lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: 3APA3A at SECURITY.NNOV.RU (3APA3A)
Subject: Response to comments on Security and Obscurity

Dear James Tucker,

--Thursday, September 2, 2004, 12:05:21 AM, you wrote to 3apa3a@...urity.nnov.ru:


JT> Further on the physical to information systems comparison, how do you
JT> exploit a computer in russia from a computer in new york if there is
JT> no physical data path between them? (The answer is directed

You  may  be  really  good specialist in IT security familiar with every
law,  article  and  recommendation,  but  to  make  any real example for
informational  security  problems you MUST understand difference between
cracks, exploits, virii and backdoors you do not currently understand.

OK,  I  will  exploit  computer  in  Russia  by  first  researching open
materials   (for   example   conferences  participants  lists),  finding
appropriate  persons  with  interests in required fields who potentially
may  have  access  to required network and trying to contact them. After
researching  I  will  either try to attack their home computers (because
it's  very  common  case really secret materials are kept in home PCs or
notebooks  almost  unprotected)  or  simply hire them (money, blackmail,
etc).  For  attack I will most probably use client application (browser,
mail  reader, etc). Of cause my potential and knowledges for second case
are very limited :)

JT> would "impose upon business impressions". The CEO is a dear chap who
JT> forgets to lock his workstation when he goes to lunch. Where did all
JT> that  hard  effort  of  virtual security go? This is not an uncommon
JT> scenario. The stronger audits in the world fail you for this kind of
JT> possibility; again count yourself lucky in this regard.

Even  more.  This  is  very  common  scenario  and this scenario must be
covered  by security policy. You either unfamiliar with this problem our
your information is out of date.

  Simple,  but  unreliable  protection  for this problem is implementing
policy  for automatic workstation lockout (well, in my network with very
low  security  requirements  I  use  this  kind of protection). Reliable
solutions  are:  use  same  cart  for access both terminal and room (Sun
likes this kind of solutions - terminal locks automatically if smartcard
is  removed)  or  to  use  event  correlation  (it's currently a part of
Security  Information  Management  Systems).  If  event "user leaves the
room"  comes  without  first "user logs off" or "user locks workstation"
either  user access out of room is blocked or user's workstation is shut
down remotely.

Of   cause,  I  understand  you're  trying  to  catch  me  on  the  fact
informational  security  is  impossible  without physical one. Currently
information  security  and  physical security go together so close, that
border  is  very  unclear.  But you're going aside from initial problem:
examples and analogies from IT in your article are dummy.

-- 
~/ZARAZA
????????? ??????????! ??? ?? ??? ?????????? ?????.  (????)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