Full Disclosure mailing list archives

Re: AFS - The Ultimate Sulution? -- What is the point?


From: Paul Sebastian Ziegler <psz () observed de>
Date: Sun, 17 Sep 2006 13:38:32 +0200

Those are good ideas to push the concept even further.
But this was a mind game anyway. In answer to what Maguro said:
Yes, it would still be possible to root the system, but how would that
help to get another user?
Even if the system is rooted you would only have access to your own
files and could not even crack other users' pws since they aren't in
your password-file.

As you said, this requires that the AFS server is being kept up to date.
But the images wouldn't have to be. Apart from this, AFS hasn't had a
major security issue in the past several years.

Of course somebody could be hardlogging on a workstation, but it
wouldn't be possible to sniff pws from the Kerberos session due to
encryption. So a rooted workstation with eth0 put into promiscuous
mode would also be of no use.

Paul

Dude VanWinkle wrote:
why not just use a dumb terminal if you are going to go to all that trouble?

-JP

On 9/15/06, Dean Pierce <piercede () pdx edu> wrote:
There is the convenience issue of the speed that the image transfers
across the network.

There is also the issue that infected workstations may be collecting
passwords.

My suggestion would be to use the harddrives in the workstation to store
the boot images, and have the minimal operating system on some sort of
USB device or something that the employees can take home with them, and
carry around etc.

The employee can then:

 1. plug in the USB device
 2. boot the machine
 3. enter device password (to decrypt the rest of the device)
 4. the USB device should then be removed
 5. enter the network username and password (remote authentication)
 6. select which operating system to boot to
    - now the system checks the hash of the selected image,
      and submits it to a central server for approval
    - if image is approved, the system is booted
    - network mounts are mounted based on user policy etc

Workstations would then need to be locked down, allowed only to ever
boot to the USB device or whatever, and might employ some bios tricks to
only boot devices that have been signed etc. A decent chassis alarm
system would also need to be in place to avoid tampering.  Network
topology should also be static, and trigger alarms if anything is changed.

It would then be up to the sysadmins to keep the images up to date (not
just security-wise, but also with the latest software).

If the employee is working with sensitive information (that the
sysadmins should not have access to), the data should all be stored in
an encrypted state on the remote filesystems, and decrypted on the fly
on the workstation when needed.

Problems that may still exist:

1. weak sysadmin security policies
2. weak add/remove/refresh user policies
3. weakness in the encryption protocols
4. USB devices can be cloned

1 and 2 can be mitigated with strict rules and a positive work
environment, and proactive education (preventing bribes/social
engineering etc).  3 is the fault of the cryptanalysts, and 4 can be
dealt with by using devices with non-readable sections and on-board
crypto (like a smartcard etc).

Different things can be enforced more or less based on paranoia levels,
but I would say this system is reasonably simple, and prevents most
nastiness, and could even remain pretty stable if the images were not
updated frequently.  With using old images, there is the chance of worms
infecting the workstation in the morning, but a decent IPS should
prevent that, and it would be much easier to clean up later.

Also employees might use recent attacks against each other to gain
information on other employees that they do not have access to.  IPS
should see this though, and if you are really worried, you can make it
so all writable directories that a user has are mounted without execute
permissions or something.

The user experience is not much more complicated than most current
setups, and I believe this does go pretty far to protect the
workstations from pretty much any sort of malicious tampering, which was
the goal I think.

   - DEAN


マグロ原子 wrote:
In-Reply-To: <4509C2FE.8020104 () observed de>

I don't really see the point... Possible vulnerabilities (if I didn't
horribly misunderstand something):

*The AFS server would still need to be updated to keep it secure.
*If the imaged OS is rootable:
**The AFS clients that load the images could be replaced by phishnets.
**The attacker could pose as the user having access to Kerberos
credentials. (So rm -r / would delete the user's "securely kept files")

Or do users only have read-only access to their files?? That doesn't
seem useful.

Nyoro~n

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
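The image-approval step in Dean's boot list (hash the selected image, submit it to a central server, boot only if approved) as an added worked example, not code from the thread or from AFS. It assumes a pre-shared key between the loader and the approval server and simulates the server in-process; the nonce and MAC are there so a captured "approved" verdict cannot be replayed for a withdrawn image.

```python
import hashlib
import hmac
import json
import os

# Constructed shared secret (assumption: provisioned out of band, e.g. on the
# employee's smartcard-style USB device, never stored in the boot image).
SHARED_KEY = b"example-shared-key-provisioned-out-of-band"

# Constructed sample images; on a real workstation these are files on disk.
IMAGES = {
    "linux-current": b"kernel+initrd bytes of the image the admins approve",
    "linux-stale": b"older image the admins have since withdrawn",
}

def image_hash(data: bytes) -> str:
    """Workstation side: SHA-256 of the selected image."""
    return hashlib.sha256(data).hexdigest()

# Approval server side: allowlist of hashes the sysadmins currently approve.
APPROVED = {image_hash(IMAGES["linux-current"])}

def _mac(body: dict) -> str:
    return hmac.new(SHARED_KEY, json.dumps(body, sort_keys=True).encode(),
                    "sha256").hexdigest()

def server_verdict(request: dict) -> dict:
    """Server side: answer approved/rejected and sign the verdict together
    with the client's hash and nonce, binding it to this one request."""
    body = {"sha256": request["sha256"], "nonce": request["nonce"],
            "approved": request["sha256"] in APPROVED}
    return {"body": body, "mac": _mac(body)}

def may_boot(data: bytes, verdict_fn=server_verdict) -> bool:
    """Workstation side: hash, ask for approval, verify the signed verdict."""
    nonce = os.urandom(16).hex()
    digest = image_hash(data)
    reply = verdict_fn({"sha256": digest, "nonce": nonce})
    body = reply["body"]
    if not hmac.compare_digest(_mac(body), reply["mac"]):
        return False  # forged or tampered verdict
    if body["nonce"] != nonce or body["sha256"] != digest:
        return False  # verdict replayed from another request or image
    return bool(body["approved"])
```

The check is only as trustworthy as the loader running it, which is why the post also wants the BIOS restricted to signed boot devices.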

