Sys Admins need to be extra careful

March 21, 2014

Recently there have been revelations that the NSA is explicitly targeting sys admins. This is because they see sys admins as a good way to gain access to the users and data on the networks they manage. It’s worried me for a while now that gaining access to a typical sys admin account provides an attacker with a really easy way to get root access (for instance, there are plenty of sites out there which allow anyone in group “wheel” to gain extra privileges). Also, as I blogged recently, even when you cannot directly gain full root access, anyone who is permitted to do privileged admin tasks using sudo probably has some sort of illicit way of gaining extra privilege.

Even if we ignore concerns about government surveillance, when you can trivially find a huge list of sys admins via linkedin.com you know that attackers are going to be focussing their efforts on that list of targets. It’s clear to me that we have reached a time where sys admins are going to have to accept more onerous access restrictions than a “normal” user, because they have the ability to easily acquire a lot more power than a “normal” user. We’re going to be obliged to use technologies such as multi-factor authentication; we’re going to have to avoid insecure web sites that require accounts but don’t have an https option; and we’re going to have to use a secure VPN just to do simple things.
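The “anyone in group wheel can become root” configuration mentioned above is easy to check for. The following script is an added example (not code from this blog): it parses the common one-line form of sudoers rules and flags the two settings that turn a compromised sys admin account straight into root, a group granted ALL commands and any NOPASSWD grant. The sudoers text it runs on is a constructed sample; the parser, the rule names and the `audit_sudoers` function are this example’s own assumptions, not anything from the post.

```python
"""Audit sudoers-style rules for the broad group grants the post warns about.

Added example, not code from the original post. The rules below are a
constructed sample; feed `audit_sudoers` the text of a real /etc/sudoers to
use it. The parser understands the common one-line form only:
`<who> <host>=(<runas>) [TAG:] <commands>`.
"""
import re
from typing import List, Tuple

# Constructed sample of sudoers rules (not taken from any real system).
SAMPLE_SUDOERS = """\
# Allow members of group wheel to run anything: the pattern the post warns about
%wheel ALL=(ALL) ALL
%admin ALL=(ALL) NOPASSWD: ALL
alice ALL=(ALL) ALL
bob ALL=(root) /usr/bin/apt-get update, /usr/bin/apt-get upgrade
Defaults env_reset
"""

# who, host, optional (runas), optional TAG: prefixes, then the command list
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?:(?P<tags>(?:[A-Z]+:\s*)+))?(?P<cmds>.+)$"
)


def parse_rules(text: str) -> List[dict]:
    """Return one dict per user/group rule; comments, blanks and Defaults are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tag_text = m.group("tags") or ""
        tags = {t.rstrip(":") for t in tag_text.split()}
        rules.append({
            "who": m.group("who"),
            "is_group": m.group("who").startswith("%"),
            "runas": (m.group("runas") or "root").strip(),
            "nopasswd": "NOPASSWD" in tags,
            "commands": m.group("cmds").strip(),
        })
    return rules


def audit_sudoers(text: str) -> List[Tuple[str, str]]:
    """Flag rules that make every member of a group a de facto root.

    Returns (rule_who, reason) pairs in the order found. Two findings are
    raised: a group (%name) granted ALL commands, and any NOPASSWD grant,
    since the latter removes the one extra credential check sudo gives.
    """
    findings = []
    for r in parse_rules(text):
        if r["is_group"] and r["commands"] == "ALL":
            findings.append((r["who"], "group granted ALL commands: every member is effectively root"))
        if r["nopasswd"]:
            findings.append((r["who"], "NOPASSWD grant: a stolen account needs no second secret"))
    return findings


if __name__ == "__main__":
    for who, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{who:10} {reason}")
```

Run against the sample it reports the `%wheel` and `%admin` group grants and the `%admin` NOPASSWD rule; the per-user rules for alice and bob are left alone because the check is specifically about group membership standing in for an authorisation decision.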


Security: Using the human perimeter

December 5, 2013

I recently came across an interesting security blog article on the Dark Reading site – "Using The Human Perimeter To Detect Outside Attacks". This is particularly interesting because, as part of our ongoing efforts to improve the security of our network, earlier this year I developed a new "log cabin" service which allows users to review all their SSH and web authentications. As well as providing a web interface where you can peruse all your login activity for the last few months, we also send out terse monthly summaries to everyone by email. These summaries list only the most "interesting" connection sources and help to encourage users to keep checking. I will be speaking about this project at the next FLOSS UK conference, which will be held in Brighton in March 2014. The talk is titled "Crowd-Sourcing the Detection of Compromised User Accounts" and it will look at how users can become involved in the whole process of keeping their account secure. I particularly like the term "human perimeter"; I might have to borrow that one.
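To make the idea of a terse per-user summary of "interesting" connection sources concrete, here is an added example that is not the "log cabin" service's code. It parses successful logins out of constructed OpenSSH syslog lines, counts each user's sources, and ranks them rarest first, flagging any that lie outside the user's usual /24. Treating the /24 of the most frequent source as the user's "home" network is this example's own assumption, as are the function names and the sample addresses.

```python
"""Summarise a user's SSH login sources and rank the "interesting" ones.

Added example in the spirit of the post's monthly summary email; it is not
the "log cabin" service's code. The log lines below are constructed in the
usual OpenSSH syslog format. `interesting_sources` treats a source as more
interesting the fewer times it has been seen, and flags it when it falls
outside the user's usual /24 (the /24 of their most frequent source, which is
an assumption made here, not a rule from the post).
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sshd log lines; host names and addresses are made up.
SAMPLE_LOG = """\
Mar 21 08:02:11 host1 sshd[2211]: Accepted publickey for alice from 10.0.5.17 port 50122 ssh2
Mar 21 09:14:03 host1 sshd[2290]: Accepted publickey for alice from 10.0.5.17 port 50410 ssh2
Mar 21 12:30:55 host1 sshd[2514]: Accepted password for bob from 10.0.5.40 port 41002 ssh2
Mar 22 02:47:19 host1 sshd[3001]: Accepted publickey for alice from 203.0.113.9 port 60001 ssh2
Mar 22 08:05:42 host1 sshd[3120]: Accepted publickey for alice from 10.0.5.17 port 50551 ssh2
Mar 22 08:06:10 host1 sshd[3121]: Failed password for alice from 198.51.100.77 port 3344 ssh2
Mar 23 07:58:01 host1 sshd[3402]: Accepted publickey for alice from 10.0.5.23 port 50700 ssh2
"""

# Only successful logins match: "Accepted <method> for <user> from <src> port <n>"
ACCEPT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_logins(text: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Map user -> list of (timestamp, source, method) for successful logins only.

    Failed attempts are deliberately left out: the summary is about sessions
    that really happened under the user's name, which is what the user can
    vouch for or deny.
    """
    logins = defaultdict(list)
    for line in text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            logins[m.group("user")].append((m.group("ts"), m.group("src"), m.group("method")))
    return dict(logins)


def interesting_sources(events: List[Tuple[str, str, str]], limit: int = 3) -> List[Tuple[str, int, bool]]:
    """Rank a user's sources, rarest first, and flag those outside the home /24.

    Returns up to `limit` (source, count, outside_home_network) tuples.
    """
    counts = Counter(src for _, src, _ in events)
    if not counts:
        return []
    # Assumption: the /24 of the most frequently seen source is "home".
    home_prefix = counts.most_common(1)[0][0].rsplit(".", 1)[0]
    ranked = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))
    return [(src, n, not src.startswith(home_prefix + ".")) for src, n in ranked[:limit]]


def monthly_summary(text: str) -> Dict[str, List[Tuple[str, int, bool]]]:
    """Terse per-user summary: each user's most interesting sources."""
    return {user: interesting_sources(ev) for user, ev in parse_logins(text).items()}


if __name__ == "__main__":
    for user, rows in monthly_summary(SAMPLE_LOG).items():
        print(user)
        for src, n, outside in rows:
            flag = "  <-- outside usual network" if outside else ""
            print(f"  {src:16} {n:3} login(s){flag}")
```

For alice the sample yields two rarely seen sources, of which only 203.0.113.9 (a single 02:47 login from outside the usual 10.0.5.0/24) is flagged; that is the sort of line a user can glance at and either recognise or report, which is the whole point of involving the account holder.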