a user security hole in mindterm's ssh 2 applet
Jorge Carrizo
jorge.carrizo@eds.com
Thu, 19 Sep 2002 11:38:11 -0400
Totally agree with this approach, i.e. one-time, unrelated, randomly
generated and "really strong" passwords.
I also believe that multiple security barriers would be better
understood (and approved) by your auditors / security analysts.
regards,
jorge
David Forslund wrote:
> This is one of the reasons why we use one-time passwords at Los Alamos.
> There are too many ways to breach security when you have a simple
> name/password login. I suggest that Brookhaven go to a one-time
> password system with CryptoCards to avoid this problem as
> we have done at Los Alamos. Mindterm works great in
> this scenario and there is nothing left on a remote machine
> that would enable someone to "steal" the password, encrypted or not.
>
> Dave Forslund
> Los Alamos National Laboratory
>
>
> At 06:17 AM 9/19/2002 -0400, Stephen Adler wrote:
>
>> Mats,
>>
>> thank you very much for your reply but this is a big concern
>> for us. Here's the problem. We cannot trust the users to be
>> security conscious. We must assume that if there is something
>> a user can do to leave his password open, they will, even though
>> they don't intend to. Secondly, we are using mindterm as the
>> official way of giving access to our systems from insecure
>> places around the world. We have professors who travel to
>> countries around the world who will be gaining access to
>> our computer systems.
>>
>> We are a Department of Energy facility and we are under a
>> microscope these days regarding computer security. Remember
>> the Wen Ho Lee case of Los Alamos National Labs? Well Brookhaven
>> National Labs is a "sister" research facility managed by the
>> same federal department. (i.e. Department of Energy) We are
>> undergoing a large scale security restructuring of our computer
>> systems and we will be reviewed and audited by DOE to ensure
>> that our security model is acceptable. If I show up to a review
>> and explain to them that we are using a software product which
>> if you do xyz, then a windows PC in some foreign country will
>> have a hostname/username/password such that anyone can gain
>> access to the system, we will flunk the review.
>>
>> Mats, is it possible to get appgate to modify your mindterm
>> product so that we can disable the password saving feature
>> and still use the signed version of the applet? (As I understand,
>> scp does not work with the unsigned version, otherwise
>> we would use the unsigned version.) Who at appgate could I call
>> to explain our situation? In your estimate, how big a change
>> to mindterm would this be?
>>
>> Thanks for the reply Mats
>>
>> Steve
>>
>> On Thu, 2002-09-19 at 05:52, Andersson, Mats wrote:
>> >
>> > On 18 Sep 2002, Adler, Stephen wrote:
>> > > discovered a rather ugly user enabled security hole in the mindterm
>> > >
>> > > the "save password" option, then not enter in a password to password
>> >
>> > This is actually a "feature", it means that if you save your passwords
>> > etc. without encrypting it (i.e. no passphrase given), it's going to save
>> > it unencrypted (so it can be retrieved without user intervention).
>> >
>> > > to find a way to close this hole, either by setting up some way of
>> > > disabling the saving of passwords, or forcing the user to enter in a
>> > > password to encrypt the local password file.
>> >
>> > Saving passwords is disabled by default. Entering an empty passphrase
>> > should perhaps warn people what it implicates to do that. You might also
>> > have a point in the need for a special setting which entirely disables the
>> > option to use it too (or something forcing a passphrase and hence
>> > encryption).
>> >
>> > I wouldn't consider this a very grave security-issue though, even a normal
>> > user probably understands that he shouldn't enable saving passwords on a
>> > computer that anybody can access freely (even when giving a passphrase to
>> > encrypt it).
>> >
>> > Cheers,
>> >
>> > /Mats
>> >
>>
>>
>>
>> _______________________________________________
>> Mindterm-users mailing list
>> Mindterm-users@mindterm.appgate.com
>> http://www.mindbright.se/mailman/listinfo/mindterm-users