[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Hiding all copies of your PPP password
On Tue, 8 Dec 1998, Omer Zak wrote:
> 1. If someone broke into your system, he'll at least have to wait until
> you log into the Internet (activate the hacked pppd) before hijacking
> your PPP password. This assumes that the final PPP hiding wrapper
> script knows to wipe out temporary files, not merely unlink them.
> If you use TripWire (or something similar) to verify your system's integrity
> before you connect to the Internet, then the risk from this direction is
> eliminated.
You should be aware that if you have a reasonably secure system, there's
no reason it WILL be hacked at all. And if it is, then the hacker would
probably be skilled enough to place a sniffer on your network interfaces
and grab everything that looks a password. I find the solution of
temporarily monitoring your connection logs for anything suspicious a
perfectly workable security solution. If security bothers you that much,
have your ISP install a secure PPP daemon (one that uses a public-key
scheme) or use phone callbacks (if you're connecting via the Technion or
something.) I'm not sure such a PPP daemon exist, but I don't think it
would be much of a difficulty modifying pppd for that purpose.
Another secure enough solution is to auto-magically change your password
per week/day/connect ;)
-- Dudu
PS - modifying pppd won't cut it for systems which routinely md5sum every
binary and compare it to a verified secure list kept safe. (like
on a floppy.. or encrypted on a remote server). Security freaks
actually do that. Paranoia rules.
------------------------------------------------------------------------------
crisk@netvision.net.il HAIFA, ISRAEL
------------------------------------------------------------------------------
Sexually tilted quote from THE EMPIRE STRIKES BACK:
10. I thought that hairy beast would be the end of me!