Security at schools, colleges, and other shared facilites

[GµårÐïåñ]

Not having used biometrics, I could be mistaken, and probably am, so please forgive me, but I was under the impression that bio was *in addition to*, or *instead of*, Windows user password protection, and not merely an alternative.

Windows pw protection had a long reputation of being weak and vulnerable. Idk if they've improved it in 7, but the idea of the biometric, IIUC, is that pw or not, *no one* gets in without that fingerprint. If I'm mistaken, please correct me.

Some biometric setup on enterprise level and using certain configurations, yes would require Biometrics only and no manual password login. In fact in many configurations, such as the company I have worked with DigitalPersona, it will randomly change and modify your system password on a schedule so the user technically has no idea what their password is, Biometric login is the only way to get in, which is good. In fact many government agencies such as NSA use their services. However, there are configurations/installs of it on local machines, like my own for example, that do not have the AD (Active Directory) server managed configuration, where you can in fact log in using your keyboard and password, OR, using the biometric device. Just thought the clarification might be helpful.

[GµårÐïåñ]

No, it's an alternative. And the old password hashing algorithm (LM hash) was indeed very weak and vulnerable so you could get the password if you had the hash. But leaving the hashing algorithm aside, if you have physical access you can always "get in" and at least access all non-encrypted stuff.

I humbly disagree with that as a general statement. It is not always an alternative, in fact in many cases where its setup in Enterprise systems (as discussed in the previous post) it is constantly rotating the password by random generation and the Biometrics is the ONLY way to get in, but there are alternative, parallel situations where you can do either as well, yes. But as a whole, its not JUST an alternative.

Also, gaining physical access to the machine, if you can get your hands on it, is elementary and I do it on a daily basis for systems where people just forget their passwords, misplace their encryption hash, etc, and its so easy its shocking. I can gain access to ANY windows machine, regardless of permissions, account levels, with or without a strong password, or how much glorified security is running on it, in less than 45 seconds. As long as it has a CD rom and/or a USB port, I am in with two shakes of a keyboard. Now for obvious reasons I won't discuss publicly how this is done but its rather elementary as the hash although cannot be modified anymore on the fly, can still be blanked out, which means you search the systems protected memory for the hash related to that user you are trying to access, I blank it, log in with no password into the Admin or any other account for that matter, reset the password for them, done, or if you were trying to be malicious which I am not, you can effectively hijack the machine by setting a new pass that they can't get around short of reformatting. As you see, no need to KNOW the password, credentials, or even the system encryption hash to do this. The simplest term I can use is "search and destroy" method. You find it, don't care how to break it, just remove it, and it becomes equivalent to a blank password.

I have also gained access to unstable and messed up machines using again a CD/USB by loading a memory payload and while running that make the modifications to the NTFS system that is "broken" and then reboot and voila, done. Good to go like it was nothing. Most common application is when the boot sector gets pooched with the message NTLoader not found or some similar gripe. If you can gain physical access to a machine, it CANNOT and almost never puts up enough of a fight for someone who knows what they are doing. It gets trickier when you try to do it remotely, but still not impossible.

[Tom T.]

Hmm... I thought I had notificatons set up to alert me of new posts... maybe not...

Look at the bottom of the page. If in the left, there's a link to "Unsubscribe this topic", it means you're subscribed. If there's a link to "subscribe', it means that you're not subscribed now.

Globally: User Control Panel (link in upper left of page) > Board Preferences > Edit Posting Defaults > "Notify me upon replies by default" check "Yes."

Initial questions about student discounts for software indicate the availability is restricted to Office Home and Student 2010. It is free as a download or $12 for the physical media. I will query this further when classes begin. A discounted upgrade for Windows 7 would be nice, but upgrading the XP machine is out of the question. It is a shared machine with several user accounts and multiple users on two of them. It would be impossible for me to please everyone and maintain the over 100 programs registered in Windows, not counting the ones which launch straight from an exe file.

I had found you some free VPN software, to connect to your home machine securely.

Open Office is a an open-source project that is 100% free to *everyone*, and offers all capabilities of MS Office, plus using the internationally accepted format as well as MS's proprietary format. In other words, you can create or open Word.doc, but also use OO's format, which meets global standards. Etc. I haven't used MS Word or Office in years. Why pay, when the other is free, and safer? (fewer security exploits discovered; open-source format lets lots of geeks eyeball the code and report any holes.)

