[5672] in Kerberos
Re: authentication secure?
daemon@ATHENA.MIT.EDU (Sam Hartman)
Fri Aug 11 11:09:46 1995
To: Art Houle <houle@acns.fsu.edu>
Cc: Sam Hartman <hartmans@MIT.EDU>, Joe Beiter <jwb@wilbur.hhisland.com>,
kerberos@MIT.EDU
In-Reply-To: Your message of "Fri, 11 Aug 1995 09:11:18 EDT."
<Pine.SUN.3.91.950811090212.9146A-100000@acns.fsu.edu>
Date: Fri, 11 Aug 1995 10:59:25 EDT
From: Sam Hartman <hartmans@MIT.EDU>
>>>>> "Art" == Art Houle <houle@acns.fsu.edu> writes:
Art> 'tap the phone line..'
Art> That is an interesting point of exposure. If this was a
Art> voice transaction that would be simple. Since modems
Art> negotiate the modulation scheme, it seems that connecting to
Art> the pair of wires is the easiest part of this. Setting up a
Art> listening modem for the correct modulation scheme would
Art> require some arcane knowledge and tools that few hackers
Art> have access to. As someone who has hardware and software
Art> background, I see this as the hardest part. Unless I work for
Art> a modem manufacturer, or am willing to wirewrap my own
Art> hardware, this seems beyond the normal modem's capabilities.
Art> ..comments?
Art> As once mentioned in a security lecture on kerberos, the
Art> easier solution is to bribe someone.
This used to be trivial; below 2400 baud, you can actually
disable the carrier generator on some modems and actually get it to
listen to the conversation. I suspect it's also fairly trivial under
ISDN for those with sufficient clue.
Socially accepted practice at MIT is that you can type your
root instance password over a dialup line *directly connected to a
workstation*. However, you are expected to change your password as
soon as you get to a secure location. Also, this is only done in
emergencies. The general rule of thumb is only type passwords over an
end-to-end secure channel, and with the availability of SLIP/PPP, this
just really isn't that hard to accomplish.
Social engineering is probably cheaper than connecting a modem
to a phone line. However, we can only do so much about social
attacks; we can be as paranoid as we like about technical attacks.
--Sam
Art> Art Houle                                e-mail: houle@acns.fsu.edu
Art> Academic Computing & Network Services    Voice:  644-2591
Art> Florida State University                 FAX:    644-8722
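The distinction Sam draws above, between typing a password into a remote workstation over a dialup terminal line and doing the authentication from the local machine over SLIP/PPP, is easy to see in a small model. The following is an added example, not code from the thread or from MIT's Kerberos: it shows what a tap on the phone line would capture in each case. The cipher (HMAC-SHA256 in counter mode) and key derivation (PBKDF2) are stand-ins for the DES and string_to_key of 1995-era Kerberos, and the message layout, the `KDC` class, the principal names and the realm salt are all assumptions made for the example.

```python
"""Added example: what crosses the modem link in two login styles.

Case 1: the user types the password into a remote workstation's login
        prompt; the serial line carries every keystroke in the clear.
Case 2: the user's own machine is on IP (SLIP/PPP) and runs a simplified
        Kerberos AS exchange; only a request and a reply encrypted under
        the password-derived key cross the link.

Everything here is a simplified model (assumed names, toy cipher), not the
real Kerberos wire format.
"""
import hashlib
import hmac
import json
import os

REALM = "ATHENA.MIT.EDU"          # assumed realm, used only as a salt


def string_to_key(password: str, salt: str) -> bytes:
    # Stand-in for Kerberos string_to_key: the KDC stores this key, never
    # the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(),
                               10_000, dklen=32)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in
                         zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def dialup_terminal_login(user: str, password: str) -> bytes:
    """Case 1: bytes a tap sees when the password is typed over the line."""
    return (user + "\r\n" + password + "\r\n").encode()


class KDC:
    """Assumed toy KDC: principal -> long-term key derived from password."""

    def __init__(self) -> None:
        self.db: dict[str, bytes] = {}

    def add_principal(self, name: str, password: str) -> None:
        self.db[name] = string_to_key(password, name + "@" + REALM)

    def as_exchange(self, as_req: bytes) -> bytes:
        req = json.loads(as_req)
        key = self.db[req["cname"]]
        reply = {"nonce": req["nonce"], "session_key": os.urandom(32).hex()}
        # AS-REP: encrypted under the user's long-term key, so only someone
        # who knows the password can read the session key.
        return encrypt(key, json.dumps(reply).encode())


def kerberos_login(kdc: KDC, user: str, password: str):
    """Case 2: run the AS exchange locally over PPP.

    Returns (bytes that crossed the link, session key or None on failure).
    """
    nonce = os.urandom(8).hex()
    as_req = json.dumps({"cname": user, "nonce": nonce}).encode()
    as_rep = kdc.as_exchange(as_req)
    on_the_wire = as_req + as_rep
    key = string_to_key(password, user + "@" + REALM)   # computed locally
    try:
        reply = json.loads(decrypt(key, as_rep))
    except ValueError:          # wrong password -> garbage, not JSON
        return on_the_wire, None
    if reply.get("nonce") != nonce:                       # replayed/forged reply
        return on_the_wire, None
    return on_the_wire, bytes.fromhex(reply["session_key"])


def password_on_the_wire(wire: bytes, password: str) -> bool:
    """What the tap on the pair of wires actually learns directly."""
    return password.encode() in wire


if __name__ == "__main__":
    kdc = KDC()
    kdc.add_principal("hartmans", "correct horse")       # assumed principal
    w1 = dialup_terminal_login("hartmans", "correct horse")
    w2, session_key = kerberos_login(kdc, "hartmans", "correct horse")
    print("terminal login leaks password:", password_on_the_wire(w1, "correct horse"))
    print("AS exchange leaks password:   ", password_on_the_wire(w2, "correct horse"))
    print("session key obtained:         ", session_key is not None)
```

The caveat a practitioner would add: the tap in case 2 still captures the encrypted AS-REP, which an attacker can run a dictionary attack against offline, because the only thing protecting it is the password-derived key. That is the weakness Kerberos 5 pre-authentication was added to address, and it is why Sam's advice is to keep the password off any line you do not control, not merely to avoid typing it into a terminal.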