[Dshield] Password Strength

Cef cef at optus.net
Wed Oct 20 01:38:35 GMT 2004

On Tue, 19 Oct 2004 21:48, Gary Warner wrote:

> I guess the questions, to recap, are:
> <SNIP!>
> 4) is anyone actually stopping (domain-wide) the
> Linux-bootable-flash-your-Admin-password-in-one-minute-or-less technique
> that doesn't leave you with crippled machines?

Some suggestions: Remove the floppy drive, fix the boot order in the BIOS, and 
then put a password on changing the BIOS config. Fixing the boot order stops 
things like booting off USB keys, USB floppy drives, a CD-ROM, etc.

Note that if they take the machine out of the office, or open it up and clear 
the BIOS, then this doesn't really help. It is at most a deterrent, and not 
really a full security measure. But then, it doesn't matter how much you 
protect something, chances are someone out there can break it. It's just a 
matter of whether it's worth the time to do so, or whether it's worth moving on 
to easier pickings. If you have been targeted, then making them spend a few 
minutes extra may actually be just enough to make a difference to them being 
noticed somehow, or even just how much they can get away with in their 
'window of opportunity'.

Of course this all boils back to physical security, such as how can someone 
actually get into your workplace and either open up a machine or walk off 
with it. Outside of business hours, you need to look at your security system, 
and inside of business hours, you need to look at your people. Particularly 
just how lax or open to being conned they are (i.e. whether they question 
tradespeople who just walk in and do stuff), and just how hard it is for 
someone to walk in off the street and get access to the physical location of 
the systems in question. If you make any changes, be careful not to make them 
too hard though. If you make restrictions too harsh, people just have a 
tendency to ignore them completely, or shortcut the rules, rendering them 
useless, possibly more so than easier but less secure rules.

A simple example of this is having a laborious procedure that requires having 
to sign for a key to access the server room, providing a reason to access it, 
doing all this in triplicate, etc. The most likely thing that will happen is 
that someone will just wait nearby and when someone else uses it, con them 
into letting them in, whether they need to legitimately access it or not, 
simply to save the rigmarole of going through the procedure. And the person 
who has gone through the procedure will most likely take pity on them 
(remembering themselves just how annoying it was) and let them in, shortcutting 
the whole procedure. Unless the person who has gone through the procedure is 
somewhat aware of the issues and/or is responsible enough, these things can 
easily be a problem.

Good luck!

 Stuart Young - aka Cefiar - cef at optus.net
 "To summarize the summary of the summary: People are a problem."
  The Restaurant at the End of the Universe by Douglas Adams
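Added example (not code from the post or from the list): the "fix the boot order" advice above, turned into something you can check across a fleet rather than by walking to each BIOS screen. The 2004 legacy BIOS exposes no such interface from the OS, so this assumes the modern UEFI equivalent on Linux and parses the text of `efibootmgr -v`. The two sample outputs are constructed, not captured from a real machine, and the vendor naming in the marker lists is an assumption you should adjust for your own hardware.

```python
"""Boot-order audit: is a removable, network or firmware-shell entry tried
before the internal disk?  Added example, not code from the original post.
Assumes the UEFI equivalent of the 2004 BIOS advice, read via `efibootmgr -v`
on Linux.  The sample outputs below are constructed, not captured."""
import re
import subprocess
from typing import Dict, List, Tuple

# Label/device-path fragments that mean "boots from something a visitor can
# carry in or plug in".  Assumption: typical firmware naming; adjust per vendor.
REMOVABLE_MARKERS = ("USB", "CDROM", "CD-ROM", "DVD", "Floppy", "PXE",
                     "MAC(", "IPv4(", "IPv6(", "EFI Shell")
# Fragments that identify the internal system disk.
INTERNAL_MARKERS = ("NVMe(", "Sata(", "SATA(", "HD(")

Entry = Tuple[bool, str]  # (active flag, "description<TAB>device path")


def parse_efibootmgr(text: str) -> Tuple[List[str], Dict[str, Entry]]:
    """Return (BootOrder ids, {id: (active, line)}) from `efibootmgr -v` text.
    An entry line looks like 'Boot0001* label<TAB>path'; the '*' means active."""
    order: List[str] = []
    entries: Dict[str, Entry] = {}
    for line in text.splitlines():
        m = re.match(r"BootOrder:\s*(.*)", line)
        if m:
            order = [x.strip().upper() for x in m.group(1).split(",") if x.strip()]
            continue
        m = re.match(r"Boot([0-9A-Fa-f]{4})(\*?)\s+(.*)", line)
        if m:
            entries[m.group(1).upper()] = (m.group(2) == "*", m.group(3))
    return order, entries


def classify(entry_text: str) -> str:
    """Removable markers are checked first: a USB stick's device path also
    contains HD(...), so testing for the internal disk first would misfile it."""
    if any(k in entry_text for k in REMOVABLE_MARKERS):
        return "removable"
    if any(k in entry_text for k in INTERNAL_MARKERS):
        return "internal"
    return "unknown"


def audit(text: str) -> Dict[str, object]:
    """Walk BootOrder the way the firmware does (skipping inactive entries) and
    report everything that would be tried before the internal disk, plus every
    active removable entry, which still boots if someone uses the boot menu."""
    order, entries = parse_efibootmgr(text)
    ahead_of_disk: List[str] = []
    for bid in order:
        active, body = entries.get(bid, (False, ""))
        if not active:
            continue
        if classify(body) == "internal":
            break
        ahead_of_disk.append(bid)  # unknown entries count as findings too
    active_removable = sorted(bid for bid, (act, body) in entries.items()
                              if act and classify(body) == "removable")
    return {"ok": not ahead_of_disk,
            "ahead_of_disk": ahead_of_disk,
            "active_removable": active_removable}


def audit_live() -> Dict[str, object]:
    """Run the audit on this machine (needs root and EFI variable access)."""
    out = subprocess.run(["efibootmgr", "-v"], capture_output=True,
                         text=True, check=True).stdout
    return audit(out)


# Constructed sample: USB stick and the built-in shell are tried before the disk.
SAMPLE_INSECURE = """\
BootCurrent: 0002
Timeout: 1 seconds
BootOrder: 0001,0000,0002
Boot0000* UEFI: Built-in EFI Shell\tFvVol(7cb8bdc9-f8eb-4f34-aaea-3ee4af6516a1)/FvFile(7c04a583-9e3e-4f1c-ad65-e05268d0b4d1)
Boot0001* UEFI: SanDisk Cruzer\tPciRoot(0x0)/Pci(0x14,0x0)/USB(3,0)/HD(1,MBR,0x1234abcd,0x800,0x1d0000)
Boot0002* ubuntu\tHD(1,GPT,3b1c2d4e-5f60-7182-93a4-b5c6d7e8f901,0x800,0x100000)/File(\\EFI\\ubuntu\\shimx64.efi)
"""

# Constructed sample after the fix: only the disk is in BootOrder and the other
# entries are deactivated (no '*').
SAMPLE_HARDENED = """\
BootCurrent: 0002
Timeout: 0 seconds
BootOrder: 0002
Boot0000  UEFI: Built-in EFI Shell\tFvVol(7cb8bdc9-f8eb-4f34-aaea-3ee4af6516a1)/FvFile(7c04a583-9e3e-4f1c-ad65-e05268d0b4d1)
Boot0001  UEFI: SanDisk Cruzer\tPciRoot(0x0)/Pci(0x14,0x0)/USB(3,0)/HD(1,MBR,0x1234abcd,0x800,0x1d0000)
Boot0002* ubuntu\tHD(1,GPT,3b1c2d4e-5f60-7182-93a4-b5c6d7e8f901,0x800,0x100000)/File(\\EFI\\ubuntu\\shimx64.efi)
"""

if __name__ == "__main__":
    for name, sample in (("insecure", SAMPLE_INSECURE), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(sample))
```

This only reads the configuration; it does not enforce it. The enforcement is the setup/admin password on the firmware, which has no vendor-neutral query from the OS, and the post's caveat still applies: someone who opens the case and clears the settings puts the boot order straight back.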
