Information Security

USB Stick of Death: Not Really Low Severity

by kriggins on October 22, 2012

in Uncategorized

On October 21st, 2012, Mateusz “j00ru” Jurczyk published a blog post describing an exploit he developed which allows one to execute a privilege escalation attack on Windows 7. The attack results in one having SYSTEM level permissions on the machine. SYSTEM is the highest level of permissions one can have, even higher than administrative permissions.

You can read the details about the exploit here. I suggest you do read it. It is very interesting.

In the post the following statement is made:

...requires the attacker to obtain physical access to the machine and have a local user in the system. Consequently, the only scenario in which it might be a problem security-wise is a local computer shared between multiple users with restricted privileges (e.g. schools, universities, hostels) and thus has been rated as low-severity by both us and MSRC,...

Let's see. Where else might there be situations where this might be of concern? How about any organization that restricts its users from having administrative privileges on their workstations?

Wait, you mean there are places that enforce least privilege on their users?

Yup.

I work for one. I also know of several government entities that restrict administrative privileges for most users.

Color me crazy, but I'm pretty sure those organizations would not consider the ability to easily elevate privileges as a "low-severity" vulnerability.

Just sayin'.

What do you think?

-Kevin


If You Want It Done Right, Do It Yourself

by kriggins on February 8, 2009

in General

Jeff Atwood has a post up titled Don't Reinvent The Wheel, Unless You Plan on Learning More About Wheels.

Go read it first. The comments too. Go on, I'll wait.
.
.
.
.
.

Welcome back! Good post, huh?

First, I agree with Jeff that there are times when it is more important to figure something out for yourself. Second, I also think there are times when re-use is the right way to go. That brings us to Information Security.

We have all these "best practices" and standards flying around that people are always pointing to and saying you should do THAT.

There are instances where this is completely true. If you are subject to PCI DSS requirements, then you really ought to adhere to the requirements. Unless you want to pay fines and such.

However, if you aren't, does it really make sense to apply those requirements to your networks and systems? It might, but then again, it might not. The exact same thing can be said for ISO:27002.

This is where re-inventing the wheel comes in.

We must examine our businesses and make sure that we are not just plugging in the accepted standards and "best practices" without understanding whether they matter in our environment.

Our job as information security professionals is to maintain the Confidentiality, Availability and Integrity of the data under our care. As such, we must make sure we do so with a full understanding of what that data is and how the business uses it. Implementing policies, processes and technologies exactly the same way everybody else is doing it is not the way to effectively use our resources.

I fully support the use of standards and "best practices" and believe that PCI DSS, ISO:27002 and other standards and requirements are good things. We just need to be careful that we are paying attention when we use them.

What say you?

-Kevin
