The security of common sense (continued)
It's just a flesh wound
I'm a religious supporter of backing up data and keeping everything. If a hacker does manage to break in and destroy some files, a good recovery system limits the damage to one day's activity. You'll also come to appreciate backups if you start trying to trace a hacker: once you know you've been compromised, you can go through the backed-up log files and user activity records and find out exactly what the hacker did and what he or she had access to. One caveat: backups only serve as evidence if the intruder couldn't reach them, so keep copies of logs somewhere the compromised server cannot overwrite or delete (offline media or a separate host).
The holes
There are two main ways an outside force will try to break into a Domino system.
Password files
Password files (Notes ID files) are tough nuts to crack, for several reasons. The file's contents, including the user's private key, are encrypted under a key derived from the password, so the file is useless without the password and deciphering it is a significant reverse-engineering job. Beyond that, there is natural resistance to the attack before it can even start.
An ID file is stored on the local machine and probably somewhere on the network. Beyond hacking into the network, the enemy would have to reach the host computer to get the file; presumably your physical security department would make that difficult. The enemy would also have to break into the workstation itself (assuming it has a lockable operating system). And random password guessing from within Notes is slowed by the increasing delay the client imposes after each wrong attempt: after a few attempts the attacker would have to close Notes, open it again, and repeat. Keep in mind, though, that this delay is enforced by the Notes client, not by the file itself; an enemy who has already copied the file is not obliged to guess through the client, so the real protection for a stolen ID is a strong password plus server-side password checking.
Forcing the server to check passwords when users authenticate (the "Check passwords on Notes IDs" setting in the Server document) is a good trick. The server keeps a digest of each user's current password and compares it at authentication time, so if an ID file is somehow stolen the user simply changes the password: the stolen copy still carries the old password, servers that check will refuse it, and you don't have to retire the ID altogether. Without the check, a copied ID and its password stay valid until you revoke the ID. Lotus defaults this to "No," probably because it slows authentication slightly to stop a breach that many assume will never happen.
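To make the effect of that setting concrete, here is a small model of the stolen-ID scenario, written for this article as an added example; it is not Domino's authentication protocol, and the names, passwords and digest function are placeholders. The server always verifies that the key in the ID belongs to the user, and compares the password digest only when checking is switched on:

```python
"""Toy model of why server-side password checking matters once an ID file
has been copied. Added example, not Domino's real client/server exchange:
the digest function, user names and passwords are stand-ins."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field


def digest(password: str) -> str:
    # Placeholder for whatever digest the server stores; not Domino's.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class IDFile:
    user: str
    key: str        # stands in for the private key kept inside the ID file
    password: str   # the password that unlocks this particular copy


@dataclass
class Server:
    check_passwords: bool                          # the Server document setting
    public_keys: dict = field(default_factory=dict)
    digests: dict = field(default_factory=dict)    # per-user password digests

    def enroll(self, idf: IDFile) -> None:
        self.public_keys[idf.user] = idf.key
        self.digests[idf.user] = digest(idf.password)

    def authenticate(self, idf: IDFile, typed_password: str) -> bool:
        # 1. The client must be able to unlock its own copy of the ID file.
        if typed_password != idf.password:
            return False
        # 2. The server always checks that the key belongs to this user.
        if self.public_keys.get(idf.user) != idf.key:
            return False
        # 3. Only when enabled: the server compares the password digest.
        if self.check_passwords and self.digests.get(idf.user) != digest(typed_password):
            return False
        return True


def change_password(server: Server, idf: IDFile, new_password: str) -> None:
    # The legitimate owner re-passwords their own copy and the server records
    # the new digest. Any other copy of the file is untouched.
    idf.password = new_password
    server.digests[idf.user] = digest(new_password)


def stolen_id_scenario(check_passwords: bool) -> tuple[bool, bool, bool]:
    """Returns (thief_before_change, thief_after_change, owner_after_change)."""
    server = Server(check_passwords=check_passwords)
    alice = IDFile("Alice", key="key-123", password="oldpass")
    server.enroll(alice)
    # Constructed incident: the attacker copies the file and learns its password.
    stolen = IDFile(alice.user, alice.key, alice.password)
    thief_before = server.authenticate(stolen, "oldpass")
    change_password(server, alice, "newpass")
    thief_after = server.authenticate(stolen, "oldpass")
    owner_after = server.authenticate(alice, "newpass")
    return thief_before, thief_after, owner_after


if __name__ == "__main__":
    print("checking off:", stolen_id_scenario(False))
    print("checking on: ", stolen_id_scenario(True))
```

With checking off the thief's copy keeps working after the owner changes the password, so the only remedy is to revoke the ID; with checking on the copy is refused while the owner's re-passworded file still authenticates.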
Web browser passwords
This has recently been pointed out to be a "major" hole in Lotus Notes. The hash of each user's Internet password is stored in the Person document in the Domino Directory on the server, and anyone who can read that document can take the value away and try to crack it offline. There are two kinds of stored Web browser passwords: strong (salted) and weak. The weak kind is equivalent to the @Password function: a one-way hash with no salt, so the same password always produces the same stored string on any computer. That means an attacker can hash a dictionary once and compare the results against every account in the directory, and two users who share a password are visible at a glance because their stored strings match. The strong kind adds a salt (a value whose bits are random data, based on the milliseconds of the computer clock), so the same password hashed some milliseconds apart produces a different string and nothing precomputed carries over from one account to the next. A salt only removes that shortcut; a weak password can still be guessed one account at a time, so it is no substitute for a sensible password policy. Note: I'm not familiar with the exact means of strong encryption, and hopefully that information will be kept secret.
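The difference between the two formats can be seen with a few lines of code. The following is an added example, not one of the two programs in this article and not Lotus's @Password or strong-format algorithm: SHA-1 stands in for both hash functions so that only the salt differs, and the users, passwords and word list are constructed. It runs the same dictionary attack against an unsalted and a salted copy of the same directory:

```python
"""Why an unsalted password hash in a directory is weaker than a salted one.

Added example for this article; it does NOT implement @Password or Domino's
strong format. SHA-1 stands in for both so the effect of the salt shows on
its own. Users, passwords and the word list are constructed sample data.
"""
from __future__ import annotations
import hashlib
import os


def weak_hash(password: str) -> str:
    # Unsalted: the same password yields the same stored string everywhere.
    return hashlib.sha1(password.encode()).hexdigest()


def strong_hash(password: str, salt: bytes = b"") -> str:
    # Salted: the random salt is stored next to the digest, so two users with
    # the same password get different stored strings.
    if not salt:
        salt = os.urandom(8)
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return salt.hex() + "$" + digest


# Constructed sample directory: two people happen to share a password.
USERS = {"alice": "letmein", "bob": "letmein", "carol": "Tr0ub4dor&3"}
WORDLIST = ["password", "123456", "letmein", "qwerty", "notes"]


def crack_unsalted(stored: dict[str, str], words) -> tuple[dict[str, str], int]:
    """Hash each word once and look it up against every account at the same
    time. Returns (cracked accounts, number of hash operations)."""
    by_hash: dict[str, list[str]] = {}
    for user, h in stored.items():
        by_hash.setdefault(h, []).append(user)
    cracked, ops = {}, 0
    for w in words:
        ops += 1
        for user in by_hash.get(weak_hash(w), []):
            cracked[user] = w
    return cracked, ops


def crack_salted(stored: dict[str, str], words) -> tuple[dict[str, str], int]:
    """Same attack against salted values: the per-account salt forces one
    hash per word per account, and nothing is reusable across accounts."""
    cracked, ops = {}, 0
    for user, value in stored.items():
        salt = bytes.fromhex(value.split("$")[0])
        for w in words:
            ops += 1
            if strong_hash(w, salt) == value:
                cracked[user] = w
                break
    return cracked, ops


def demo() -> dict:
    unsalted = {u: weak_hash(p) for u, p in USERS.items()}
    salted = {u: strong_hash(p) for u, p in USERS.items()}
    c1, ops1 = crack_unsalted(unsalted, WORDLIST)
    c2, ops2 = crack_salted(salted, WORDLIST)
    return {
        # Password reuse is visible in the unsalted store before any guessing.
        "reuse_visible": unsalted["alice"] == unsalted["bob"],
        "reuse_hidden": salted["alice"] != salted["bob"],
        "unsalted_cracked": c1, "unsalted_ops": ops1,
        "salted_cracked": c2, "salted_ops": ops2,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against the unsalted store one hash per dictionary word cracks every account using that word, and the two identical entries give away the shared password before a single guess is made; against the salted store the same word list has to be hashed again for every account, which is exactly the cost the salt is there to impose.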
I have included two programs in this article that are designed to crack Web browser passwords.
Disclaimer
Programs don't hack people, people hack people. That said, a program can't be sued. Use of the programs below against other companies is most likely a criminal act in your state or country and is prosecutable. They are presented here as a concrete example of the methodologies used to compromise Domino security and are good learning tools in that respect. DominoPower in no way endorses the practice of hacking.