Would a Duress Password be a Good Idea?

  • John Hanrahan (4/21/2015)


    The newest security is using USB keys to allow a user to login along with the password and physical access. It would have to be a pretty big payoff to go to the trouble of trying to break all of that. Maybe a war situation or something just below that or one heck of a lot of money.

    It's not clear how much more security the USB key offers. If the villian puts a gun to the geek's head, then he can take both the login credentials and USB key. But just having a USB drive on the PC is a security risk, because the villian can bring along his own portable drive and dump all he needs then and there before running away.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Ok first of all they'd have to get past Moneypenny and secondly we'll add some biometric security. Finally we'll add enhanced bunker remote security. Should stop all but something that probably means the end of the world or more likely bankruptcy of said company. Actually I've worked with Wall Street Mutual Fund companies and their security was not far off from this. Had everything but obvious armed guards. Intel was pretty close to this (they had armed guards) but they had so many employees it was pretty crazy.

  • Moneypenny was a crack shot, so I definitely wouldn't try to sneak past her! There was a line in one of the books where M says that she shoots better than most of his agents, I think that was after Bond was brainwashed and tried to assassinate M with a cyanide gun, can't remember which book.

    A previous employer of mine bought USB fingerprint scanners, I have no idea how much they cost or how reliable they were. After seeing the Mythbusters ep where they got past a fingerprint scanner door lock without a lot of trouble, I wouldn't say they're very good.

    I like the fingerprint scanner in the iPhone 6. It doesn't read just the fingerprint, it also notes the capillary pattern beneath your skin. No idea if it looks to see whether or not you have any body temperature, such sensors can be problematic in harsh winters or other cold climates. Still, I don't use it for unlocking my phone since you can be legally compelled to produce a key, i.e. your finger, but not a password, i.e. your brain. Though there are exceptions to that.

    I've also read about Bluetooth proximity security: you walk away from your computer with your phone in your pocket, and your computer automatically locks. I really like that, pity that more desktop computers don't have BT built-in.

    -----
    [font="Arial"]Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson[/font]

  • So did we learn anything today, or was this mostly an offbeat topic?

    What do you guys think about the honeypot database server to attract hackers or for duress login re-directs?

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Eric M Russell (4/21/2015)


    So did we learn anything today, or was this mostly an offbeat topic?

    What do you guys think about the honeypot database server to attract hackers or for duress login re-directs?

    I think a kidnap/coercion attack on a sysadmin/DBA is a very unlikely scenario for most non-government/classified installations.

    I've always been intrigued by honeypots, but I've never spent the time to really study them. I know my wife's observatory could use one: for some reason they're attacked a lot by attempted hacks, but they're pretty casual script kiddie-level attacks.

    -----
    [font="Arial"]Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson[/font]

  • I think the duress attacks are going to exceedingly rare. However the honeypots are a great idea but only if you have active networking guys who can monitor and research intrusions and then action said intrusion.

  • Wayne West (4/21/2015)


    Eric M Russell (4/21/2015)


    So did we learn anything today, or was this mostly an offbeat topic?

    What do you guys think about the honeypot database server to attract hackers or for duress login re-directs?

    I think a kidnap/coercion attack on a sysadmin/DBA is a very unlikely scenario for most non-government/classified installations.

    I've always been intrigued by honeypots, but I've never spent the time to really study them. I know my wife's observatory could use one: for some reason they're attacked a lot by attempted hacks, but they're pretty casual script kiddie-level attacks.

    You can learn a lot about a hacker's identity by covertly observing their behaviour once they've "broken" into a server; for example what passwords, scripts, or special techniques they use. Even the folders and tables can be named in such a way that the hacker reveals their intended target of interest while navigating. Also the organization can go to underground websites and post IP addresses and login credentials for "compromised" servers. By posting a different set of credentials on each website, they can use that to trace the origin of the attack. It would be similar in concept to embedding a unique hidden watermark in electronic documents as means of tracing it distribution.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Eric M Russell (4/21/2015)


    Wayne West (4/21/2015)


    Eric M Russell (4/21/2015)


    So did we learn anything today, or was this mostly an offbeat topic?

    What do you guys think about the honeypot database server to attract hackers or for duress login re-directs?

    I think a kidnap/coercion attack on a sysadmin/DBA is a very unlikely scenario for most non-government/classified installations.

    I've always been intrigued by honeypots, but I've never spent the time to really study them. I know my wife's observatory could use one: for some reason they're attacked a lot by attempted hacks, but they're pretty casual script kiddie-level attacks.

    You can learn a lot about a hacker's identity by covertly observing their behaviour once they've "broken" into a server; for example what passwords, scripts, or special techniques they use. Even the folders and tables can be named in such a way that the hacker reveals their intended target of interest while navigating. Also the organization can go to underground websites and post IP addresses and login credentials for "compromised" servers. By posting a different set of credentials on each website, they can use that to trace the origin of the attack. It would be similar in concept to embedding a unique hidden watermark in electronic documents as means of tracing it distribution.

    What would be interesting would be to lace your h'pot docs with malware to try to infect and compromise the attacker! It's fairly well documented that a lot of these criminals practice poor password hygiene so it's not unreasonable to suppose that they're also lax on their own system defenses.

    A lot also depends on what you anticipate your attacker profile would be: a criminal vs a rival corp vs a state actor are radically different skill sets. How long were the attackers who took apart Sony Pictures in their network before they destroyed it? Considering the amount of information that they exfiltrated undetected, I'd say over a month. Completely undetected. And Sony Et Al KNOW that they're despised by a lot of people after their music CD root kit and other shenanigans that they've pulled over the years, they should have had much better monitoring.

