[MUD-Dev] strong encryption for authentication

J C Lawrence claw at kanga.nu
Sat Jul 14 20:12:10 New Zealand Standard Time 2001

On Sat, 14 Jul 2001 01:17:44 -0600 
Kwon Ekstrom <justice at softhome.net> wrote:

> From: "J C Lawrence" <claw at 2wire.com>
>> Kwon Ekstrom <justice at softhome.net> wrote:

>> I did an experiment a couple days ago and installed Windows 2K on
>> a test system that had a 'net routable IP.  Suffice to say that
>> the CD was not out of the drive before the box had been port
>> scanned, cracked and a root kit installed (snort on a shared net
>> segment showed me the whole thing). Note: This is not a
>> condemnation of Windows, but an observation of 'net realities.  A
>> mate recently installed Linux on a box, didn't know how to secure
>> it, and had it cracked sometime that evening (~8 hours later).

>> End user systems are not only implicitly untrustworthy, but
>> (most?)  end users have no particular willingness or interest in
>> keeping their home desktops secure.

> Agreed, while some OS's are secure, most users don't know or care
> about security measures.  From your short description of the
> installation, I can think of a dozen things to do in order to
> secure the environment and prevent the hack...

Its actually a curious question.  Given an OS which is insecure when
installed (known, commonly used exploits), and given that the
acquisition method for the patches is public 'net and that you don't
have another otherwise secure system to use/firewall behind, there's
an implicit race condition on obtaining and installing the requisite
patches in time.

Its actually the same race condition which exists between normal
exploit development and patch installation, its just more painful in
this case as the delta can be much larger.

> ... but I'm assuming the nature of your experiment was to see how
> long before you were hacked.

Aye, I was curious what would happen.  I have another box on that
network that gets port scanned ~30 times a day, so I was fairly sure
about what, just not when and how.

> Agreed that the few who have the tools and knowledge can easily
> write scripts, etc, to do their dirty work.  The actual number of
> users capable of it is likely a small fraction...  Unless you're
> snooping an administrator account (even then?) the amount of
> information gained isn't likely to yield a decisive advantage.

I have visions of things like:

  A worm that coordinates via a private IRC channel and which
  monitors use of the local game client.  It does two things
  when-ever the game client is run:

    a) Sends the userID/passwords back home via the IRC channel.

    b) Monitors any played characters for gold pieces and sends home
    reports of in-game account balances etc.

  The cracker then collects the passwords, bank accounts, etc,
  tithes them at his leisure and sells the proceeds via EBay.

Not a very tricky thing to do.  The next step up would be
remote-automating or 'botting the character(s) either directly via
the IP reported via the IRC channel, or via commands on the IRC

The current set of windows root kits aren't that sophisticated.  I
question how much longer that will last.

> The question is still, does the end result justify the means?
> Under some circumstances, such as confidential information, the
> answer is yes.

The current fract in the game market between hobbyist games and
large scale commercial productions will grow wider, partly forced by
the fact that they (the larger/more successful commercial games)
will be forced by their population base onto a quite uncomfortable
security stance.  Its going to be interesting to watch, and quiet
uncomfortable, especially as organised crime moves in.

> Interesting, makes me glad that I check my system for unwanted
> network traffic regularly...  Along with other security
> precautions on my part.

IDS are good.

J C Lawrence                               ("`-''-/").___..--''"`-._         
---------(*)                                 `6_ 6  )   `-.  (     ).`-.__.`)
claw at kanga.nu                               (_Y_.)'  ._   )  `._ `. ``-..-'  
http://www.kanga.nu/~claw/                _..`--'_..-_/  /--'_.' ,'         
I never claimed to be human             (il),-''  (li),'  ((!.-'           
MUD-Dev mailing list
MUD-Dev at kanga.nu

More information about the MUD-Dev mailing list