
May 20, 2008

While You Were Out Fiddling With Wireshark ...

Paul Rubens on the importance of physical security:

“While physical access attacks are serious when carried out on laptops, they are potentially far more serious when it’s a Windows server, rather than a user laptop, that a hacker has access to. Instead of rebooting the machine into a Linux environment and resetting a password, they could copy the SAM and SYSTEM files from the Windows directory’s system32/config folder to a memory stick and remove them.

“Why would they do that? Because on another Linux machine, the hacker can then get to work using a pair of open source Linux tools called bkhive and samdump2.

“First they’d run bkhive on SYSTEM to get the system key:

       bkhive (path to)/SYSTEM systemkey.txt

“And then they’d use samdump2 to get at the account names and password hashes from the SAM:

       samdump2 (path to)/SAM systemkey.txt>hashes.txt

(Link)

I had just started working for this company in late 2000 when I got sent to COMDEX. One of the nights of the show there was a media reception/vendor crawl. We got free drinks and walked around chatting with reps from companies that had set up very small tables, if any.

I noticed my boss talking to some guys at one of the tables who were looking sort of unhappy. They were pointing to a small laptop and there was a lot of shrugging going on. I walked over and my boss said “They’re locked out of their laptop and they wanted to do a demo here … any way to get back in?”

I opened my mouth to answer and someone leaned over my shoulder and said “That’s a Linux laptop! You’ll never, ever get into that thing! Once you forget your password, you’re screwed!”

So I rebooted the laptop, waited for the LILO prompt to appear, quickly fed it “linux 1” (or something similar to put it into single user mode) and we all stood around watching while the laptop gave me root. At that point, it was pretty easy to fix their password for them, reboot the machine and go back to my beer.

Frankly, I doubt I’d even remember this story if the guy hadn’t made such a big deal out of the laptop’s alleged impregnability. But he had, and it turned out he was a security contractor, and he was the son of a notorious coot science fiction writer with a record of public opinion that suggested cluelessness might be genetic, so the incident has stayed with me.
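As an added example (not part of this post or the quoted article), a small audit script for the LILO case above: it flags every image in a lilo.conf that can be handed extra boot parameters such as “linux 1” without a password. The rule it applies, the sample configurations and the placeholder password are assumptions made here.

```shell
# Audit a lilo.conf for images that can be booted with extra kernel
# parameters (e.g. "linux 1" / "single") without a password.
# Rule assumed here: an image is protected if it, or the global section,
# sets "password=". "restricted" only narrows the prompt to boots that
# pass extra parameters, so it counts as protection only with a password.
# Prints "OK <label>" or "UNPROTECTED <label>" per image; returns 0 if
# every image is protected, 1 otherwise.
audit_lilo_conf() {
    awk '
    function flush() {
        if (label == "") return
        if (pw || gpw) print "OK " label; else { print "UNPROTECTED " label; bad = 1 }
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
    /^[ \t]*(image|other)[ \t]*=/ { flush(); in_image = 1; label = $0; pw = 0; next }
    /^[ \t]*label[ \t]*=/ { sub(/^[ \t]*label[ \t]*=[ \t]*/, ""); gsub(/"/, ""); label = $0; next }
    /^[ \t]*password[ \t]*=/ { if (in_image) pw = 1; else gpw = 1; next }
    END { flush(); exit bad }
    ' "$1"
}

# Constructed sample configs (not from the page); prints the temp file path.
make_sample() {
    f=$(mktemp)
    if [ "$1" = hardened ]; then
        cat > "$f" <<'EOF'
boot=/dev/hda
prompt
timeout=50
password=EXAMPLE-PLACEHOLDER
restricted
image=/boot/vmlinuz
    label=linux
    root=/dev/hda1
    read-only
EOF
    else
        cat > "$f" <<'EOF'
boot=/dev/hda
prompt
timeout=50
image=/boot/vmlinuz
    label=linux
    root=/dev/hda1
    read-only
EOF
    fi
    echo "$f"
}
```

Because lilo.conf stores the password in clear text, keep the file readable by root only, and rerun /sbin/lilo after editing so the new boot map actually carries the setting.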

When I worked at a high school, I watched a coworker tasked with securing a computer lab deal with the same problem from the other end: She’d managed to secure the operating systems on each box in the lab, but she’d forgotten the BIOS password, and she was going nuts trying to figure out how her carefully secured machines were visiting places they shouldn’t be able to visit and showing porn for wallpaper instead of a big picture of the school mascot. It was trivial for the attackers … o.k., “children,” if you insist … to bring their own boot floppies along and circumvent all the OS-based security.

I have no conclusion besides “Don’t let strange people have physical access to anything on your network,” and “think like a teenage boy who sees your security measures as an impediment to his porn surfing when you’re considering ways to compromise endpoints.”

Posted by mhall at 8:12 PM
