LINUX TIPS AND TRICKS --- July 28, 2000

Published by ITworld.com, the IT problem-solving network 
http://www.itworld.com/newsletters 

*********************************************************************

Combating Dictionary Attacks 
by Danny Kalev 

Password attack is a generic term for any activity that tries to crack, 
alter, delete or otherwise tamper with a system's password database in 
order to break in or weaken its security. A dictionary attack is a 
specific type of password attack: it tries to recover users' passwords 
on a given machine by guessing them systematically. 

How does a dictionary attack actually work? Traditional Linux systems 
store passwords with crypt(3), a one-way hash built on the DES 
algorithm. The stored value cannot be decrypted, but anyone who can 
compute the same hash can test guesses against it, and three things 
make guessing cheap. First, many users choose passwords that are easy 
to guess. Second, a traditional crypt(3) password is short: only the 
first eight characters are significant. Third, the DES-based hash is 
fast to compute, so an attacker can try a very large number of guesses 
per second. A dictionary attack exploits all three factors. The 
attacker takes a dictionary, or list of words, and hashes each one 
with the same algorithm and the same salt as the target entry. A 
typical word list might contain the entire Webster dictionary, or 
similar corpora of nouns, adjectives and proper names. Tools such as 
Crack also mangle each word in various ways -- reversing or chopping 
it, appending digits, changing the case of letters, and so on -- and 
Crack can transform a single word into no fewer than 4096 distinct 
strings. The tool hashes every variant and compares the result with 
the hashed passwords copied from the target host; on an unshadowed 
system these sit in /etc/passwd, which every local user can read. 
With a fast machine and a good cracking tool, a weak password falls in 
a matter of minutes. 

How can you protect your system from dictionary attacks? As always, 
the first rule is to avoid passwords that are easy to guess. Several 
utilities let a system administrator enforce a strict password policy 
-- rejecting short passwords, or rejecting dictionary words and proper 
names outright, including the mangled forms an attacker would try. A 
password made of a random mixture of letters, digits and special 
characters is far less susceptible to a dictionary attack. Second, 
deny the attacker the hashes: with shadow passwords they move from the 
world-readable /etc/passwd to /etc/shadow, which only root can read, 
so an ordinary user cannot copy them off for an offline run; an 
MD5-based crypt, which most Linux distributions already offer, also 
removes the eight-character limit. Also change passwords periodically. 
Finally, use additional authentication and protection measures, such 
as disabling inactive accounts, running intrusion detection utilities, 
and restricting authorizations. 

Resources 

Expired password? Boot into run level 1 
Taming linuxconf when your passwords expire. 
http://www.linuxworld.com/linuxworld/lw-2000-07/lw-07-geek_2.html 

Java security evolution and concepts, Part 1: Security nuts and bolts 
Learn computer security concepts and terms in this introductory 
overview. 
http://www.javaworld.com/jw-04-2000/jw-0428-security.html 

How secure are you? 
Read this security Q&A to determine whether or not you're overlooking 
any major security holes. 
http://www.sunworld.com/sunworldonline/swol-11-1998/swol-11-webmaster_p.html

*********************************************************************

About the author 
---------------- 
Danny Kalev is a system analyst and software engineer with more 
than 10 years of experience, specializing in C++ and 
object-oriented analysis and design on various platforms including 
VMS, DOS, Windows, Unix, and Linux. His technical interests involve 
code optimization, networking, and distributed computing. He is 
also a member of the ANSI C++ standardization committee and the 
author of ANSI/ISO C++ Professional Programmer's Handbook (Que, 
1999). Contact him at linuxnl@excite.com. 
  
*********************************************************************

CUSTOMER SERVICE 

You can subscribe or unsubscribe to any of your e-mail newsletters by 
updating your form at: 
http://www.itworld.com/cgi-bin/w3-msql/newsletters/subcontent12.html? 

For subscription changes that cannot be handled via the web, please send 
an email to our customer service dept: support@itworld.com 

*********************************************************************

CONTACTS 

* For editorial comments, write Andrew Santosusso, Associate Editor, 
Newsletters at: andrew_santosusso@itworld.com 
* For advertising information, write Dan Chupka, Account Executive at: 
dan_chupka@itworld.com 
* For all other inquiries, write Jodie Naze, Product Manager, 
Newsletters at: jodie_naze@itworld.com 

********************************************************************* 

Copyright 2000 ITworld.com, Inc., All Rights Reserved. 

http://www.itworld.com 
