
Thread: Resetting a Forgotten Password - I Have a Problem with This

  1. #21
    Join Date
    Nov 2012
    Beans
    27

    Re: Resetting a Forgotten Password - I Have a Problem with This

    Quote Originally Posted by CharlesA View Post
    As Cheesemill already covered, it is trivial to reset the BIOS to get around a boot password or bios password. Some systems don't let you do that, but most of the time I have only seen that type of security in business class laptops.



    Sure, encryption is one method, but what happens if someone decides to attack your machine while it is powered on and the encryption key is in memory?



    Are we talking home users or business users here? The place I work at is still running Pentium 4 machines with their epic DDR memory, but new technology is not really budgeted in. Other companies might be different, but from my experience if a piece of hardware works fine, there is no reason to replace it with something newer/more advanced.



    Again, home user vs business user? Storing your boot loader on a removable media sounds like a good idea, but what if you misplace the disk or thumb drive? What about booting to a livecd and installing GRUB to the main drive?



    Home or business user again? I doubt a home user would be using a smartcard. They might have a fingerprint reader on a laptop or another device, but how well does it work with Linux?



    I'll assume you are talking about business users, judging from tip #3, #4, #5 and #6. Are you talking about workstation or server logs? I have never seen logs stored offsite. Backups (which probably contain logs) yes, but not logs by themselves. If you have everyone running as a standard user, use AppArmor or SELinux and limit what those standard users have access to, you should be fine.

    I can only speak for myself, but when the place I work at hired a consultant, they made them a "normal" user with access to the tools they needed. I don't really see a reason to use the guest account unless the person is actually a guest (which is highly unlikely unless you have open wifi or something).
    1) A lot of newer consumer-level motherboards are actually made using the same materials and in the same factory as server/enterprise-level hardware. While they will differ in obvious areas, a lot of new consumer-level hardware is taken directly from stable enterprise-level design (Dual-BIOS chips, TPM, stronger security against trivial attacks like removing the battery or using a jumper/button to clear system settings). However, I am willing to concede and agree that this would indeed work in most normal conditions across several real-world situations. However, I can't stress enough (as I did in a previous post) that this is merely 1 of 6 steps. Individually they have obvious strengths/weaknesses, but together they can help make up for the others' shortcomings to provide better overall physical security. If you really want to take each suggestion and only base them on their own merit and not within a layered implementation then I believe that is a slightly biased and flawed way of thinking. Anything in terms of security can be compromised on some level or in some time, and that is why defense-in-depth is the overall goal, not individual "solutions". Think of this step as the first line of defense, meant to stop clueless attackers (which is what most employees or friends/family will be, IMHO).

    2) In suggestion six I specifically warned about leaving the machine powered on. Don't get me wrong, it is a viable concern, but one a user/enterprise could easily correct with proper usage policies in place. Also, what stops the end-user/enterprise from encrypting the whole disk and partitioning another part of the disk to store sensitive information that is also encrypted? Then the user/employee/whoever could simply decrypt/mount the partition when they need access to the data and encrypt/unmount the partition when they are finished. If you really wanted to argue just for the sake of argument, then nothing on this planet is truly secure and you could go down an infinite rabbit hole that is a never ending echo of what if's, theoretical possibilities, etc. These are steps to increase physical security, not make you completely immune to all forms of attack. With anything, user habit and policy is the most important factor when paired with reasonably strong encryption.

    3) I understand that a lot of offices across the globe use outdated hardware. However, how often do you expect someone to be able to perform a Cold Boot Attack in the required time frame? It isn't overly complex, and can certainly be done with commonly found (cheap or free) items/software, but it isn't something to really get worked up over. Offices with confidential data should already be utilizing strong physical security policies (security, CCTV, locked computer chests, etc) and was simply outside the scope of these suggestions and not directly related to the discussion, this is a huge reason why I didn't go into details regarding counter-measures, as most are unrelated. Also, I don't see a home user having to worry about this type of attack. Sure, it might be possible they would encounter a CBA, but it is also possible they could win the lottery twice - doesn't mean it will actually happen in their lifetime (and home users are more likely to be using newer hardware also).

    4) Why would it matter if an attacker installed a boot loader on an encrypted drive? If you used this suggestion then you would not be booting from it, it would give you one heck of an obvious clue that someone was tampering with your system, would not give them access to the encrypted contents of the drive, etc. If anything, all it would do is give them away since you wouldn't even be booting from their malicious new boot loader to begin with. Also, not losing removable media is not all that hard. If you managed to lose it, then that is simply the price of security and why recent/secure backups are very important.

