RE: [fw-wiz] Stanford break in
From: Carric Dooley (carric_at_com2usa.com)
Date: 04/23/04
- Previous message: Crispin Cowan: "Re: [fw-wiz] Waning Security"
- In reply to: Victor Williams: "RE: [fw-wiz] Stanford break in"
- Next in thread: Victor Williams: "RE: [fw-wiz] Stanford break in"
- Reply: Victor Williams: "RE: [fw-wiz] Stanford break in"
To: Victor Williams <vbwilliams@essvote.net>
Date: Fri, 23 Apr 2004 02:58:20 -0400 (EDT)
Until you root the box, which is often pretty trivial as well...
A password file in plain view, an unpatched or misconfigured service...
these are all part of a bigger problem. While I agree that discretionary
access control at all levels is good, it becomes difficult to manage
unless you can come up with a standard build and replicate it. Also, using
a network directory reduces the need for local accounts.
On Thu, 22 Apr 2004, Victor Williams wrote:
> I'm still wondering why anyone would put their password file in plain view
> of anyone that logs in...but maybe I missed something...
>
> Sticky bits and chmod/chown are your friend. It's a pretty trivial deal to
> lock someone in a chmod "jail" on any Unix-like OS current within the last 8
> years. They've even got filesystem and directory level ACLs now! My advice
> to anyone is "use them...liberally."
>
>
> Victor Williams
> Network Architect, RHCE #809003618508044
> Election Systems & Software
> http://www.essvote.com
> vbwilliams@essvote.com
> (800) 247-8683
>
>
> -----Original Message-----
> From: firewall-wizards-admin@honor.icsalabs.com
> [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Laura Taylor
> Sent: Thursday, April 22, 2004 4:40 PM
> To: 'R. DuFresne'; 'Carric Dooley'
> Cc: 'Chuck Vose'; firewall-wizards@honor.icsalabs.com
> Subject: RE: [fw-wiz] Stanford break in
>
>
> You need some user behavior/rules of engagement policies to deal with users
> bringing home password files and cracking them. And they should be enforced.
> Laura
>
> -----Original Message-----
> From: firewall-wizards-admin@honor.icsalabs.com
> [mailto:firewall-wizards-admin@honor.icsalabs.com]On Behalf Of R. DuFresne
> Sent: Thursday, April 22, 2004 1:11 PM
> To: Carric Dooley
> Cc: Chuck Vose; firewall-wizards@honor.icsalabs.com
> Subject: Re: [fw-wiz] Stanford break in
>
>
> >
> > Network synced passwords are the only way to manage a large number of
> > users. If you have 10 workstations and 1 server, it might be fine to
> > have no network directory, but with 300,000 users, I would say it's
> > impossible. I would consider: LDAP, NDS, AD, SecureID, RADIUS, TACACS.
> > (notice the conspicuous absence of NIS, and I wanted to leave out AD,
> > but it seems to be unavoidable these days.)
> >
>
>
> HP made this useless, unless they have finally enabled a shadow setup in new
> versions of the OS. We played the single sign-on game at Nortel, and played
> with password cracking and all that, but, since 80% of the servers were HPs
> and they lacked any separation of passwords from the required /etc/passwd
> file, users wanting to up their privs on a system just took copies of the
> /etc/passwd file home and cracked to the point they felt they needed. And
> our CISSPs spent a lot of time putting together all these metrics on strong
> passwords and how effective they were making security of the network,
> without facing the reality of the 80% exposure faced. HP folks a few years
> ago hinted that HP was going to change their OS to include shadow password
> implementations, but, I've long since moved on and these days don't have to
> play on much but Suns and AIX systems, so I do not know if they have
> something besides the horrid TCB that would break most internal apps for
> companies and require a lot of retrofitting.
>
> Thanks,
>
> Ron DuFresne
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> admin & senior security consultant: sysinfo.com
> http://sysinfo.com
>
> "Cutting the space budget really restores my faith in humanity. It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation."
> -- Johnny Hart
>
> testing, only testing, and damn good at it too!
>
> _______________________________________________
> firewall-wizards mailing list firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
--
Carric Dooley
COM2:Interactive Media
http://www.com2usa.com
_______________________________________________
firewall-wizards mailing list firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
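
The exposure discussed in this thread (password hashes kept in a world-readable /etc/passwd instead of a shadow file) can be checked for with a short audit. This is an added example, not part of any message in the thread; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: find password hashes readable by any local user.

# Constructed sample in passwd(5) format; the hash string is made up.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:AbCdEfGhIjKlM:1001:100:unshadowed entry:/home/alice:/bin/sh
bob:*:1002:100::/home/bob:/bin/sh
carol:!!:1003:100::/home/carol:/bin/sh
dave::1004:100::/home/dave:/bin/sh
+::::::
EOF
}

# Print "name HASH" or "name EMPTY" for entries whose password field is
# neither shadowed ("x") nor a lock marker ("*", "!!", "*LK*").
# Reads the file named in $1, or standard input when no file is given.
exposed_hashes() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }  # comments and blank lines
        NF < 7 || $1 ~ /^[+-]/ { next }    # malformed lines, NIS compat entries
        $2 == "" { print $1, "EMPTY"; next }
        $2 == "x" || $2 ~ /^[*!]+$/ || $2 ~ /^\*[A-Z]+\*$/ { next }
        { print $1, "HASH" }
    ' "${1:--}"
}

# True when the "other" read bit is set on the file (mode test only).
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Audit a passwd file and its shadow file; returns 1 on any finding.
audit_files() {
    rc=0
    found=$(exposed_hashes "$1")
    if [ -n "$found" ]; then echo "$found"; rc=1; fi
    if [ -e "$2" ] && world_readable "$2"; then
        echo "$2 is world-readable"; rc=1
    fi
    return "$rc"
}

sample_passwd | exposed_hashes   # run against the constructed sample
```

On a host with shadow passwords, `audit_files /etc/passwd /etc/shadow` should print nothing and return 0.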