> I have a feeling that there might be more subtle security issues
> relating to hibernating a system in a trusted environment and awakening it
> in an untrusted one, apart from user education issues, but can't put my
> finger on any just now.

The threat that immediately occurs to me is the reverse: having the laptop in an untrusted environment, then moving it to a trusted environment. Let's say the laptop gets cracked when it's on the untrusted net. Then the user moves the laptop to a trusted network where a background program wakes up and automatically cracks machines on the trusted network.

I read about someone using their own laptop with such a program to do a red team assessment for a customer (I think it was on /. but I'm not sure). They put the program on the laptop (so they didn't crack their own box, but having the program introduced by a remote attacker is the next logical step), then they took the laptop into the customer site under the pretext of doing a presentation to a member of the technical staff. As soon as the red team member plugged into the local (trusted) network, the laptop started cracking servers, installing backdoors and punching holes in the firewall. The person claimed that during their 30-minute presentation this automatic program pretty much took over the entire company's network.

Returning to your original question, consider if the automated program didn't install any backdoors, it just grabbed the information the attackers wanted and stored that info on the laptop for retrieval once the laptop moved from the trusted to the untrusted network. Or even more straightforward, the user deliberately puts company proprietary information on the laptop when connected to the trusted company network and the laptop doesn't get compromised until it's moved to an untrusted (home perhaps?) network, whereupon the attackers compromise the laptop and grab the proprietary information.

The only solution is defense in depth. The two best practices that occur to me in this case are to use network intrusion detectors even behind your firewalls and keep all your machines patched. While patching may be particularly problematic for laptops since they aren't always there, it's probably more important for them than it is for desktop systems just because of all the odd networks they may end up on. If you're more paranoid, consider keeping your laptops on a separate network or sanitizing them when leaving or returning to a trusted network.

My $.02,
Terry
#include <stddisclaimer.h>
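
Added example, not part of the original post: one way an intrusion detector placed behind the firewall could flag the scenario described above, where a machine that has just joined the trusted network immediately contacts many internal services. The flow records, addresses, window and threshold are all constructed assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records: (epoch seconds, source IP, destination IP, destination port).
# 10.0.5.77 stands in for a laptop that has just joined the internal network.
FLOWS = [
    (1000, "10.0.1.20", "10.0.0.5", 25),
    (1005, "10.0.1.20", "10.0.0.6", 80),
    (1200, "10.0.5.77", "10.0.0.5", 21),
    (1201, "10.0.5.77", "10.0.0.5", 23),
    (1202, "10.0.5.77", "10.0.0.6", 21),
    (1203, "10.0.5.77", "10.0.0.6", 80),
    (1204, "10.0.5.77", "10.0.0.7", 111),
    (1206, "10.0.5.77", "10.0.0.8", 139),
    (1300, "10.0.1.20", "192.0.2.10", 80),  # outbound flow, not internal fan-out
    (1900, "10.0.1.20", "10.0.0.5", 110),   # outside the window for this source
]

def fanout_alerts(flows, internal_cidr="10.0.0.0/8", window=300, threshold=5):
    """Flag internal sources that contact at least `threshold` distinct internal
    (host, port) pairs within `window` seconds of first being seen."""
    net = ipaddress.ip_network(internal_cidr)
    first_seen = {}
    targets = defaultdict(set)
    for ts, src, dst, dport in sorted(flows):
        if ipaddress.ip_address(src) not in net:
            continue  # only sources inside the trusted network are of interest here
        first_seen.setdefault(src, ts)
        if ipaddress.ip_address(dst) not in net:
            continue  # ignore traffic leaving the trusted network
        if ts - first_seen[src] <= window:
            targets[src].add((dst, dport))
    return sorted(
        (src, first_seen[src], len(seen))
        for src, seen in targets.items()
        if len(seen) >= threshold
    )

if __name__ == "__main__":
    for src, seen_at, count in fanout_alerts(FLOWS):
        print(f"ALERT {src}: {count} internal services contacted "
              f"within the window after first seen at {seen_at}")
```

"First seen" here is relative to the start of the capture; a real deployment would tie it to an event such as a new DHCP lease so that a laptop returning from another network is treated as newly arrived.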