'Attack Trees' Help Model Potential Security Flaws
Our most prolific reader, Anonymous Coward, writes "Here is an article by Bruce Schneier of Counterpane Internet Security from Dr. Dobb's Journal that describes a way to 'model threats against computer systems'." This is Bruce Schneier at his best. Many of the thoughts in this article aren't about cryptography but about other ways intruders might defeat your security measures, and about how to determine what kind of attacks you might expect to face.
No it doesn't (Score:2)
Actually it doesn't. The branches and leaves of the tree represent separate options for completing some action, not separate steps in a process.
An 'attack tree' for calling someone on the phone would look something like this:
1 pick up phone
2 go to dialpad.com (or)
2.1 Use netscape (or)
2.1.1 click icon
2.1.2 run from command prompt.
2.2 use IE
Each node is a 'part' of the node above it, an option, different ways you can do it: 'using netscape' is a part of using dialpad.com.
An attack vector would be to say, get a user account, and then do a buffer overflow. You could impersonate that user and get the root password that way. Those options might show up in an attack tree, but they wouldn't necessarily be connected to each other.
Re:A good model (Score:1)
One time pad (Score:2)
Mathematical attacks (Score:1)
And for that matter, how can you know the difficulty of cryptanalysis of a specific message encrypted by an algorithm, unless you happen to work for No Such Agency [nsa.gov] (link broken?).
Quick funny (Score:2)
Re:One time pad (Score:1)
It works only for known attacks (Score:2)
So, this model can only be used as an indication of the security of your system. Your system is likely to be less secure than the model says, e.g. the "unknown" node is likely to be cheap.
Having said that, it's IMHO still a very good way to look at your security.
Too Flat model (Score:2)
1. It has a serious need for known data. However, a big part of attacks are made with data not known a priori.
2. It is a linear model. Most of the decision-making is made through choosing branches of the tree. However, attacks are frequently a recursive operation (ex. exploiting several ways to login through an interface).
3. It is a flat model, and here it is the biggest problem. Today most attacks are combined attacks where one tries several programs, packets, makes decisions through experiment and tries to perform a break-in much like making a wormhole all over the system.
For those who like too much maths, I think that it would be much more correct to draw a multidimensional net instead of this. And use more complex things like fuzzy logic. This way I think that we can give a more correct picture.
Each dimension is a net that is constituted of a program or an application package. It has to be noted that one may visit a node several times.
Between each packet/dimension there are drawn lines of contact. These can be the UNIX forks, OLE/COM/DCOM/CABUUM, CORBA or any other stuff.
The idea is to draw contacts evaluating a probability of action. With a monetary or a subjective weight to it.
Under such assumption I would consider that a serious security flaw would be a very short path with a very short weight. A problem. Can we systematize such a thing? And how can we have a good evaluation of the possible unknowns many crackers use?
Attack of the trees. (Score:2)
The trees are on the move, and they are pissed.
Reasons that this is helpful to Security personnel (Score:2)
- Each leaf or branch can be assigned valuations (assessments) of: risk, summed cost (all sub-leaves) to complete, time to complete, legal risk to attacker, physical risk to attacker, cost to correct, or just about any factor that you want to assign to the leaf/node.
- It helps you build the profile of attack by attacker if you happen to have formally thought about who it is that might be interested in your system.
- It helps managers and planners think systematically about the structure and design of their security infrastructure.
- It illustrates weaknesses in another way, so that if you've developed tunnel vision by concentrating on one issue (PGP/BO/whatever), you'll see that you've been focusing on something that is harder to do than simply bribing the janitor to let someone in your office.
- Those values that you create (and you should assign a branch to 'Unknown attacks' with valuations) can be presented to management, showing you on behalf of the company are exercising some due diligence just by thinking about this stuff.
- Each branch can be shared, if you so desire. If a specialist in physical security comes up with a novel way to bypass all standard deadbolts, they can post the new branch/node up and let people assign their own valuations to each step.
- You can constantly query a system that uses this model for the current weakpoints in your structure according to the most recent data and valuation. Of course, 'Unknown attack' may always be the highest weakness, but at least you can clean the rest of the slate as much as possible.
No, none of this is really revolutionary in terms of the structure. Game theory has been around for a while, and been using this method for the same purposes, but an Industry Name such as Bruce's exposes it to a lot more people than the usual academics. It's not a solution or a cure, but a nice, illustrative TOOL.
Re:schneier should not much of an outlaw (Score:1)
You miss several key points. In my home town the manager of a local business and the two late night employees were caught stealing from the business. The manager had insurance, the two employees made up an armed robber (black man, 5'10, average height, dark winter hat on (this was in winter), brown trench coat - ie very average), and the three of them split the money. They had their story down well enough that insurance paid the loss, until one of them confessed.
I know in one business I worked for one of the managers (different from the one above) was stealing from the safe. We knew who, but had no proof. Now send that manager to fill in at a different store and she gets their safe combination. She knows when the store is closed, tells the combination to one of her more experienced thief friends, and some night the safe is robbed, and she isn't implicated because she didn't work there that night. (and in fact they probably forgot she knew the combination) The only thing really keeping this down is the monthly changing of the safe combination, and she doesn't know when that happens.
Good social engineering can also get people to tell the safe combination without intending to. There exist people who can sell air conditioning to Eskimos. There are people who can sell sand in a desert, or salt water on the ocean. Some people have the gift of getting people to tell what they shouldn't. There are Eskimos who won't buy air conditioning from anyone, just like there are people who won't reveal the combination. Many people will give the combination though, and that is enough. (these people always make sure on the night the robbery occurs that they have many witnesses that they were not there, that way they can say "Yea he told me, but I'm an honest guy who wouldn't use it or tell anyone. And I was at this party with many people. Joe even videotaped some of it, get his tape I'm probably on it.") Add in a small bribe and some people become less honest.
Re:Useful for a company (Score:2)
Re:One time pad (Score:2)
Suppose the cryptotext is
120987210983109321387939
and you try "key" (in the brute force sense)
094502308749382827388383 and get a decode:
"Sell 1000 of MSFT now"
but how do you know that you shouldn't have used key
398320975298732932990239
which produces the decode
"Buy 2390 of RHAT now" ?
The point with one-time pads is that you can get any plaintext just by changing the decode key. This is why there is no way to brute-force or otherwise break one-time pads. But for the system to work, they really have to be one time.
This doesn't happen with other forms of cryptography, because normally only one key produces anything resembling plain text, and all other keys produce garbage. (Of course, most decode keys for one-time pads give you garbage too).
Torrey Hoffman (Azog)
Re:A good model [OT?] (Score:4)
In addition to what pb mentioned in this comment's parent, I had some time to play around on a "locked down" system. You had to give the admin some credit, he did a better job than most people do, but even so...
On a totally locked down system, you can't access Windows Explorer, and My Computer only allows you to access your own files on the network server. Not even the C drive. But wait! WindowsKey+E brings up Explorer on C:\Windows. Oops. WinKey+F brings up Find, allowing you to check for each and every drive on the network. Find one, and you can right-click, and then select Explore, making it magically appear in Windows Explorer.
The admin for this lab had gone and actually deleted command.com from the computers. Good idea, but unfortunately, the computers had web access. Problem solved. You could then create a shortcut to command.com.
At the command prompt, you could try to bring up regedit.exe, but no... Policies didn't allow that. Too bad the policies don't prevent you from using regedit's command line switches, eh? You can export the registry to a plain-text file, then use command line options to delete any entries you don't like.
Also from the command prompt, you could change the access properties on files on the network drives. I was able to change both the internet website and the webpages on the LAN. Both were supposedly locked so that only the admin could get at them. Oops.
Anyway, you want security, you simply don't use Win9x. (This is why Norton's Ghost sells so well, no?)
------
E-commerce Security Consulting or software (Score:1)
Should I look for third party software that monitors intruders? What software is currently available for a Solaris system?
Should we bring in a security consulting company and ask them for a network and code review check? What are the best companies that are doing this type of thing now?
We are leaning towards the second option right now, but any advice would be great!
Re:Um... (Score:2)
Like this????
Jedi Hacker (Apprentice) and Code Poet
Re:process, not product (Score:3)
Example: sysadmin abruptly changes policy to frequently expiring passwords, with no recycling of old passwords.
Result: users start picking passwords that are dead easy to guess, in fear that they may forget them. They're also very careful to write down their password somewhere near their machine.
Re:My reply to the JERK (Score:2)
Anyone know anymore (Rob, feel free to respond, here)??
Jedi Hacker (Apprentice) and Code Poet
Re:A good model (Score:2)
Say you're a random visitor to a company and you get two minutes' access to a critical workstation. Push Ctrl-Alt-F1 at any time. Then push Ctrl-Alt-Delete. Of course, if you're in a hurry, push the reset button.
Insert a floppy loaded with the Linux Kernel. You could use a Debian installer disk--or a customized disk would be ideal. Get to a console, which of course is an instant root shell. Mount the main hard drive, add your sniffer or whatever to
The point is that any time a stranger has physical access to an x86 (be it Unix, Windows, or whatever) and no one is watching, security is lost. This factor should be added to your attack trees!
Re:process, not product (Score:2)
Smart-card key systems are reasonably cheap and should be used for anything worth protecting (clue: most corporate networks are not worth protecting). If your data is important to you (clue: five terabytes of Powerpoint presentations are not important) then you should be prepared to pay up for a system that can be kept physically secure.
For everything else, you can afford to be lax. Occasionally come down hard on someone for installing a virus, have a compulsory passworded screensaver to protect your system from the cleaners, but don't turn the IT department into laughable NSA wannabes.
The way I look at it is this -- if you get a serious compromise on an average network, you could lose a day's work. Draconian password practices will cost you that every six months in forgotten passwords, etc.
jsm
Damn! (Score:1)
Guess I better put down the Picante and pick up the Pace (tm) !
Now compare Unix and EROS (Score:4)
For those who do not want to read the essays in detail, here is an explanation "from 20,000 feet" to give you a sense. Unix is based on the idea of an access control list. You have permissions based on who you are, and every process you run will (by default) have permissions to do on your behalf anything that you can do. EROS is based on the idea of a capability. Capabilities can be thought of as handles through which you can request some action and you can do nothing without explicitly being handed the appropriate capability.
The difference is obvious when you consider trying to cat a file. In Unix you hand a program like cat the names of the files you want it to open and trust it to do nothing other than what you asked. In EROS you have the capability to produce capabilities which we will call file-handles, and would hand cat the open file-handles from which it could read those files and be guaranteed that it is unable to talk to anything other than you, or read anything other than those files, since it has no other capabilities (not even the ability to produce another file-handle). Note that in Unix you explicitly have to trust that cat won't do anything else while in EROS there is no way that it could.
This ensuring that processes never have any ability that they do not need to have results in far fewer processes with sufficient permission to cause damage, and therefore results in the attack tree by default being substantially pared down from what is possible even in a heavily locked down Unix system. As a result verifying the security of the operating system becomes a far simpler task. While attempting to verify the security of a Unix system is possible (the OpenBSD [openbsd.org] folks have done an extremely good job of it), the equivalent task for a capability system is far simpler.
Food for thought.
Cheers,
Ben
How to break a one-time pad (Score:1)
Key points:
So, although OTPs are theoretically secure, in practice you must be very careful to use them properly. Remember, process not product!
Charlie Brown's Kite (Score:1)
But anyhow, the logic behind attack trees looks solid. If you can compromise one system you can use it as a stepping stone to move on to the next.
Phrack [phrack.com] once ran an article called "Distributed Metastasis" which might make an interesting read.
Re:Take out the floppy (Score:1)
Re:Charlie Brown's Kite (Score:1)
Re:Attack trees? (Score:1)
Or a home security option that doesn't need Winalot?
"Ideal for home security. Attractive *and* functional, guaranteed to enhance and secure any driveway"
Are they fierce? Can they tell the difference between friend and foe?
--
Attack trees (Score:1)
Re:A Useful Application of A Profound Tool (Score:2)
The typical safety approach using something like Fault Trees starts off with an aim of a safe system, identifies the principal hazards to that system (e.g. bomber releasing an armed bomb in a closed bomb bay), then works down decomposing those hazards using AND/OR junctions to reach a list of specific things which we have to prove about the system (e.g. no software write to location 0xf0001234 which is not immediately preceded by a check of the Bomb_Bay_Open sensor).
See http://www.cs.york.ac.uk/hise/ and Nancy G. Leveson's book "Safeware" for more info on safety engineering. My post doesn't even scratch the surface of the subject.
Adrian
Speaking for myself, not for my employer
Re:unrelated but still... (Score:1)
In the real world, we avoid eye contact with strangers, we lock our doors, we don't walk down the streets in "that neighborhood", and sometimes we carry protection. Why shouldn't the same apply to the electronic world?
Re:Capabilities for Linux being developed (Score:1)
Re:schneier should not much of an outlaw (Score:1)
Yeah, I know. It was just a very lame early morning attempt at being funny. I got what was coming to me for it I guess.
-
We cannot reason ourselves out of our basic irrationality. All we can do is learn the art of being irrational in a reasonable way.
Re:It works only for known attacks (Score:1)
You can even make educated guesses about classes of attacks that aren't known to exist but might. E.g., you could always add a "read the victim's mind telepathically" node into Bruce's PGP attack tree, and assign it your best guess of difficulty.
But the bottom line is, if it isn't known yet -- and can't be reasonably speculated about -- you're screwed. So don't sweat it.
-Peter
Review Past Attacks When Building New Attack Trees (Score:1)
-Peter
Attack Graphs Not Always Trees (Score:2)
An obvious example comes from 2-out-of-3 secret sharing:
Directed acyclic graphs are usually known acronymically as 'DAGs'. Structures with this form are sometimes known as 'polyhierarchies'.
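As an added example that is not from Schneier's article or from any post in this thread, here is a small evaluator for the structure these posts describe: the OR branches of the 'No it doesn't' post, the AND/OR junctions of the fault-tree post, the per-leaf valuations and 'unknown attack' branch from 'Reasons that this is helpful', and a graph in which one leaf hangs under several parents, as in the 2-out-of-3 secret sharing case above. All node names and costs are constructed.

```python
# Added example (not from the thread): an AND/OR attack graph with per-leaf
# valuations. Nodes are referenced by name, so one leaf may sit under several
# parents, which makes this a DAG rather than a strict tree.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple


@dataclass
class Node:
    kind: str                                   # "leaf", "or" or "and"
    children: List[str] = field(default_factory=list)
    cost: float = 0.0                           # leaf valuation (constructed units)


class AttackGraph:
    def __init__(self) -> None:
        self.nodes: Dict[str, Node] = {}

    def leaf(self, name: str, cost: float) -> None:
        self.nodes[name] = Node("leaf", cost=cost)

    def gate(self, name: str, kind: str, children: List[str]) -> None:
        if kind not in ("or", "and"):
            raise ValueError("gate kind must be 'or' or 'and'")
        self.nodes[name] = Node(kind, children=list(children))

    def attack_sets(self, name: str, path: Tuple[str, ...] = ()) -> List[FrozenSet[str]]:
        """All minimal sets of leaves (cut sets) that achieve `name`.
        OR: any one child's set works.  AND: one set from every child, combined."""
        if name in path:
            raise ValueError(f"cycle through {name!r}; the graph must be acyclic")
        node = self.nodes[name]
        if node.kind == "leaf":
            return [frozenset([name])]
        per_child = [self.attack_sets(c, path + (name,)) for c in node.children]
        if node.kind == "or":
            combos = [s for sets in per_child for s in sets]
        else:
            combos = [frozenset()]
            for sets in per_child:
                combos = [a | b for a in combos for b in sets]
        # A leaf shared by two AND branches is counted once (set union);
        # drop duplicates and any set that is a superset of another.
        unique = set(combos)
        return [s for s in unique if not any(o < s for o in unique)]

    def cost(self, attack: FrozenSet[str]) -> float:
        return sum(self.nodes[leaf].cost for leaf in attack)

    def ranked(self, goal: str) -> List[Tuple[float, Tuple[str, ...]]]:
        """Every way to reach `goal`, cheapest first: the current weak points."""
        return sorted((self.cost(s), tuple(sorted(s))) for s in self.attack_sets(goal))

    def cheapest(self, goal: str) -> Tuple[float, Tuple[str, ...]]:
        return self.ranked(goal)[0]


def build_example() -> AttackGraph:
    g = AttackGraph()
    # Branch 1: the secret is split 2-out-of-3, so any two shares suffice.
    # Each share leaf hangs under two AND gates: a shared node, not a tree.
    g.leaf("obtain share A", 5000)
    g.leaf("obtain share B", 8000)
    g.leaf("obtain share C", 2000)
    g.gate("shares A and B", "and", ["obtain share A", "obtain share B"])
    g.gate("shares A and C", "and", ["obtain share A", "obtain share C"])
    g.gate("shares B and C", "and", ["obtain share B", "obtain share C"])
    g.gate("recover secret from shares", "or",
           ["shares A and B", "shares A and C", "shares B and C"])
    # Branch 2: the two-step path mentioned in the thread; both steps required.
    g.leaf("get a user account", 500)
    g.leaf("exploit a buffer overflow", 20000)
    g.gate("escalate from user account", "and",
           ["get a user account", "exploit a buffer overflow"])
    # Branch 3: always keep an 'unknown attack' leaf with a best-guess valuation.
    g.leaf("unknown attack", 50000)
    g.gate("read the secret", "or",
           ["recover secret from shares", "escalate from user account", "unknown attack"])
    return g


def after_mitigation(g: AttackGraph, leaf: str, new_cost: float) -> Tuple[float, Tuple[str, ...]]:
    """Re-query the graph after a control raises one leaf's cost: the weakest
    path moves, which is the 'constantly query for weak points' use above."""
    g.nodes[leaf].cost = new_cost
    return g.cheapest("read the secret")


if __name__ == "__main__":
    graph = build_example()
    for cost, leaves in graph.ranked("read the secret"):
        print(f"{cost:>8.0f}  {' + '.join(leaves)}")
    print("after hardening share C:", after_mitigation(graph, "obtain share C", 9000))
```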
Back Orifice? (Score:1)
Is it just me, or does the author have a thing with Back Orifice? He didn't mention anything else, like MS SMS.
If you're at an SMS infected workplace, then you basically have no privacy, so PGP will do you no good (well, if you can't guarantee that the message is secure, what good is it?), even over SSH.
Um... (Score:1)
You could have put it in reply to the absurd post you were talking about, though. I'm guessing it's the one about turning JonKatz to stone.
Either way, we really need to have a mod category for "weird." Either that, or an archive (that would actually be pretty cool; a "Slashdot Hall of Fame," perhaps?)
Re:Back Orifice? (Score:1)
Which makes me think of something else - because of the presence of SMS on a machine, the security of everything the user of that machine has access to is dependent on the security of SMS - i.e. cracking SMS is the leaf node of .
Yet another reason not to use crap like that.
Re:My reply to the JERK (Score:1)
Attack trees? (Score:1)
Re:My reply to the JERK (Score:1)
But, I don't really see how it's flamebait.
process, not product (Score:4)
It's amazing how many people who should know better miss that simple point. I've worked at places that spent fortunes on security products, and yet all the workers wrote their login/passwords right on the monitor because it took the IT security staff so long to create new logins that everybody just shared the same ones.
NT workstation is one of those perfect examples of a decent product with an easy attack path. The basic security model is reasonable, but then they integrate the web browser and e-mail package with everything else on the system, allowing so many security holes that they'll never really be plugged.
Re:A good model (Score:1)
this stuff is not that original (Score:1)
Heh, Attack Trees. (Score:2)
Pablo Nevares, "the freshmaker".
Re:process, not product (Score:2)
Going from a shop that has little security (like mine (sigh)) to one with good security will be a bit harsh. However, that's a Good Thing(tm).
I would guess you live at or close to Stanford. Question: do you lock your doors at night? When you leave, maybe? Always? Maybe you or your household had to be burglarized once or twice before you did that. See the parallel (tenuous, I know)?
My point is that security is more than passwords. It is, truly, social engineering. People may pick passwords that are `dead easy' to guess, but if the IS department is expecting that, then it only takes one or two deletions of imperative project software (with appropriate backups, to be sure) for the (l)user to catch on.
Eventually, the easy passwords will pass and the user, understanding the consequences of having stupid-type security, will embrace passwords like 1guYbv%^&bbejkkc.
Jedi Hacker (Apprentice) and Code Poet
Re:A good model (Score:1)
I allow Ctrl-Alt-Del, 'cause I'm generally the only one here, but it's easily disabled in
However, the other flaw you mentioned, the boot disk, is a PC hardware/BIOS issue, not a Linux one:
I do not allow booting from floppies, or anything but the hard drive, and I have a password on my BIOS setup. That is the correct way to secure an x86 machine, configure that in your BIOS.
Do this also with your Windows machines, etc., since you could just as easily reboot a Windows machine and insert a Linux boot disk. (I've done this before, to mount NTFS and stuff...)
Of course, if you have physical access to any machine for long enough, it's compromised. There are BIOS password cracking/bypassing programs available for some BIOSes (at least there were, for DOS).
Past that you can always take out the hard drive, or insert another one as the first hard drive... This should work, x86 or not! (assuming you can get to the case, and open it. Locked cabinet, anyone?)
---
pb Reply or e-mail rather than vaguely moderate [152.7.41.11].
Re:A good model (Score:1)
Re:E-commerce Security Consulting or software (Score:3)
If you need to ask these questions, you have no business doing ANY online commerce.
As the sysadmin for a large e-commerce site, I spend roughly 50% of my time on security. While no system is foolproof, the sysadmin MUST be well versed in security and MUST address it on a daily basis.
All it takes is one stolen credit card number from your site. Lawsuits. Bad publicity. Bankrupt startup.
For an e-commerce site, system security can potentially MAKE or BREAK your business.
generic defense algorithm? (Score:1)
Maybe I'll actually be closer to winning network RT-strategy games now.
Re:process, not product (Score:2)
The more difficult the password is to remember, the more likely the user will write it down (somewhere the admin can't see). There needs to be a balance between the guessability of the password and the likeliness of the user writing it down.
Re:process, not product (Score:1)
your password with another employee was a flogging offense. If you were to write it somewhere and leave it where it could be found, you would be thrown from a fourth floor window.
The best way I found was to use the password on the NoteIt and change the desktop pattern while not at the desk (single guess as to the amount of clothes worn in the pics), or for the Mac heads a 4000+ folder storm to the desktop while the boss is talking to them usually got the point across.
You have to do this, it's the only way to get the point across. Works like a charm and saves wear and tear on the parking lot. [/:-)
Re:Um... (Score:1)
Something like:
Hmmmm, maybe not
Re:One time pad [OT] (Score:1)
Think of your standard alphabetic substitution code. Except that EVERY SINGLE BYTE of the message has a different, random, substitution matrix.
So for the -first- letter, A--X, while the fourth is A--M.
You could just generate every possible cipher, and you would indeed get the encrypted message -- as well as every other combination of letters N bytes long.
So "ATTACK AT DAWN" would be disclosed -- as would "ATTACK AT NOON", "FALL BACK NOW!", and "LETS DO LUNCH."
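The point made in this post and in the 'Re:One time pad' post above (any plaintext of the ciphertext's length is reachable by choosing the pad, and the pad must never be reused), as an added example that is not from the thread. The pad and messages are constructed; this post's own 14-character messages are used because the candidate must match the ciphertext length exactly, which the MSFT/RHAT strings in the earlier post do not.

```python
# Added example (not from any post in this thread): why a one-time pad
# ciphertext is consistent with every plaintext of its length, and why the
# same pad must never be used twice.
from typing import Dict, Iterable


def otp(data: bytes, pad: bytes) -> bytes:
    """XOR with the pad. Encryption and decryption are the same operation."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the message")
    return bytes(d ^ k for d, k in zip(data, pad))


def pad_that_decodes_to(ciphertext: bytes, candidate: bytes) -> bytes:
    """The pad under which `ciphertext` decrypts to `candidate`. One exists for
    every candidate of the same length, so the ciphertext alone cannot tell
    the real message apart from any other."""
    if len(candidate) != len(ciphertext):
        raise ValueError("candidate must have the ciphertext's exact length")
    return otp(ciphertext, candidate)


def all_reachable(ciphertext: bytes, candidates: Iterable[bytes]) -> bool:
    """True if each candidate comes out of the ciphertext under some pad."""
    return all(otp(ciphertext, pad_that_decodes_to(ciphertext, c)) == c
               for c in candidates)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """With a reused pad, c1 XOR c2 equals p1 XOR p2: the pad cancels out and
    the relationship between the plaintexts is exposed without any key."""
    return otp(c1, c2)


def recover_other_message(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Knowing (or correctly guessing) one message under a reused pad yields
    the other one outright."""
    return otp(two_time_pad_leak(c1, c2), known_p1)


# Constructed 16-byte pad. A real pad must be truly random and used once.
PAD = bytes.fromhex("3a9c0f51e2b7d4688e1a5fc3b079e612")
REAL = b"ATTACK AT DAWN"
DECOYS = [b"ATTACK AT NOON", b"FALL BACK NOW!", b"LETS DO LUNCH."]


def demo() -> Dict[str, bool]:
    ct = otp(REAL, PAD)
    used_pad = PAD[:len(ct)]
    return {
        "round_trip": otp(ct, PAD) == REAL,
        # every decoy is a valid "decryption" of the same ciphertext ...
        "every_decoy_reachable": all_reachable(ct, DECOYS),
        # ... each under a different pad, none of them the real one
        "decoy_pads_differ": all(pad_that_decodes_to(ct, d) != used_pad for d in DECOYS),
        # reuse the pad once and the second message falls out of the two ciphertexts
        "reuse_recovers_second":
            recover_other_message(ct, otp(DECOYS[1], PAD), REAL) == DECOYS[1],
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:24s} {ok}")
```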
Heuristics, Fuzzy Logic models (Score:1)
Heuristics, Fuzzy Logic models (Score:2)
Now, to bring this thing to a monster of a science, would be to create fuzzy diagrams, and especially to incorporate Peter Senge's archetypes (they apply to learning organizations, but since they deal with goals and interaction - they should apply here).
Anyone want to start a peer review journal for "Attack Analysis"... I'm sure you could get some extra funding from the DoD or NSA to pull that one off.
SMS (Score:1)
As soon as we can get a good Linux system with the necessary applications to do our database and telephony interfacing, we're going to dump NT and all the crap that's written for it.
Re:My reply to the JERK (Score:2)
However, there is an "overrated" and an "underrated" category that just affects the score, but not the description.
Article Mirror (Score:2)
A good model (Score:5)
No startling new thoughts, just my own musings. If you can't tell, I found the article pretty interesting, and I've never thought about a hierarchical method of analyzing security risks.
Good article. (Score:2)
Re:Attack trees? (Score:2)
Especially on a quickie. How else do you reply to a quickie but with humor?
I dunno, maybe it's me.
m2 karma (Score:1)
I got two upmods the other day, and then I lost one. It really makes you a lot more aware of what you submit, since you can't get more so easily anymore.
Also, if you get negative karma, you lose the ability to metamoderate. When the karma system opened up, I had -2, in a few days I had gone down to -9 (-10 would have started me out at score 0, not good).
It took me forever to get back in the black, but after that it was a straight shot to 30...
Re:process, not product (Score:2)
I've been system security guy #5 in a couple of different companies and the first step in teaching a new person the security process was to ask them what their password was, and if they told me I would slap them.
Understand that these people deserved whatever I dished out; the most common complaint at these jobs was that their monitor wouldn't work after they had poured two liters of Orange Crush in the back of it.
Security was maintained by limiting everyone's access and making them strictly responsible for their own actions; sharing your password with another employee was a flogging offense. If you were to write it somewhere and leave it where it could be found, you would be thrown from a fourth floor window.
The only security measures that were purchased were a smart card swipe at the front door, and a big dude named Machette that would growl at you on a regular basis.
moderation (Score:1)
Good point (Score:2)
I remember reading about how a hacker had broken into a military facility, now of course all the 'classified' stuff was not on the network, right? Wrong. Each user had two computers on their desk, one was on the 'net, and the other was not. All the 'good stuff' was supposed to be on the disconnected one, however disconnected 'black boxes' had to go through a 3 year long auditing process, so by the time the users got them, they sucked.
What happened? Users put tons of nuclear information on their net-connected boxes, because they were simply faster. Not good.
Re:Back Orifice? (Score:1)
Re:Useful for a company (Score:2)
I completely disagree. Part of designing anything involves thinking about not just the object, but how it will be used. While it's true that you can't control what users do with passwords, I think that a designer who takes the wetware into account will end up with a more secure product. If the analysis shows that the most likely way for the product to fail is through a human factor, it's time to change your notions of how people interact with the product.
Re:A good model (Score:1)
I got annoyed by it eventually, though, and moved to less secure way of just having my "data" filesystems encrypted and mounted/unmounted interactively.
In the end, though, nothing can really substitute for physical security. BIOS cannot be trusted (reset CMOS settings jumper anyone? cutting battery off?), lack of floppy can be trusted to a degree, and non-encrypted filesystems cannot be trusted at all.
So, if you want machine without attendant to boot properly, physical security cannot be overlooked. If you're willing to enter the filesystem decryption password every boot, security from physical things becomes better, but not total (keyboard snooping anyone?).
Just a nitpick (Score:4)
It doesn't matter how close the node is to the root, but how many branches there are in total. Even if all the paths to the UNIX root were hundreds of nodes deep, if they exist at all, the system is vulnerable. The integration of nodes in MS operating systems does add a lot more nodes that connect, at some point, to the root, so the attacker has a lot more options.
Re:moderation (Score:1)
Look at #4, #6, #7, etc.
Hopefully it's been fixed... at least temporarily.
Time to open the (rest of the) source for slash, it's already pretty fast for some things, but it has some weird bugs...
Incidentally, slashdot *does* pump out html at a frighteningly fast rate, that isn't the bottleneck. I don't know what we can do about the image server, though. At least it's somewhat better now.
---
pb Reply or e-mail rather than vaguely moderate [152.7.41.11].
Take out the floppy (Score:2)
Easy compromise... (Score:2)
steal computer
step two:
cut open case
step three:
install hard drive in your computer, and browse away
Actually, I remember reading about IBM security teams. They were about 20% effective in breaking technical security, and were able to just walk out of buildings with computers under their arms 70% of the time....
Useful for a company (Score:4)
However, it doesn't seem very useful to the designer of a security product. Any security product needs to be used properly in order to be effective, hence most of the social engineering routes on the attack tree are irrelevant to the designer of the software (he cannot control what people do with their passphrases). An attack tree of bugs in the program isn't as helpful because a successful attack is always one which is unanticipated.
If you realize there is a danger of buffer overflow you add code to prevent the overflow, hence at release the developers should always think any route on the attack tree is impossible (in theory the code CAN be safe (unlikely in practice), unlike the implementation of the scheme (people can always be blackmailed etc..)). Of course a properly designed modular cryptographic program would probably distrust results from its own subroutines (check against faulty returns from your own procedures just as you do against user input) but the attack tree seems to add nothing to this.
Re:Back Orifice? (Score:2)
In my opinion it was just an author choosing a well known example for his article. By doing this he made the article that much easier to understand by the common reader.
(BTW, the issue of Dobbs in question is rather good. Especially the article about Elliptic Curve Cryptography. It made my brain hurt a little, but that's the breaks.)
A Useful Application of A Profound Tool (Score:2)
The basic "tool of thought" here is that of the decision tree, which is one of the essential tools provided to us by Von Neumann in the establishment of Game Theory.
This "establishment of decision trees" can be extremely useful in organizing processes when there are a whole lot of approaches to choose from, and when you need to pick the most feasible ways of "attacking" problems.
If some good security checklists can fall out of this, that will be a useful thing...
Re:Attack trees? (Score:1)
Re:A good model (Score:4)
Win '98 doesn't really have administrative accounts. Accounts are all wrong. They might have some "Policies and profiles" stuff, but that's pretty flawed too. I routinely get around Windows "security", and even that usually involves continually taking out OS "features", until there isn't anything usable left.
I'd be happy to discuss this with anyone. The effort required to really secure a Win '95/'98 box generally isn't worth it, which is why Microsoft sells NT. (not that that's *so* much better, it has its own problems.)
Simple exploits:
F5 or F8 to bypass or mess with boot sequence. Good to disable this, and put a BIOS password on your computer.
Ctrl-Esc before you're logged in: can still bring up the Task Manager!
Cancel the log in, if it asks you for one. Often still brings up Windows.
Ctrl-Alt-Del. 'nuff said.
On a "locked-down" Windows box, try to get a command prompt or shell window, so as to execute the commands you want to use. Alt-F3, I think, will often still bring up "Find". See if they disabled "Run", "My Computer", etc.
If you can get to a web browser, set--say--the app for telnet to C:\COMMAND.COM.
If you can get Macros running, in Word or Excel, I think SHELL("C:\COMMAND.COM") works in Word Basic, but you can look up the SHELL command in the help.
Originally, you could just shut down Windows '95, and then type in DOS commands--it just dropped you to a prompt, and left you in graphics mode, saying "It is now safe to shutdown your computer"! You could type in, say, "MODE CO80", get back to text mode, and play in DOS from there...
These are just the pretty obvious ones, of course there are more interesting ways to hack Windows, like copying/editing binaries to run other programs, this sometimes gets around that Policies & Profiles crap...
On UNIX:
Login:
Password:
Damn damn damn damn damn!
---
pb Reply or e-mail rather than vaguely moderate [152.7.41.11].
Re:Back Orifice? (Score:2)
But seriously.. the fact remains.. if you want to own a windows box, what are you going to use....
SMS or bo2k? Which is easier to deploy? Which is stealthier? Which is WAY SMALLER?
I'm not knocking bo2k.. but if I did want to violate someone's system.. I'd certainly count BO as one of my main tools!
Also, if you are in a workplace, you probably don't HAVE an expectation of privacy, or at least, you shouldn't. It's not your computer, not your email account, and not your work (this can, of course, be debated endlessly, and I don't fully believe this myself.. )
The article is dealing with analyzing threats to systems. Your boss looking at *his* computer on your desk is hardly a threat... unless you're goofin....