What does "sw" stand for? software?

Yes.

Sorry. I dislike those who use jargon too much, but figured anyone who was into biometrics would know this universal abbreviation. My bad.

If it happens again, go to Wikipedia and type sw (or whatever) in the search box. You'll get a list of possibilities (southwest, etc.), but under
"Science, computing and electronics" (kind of what we do here ), you'd recognize "software" as being the most relevant.

I am hoping that security issues will be covered in the required introductory classes. In my own perfect world the reason for no positive replies to my queries on the topic are a result of misunderstanding the importance of security. --OR-- The typical user cares nothing about activities beyond using the machine for a desired task. Anything else which requires interaction is merely a nuisance.

B. (the second one)

I view this as a weak point of a good GUI. It encourages laziness.

A good GUI on a "really" good system allows laziness, because the security is baked in from the start. We work with weak systems (Windows, Mac, Linux-based -- none are remotely secure, nor are the mass-produced Intel and AMD processors), and try to tighten them up as best we can. But most people wouldn't pay for high-security systems. The US Gov used to, several decades ago, then inexplicably shifted to commercial systems for much of its work. Bad. Search "David Bell"+"High-assurance" (or "security") for some interesting papers on this and other related issues.

I will give some serious thought to encryption before embarking on the task of including it. Remote assistance and VPN are still occupying my decision process as I gain more information on them.

Just don't use Windows Remote Desktop. I had to administer Grandpa's machine, as the distance between us was not small. A combination of the free VPN and some inexpensive commercial software gave me complete control from my own puter. (that's short for "computer". )

I have found your dialog as informative as the direct replies to my posts. Thanks for making this public.

That's why it's a forum instead of e-mail or private message (PM). And you're quite welcome.

As an aside: I wish I could have included some of my comments about the IT department in [rant] [/rant] tags to include some animation.

Who says you can't?

I've used [soapbox] blah blah [/soapbox]. Doesn't actually do anything, but at least it lets readers know that you're aware that you're being preachy.

Cheers.

[w.learning]

Tom,

Well this is out of order, but I thought it best to clarify here before continuing. I am a relative newbie. My contact with computers in a meaningful manner began less than two years ago. Prior to that I used IBM 360 for about a year in the 1960's. After that I have only used a computer from the UI for Point Of Sale and time clock. My learning curve has been very steep for the current time period. My incurable curiosity has led me into many intermediate and advanced topics, some of which my more knowledgeable friends are in awe over. My unstructured quest for knowledge and understanding has left enormous holes in my understanding of some of the most basic topics and everyday tasks which most users are comfortable with.

I see this as a two edged sword. I have spent hundreds of dollars on books and untold hours in online research to build a knowledge base to bring me to my current level. This has made me competent enough to help friends with some computer problems and add some useful whistles and bells to my desktop computer. On the other hand I have never set up a new computer's user account settings (straight out of the box) or other similar easy tasks before purchasing my laptop. Understanding my deficiencies and targeting a near term goal has prompted me to enroll in classes to satisfy my current desire to improve my knowledge base. My planned studies will result in a double major associates degree in IT Support and Networking. I have even abandoned a full time job, started working part time, and tapped my retirement account to embark on this journey.

This is a roundabout way to address "sw" as the beginning of my reply. Please don't feel the need to apologize for using jargon. I find it useful to be more conversational in forums and face to face discussions of computer related topics. It represents one of my favorite learning tools. I thought I had figured "sw" out from context and wished to clarify. In short I am secure enough with who and what I am to expose my weaknesses without shame and gain knowledge in return.

The style of your replies leads me to believe that you will appreciate this: I found this dictionary and looked up "sw". There was no hit, but there was a hyperlink which landed me here, where I found "sw" defined. I did this just before beginning to compose this reply. (Yes. I have taught myself BB code also. I am manually typing the code, not using the toolbar. I compose in Notepad and paste in the reply text box once I am happy with the post. I have not used coded text in my previous posts because my typing skills are not very good, but I am attacking that deficiency also.)


I will revert to replying to you in the same chronology as your post now.

