Re: [LUG@IITD] Re: password hack at IITD ?
Sharad Birmiwal
<debasish.r...@gmail.com> wrote:
> I thought my passowrd was sent over a secure socket layer, so it cannot be
> visible from LAN. The password is never stored in the server, only a
> cryptographic hash is stored (for example md5 or sha1), so there can be no
If we are talking about only hashes, then the service can be
vulnerable to replay attacks.
>
>
> So please be careful where you are giving your passowrd. Another technique
> is to create a virus that keeps track of your keyboard and then sends it to
rootkits also are gaining popularity (which are effectively the same).
Sharad Birmiwal
> I have some thing to say here .
>
> 1. Password hacking tricks (which are more common) are generally local
> machine based. So there is nothing much that CSC ppl can do to avoid that.
> Mostly in labs and csc pcs (which are meant for group usage) its ignorance
> on part of users themselves that accounts for their password being stolen.
> The ideal way to treat this kind of problem is to make users aware (btw if
> they themselves don't understand the importance of their passwds why should
> we care)
I would also like to stress that users should be more careful.
>
> 2. Regarding network based vulnerabilities, they are common to all lan based
> networks. CSC ppl do keep track of lan attacks. (i can't disclose them in
> public). But i know ppl being punished for these kind of things. There are
> very few options (improvements ) that can be done to add to security of the
> Network in IIT-D .
On the contrary, there is scope for many improvements. Changes would
be required in H/W (and new installations) and software used.
>
>
> @Narendra: Chill man . its not completely the fault of CSC ppl.
>
Agreed.
Sharad
Sharad Birmiwal
> What are the other precaution to be made so that we should not loose our
> password,
Using a different password for various accounts. I have seen people
use the same password for their yahoo/gmail/local computer passwords
the same as their CSC passwords. CSC passwords (for telnet and related
services) are not secure.
> Hey Naresh, I generally do not logoff my gmail id , I think this will also
> add the security because password hacking on LAN is done by the software
> which analyze initial packet sent by user for password, (I think so, )
Yes, this was demonstrated this year at BlackHat.
>
> @Debashish -- even password is sent over over SSL but still there are
> software which capture the packets and decrypt them. Decryption may takes a
> time on normal PCs but not on super computer, Other user can explain this
> better.
>
They usually require capturing some certificate or something to do the
"decryption". Cracking is also a way.
BTW, one supercomputer IS available to all of us :)
Naresh Kumar
Can u highlight some possible changes that are required for ensuring more security in IITD LAN. What are exact upgrades available for current installation in IITD ?
Naresh Kumar
4th Year
Dual Degree in Electrical Engineering
(B.tech in Electrical Engineering and M.tech in Information and Communication Technology)
Indian Institute of Technology Delhi
Phone: 91-9213704253
Email: nares...@gmail.com
Sharad Birmiwal
> Can u highlight some possible changes that are required for ensuring more
> security in IITD LAN. What are exact upgrades available for current
> installation in IITD ?
>
I am not an expert in this area so it would be best if a qualified
person addresses this issue (instead of us going ahead and making
claims to people at CSC). A few things that come to my mind (which are
not only about security) are -
1. For the hostel network, disallowing broadcasts
2. Hostel networks in many universities (I know about some foreign
universities only) have strict requirements and conditions for
connecting any PC to the network. E.g.s would include that a machine
is allowed to connect only if it has certain versions of certain OS
with certain SPs and certain firewall etc software. BTW, there are
conditions on Linux too. Students should also be made aware of risks
and good practices. See for example
http://www.housing.uwaterloo.ca/resnet/incoming/index.html .
3. Making it mandatory for users to register their MAC addresses to
connect (start collecting information from the hostel in a distributed
fashion). Any unregistered MAC from anywhere inside IIT should not be
allowed except for specific geographical locations (use a well
segregated network for that then).
4. For the telnet accounts, switching from NIS to LDAP (or some other
secure technology). I was doing a test on this with Ms. Akhila Sinha
when she was in IIT. The project was scrapped when she left.
5. use of encrytion (GPG etc) for webmails? -- Ms. Akhila Sinha was
also trying to take care of this (this is about 2 years back).
6. For public machines (labs/CSC), there is no really secure way.
Installing Linux will not necessarily fix the problem. It requires
pro-active measures from admins.
7. Using IPS/IDS actively for networks.
8. As personal measures, people should also know that viruses/worms
etc propagate through spam and chain-letters as well. (I hate
forwards). https://security.berkeley.edu/tutorial/text.txt (read slide
16) . I am diverging from what you asked me but I will also add that
one should also not post his/her password on websites at the pretense
of getting passwords of your friends/for promoting a certain service
to all your friends on your address book etc.
Can't think of anything else right now.
