RE: security scenario

Not being smart or anything but what layers in this scenerio do you see as the important ones?
How would you tackle this problem?

Trevor Cushen
Sysnet Ltd

www.sysnet.ie
Tel: +353 1 2983000
Fax: +353 1 2960499

-----Original Message-----
From: theog [mailto:theog@theog.org]
Sent: 31 January 2003 00:23
To: Chris Berry; security-basics@securityfocus.com Subject: Re: security scenario

Well , I think that instead of dealing with how many layers one can install (and taking the time to install them) it is better (IMHO) to invest the time in making the important layers secure. having more layers won't increase your security level if you spent all the time in installing those same layers , whatmore , you have more then CDROM and Floppy to boot with (USB dev , etc...). I wouldnt use a grub password , or a bios password , as forgeting those , will cause more harm then the security benefit they provide ,writing them down or putting weak passwords is simply not worth the trouble .

TheOg

• Original Message ----- From: "Chris Berry" <compjma@hotmail.com> To: <security-basics@securityfocus.com> Sent: Wednesday, January 29, 2003 9:44 PM Subject: Re: security scenario

> >From: "theog" <theog@theog.org>

> >anything, in fact, the simplest thing to do (if I wanted to change
> >the root for a machine I dont have the password for) is to boot with

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

> >so ..... no point is having a grub password for the machine if you
> >have users you dont trust , with access to that machine console.
>
> Physical access will yield root access given time, knowledge, and
compilation
> of little things that add up. No one is hack proof, but by adding

> an uninviting target, and become hack resistant. You have to draw the

> line somewhere or your administrative burden will grow greater than
bios
> passwords are a good idea, sure any monkey who can open the case can
the
> battery and reset it, but that's one more step they have to do, and

> you start taking your computer apart and you don't work in IT. On top

> of this, removing the CD-ROM drive and Floppy drive from any
doesn't
> require it, is a good idea as it slows them down even further, and
requires
> more knowledge, and some parts to bypass. With these three things in
place
> they'll need a screwdriver, a linux cd, a cd-rom drive, enough
to
> open the case install the cd-rom, set the jumpers on cd-rom and IDE,
password.
> Can it be done sure, is it hard, not really for a trained person, I
of
> probability than the kind of people who could get in without having
job
> skill."

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed.

If you have received this message in error please notify SYSNET Ltd., at telephone no: +353-1-2983000 or postmaster@sysnet.ie