Old 02-10-2012, 09:08 AM
WZIS Software
Security issue of cross server job on UNIX and the solution

Say you have a UNIX (such as AIX, HP-UX, Linux) application server alpha and a UNIX database server delta, where the application runs with account Charlie's privilege and the database with account Sam's privilege.

The application generates data that will be sent to server delta; the data is to be loaded into the database by Sam, and then a report will be generated using the data in the database.

In today's technology, most likely sftp will be chosen for the file transfer from alpha to delta, and most people will think this is a very secure solution.

So what's the issue with this solution?

With this solution, you need to ask one person to do the file transfer job, then ask the same person or another to load the data into the database and then run the report generation program.

Here, the person who does the file transfer job needs either Sam's password or the pass phrase for the private key of the key pair used for public key authentication; otherwise, you have to choose public key authentication with no pass phrase protection for the private key. We assume that you will use the pass phrase protected public key authentication way, as this is the most secure way among them.

Then what's the security issue with this arrangement?

Let's talk about the security risk with the pass phrase protection itself first.

One common issue here is that the pass phrase needs to be known by all the people who will do the file transfer, which is unlikely to be only one person.

And then a malicious person on the machine with the same or root privilege could use a system call tracer, like tusc on HP-UX, to steal the pass phrase when you type it. And a malicious person with root privilege could replace the sftp program to steal the pass phrase.

And on Solaris 10 platforms, anybody with root privilege can easily use dtrace to capture the pass phrases when anybody uses ssh to connect to other machines. The dtrace tool is good for debugging issues, but is a nightmare for password/pass phrase security.

Then let's talk about another big security issue with the arrangement: when a person is able to use sftp to transfer the data from server alpha to server delta through account Sam on delta, that person is also able to make changes to Sam's .profile. So if the person is malicious, he/she will be able to set up a trap in Sam's .profile, so that when Sam logs on to server delta, the trap will be triggered and a false transaction will be added to the database, causing big damage to the company.

WZIS Software has a very secure solution for this, and it can save you huge operation costs.
Please check our solutions at http://www.wziss.com/
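One standard mitigation for the .profile risk described above, added here as an example and not part of the post or of WZIS Software's product: give the uploader its own SFTP-only account on delta, chrooted into a landing directory, so it never gets a shell and cannot reach Sam's home directory at all; Sam reads the uploaded files from that directory instead of handing out his own credentials. The account name xfer, the group dbload and all paths are assumptions.

```sshd_config
# /etc/ssh/sshd_config on delta (the "xfer" account, the "dbload" group and
# the paths below are assumptions made for this example)
Subsystem sftp internal-sftp

# The uploader gets no shell, no TTY and no forwarding, and is confined to
# /srv/xfer, so it cannot touch Sam's .profile or any other file outside it.
Match User xfer
    ChrootDirectory /srv/xfer
    ForceCommand internal-sftp -u 027
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTTY no
    PasswordAuthentication no

# Required layout on delta (run once as root):
#   chown root:root /srv/xfer && chmod 755 /srv/xfer   # sshd refuses a chroot
#   usermod -d /srv/xfer xfer                          # root that others can write
#   mkdir /srv/xfer/incoming
#   chown xfer:dbload /srv/xfer/incoming && chmod 2770 /srv/xfer/incoming
#   usermod -a -G dbload sam   # Sam reads /srv/xfer/incoming; nobody logs in as Sam
```

With the umask of 027 and the setgid landing directory, every uploaded file ends up group-readable by dbload, so Sam's load job can pick it up without the uploader ever authenticating as Sam.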



