> Compare the following quotes
> "you can provide custom code that participates in the logon process AND
> that controls the user interface for Logging on" - Paula Tomlinson WDJ

That in and of itself is not new, and I don't read this as her saying that the key sequence is trappable. All she is saying is that you can write a custom GINA. Novell has been doing that for a long time to provide a single logon to an NT Workstation and a Novell Server. ZENworks can even create the NT user account on the fly and delete it when the user logs off. So, this is not really earth-shattering.

> "(In order to prevent password capture) This key sequence cannot be
> duplicated by an application programs" NT Security Handbook by Hadfield

The key sequence itself does not protect against password capture by a trojan. It simply ensures that whatever is registered as the GINA is launched. The problem is that I can write a trojan that presents the logon dialog box without the key sequence. I can run that trojan under my own account. Joe DumbUser now shows up, sees the logon box and types in his username and password WITHOUT first doing the three-finger salute. My trojan writes his info to disk, puts up a dialog that says "password incorrect" and asks him to press OK. He does that, and the trojan now logs him off and presents the real GINA. I have actually seen an entire lab with this kind of trojan on it.

Now, can the three-finger salute key sequence be trapped? I'm not sure. However, if I can write my own GINA, which is not very hard, and replace the system one, it becomes a moot point.

> there is no
> documentation which widely advises not surfing the web under the
> Administrator account (I know that NO one here does that anyway :) ) in
> order to prevent an overflow in your browser (an app running with sufficient
> privs) to do the damage.

If you are looking at specifically surfing the web, I don't know of one either. But the ones worth anything advise against running routinely as an Admin. Sutton does in the NSA guide, on page 22. The SANS Step-by-Step guide does too (step 0.1). I think I even saw something coming out of Redmond saying that, although I believe it was just an e-mail from Paul Leach.

Jesper M. Johansson
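The two points the post makes, that whatever is registered as the GINA is what the key sequence launches, and that routine work as Administrator is the habit to avoid, can both be checked from the defender's side. The script below is an added example, not code from the thread; it assumes an NT-family Windows release that still uses a GINA (Vista and later replaced GINA with credential providers, so the registry value is ignored there) and PowerShell 2.0 or later, and a legitimate third-party GINA such as Novell's will show up as non-default, which is intended.

```powershell
# Added example (not from the original post). Reports which GINA DLL is
# registered and whether the current session holds Administrator rights.
# Assumption: pre-Vista NT-family Windows, where Winlogon honours GinaDLL.

function Get-GinaStatus {
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $props = Get-ItemProperty -Path $key -ErrorAction Stop
    $gina  = $props.GinaDLL
    # An absent GinaDLL value means the system default (msgina.dll) is used.
    if (-not $gina) { $gina = 'msgina.dll' }
    # A bare file name is loaded from System32; an absolute path is used as-is.
    $resolved = if ([IO.Path]::IsPathRooted($gina)) { $gina }
                else { Join-Path $env:SystemRoot "System32\$gina" }
    [pscustomobject]@{
        GinaDll   = $gina
        Resolved  = $resolved
        Exists    = (Test-Path -Path $resolved)
        IsDefault = ($gina -ieq 'msgina.dll')
    }
}

function Test-RunningAsAdmin {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$status = Get-GinaStatus
if ($status.IsDefault) {
    Write-Output 'GINA is the system default (msgina.dll).'
} else {
    # Any replacement GINA deserves a look: confirm it is the one you deployed.
    Write-Warning ("Non-default GINA registered: {0} -> {1} (file exists: {2})" -f
        $status.GinaDll, $status.Resolved, $status.Exists)
}
if (Test-RunningAsAdmin) {
    Write-Warning 'This session has Administrator rights; use a limited account for routine work such as browsing.'
}
```

Run it under the account that normally does day-to-day work, so the second check reflects the habit rather than an elevated maintenance session.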
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:31:43 PDT