RE: Secure Home Networking?

From: Brewis, Mark (mark.brewis@eds.com)
Date: Thu May 29 2003 - 12:10:04 EDT

• Next message: Kurt Seifried: "Re: Scanning - anyone got ball park timings?"
• Previous message: Mark Phillips: "Scanning - anyone got ball park timings?"
• Maybe in reply to: Sandy Turner: "Secure Home Networking?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

-----Original Message-----
From: R. DuFresne [mailto:dufresne@sysinfo.com]
Sent: Tuesday, May 27, 2003 12:53 AM
To: Sandy Turner
Cc: pen-test@securityfocus.com
Subject: Re: Secure Home Networking?

>>Perhaps one of the more nasty tests to do on home users is to e-mail then
>>a trojan ot two that will backdoor the system. If they point and click
>>and let it run/install, then they are *not* a candidate for a vpn tunnel
>>into work.

There are obviously some fairly major legal issues with this approach,
without some form of authorisation/disclaimer. Also, I'm not sure how much
benefit you get from it, unless you send stuff from some innocuous email
address. If a sysadmin sends a user a mail with a subject of "Your
automatic VPN configuration utility", and it is a legitimate source and the
user activates it, what do you gain? They trust you (obviously never read
BOFH www.theregister.co.uk) - if they open an email from evil@hacker.org and
execute an attachment of the latest naked celebrity, then you don't want to
let them have a computer. Obviously those are the extremes, and there is
plenty of scope there for innocuous looking mail.

>>Aside from that get all the netbui/netbios toys you can get
>>your hands on and see what might be bound to the internet interface.

Best you can do is scan them on a periodic basis with nmap and Nessus etc,
if you aren't able to dictate the home network configuration. Make sure you
are covered legally for this, though.

Create a Security Policy for home users, and get them to sign up to it. See
if you can audit them against it periodically. Once you're out of the
corporate environment, though, there are limitations on what you can do.

Mark

Mark Brewis

Security Consultant
EDS
Information Assurance Group
Wavendon Tower
Milton Keynes
Buckinghamshire
MK17 8LX.

Tel: +44 (0)1908 28 4234/4013
Fax: +44 (0)1908 28 4393
E@: mark.brewis@eds.com

This email is confidential and intended solely for the use of the
individual(s) to whom it is addressed. Any views or opinions presented are
solely those of the author. If you are not the intended recipient, be
advised that you have received this email in error and that any use,
dissemination, forwarding, printing, or copying of this mail is strictly
prohibited.

Precautions have been taken to minimise the risk of transmitting software
viruses, but you must carry out your own virus checks on any attachment to
this message. No liability can be accepted for any loss or damage caused by
software viruses.

---------------------------------------------------------------------------
----------------------------------------------------------------------------

• Next message: Kurt Seifried: "Re: Scanning - anyone got ball park timings?"
• Previous message: Mark Phillips: "Scanning - anyone got ball park timings?"
• Maybe in reply to: Sandy Turner: "Secure Home Networking?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:33 EDT