At 08:40 AM 12/7/99 -0600, Robert Horvick wrote:
>While this does require admin rights for this to work the implications of
>social engineering or an exploit to run after compromising the admin account
>are obvious.

If you can get to be admin, why not just install a keyboard sniffer, and get everything that comes into the console?

It is still a good idea to fix the problem, but if I can get an admin-level user to run a trojan, or otherwise compromise a local admin account, the number of ways to hack any subsequent user are bounded only by one's imagination. As a friend used to say, "the mind boggles at the possibilities" <g>.

I've got an overall problem with 'exploits' that require admin access to run - kind of like worrying about the windows being locked when the front door has been successfully hit with the crowbar attack. If you can get to be admin, you can modify the OS, and from there, you can do anything to any user.

David LeBlanc
dleblancat_private
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:19:03 PDT