Re: Hackers

by "Arcady"<arcady(at)jps.net>

 Date:  Tue, 11 Jul 2000 23:03:15 GMT
 To:  hwg-techniques(at)hwg.org
>> 1) As some have suggested, change passwords when an employee leaves. Even if

Actually, change passwords regularly.

Perhaps once a week for the major sysadmin passwords in a network. If it was
me in charge of a network, I'd go down to my local gaming store, one that sold
games like Dungeons & Dragons and thus carried polyhedral dice, and get some with
4 and 20 sides. Write out a chart where the numbers on the dice equal certain
letters, and then use that to get a true random password for my sysadmins every week.

Something like: if the 4-sider is 1, then the 20-sider is the first 20 letters
of the alphabet. If it's 2, then the 20-sider is the last 6 letters of the alphabet,
then the numbers, then whatever other characters my OS will allow in a password.
On a 3 or 4, the 'caps' version of that character.

Personally I'd trust that more than a random password generator program, which
itself is merely based on an algorithm of some kind.

>> 2) Never store your password(s) in a public area of your site.  It can be
>> accessed with the view-source option, or by simply browsing to it.

Passwords get stored in wallets only. Somewhere where they have to mug your
sysadmin to get it. That was the recommendation at the last AIP meeting I went
to (which was on the topic of network security and hackers: http://sf.us.association.org/)


http://www.playondemand.com/present/aip/mtgbios/hackerk060600.htm

NEVER let your people store their passwords on sticky notes stuck to their monitors
(a very common thing to do). Anyone coming by can see them, like perhaps the night
janitor.

>> 3) Never use the same password for anything else.  You have no idea who runs
>> "Joe's Online Newsletter", so don't use your Unix password for your member
>> account at Joe's site...

On the other hand, for common passwords the human mind needs to be able to remember
them. One idea I've heard is to keep a list of passwords on hand.

One for those sites that have nothing of value but make you use one to get in,
like a web forum or something. One for places like eBay/Amazon and so on. One
for non-business internet accounts. And one for business/critical stuff.

>> 5) Check the server logs for access records as well, when attempting to
>> track the cracker.  They feel secure within their anonymity...track them
>> down, drag them into the light and they wither and die into a smoky puddle
>> of sludge.  This isn't really in line with your request, but it does make a
>> satisfying picture!

Most crackers are not what we would think of as pros. They're kids or hobbyists
who think they're experts. A well-trained security expert can track "most" of
them down. Note how in the news, every time we get one of those big email viruses,
in a week or two they've usually got some clown being paraded through the courts
of his/her home country.

If you run a large network, a security person is a critical employee. If you
run a smaller one, contract it out to a security service. Not doing so is like
owning a retail store with no security alarms.
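The dice chart described in the post, written out as a small script. This is an added example, not the poster's own code: it takes faces 3 and 4 as the upper-case versions of the face-1 and face-2 sets respectively, fills the four spare slots on face 2 with an assumed set of punctuation characters (`-_!?`), and uses the OS CSPRNG (`secrets.SystemRandom`) as the software stand-in for physical dice. It also measures the per-character entropy of the chart, which is slightly below uniform because digits and punctuation come up on two d4 faces (a 'caps' digit is the same digit) while letters come up on only one.

```python
import math
import secrets
from collections import Counter

# Constructed dice chart following the post's description (assumption: the
# four filler characters on face 2 are "-_!?"; any OS-permitted set would do).
# d4 face 1: first 20 letters of the alphabet.
# d4 face 2: last 6 letters, the 10 digits, then 4 filler characters.
# d4 faces 3 and 4: the 'caps' version of the face-1 and face-2 sets.
FACE1 = "abcdefghijklmnopqrst"
FACE2 = "uvwxyz" + "0123456789" + "-_!?"
ALPHABET = FACE1 + FACE2 + FACE1.upper() + FACE2.upper()


def roll_character(d4: int, d20: int) -> str:
    """Look up one password character from a d4 face (1-4) and a d20 face (1-20)."""
    if not (1 <= d4 <= 4 and 1 <= d20 <= 20):
        raise ValueError("d4 must be 1-4 and d20 must be 1-20")
    base = FACE1 if d4 in (1, 3) else FACE2
    ch = base[d20 - 1]
    # Faces 3 and 4 give the 'caps' version; digits and punctuation have none.
    return ch.upper() if d4 >= 3 else ch


def generate_password(length: int = 12, rng=None) -> str:
    """Roll the two dice `length` times and concatenate the chart lookups.

    secrets.SystemRandom (the OS CSPRNG) stands in for physical dice by default;
    any object with randint(a, b) can be passed instead, e.g. for tests.
    """
    rng = rng or secrets.SystemRandom()
    return "".join(
        roll_character(rng.randint(1, 4), rng.randint(1, 20)) for _ in range(length)
    )


def symbol_distribution() -> Counter:
    """How often each character occurs across all 80 equally likely (d4, d20) pairs."""
    return Counter(
        roll_character(d4, d20) for d4 in range(1, 5) for d20 in range(1, 21)
    )


def per_character_entropy_bits() -> float:
    """Shannon entropy of one rolled character, given the duplicated digits/punctuation."""
    dist = symbol_distribution()
    total = sum(dist.values())
    return -sum((n / total) * math.log2(n / total) for n in dist.values())


def uniform_entropy_bits() -> float:
    """Entropy per character if the same symbol set were drawn uniformly instead."""
    return math.log2(len(symbol_distribution()))


if __name__ == "__main__":
    print("password:", generate_password())
    print("distinct symbols:", len(symbol_distribution()))
    print(f"bits per rolled character: {per_character_entropy_bits():.2f} "
          f"(uniform draw over the same symbols: {uniform_entropy_bits():.2f})")
```

With this chart a 12-character password carries roughly 72 bits, a little under the 80 bits that twelve uniform draws over the same 66 symbols would give; the gap comes entirely from digits and punctuation being twice as likely as any letter, which is worth knowing if the chart is ever extended.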

HWG hwg-techniques mailing list archives, maintained by Webmasters @ IWA