    A state actor is going to be the hardest to detect and prevent verging on nigh impossible, I'd say it's a toss-up between who's more dangerous and detectable between a criminal or a rival corp. But it's still dependent on the attack being detected, and the resources for that depend on the size of the installation being defended (greater size = potential greater budget dollars and staff for defense).

    Friend of mine did help desk installs for the US Marine Corps. He was at one site when he realized that he didn't have a service pack that he needed, but he had it on his private FTP server. He asked the Marine with whom he was working if he could connect his laptop and download it, received permission, and proceeded to start the transfer. Within minutes an MP was pointing a loaded gun at his head and ordering him to step away from the keyboard. Now THAT is detection and response! I'd be surprised if most non-government sites could detect and respond that quickly.

    -----
    [font="Arial"]Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson[/font]

  • So let me get this right. You're suggesting Password123 be my duress password instead of password123? Yah, I think that might work! 😀

    I think there are 101 simpler and safer ways to get access to a corporate database or system than kidnapping an overworked and tired sysadmin.

    There was a case where somebody was leaving USB sticks with malware on the ground outside the corporate front doors. Guess what, dozens of employees picked them up and plugged them into their computers. No need to kidnap anybody.


    David

  • I have thought about this from time to time. I imagine the implementation would not be much different in principle than a honeypot.

    Give them an account and password that is routed to a honeypot. They get what they think is legit documentation, and this gives you time to track the breach and act upon that breach.

    How frequently would this be needed - probably rare at the most frequent.

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw[/url]
    Learn Extended Events

  • Eric M Russell (4/21/2015)


    Iwas Bornready (4/21/2015)


    I love it. Make a movie.

    We need an action movie where the hero is a fed up IT guy. It seems like we always get marginalized as supporting characters, or on occasion the villian.

    Would his character name be Eric Snowden?

    There is a line from my wife's favorite television show: "Please don't hurt my family." We have already worked out what to do and my family knows exactly what to do if I am ever taken hostage. Having a terminal diagnosis was so clarifying.

    My boss was watching me log on one day. He asked "Is your password really ... ?" I admitted that it was. If ever I'm asked what my password is I can tell them and they still won't know what it is. The phrase is likely to get me struck in the face but so be it. They are not likely to use the exclamation point on the end even if I shout it out.

    Are duress passwords and the like needed? The uncomfortable answer is YES. We used to be able to think that this was all fun and games and nothing like that would ever be needed. Times have changed.

    ATBCharles Kincaid

  • SQLRNNR (4/21/2015)


    I have thought about this from time to time. I imagine the implementation would not be much different in principle than a honeypot.

    Give them an account and password that is routed to a honeypot. They get what they think is legit documentation, and this gives you time to track the breach and act upon that breach.

    How frequently would this be needed - probably rare at the most frequent.

    Conceptually, it's like when the police leave an "abandoned" car on the side of the road and wait for theives. A honeypot could be a virtual VMWare instance walled off from the rest of the internal corporate network but with ports deliberately open to the internet. There are some honeypot images for download from web, and also 3rd party products and consulting firms that can set one up, including the specialized auditing services.

    http://www.networkworld.com/article/2296754/lan-wan/how-to-make-a-honeypot-network-security-system-pay-off.html

    A honeypot could also be a service that mimics a database server. When the perp tries to connect to one of these open honeypot ports, they get a message like the following, which seems to indicate the presence of a live database server.

    Cannot connect to MyCorpStorefront. (Microsoft SQL Server, Error: 8514294078)

    However, the actual error message is a shill. If the perp tabs over to Google and searches on "Error: 8514294078", now their IP address (and maybe even recent browser history) is on file at Google. The search could even link to a tech support website for a fake firewall solution. The perp would be provided with helpful instructions on how to resolve the connectivity issue, which includes advice on disabling their browser's proxy server and installing a download ...

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Eric M Russell (4/22/2015)


    Conceptually, it's like when the police leave an "abandoned" car on the side of the road and wait for theives. ...

    Law enforcement has a honeypot car that can be completely remotely controlled, including shutting off the fuel. I love it!

    And I think the idea of a trapped bogus error message is quite good. I'm not sure you could get Google to go along with providing you with the tracking information, but I like the approach.

    -----
    [font="Arial"]Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson[/font]

  • Eric M Russell (4/22/2015)


    ...However, the actual error message is a shill. If the perp tabs over to Google and searches on "Error: 8514294078", now their IP address (and maybe even recent browser history) is on file at Google. ...

    A hacker running an unmasked IP is probably too stupid to be much of a threat.

    ...

    -- FORTRAN manual for Xerox Computers --

  • Wayne West (4/22/2015)


    Eric M Russell (4/22/2015)


    Conceptually, it's like when the police leave an "abandoned" car on the side of the road and wait for theives. ...

    Law enforcement has a honeypot car that can be completely remotely controlled, including shutting off the fuel. I love it!

    And I think the idea of a trapped bogus error message is quite good. I'm not sure you could get Google to go along with providing you with the tracking information, but I like the approach.

    Google might cooperate, if there was reason to believe that the honeypot visitor was part of a broader coordinate hacking effort against the many organizations.

    If not, then Plan B. Next I would contact Google's marketing department, specifically their commercial analytics department. I want to know everything I can about people who visit my website HoneyFirewall.com. Who and where they are (to the maximum extent that information can be purchased) and what other websites to they visit. I'm particularly interested in those people who visit a particular support page, HoneyFirewall.com\8514294078. I'm sure for the right price, and probably not very much, they'd be willing to help in my "marketing" efforts.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

Viewing 15 posts - 16 through 30 (of 58 total)

You must be logged in to reply to this topic. Login to reply