First off, please accept my apology for the long lag in summarizing this
thread. After getting excellent replies and formulating them to senior
management, I was then informed that I was forbidden to discuss the security
audit results on this mailing list.
Well, things have changed and permission was granted.
So here goes:
The original post:
<< I just got back my report card from a major vendor, they did a
security audit on our systems.
Three things I have to address:
1. In their war-dialing exercise, they got to a phone number that is
a normal async modem providing basic ASCII dialin to one of our
Alphas. Is there a way to hide the login: prompt or else make the
user do something special to get the prompt to appear.
2. In what I believe was an unfair penetration, they were allowed
inside the building to sniff the firewall protected network. Of
course they eventually saw a telnet session being established and
captured the username and password. From that they got the passwd
file. They suggest that my network traffic should be encrypted!!
Any thoughts on this?
3. Once they got the password file, they were able to crack 5 out of
40 passwords (and root wasn't one of them) after 3 days of brute
force. Can I shadow my password file without going thru the grief of
C2 security? >>
Responses:
1. Alan Davis of DEC says "Modifying the login prompt itself is fairly
painful, it is compiled into the login binary....". Other responders
echoed the same thought.
2. Network encryption cards were suggested, and tossed out as way too
expensive. The best response was to use ssh and turn off the r* commands
(rsh, rlogin, etc).
3. Without turning on C2 then turning off the individual features, there
is no way to do this. Maybe 4.0E will allow a shadow file without the grief
of C2?
Regarding my comment about the "unfair" inside penetration, the responses
were about 50-50 on the validity of such an attack. There is not much I can
do about the inside hack job until the physical security of this building is
beefed up.
Thanks for the responses.
Bob
Received on Fri Jan 15 1999 - 10:23:35 NZDT
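As an added example (not from Bob's post or any of the list replies): a small sh script that checks the two items the responders point at in points 2 and 3, namely whether cleartext login services (telnet and the r* commands) are still enabled in inetd.conf, and whether the world-readable passwd file still carries password hashes rather than a shadow placeholder. The inetd.conf and passwd contents below are constructed samples written to a temporary directory so the script runs offline; on a real host you would point the functions at /etc/inetd.conf and /etc/passwd. The service names and the `x`/`*` placeholder conventions are assumptions about the classic BSD-style formats, not something the post states.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Audits an inetd.conf for enabled cleartext remote-login services and a
# passwd file for hashes that are exposed because the file is not shadowed.

# Write constructed sample files (inetd.conf to $1, passwd to $2).
# The hash string below is a made-up 13-character DES-crypt lookalike.
make_samples() {
  cat > "$1" <<'EOF'
ftp     stream  tcp  nowait  root  /usr/sbin/ftpd      ftpd
telnet  stream  tcp  nowait  root  /usr/sbin/telnetd   telnetd
#shell  stream  tcp  nowait  root  /usr/sbin/rshd      rshd
login   stream  tcp  nowait  root  /usr/sbin/rlogind   rlogind
exec    stream  tcp  nowait  root  /usr/sbin/rexecd    rexecd
EOF
  cat > "$2" <<'EOF'
root:x:0:0:root:/:/bin/sh
bob:abJnggxhB/yWI:1001:100:Bob:/home/bob:/bin/sh
ops:*:1002:100:Ops:/home/ops:/bin/sh
EOF
}

# Print the cleartext login services still enabled (uncommented) in inetd.conf.
# telnet sends the password in the clear; shell/login/exec are rshd/rlogind/rexecd.
cleartext_services() {
  awk '$1 !~ /^#/ && ($1 == "telnet" || $1 == "shell" || $1 == "login" || $1 == "exec") { print $1 }' "$1"
}

# Count passwd entries whose second field is a real hash rather than a
# shadow placeholder ("x", "*", empty, or a locked "!..." entry).
unshadowed_hashes() {
  awk -F: '$2 != "" && $2 != "x" && $2 != "*" && $2 !~ /^!/ { n++ } END { print n + 0 }' "$1"
}

# Demo run against the constructed samples.
DEMO_DIR=$(mktemp -d)
make_samples "$DEMO_DIR/inetd.conf" "$DEMO_DIR/passwd"
echo "Cleartext login services still enabled:"
cleartext_services "$DEMO_DIR/inetd.conf"
echo "passwd entries with an exposed hash: $(unshadowed_hashes "$DEMO_DIR/passwd")"
```

Each enabled service the first function reports is a line to comment out in inetd.conf (followed by a HUP to inetd) once ssh is in place; a non-zero count from the second function means a copy of the passwd file, however obtained, is directly usable as cracker input.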