dlm@cuuxb.ATT.COM (Dennis L. Mumaugh) (12/14/88)
In article a previous article I described a terminal lock program for an AT&T 630MTG: > The neatest special program is the 630MTG program dmdlock. If > the terminal has no user activity - mouse or keyboard - in a > given time period, the terminal locks itself and 15 minutes later > the screen blanks. One has to then unlock the terminal. Hence > walking away from the 630MTG results in auto-locking the > terminal. > My security friends remind me that even the above terminal lock program won't be safe. In "UNIX Operating System Security," Grampp, F.T. and Morris, R. H., ATT Tech. Journal, vol 63, no 8, part 2, pp 1649-1672, October 1984, the concept of a password grabber was discussed. Read it. Alogithm for penetration of a system via attack on a locked terminal. A priori know the behaviour of the lock. Break the lock. [We assume this is done by power cycling the terminal or dropping the line/modem]. Use the terminal to login on your favorite system, possibly the same as the victim. Run your version of the password grabber/ lock masquerade program. When our victim returns and tries to unlock the terminal, they can't. After a few tries, the program simulates a logout. Our lock program leaves a log of attempts in the user's login directory. Hence if I can't unlock my terminal, I always [always?!] check the lock log to see that it did log the attempt. If I don't see my failure, well .... Moral: terminal locking programs are NEVER [what never? no! never!] secure. -- =Dennis L. Mumaugh Lisle, IL ...!{att,lll-crg}!cuuxb!dlm OR cuuxb!dlm@arpa.att.com
friedl@vsi.COM (Stephen J. Friedl) (12/18/88)
In article <2292@cuuxb.ATT.COM>, dlm@cuuxb.ATT.COM (Dennis L. Mumaugh) writes: > Moral: terminal locking programs are NEVER [what never? no! > never!] secure. No kidding. The 4.1BSD [I think] `lock' had a hardcoded magic unlock password ("hasta la vista"), and ^Z would stop it as well. Steve -- Stephen J. Friedl 3B2-kind-of-guy friedl@vsi.com V-Systems, Inc. attmail!vsi!friedl Santa Ana, CA USA +1 714 545 6442 {backbones}!vsi!friedl Nancy Reagan on my new '89 Mustang GT Convertible: "Jus
heilpern@ibd.BRL.MIL (Mark A. Heilpern ) (12/20/88)
In article <971@vsi.COM> friedl@vsi.COM (Stephen J. Friedl) writes: >In article <2292@cuuxb.ATT.COM>, dlm@cuuxb.ATT.COM (Dennis L. Mumaugh) writes: >No kidding. The 4.1BSD [I think] `lock' had a hardcoded magic >unlock password ("hasta la vista"), and ^Z would stop it as >well. > Steve Immediately after reading this, like any curious user, I checked it out on our 4.2BSD system. Yes, using ^Z DOES abort lock, as does "hasta la vista." My initial attempt at typeing "hasta..." was misspelled, and STILL went through. This lead me to discover ANY two word (separated by a space) combination will satisfy the lock program. Rather than tell you how you should feel about this, I'll let you form your own conclusions. Mark {These are the opinions of myself and NOT those of my employer.} -- |\/| | | | _ |< / \_(_(_)\_/ \______