[CentOS] duqu

Wed Dec 7 12:33:16 UTC 2011
Lamar Owen <lowen at pari.edu>

On Wednesday, December 07, 2011 04:59:52 AM Nicolas Thierry-Mieg wrote:
> alphanumeric only isn't so secure-seeming is it? Is this for admins who 
> log in with a cell phone instead of a real keyboard? ;-)
> seriously: I thought the consensus was that a secure password should 
> contain at least one or more non-alphanumeric characters.

Further down in the password files some 'patterned' symbol passwords are to be found, for more than the root user.  Things like the obvious:
p@ssw0rd
!@#$%
let!ME!in
T!m0+#y  (Timothy, if you haven't figured it out, and it just so happened that it was paired with the username 'timothy' a la slashdot).

And there were various iterations of those, with differing lengths and such.  But I'll emphasize that the one I found was very rudimentary, and I found it several years ago.  Algorithmic brute-forcers can be much more sophisticated than that.

I also found in the searches that I made that there have been numerous instances of the first password tried working and getting in.  I have to wonder if the chosen user is based on a leak of information from something like a web forum, or a hotmail account, or something else that has gotten hacked.  Don't reuse passwords, in other words.  (easier said than done, unfortunately).

Basically, if any account you have is ever compromised through password login, assume that password has made it into someone's dictionary.  And I'm not talking just ssh accounts here.  I'm thinking about the large e-mail/password lists recently released by LulzSec, for instance.  The blackhats I'm sure have many more such lists that haven't been exposed yet.

And I agree with Johnny (and others) that disabling password auth and using keys for SSH access is a way to go; the fly in that ointment is mitigating private key loss and having a mechanism in place to rapidly revoke keys in a secure manner.  

That and other avenues of access are used that involve web applications, etc., that bypass SSH-oriented controls.

Two-factor auth is better; but even that is foolable (biometrics, even; Mythbusters defeated simple fingerprint scanners several years ago...).

Layered security works best; but 'working best' doesn't mean '100% effective.'
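As an added illustration of the point made above about 'patterned' symbol passwords (this is example code written for this page, not something from the thread or from CentOS), the check below de-leets a candidate password the way a simple dictionary-based brute-forcer would, so that a password policy rejects p@ssw0rd, let!ME!in, T!m0+#y and keyboard runs like !@#$% before they ever reach /etc/shadow. The substitution table, the keyboard rows and the tiny WORDLIST are constructed assumptions; a real deployment would load a large breached-password list in place of WORDLIST.

```python
"""Defender-side check for 'patterned' passwords (added example, not from the list post)."""
import re

# Constructed stand-in for a real breached-password / dictionary list
WORDLIST = {"password", "timothy", "letmein", "admin", "secret", "welcome"}

# Assumed substitution table covering the symbols seen in the post
LEET_MAP = {
    "@": "a", "4": "a", "$": "s", "5": "s", "0": "o", "1": "i", "!": "i",
    "3": "e", "+": "t", "7": "t", "#": "h", "|": "l",
}

# US keyboard rows, unshifted and shifted, for detecting runs like !@#$%
KEYBOARD_ROWS = [
    "`1234567890-=", "~!@#$%^&*()_+",
    "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./",
]


def normalized_forms(pw):
    """Yield letter-only readings of pw: raw, every symbol substituted, digits only.

    'let!ME!in' uses '!' as a separator while 'T!m0+#y' uses it as a letter,
    so each reading is tried and then stripped to a-z.
    """
    low = pw.lower()
    subst_all = "".join(LEET_MAP.get(c, c) for c in low)
    subst_digits = "".join(LEET_MAP.get(c, c) if c.isdigit() else c for c in low)
    seen = set()
    for cand in (low, subst_all, subst_digits):
        letters = re.sub(r"[^a-z]", "", cand)
        if letters and letters not in seen:
            seen.add(letters)
            yield letters


def has_keyboard_run(pw, min_len=4):
    """True if pw contains min_len adjacent keys from one keyboard row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for r in (row, row[::-1]):
            for i in range(len(r) - min_len + 1):
                if r[i:i + min_len] in low:
                    return True
    return False


def weakness_reasons(pw, username=None, min_len=12):
    """Return the list of reasons pw is weak; an empty list means no finding."""
    reasons = []
    if len(pw) < min_len:
        reasons.append("too short")
    for form in normalized_forms(pw):
        if form in WORDLIST:
            reasons.append("dictionary word (after de-leeting): %s" % form)
            break
        # 'P@ssw0rd123' still embeds a dictionary word; catch substrings of 6+ letters
        if any(w in form for w in WORDLIST if len(w) >= 6):
            reasons.append("contains dictionary word: %s" % form)
            break
    if username:
        uname = re.sub(r"[^a-z]", "", username.lower())
        if uname and any(uname in form for form in normalized_forms(pw)):
            reasons.append("derived from username")
    if has_keyboard_run(pw):
        reasons.append("keyboard-row run")
    return reasons


if __name__ == "__main__":
    # The samples from the post, plus one long passphrase for contrast
    for pw, user in [("p@ssw0rd", None), ("!@#$%", None), ("let!ME!in", None),
                     ("T!m0+#y", "timothy"), ("correct horse battery staple", None)]:
        print("%-30s %s" % (pw, weakness_reasons(pw, username=user) or "ok"))
```

The check deliberately tries more than one reading of each symbol, because a brute-forcer's rule set does the same; a policy that only tests the literal string would pass T!m0+#y while the attacker's wordlist would not.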