Information Security Help!!!

Protecting your Linux box
lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore
Contact:

Post by lambda »

use pgp instead of ssh passwords? ha ha! there's no end to the depths of your ignorance. i pity the people who have to rely on you at work.
Watch out for the Manners Taliban!
Isn't it amazing how so many people can type "linuxpakistan.net" into their browsers but not "google.com"?
lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore
Contact:

Post by lambda »

securitykid wrote:I like your signature
the linked article is worth reading.
Watch out for the Manners Taliban!
Isn't it amazing how so many people can type "linuxpakistan.net" into their browsers but not "google.com"?
Saad Khan
Company Havaldaar Major
Posts: 155
Joined: Sun Jun 11, 2006 6:19 pm
Location: Karachi

Post by Saad Khan »

x2oxen wrote:Thanks for your comprehensive reply guys. But all forgot to mention a really major point that is we should not use passwords for ssh logins cause any smart middle man can detect it and can harm us. We should always go for PGP and Public-Key Cryptography that will make our systems far away secure than using plain passwords.
we should not use passwords for ssh?? that means, ssh is not secured?
this post really instigating me to know about that person? who suggested you to use PGP, instead of ssh usage. or may be i didn't know that, there are some sniffers exist, that sniff your encrypted ssh logins, i would like to have such programs in my toolkit. :)
correct me, if i am wrong, i would like to increase my skills with your precious replies and suggestions.
x2oxen
Major General
Posts: 1114
Joined: Wed Aug 22, 2007 3:17 pm
Location: Faisalabad
Contact:

Post by x2oxen »

lambda wrote:use pgp instead of ssh passwords? ha ha! there's no end to the depths of your ignorance. i pity the people who have to rely on you at work.
Your any further post ain't gonna make any different to me cause don't pay attention to edicts word's and you are high at your knowledge for sure!
Muhammad Usman
+92-321-6640501
Chemonics International
http://usmanpk.com
x2oxen
Major General
Posts: 1114
Joined: Wed Aug 22, 2007 3:17 pm
Location: Faisalabad
Contact:

Post by x2oxen »

Saad Khan wrote:
x2oxen wrote:Thanks for your comprehensive reply guys. But all forgot to mention a really major point that is we should not use passwords for ssh logins cause any smart middle man can detect it and can harm us. We should always go for PGP and Public-Key Cryptography that will make our systems far away secure than using plain passwords.
we should not use passwords for ssh?? that means, ssh is not secured?
this post really instigating me to know about that person? who suggested you to use PGP, instead of ssh usage. or may be i didn't know that, there are some sniffers exist, that sniff your encrypted ssh logins, i would like to have such programs in my toolkit. :)
correct me, if i am wrong, i would like to increase my skills with your precious replies and suggestions.

Have you ever heard about key logger saad??

In some cases we need to let others access our servers as well for some certain passwords and we do not want to disclose our passwords to them. PGP & Public key encryptography is the best option and uncrackable until now.
Muhammad Usman
+92-321-6640501
Chemonics International
http://usmanpk.com
securitykid
Naik
Posts: 70
Joined: Sat Oct 20, 2007 5:18 am

Post by securitykid »

Guys,

Its ok,

I understand what you were saying, actually SSH works with somewhat same mechanism that you were referring to. Correct!, Public Key cryptography and SSL, etc will protect the data theft/temper on wire/transmission. (Man-in-Middle), (Monkey-in-Middle).

Read this to know more about how ssh works:

http://www.eng.cam.ac.uk/help/jpmg/ssh/ssh-detail.html

BUT what if a stealth key logger is tracking your keys?,

there is a way to even protect it, Any one interested? let me know I will describe how to combat with key loggers which cannot be fixed/clean/detected by traditional AVs.

I hope this helps you...

I strongly discourage " Behas brai Behas " if this argues are constructive they are welcome to post.

Thanks
SecurityKID-ITdotCOM
Security Every Where! BUT where? :)
securitykid
Naik
Posts: 70
Joined: Sat Oct 20, 2007 5:18 am

Post by securitykid »

Hey Guys,

Any one look at the URL that I post in my earlier post?



http://www.masterofit.net/index.php?filter=deck&cid=1

Any comments?

