lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1cae6d0168bf8b56db316febdc596fef3f0e144b@sci-aust.com.au>
From: ccozad at sci-aust.com.au (Chris Cozad)
Subject: Networking security problem?

Greg,

I don't understand what the problem is here. Comparing Windows 98 security
and Windows XP security is like comparing chalk with cheese! One is based on
the DOS file system, while the other is based on the NT file system.

And the screen saver password is only to lock out the screen and keyboard -
it has nothing to do with  file-level security.

Security is to be approached in a multi-layered fashion. Physical security
seems OK (locked door, password protected screen saver), but OS and network
security are non-existant in this case.

Chris

-----Original Message-----
From: gregh [mailto:chows@...mail.com.au]
Sent: Friday, 11 July 2003 10:56 AM
To: Disclosure Full
Subject: [Full-Disclosure] Networking security problem?


Tested on XP Home and 98SE only.
------------------------------------


I wont make this a real long formal thing as it is quite simple and rather
than make it a bug style report, I am asking for your input.

Scenario:
----------

Last year I was working on a 98SE network problem that turned out to be a
busted NIC. The particular NIC was in a payroll machine with obviously very
sensitive info in it. In order to give some sense of security to the payroll
woman, at some time in the past, someone had set up a screen saver password
that she knew how to change. Eg, resume from screen saver required typing
the password to get any further on the machine to a novice and as she kept
the payroll room door locked anyway, it was deemed "enough" by management.
Unfortunately, though, along came I to fix a minor problem and to be sure
the NIC was responding each way (eg, it could be seen by the machine in the
same office) I installed the NIC, then went to the other machine to ping it
and see if programs were working OK. Normal routine. Prior to me getting to
the other machine, she had questions and we spent 10 minutes talking and
then I went to the other machine and ran programs, pinged, searched the C
drive on the !
 payroll machine and came back to the payroll machine. I found the machine
was locked out by password and as she was standing nearby, I got her to type
the password in and away it all went.

Then it hit me - I had been running programs on the payroll machine from the
other machine in the network. Curious, I went to another office and did the
same thing after forcing the screen saver on. Again it all worked and I
could look up sensitive data. The LAN they have there does have internet
access and has a basic "out of the box" firewall and they think they are
safe. I pointed out how I easily got in from within their office and others
could do the same straight to the payroll machine from outside but the
manager said they couldn't as "we have a firewall". Well, not wanting to
push the point as this was the first time I had been there, I left it alone
but then decided to report those findings to MS. Eventually they did respond
but they said they don't see it as a problem but WOULD make it an OPTION in
the next SP for XP and also I presume the next full OS (Longhorn?) they
issue.

Am I being pedantic here? To my mind, if a password is required to use the
machine locally, it should automatically require the network connection to
be broken. XP goes back to the Welcome screen depending on your settings or
the NT looking username and password box you would all know. I find it
totally mystifying that a machine that is "protected" at keyboard level by a
password so people cant get into it and look up sensitive info can still be
gotten into at least by the local LAN and info STILL gained. The problem
here is if a disgruntled employee went postal and knew this info, he/she
could do what they want. I understand the programs and data could be
protected in other ways but it also hit me that there must be quite a few
small to medium companies living in a delirious limbo like this, too.

Any comments? Am I just pedantic or is this really a headbanger?

Greg.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
----------------------------------------------------------------------------
----------------------------------------
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom
they are addressed.
If you have received this email in error please notify the
originator of the message. This footer also confirms that this
email message has been scanned for the presence of computer viruses.

Any views expressed in this message are those of the individual
sender, except where the sender specifies and with authority,
states them to be the views of Service Corporation International Australia.

Scanning of this message and addition of this footer is performed
by SurfControl SuperScout Email Filter software in conjunction with 
virus detection software.
--------------------------------------------------------------------------------------------------------------------
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom
they are addressed.
If you have received this email in error please notify the
originator of the message. This footer also confirms that this
email message has been scanned for the presence of computer viruses.

Any views expressed in this message are those of the individual
sender, except where the sender specifies and with authority,
states them to be the views of Service Corporation International Australia.

Scanning of this message and addition of this footer is performed
by SurfControl SuperScout Email Filter software in conjunction with 
virus detection software.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030711/8dcd1de8/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