
Re: the case of a stolen notebook

On Wednesday 29 May 2002 04:38 pm, Rauno Linnamäe wrote:
> On Wed, May 29, 2002 at 03:37:50AM -0500, xbud wrote:
> > On Wednesday 29 May 2002 11:16 am, Rauno Linnamäe wrote:
> > > Hello,
> > >
> > > We are running a Debian (potato) box with Samba as PDC for user
> > > authentication and file server for W2k LAN clients. Recently one of our
> > > notebooks was stolen. As I can identify all the users who have ever
> > > logged in via that notebook, and may have their samba password stored
> > > on the machine, I revoked all these passwords.
> > >
> > > Can any of you think of any other steps I should take to minimise the
> > > risk of some black-hat abusing the information stored by W2k against
> > > our server/network?
> >
> > This is no way to think if you're a security geek, but if you want to
> > make yourself feel better, the person who stole your notebook is a mere
> > thief and is incapable of using any information other than
> > credit/financial information that can lead again to more theft.
> I am quite aware of that. In fact, I was rather thinking about the
> consecutive owner/purchaser of the stolen hardware who might have some
> knowledge about computer security.
> > On the other hand, purge the users' logins and make a significant change to
> > the username convention, since he/she knows what you currently use and
> > can use this to his/her advantage for later brute force attacks.
> The username can also often be guessed from e-mail addresses. Besides, I do
> employ a "strong" password policy, and several IDS-s, thus brute-forcing
> would not be of primary concern.
Brute force attacks can be evasive under circumstances: a patient one may try
one password per day for several months in an automated fashion. (What are
the odds, eh?)
IDSs? If you have any SSL-enabled webservers allowing users to check email
remotely or log in through, say, 'mindterm' to an internal machine etc., will
the IDS catch that too? (Are you willing to monitor after decryption has
occurred on the OS side?)

> > He also knows your internal address space information (i.e. your internal
> > IP addresses are now 'public'); of course that is a significant network
> > change if you're dealing with several thousand hosts.
> All internal addresses are in the 192.168.x.x address space, thus this is
> not highly sensitive information, is it?
This depends on you; evidently you're paranoid or you wouldn't be posting
here :). Why give out any information regarding your network when it's
unnecessary?
But I agree, under these circumstances it is not highly sensitive.

> > -----------------------
> > Orlando Padilla
> > xbud@g0thead.com
> > "I only drink to make other people interesting"
> > www.g0thead.com/xbud.asc
> > -----------------------
> Many thanks,
> Rauno
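The "one password per day for several months" point above is the part of this exchange a defender can act on: a rule that counts failures per burst never fires on a login attempt spaced out over days. The following is an added example, not code from the thread or from Samba; it uses a constructed log line format (`auth-fail user=… src=…`, an assumption, not Samba's real log syntax) and compares a conventional per-day burst rule with a rule that counts the number of distinct days on which the same user/source pair failed.

```python
"""Low-and-slow failed-login detector (added example, not from the thread).

The log format below is constructed for this example; real Samba/syslog
lines would need a different parse_line().
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: 'alice' is probed once per night from one host for a
# week; 'bob' mistypes twice in a row and then logs in.  Assumed format.
SAMPLE_LOG = """\
2002-05-01 02:11:03 pdc auth-fail user=alice src=192.168.3.20
2002-05-02 02:14:41 pdc auth-fail user=alice src=192.168.3.20
2002-05-03 02:09:12 pdc auth-fail user=alice src=192.168.3.20
2002-05-04 02:15:55 pdc auth-fail user=alice src=192.168.3.20
2002-05-05 02:12:30 pdc auth-fail user=alice src=192.168.3.20
2002-05-06 02:10:07 pdc auth-fail user=alice src=192.168.3.20
2002-05-07 02:13:44 pdc auth-fail user=alice src=192.168.3.20
2002-05-03 09:00:01 pdc auth-fail user=bob src=192.168.1.5
2002-05-03 09:00:09 pdc auth-fail user=bob src=192.168.1.5
2002-05-03 09:00:15 pdc auth-ok user=bob src=192.168.1.5
2002-05-03 09:01:00 pdc auth-ok user=alice src=192.168.1.7
"""


def parse_line(line):
    """Return (timestamp, event, user, src), or None if the line does not match
    the assumed format."""
    parts = line.split()
    if len(parts) != 6 or parts[3] not in ("auth-fail", "auth-ok"):
        return None
    ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    fields = dict(p.split("=", 1) for p in parts[4:])
    return ts, parts[3], fields["user"], fields["src"]


def burst_detector(log_text, threshold=5):
    """Conventional rule: at least `threshold` failures for one (user, src)
    within a single calendar day.  Returns sorted list of (user, src)."""
    per_day = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[1] == "auth-fail":
            ts, _, user, src = rec
            per_day[(user, src, ts.date())] += 1
    return sorted({(u, s) for (u, s, _), n in per_day.items() if n >= threshold})


def find_slow_bruteforce(log_text, min_days=5, max_per_day=3):
    """Low-and-slow rule: a (user, src) pair that failed on at least `min_days`
    distinct days while never exceeding `max_per_day` failures on any one day
    (i.e. it stays under a burst threshold on purpose).
    Returns sorted list of (user, src, number_of_days)."""
    failures = defaultdict(lambda: defaultdict(int))  # (user, src) -> day -> count
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, event, user, src = rec
        if event == "auth-fail":
            failures[(user, src)][ts.date()] += 1
    flagged = []
    for (user, src), per_day in failures.items():
        if len(per_day) >= min_days and max(per_day.values()) <= max_per_day:
            flagged.append((user, src, len(per_day)))
    return sorted(flagged)


if __name__ == "__main__":
    print("burst rule:", burst_detector(SAMPLE_LOG))          # []
    print("slow rule :", find_slow_bruteforce(SAMPLE_LOG))    # alice from 192.168.3.20 over 7 days
```

On the sample, the burst rule sees nothing (no day ever reaches five failures) while the distinct-days rule flags the nightly probe of 'alice'. The second point raised above still applies: both rules only work on events the PDC can see, so attempts that arrive through an encrypted remote-access path have to be logged by the host that terminates the encryption, not by a network IDS.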
