Vulnerability Development mailing list archives

Re: un-hibernating laptop using old network settings


From: Ron DuFresne <dufresne () winternet com>
Date: Wed, 4 Jul 2001 15:30:27 -0500 (CDT)


How does this differ from the effects of a home pc or laptop taken from
work to home, and used to surf the net when not used in a vpn tunnel to
the workplace?  Same threat, yes?

Thanks,

Ron DuFresne

On Tue, 3 Jul 2001, Zow Terry Brugger wrote:

> > I have a feeling that there might be more subtle security issues
> > relating to hibernating a system in a trusted environment and awakening it
> > in an untrusted one, apart from user education issues, but can't put my
> > finger on any just now.
>
> The threat that immediately occurs to me is the reverse: having the laptop in
> an untrusted environment, then moving it to a trusted environment. Let's say
> the laptop gets cracked when it's on the untrusted net. Then the user moves
> the laptop to a trusted network where a background program wakes up and
> automatically cracks machines on the trusted network. I read about someone
> using their own laptop with such a program to do a red team assessment for a
> customer (I think it was on /. but I'm not sure). They put the program on the
> laptop (so they didn't crack their own box, but having the program introduced
> by a remote attacker is the next logical step), then they took the laptop into
> the customer site under the pretext of doing a presentation to a member of the
> technical staff. As soon as the red team member plugged into the local
> (trusted) network, the laptop started cracking servers, installing backdoors
> and punching holes in the firewall. The person claimed that during their 30
> minute presentation this automatic program pretty much took over the entire
> company's network.
>
> Returning to your original question, consider if the automated program didn't
> install any backdoors; it just grabbed the information the attackers wanted
> and stored that info on the laptop for retrieval once the laptop moved from
> the trusted to the untrusted network. Or, even more straightforward, the user
> deliberately puts company proprietary information on the laptop when connected
> to the trusted company network, and the laptop doesn't get compromised until
> it's moved to an untrusted (home, perhaps?) network, whereupon the attackers
> compromise the laptop and grab the proprietary information.
>
> The only solution is defense in depth. The two best practices that occur to me
> in this case are to use network intrusion detectors even behind your firewalls
> and to keep all your machines patched. While patching may be particularly
> problematic for laptops, since they aren't always there, it's probably more
> important for them than it is for desktop systems just because of all the odd
> networks they may end up on. If you're more paranoid, consider keeping your
> laptops on a separate network, or sanitizing them when they leave or return to
> a trusted network.
>
> My $.02,
> Terry
>
> #include <stddisclaimer.h>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
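The scenario Terry describes (a laptop that starts sweeping the trusted LAN the moment it is plugged in) is exactly what an intrusion detector behind the firewall is placed to catch. The following is an added illustration, not code from the thread or from any product: a minimal internal sweep detector that reads connection records and flags any source that touches many distinct internal hosts, or many distinct ports on one host, within a sliding one-minute window. The record format (`timestamp src dst dport`), the 10.0.0.0/8 "trusted" range, the thresholds and the sample log are all assumptions made for this example.

```python
"""
Flag an internal host that starts sweeping the trusted network.

Added example, not from the original thread. A small "behind the
firewall" detector: it reads connection records and reports any source
that contacts many distinct internal destinations (host sweep) or many
distinct ports on one destination (port sweep) inside a sliding window.
The log format, address range, thresholds and sample data are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed trusted range
WINDOW = timedelta(seconds=60)                   # sliding window length
HOST_THRESHOLD = 10   # distinct internal destinations per window
PORT_THRESHOLD = 20   # distinct ports on one destination per window


def parse_record(line):
    """Parse 'ISO-timestamp src dst dport' (assumed format) into a tuple."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def sweeps(lines):
    """Return a sorted list of (src, kind) for sources that exceed a threshold.

    kind is 'host-sweep' (>= HOST_THRESHOLD internal hosts) or
    'port-sweep' (>= PORT_THRESHOLD ports on a single host) observed
    within some WINDOW-long span of that source's traffic.
    """
    events = defaultdict(list)   # src -> [(ts, dst, dport)]
    for line in lines:
        ts, src, dst, dport = parse_record(line)
        if ipaddress.ip_address(dst) in INTERNAL:   # only internal targets matter
            events[src].append((ts, dst, dport))

    alerts = set()
    for src, recs in events.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            # advance the window start until it spans at most WINDOW
            while recs[end][0] - recs[start][0] > WINDOW:
                start += 1
            window = recs[start:end + 1]
            hosts = {d for _, d, _ in window}
            if len(hosts) >= HOST_THRESHOLD:
                alerts.add((src, "host-sweep"))
            ports = defaultdict(set)
            for _, d, p in window:
                ports[d].add(p)
            if any(len(ps) >= PORT_THRESHOLD for ps in ports.values()):
                alerts.add((src, "port-sweep"))
    return sorted(alerts)


def _constructed_log():
    """Constructed sample: one normal workstation and one laptop that
    begins sweeping the LAN right after it connects at 09:00:00."""
    base = datetime(2001, 7, 3, 9, 0, 0)
    lines = []
    # Normal traffic: a workstation talking to a file server and a web server.
    for i in range(6):
        t = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{t} 10.0.1.20 10.0.0.5 445")
        lines.append(f"{t} 10.0.1.20 10.0.0.7 80")
    # Laptop: 12 hosts on port 22 within 24 seconds (host sweep) ...
    for i in range(12):
        t = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{t} 10.0.1.77 10.0.0.{i + 1} 22")
    # ... then 25 ports on a single server within 25 seconds (port sweep).
    for p in range(1, 26):
        t = (base + timedelta(seconds=30 + p)).isoformat()
        lines.append(f"{t} 10.0.1.77 10.0.0.3 {p}")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for src, kind in sweeps(SAMPLE_LOG):
        print(f"ALERT {kind}: {src}")
```

Run against the constructed log, only 10.0.1.77 is reported, for both a host sweep and a port sweep; the workstation's repeated connections to two servers stay under both thresholds. The thresholds are deliberately crude; in practice they would be tuned per segment, and a laptop VLAN as Terry suggests makes the baseline for "normal" much easier to establish.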

