Computer Security

So the account compromises I mentioned the other day seem to be a symptom of a bigger epidemic. Several friends’ machines had rootkits installed on them, and it took a while for my friends to contain and repair the damage (some machines are still offline). I am feeling a little bit better because it seems less likely that I was the cause of these failures and more that I was just a victim, but I still used the same password on multiple machines, which is bad news. It is comforting that several of my friends had the same bad habit, so at least I’m in good company. :P

I’ve reset my passwords on those boxes to random characters and am using ssh keys to authenticate instead. There are a few systems I can’t do this on, however. CSH, for example, requires me to password authenticate to retrieve my email and use other house resources, so I can’t set that to a random password. I have, however, picked a password that is unique to each system where I have to use password auth and have unique ssh keypairs (with unique passwords) to each machine I have physical access to. I’ve also decided to never jump out from one remote machine to another (for instance, log in to CSH, then from there log into Matt’s machine), so if the first machine is compromised I don’t have to worry about some rogue sshd snarfing my password (which was one “feature” of the rootkit used in these attacks). Finally, I will change all of my passwords every few months.
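As an added illustration of the policy described above (this is not the post’s own configuration; the host names, user name and key file names are assumed placeholders), here is a client-side ~/.ssh/config that enforces one keypair per machine, never forwards the agent, and keeps the password-only box separate:

```sshconfig
# Added example, not from the original post. Host names, user and key paths are placeholders.
# Each remote machine gets its own keypair, generated with its own passphrase, e.g.:
#   ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_matt -C "laptop -> matt"

Host *
    # Offer only the key named for this host, so a compromised box never sees
    # every key we own being tried against it.
    IdentitiesOnly yes
    # Never forward the agent: a rogue sshd on the far end could otherwise use
    # our keys to hop onward, which is exactly the jump the post rules out.
    ForwardAgent no

Host matt
    HostName matt.example.org
    User me
    IdentityFile ~/.ssh/id_ed25519_matt
    # Key auth only on machines that support it.
    PreferredAuthentications publickey

Host csh
    HostName shell.example.org
    User me
    # This box requires password auth for mail and other services; the password
    # is unique to it and is typed only in a session opened directly from the
    # laptop, never from another remote machine.
    PreferredAuthentications password
```

With this in place, `ssh matt` presents exactly one key and nothing else, and a session on csh carries no agent or key material that a tampered sshd there could reuse elsewhere.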

As far as I can tell this is about as good a policy as I can come up with. Any suggestions are appreciated.

Ugh

I had a strange question asked of me today… Matt Weaver asked me if I had tried to `su -` on his machine today… I hadn’t, which opened a huge can of worms that ended up with me (and others) believing that my password was somehow obtained and used without my knowledge by persons unknown. This problem was exacerbated by the fact that I was using the same password on many systems. If the person was a good cracker, they would have covered their tracks, so it’s difficult to tell how long they’ve been at this, but if we are to believe the logs it seems like it was only today (er, Wednesday).

I do my best to choose good passwords, but I guess I had one bad habit left, which was using the same password on multiple systems… I suspect that many of you reading do this, so I don’t feel so guilty, but still…

Anyway, I have gone through all the Unix systems I have access to (or, at least the ones I remember) and changed my passwords to something unique to each system. I’ve also deleted any ssh keys I had floating around, as they can’t be trusted anymore. At least this way, if this happens again, using unique passwords on all the various systems will limit the blast radius. If you’re reading, I hope that was fun for you. (P.S. If I have an account on your machine and I haven’t mailed you, let me know, because I might have forgotten about you.)

In less aggravating news I saw Henry Rollins tonight doing his Spoken Word act… As always, a wonderful show (although the seats sucked).