Sharad
Sharad Birmiwal
using telnet/ftp. But other important factors also come into picture
like performance effects of using ssh on old sun machines where many
people might log in (I remember this was highlighted again by Ms.
Akhila Sinha).
Sharad
Sharad Birmiwal
<narendra...@gmail.com> wrote:
> Thanks Ajit and Naresh,
> Naresh told me to put a secondary email id as iitd email id, If you lost
> password then you can can retrieve at iitd mail id, provided the cracker
> have not touched secondary email ids. If password of iitd mail id has been
> changed then you can reset your iitd mail id password by CSC ppl.
>
> What are the other precaution to be made so that we should not loose our
> password,
> add the security because password hacking on LAN is done by the software
> which analyze initial packet sent by user for password, (I think so, )
> word -- use CAPITAL latter + small latter + symbols + some numeric numbers.
>
Shouldn't we also blame google and yahoo (and other services for
this)? Do I dare say that an advisory should be posted regarding use
of these and other Internet services (how much can we trust
Orkut/Facebook/Onlinesbi to name a few) :)
Sharad
Naresh Kumar
Sharad Birmiwal
provided in IIT? I can not really comment here 'cause I don't use it
much..
Sharad
narendra sisodiya
I also want to point that as per as ( true rumor ) some decryption scripts was executed some years before on Param super computer account. So CSC should also take care about that fact in future also.
Infact as per my view, CSC has tried to apply so security on us by blocking port n hostel wise access that It got result in degraded performance of whole network.
Sharad has made very valuable comments infact.
can we have more suggestion on improving the network performance at IITD (hostel and institute wise) in all aspect
A)-- Bandwidth aspect
--- Setting up repos
--- maintaining hierarchy if proxy server
--- I think there can be improvement in ODC traffic also,
B)-- Security aspect
---- Sharad's & all other points
C) Use of network aspect
-----
--
Narendra Sisodiya MTech, IIT Delhi
Sharad Birmiwal
> was executed some years before on Param super computer account. So CSC
> should also take care about that fact in future also.
As I said earlier, once you give a shell (or worst still, physical
access), it becomes very difficult to keep a machine secure. You need
highly qualified people to manage this. Even the guys at CSC should
understand that the only way they can "truly" implement safe services
for us users is by denying us services and that there is really very
little they can do about users running scripts and doing restricted
activities as long as they provide even some services to us.
>
> Infact as per my view, CSC has tried to apply so security on us by blocking
> port n hostel wise access that It got result in degraded performance of
> whole network.
How does restricting ports and hostel wise access degraded in
performance of whole network?
Sharad
narendra sisodiya
May be like, If they allow connectivity between hostel and institutes then student will not do any ssh proxy tunnel or any extra things to increase the congestion. for connecting one hostel to another hostel the traffic goes to upper level like CSC and the come back to other hostel, (it would have been better , it was routed between hostels), I am not an expert so just analysed in this manner. Having a common LAN for all hostel will result in reduction in congestion and setting up hierarchy of squid proxy server. infact If we come up with caching of youtube video, this will be a great help, (all views are based on small experience, need to correct A-Z).
Ankit Raizada
in CSE for SSH tunneling of web traffic to CSE proxy access. Most of
us want to use our accounts in CSE/Intel Lab for getting access to
faster internet. When palasi goes down we all are left hanging. I dont
understand but why does CSC/hostel management has this moronic policy
of blocking access to port 22 outbound? I mean this essentially stops
anyone from accessing his/her machine in the lab from his hostel and
undermines the very purpose of a LAN...
furthermore as many students in specialized labs have their own
computers which they will like to access from their hostel but
CSC/hostel management effectively puts a denial-of-service on them by
blocking even the basic 22 port.
its understandable to block ports like 21 445 135 which are for
netbios and other unsecured protocol but by blocking port 22 you make
secured tunneling impossible, my suggestion is that access to port 22
outbound should be allowed to all machine from hostels to encourage
use of secured tunnels for which attacks based on sniffing/ man in the
middle is more difficult.
On Wed, May 7, 2008 at 1:40 PM, Sharad Birmiwal
<sharadb...@gmail.com> wrote:
>
--
Ankit Raizada
WC-4 Zanskaar Hostel
IIT-Delhi
Hauz Khas
New Delhi - 110016
Email: mcs0...@cse.iitd.ac.in
araiz...@yahoo.com
ankit....@gmail.com
uday kiran
the LAN now. I think all the inter hostel connectivity was gone there
were attempts to do that at our time. but way back when It started
around 2005 when I was in 3rd year we have a 10mb back bone lan and
internet speed was pathetic. We use to install proxies in CSC's
computers run socks in sun servers etc. to boost that up. Apart from
that we use to do lot more things. Most of the users have windows on
their pcs and very few have linux and to tell the truth I have dual
boot on my PC. Most the windows users have viruses on their pcs and
the sad part is that they accepted them as part of life. Me and a
friend stated looking at linux and started sniffing packets on the
network we use to poke friends that this your passwd and all but we
never did any thing that would conflict their interests. Let me tell
the things from my perspective about security
1) The major problem was that the most users use pirated versions of
windows on their pcs as a result they don't get updates from
microsoft. (Actually Microsoft is not that bad when maintained good).
