On Wednesday 29 May 2002 04:38 pm, Rauno Linnamäe wrote:
> On Wed, May 29, 2002 at 03:37:50AM -0500, xbud wrote:
> > On Wednesday 29 May 2002 11:16 am, Rauno Linnamäe wrote:
> > > Hello,
> > >
> > > We are running a Debian (potato) box with Samba as PDC for user
> > > authentication and file server for W2k LAN clients. Recently one of our
> > > notebooks was stolen. As I can identify all the users who have ever
> > > logged in via that notebook, and may have their samba password stored
> > > on the machine, I revoked all these passwords.
> > >
> > > Can any of you think of any other steps I should take to minimise the
> > > risk of some black-hat abusing the information stored by W2k against
> > > our server/network?
> >
> > This is no way to think if you're a security geek, but if you want to
> > make yourself feel better the person who stole your notebook is a mere
> > thief and is incapable of using any information other than
> > credit/financial information that can lead again to more theft.
>
> I am quite aware of that. In fact, I was rather thinking about the
> consecutive owner/purchaser of the stolen hardware who might have some
> knowledge about computer security.
>
> > On the other hand, purge the users' logins, make a significant change to
> > the username convention since he/she knows what you currently use and
> > can use this to his/her advantage for later brute force attacks.
>
> The username can also often be guessed from e-mail addresses. Besides, I do
> employ a "strong" password policy, and several IDS-s, thus brute-forcing
> would not be of primary concern.

Brute force attacks can be evasive under circumstances: a patient one may
try one password per day for several months in an automated fashion
(what are the odds, eh?). IDSs? If you have any SSL-enabled webservers
allowing users to check email remotely or log in through, say, 'mindterm'
to an internal machine etc... Will the IDS catch that too?
(you willing to monitor after decryption has occurred at the OS side?)

> > He also knows your internal address space information (ie your internal
> > IP addresses are now 'public'), of course that is a significant network
> > change if you're dealing with several thousand hosts.
>
> All internal addresses are in the 192.168.x.x address space, thus this is
> not highly sensitive information, is it?

This depends on you, evidently you're paranoid or you wouldn't be posting
here :), why give out any information regarding your network when it's
unnecessary? But I agree under these circumstances not highly sensitive.

> > -----------------------
> > Orlando Padilla
> > [EMAIL PROTECTED]
> > "I only drink to make other people interesting"
> > www.g0thead.com/xbud.asc
> > -----------------------
>
> Many thanks,
>
> Rauno
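
Added example, not part of the original message: the one-guess-per-day pattern raised in the reply above stays under a short-window failure threshold but stands out once failures are counted per account and source across distinct days. The event tuples, account names, addresses and thresholds below are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def make_events():
    """Constructed auth events: (time, account, source, ok)."""
    t0 = datetime(2002, 6, 1, 3, 0)
    ev = [(t0 + timedelta(days=d), "alice", "203.0.113.7", False)
          for d in range(60)]                       # one guess per day
    ev += [(t0 + timedelta(seconds=15 * i), "carol", "198.51.100.9", False)
           for i in range(20)]                      # noisy burst
    ev += [(t0 + timedelta(hours=6, minutes=m), "bob", "192.168.1.20", m == 2)
           for m in range(3)]                       # two typos, then success
    return sorted(ev)

def burst_alerts(events, limit=5, window=timedelta(minutes=10)):
    """Short-window threshold: more than `limit` failures inside `window`."""
    recent, flagged = defaultdict(list), set()
    for when, account, _src, ok in events:
        if ok:
            continue
        q = recent[account]
        q.append(when)
        while when - q[0] > window:     # drop failures older than the window
            q.pop(0)
        if len(q) > limit:
            flagged.add(account)
    return flagged

def slow_alerts(events, min_days=14, window=timedelta(days=90)):
    """Long-window view: sources that fail against an account on many
    distinct days and never succeed, however low the daily rate."""
    end = max(e[0] for e in events)
    fail_days, succeeded = defaultdict(set), set()
    for when, account, src, ok in events:
        if end - when > window:
            continue
        if ok:
            succeeded.add((account, src))
        else:
            fail_days[(account, src)].add(when.date())
    return {acct for (acct, src), days in fail_days.items()
            if len(days) >= min_days and (acct, src) not in succeeded}

if __name__ == "__main__":
    events = make_events()
    print("burst threshold flags:", burst_alerts(events))
    print("long-window flags:    ", slow_alerts(events))
```
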