Full Disclosure mailing list archives
Re[4]: Response to comments on Security and Obscurity
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Thu, 2 Sep 2004 13:13:29 +0400
Dear James Tucker,

--Thursday, September 2, 2004, 12:05:21 AM, you wrote to 3apa3a () security nnov ru:

JT> Further on the physical to information systems comparison, how do you
JT> exploit a computer in russia from a computer in new york if there is
JT> no physical data path between them? (The answer is directed

You may be a really good specialist in IT security, familiar with every law, article and recommendation, but to make any real example for information security problems you MUST understand the difference between cracks, exploits, virii and backdoors, which you do not currently understand.

OK, I will exploit a computer in Russia by first researching open materials (for example conference participant lists), finding appropriate persons with interests in the required fields who potentially may have access to the required network, and trying to contact them. After researching I will either try to attack their home computers (because it's a very common case that really secret materials are kept on home PCs or notebooks almost unprotected) or simply hire them (money, blackmail, etc). For the attack I will most probably use a client application (browser, mail reader, etc). Of course my potential and knowledge for the second case are very limited :)

JT> would "impose upon business impressions". The CEO is a dear chap who
JT> forgets to lock his workstation when he goes to lunch. Where did all
JT> that hard effort of virtual security go? This is not an uncommon
JT> scenario. The stronger audits in the world fail you for this kind of
JT> possibility; again count yourself lucky in this regard.

Even more. This is a very common scenario and this scenario must be covered by security policy. You are either unfamiliar with this problem or your information is out of date. A simple, but unreliable, protection for this problem is implementing a policy for automatic workstation lockout (well, in my network with very low security requirements I use this kind of protection).

Reliable solutions are: use the same card for access to both terminal and room (Sun likes this kind of solution - the terminal locks automatically if the smartcard is removed) or use event correlation (it's currently a part of Security Information Management Systems). If the event "user leaves the room" comes without a preceding "user logs off" or "user locks workstation", either the user's access outside the room is blocked or the user's workstation is shut down remotely.

Of course, I understand you're trying to catch me on the fact that information security is impossible without physical security. Currently information security and physical security go together so closely that the border is very unclear. But you're going aside from the initial problem: the examples and analogies from IT in your article are dummy.

--
~/ZARAZA
Venerable fossils! I await your further letters. (Twain)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
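The correlation rule described in the message (a badge-out event that arrives while the user's workstation session is still unlocked), as an added example that is not part of the original post; the log line format, host names and user names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed log format (an assumption, not any real product's format):
#   "<unix_ts> <source> <user> <event>"  where event is one of
#   logon/unlock/lock/logoff (workstation) or badge_in/badge_out (door reader).
UNLOCKS = {"logon", "unlock"}
LOCKS = {"lock", "logoff"}

@dataclass(frozen=True)
class Event:
    ts: int
    source: str
    user: str
    kind: str

def parse_log(text: str) -> list[Event]:
    """Parse the constructed log lines; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        events.append(Event(int(parts[0]), parts[1], parts[2], parts[3]))
    return events

def unattended_sessions(events: list[Event]) -> list[tuple[int, str]]:
    """Return (ts, user) for each badge_out seen while that user's session
    is still unlocked, i.e. no lock or logoff event came first."""
    unlocked: dict[str, bool] = {}
    alerts: list[tuple[int, str]] = []
    for ev in sorted(events, key=lambda e: e.ts):   # correlate in time order
        if ev.kind in UNLOCKS:
            unlocked[ev.user] = True
        elif ev.kind in LOCKS:
            unlocked[ev.user] = False
        elif ev.kind == "badge_out" and unlocked.get(ev.user, False):
            alerts.append((ev.ts, ev.user))         # session left open
    return alerts

# Constructed sample: alice locks before leaving, bob does not, carol has no session.
SAMPLE_LOG = """\
100 ws01 alice logon
110 ws02 bob logon
200 ws01 alice lock
210 door1 alice badge_out
300 door1 bob badge_out
400 door1 bob badge_in
410 ws02 bob lock
420 door1 bob badge_out
500 door1 carol badge_out
"""
```

Running `unattended_sessions(parse_log(SAMPLE_LOG))` flags only bob's first exit; the response (block the badge or shut the workstation down) is left to the SIM system's playbook.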