    5) I don't specifically target enterprise or home users with my advice. You would be surprised how many home users do use smart cards and fingerprint scanners. Both are not very difficult to set up, are fairly inexpensive these days and offer increased security. For example, the FS88 fingerprint scanner can be bought for under $100 USD in a lot of locations. There are also a lot of decent smart card readers out there for under $100 USD also. To answer your other question, it isn't too difficult to set up the fingerprint scanners that come with laptops. Some might require you to use documented API to create the required modules/software to utilize the devices, but projects like fprint can help make such things possible for end-users with no programming experience. Heck, even in cases where you need to use the documented API, they almost always include an example that only needs slight modifications to meet most home user requirements.

    6) That is what I was driving at. I meant to say that you shouldn't be using the guest account and instead use a standard user account that is heavily restricted to only the software/access they need to perform a specific role/task. My fault, though. I didn't really convey that point correctly. Also, I have seen many people/organizations store off-site logs. It can be really nice to have an off-site logserv. It makes centralizing live log analysis easier in addition to hindering an attacker's ability to hide nefarious actions by simply removing the log entries. Running as a standard user with SELinux, etc. was (I thought) implied by: "I meant to say that you shouldn't be using the guest account and instead use a standard user account that is heavily restricted to only the software/access they need to perform a specific role/task", so I do agree with that overall sentiment.

    Again, please take all of my suggestions as a whole and not individually. When they are all added together and properly implemented, do you really argue the overall physical security of your machine would not be improved?

  2. #22
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Resetting a Forgotten Password - I Have a Problem with This

    Improved, yes, but you'll run into the whole convenience vs security thing again.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  3. #23
    Join Date
    Nov 2012
    Beans
    27

    Re: Resetting a Forgotten Password - I Have a Problem with This

    Quote Originally Posted by CharlesA View Post
    Improved, yes, but you'll run into the whole convenience vs security thing again.
    That is not really the point, though. The point is simply having physical access to the machine does not guarantee you will have full access to it, at least not trivially like you suggested in the first post I responded to. If you want to say "in most cases physical access == full access" then I can agree with that. However, you make it sound like in all cases an attacker is guaranteed to compromise the machine if they have physical access to it, and that is simply misinformation, because a user can fortify themselves against such an attack and likely have a high chance to succeed in preventing access to their data.

  4. #24
    Join Date
    Feb 2010
    Location
    Winchester
    Beans
    8,047
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Resetting a Forgotten Password - I Have a Problem with This

    With a default installation, which most users have, physical access does mean full access. While encryption may slow access to data, a well versed cracker with a powerful system and the right software can crack the encryption key.
    Cheers & Beers,
    uRock™

    Ubuntu 14.04 is the Ubuntu I've always wanted!

  5. #25
    Join Date
    Apr 2011
    Location
    Mystletainn Kick!
    Beans
    4,148
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Resetting a Forgotten Password - I Have a Problem with This

    Quote Originally Posted by KaosuX View Post
    That is not really the point, though. The point is simply having physical access to the machine does not guarantee you will have full access to it, at least not trivially like you suggested in the first post I responded to. If you want to say "in most cases physical access == full access" then I can agree with that. However, you make it sound like in all cases an attacker is guaranteed to compromise the machine if they have physical access to it, and that is simply misinformation, because a user can fortify themselves against such an attack and likely have a high chance to succeed in preventing access to their data.
    Physical access might not be a guarantee to root access, it does break a major barrier.
    Splat Double Splat Triple Splat
    Earn Your Keep
    Don't mind me, I'm only passing through.
    Once in a blue moon, I'm actually helpful

  6. #26
    Join Date
    Nov 2012
    Beans
    27

    Re: Resetting a Forgotten Password - I Have a Problem with This

    Quote Originally Posted by uRock View Post
    With a default installation, which most users have, physical access does mean full access. While encryption may slow access to data, a well versed cracker with a powerful system and the right software can crack the encryption key.
    We're not talking about a default installation, though. I was talking about ways people can fortify themselves against physical attacks. That would be like me making recommendations for securing a workstation with Internet access and you arguing that an unpatched machine is vulnerable. I have said time and time again that nothing is guaranteed in the realm of information security and that people are correct to assume that physical access will result in a full compromise in most cases, but not all cases. It is almost like people are arguing against ways to harden their physical security because it has been so ingrained into them for so long that it is impossible to protect yourself against a physical breach. This isn't 2003, people now have easy access to things like full-disk encryption using AES, newer motherboards that provide better security against physical attacks that were once exclusive to enterprise customers, affordable and powerful fingerprint scanners / smart card readers and built-in support for them within the consumer-level OS (Windows) and free Unix-like OSes, affordable locked cabinets, cases that now support various types of lock mechanisms at affordable rates, etc. Notice the trend? Technology that the Government/Enterprise used to enhance physical security is now available to any interested consumer without having to invest a small fortune into it.

    Times change, security changes, but you guys seem like you're stuck in the past when it comes to physical security. Sure, a common default installation will be vulnerable to physical attacks - period. However, so is a machine on the Internet that is not properly maintained. Implementing most of my suggestions is as easy (or easier) than basic OS security (patching, updating, hardening, firewall configurations). None of them are going to make you immune to physical attacks, but make it such a hassle that it is unlikely they would have the skill, time, desire or prolonged access to circumvent them without you noticing.

    Also, a powerful system with the "right software" is not going to magically bypass AES. Sure, if the user chooses a crappy password or leaves their token out in the open to be copied/stolen then it would be rather easy to defeat it. Heck, even if they boot from an unencrypted partition stored within the same system it would be easy to defeat. However, I already stated that user habit and enterprise policy are the major factors to consider when paired with reasonably strong encryption. It isn't like someone with a powerful computer and "the right software" will just magically get access to your AES protected data if you use a strong passphrase. If this were the case, then it would not be the industry standard and AES256 would not be certified for top secret files by the NSA. Sure, some AES implementations are poor and can be attacked, that is why it is important to use a well tested and vetted implementation.

    Quote Originally Posted by deadflowr View Post
    Physical access might not be a guarantee to root access, it does break a major barrier.
    Again, this depends on many variables. It might break a major barrier in some cases, but breaking one barrier just to access another strong barrier is not much of a gain. I agree, it does give the attacker an edge, but that is based on the attacker's overall skill. If we were talking about the NSA wanting access then maybe AES wouldn't be up to the task (not that anything shows it wouldn't be), but in almost all cases if you opted-in for all 6 suggestions, implemented them correctly and followed a good policy/had good user habits, then you wouldn't likely have to worry about anyone circumventing them unless you left them alone with the machine for a very long time, and even then they still might fail.

    I just want people to step out of the dark ages and realize you now have real options to greatly enhance physical security. Choosing to have a default installation and then claiming that physical security is pointless would be akin to never updating your OS, using incorrect permissions/restrictions, running a bunch of Internet-facing services without a firewall or any sort of maintenance and claiming all forms of Internet-related security suck or are pointless.

    There is no magic pill for being secure. You need strong and sane layers of security to achieve anything of value, so why simply ignore physical security and just automatically assume it would be compromised no matter what? That is just the kind of thinking that never really progresses.
    Last edited by KaosuX; April 6th, 2013 at 04:48 AM.

  7. #27
    Join Date
    Feb 2010
    Location
    Winchester
    Beans
    8,047
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Resetting a Forgotten Password - I Have a Problem with This

    Your definition of a small fortune and mine is completely different. Nobody I know uses full disk encryption, a locked case, biometrics, nor any of the other hardware features you speak of. End users just don't bother with that for their home systems. With the use of power tools, I could cut through a hardened lockable case within a matter of minutes. AES may be hard to crack, but again, studies show that most people use the same password for everything. You missed where I said "a well versed cracker". A well versed cracker knows how the different softwares work to create the encryption algorithm. I am looking at this from a forensics angle. It is what I study. In a case where I am planning to crack someone's system for forensic evidence, I am going to look at everything possible to find what I need to know about the subject user. I will know his common interests, his favorite teams and players. I will most likely find everything I need to set up a usable dictionary attack against the suspect system, then I am going to use every system at my disposal to crack their encryption.

    Most people I know of do not have 6 figure incomes to afford to buy a new PC every year to keep up with technology, nor do they have the money for much more than the cheapest of AV softwares. Half of them are still running Windows XP systems. One of them brought me her laptop because she forgot her admin password she had set years ago. In less than 5 minutes, I burnt a disk, booted her system from it, and cleared her passwords from all of her accounts on it. Android phones offer the capability to encrypt your info. Out of everyone I have asked, I am the only person I know who has taken advantage of that capability. Most people I know of do not lock their smart phone. I recognize the latest and greatest technologies and I accept the fact that most people do not care enough to use them.

    Needless to say, we have hijacked this thread. What we are talking about has nothing to do with the simple question the OP asked.
    Cheers & Beers,
    uRock™

    Ubuntu 14.04 is the Ubuntu I've always wanted!

  8. #28
    Join Date
    Nov 2012
    Beans
    27

    Re: Resetting a Forgotten Password - I Have a Problem with This

    Quote Originally Posted by uRock View Post
    Your definition of a small fortune and mine is completely different. Nobody I know uses full disk encryption, a locked case, biometrics, nor any of the other hardware features you speak of. End users just don't bother with that for their home systems. With the use of power tools, I could cut through a hardened lockable case within a matter of minutes. AES may be hard to crack, but again, studies show that most people use the same password for everything. You missed where I said "a well versed cracker". A well versed cracker knows how the different softwares work to create the encryption algorithm. I am looking at this from a forensics angle. It is what I study. In a case where I am planning to crack someone's system for forensic evidence, I am going to look at everything possible to find what I need to know about the subject user. I will know his common interests, his favorite teams and players. I will most likely find everything I need to set up a usable dictionary attack against the suspect system, then I am going to use every system at my disposal to crack their encryption.

    Most people I know of do not have 6 figure incomes to afford to buy a new PC every year to keep up with technology, nor do they have the money for much more than the cheapest of AV softwares. Half of them are still running Windows XP systems. One of them brought me her laptop because she forgot her admin password she had set years ago. In less than 5 minutes, I burnt a disk, booted her system from it, and cleared her passwords from all of her accounts on it. Android phones offer the capability to encrypt your info. Out of everyone I have asked, I am the only person I know who has taken advantage of that capability. Most people I know of do not lock their smart phone. I recognize the latest and greatest technologies and I accept the fact that most people do not care enough to use them.

    Needless to say, we have hijacked this thread. What we are talking about has nothing to do with the simple question the OP asked.
    I agree that this thread has been hijacked. I will leave this conversation with just a few key points made:

    A) Please note the following bolded text below;
    Again, this depends on many variables. It might break a major barrier in some cases, but breaking one barrier just to access another strong barrier is not much of a gain. I agree, it does give the attacker an edge, but that is based on the attacker's overall skill. If we were talking about the NSA wanting access then maybe AES wouldn't be up to the task (not that anything shows it wouldn't be), but in almost all cases if you opted-in for all 6 suggestions, implemented them correctly and followed a good policy/had good user habits, then you wouldn't likely have to worry about anyone circumventing them unless you left them alone with the machine for a very long time, and even then they still might fail.


    B) The situations you described are not people who are fortifying themselves, not following good user habits or even basic security guidelines. So, they are not really that important to the debate regarding it being accessible and possible to harden a machine against a physical attack. These people you speak of are literally in the dark ages when it comes to security. As I said before, just because most people choose not to defend themselves against these types of attacks does not mean it isn't practical or possible.

    C) Sure, you might do some information gathering on your target, but the type of attack(s) you described are rather basic and highly ineffective. The FBI tried to use an inefficient/outdated attack model like this against a Brazilian banker using TrueCrypt, and after around a year or two of non-stop attempts they failed miserably. Trying to use a simple dictionary attack, even if it is a targeted list, would only work against individuals that do not follow even the most basic security guidelines, choosing strong passphrases is security 101. Sure, a lot of users use the same password for everything, use weak passwords, etc. However, we're talking about security oriented individuals. I don't think the target audience you speak of would even frequent a security discussion forum. Also, in the described situation, this "well versed cracker" or "forensic examiner" relying on dictionary attacks, attacking weak implementations using (semi)automated software, etc. would not succeed against the six suggested steps if the end-user followed them all, implemented them all correctly and had good policies/user habits (as described in the quote above).

    D) I suppose our definition of small fortune could be different. However, I think most people would agree that a $80-$200 (basic biometrics that are at the very least FBI certified. the FS88 was only $89.00 or so) investment would not be too much of a hit if they really valued security.
    Don't be so over dramatic either, you don't need a six-figure income to afford a new computer every year. Heck, that was not even what I was saying. My point was, if someone wanted to build a new machine with physical security in mind they could do so. Most people that build for "gaming" usually end up with similar hardware. The price tag on the items are not the cheapest, but are very accessible to even home consumers.

    E) Yeah, you could cut through the case. You just better hope the machine was not powered down before you started working on it, because you would likely lose your chance of a CBA in that time. Also, if the machine was powered on, and you had enough physical access to use power tools, then I would not consider this to be someone using a good policy or good user habits, because they clearly left the machine on and unattended for longer than they should have.

    Like I said before, too many people still believe good physical security is a myth, but all it really takes is just a little time, money and effort.

    Anyway, I have made all of the points about this topic that I need to. I will simply not respond anymore and just respectfully agree to disagree with the general consensus.

    Thanks for the discussion.
    Last edited by KaosuX; April 6th, 2013 at 07:31 AM.

  9. #29
    Join Date
    Feb 2006
    Beans
    457

    Re: Resetting a Forgotten Password - I Have a Problem with This

    KaosuX +1, a good posting.

  10. #30
    Join Date
    Feb 2010
    Location
    Winchester
    Beans
    8,047
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Resetting a Forgotten Password - I Have a Problem with This

    Quote Originally Posted by KaosuX View Post
    Like I said before, too many people still believe good physical security is a myth, but all it really takes is just a little time, money and effort.
    Nobody said it was a myth. Most people would rather spend their time, hard earned money, and efforts on things they enjoy, not hardening the system they use for Facebook, Youtube and iTunes. Most of those folks don't even bother with backups. I can't imagine a true gamer wasting processes on encryption, when most of the ones I know turn off anti-virus and any other services they can in order to speed up their system.
    Cheers & Beers,
    uRock™

    Ubuntu 14.04 is the Ubuntu I've always wanted!
