Firewall Wizards mailing list archives
RE: Stanford break in
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Thu, 22 Apr 2004 17:51:43 -0400 (EDT)
Aside from frisking every user that walks into and out of the Nortel campuses (Honeywell used to do this at the corporate HQ in MN, and they lost a lot of proprietary info anyway), what would you suggest that would mitigate the issues that non-permanent contractors, disgruntled soon-to-be-non-employees, and those just stealing corporate resources outright to fund their private enterprises might work in this setting? Experience has taught me that unless one can keep someone out of something they should not have a finger or eyeball into, asking, telling, or demanding they not look/peek/grab etc. is useless at best, and like telling a child not to stick beans up their nose and then making sure the doctor's emergency number is posted on the fridge and each bathroom mirror in the home as well as on each phone.

I'm not saying strengthening passwords is totally a waste of time, as long as the encrypted hashes are not in plain sight, but with systems that lack a shadow password system, and when TCB is a burden best avoided, then strong passwords and all the efforts and time invested in trying to keep them so might be an effort of some waste.

Of course, like most HUGE corporations, Nortel was and is a beast unto itself, and often in such settings fingers on the same hand have problems knowing what the other fingers are doing, let alone trying to track the other hand.

Thanks,

Ron DuFresne

On Thu, 22 Apr 2004, Laura Taylor wrote:
You need some user behavior/rules of engagement policies to deal with users bringing home password files and cracking them. And they should be enforced.

Laura

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of R. DuFresne
Sent: Thursday, April 22, 2004 1:11 PM
To: Carric Dooley
Cc: Chuck Vose; firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Stanford break in

Network synced passwords are the only way to manage a large number of users. If you have 10 workstations and 1 server, it might be fine to have no network directory, but with 300,000 users, I would say it's impossible. I would consider: LDAP, NDS, AD, SecureID, RADIUS, TACACS. (Notice the conspicuous absence of NIS, and I wanted to leave out AD, but it seems to be unavoidable these days.)

HP made this useless, unless they have finally enabled a shadow setup in new versions of the OS. We played the single sign-on game at Nortel, and played with password cracking and all that, but, since 80% of the servers were HP's and they lacked any separation of passwords from the required /etc/passwd file, users wanting to up their privs on a system just took copies of the /etc/passwd file home and cracked to the point they felt they needed. And our CISSPs spent a lot of time putting together all these metrics on strong passwords and how effective they were making security of the network, without facing the reality of the 80% exposure faced. HP folks a few years ago hinted that HP was going to change their OS to include shadow password implementations, but I've long since moved on and these days don't have to play on much but Sun's and AIX systems, so I do not know if they have something beside the horrid TCB that would break most internal apps for companies and require a lot of retrofitting.
Thanks,

Ron DuFresne

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
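The exposure the thread keeps coming back to is an /etc/passwd that still carries the password hashes in its second field (no shadow file), on a file that must stay world-readable. An audit that flags exactly that condition, as an added example that is not from the thread or any of its posters; the passwd lines below are constructed samples with made-up hash strings, and the marker set for "no hash here" is an assumption covering common Unix conventions:

```python
"""Flag accounts whose password hash lives in the world-readable passwd file."""
import os
import stat

# Second-field values that mean "no usable hash here": shadowed ('x'),
# locked/disabled ('*', '!', '!!', '*LK*', '*NP*', 'NP') or empty.
# Assumed set of conventions; extend it for a given platform.
NON_HASH_MARKERS = {"x", "*", "!", "!!", "*LK*", "*NP*", "NP", ""}


def parse_passwd(text):
    """Return (username, password_field) pairs for each well-formed line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:  # malformed: skip rather than guess
            continue
        entries.append((fields[0], fields[1]))
    return entries


def exposed_hashes(text):
    """Usernames whose hash sits in passwd itself, i.e. readable by anyone."""
    return [user for user, pw in parse_passwd(text) if pw not in NON_HASH_MARKERS]


def is_world_readable(path):
    """True when 'other' has read permission on the file (as /etc/passwd must)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


# Constructed sample: an un-shadowed file, hashes are random filler.
SAMPLE_UNSHADOWED = """root:AbCdEfGhIjKlM:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
ron:XyZ1234567890:1001:20:Ron:/home/ron:/usr/bin/ksh
locked:!:1002:20::/home/locked:/usr/bin/false
"""

# Constructed sample: the same accounts once hashes moved to a shadow file.
SAMPLE_SHADOWED = """root:x:0:3::/:/sbin/sh
daemon:x:1:5::/:/sbin/sh
ron:x:1001:20:Ron:/home/ron:/usr/bin/ksh
"""

if __name__ == "__main__":
    for label, content in (("unshadowed", SAMPLE_UNSHADOWED), ("shadowed", SAMPLE_SHADOWED)):
        print(label, "->", exposed_hashes(content) or "no hashes in passwd")
    if os.path.exists("/etc/passwd"):  # run the same check on the live host
        with open("/etc/passwd") as fh:
            print("this host ->", exposed_hashes(fh.read()), "world-readable:", is_world_readable("/etc/passwd"))
```

Any name the unshadowed run prints is an account whose hash every local user can copy off the box, which is the 80% exposure the strong-password metrics above were measuring around.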