Thanks
SecurityKID-ITdotCOM
Security Every Where! BUT where? :)
x2oxen
Major General
Posts: 1114
Joined: Wed Aug 22, 2007 3:17 pm
Location: Faisalabad
Contact:

Post by x2oxen »

Muhammad Islam decleared as Master of IT and this is incredible that a pakistani has made his mark in Internation Ranking! Thats simply austum
Muhammad Usman
+92-321-6640501
Chemonics International
http://usmanpk.com
x2oxen
Major General
Posts: 1114
Joined: Wed Aug 22, 2007 3:17 pm
Location: Faisalabad
Contact:

Post by x2oxen »

BUT what if a stealth key logger is tracking your keys?,

there is a way to even protect it, Any one interested? let me know I will describe how to combat with key loggers which cannot be fixed/clean/detected by traditional AVs.
Definitely I will be interested for sure to know bout it.
Muhammad Usman
+92-321-6640501
Chemonics International
http://usmanpk.com
securitykid
Naik
Posts: 70
Joined: Sat Oct 20, 2007 5:18 am

Post by securitykid »

Guys,

Send me the private message I will reply the solution

Thanks
SecurityKID-ITdotCOM
Security Every Where! BUT where? :)
x2oxen
Major General
Posts: 1114
Joined: Wed Aug 22, 2007 3:17 pm
Location: Faisalabad
Contact:

Post by x2oxen »

is it necessary to discuss this in private messeges?
Muhammad Usman
+92-321-6640501
Chemonics International
http://usmanpk.com
masud
Havaldaar
Posts: 108
Joined: Thu Aug 05, 2004 12:15 am
Location: Fremont, CA
Contact:

Post by masud »

x2oxen wrote: Have you ever heard about key logger saad??

In some cases we need to let others access our servers as well for some certain passwords and we do not want to disclose our passwords to them. PGP & Public key encryptography is the best option and uncrackable until now.
If any one can install a key logger on your system, he can easily copy/use your keys as well. Using keys are just an option and wont help you in securing anything.
--SP--
kbukhari
Major General
Posts: 1222
Joined: Sat Dec 31, 2005 12:29 am
Location: Lahore
Contact:

Post by kbukhari »

x2oxen wrote: Have you ever heard about key logger saad??

In some cases we need to let others access our servers as well for some certain passwords and we do not want to disclose our passwords to them. PGP & Public key encryptography is the best option and uncrackable until now.
your answer is Not to much useful. i never use pgp keys authentication for security or escape from key loggers. well reasone behind usage of ssh keys for me is .....

I dont want to change servers password every time when a person leaves my orgnization.
I dont want to remember all unique and strong type of password.
I dont want to keep them in a file or open that file while some one reading it from my shoulder.

and it requires no time to log me in on server :D
--
Syed Kashif Ali Bukhari
+92-345-8444420
http://sysadminsline.com
http://kashifbukhari.com
lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore
Contact:

Post by lambda »

Saad Khan wrote:who suggested you to use PGP, instead of ssh usage. or may be i didn't know that, there are some sniffers exist, that sniff your encrypted ssh logins, i would like to have such programs in my toolkit. :)
ignore him. really. there's no reason to set up and use pgp for ssh authentication. just use the ssh-keygen generated keys, like everyone else. the tools and processes for using pgp keys with ssh are not as mature as ssh-keygen's.

if you want more details, read the post i made several months ago in the howto subforum.
Watch out for the Manners Taliban!
Isn't it amazing how so many people can type "linuxpakistan.net" into their browsers but not "google.com"?
lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore
Contact:

Post by lambda »

x2oxen wrote:Your any further post ain't gonna make any different to me cause don't pay attention to edicts word's and you are high at your knowledge for sure!
i wish i could be certain about what this means. it's as confusing as most of your advice, if not as flawed.

that's okay with me, you know? you can keep ignoring my comments about how dumb your suggestions are.
Watch out for the Manners Taliban!
Isn't it amazing how so many people can type "linuxpakistan.net" into their browsers but not "google.com"?
Post Reply