Message-ID: <20040216174043.5343.qmail@web25009.mail.ukl.yahoo.com>
From: brightwell_151 at yahoo.co.uk (John Brightwell)
Subject: Removing Fired admins

Changing passwords would be a good move. It may be
worth cracking the old password - if it's not known -
and doing a quick scan of scripts just to make sure
the admin password isn't embedded in a script (an
appalling practice that should be eliminated ... but
you don't want to wait for something to fail before
finding out about it).

Make sure that everybody knows that the admin is no
longer allowed access to the system (everybody! you
don't want the admin to be able to call a remote user
and get their credentials). Advise any service
providers or support organisations who may otherwise
assume that the admin has access to systems.

If you have any external services which allow
automated updates (Domain registration details,
nameserver details) then you need to change these
authentication credentials as well.

Make sure that any physical access credentials that
the admin may have known get changed (keycode entry
systems etc.).

If you have any remote access systems then make sure
these are completely reviewed - if they are a black
box solution (Cisco, Nortel etc.) - with very little
opportunity for software modifications then have the
configuration checked by an expert. If your remote
access system is home-grown (Windows, Linux etc.) then
you may want to reinstall from scratch - just to make
sure there aren't any backdoors.

If you are using passwords for remote access then all
passwords must be changed... not just the admin's
password (I recommend using two-factor authentication
for remote access anyway). 

If you allow on-demand connections to other networks
(analog or ISDN) you should change the authentication
(PAP/CHAP password etc) ... I know you can't trust
CallerID for analog circuits - I'm not sure about
ISDN.

Admin passwords on the network equipment should be
changed as well.

Check your system connections looking for any modems
or wireless access points that the admin may have
installed to make their access easier (I've heard of
an admin who installed a modem and hid it under the
raised floor in a systems room ... so that he could
have access to the company's extensive library even
after he left the company ... he was still using it a
year after he left!). You will need to check
everywhere.

Any dial-out solutions you have will also need to be
checked (connection to dial-out banking services,
payroll, links for internet testing etc) ... even
though they are supposedly dial-out they may have a
dial-in facility (which the admin knows about).
Get a list of all analog and ISDN lines from your
accounts dept and make sure you know what each line is
used for.

Unfortunately, having been an admin he/she may have
previously cracked people's passwords (to test the
password strength) or users may have disclosed their
password. So all passwords should be expired (bear in
mind that people may use the same password in multiple
systems, so the password may need to be expired in
systems that weren't administered by the rogue admin).

Lock down as much as you can at the outset - if you
have any systems which hold particularly sensitive
data then pay them special attention (check code
checksums against supplier checklists), go through all
listening network services, check cron jobs and boot
scripts ... if unsure, rebuild the system. You can't
do much about data they stole while they were a valid
administrator, however, if this could include
sensitive personal data you may need to inform the
authorities.

You can't really contend with an admin who just 'turns
bad' - obviously most companies want to keep their
employees motivated and (where possible) happy and
that should apply to the admin as much as anyone else.


Having multiple admins can be a benefit - or regular
audits from a contracted admin. Make sure the admin
takes all his/her holidays and have a suitably expert
replacement while they're away.

An admin with a grudge is a great inconvenience - it's
always worthwhile expending time and money at the
outset - to fully check the references and ensure
there are no recorded offences which ring alarm bells
for you. 
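As an added example (not from anyone in the thread), three of the checks described above run over constructed sample data: a second UID-0 account in /etc/passwd (the "secret admin-level account" Volker warns about), an admin password embedded in a script, and binaries compared against a supplier's checksum list. The sample passwd, script, manifest and the credential regexes are all assumptions for illustration; the manifest comparison only means anything when run from trusted boot media, because a root-level admin could have altered the interpreter that runs it.

```python
import hashlib
import re

# Constructed /etc/passwd: a second UID-0 account hiding under an innocuous name.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup2:x:0:0:Backup Helper:/var/tmp:/bin/sh
jsmith:x:1001:1001:J Smith:/home/jsmith:/bin/bash
"""

# Constructed maintenance script with the admin password hard-coded two ways.
SAMPLE_SCRIPT = """#!/bin/sh
HOST=db01
ADMIN_PASSWORD='Summer2003!'
mysql -u root -pSummer2003! -h $HOST < nightly.sql
"""

# Constructed stand-ins for the supplier's checksum list and the binaries on disk.
CLEAN_PERL = b"#!/clean-perl-binary\n"
SUPPLIER_MANIFEST = {
    "/bin/bash": hashlib.sha256(b"#!/clean-bash-binary\n").hexdigest(),
    "/usr/bin/perl": hashlib.sha256(CLEAN_PERL).hexdigest(),
}
ON_DISK = {"/bin/bash": b"#!/patched-bash-binary\n", "/usr/bin/perl": CLEAN_PERL}

# Heuristic patterns (assumed, not exhaustive): VAR=value assignments and mysql -pSECRET.
CRED_PATTERNS = (
    re.compile(r"(?i)\w*(passw(or)?d|secret)\w*\s*=\s*\S+"),
    re.compile(r"\s-p\S+"),
)

def find_unexpected_uid0(passwd_text, expected=("root",)):
    """Account names with UID 0 that are not on the expected list."""
    rows = (line.split(":") for line in passwd_text.splitlines())
    return [r[0] for r in rows if len(r) > 2 and r[2] == "0" and r[0] not in expected]

def find_embedded_credentials(script_text):
    """(line number, line) pairs that look like a hard-coded credential."""
    return [(n, line.strip()) for n, line in enumerate(script_text.splitlines(), 1)
            if any(p.search(line) for p in CRED_PATTERNS)]

def verify_against_manifest(manifest, on_disk):
    """Paths whose SHA-256 differs from the supplier's published digest."""
    return sorted(path for path, digest in manifest.items()
                  if hashlib.sha256(on_disk.get(path, b"")).hexdigest() != digest)

if __name__ == "__main__":
    print("unexpected UID 0:", find_unexpected_uid0(SAMPLE_PASSWD))
    print("embedded credentials:", find_embedded_credentials(SAMPLE_SCRIPT))
    print("tampered binaries:", verify_against_manifest(SUPPLIER_MANIFEST, ON_DISK))
```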


From: "Michael T. Harding"
<michael_t_harding@...mail.com>
To: full-disclosure@...ts.netsys.com
Subject: RE: [Full-Disclosure] Removing Fired admins
Date: Fri, 13 Feb 2004 11:01:46 -0500

Guys;

Thanks for the input and I love the philosophical
debate about how this happened, what I can do in the
future to prevent it, etc.

A little more info; I am being brought in to help
consult on this project, the ex-admin is, well, let's
just say the local and state law enforcement teams are
being brought in today to assist, and therefore the
problem is probably pretty deep. He has been a fully
entrenched admin since the inception of the
agency.

What I really am looking for is some kind of
checklist/ information sheet so we don't forget
anything major, at least to check.

Depending on what we might find today, the decision
is already on the table as to whether we should treat
this as a total breach and scrub the whole plant and
start over. That remains to be seen.

While an automated solution would be great to have,
I don't have time to research them before we get to
work. (I am of the belief that they won't work
well anyway but that is another debate.)

Does anyone know of a SANS, or GIAC or any other
security body who has a "minder" list of some sort? I
know others have gone through this and have learned
some lessons, both good and bad ones, that I hope they
can share.

If not, I will try and document what we do and
maybe look to publish something for future
reference.

Thanks,

>From: "James Patterson Wicks" <PWICKS@...GEN.COM>
>To: full-disclosure@...ts.netsys.com
>Subject: RE: [Full-Disclosure] Removing FIred admins
>Date: Fri, 13 Feb 2004 08:06:57 -0500
>
>Only the senior administrator and the CTO have the root password to the
>Unix systems.  The senior admin does not "own" any servers, but is the
>manager for all of the other admins.  Could he get mad and make changes
>to the interpreter, but the server "owner" would notice this and check
>the changes against the change management log.  Any unusual events would
>be sent to the CTO.
>
>Like you said, there is no magic button to press and instantly remove an
>admin's influence from an enterprise.  BUT if you have a good process in
>place that leverages existing technologies, you can do a good job of
>protecting your enterprise.  Admins leave companies all the time, but
>enterprises continue to operate without a problem.
>
>If all else fails, make sure that the company lawyer is in the office
>when you fire the admin.  A good threat can go a long way.
>
>-----Original Message-----
>From: full-disclosure-admin@...ts.netsys.com
>[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Volker
>Tanger
>Sent: Friday, February 13, 2004 2:51 AM
>To: full-disclosure@...ts.netsys.com
>Subject: Re: [Full-Disclosure] Removing FIred admins
>
>Hi!
>
> > We are working on something called "The Button", which is nothing but
> > a small script that activates a series of scripts that change all root,
> > local and domain administrator passwords on our Unix and Windows
> > servers when run.
>
>The ex-admin had ROOT access to "his" servers, right? So he can change
>ANYTHING, right? Including the script, e.g. like NOT changing passwords
>or adding secret admin-level accounts, right?
>
>You said "script", so it uses BASH, PERL or something. ROOT can change
>anything, right? So he could have changed the BASH, PERL interpreter or
>something, right?
>
>There is no technical solution to a social problem - well, except in
>this case maybe reformatting the disks and reinstalling from scratch and
>clean media.
>
>Sorry
>
>Volker Tanger
>ITK-Security
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
>This e-mail is the property of Oxygen Media, LLC.  It is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential, or otherwise protected from disclosure. Distribution or copying of this e-mail or the information contained herein by anyone other than the intended recipient is prohibited. If you have received this e-mail in error, please immediately notify us by sending an e-mail to postmaster@...gen.com and destroy all electronic and paper copies of this e-m



	
	
		