[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <453FBCAD.1000902@gatech.edu>
Date: Wed, 25 Oct 2006 15:36:13 -0400
From: Matthew Flaschen <matthew.flaschen@...ech.edu>
To: "North, Quinn" <QNorth@....com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Putty Proxy login/password discolsure....
Sounds cool. Battering ram is easier, though. I said, deal with, not
solve.
Matthew Flaschen
North, Quinn wrote:
> Sadly, Not even that will help you anymore ...
>
> http://www.hackaday.com/2005/08/24/lock-bumping-revisited/
>
>
>
> --=Q=--
>
>
> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk
> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Matthew
> Flaschen
> Sent: Wednesday, October 25, 2006 3:20 PM
> To: cardoso
> Cc: full-disclosure@...ts.grok.org.uk
> Subject: Re: [Full-disclosure] Putty Proxy login/password discolsure....
>
> I have a dual WinXP/Debian boot, and I deal with that problem by locking
>
> my door.
>
> Matt Flaschen
>
> cardoso wrote:
>> Exactly. A few years ago I used to deal with linux fanboys showing
> them
>> the cute trick of "linux single" at boot time. After a few hours
> begging
>> for the admin password, I teached the trick and they usually stopped
> the
>> brag about how security Linux was.
>>
>>
>> On Wed, 25 Oct 2006 12:34:49 -0500
>> Paul Schmehl <pauls@...allas.edu> wrote:
>>
>> PS> --On Wednesday, October 25, 2006 10:24:11 -0400
> mflaschen3@...l.gatech.edu
>> PS> wrote:
>> PS>
>> PS> > Windows offers no security against local users. It is trivial
> to boot to
>> PS> > a program like ERD Commander and replace admin passwords. On
> the other
>> PS> > hand, PuTTy is meant to protect against everyone; that's why it
> doesn't
>> PS> > allow saved passwords. Thus, this seems like a vulnerability to
> me.
>> PS> >
>> PS> Unix offers no security against local users either. If I can sit
> at the
>> PS> console, I can login in single user mode, mount the drives rw and
> edit
>> PS> /etc/passwd all day.
>> PS>
>> PS> Furthermore, I can take any hard drive, with any file system on
> it, and
>> PS> with the right tools I can read everything on the drive, even
> deleted stuff.
>> PS>
>> PS> So what's your point? That when you own the box you own the box?
>> PS>
>> PS> If you first have to own the box to get to the information, then
> it's not a
>> PS> vulnerability. It's not best practice, but it's not a
> vulnerability.
>> PS>
>> PS> Paul Schmehl (pauls@...allas.edu)
>> PS> Senior Information Security Analyst
>> PS> The University of Texas at Dallas
>> PS> http://www.utdallas.edu/ir/security/
>>
>> -------------------------------------------------------------
>> Carlos Cardoso
>> http://www.carloscardoso.com <== blog semi-pessoal
>> http://www.contraditorium.com <== ProBlogging e cultura digital
>>
>> "You lost today, kid. But that doesn't mean you have to like it"
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists