Re: un-hibernating laptop using old network settings

From: Zow (zowat_private)
Date: Tue Jul 03 2001 - 08:45:30 PDT

    > I have a feeling that there might be more subtle security issues
    > relating to hibernating a system in a trusted environment and awakening it
    > in an untrusted one, apart from user education issues, but can't put my
    > finger on any just now.
    
    The threat that immediately occurs to me is the reverse: having the laptop in 
    an untrusted environment, then moving it to a trusted environment. Let's say 
    the laptop gets cracked when it's on the untrusted net. Then the user moves 
    the laptop to a trusted network where a background program wakes up and 
    automatically cracks machines on the trusted network. I read about someone 
    using their own laptop with such a program to do a red team assessment for a 
    customer (I think it was on /. but I'm not sure). They put the program on the 
    laptop (so they didn't crack their own box, but having the program introduced 
    by a remote attacker is the next logical step) then they took the laptop into 
    the customer site under the pretext of doing a presentation to a member of the 
    technical staff. As soon as the red team member plugged into the local 
    (trusted) network, the laptop started cracking servers, installing backdoors 
    and punching holes in the firewall. The person claimed that during their 30 
    minute presentation this automatic program pretty much took over the entire 
    company's network.
    
    Returning to your original question, consider if the automated program didn't 
    install any backdoors, it just grabbed the information the attackers wanted 
    and stored that info on the laptop for retrieval once the laptop moved from 
    the trusted to the untrusted network. Or even more straightforward, the user 
    deliberately puts company proprietary information on the laptop when connected 
    to the trusted company network and the laptop doesn't get compromised until 
    it's moved to an untrusted (home perhaps?) network, whereupon the attackers 
    compromise the laptop and grab the proprietary information.
    
    The only solution is defense in depth. The two best practices that occur to me 
    in this case are to use network intrusion detectors even behind your firewalls 
    and to keep all your machines patched. While patching may be particularly 
    problematic for laptops since they aren't always there, it's probably more 
    important for them than it is for desktop systems just because of all the odd 
    networks they may end up on. If you're more paranoid, consider keeping your 
    laptops on a separate network or sanitizing them when leaving or returning to a 
    trusted network.
    
    My $.02,
    Terry
    
    #include <stddisclaimer.h>
    
    This archive was generated by hypermail 2b30 : Wed Jul 04 2001 - 12:08:04 PDT