-----Original Message-----
From: R. DuFresne [mailto:dufresneat_private]
Sent: Tuesday, May 27, 2003 12:53 AM
To: Sandy Turner
Cc: pen-testat_private
Subject: Re: Secure Home Networking?

>>Perhaps one of the more nasty tests to do on home users is to e-mail them
>>a trojan or two that will backdoor the system. If they point and click
>>and let it run/install, then they are *not* a candidate for a vpn tunnel
>>into work.

There are obviously some fairly major legal issues with this approach, without some form of authorisation/disclaimer. Also, I'm not sure how much benefit you get from it, unless you send stuff from some innocuous email address. If a sysadmin sends a user a mail with a subject of "Your automatic VPN configuration utility", and it is a legitimate source and the user activates it, what do you gain? They trust you (obviously never read BOFH www.theregister.co.uk) - if they open an email from evilat_private and execute an attachment of the latest naked celebrity, then you don't want to let them have a computer. Obviously those are the extremes, and there is plenty of scope there for innocuous looking mail.

>>Aside from that get all the netbeui/netbios toys you can get
>>your hands on and see what might be bound to the internet interface.

Best you can do is scan them on a periodic basis with nmap and Nessus etc, if you aren't able to dictate the home network configuration. Make sure you are covered legally for this, though.

Create a Security Policy for home users, and get them to sign up to it. See if you can audit them against it periodically. Once you're out of the corporate environment, though, there are limitations on what you can do.

Mark

Mark Brewis
Security Consultant
EDS Information Assurance Group
Wavendon Tower
Milton Keynes
Buckinghamshire
MK17 8LX.
Tel: +44 (0)1908 28 4234/4013
Fax: +44 (0)1908 28 4393
E@: mark.brewisat_private
This archive was generated by hypermail 2b30 : Thu May 29 2003 - 09:45:05 PDT