Thanks for the heads-up on notifications. I overlooked enabling notification when I posted in this thread. I made the bad assumption that selecting notification in the other thread would carry over to this one when it became a split thread. Oops! -- another lesson learned

My first intro to computers course includes the use of MS Office 2010 which will require me to use the free download offered by the school. I have Office 2007 on the desktop, but am familiar with Word only; so I will be introduced to the other Office programs. I have considered using Open Office to share documents with a friend who does not have MS Office, but he is unwilling to stray outside of his comfort area buy using OO. Therefore, I have not used OO yet.

As for the VPN software -- I'm attempting to fit this into my very full list of things to do in preparation for the upcoming semester. It's a time management/priorities deal. My level of experience makes some of these tasks take much longer than I would like. I have noted your warning about Windows Remote Desktop. I have been the "helpee" using Logmein once and am considering learning to be the "helper" using the same program.

On security issues you said

B. (the second one)

I agree and view it as a sad social comment.

I see the current state of GUIs as you explained to be a marketing consideration. ... How can the largest market be exploited with the minimal expense for development and deployment in that market? Do I have a good read on that?

That's why it's a forum instead of e-mail ...

This is one of the many reasons why I like friendly forums. I have found some forums where the members are very condescending and clickish in their replies to my queries. [rant]BOO! HISS! throw eggs and tomatoes[/rant]


Your friendly and helpful attitude is appreciated.

[dhouwn]

Also, gaining physical access to the machine, if you can get your hands on it, is elementary and I do it on a daily basis for systems where people just forget their passwords, misplace their encryption hash, etc, and its so easy its shocking.

So you are arguing from the angle of real-life practicality/usability? Well, security simply isn't that (NoScript might be considered impractical/unusable for the average person). Anyways, if I were to decide whether to introduce such a technology I guess I would smartcard- or dongle-based solution rather than biometrics (of course I am not oblivious to the fact that the keys in these devices can't be considered inaccessible).
Also, for sometimes it might be even better if someone loses access to his/her encrypted data than that it falls into the wrong hands, esp. if it's just duplicated data (example: businessman travels for a business meeting to the PRC with a copy of some of the secret stuff of his company on his laptop).

I can gain access to ANY windows machine, regardless of permissions, account levels, with or without a strong password, or how much glorified security is running on it, in less than 45 seconds.

That would not include the files encrypted using EFS. Unless you reverse the hash which with the new hashing algorithm should take a little bit longer in case the password is good.

If you can gain physical access to a machine, it CANNOT and almost never puts up enough of a fight for someone who knows what they are doing.

Except when you encrypt it securely (and of course the baddie has not access to the key).

[dhouwn]

The issue of cutting a finger is one I have pondered. I will have to cross that bridge when I come to it. About an hour of research rewarded me with a trick to improve my biometric access. Rubbing the enrolled finger against the thumb increases the amount of skin oil and improves recognition. My fingers are typically dry, and I have been in the habit of rubbing my finger on a piece of fabric to dry it before attempting access. Using this trick has improved easy access. However, I enrolled the fingers using the dry technique, and I bet that resulted in a less than optimum saved image. In the near future I will repeat the finger print enrollment procedure using the trick to see if my access improves. I also found scanner cleaning recommendations which I will employ.

At least for Linux I remember there being a tool that would display the scanned image to you. With this you could see for yourself which result each swiping method yields.

[GµårÐïåñ]

Open Office is a an open-source project that is 100% free to *everyone*, and offers all capabilities of MS Office, plus using the internationally accepted format as well as MS's proprietary format. In other words, you can create or open Word.doc, but also use OO's format, which meets global standards. Etc. I haven't used MS Word or Office in years. Why pay, when the other is free, and safer? (fewer security exploits discovered; open-source format lets lots of geeks eyeball the code and report any holes.)

If you like that, you will also like Libre Office, it has less of the idiosyncrasies of OO but to each their own taste. Give it a shot if you feel like it, you might just like it enough to replace or supplement your OO.

[GµårÐïåñ]

Also, gaining physical access to the machine, if you can get your hands on it, is elementary and I do it on a daily basis for systems where people just forget their passwords, misplace their encryption hash, etc, and its so easy its shocking.

