[Dshield] Password Strength
cef at optus.net
Wed Oct 20 01:38:35 GMT 2004
On Tue, 19 Oct 2004 21:48, Gary Warner wrote:
> I guess the questions, to recap, are:
> 4) is anyone actually stopping (domain-wide) the
> Linux-bootable-flash-your-Admin-password-in-one-minute-or-less technique
> that doesn't leave you with crippled machines?
Some suggestions: Remove the floppy drive, fix the boot order in the BIOS, and
then put a password on changing the BIOS config. Fixing the boot order stops
things like booting off USB keys, USB floppy drives, a CD-ROM, etc.
Note that if they take the machine out of the office, or open it up and clear
the BIOS, then this doesn't really help. It is at most a deterrent, and not
really a full security measure. But then, it doesn't matter how much you
protect something, chances are someone out there can break it. It's just a
matter of whether it's worth the time to do so, or whether it's worth moving on
to easier pickings. If you have been targeted, then making them spend a few
minutes extra may actually be just enough to make a difference to them being
noticed somehow, or even just how much they can get away with in their
'window of opportunity'.
Of course this all boils back to physical security, such as how someone can
actually get into your workplace and either open up a machine or walk off
with it. Outside of business hours, you need to look at your security system,
and inside of business hours, you need to look at your people. Particularly
just how lax or open to being conned they are (i.e. whether they question
tradespeople who just walk in and do stuff), and just how hard it is for
someone to walk in off the street and get access to the physical location of
the systems in question. If you make any changes, be careful not to make them
too hard though. If you make restrictions too harsh, people just have a
tendency to ignore them completely, or shortcut the rules, rendering them
useless, possibly more so than easier but less secure rules.
A simple example of this is having a laborious procedure that requires having
to sign for a key to access the server room, providing a reason to access it,
doing all this in triplicate, etc. The most likely thing that will happen is
that someone will just wait nearby and, when someone else uses it, con them
into letting them in, whether they legitimately need to access it or not,
simply to save the rigmarole of going through the procedure. And the person
who has gone through the procedure will most likely take pity on them
(remembering themselves just how annoying it was) and let them in, shortcutting
the whole procedure. Unless the person who has gone through the procedure is
somewhat aware of the issues and/or is responsible enough, these things can
easily be a problem.
Stuart Young - aka Cefiar - cef at optus.net
"To summarize the summary of the summary: People are a problem."
The Restaurant at the End of the Universe by Douglas Adams