RE: [fw-wiz] Stanford break in

From: Victor Williams (
Date: 04/23/04

  • Next message: R. DuFresne: "RE: [fw-wiz] K----'s Waning Security"
    To: <>, "'R. DuFresne'" <>, "'Carric Dooley'" <>
    Date: Thu, 22 Apr 2004 18:09:56 -0500

    I'm still wondering why anyone would put their password file in plain view
    of anyone that logs in...but maybe I missed something...

    Sticky bits and chmod/chown are your friend. It's a pretty trivial deal to
    lock someone in a chmod "jail" on any Unix-like OS current within the last 8
    years. They've even got filesystem and directory level ACLs now! My advice
    to anyone is "use them...liberally."

    Victor Williams
    Network Architect, RHCE #809003618508044
    Election Systems & Software <>
    (800) 247-8683

    This e-mail transmission and any documents, files or previous e-mail
    messages attached to it may contain information that is confidential,
    protected by the attorney/client or other privileges, and may constitute
    non-public information. It is intended to be conveyed only to the designated
    recipient(s) named above. Any unauthorized use, reproduction, forwarding,
    distribution or other dissemination of this transmission is strictly
    prohibited and may be unlawful. If you are not an intended recipient of this
    e-mail transmission, please notify the sender by return e-mail and
    permanently delete any record of this transmission. Your cooperation is

    -----Original Message-----
    [] On Behalf Of Laura Taylor
    Sent: Thursday, April 22, 2004 4:40 PM
    To: 'R. DuFresne'; 'Carric Dooley'
    Cc: 'Chuck Vose';
    Subject: RE: [fw-wiz] Stanford break in

    You need some user behavior/rules of engagement policies to deal with users
    bringing home password files and cracking them. And they should be enforced.

    -----Original Message-----
    []On Behalf Of R. DuFresne
    Sent: Thursday, April 22, 2004 1:11 PM
    To: Carric Dooley
    Cc: Chuck Vose;
    Subject: Re: [fw-wiz] Stanford break in

    > Network synced passwords are the only way to manage a large number of
    > users. If you have 10 workstations and 1 server, it might be fine to
    > have no network directory, but with 300,000 users, I would say it's
    > impossible. I would consider: LDAP, NDS, AD, SecureID, RADIUS, TACACS.
    > (notice the conspicuous absence of NIS, and I wanted to leave out AD,
    > but it seems to be unavoidable these days.

    HP made this usless, unless they have finally enabled a shadow setup in new
    versions of the OS. We played the single sing-on game at nortel, and played
    with password cracking and all that, but, since 80% of the servers were hp's
    and they lacked any seperation of passwords from the required /etc/passwd
    file, users wanting to up their privs on a system just took copies of the
    /etc/passwd file home and cracked to the point they felt they needed. And
    our CISSP's spent alot of time putting together all these metrics on strong
    passwords and how effective they were making security of the network,
    without facing the reality of the 80% exposure faced. HP folks a few years
    ago hinted that HP was going to change theit OS to include shadow password
    implimentations, but, I've long since moved on and these days don;t have to
    play on much but SUN's and AIX systems, so I do not know if they have
    something beside the horrid TCB that would break most interal apps for
    companies and require alot of retrofitting.


    Ron DuFresne

            admin & senior security consultant:
    "Cutting the space budget really restores my faith in humanity.  It
    eliminates dreams, goals, and ideals and lets us get straight to the
    business of hate, debauchery, and self-annihilation."
                    -- Johnny Hart
    testing, only testing, and damn good at it too!
    firewall-wizards mailing list
    firewall-wizards mailing list
    firewall-wizards mailing list

  • Next message: R. DuFresne: "RE: [fw-wiz] K----'s Waning Security"