Re: security scenario

From: theog (theog@theog.org)
Date: 01/31/03


From: "theog" <theog@theog.org>
To: "Chris Berry" <compjma@hotmail.com>, <security-basics@securityfocus.com>
Date: Fri, 31 Jan 2003 02:22:40 +0200

Well, I think that instead of dealing with how many layers one can install
(and taking the time to install them) it is better (IMHO) to invest the time
in making the important layers secure.
Having more layers won't increase your security level if you spent all the
time installing those same layers. What's more, you have more than CD-ROM
and floppy to boot with (USB dev, etc.). I wouldn't use a grub password
or a BIOS password, as forgetting those will cause more harm than the
security benefit they provide; writing them down or using weak passwords
is simply not worth the trouble.

TheOg

----- Original Message -----
From: "Chris Berry" <compjma@hotmail.com>
To: <security-basics@securityfocus.com>
Sent: Wednesday, January 29, 2003 9:44 PM
Subject: Re: security scenario

> >From: "theog" <theog@theog.org>
> >I agree, in my opinion, if someone got to the machine's keyboard,
> >be it physically or via a remote console device, he can do virtually
> >anything. In fact, the simplest thing to do (if I wanted to change the
> >root for a machine I don't have the password for) is to boot with a
> >linux cd, mount the root partition, then do chroot, and passwd,
> >so ..... no point in having a grub password for the machine if you
> >have users you don't trust, with access to that machine console.
>
> Physical access will yield root access given time, knowledge, and tools.
> That said, I still disagree, security is not one thing, it is a
> compilation of little things that add up. No one is hack proof, but by
> adding layer after layer of complications for the attacker, you make
> yourself an uninviting target, and become hack resistant. You have to
> draw the line somewhere or your administrative burden will grow greater
> than you can handle, but I believe that a grub password (or requiring
> root password for single user mode) would be a good idea as it's easy to
> set up and maintain, but makes things a little more difficult for the
> attacker (not to mention curious employees messing with things they
> shouldn't be). I also think bios passwords are a good idea, sure any
> monkey who can open the case can pop the battery and reset it, but that's
> one more step they have to do, and around most workplaces you'll get
> quite a bit of unwanted attention if you start taking your computer apart
> and you don't work in IT. On top of this, removing the CD-ROM drive and
> Floppy drive from any workstation that doesn't require it, is a good idea
> as it slows them down even further, and requires more knowledge, and some
> parts to bypass. With these three things in place they'll need a
> screwdriver, a linux cd, a cd-rom drive, enough knowledge to open the
> case install the cd-rom, set the jumpers on cd-rom and IDE, reset the
> cmos, then boot up and use their linux cd to bypass your grub password.
> Can it be done sure, is it hard, not really for a trained person, I could
> probably do it in under 20 minutes, but how many people have that level of
> training, and can get unobserved access to the machine for that long?
> Personally I feel that would stop anything but a determined and
> knowledgeable attacker who has time and physical access. If you have good
> physical security (locks, alarms etc.) that makes it even harder. If
> someone is determined enough to get through all that there isn't any way
> you're going to stop him anyways, but I consider that a much lower order
> of probability than the kind of people who could get in without having
> those three precautions.
>
> Chris Berry
> compjma@hotmail.com
> Systems Administrator
> JM Associates
>
> "For Sys Admins paranoia isn't a mental health problem, it's a marketable
> job skill."


