Is revealing a PC account user name bad?
I guess no. Why? Because if you secure your environment in such way that it can eliminate bruteforce attacks/dictionary attacks or any other attack that is trying to force the login, then exposing usernames won't do anything to it, thereafter you can limit the attempts in your LSP. If you look more into the psych of a possible attack, they can generate strings that are based on your username for example username is am123
, they can put ham123
or aM93
in their dict list).
Should i keep my username of roastedbeans.ru secret? Yeah you should because it's not your environment, you do not manage it. Therefore you do not know if it is secure at all.
Even if the user has port-forwarded remote-in software, one would have to know the internet address of the computer or the router, of which there's some 4 billion in the IPv4 space, and astronomically more in IPv6. Knowing where to start poking seems a lot harder.
In this statement you assume that an attacker is specifically targeting you. This is often not the case, it is more about having an opportunity.
Specific tooling and/or script that are executed from an attacker's machine will scan the internet for common vulnerabilities in order to gain access to any (random) machine.
Sometimes the tools are a lot more simple and only try to guess usernames and passwords by attacking TCP/22 (SSH) for example.
The logs therefore reveal the account user name to anyone who may download the log file.
The thing with log files is that not anyone should be able to download it. Only a select amount of people should be able to access these logs. In case anyone with an account on the system has access to this log file, the file permissions are set too lose (world readable).
In a corporate environment log files should not be stored locally but transmitted to a syslog server. Limited users should have access to this syslog server.
Additionally, auditing the system (the logs should also be written to a syslog server) should log anyone that access these files for trace-ability.
And everyone including non-authenticated visitors, can download log files.
If this is really the case, this is a major design flaw. I would not be too worried about revealing a username (as mentioned above) but rather worry about this. Log files should never be (directly) accessible over the internet, especially unauthenticated users.
Is revealing a PC account user name bad?
In my opinion exposing a username on an operating system is not necessarily a bad thing as long as a strong password policy is in place. This means a minimum of at least twelve characters, using upper and lowercase characters, specials characters and digits. Additionally, this policy should also trigger an action if X amount of failed attempts are made from a specific IP address (e.g. blocking the IP for Y amount of time)
Another more pressing issue I see here is something we call "Internal Path Disclosure" . Exposing internal paths to an attacker could be very useful combined with other type of attacks such as local file inclusions or SQL injections in case of a web application that is also exposed to the internet.
Is revealing a PC account user name bad?
In short NO.Why?
- Well for starters your PC username is not a information that is unique to you.A lot of people in the world can have the same windows username.
- Since its not unique to a person like an email address where two people cant have the same email address an attacker cant gain much information or even tell with a certain degree that the username belongs to you and you alone.
- sure if that username of yours is your name itself the attacker might use that knowledge to further OSINT you but that's just about it
Googling typically gets me back to the first two of these articles. These answers show that on a website it may be bad to reveal the username for the website account, because it gives malicious users needed information to try to crack an account. The "hacking" is rendered easier because the bad guy already knows where on the internet to try the passwords to crack the website account.
That is because a username in a website is unique and furthermore in a brute force attack two pieces of information are needed.An attacker could(if the website allows) try a combination of password since he already knows that the username is valid.
Even if the user has port-forwarded remote-in software, one would have to know the internet address of the computer or the router, of which there's some 4 billion in the IPv4 space, and astronomically more in IPv6. Knowing where to start poking seems a lot harder.
The assumption that you make here is wrong.Never think that by hiding IP address you might be "secure". The concept of defence in depth has to be applied here.The internet is being scanned for vulnerabilities as you read this answer
The logs therefore reveal the account user name to anyone who may download the log file. And everyone including non-authenticated visitors, can download log files. Some users obfuscate these path names because they feel that having their user names out on the web is bad.
In my opinion there is nothing insecure here,Plus you already say half of the people fake the names.There is nothing substantial to gain here for an attacker except maybe a bit of information about the person but THAT'S ALL!