RE: [fw-wiz] Stanford break in
From: Victor Williams (vbwilliams_at_essvote.net)
Date: 04/23/04
- Previous message: Melson, Paul: "RE: [fw-wiz] Stanford break in"
- In reply to: Carric Dooley: "RE: [fw-wiz] Stanford break in"
- Next in thread: mlh_at_zipworld.com.au: "Re: [fw-wiz] Stanford break in"
To: <firewall-wizards@honor.icsalabs.com>
Date: Fri, 23 Apr 2004 09:07:43 -0500
I don't think anyone should assume it should be easy or something done
quickly. It takes time to implement correctly.
Also, this is the same-ol same-ol problem. How do you secure a system, but
keep badly coded applications that run on that system working...when
security will oftentimes break your application?
Getting off-original-topic, so I will shut up now.
Victor Williams
-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Carric Dooley
Sent: Friday, April 23, 2004 1:58 AM
To: Victor Williams
Cc: ltaylor@relevanttechnologies.com; 'R. DuFresne'; 'Chuck Vose'; firewall-wizards@honor.icsalabs.com
Subject: RE: [fw-wiz] Stanford break in
Until you root the box, which is often pretty trivial as well...
A password file in plain view, an unpatched or misconfigured service...
these are all part of a bigger problem. While I agree that discretionary
access control at all levels is good, it becomes difficult to manage unless
you can come up with a standard build and replicate it. Also, using a
network directory reduces the need for local accounts.
On Thu, 22 Apr 2004, Victor Williams wrote:
> I'm still wondering why anyone would put their password file in plain
> view of anyone that logs in...but maybe I missed something...
>
> Sticky bits and chmod/chown are your friend. It's a pretty trivial
> deal to lock someone in a chmod "jail" on any Unix-like OS current
> within the last 8 years. They've even got filesystem and directory
> level ACLs now! My advice to anyone is "use them...liberally."
>
>
> Victor Williams
> Network Architect, RHCE #809003618508044
> Election Systems & Software
> http://www.essvote.com
> vbwilliams@essvote.com
> (800) 247-8683
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail transmission and any documents, files or previous e-mail
> messages attached to it may contain information that is confidential,
> protected by the attorney/client or other privileges, and may constitute
> non-public information. It is intended to be conveyed only to the designated
> recipient(s) named above. Any unauthorized use, reproduction, forwarding,
> distribution or other dissemination of this transmission is strictly
> prohibited and may be unlawful. If you are not an intended recipient of this
> e-mail transmission, please notify the sender by return e-mail and
> permanently delete any record of this transmission. Your cooperation is
> appreciated.
>
>
>
> -----Original Message-----
> From: firewall-wizards-admin@honor.icsalabs.com
> [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Laura Taylor
> Sent: Thursday, April 22, 2004 4:40 PM
> To: 'R. DuFresne'; 'Carric Dooley'
> Cc: 'Chuck Vose'; firewall-wizards@honor.icsalabs.com
> Subject: RE: [fw-wiz] Stanford break in
>
>
> You need some user behavior/rules of engagement policies to deal with
> users bringing home password files and cracking them. And they should
> be enforced.
>
> Laura
>
> -----Original Message-----
> From: firewall-wizards-admin@honor.icsalabs.com
> [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of R. DuFresne
> Sent: Thursday, April 22, 2004 1:11 PM
> To: Carric Dooley
> Cc: Chuck Vose; firewall-wizards@honor.icsalabs.com
> Subject: Re: [fw-wiz] Stanford break in
>
>
> >
> > Network synced passwords are the only way to manage a large number of
> > users. If you have 10 workstations and 1 server, it might be fine to
> > have no network directory, but with 300,000 users, I would say it's
> > impossible. I would consider: LDAP, NDS, AD, SecureID, RADIUS, TACACS.
> > (notice the conspicuous absence of NIS, and I wanted to leave out AD,
> > but it seems to be unavoidable these days.)
> >
>
>
> HP made this useless, unless they have finally enabled a shadow setup
> in new versions of the OS. We played the single sign-on game at
> Nortel, and played with password cracking and all that, but, since 80%
> of the servers were HP's and they lacked any separation of passwords
> from the required /etc/passwd file, users wanting to up their privs on
> a system just took copies of the /etc/passwd file home and cracked to
> the point they felt they needed. And our CISSPs spent a lot of time
> putting together all these metrics on strong passwords and how
> effective they were making security of the network, without facing the
> reality of the 80% exposure faced. HP folks a few years ago hinted
> that HP was going to change their OS to include shadow password
> implementations, but, I've long since moved on and these days don't
> have to play on much but SUN's and AIX systems, so I do not know if
> they have something beside the horrid TCB that would break most
> internal apps for companies and require a lot of retrofitting.
>
> Thanks,
>
> Ron DuFresne
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> admin & senior security consultant: sysinfo.com
> http://sysinfo.com
>
> "Cutting the space budget really restores my faith in humanity. It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation."
> -- Johnny Hart
>
> testing, only testing, and damn good at it too!
>
> _______________________________________________
> firewall-wizards mailing list firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
>
>
--
Carric Dooley
COM2:Interactive Media
http://www.com2usa.com
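An added example, not taken from any message in this thread: a small Python audit for the exposure Ron describes (password hashes sitting in the world-readable /etc/passwd because the OS has no shadow file), together with a permission-bit check on the shadow file itself, in the spirit of Victor's "use them...liberally" advice. The sample passwd content and the hash strings are constructed and are not real hashes; `audit_passwd`, `shadow_mode_ok` and `audit_shadow_path` are names chosen for this example, and only `audit_shadow_path` touches the real filesystem, and only when you call it.

```python
"""Audit a passwd-format file for hashes that belong in a shadow file."""
from __future__ import annotations

import os
import stat
from dataclasses import dataclass

# Constructed sample in /etc/passwd format. The hash strings are made up
# for the demonstration and are not real password hashes.
SAMPLE_PASSWD = """\
root:$1$saltsalt$MadeUpHashValueForDemo00:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/:/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/sh
legacy:AbCdEfGhIjKlM:1002:1002:Legacy DES-style entry:/home/legacy:/bin/sh
bob::1003:1003:Bob:/home/bob:/bin/sh
+::::::
"""

# Values in field 2 that mean "hash lives in the shadow file" or "account
# locked"; none of them is a crackable hash.
SHADOW_OR_LOCKED = {"x", "*", "!", "!!"}


@dataclass
class Finding:
    line_no: int
    user: str
    problem: str


def audit_passwd(text: str) -> list[Finding]:
    """Return one Finding per entry whose password field exposes something.

    Entries are skipped when field 2 is a shadow marker or a locked-account
    marker (anything starting with '*', which also covers Solaris *LK*/*NP*).
    NIS compatibility entries ('+' or '-' prefixed) are not real accounts.
    """
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        user = fields[0]
        if user.startswith(("+", "-")):
            continue
        if len(fields) != 7:
            findings.append(Finding(line_no, user, "malformed entry"))
            continue
        pw = fields[1]
        if pw == "":
            findings.append(Finding(line_no, user, "empty password field: login without a password"))
        elif pw in SHADOW_OR_LOCKED or pw.startswith("*"):
            continue
        else:
            findings.append(Finding(line_no, user, "password hash stored in world-readable passwd"))
    return findings


def shadow_mode_ok(mode: int) -> bool:
    """True when a shadow file's permission bits keep other users out.

    Accepts 0600 and 0640 style modes (group read for a 'shadow' group is
    common); rejects any world access and any group write or execute.
    """
    forbidden = stat.S_IRWXO | stat.S_IWGRP | stat.S_IXGRP
    return (mode & forbidden) == 0


def audit_shadow_path(path: str) -> list[str]:
    """Report owner and mode problems for an on-disk shadow file."""
    problems: list[str] = []
    st = os.stat(path)
    perm = stat.S_IMODE(st.st_mode)
    if st.st_uid != 0:
        problems.append(f"{path} is not owned by root (uid {st.st_uid})")
    if not shadow_mode_ok(perm):
        problems.append(f"{path} mode {oct(perm)} grants access to non-root users")
    return problems


if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f"line {f.line_no}: {f.user}: {f.problem}")
    # On a real system you would additionally run, for example:
    #   audit_shadow_path("/etc/shadow")
```

Run against the constructed sample, the audit flags `root` and `legacy` (hashes visible to every local login, the situation Ron describes) and `bob` (empty password field), and skips `daemon` and `alice`, whose entries are locked or shadowed. The mode check deliberately tolerates 0640 so that a root-owned file readable by a dedicated shadow group passes while anything world-accessible fails.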