Password setup commands

Status
Not open for further replies.

leegold2

Technical User
Oct 10, 2004
116
Hi,

Very basic question. What's the difference between the following:

Set a console password
vs.
Set a telnet password
vs.
Set the enable password
vs.
Set the enable secret password

You could explain or link me to an explanation - either way I appreciate it.

Lee G.
 
"First rule of security is NOTHING IS TOTALLY SECURE!!!"

I would suggest changing that statement to:

"First rule of security is NOTHING *OPERATIONAL* IS TOTALLY SECURE!!!"

Given a reasonable amount of entropy, including "pseudo-random noise sampling", the key generation process can be considered secure. However, that also assumes that the key generation device is not used a second time and is destroyed.

That said, it should be a basic assumption that at least 87% of ALL security breaches are inside jobs. Dual control over critical processes (including system logon) helps reduce the exposure a lot.

Short true story....

The Triad kidnapped the family of the night operator at a bank card processing center somewhere in Asia. Their demand was not ransom money, it was bank card transaction data with mag stripe images that was stored in the data center. Just a day or two worth of transactions and they would release the family. So the night operator, working alone in a highly secure data center with multiple layers of access controls, copied a little over two million transactions onto portable media and handed it over to the mob. That resulted in the compromise of 1.44 million bank card transactions.

I had been in the data center prior to the compromise to have a look at their security. I was called in after the compromise to assist in the investigation and to review new dual control features in the center.

This compromise would likely not have happened if there had been dual controls in place or if the data had been securely encrypted on the system (a subsequent PCI security requirement). The Triad would have had to take higher risks in a double kidnapping and might have considered that to be too risky to pull off.

From an operational perspective, encrypting the data on this particular system (with their existing design) would have had a severe impact on the merchant service reps and on the merchant reconciliation process.

[the other] Bill
 
I remember someone once telling me the best way to secure a Windows NT server was to:
-remove keyboard
-remove monitor
-remove mouse
-remove NIC

Basically have the tower unit sit there powered on. I always kind of took it as a joke, but with a slightly serious tone to it.

Something else though you brought up, that I think is a huge piece to security is not only physical security, but the human element to security. A book I read that really opened my eyes to some things was "The Art of Deception" by Kevin Mitnick. Was a really interesting look at the social engineering side of things.

I think everyone takes some of these pieces lightly. I work in a healthcare environment and HIPAA rules are pretty strict, but it doesn't always cover things like having printed a document that contains patient information, and it getting left on the printer.
 
Dalt, That was a great book.. Social Engineering became much more recognized because of it! To answer your other question, I just discovered Rainbow Tables the other day and have not had an opportunity to play with them yet. Have been ordering some books and am going to have to build my crypto skills from the ground up!

Bill, You should watch the movie Firewall.. It had a similar plot (albeit fictitious) but it was a good movie. Whatever happened to the banker? Did he live?



B Haines
CCNA R&S, ETA FOI
 
I've seen some demonstrations on rainbow tables, and was very impressed with how they worked. But wasn't certain if they worked as well as the demos made them out to.

I did start compiling some rainbow tables once...after it ran for 2 days and was only a couple percent complete, I gave up.
 
LoL.. Sounds like my first three attempts at Gentoo!

B Haines
CCNA R&S, ETA FOI
 
If you're talking about the night computer operator, he and his family ended up OK. IIRC, he was transferred to a different position in the bank and allowed to quietly seek employment elsewhere while the bank continued to pay him. That way everybody saved face (very important over there).

[the other] Bill
 
You guys see Harrison Ford doing all the "show" commands on the Cisco CLI? lol

Another good book is The Hacker Crackdown.

Burt
 
OK guys,

Speaking of good books about hacking:
Stealing the Network: How to Own the Box is a unique book in the fiction department. It combines stories that are fake, with technology that is real, in other words, the names have been changed to protect the guilty and stupid :) I swear you could sub Burt, Billy or Gene for many of the names and it would sound real :)

This is the book I read over a few months at Borders and it is a bunch of short stories on different hacks, some from the hacker perspective, some from the security team and at least one from both back-and-forth as things are going on! It discusses real software and hardware - just the names of places and people are fictitious or are they?


E.A. Broda
CCNA, CCDA, CCAI, Network +
 
Tad.
Easy to remember---my kids have a toy frog that counts and says the abc's---his name is Tad.

Burt
 
I should get royalties. The frog can't subnet, yet. Maybe in a later version...?
 
Well, this version only asks "How many squares do you see? Will you count with me?" However, the latest firmware upgrade will allow him to ask, "What subnet does 191.111.18.11/17 belong to, and what is the broadcast address for this subnet?"

Burt
 