lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 15 May 2009 10:56:59 +0200
From: Ansgar Wiechers <bugtraq@...netcobalt.net>
To: bugtraq@...urityfocus.com
Subject: Re: Insufficient Authentication vulnerability in Asus notebook

On 2009-05-14 nameless wrote:
> Steve Quan wrote:
>> Is there something like su/sudo in the Windows world ? How do windows
>> administrators handle this (ie accountability) ?
> 
> There is "runas".

Indeed. There's also a variety of third-party tools like SuperiorSU [1].

> There is no accountability with the local admin account.  You can
> disable the account and use domain credentials, but when the domain
> isn't available, you're screwed, so it is a poor decision.

I wouldn't agree entirely. It depends on who is given the password for
the local administrator account. You only have no accountability if more
than one person knows that password.

[...]
> In regards to changing the Admin account name, why make it easy for
> the kiddiots?  It is trivial for any of us to bypass this, right?

Please elaborate. What attack scenarios do you see that aren't mitigated
by a strong password? Besides, even if you change the login name, the
SID of the account (which is well-known) still remains the same.

[...]
> Changing the Administrator name is just another layer in the onion of
> your defensive strategy.

I entirely fail to see what additional security that will gain you, so
please explain.

[...]
> And I'm not trying to be a smart ass, but does anyone really use
> LM-hashes anymore?

I don't believe they're actually used by anyone anymore. However, the
use of LM-hashes is still enabled by default on any XP.

[1] http://www.stefan-kuhr.de/cms/index.php?option=com_content&view=article&id=62&Itemid=73

Regards
Ansgar Wiechers
-- 
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