So you are arguing from the angle of real-life practicality/usability? Well, security simply isn't that (NoScript might be considered impractical/unusable for the average person). Anyways, if I were to decide whether to introduce such a technology I guess I would smartcard- or dongle-based solution rather than biometrics (of course I am not oblivious to the fact that the keys in these devices can't be considered inaccessible).
Also, for sometimes it might be even better if someone loses access to his/her encrypted data than that it falls into the wrong hands, esp. if it's just duplicated data (example: businessman travels for a business meeting to the PRC with a copy of some of the secret stuff of his company on his laptop).

Yes and No but for all intents and purposes yes I agree, its from the point of practicality and usability. Dongles/VPN token keys are somewhat more secure but you need to understand that they are generated from an algorithm which if you know or can figure out, won't stop you from generating a completely valid token/key to gain access to what would be otherwise gibberish. Unfortunately that is straying so much into Black/Blue/Red hat area that its hard to go further into it without some level of understanding in that department. If a secure system gets lost then yeah its hard for people to access the data but if motivated enough, I can still get to it without more than several hours of mounted attack on the hash already stored to make it converge and allow access to the new emulated memory but that's a subject of a post grad level thesis.

I can gain access to ANY windows machine, regardless of permissions, account levels, with or without a strong password, or how much glorified security is running on it, in less than 45 seconds.

That would not include the files encrypted using EFS. Unless you reverse the hash which with the new hashing algorithm should take a little bit longer in case the password is good.

Even with EFS instead of blanking the password, you can replace it, flip the sid forcing a convergence and voila its done. Just takes a bit longer depending on how large the data you are trying to converge actually is and a big drive wholly encrypted can take some time, up to 24 hours. Now on systems I have setup myself, I use layered encryption so that means you use say EFS, or windows BitLocker, then you move on to second layer and if you are really inclined another third layer, so that way even if they break one, they have more layers to go and it takes exponentially longer which eventually makes it not worth it. Using a server farm with at least 1 petaflops of processing, you can bust it in about a week, even my own special blend. I have always said, security is designed to slow hackers, not stop them.

If you can gain physical access to a machine, it CANNOT and almost never puts up enough of a fight for someone who knows what they are doing.

Except when you encrypt it securely (and of course the baddie has not access to the key).

Even encrypted with physical access, as explained above, not that hard. Remotely without/or without the key, then its more difficult yes and I conceded that in my earlier post.

[Tom T.]

@ GµårÐïåñ: Are you including, say, TrueCrypt full-disk crypto with pre-boot authentication, and, of course, a crypto-strength pw? I haven't dug deeply into how and where the pre-boot auth creds are stored. If you have a way to defeat that, you would be doing the world a favor by notifiying the TC people privately, through a secure channel of course, so that they can try to find countermeasures. Or you could be a true hero to the world, and suggest some.

The style of your replies leads me to believe that you will appreciate this: I found this dictionary and looked up "sw". There was no hit, but there was a hyperlink which landed me here, where I found "sw" defined. I did this just before beginning to compose this reply.

I thought Wikipedia was faster .... (shrug)

I compose in Notepad and paste in the reply text box once I am happy with the post.

There have already been threads here about losing a long composition when the connection was dropped, etc. Definitely better for long posts. I prefer Wordpad because of the icons vs. menus and context-menus only; more generations of "undo"... OO Word doc adds auto-save periodically, in case you accidentally delete or foobar it; spell-check, though atrociously poor (doesn't know the diff between there/their/they're, etc.), even more generations of "undo", etc.

I have not used coded text in my previous posts because my typing skills are not very good, but I am attacking that deficiency also.)

Another tip: freeware "Texter" (the usual disclaimer: I didn't write it and don't control it. You're on your own.) Make up any hotkey you like for any string you want. Breaking up reply quotes the way I do, it's easier for me to set up q (enter) to yield

Code: Select all

[quote]

and qw (next letter on the keyboard) (enter) to yield

Code: Select all

[/quote]

and "addr" (enter) types my name, address, and phone and fax #s in business correspondence with only four keystrokes. Again, you choose your own hotkeys and results.

I have considered using Open Office to share documents with a friend who does not have MS Office, but he is unwilling to stray outside of his comfort area buy using OO. Therefore, I have not used OO yet.

To reiterate, OO can create MS Word docs. The GUI for that, or for OO format is not very different from that of Word. Same with the spreadsheets. Mostly intuitive. If your friend is comfortable on MS Office, shouldn't be a problem in OO. I haven't tested my friend Guardian's Libre solution, but his advice is always worthwhile to consider.

