Puppy as a security nightmare for organisations


#1 Post by tronkel »

This forum section deals mostly with the threats to which Puppy Linux users expose themselves. Here is an example where it's Puppy Linux that poses the threat to others.

Can't mention names here. My brother currently works as financial controller for a not insignificant organisation that has a large turnover and also has an advanced and sophisticated IT systems admin department.

Having been an MS-only sort until fairly recently, he has now developed an interest in Linux in general and in Puppy Linux in particular. He is also a fan of Ubuntu.

As part of his job, he decided to conduct experiments concerning the security of the financial systems at his company - with the full permission of the boss, naturally.

Using a USB stick with Puppy on it, he was able to access the central financial accounts server in under 3 minutes - completely circumventing all of the normal security authorisation/authentication systems put in place by the IT department.

The boss was amazed. My brother has just received a chunk of a pay-rise for pointing out the security hole. Don't know what will happen to the IT department staff.

My brother is no expert in Linux as yet, although he's progressing very fast. If he can manage to do this with his as yet novice level of expertise, what could a real expert have managed?

If you were the boss, what steps would you take to try to lock down the system more effectively? Make it a dismissible offence to bring USB sticks and live CDs to work? Waste of time IMHO. If this can happen at this company, the mind boggles about other companies/government departments that have even more sensitive information at risk to this sort of exposure.

Need to look at encryption here amongst other things.

#2 Post by alienjeff »

I'm curious how he tapped and logged in. What OS(s) do the servers run?


#3 Post by aarf »

Well, tell the boss that if he offered a substantial sum we could tell him. I have lots of experience with not getting Puppy to boot on Windows internet cafe computers.

#4 Post by tronkel »

@alienjeff

I have only gotten hold of this information second-hand, so I don't know the real details. By the sound of it, it's probably an MS-based server (or servers).

@aarf

OK that's one way of looking at it. Maybe Puppy should indeed offer security consultancy as a service. Cash might come in handy!

If I were in their (the company's) shoes I would be thinking that there is no safe way of keeping out intruders as such. What about Android smartphones? They must represent a substantial security risk as well. Difficult to ban from the workplace though.

The IT department needs to look at designing a feasible encryption system that doesn't unduly interfere with day-to-day operations. A tall order, but necessary.

You have to assume that any stored data is accessible given that enough trouble is taken in order to access it. There is no such thing as "safe" nowadays in this regard. I reckon that encrypting the data itself though, is a reasonable enough approach to take. If the data does get accessed by some means or other, at least it can't be read.

This mad example with Puppy Linux is only the tip of a massive security nightmare iceberg. There's more than one way to skin a cat as well.

#5 Post by Flash »

The biggest mistake the IT department made is allowing any of their network-connected computers to boot from USB or CD. What a bunch of maroons. :lol:

My brother discovered that a Puppy CD would boot in his work computer. Knowing that the policy of large organizations is to kill anyone who points out such lapses rather than fix the problem, he decided to keep that information to himself.

#6 Post by alienjeff »

Flash wrote: The biggest mistake the IT department made is allowing any of their network-connected computers to boot from USB or CD. What a bunch of maroons.
Can anyone say "custom BIOS"?

#7 Post by CLAM01 »

The noted potential of puppies to be used to intrude is a product of puppies being able to identify and mount partitions they recognize on hard disks they are installed to. This ability is not peculiar to puppies; it is common among Knoppix-based 'live CD' Linuxes and mini and micro 'rescue disk' Linuxes.

Puppies are excellent for rescue. They are able to rescue folders and files sunk with the wreckage where a Microsoft installation has gone down, or gone into a pet (the other kind of pet, where the OS holds its breath until its screen turns blue and then black), refusing to do anything.

The ability to rescue data is the capability that makes puppies, and other rescue-capable systems, able to 'break and enter' computer systems and 'mine' data from them. When a puppy is used to do this, or to rescue, on a standard Linux installation, because puppies run as 'root', a trail of permissions changed from 'username' to 'root' is left showing everywhere a folder or file has been opened, except in the root account and in '/' itself, where permissions are not changed.

The normal defense against 'rescue-system' intrusions is to make data read-only and to hide partitions to make them not enterable and not visible. There are several partition types that puppies, and other than system-specific rescue systems, don't recognize and so don't see. MS has its own ones of these, as do several other system providers and securers. Partitioning software, including gparted, usually lists at least most of the different partition types, though I don't know how many it can format to.

#8 Post by Flash »

alienjeff wrote: ...Can anyone say "custom BIOS"?
A custom BIOS is not required. Every computer BIOS I've rummaged around in that was made in at least the last 5 years offers the option to password protect the BIOS. Depending on the physical location of the computer, a password is not guaranteed proof against reconfiguring the BIOS to allow booting from CD or USB - but it's an obvious first line of defense, provided by the manufacturer for the purpose. IT management don't want to require a password to get into the BIOS of every computer connected to the company's network because of the difficulty of keeping track of the passwords and making sure they're available to authorized people when they need them. Still, booting only from a network server is the best way to deal with the threat represented by operating systems like Puppy invading your network. This means locking out any other boot option in the BIOS, and then not allowing access to the BIOS. To obviate the possibility of hidden partitions, remove all hard disk drives and add some RAM. RAM is far more reliable than any hard disk drive anyway, so the IT department may wind up doing less work. :)
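The two defences argued for in this thread, encrypting the data itself (post #4) and locking the machine so it boots only what the firmware is told to (post #8), can both be checked from inside a running Linux host. The script below is an added example written for this page; it is not code from the thread, from Puppy, or from any of the posters. It walks the JSON that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` prints and reports every mounted filesystem or swap area with no dm-crypt (LUKS) device above it in the block-device tree, which is precisely what a live USB or CD can mount and read; it also decodes the UEFI `SecureBoot` variable from efivarfs (4 bytes of attributes, then one data byte). The `SAMPLE_LSBLK` tree is constructed for the demonstration, and the mount-point allow-list is an assumption of this example. Two caveats a practitioner should keep in mind: Secure Boot only refuses unsigned media, so a signed mainstream distribution on a USB stick still boots if the boot order allows it, which is why it supplements and does not replace the setup password and boot-order lock from post #8; and `/boot` has to stay unencrypted for the machine to start, so it is reported as tamperable rather than readable.

```python
"""Audit a Linux host for the two exposures discussed in this thread:
unencrypted data a live USB/CD system could simply mount, and firmware
that will boot unsigned media. Added example; not Puppy project code."""
import json
import subprocess
from typing import List, Optional, Tuple

# UEFI exposes Secure Boot state as a 5-byte variable: 4 bytes of
# attribute flags followed by one data byte (1 = enforcing).
SECUREBOOT_VAR = "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Mount points that must stay unencrypted for the machine to boot at all
# (assumed list for this example). A live system can still *tamper* with
# these, so they are reported separately rather than ignored.
BOOT_MOUNTS = {"/boot", "/boot/efi", "/efi"}


def unencrypted_mounts(lsblk_json: str) -> List[Tuple[str, str]]:
    """Return (device, mountpoint) for every mounted filesystem or swap area
    that has no dm-crypt ('crypt') device anywhere above it in the block
    device tree, as printed by `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`."""
    findings: List[Tuple[str, str]] = []

    def walk(node: dict, under_crypt: bool) -> None:
        under_crypt = under_crypt or node.get("type") == "crypt"
        mountpoint = node.get("mountpoint")  # lsblk prints "[SWAP]" for swap
        if mountpoint and not under_crypt:
            findings.append((node["name"], mountpoint))
        for child in node.get("children", []):
            walk(child, under_crypt)

    for device in json.loads(lsblk_json)["blockdevices"]:
        walk(device, False)
    return findings


def parse_secure_boot_var(raw: bytes) -> Optional[bool]:
    """Decode the SecureBoot efivar contents; None if the blob is malformed."""
    if len(raw) < 5:
        return None
    return raw[4] == 1


def secure_boot_enabled(var_path: str = SECUREBOOT_VAR) -> Optional[bool]:
    """True/False on UEFI hosts; None on legacy BIOS or when efivarfs is absent."""
    try:
        with open(var_path, "rb") as fh:
            return parse_secure_boot_var(fh.read())
    except OSError:
        return None


def audit(lsblk_json: str, secure_boot: Optional[bool]) -> List[str]:
    """Turn the raw checks into findings a practitioner can act on."""
    report = []
    if secure_boot is None:
        report.append("firmware: Secure Boot state unknown (legacy BIOS?) - "
                      "rely on a setup password plus boot-order lock")
    elif not secure_boot:
        report.append("firmware: Secure Boot disabled - any live medium will "
                      "boot if the boot order allows it")
    for dev, mp in unencrypted_mounts(lsblk_json):
        if mp in BOOT_MOUNTS:
            report.append(f"{dev} at {mp}: unencrypted boot partition "
                          "(tamperable by a live system, holds no data)")
        else:
            report.append(f"{dev} at {mp}: readable by any live system that mounts it")
    return report


# Constructed sample: LUKS-protected root, but an unencrypted NTFS data
# volume and plain swap - exactly what a rescue-style live CD would read.
SAMPLE_LSBLK = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "fstype": None, "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
        {"name": "sda2", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
        {"name": "sda3", "type": "part", "fstype": "crypto_LUKS", "mountpoint": None,
         "children": [{"name": "cryptroot", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}]},
        {"name": "sda4", "type": "part", "fstype": "swap", "mountpoint": "[SWAP]"}]},
    {"name": "sdb", "type": "disk", "fstype": None, "mountpoint": None, "children": [
        {"name": "sdb1", "type": "part", "fstype": "ntfs", "mountpoint": "/srv/finance"}]},
]})


def live_lsblk() -> str:
    """Query the running host; needs util-linux with JSON support (lsblk -J)."""
    return subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    try:
        data = live_lsblk()
    except (OSError, subprocess.CalledProcessError):
        data = SAMPLE_LSBLK  # no lsblk on this machine: demonstrate on the sample
    for line in audit(data, secure_boot_enabled()):
        print(line)
```

Run it as root on the host being audited; on anything else it falls back to the constructed sample. A `crypt` ancestor is the only thing that clears a mount here, so a LUKS container that is unlocked but whose key is kept on an unencrypted partition will still pass this check, which is a limitation of looking at the block tree alone.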

#9 Post by Bruce B »

I was an IT manager's nightmare. Not really, because I didn't do anything wrong, except word has it that I had software on my computers I wasn't supposed to have.

Knock yourself out, go ahead and prove your theory and the rumors, find the software.

Once in a while IT thinks it has to know your passwords. I give over the password passme.

What about this domain and that domain? The same passme.

Then the frowns. Well, if it is such a weak password, then why did you have to ask?

Then after the password is out of the bag, change them all.

Next day IT says the password I gave was wrong. Dude, it's a new day. Security minded people change the passwords frequently.

What is it today? mepass


#10 Post by Dave_G »

The question is how much about security does the average IT staff member/manager really know? I would even go as far as saying that 90% of them can't even spell Linux.

That is why there are network security experts, which unfortunately are very often overlooked by organizations in these financially challenging times. Yet these companies are the first to cry foul when their network/system is compromised.

If you try and do the right thing and point out these weaknesses to them, you will more often than not be brushed off and viewed as the baddie. (After all, when using a Windows PC this kind of access is not possible, so you must be the hacker; how dare you use another OS.)

I have no time or sympathy for these organizations that are very quick to try and get and hang on to data about their customers (potentially you and I) but haven't the foggiest idea how to keep it safe.

My two cents worth.
Dave.

#11 Post by CLAM01 »

A correction to my previous post in this thread: Puppies do not leave trails of changed permissions on normal Linux systems, as I said they did; they change permissions to 'root' only when they save, normally when a change has been made and is saved (by the user, normally).

#12 Post by postfs1 »

To reedit up to date.