2)On top of the broken windows we have an antivirus thats also broken
and pirated that also most of the times does not get updated.
3)They mostly use an outdated version of the pathetic windows internet
explorer with improper security levels.
4)I agree that using linux would make life easier with less security
vulnerabilities .. but one thing is that we need to have support. If
you push csc people to install linux in all the insti pcs if there is
a problem they should find person to make responsible and fix it.
(thats what management looks at).They cannot afford to make the pcs
down. Look at coporate linux players like redhat or Suse to do that.
4) I strongly disagree to register macs and monitor all the activity
on the network because it restricts the freedom of the users.(Why
should some one monitor my network access?). we are here at IITD to
hack and learn. Which is not possible when some one rings the bell
when ever I try to just access the network.
5)Bad people are always there and will be there. The security steps
should come from users. I want a secured conversation when it is
needed. If any one wants a secure connection they should use
encryption tools.They should not share the passwds.( ofcourse we use
to share our all course passwds and some mail passwds now also I bet
some people do that which we should not be doing.Sharing is really
good .What are you going to share let people should decide. Lets not
push anything to people.
In summary my take on it is we should have a security system that is
transparent to even lay people who are just touching pcs for the first
time and should be able to connect the pc at any where in the
institute and start using it. And strictly no auditing please. what
will the poor csc people who cannot fix a mouse to a PC when I asked
do with the audit logs of the whole institute ;)
narendra sisodiya
I found a email id -- centre....@gmail.com
this was used by cracker,,,,
password cracking was aimed for girls.
narendra sisodiya
report immediately.
Thanks n Regards
--
Narendra Sisodiya MTech, IIT Delhi
skype : narendra_sisodiya
webpage : http://narendra.sisodiya.googlepages.com/aboutme
LUG@IITD : http://www.lug-iitd.org
ajit singh
I know one of my friends who is having the same problem. What can you do about it?
The volume of a pizza with radius z and height a is ....... pi * z * z * a
narendra sisodiya
ajit singh
Can you point out the vulnerabilities existing in the CSC network. That might help in detecting the cause of the fraudulent activites.
narendra sisodiya
but this may be because of some crackers or may because of pirated window XP all around the hostels,
But possibility of second option is very less, as this they are changing password of associated with other ids.
I got so some reports that not only they got hacked by Gmail but other accounts associated with that account also.
means they cannot even retrieve with secondary email ids also,
password hacking is such a illegal crime that you are taking away a web-&-Internet-identity of a person. it is a crime which is equal to murder of a person.
It is a co-incident that I got 2 reports of password hacking & both are girls.
Shakthi Kannan
--- On Tue, May 6, 2008 at 10:49 AM, narendra sisodiya
<narendra...@gmail.com> wrote:
| hacked by Gmail
| ...
| password hacking is such a illegal crime
\--
Terminology please.
Hacking is the art of programming. Hackers are programmers who pursue
programming as an artistic passion, who are eager to solve challenging
computer problems.
People who break into systems, crack passwords, cause DoS, DDoS
attacks are called crackers.
SK
--
Shakthi Kannan
http://www.shakthimaan.com
narendra sisodiya
Hi,
--- On Tue, May 6, 2008 at 10:49 AM, narendra sisodiya
<narendra...@gmail.com> wrote:| hacked by Gmail
| ...
| password hacking is such a illegal crime\--
Terminology please.
hacking is some unwanted manner is automatically accounted as cracking ,
please do not start a discussion on hacking vs cracking, this thread is not meant to that purpose,
Hacking is the art of programming. Hackers are programmers who pursue
programming as an artistic passion, who are eager to solve challenging
computer problems.
People who break into systems, crack passwords, cause DoS, DDoS
attacks are called crackers.
SK
--
Shakthi Kannan
http://www.shakthimaan.com
gajendra khanna
I looked up the dictionary.
A hacker is a person who hacks.
And as per the dictionary the relevant meaning of hack is as given below:-
(Computers) To program (a computer) for pleasure or
compulsively; especially, to try to defeat the security
systems and gain unauthorized access to a computer.
(From The Collaborative International Dictionary of English v.0.48)
There are 14 other definitions of hack which don't seem relevant.
(e.g. Unburned brick or tile, stacked up for drying. [1913 Webster]
is also a hack!)
hope this clears some confusion.
This term cracker is a relatively newer term for what people called
'blackhat hackers' (who mean something malicious as opposed to
'whitehat hackers' who do it for pleasure and to expose
vulnerabilities in the system).