I see the current state of GUIs as you explained to be a marketing consideration. ... How can the largest market be exploited with the minimal expense for development and deployment in that market? Do I have a good read on that?

It's not the GUIs per se; it's the underlying operating systems. Given that, yes, it's all about the marketing hype and the margin of profit in the short run. Although in all fairness, Windows 7 seems to show some signs that MS learned something from the multi-billion-dollar disaster that was Vista.

Your friendly and helpful attitude is appreciated.

You're welcome, but in fairness to the time of others, we need to get back on topic, or regard this one as pretty much concluded.

[dhouwn]

Dongles/VPN token keys are somewhat more secure but you need to understand that they are generated from an algorithm which if you know or can figure out, won't stop you from generating a completely valid token/key to gain access to what would be otherwise gibberish.

Huh? Are you claiming that the security of these tokens is based on security through obscurity?! I doubt that this is the case, the only thing that should be necessary to be kept secret is the key that is used for authentication, re the key for generating the (kinda-)nonce.

to make it converge and allow access to the new emulated memory

I don't quite get what you mean by "converge" in this case. I would get if this was about creating collisions but that doesn't make any sense here.

Now on systems I have setup myself, I use layered encryption so that means you use say EFS, or windows BitLocker, then you move on to second layer and if you are really inclined another third layer, so that way even if they break one, they have more layers to go and it takes exponentially longer which eventually makes it not worth it.

That would be nice (it taking exponentially longer per layer in this setup), but that's not the case (nitpicking here, I know ).

Even encrypted with physical access, as explained above, not that hard. Remotely without/or without the key, then its more difficult yes and I conceded that in my earlier post.

But it's certainly on a totally different level than "biometrics" ("playing in a different league"?), and that was why I said that biometrics is not any form of security.

[Tom T.]

@ dhouwn: Why are you using Runab's signature-link? Are you he, or has your account been compromised, or are you just trying to give the project publicity, worthwhile though it might be? Only the first would be a legitimate use of it.

If you want to link to Fedora in general, or to your own wiki there, I can't speak for Giorgio, or for any of the other mods, but as a free OSS project, I'd not object. Just kind of surprised to see it!

[w.learning]

in fairness to the time of others, we need to get back on topic, or regard this one as pretty much concluded.

gotcha

[GµårÐïåñ]

@ GµårÐïåñ: Are you including, say, TrueCrypt full-disk crypto with pre-boot authentication, and, of course, a crypto-strength pw? I haven't dug deeply into how and where the pre-boot auth creds are stored. If you have a way to defeat that, you would be doing the world a favor by notifiying the TC people privately, through a secure channel of course, so that they can try to find countermeasures. Or you could be a true hero to the world, and suggest some.

Obviously most of the people who can do it, not that many actually who understand it and don't rely JUST on the tools, and they don't disclose it because that would defeat evil's efforts, why close that door for themselves. As far as MYSELF, I am unfortunately in a slightly difficult situation because these are techniques we use as part of military/government forensics on recovering data recovered from the "bad" guys and see what they were hiding. So as a result, we can't discuss publicly or give those vendors any hints on how to prevent it because that would have counterintelligence implications. Our philosophy is that if they built it and truly know what they built, they should be able to also know and/or see its deficiencies. Trust me, I wish I wasn't in this box, but we are and you know far more about the details of why than I care to discuss publicly, so I will leave it at that.

[GµårÐïåñ]

Dongles/VPN token keys are somewhat more secure but you need to understand that they are generated from an algorithm which if you know or can figure out, won't stop you from generating a completely valid token/key to gain access to what would be otherwise gibberish.

Huh? Are you claiming that the security of these tokens is based on security through obscurity?! I doubt that this is the case, the only thing that should be necessary to be kept secret is the key that is used for authentication, re the key for generating the (kinda-)nonce.

I am going to concede "to each their own" as I don't want to get caught up in a war of nick picking and semantics. However, what I said stands but I can't walk you through it to show you for reasons I have already stated prior. Yes obscurity is the key but its done with logic based on algorithms, will just say that much more.

to make it converge and allow access to the new emulated memory

I don't quite get what you mean by "converge" in this case. I would get if this was about creating collisions but that doesn't make any sense here.

