Date: Wed, 28 Feb 96 07:03:16 -0800
From: Cy Schubert - BCSC Open Systems Group <cschuber@uumail.gov.bc.ca>
To: ewb@zygaena.com
Cc: cschuber@orca.gov.bc.ca, freebsd-security@FreeBSD.org
Subject: Re: Informing users of cracked passwords?
Message-ID: <199602281503.HAA10286@passer.osg.gov.bc.ca>
In-Reply-To: Your message of "Wed, 28 Feb 96 09:03:14 EST." <199602281403.JAA05423@lochsa.i.com>

> Cy Schubert wrote:
> >If a user trusts an account on another host and that host has been
> >hacked, you have to assume your host has been compromised as well.
> >You cannot assume otherwise because you have no evidence to the
> >contrary. Once a hacker has an account on a system you or your users
> >trust, it's just a matter of time before the hacker has root on your
> >system.
>
> This is a rather sweeping statement that I don't think is true
> in general. Certainly if there is root trust via /.rhosts
> and the hack has root on the trusted system then you're a goner.
> Otherwise, the hack simply has user level access - which I hope
> is not a *guarantee* that they can get root.
>
> Are you suggesting that root on every un*x (or FreeBSD?) system is
> inherently compromised by having untrusted users?

If you take the point of view that auditors do, yes. That is why any
host with .rhosts or hosts.equiv files usually gets poor audit reports.
It is only a matter of time before a hacker can gain root. If you're
running SunOS 4.x (a SunOS 4.x system can be broken with two shell
commands), elm, pine, or an improperly configured httpd, and the list
goes on, your system is at risk. That's not to say an absolute guarantee,
but at risk. If another system in your shop or a system that you or your
users trust has been compromised, that risk goes up.

The key is that if a site that you or your users trust has been hacked,
you must _CONSIDER_ your site compromised (at least user level) until you
can prove it hasn't been. Otherwise you may be hacked and assume you're
not. Call me paranoid. On the other hand, in a government shop, like the
one I work at, even a non-privileged user can do a lot of "political"
damage.

>
> If so, I hope that you are helping to plug the particular hole(s)
> that you know of!

Of that you can be sure! That is one of the reasons I and my clients
have switched from Linux to FreeBSD. Under Linux it was a losing battle.
Of the two broad classes of "free" UNIX the *BSD variants do a better job
of security, even better than many commercial variants of UNIX I've
worked on.

>
> --
> Will Brown                                      ewb@zygaena.com
> Zygaena Network Services                 http://www.zygaena.com

Regards,                       Phone:  (604)389-3827
Cy Schubert                    OV/VM:  BCSC02(CSCHUBER)
Open Systems Support          BITNET:  CSCHUBER@BCSC02.BITNET
BC Systems Corp.            Internet:  cschuber@uumail.gov.bc.ca
                                       cschuber@bcsc02.gov.bc.ca

        "Quit spooling around, JES do it."
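
The .rhosts and hosts.equiv trust files discussed in this thread can be audited mechanically. The following Python is an added example, not part of the original e-mail or of FreeBSD. It assumes the common `host [user]` line format with `+` as a wildcard, a leading `-` as a deny entry and `#` starting a comment; the function names and sample content are constructed for illustration.

```python
"""Audit rhosts-style trust files (.rhosts, hosts.equiv) for risky entries."""
import os
import stat

def audit_entries(text, is_root_file=False):
    """Return (line_no, entry, reason) findings for the text of one trust file."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # assumption: '#' starts a comment
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host.startswith("-"):
            continue                          # deny entry, grants no trust
        if host == "+":
            findings.append((no, line, "wildcard host: any remote host is trusted"))
        if user == "+":
            findings.append((no, line, "wildcard user: any remote user is trusted"))
        if is_root_file and host != "+":
            findings.append((no, line, "root trusts a remote host"))
    return findings

def audit_file(path, is_root_file=False):
    """Audit a file on disk, also flagging group- or world-writable modes."""
    findings = []
    mode = os.stat(path).st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append((0, path, "file is group- or world-writable"))
    with open(path, encoding="utf-8", errors="replace") as fh:
        findings.extend(audit_entries(fh.read(), is_root_file))
    return findings

# Constructed sample content, not taken from any real host.
SAMPLE_RHOSTS = """\
# constructed example
trusted.example.org alice
+ +
-badhost.example.org
build.example.org +
"""

if __name__ == "__main__":
    for finding in audit_entries(SAMPLE_RHOSTS):
        print(finding)
```

Run `audit_file` over /etc/hosts.equiv and each home directory's .rhosts, passing `is_root_file=True` for root's own file, where every trusted remote host is reported.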