Hope this makes things a bit clearer on the terminology front.
Regards
Gajendra
narendra sisodiya
I told in last mail this thread is not meant meant for this purpose,, go ahead to create a new thread for unwanted discussion. I am sorry, but if snake come to our home , will you Google it what a snake do and what is its species & etc OR help other to make the snake out from home.
Sorry, but its is a high time to take some actions, rather on discussion,. We have lot of work pending for summer , I will be busy for project work ,, volunteer are needed to work on many task which have to be done by LUG by summer.
I am asking the how many are the victims of such attack in past week. just mail the names and network location of them,
gajendra khanna
terminologies are important. Their knowledge makes our concepts.
The threads are opportunities for interaction and remain valid
considering the threads are children of the tree of mailing list. The
global interests of the group remain valid for each thread.
As for googling for the snake species may not be that bad an idea
considering over 99% of Indian snakes are non-poisonous. (We have the
most poisonous snake too is another story).
As for the so called threat please elaborate on this:-
1. What "pirated" windows xp has to do with getting hacked? (pirated
means its an illegal copy. Whats more great people also get illegal
service packs). It could be due to anything. Is there any instance of
people's pc being hacked for password or only the sympton of password
not working is known?
2. What is the exact issue which is cause for trouble of hacking
here? Till that is known this thread is meaningless.
3. Is an epidemic being created about two isolated instances of
password being lost here? (A molehill out of an ant?)
4. What exactly can be done if there is a problem?
5. What do you mean by security vulnerabilities here in the system?
Please give examples.
Lots of similar loopholes in the thread. Plug them and a constructive
discussion can be done on the thread.
Regards
Gajendra
narendra sisodiya
I was just checking how many are the student present in IITD who have lost their password in last 2-3 days.
after knowing the details we can carry all your discussion & Actions in some another thread.
@ Ajit
can you give the details your friend who suffered fro this.
Ishan Arora
I cannot tell all vulnerability publically, It is not my duty. but passowrd hacking is a proof of such vulnerabilities.
Regards,
Ishan
narendra sisodiya
Hi,I cannot tell all vulnerability publically, It is not my duty. but password hacking is a proof of such vulnerabilities.
I don't think that's enough of a proof. There are many simple ways to get into people's account. In most cases it is because of your own carelessness. I know a lot of people who leave there accounts logged in at CSC and leave. And most of these people are girls :) Sorry for sounding sexist but I go by statistics.
Regards,
Ishan
Dear Ishan, I agree with you that there are not enough proof, I just asking how many such cases to make some conclusion at this time.
btw do you know at in past history of IITD, there are a such attack and infact the password list was distributed was leaked over ODC.
There may be the more case of password cracking, there are very less user who reads our mails regularly,
Naresh Kumar
1. Password hacking tricks (which are more common) are generally local machine based. So there is nothing much that CSC ppl can do to avoid that. Mostly in labs and csc pcs (which are meant for group usage) its ignorance on part of users themselves that accounts for their password being stolen. The ideal way to treat this kind of problem is to make users aware (btw if they themselves don't understand the importance of their passwds why should we care)
@Narendra: Chill man . its not completely the fault of CSC ppl.
ajit singh
Varsha has told me about this today morning and i think you know about this already.
ajit singh
So let's just say that somebody is not so desperate that he will go to some website for a gmail password. Then too, saving passwords in Mozilla Firefox wallet is a bad habit. Anybody can see the passwords in plain text if the victim have not enabled Master security password and have saved some passwords in Firefox's wallet. Other bad habit is of not locking the screen while going out for a break (for labs). Thirdly a good precautionary measure is to use Thunderbird. Well in case of a theft, at least a backup of important mails remains with the user.
Debasish Ray Chawdhuri
narendra sisodiya
Naresh told me to put a secondary email id as iitd email id, If you lost password then you can can retrieve at iitd mail id, provided the cracker have not touched secondary email ids. If password of iitd mail id has been changed then you can reset your iitd mail id password by CSC ppl.
What are the other precaution to be made so that we should not loose our password,
Hey Naresh, I generally do not logoff my gmail id , I think this will also add the security because password hacking on LAN is done by the software which analyze initial packet sent by user for password, (I think so, )
another point you made, keep your password strong --- never use dictionary word -- use CAPITAL latter + small latter + symbols + some numeric numbers.
gajendra khanna
Sharad Birmiwal
On Tue, May 6, 2008 at 4:31 PM, ajit singh <ajitsi...@gmail.com> wrote:
> Ok.
> So let's just say that somebody is not so desperate that he will go to some
> website for a gmail password. Then too, saving passwords in Mozilla Firefox
> wallet is a bad habit. Anybody can see the passwords in plain text if the
> victim have not enabled Master security password and have saved some
pidgin also does the same.