mailing list archives
RE: Securing workstations from IT guys
From: "Holtz,Robert" <Robert.Holtz () edwardjones com>
Date: Tue, 27 Nov 2007 17:21:49 -0600
You may also want to perform an after hours walk through of the HR
department and see what's lying on desks and sitting in trash cans.
I was in the unlucky position of having an HR department being
compromised and the inevitable blame falling on IT. We did a late night
walk through and the problem was apparent: there were reports lying on
desks and sitting unshredded in trashcans awaiting for someone to grab
This also wasn't one of those letter or CV leaking out problems: credit
cards were being issues on hundreds of employees and charges were coming
in from all over the place.
If you are not the intended recipient of this message (including attachments), or if you have received this message in
error, immediately notify us and delete it and any attachments. If you no longer wish to receive e-mail from Edward
Jones, please send this request to messages () edwardjones com You must include the e-mail address that you wish not
to receive e-mail communications. For important additional information related to this e-mail, visit
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Erin Carroll
Sent: Tuesday, November 27, 2007 4:24 PM
To: 'Mark Owen'; 'Liam Jewell'
Cc: 'Depp, Dennis M.'; 'Lim Ming Wei'; 'WALI'; 'security-basics'
Subject: RE: Securing workstations from IT guys
Mark is correct.
I've been watching this thread with some interest. While there are
multiple approaches you can take to reduce the problem, and many
excellent suggestions have been mentioned, the simple fact is that at
the end of the day you can't stop a sufficiently knowledgeable admin (or
user) from bypassing whatever controls you put into place... You can
only make it harder to hide their tracks.
For the example below that has been under discussion, it's much easier
to assume the credentials of an authorized account (SYSTEM, domain
whatever) and in some cases you don't even need to know what the
password to that account is in order to elevate and bypass controls.
With physical access, a standard user login, and your privilege
escalation of choice ("at [time] /interactive cmd", odd spaces in cmd
.exe invocations...pick your poison) you could use tool like the USB
(http://wiki.hak5.org/wiki/USB_Switchblade) to snag the password hashes
and/or LSA of the target system. Then, using any number of brute-force
tools to crack the password of your target account (large Rainbow tables
are useful), subsequently access files/information by impersonating the
target privileged user. You could also use something like CORE's
(http://oss.coresecurity.com/projects/pshtoolkit.htm) to effectively do
the same impersonation with no password cracking necessary.
In my opinion, the most severe threat to any organization from a
security perspective are also the most critical resources you need to
flowing: your Security team and the Domain Admins. Pay them well :)
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball"
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com] On Behalf Of Mark Owen
Sent: Tuesday, November 27, 2007 1:51 PM
To: Liam Jewell
Cc: Depp, Dennis M.; Lim Ming Wei; WALI; security-basics
Subject: Re: Securing workstations from IT guys
On Nov 27, 2007 3:05 PM, Liam Jewell <ljjewell () gmail com> wrote:
Anybody who has physical access to the machine becomes a
vulnerability. Even if you encrypt files under an administrator
account on the local machine, simply resetting the password with a
program like Passware, will not disable the encryption. Then an
unauthorized user can log in to the admin account with a blank
password (or a password of their choosing) and have access to all
This is not entirely true. If you reset or delete the password for an
account then that account will no longer be able to decrypt the files.
RE: Securing workstations from IT guys Vandenberg, Robert (Nov 27)
Re: Securing workstations from IT guys James Alcasid (Nov 28)
RE: Securing workstations from IT guys Petter Bruland (Nov 28)
RE: Securing workstations from IT guys Big Joe Jenkins (Nov 28)