Firewall Wizards mailing list archives
RE: Stanford break in
From: "Victor Williams" <vbwilliams () essvote net>
Date: Fri, 23 Apr 2004 09:07:43 -0500
I don't think anyone should assume it should be easy or something done quickly. It takes time to implement correctly.

Also, this is the same-ol same-ol problem. How do you secure a system, but keep badly coded applications that run on that system working...when security will often-times break your application?

Getting off-original-topic, so I will shut up now.

Victor Williams

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Carric Dooley
Sent: Friday, April 23, 2004 1:58 AM
To: Victor Williams
Cc: ltaylor () relevanttechnologies com; 'R. DuFresne'; 'Chuck Vose'; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Stanford break in

Until you root the box, which is often pretty trivial as well... A password file in plain view, an unpatched or misconfigured service... these are all part of a bigger problem.

While I agree that discretionary access control at all levels is good, it becomes difficult to manage unless you can come up with a standard build and replicate it. Also, using a network directory reduces the need for local accounts.

On Thu, 22 Apr 2004, Victor Williams wrote:

I'm still wondering why anyone would put their password file in plain view of anyone that logs in...but maybe I missed something...

Sticky bits and chmod/chown are your friend. It's a pretty trivial deal to lock someone in a chmod "jail" on any Unix-like OS current within the last 8 years. They've even got filesystem and directory level ACLs now! My advice to anyone is "use them...liberally."

Victor Williams
Network Architect, RHCE #809003618508044
Election Systems & Software
http://www.essvote.com
vbwilliams () essvote com
(800) 247-8683

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Laura Taylor
Sent: Thursday, April 22, 2004 4:40 PM
To: 'R. DuFresne'; 'Carric Dooley'
Cc: 'Chuck Vose'; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Stanford break in

You need some user behavior/rules of engagement policies to deal with users bringing home password files and cracking them. And they should be enforced.

Laura

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of R. DuFresne
Sent: Thursday, April 22, 2004 1:11 PM
To: Carric Dooley
Cc: Chuck Vose; firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Stanford break in

Network synced passwords are the only way to manage a large number of users. If you have 10 workstations and 1 server, it might be fine to have no network directory, but with 300,000 users, I would say it's impossible. I would consider: LDAP, NDS, AD, SecurID, RADIUS, TACACS. (notice the conspicuous absence of NIS, and I wanted to leave out AD, but it seems to be unavoidable these days.

HP made this useless, unless they have finally enabled a shadow setup in new versions of the OS. We played the single sign-on game at nortel, and played with password cracking and all that, but, since 80% of the servers were hp's and they lacked any separation of passwords from the required /etc/passwd file, users wanting to up their privs on a system just took copies of the /etc/passwd file home and cracked to the point they felt they needed. And our CISSP's spent a lot of time putting together all these metrics on strong passwords and how effective they were making security of the network, without facing the reality of the 80% exposure faced.

HP folks a few years ago hinted that HP was going to change their OS to include shadow password implementations, but, I've long since moved on and these days don't have to play on much but SUN's and AIX systems, so I do not know if they have something beside the horrid TCB that would break most internal apps for companies and require a lot of retrofitting.

Thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

--
Carric Dooley
COM2:Interactive Media
http://www.com2usa.com
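
The exposure discussed in this thread (password hashes readable by every local user because they sit in /etc/passwd rather than a shadow file) can be checked for with a short audit. This is an added example, not part of any list post; the function names and the sample entries, including the hash-shaped strings, are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for password hashes (or empty
# passwords) stored in the file that every local user can read.

# Print "login reason" for every account whose second field is a finding.
audit_passwd() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        /^[+-]/        { next }                 # NIS compat entries
        $2 == ""       { print $1, "empty-password"; next }
        {
            f = $2
            sub(/^[!*]+/, "", f)                # a lock prefix does not hide the hash
            # modular crypt ($id$...) or 13-character traditional DES crypt
            if (substr(f, 1, 1) == "$" ||
                (length(f) >= 13 && substr(f, 1, 13) ~ "^[./0-9A-Za-z]+$"))
                print $1, "hash-in-passwd"
        }
    ' "$1"
}

# Succeed when the file is readable by "other", i.e. by any local user.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 -print 2>/dev/null)" ]
}

# Constructed sample input: the hash fields are fake strings of the right shape.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:XXconstructed:1001:100:Alice:/home/alice:/bin/sh
bob:$1$constructed$0123456789abcdefghijkl:1002:100:Bob:/home/bob:/bin/sh
carol:*:1003:100:Carol:/home/carol:/bin/sh
dave:!$1$constructed$0123456789abcdefghijkl:1004:100:Dave:/home/dave:/bin/sh
guest::1005:100:Guest:/home/guest:/bin/sh
EOF
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) && sample_passwd > "$tmp"
    audit_passwd "$tmp"
    if world_readable "$tmp"; then echo "$tmp is world-readable"; fi
    rm -f "$tmp"
fi
```

On a real host, run `audit_passwd /etc/passwd` and confirm that `world_readable` fails for the file that actually holds the hashes.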