<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Very insightful, thank you Bret.<br>
<br>
Barring packet sniffing (which can only be done along the route right?)
more secure passwords would make a real difference.<br>
<br>
Here is a question - has anyone on the list had an account hacked where
the password wasn't stupid (where stupid=(1234,1111,secret,${EXTEN},
etc))? <br>
<br>
My thought is, the botnets are probably looking for low hanging fruit.
I'd love to know if anyone has evidence that that isn't the case.<br>
<br>
Andy<br>
<div class="moz-signature">
<p align="left"><font face="Times New Roman, Times, serif" size="1">
<table border="0" width="317">
<tbody>
<tr valigh="top">
<td>
<div align="center"> <a href="http://www.anteil.com"><img
moz-do-not-send="false" src="cid:part1.04070400.08040008@anteil.com"
alt="Anteil, Inc." border="0"></a>
<table border="0" width="317">
<tbody>
<tr>
<td colspan="3">
<div align="center">
<table width="270">
<tbody>
<tr>
<td>
<hr></td>
</tr>
</tbody>
</table>
</div>
</td>
</tr>
<tr valign="top">
<td width="134">
<div align="right"><font color="#000000"
face="Times New Roman, Times, serif" size="2"> <strong>Andrew M.
Lauppe<br>
</strong> <em>Consultant</em> </font>
</div>
</td>
<td width="11"><br>
</td>
<td width="148"><font face="Times New Roman, Times, serif"><font
color="#666666" size="1">4051B Executive Park Dr.<br>
Harrisburg, PA 17111<br>
<hr align="left" width="105">+1 (877) OS-LINUX x23<br>
+1 (484) 421-9919 direct </font></font></td>
</tr>
</tbody>
</table>
</div>
</td>
</tr>
</tbody>
</table>
</font></p>
</div>
<br>
<br>
Trixter aka Bret McDanel wrote:
<blockquote cite="mid:1236718442.4885.184.camel@trixtop.0xdecafbad.com"
type="cite">
<pre wrap="">On Tue, 2009-03-10 at 16:14 -0400, Andrew M. Lauppe wrote:
</pre>
<blockquote type="cite">
<pre wrap="">We discussed this on freenode #freepbx today, and someone did the
following math.
A 20 digit numerical password/secret (numerical meaning only 0-9 -
obviously), attacked via brute force at 5,000,000 passwords per
second, would take more than 600,000+ years to crack. I didn't verify
but it looks about right.
</pre>
</blockquote>
<pre wrap=""><!---->20 digit is 100,000,000,000,000,000,000 combinations assuming that there
are no blacklisted ones in that space.
100,000,000,000,000 seconds at 5M/sec. (for reference about what the
total US debt is including social security and other things that
normally dont show on the national debt numbers).
about 3.1M years for an exhaustive search, statistically speaking it
would be half that time on average if you are doing multiple, or about
1.6M years.
If the password is alphanumeric then it goes from 100 million trillion
to 13,367,495,000,000,000,000,000,000,000,000 or 13,367 trillion
trillion and I am not even going into case sensitivity or other
characters that could be used.
If you just used upper case letters and numbers, 10 characters would be
about 23 years @ 5M/sec for an exhaustive search. 12 would be 30k
years. See below about how this time could be shortened.
</pre>
<blockquote type="cite">
<pre wrap="">Lesson of the day? Sure, more secure passwords aren't THE solution,
but they sure help. I'm pretty sure any attempt to brute force a SIP
password on an asterisk box at anything approching 5 million passwords
per second would have side effects that would bring the attack to your
attention (like bringing your sip stack to it's knees perhaps?)
</pre>
</blockquote>
<pre wrap=""><!---->
it depends on how they are doing it. Brute forcing *can* be via capture
packets, everything needed to get the password is in the auth packets in
sip. There are a lot of different ways to get the hashes, they may be
able to get the hash without really doing much else, or they may be in a
position to do much more evil things.
</pre>
<blockquote type="cite">
<pre wrap="">With most phones being auto-provisioned, the length of the password
shouldn't be a limiting factor. Make your passwords/secrets more
complex and we can be done with this conversation. Please.
</pre>
</blockquote>
<pre wrap=""><!---->Well it is MD5 in sip, so the 5M/sec doesnt really hold if they are
doing it on a botnet or similar that is outside your control via
captured headers. Of course stopping people from capturing headers is
beyond the scope of a packet filtering system.
</pre>
<pre wrap="">
<hr size="4" width="90%">
_______________________________________________
--Bandwidth and Colocation Provided by <a class="moz-txt-link-freetext" href="http://www.api-digital.com">http://www.api-digital.com</a>--
asterisk-biz mailing list
To UNSUBSCRIBE or update options visit:
<a class="moz-txt-link-freetext" href="http://lists.digium.com/mailman/listinfo/asterisk-biz">http://lists.digium.com/mailman/listinfo/asterisk-biz</a></pre>
</blockquote>
</body>
</html>