Puppy as a security nightmare for organisations
tronkel


Joined: 30 Sep 2005
Posts: 1101
Location: Vienna Austria

Posted: Sat 06 Aug 2011, 11:26    Post subject: Puppy as a security nightmare for organisations
Subject description: Beware of the Cute Pup
 

This forum section deals mostly with the threats to which Puppy Linux users expose themselves. Here is an example where it's Puppy Linux that poses the threat to others.

Can't mention names here. My brother currently works as financial controller for a not insignificant organisation that has a large turnover and also has an advanced and sophisticated IT systems admin. department.

Until fairly recently, having been an MS-only sort, he has now developed an interest in Linux in general and in Puppy Linux in particular. He is also a fan of Ubuntu.

As part of his job, he decided to conduct experiments concerning the security of the financial systems at his company - with the full permission of the boss, naturally.

Using a USB stick with Puppy on it, he was able to access the central financial accounts server in under 3 minutes - completely circumventing all of the normal security authorisation/authentication systems put in place by the IT department.

The boss was amazed. My brother has just received a chunk of a pay-rise for pointing out the security hole. Don't know what will happen to the IT department staff.

My brother is no expert in Linux as yet, although he's progressing very fast. If he can manage to do this with his as yet novice level of expertise, what could a real expert have managed?

If you were the boss, what steps would you take to try to lock down the system more effectively? Make it a dismissible offence to bring USB sticks and live CDs to work? Waste of time IMHO. If this can happen at this company, the mind boggles about other companies/government departments that have even more sensitive information at risk to this sort of exposure.

Need to look at encryption here amongst other things.

_________________
Life is too short to spend it in front of a computer
alienjeff


Joined: 08 Jul 2006
Posts: 2291
Location: Winsted, CT - USA

Posted: Sat 06 Aug 2011, 11:38

I'm curious how he tapped and logged in. What OS(s) do the servers run?
_________________
hangout: ##b0rked on irc.freenode.net
diversion: http://alienjeff.net - visit The Fringe
quote: "The foundation of authority is based upon the consent of the people." - Thomas Hooker

aarf

Joined: 30 Aug 2007
Posts: 3620
Location: around the bend

Posted: Sat 06 Aug 2011, 12:06

Well, tell the boss that if he offered a substantial sum we could tell him. Have lots of experience with not getting Puppy to boot on Windows internet cafe computers.
_________________

ASUS EeePC Flare series 1025C 4x Intel Atom N2800 @ 1.86GHz RAM 2063MB 800x600p ATA 320G
_-¤-_

<º))))><.¸¸.•´¯`•.#.•´¯`•.¸¸. ><((((º>
tronkel


Joined: 30 Sep 2005
Posts: 1101
Location: Vienna Austria

Posted: Sat 06 Aug 2011, 12:54

@alienjeff

I have only gotten hold of this information second-hand, so I don't know the real details. By the sound of it, it's probably an MS-based server(s).

@aarf

OK that's one way of looking at it. Maybe Puppy should indeed offer security consultancy as a service. Cash might come in handy!

If I were in their (the company's) shoes I would be thinking that there is no safe way of keeping out intruders as such. What about Android smartphones? They must represent a substantial security risk as well. Difficult to ban from the workplace though.

The IT department needs to look at designing a feasible encryption system that doesn't unduly interfere with day-to-day operations. A tall order, but necessary.

You have to assume that any stored data is accessible given that enough trouble is taken in order to access it. There is no such thing as "safe" nowadays in this regard. I reckon that encrypting the data itself though, is a reasonable enough approach to take. If the data does get accessed by some means or other, at least it can't be read.

This mad example with Puppy Linux is only the tip of a massive security nightmare iceberg. There's more than one way to skin a cat as well.

_________________
Life is too short to spend it in front of a computer
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 10937
Location: Arizona USA

Posted: Sat 06 Aug 2011, 16:12

The biggest mistake the IT department made is allowing any of their network-connected computers to boot from USB or CD. What a bunch of maroons. Laughing

My brother discovered that a Puppy CD would boot in his work computer. Knowing that the policy of large organizations is to kill anyone who points out such lapses rather than fix the problem, he decided to keep that information to himself.
alienjeff


Joined: 08 Jul 2006
Posts: 2291
Location: Winsted, CT - USA

Posted: Sat 06 Aug 2011, 16:54

Flash wrote:
The biggest mistake the IT department made is allowing any of their network-connected computers to boot from USB or CD. What a bunch of maroons.


Can anyone say "custom BIOS"?

_________________
hangout: ##b0rked on irc.freenode.net
diversion: http://alienjeff.net - visit The Fringe
quote: "The foundation of authority is based upon the consent of the people." - Thomas Hooker

CLAM01

Joined: 22 May 2010
Posts: 78

Posted: Sat 06 Aug 2011, 18:55

The noted potential of puppies to be used to intrude is a product of puppies being able to identify and mount partitions they recognize on hard disks they are installed to. This ability is not peculiar to puppies; it is common among knoppix-based 'live-cd' linuxes and mini and micro 'rescue disk' linuxes.

Puppies are excellent for rescue. They are able to rescue folders and files sunk with the wreckage where a Microsoft installation has gone down, or gone into a pet (the other kind of pet, where the OS holds its breath until its screen turns blue and then black), refusing to do anything.

The ability to rescue data is the capability that makes puppies, and other rescue-capable systems, able to 'break and enter' computer systems and 'mine' data from them. When a puppy is used to do this, or to rescue, on a standard linux installation, because puppies run as 'root', a trail of permissions changed from 'username' to 'root' is left showing everywhere a folder or file was opened, except in the root account and in '/' itself, where permissions are not changed.

The normal defense against 'rescue-system' intrusions is to make data read-only and to hide partitions to make them not enterable and not visible. There are several partition types that puppies, and other than system-specific rescue systems, don't recognize and so don't see. MS has its own ones of these, as do several other system providers and securers. Partitioning software, including gparted, usually lists at least most of the different partition types, though I don't know how many it can format to.
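Added example, not part of any post in this thread: the posts above describe a live-booted system mounting whatever partitions it recognises, and propose encryption as the countermeasure. This Python check walks constructed `lsblk --json` output and lists filesystems that are not behind a dm-crypt/LUKS layer; the device names and mount points are invented, and treating LUKS as the only form of encryption is an assumption of the example.

```python
import json

# Constructed sample, shaped like `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT`.
SAMPLE = json.loads("""
{"blockdevices": [
  {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
    {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null,
     "children": [
       {"name": "cryptroot", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}]}]},
  {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sdb1", "type": "part", "fstype": "ntfs", "mountpoint": "/srv/accounts"}]}
]}
""")

# Signatures that mark a container rather than a mountable filesystem.
CONTAINERS = {"crypto_LUKS", "LVM2_member", "linux_raid_member"}


def exposed_filesystems(tree):
    """Return (name, fstype, mountpoint) for filesystems with no dm-crypt layer above them."""
    found = []

    def walk(node, encrypted):
        fstype = node.get("fstype")
        # Everything below a LUKS container or a 'crypt' mapping needs the key to read.
        encrypted = encrypted or fstype == "crypto_LUKS" or node.get("type") == "crypt"
        if fstype and fstype not in CONTAINERS and not encrypted:
            found.append((node["name"], fstype, node.get("mountpoint")))
        for child in node.get("children", []):
            walk(child, encrypted)

    for device in tree["blockdevices"]:
        walk(device, False)
    return found


if __name__ == "__main__":
    for name, fstype, mountpoint in exposed_filesystems(SAMPLE):
        print(f"{name}: {fstype} at {mountpoint} is readable from any OS "
              "booted off removable media")
```

On a real host, pass it the parsed output of `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT`; an unencrypted EFI system partition is expected, a data volume is not.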
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 10937
Location: Arizona USA

Posted: Sat 06 Aug 2011, 21:09

alienjeff wrote:
...Can anyone say "custom BIOS"?

A custom BIOS is not required. Every computer BIOS I've rummaged around in that was made in at least the last 5 years offers the option to password protect the BIOS. Depending on the physical location of the computer, a password is not guaranteed proof against reconfiguring the BIOS to allow booting from CD or USB - but it's an obvious first line of defense, provided by the manufacturer for the purpose. IT management don't want to require a password to get into the BIOS of every computer connected to the company's network because of the difficulty of keeping track of the passwords and making sure they're available to authorized people when they need them. Still, booting only from a network server is the best way to deal with the threat represented by operating systems like Puppy invading your network. This means locking out any other boot option in the BIOS, and then not allowing access to the BIOS. To obviate the possibility of hidden partitions, remove all hard disk drives and add some RAM. RAM is far more reliable than any hard disk drive anyway, so the IT department may wind up doing less work. Smile
Bruce B


Joined: 18 May 2005
Posts: 11080
Location: The Peoples Republic of California

Posted: Sat 06 Aug 2011, 22:11

I was an IT manager's nightmare. Not really, because I didn't do anything wrong, except word has it that I had software on my computers I wasn't supposed to have.

Knock yourself out, go ahead and prove your theory and the rumors, find the software.

Once in a while IT thinks it has to know your passwords. I give over the password passme.

What about this domain and that domain? The same passme.

Then the frowns. Well, if it is such a weak password, then why did you have to ask?

Then after the password is out of the bag, change them all.

Next day IT says the password I gave was wrong. Dude, it's a new day. Security minded people change the passwords frequently.

What is it today? mepass

~

_________________
New! Puppy Linux Links Page
Dave_G


Joined: 21 Jul 2011
Posts: 459

Posted: Sun 07 Aug 2011, 04:15

The question is how much about security does the average I.T staff/manager really know?
I would even go as far as saying that 90% of them can't even spell Linux.

That is why there are network security experts, which unfortunately are very often overlooked
by organizations in these financially challenging times.
Yet these companies are the first to cry foul when their network/system is compromised.

If you try and do the right thing and point out these weaknesses to them,
you will more often than not be brushed off and viewed as the baddie.
(After all when using a windows PC this kind of access is not possible so
you must be the hacker, how dare you use another O.S.)

I have no time or sympathy for these organizations that are very quick to try and get
and hang on to data about their customers (potentially you and I) but haven't the foggiest idea on how to keep it safe.

My two cents worth.
Dave.
CLAM01

Joined: 22 May 2010
Posts: 78

Posted: Sun 14 Aug 2011, 19:38

A correction to my previous post in this thread: Puppies do not leave trails of changed permissions on normal linux systems, as I said, they change permissions to 'root' only when they save, normally when a change has been made and is saved (by the user normally).
postfs1


Joined: 27 Mar 2010
Posts: 831

Posted: Tue 16 Aug 2011, 16:57

tronkel wrote:
Puppy as a security nightmare for organisations


License for Puppy Linux is not from Microsoft.

_________________
  • I don't know why laboratories are named a hospitals.
  • The alive personage is like a tea bag with granules of unknown density inside, at that one the packet was made of organic material and was placed in the evaporated liquid or liquid.
