Home page logo
/

basics logo Security Basics mailing list archives

Re: security scenario
From: "theog" <theog () theog org>
Date: Sat, 1 Feb 2003 13:46:50 +0200

Well , as I see it (again) if someone has physical access to a machine , you
cannot be certain that the machine hasn't been hacked/copied etc... , with
that said , I don't see security as a bunch of layers , with time as the
only parameter on my side , it is more like making it harder for a hacker to
access the data , when I think it should be next to impossible (thats what I
get paid for)  , if a sesitive machine needs to be accessed by users make
sure those people understand they are under suprvision , make sure physical
security (which in this case is the most important issue) is sufficiant like
a separate room , with only a few people allowed in , have video camera
which is affordable using a pc and webcam (see
http://www.icode.co.uk/icatcher/)  with motion detection turned on , and so
on , these will be musch more efficiant then passwording grub or the bios.

now , to you first question , making sure these machines are on a different
subnet protected by a firewall (an addition interface on the firewall...) ,
if the mcahine is a linux machine , run iptables to locally protect it ,
have an alert sent to you if and when the machine is rebooted , if the
application is specific and not an R&D machine that needs all the libreries
(it's too much hastle is so) , you can have that application run in a
crippled chrooted environment , and so on ....

TheOg



----- Original Message -----
From: "Trevor Cushen" <Trevor.Cushen () sysnet ie>
To: "theog" <theog () theog org>
Cc: <security-basics () securityfocus com>
Sent: Friday, January 31, 2003 9:04 PM
Subject: RE: security scenario


Not being smart or anything but what layers in this scenerio do you see
as the important ones?
How would you tackle this problem?

Trevor Cushen
Sysnet Ltd

www.sysnet.ie
Tel: +353 1 2983000
Fax: +353 1 2960499



-----Original Message-----
From: theog [mailto:theog () theog org]
Sent: 31 January 2003 00:23
To: Chris Berry; security-basics () securityfocus com
Subject: Re: security scenario


Well , I think that instead of dealing with how many layers one can
install (and taking the time to install them) it is better (IMHO) to
invest the time in making the important layers secure. having more
layers won't increase your security level if you spent all the time in
installing those same layers , whatmore , you have more then CDROM and
Floppy to boot with (USB dev , etc...). I wouldnt use a grub password ,
or a bios password , as forgeting those , will cause more harm then the
security benefit they provide ,writing them down or putting weak
passwords is simply not worth the trouble .


TheOg

----- Original Message -----
From: "Chris Berry" <compjma () hotmail com>
To: <security-basics () securityfocus com>
Sent: Wednesday, January 29, 2003 9:44 PM
Subject: Re: security scenario


From: "theog" <theog () theog org>
I agree , in my opinion , if someone got to the machine's keyboard ,
be it phisically or via a remote console device , he can do virtually

anything, in fact, the simplest thing to do (if I wanted to change
the root for a machine I dont have the password for) is to boot with
a linux cd , mount the root partition , then do chroot , and passwd ,

so ..... no point is having a grub password for the machine if you
have users you dont trust , with access to that machine console.

Physical access will yield root access given time, knowledge, and
tools. That said, I still disagree, security is not one thing, it is a
compilation
of little things that add up.  No one is hack proof, but by adding
layer after layer of complications for the attacker, you make yourself

an uninviting target, and become hack resistant.  You have to draw the

line somewhere or your administrative burden will grow greater than
you can handle, but I believe that a grub password (or requiring root
password for single user mode) would be a good idea as it's easy to
setup and maintain, but makes things a little more difficult for the
attacker (not to mention curious employees messing with things they
shouldn't be).  I also think
bios
passwords are a good idea, sure any monkey who can open the case can
pop
the
battery and reset it, but that's one more step they have to do, and
around most workplaces you'll get quite a bit of unwanted attention if

you start taking your computer apart and you don't work in IT.  On top

of this, removing the CD-ROM drive and Floppy drive from any
workstation that
doesn't
require it, is a good idea as it slows them down even further, and
requires
more knowledge, and some parts to bypass.  With these three things in
place
they'll need a screwdriver, a linux cd, a cd-rom drive, enough
knowledge
to
open the case install the cd-rom, set the jumpers on cd-rom and IDE,
reset the cmos, then boot up and use their linux cd to bypass your
grub
password.
Can it be done sure, is it hard, not really for a trained person, I
could probably do it in under 20 minutes, but how many people have
that level of training, and can get unobserved access to the machine
for that long? Personally I feel that would stop anything but a
determined and knowledgeable attacker who has time and physical
access.  If you have good physical security (locks, alarms etc.) that
makes it even harder.  If someome is determined enough to get through
all that there isn't any way you're going to stop him anyways, but I
consider that a much lower order
of
probability than the kind of people who could get in without having
those three precautions.

Chris Berry
compjma () hotmail com
Systems Administrator
JM Associates

"For Sys Admins paranoia isn't a mental health problem, its a
marketable
job
skill."

_________________________________________________________________
STOP MORE SPAM with the new MSN 8 and get 2 months FREE*
http://join.msn.com/?page=features/junkmail




****************************************************************************
**********

This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.

If you have received this message in error please notify SYSNET Ltd., at
telephone no: +353-1-2983000 or postmaster () sysnet ie

****************************************************************************
**********


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault