http://directory.fedora.redhat.com/wiki/Security_Problems
I'm building up a list of general, problematic security vulnerabilities that are common across computer networks today. Hopefully we'll be able to explain how to target many of these on the realsecurity website (so I have a bias for problems that can be tackled using the DS/CS/smartcard combo, but we should open it up beyond that too). Would love for other people to jump in and add some (or discuss them in this thread).
Here's what I've jotted down thus far:
Problem: People choose passwords that are easily guessable/crackable
Attack vector: passwords are cracked and the systems compromised

Problem: People post important passwords around their workplaces
Attack vector: anyone gaining physical access to a building can harvest large numbers of passwords AND account names (usernames are usually derived from the person's name, which is also present around their workplace), and use them covertly remotely at a later time

Problem: People forget their passwords and have to get them reset frequently
Attack vector: as the frequency of password resets increases, it is natural for, e.g., help desk personnel to become lax in when and why they will re-issue a password. This increases vulnerability to social engineering. If resetting passwords is a big deal and an unusual event, this is much less likely to occur. But that is only feasible if people don't forget their passwords.

Problem: Computer screens are rarely locked when unattended
Attack vector: By gaining physical access to a computer, not only can a variety of keylogging and other intrusive programs be installed, not only can data be taken, but immediate access to other resources is often granted (from open ssh logins to file shares). This is particularly problematic on modern operating systems featuring a "keychain" which caches passwords for a login. Once the computer is unlocked, access to a variety of remote resources is typically also granted.

Problem: Stored data and sent messages, even highly sensitive ones, are rarely encrypted
Why? It's a PITA to encrypt things, maintain a set of keys/certs between systems, etc.

Problem: It's relatively easy to learn secret information such as passwords through social engineering, and this is typically all that is required to gain access to a computer system

Problem: Computers are not updated and contain many security vulnerabilities
This is often ameliorated by the presence of a firewall, but it does render the inside of the network extremely soft once penetrated
-Seth
Seth Nickell wrote:
> http://directory.fedora.redhat.com/wiki/Security_Problems
> I'm building up a list of general, problematic security vulnerabilities that are common across computer networks today. Hopefully we'll be able to explain how to target many of these on the realsecurity website (so I have a bias for problems that can be tackled using the DS/CS/smartcard combo, but we should open it up beyond that too). Would love for other people to jump in and add some (or discuss them in this thread).
Hi,
How is this relevant to a directory server wiki, which is about a directory server product and how to use it?
Out of the seven things you listed, all are common problems, and only one can be mitigated by FDS features - the first one (password policy).
BTW, what is the realsecurity website, the one that says "coming soon" in big green letters? Why didn't you just post these things there to begin with?
BR,
-- mike
Hey Mike,
The fedora directory server is one piece of the larger identity/security problem the hurricane team inside RH is tackling. Other major pieces include CA bits (http://www.redhat.com/software/rha/certificate/), a number of components for dealing with smart cards, and work on client-side software such as thunderbird and nss. Most of these are open source (and the ones that aren't are at least moving in that direction), but we haven't built any sort of public visibility for the other bits.... yet.
I think one of the problems that becomes painfully obvious when n3wbz start playing with a directory server is that it's really a pretty low-level nitty gritty component, and you have to know what you want to do with it today (which, coincidentally, mostly involves authentication, identity, credentials, etc, not so much the "storing data" part). We want to take many of the things people are finding the directory server useful for, and make those goals really direct and easy to achieve.
That's what we're working toward now with realsecurity.org, which we'll hopefully be throwing up in a week or two. This isn't going to be some big polished thing yet, but hey, at least we're getting the info out there, right? :-)
-Seth (interaction designer, red hat)
On 7/17/06, Mike Jackson mj@sci.fi wrote:
> Seth Nickell wrote:
> > http://directory.fedora.redhat.com/wiki/Security_Problems
> > I'm building up a list of general, problematic security vulnerabilities that are common across computer networks today. Hopefully we'll be able to explain how to target many of these on the realsecurity website (so I have a bias for problems that can be tackled using the DS/CS/smartcard combo, but we should open it up beyond that too). Would love for other people to jump in and add some (or discuss them in this thread).
>
> Hi,
> How is this relevant to a directory server wiki, which is about a directory server product and how to use it?
> Out of the seven things you listed, all are common problems, and only one can be mitigated by FDS features - the first one (password policy).
> BTW, what is the realsecurity website, the one that says "coming soon" in big green letters? Why didn't you just post these things there to begin with?
> BR,
> mike