I just got back my report card from a major vendor, they did a
security audit on our systems.
Three things I have to address:
1. In their war-dialing exercise, they got to a phone number that is
a normal async modem providing basic ASCII dialin to one of our
Alphas. Is there a way to hide the login: prompt or else make the
user do something special to get the prompt to appear?
2. In what I believe was an unfair penetration, they were allowed
inside the building to sniff the firewall protected network. Of
course they eventually saw a telnet session being established and
captured the username and password. From that they got the passwd
file. They suggest that my network traffic should be encrypted!!
Any thoughts on this?
3. Once they got the password file, they were able to crack 5 out of
40 passwords (and root wasn't one of them) after 3 days of brute
force. Can I shadow my password file without going through the grief of
C2 security?
Thanks for any insight,
Bob
Received on Wed Dec 02 1998 - 19:52:58 NZDT