traffic, and he was sniffing many nets.

CHANGING YOUR PASSWORD:

When you change passwords, try to avoid typing your new password over the network (unless you are fortunate enough to have an encrypted link). If you change your Kerberos password, do it from your local workstation. (Those of you in EECS who don't have a Kerberos password should get one -- see below.) If you have to change a password on another machine that does not support encrypted sessions, try to do it by physically walking to that machine and changing your password from the console. If you can't do that, keep your fingers crossed.

When you choose a password, try to make it at least eight characters long, with at least one non-alphabetic character. Dictionary words with a digit attached are weak (that is, easy to crack) passwords, and anything related to your own name is very easy to crack. For example, for me passwords like "allman0" and "2eric" are easy passwords to guess, and things like "secret7" are ridiculously trivial.
On the other hand, passwords such as "Y^E11wSub" are harder -- note the use of control-E instead of "e" and the digit 1 instead of the letter "l", and the fact that "yellwsub" is not a dictionary word.

GETTING AND USING KERBEROS (EECS ONLY):

Using Kerberos substantially reduces the risk of having your account cracked, and allows you to encrypt your telnet and rlogin sessions so that people sniffing the net cannot see your private traffic. See /usr/sww/doc/kerberos/quick-start for details. Be warned: you cannot encrypt X windows traffic, so if you are one of those people who likes to start up a remote xterm that displays on your screen you will not have encryption protection. A safer method is to start up a local xterm which sets up an encrypted connection to the remote machine -- for example,

    xterm -e rlogin -x remote-system

will start up such a window connected to "remote-system".

ONE TIME PASSWORDS:

You can configure your UNIX system to use one-time passwords using the S/Key system from Bellcore. One-time passwords are what they sound like -- once you use a password it is no longer usable. While you are in a secure environment (e.g., logged in at your console at work) you can initialize your password list. This will give you (typically) a hundred numbered passwords which you print out and put in your wallet. When you log in (e.g., from home) you type your user name as usual, and then the system prompts you for a given password number. It will be a different number each time. One-time passwords do not give you an encrypted channel -- for example, if you use one-time passwords to log in from an Annex terminal server, you should not then type your Kerberos password, since that will make it susceptible to being stolen. We do not yet have a script to get one-time passwords installed on your workstation -- I hope to have those in a couple of days (but I didn't want to hold up this message).
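The password rules in the message (at least eight characters, at least one non-alphabetic character, no dictionary word with a digit tacked on, nothing related to your own name) are mechanical enough to check with a script. The following is an added example, not something from the original message or from Berkeley's systems; its word list and the user-name list are constructed for the demonstration, and a real check would load /usr/share/dict/words or a cracking wordlist instead. The control-E in "Y^E11wSub" is written as "\x05".

```python
"""Password-choice checker for the rules given in the message above.

Added example, not from the original message. DICTIONARY is a constructed
stand-in for a real wordlist.
"""
import re

# Constructed sample dictionary; a real check would use a full wordlist.
DICTIONARY = {"secret", "yellow", "submarine", "password", "eric", "allman"}

# Digit/punctuation-for-letter substitutions a cracker would undo.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def _candidates(password: str):
    """Yield the forms a cracker would compare against a wordlist."""
    base = password.lower()
    yield base
    # Strip digits or punctuation attached to either end ("secret7", "2eric").
    yield re.sub(r"^[^a-z]+|[^a-z]+$", "", base)
    # Undo common substitutions ("s3cr3t" -> "secret").
    yield base.translate(SUBSTITUTIONS)
    # Drop every non-letter, including control characters.
    yield re.sub(r"[^a-z]", "", base.translate(SUBSTITUTIONS))


def check_password(password: str, user_names=(), dictionary=DICTIONARY):
    """Return the list of reasons the password is weak; empty means it passed."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than eight characters")
    if not any(not c.isalpha() for c in password):
        reasons.append("no non-alphabetic character")
    for cand in _candidates(password):
        if cand in dictionary:
            reasons.append(f"dictionary word {cand!r} with trivial decoration")
            break
    lowered = password.lower()
    for name in user_names:
        n = name.lower()
        if n and (n in lowered or n in lowered.translate(SUBSTITUTIONS)):
            reasons.append(f"contains your name {name!r}")
            break
    return reasons


if __name__ == "__main__":
    for pw in ("allman0", "2eric", "secret7", "yellowsubmarine", "Y\x0511wSub"):
        print(repr(pw), check_password(pw, user_names=("eric", "allman")) or "ok")
```

The checker rejects the three examples the message calls weak and accepts "Y^E11wSub"; note that it only catches the decorations it knows how to strip, so a clean bill from it is necessary, not sufficient.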
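To make concrete what "the system prompts you for a given password number" means, here is the hash-chain construction that S/Key-style one-time passwords are built on, written as an added example; it is not the original message's or Bellcore's code. It keeps the protocol (initialize on a trusted console, print a numbered list, server verifies each password against the previous one and then retires it) but not S/Key's wire details: the real S/Key folds MD4 to 64 bits and prints each password as six short English words, whereas this example truncates SHA-256 to 64 bits and prints hex. The secret, seed and list length are constructed inputs.

```python
"""One-time passwords as a Lamport hash chain (the S/Key construction).

Added example, not from the original message or from Bellcore. Uses
SHA-256 truncated to 64 bits in place of S/Key's folded MD4 and hex in
place of its six-word encoding.
"""
import hashlib


def _step(value: bytes) -> bytes:
    """One chain step: H(x) truncated to 64 bits (8 bytes)."""
    return hashlib.sha256(value).digest()[:8]


def init_chain(secret: str, seed: str, count: int = 100):
    """Run on a trusted console. Password k is H^k(seed || secret).

    Returns (printable list for the wallet, server record). The server
    keeps only seed, the next sequence number and H^count; the secret
    never leaves the console."""
    value = _step((seed + secret).encode())            # H^1
    passwords = {1: value}
    for k in range(2, count + 1):
        value = _step(value)                           # H^k
        passwords[k] = value
    record = {"seed": seed, "next": count - 1, "last": passwords[count]}
    printable = [(k, passwords[k].hex()) for k in range(count - 1, 0, -1)]
    return printable, record


def login_prompt(record):
    """What the system shows instead of 'Password:': the sequence number
    and seed the user looks up on the printed list."""
    return record["next"], record["seed"]


def verify(record, password_hex: str) -> bool:
    """Server side: accept password k only if H(password k) == stored
    H^(k+1); then store password k itself, so it can never be replayed."""
    if record["next"] < 1:
        return False                                   # list exhausted
    try:
        candidate = bytes.fromhex(password_hex)
    except ValueError:
        return False
    if _step(candidate) != record["last"]:
        return False
    record["last"] = candidate
    record["next"] -= 1
    return True


def demo():
    """The exchange described above, with constructed inputs."""
    printable, record = init_chain("correct horse battery", "so42", count=5)
    wallet = dict(printable)                           # the printed list
    n, _seed = login_prompt(record)                    # prompt: 4 so42
    first = verify(record, wallet[n])                  # accepted
    replay = verify(record, wallet[n])                 # sniffed copy: rejected
    n2, _ = login_prompt(record)                       # prompt: 3 so42
    second = verify(record, wallet[n2])                # accepted
    return first, replay, second


if __name__ == "__main__":
    print(demo())                                      # (True, False, True)
```

A sniffer that captures password k learns nothing usable: inverting H to get password k-1 is the preimage problem, and password k itself is refused the moment the server has advanced. The chain is only as good as the console you initialized it on, which is why the message insists on doing that step while logged in locally.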
HOW HE GOT IN:

Mitnick got into my machine by using IP spoofing -- essentially, telling another machine to "masquerade" as a machine that my workstation trusted (that is, a machine that was in my .rhosts file). The fewer machines that your machine trusts, the safer you are. If you use Kerberos regularly you don't have to have any hosts at all in .rhosts. We have reconfigured the routers into Soda Hall to reduce the chance of someone using this attack -- essentially, you have to already be inside the building to use the attack -- and thanks to Ken Lindahl and the DCNS crew a router has been added between the campus and the Internet that filters IP packets there. However, these are hurdles to jump over, not absolute security.

WE ARE A COMMUNITY:

A key point here is that machines together on a network are a community. You may not think that having your machine insecure is a danger to anyone but yourself, but that simply isn't true. If an intruder breaks into a single machine on a network he/she/it can sniff the network, compromising all machines on that network. He/she/it can look through any filesystems you have mounted, reading other people's files. And since they are now inside Soda Hall instead of outside, they can use things like IP spoofing attacks. EVERYONE has a responsibility to ensure that their systems are well managed. Many systems in Soda Hall are very poorly managed today. If any good comes out of this incident it will be to wake people up to the fact that a poorly managed system is a danger to everyone in the department, and that my continual harpings on the subject are not just the rantings of a pedantic madman.

This intruder has stolen proprietary source code and credit card records. He has removed, modified, and vandalized people's files. He has changed passwords, reconfigured and rebooted machines. When he got into my machine he installed a sniffer to steal passwords. He installed trap doors to ensure continued access to my workstation.
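The router change described above amounts to an anti-spoofing filter: a packet arriving from outside the building must not carry a source address that belongs inside, because that is exactly what an attacker impersonating a .rhosts-trusted host sends. The following is an added example of that rule, not the actual router configuration Ken Lindahl's crew installed; the address blocks, trusted host and target are constructed, and it goes one step beyond the message by also showing the symmetric egress check (an inside interface must not emit outside source addresses), which stops the building from being the spoofing source for someone else.

```python
"""Anti-spoofing ingress/egress filter of the kind added at the border.

Added example, not the real router configuration. All addresses below are
constructed (RFC 5737 documentation ranges), not Soda Hall's networks.
"""
import ipaddress

# Constructed: networks behind the router's inside interface.
INSIDE_NETS = [ipaddress.ip_network("192.0.2.0/24"),
               ipaddress.ip_network("198.51.100.0/24")]

# Constructed: the trust relationship an attacker wants to abuse.
TRUSTED_HOST = "192.0.2.10"   # named in the victim's .rhosts
TARGET = "192.0.2.20"         # the victim workstation


def is_inside(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INSIDE_NETS)


def ingress_filter(iface: str, src: str, dst: str) -> str:
    """Return 'drop' or 'allow' for a packet arriving on iface.

    outside -> inside source address: spoofed, drop (the attack above).
    inside  -> outside source address: we would be the spoofer, drop.
    Anything else is passed on; this is a hurdle, not authentication."""
    if iface == "outside" and is_inside(src):
        return "drop"
    if iface == "inside" and not is_inside(src):
        return "drop"
    return "allow"


def filter_packets(packets):
    """Apply the rule to (iface, src, dst) tuples; returns (src, decision)."""
    return [(src, ingress_filter(iface, src, dst)) for iface, src, dst in packets]


# Constructed sample traffic.
SAMPLE_PACKETS = [
    ("outside", "203.0.113.5", TARGET),         # genuine outsider: allow
    ("outside", TRUSTED_HOST, TARGET),          # impersonating trusted host
                                                #   from outside: drop
    ("inside", TRUSTED_HOST, TARGET),           # real trusted host, or an
                                                #   insider spoofing it: allow;
                                                #   the filter cannot tell
    ("inside", "203.0.113.5", "203.0.113.99"),  # outside address leaving: drop
]

if __name__ == "__main__":
    for src, decision in filter_packets(SAMPLE_PACKETS):
        print(f"{src:>14}  {decision}")
```

The third sample packet is the residual risk the message points out: once an attacker is on an inside segment, the border filter never sees the spoofed packet, and only an empty .rhosts (or Kerberos in its place) removes the trust being abused.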
He apparently read my personal files, including my e-mail, copied some of it to another system, and shared it with a friend. As much as I would like to tell you that your personal correspondence is private, that isn't always so. If you have files you want to keep truly private, copy them to tape and remove them from disk, or at least encrypt them.

ENCRYPTING YOUR DATA:

There are several tools available to do encryption. The "crypt" program is available on nearly all UNIX systems everywhere but is relatively easy for a determined person to break (it is cryptographically weak). The "bdes" program (in SWW) is stronger. PGP is quite good, but is really designed for a slightly different purpose, although it can be used. I'm sorry, but I don't know what's available for non-UNIX systems.

FURTHER INFORMATION:

Writing all this down has made it very clear to me that there is a lot of information that needs to be collected together. With that in mind I'll be trying to build a "Systems Administration" web page. The URL will be http://http.cs.berkeley.edu/csdiv/Sysadmin/ You can also contact someone from TCS (in Soda Hall, Craig Lant and Mike Kiernan) or myself.

eric