I meant what I said and if you are familiar with convergence when it comes to networking and routers (ie. Cisco/Juniper routing tables) then you can draw the comparison on your own and see what I said what exactly what was meant. Encryption is an algorithm, NO MATTER HOW ITS IMPLEMENTED, which means it follows a logical progression and converges into a state of "validity". If you can inject yourself and manipulate that process, you embed yourself into it, simple as that. I can't go further into it, so I have to respectfully say, "take it or leave it" to each their own and you can stick with your understanding and I will respect you no less, its your choice and I am all for that. All I can do is provide the information, motivation after that is not up to me and what anyone does with it or doesn't.

Now on systems I have setup myself, I use layered encryption so that means you use say EFS, or windows BitLocker, then you move on to second layer and if you are really inclined another third layer, so that way even if they break one, they have more layers to go and it takes exponentially longer which eventually makes it not worth it.

That would be nice (it taking exponentially longer per layer in this setup), but that's not the case (nitpicking here, I know ).

If you try to brute your way through something that is 4 alpha/num character long versus 8 alpha/num/symbol/char, will it take the same time? No, the possibilities will increase exponentially. So when you encrypt on top of encrypt and use layers, you are increasing the brute span. So if you are familiar with advanced math, statistics, multidimensional or spacial calculus, you know that this kind of stacking results in a logarithmic growth, hence exponential. Now you can nit pick on semantics but the result is the same. Tomato, tomato. Potato, potato If layer one is (N^N+1) and layer two is (N^e+1), then you already have ((N^[N+1])^(N^[e^2])), hence exponential, now keep adding layers, and expand that out, see what I mean? Now unless I am protecting something that is so critical that I need someone to spend over 1.6 billion years to decode, then I will keep adding layers but I think my one/two layer lasting 800 million years to decode is sufficient I keep my state secrets on my head anyway

Even encrypted with physical access, as explained above, not that hard. Remotely without/or without the key, then its more difficult yes and I conceded that in my earlier post.

But it's certainly on a totally different level than "biometrics" ("playing in a different league"?), and that was why I said that biometrics is not any form of security.

Ok, yeah I see where I caused the confusion. So let me try to make this as clear as mud as I can Biometrics, focus on the [metrics] part, is the weight of any factor based on variables resulting in a decision being made. Example, in networking using say EIGRP or RIP2, the metrics are calculated based on Bandwidth+Delay (offset by load and hold time), so if the router has two paths with equally valid source to destination in its table, it will pick the one with the lowest metrics (AKA cost) and use that, even if it ends up with a higher hop count. Because going through 20 hops of T1 and T3 lines will get you there faster than going through 1 HOP using a 56k connection? So you see, metrics makes every difference. Now the metrics for "BIO"-metrics, is various points of a finger print, body heat, retinal scans, and in some NSA facilities a combination including even DNA analysis (marker check). So these are all variables making up the metrics. So not even all Biometrics are equally created, because depends on how many variables they use making them stronger/weaker. Although the variables may be biological in this case and not in others is just a matter of semantics. Ultimately its just variables comprising the metrics, including Biometrics, Encryption, etc.

[Tom T.]

@ GµårÐïåñ: Are you including, say, TrueCrypt full-disk crypto with pre-boot authentication, and, of course, a crypto-strength pw? I haven't dug deeply into how and where the pre-boot auth creds are stored. If you have a way to defeat that, you would be doing the world a favor by notifiying the TC people privately, through a secure channel of course, so that they can try to find countermeasures. Or you could be a true hero to the world, and suggest some.

Obviously most of the people who can do it, not that many actually who understand it and don't rely JUST on the tools, and they don't disclose it because that would defeat evil's efforts, why close that door for themselves. As far as MYSELF, I am unfortunately in a slightly difficult situation because these are techniques we use as part of military/government forensics on recovering data recovered from the "bad" guys and see what they were hiding. So as a result, we can't discuss publicly or give those vendors any hints on how to prevent it because that would have counterintelligence implications. <snip>.

Lending fuel to the tinfoil-hat crowd's conspiracy theories that the Gov keeps backdoors in all OSs, all approved cryptosystems -- hey, they're the ones who ran the contest to choose the new AES standard.

We definitely need to add the tinfoil hat icon to our smiley collection here. Any support for that?