RE: Stanford break in

["Victor Williams" <vbwilliams () essvote net>]

I don't think anyone should assume it should be easy or something done
quickly.  It takes time to implement correctly.

Also, this is the same-ol same-ol problem.  How do you secure a system, but
keep badly coded applications that run on that system working...when
security will often-times break your application?

Getting off-original-topic, so I will shut up now.

 
Victor Williams 


-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Carric
Dooley
Sent: Friday, April 23, 2004 1:58 AM
To: Victor Williams
Cc: ltaylor () relevanttechnologies com; 'R. DuFresne'; 'Chuck Vose';
firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Stanford break in


Until you root the box, which is often pretty trivial as well...

A password file in plain view, an unpatched or misconfigured service...  
these are all part of a bigger problem. While I agree that discretionary
access control at all levels is good, it becomes difficult to manage unless
you can come up with a standard build and replicate it. Also, using a
network directory reduces the need for local accounts.


On Thu, 22 Apr 2004, Victor Williams wrote:

> I'm still wondering why anyone would put their password file in plain 
> view of anyone that logs in...but maybe I missed something...
>
> Sticky bits and chmod/chown are your friend.  It's a pretty trivial 
> deal to lock someone in a chmod "jail" on any Unix-like OS current 
> within the last 8 years.  They've even got filesystem and directory 
> level ACLs now!  My advice to anyone is "use them...liberally."
>
>  
> Victor Williams
> Network Architect, RHCE #809003618508044 
> Election Systems & Software 
> http://www.essvote.com <http://www.essvote.com> 
> vbwilliams () essvote com 
> (800) 247-8683 
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail transmission and any documents, files or previous e-mail
> messages attached to it may contain information that is confidential,
> protected by the attorney/client or other privileges, and may constitute
> non-public information. It is intended to be conveyed only to the
designated
> recipient(s) named above. Any unauthorized use, reproduction, forwarding,
> distribution or other dissemination of this transmission is strictly
> prohibited and may be unlawful. If you are not an intended recipient of
this
> e-mail transmission, please notify the sender by return e-mail and
> permanently delete any record of this transmission. Your cooperation is
> appreciated.
>
>
>
> -----Original Message-----
> From: firewall-wizards-admin () honor icsalabs com
> [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Laura 
> Taylor
> Sent: Thursday, April 22, 2004 4:40 PM
> To: 'R. DuFresne'; 'Carric Dooley'
> Cc: 'Chuck Vose'; firewall-wizards () honor icsalabs com
> Subject: RE: [fw-wiz] Stanford break in
>
>
> You need some user behavior/rules of engagement policies to deal with 
> users bringing home password files and cracking them. And they should 
> be enforced. Laura
>
> -----Original Message-----
> From: firewall-wizards-admin () honor icsalabs com
> [mailto:firewall-wizards-admin () honor icsalabs com]On Behalf Of R. 
> DuFresne
> Sent: Thursday, April 22, 2004 1:11 PM
> To: Carric Dooley
> Cc: Chuck Vose; firewall-wizards () honor icsalabs com
> Subject: Re: [fw-wiz] Stanford break in
>
>
> > Network synced passwords are the only way to manage a large number 
> > of
> > users. If you have 10 workstations and 1 server, it might be fine to 
> > have no network directory, but with 300,000 users, I would say it's 
> > impossible. I would consider: LDAP, NDS, AD, SecureID, RADIUS, TACACS. 
> > (notice the conspicuous absence of NIS, and I wanted to leave out AD, 
> > but it seems to be unavoidable these days.
>
>
> HP made this usless, unless they have finally enabled a shadow setup 
> in new versions of the OS.  We played the single sing-on game at 
> nortel, and played with password cracking and all that, but, since 80% 
> of the servers were hp's and they lacked any seperation of passwords 
> from the required /etc/passwd file, users wanting to up their privs on 
> a system just took copies of the /etc/passwd file home and cracked to 
> the point they felt they needed.  And our CISSP's spent alot of time 
> putting together all these metrics on strong passwords and how 
> effective they were making security of the network, without facing the 
> reality of the 80% exposure faced.  HP folks a few years ago hinted 
> that HP was going to change theit OS to include shadow password 
> implimentations, but, I've long since moved on and these days don;t 
> have to play on much but SUN's and AIX systems, so I do not know if 
> they have something beside the horrid TCB that would break most 
> interal apps for companies and require alot of retrofitting.
>
> Thanks,
>
> Ron DuFresne
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>         admin & senior security consultant:  sysinfo.com
>                         http://sysinfo.com
>
> "Cutting the space budget really restores my faith in humanity.  It 
> eliminates dreams, goals, and ideals and lets us get straight to the 
> business of hate, debauchery, and self-annihilation."
>                 -- Johnny Hart
>
> testing, only testing, and damn good at it too!
>
> _______________________________________________
> firewall-wizards mailing list firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
> _______________________________________________
> firewall-wizards mailing list firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

-- 
Carric Dooley
COM2:Interactive Media
http://www.com2usa.com


_______________________________________________
firewall-wizards mailing list firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards