memory pages nulling when releasing

R. B. Riddick arne_woerner at yahoo.com
Mon Jun 19 15:17:00 UTC 2006


--- Nick Borisov <neiro21 at gmail.com> wrote:
> [...] Allowing an intruder to deal with your
> system even one extra minute may lead to tremendous losses depending
> [...]
>
:-) OK.. Let's see, if I understood this right:
1 minute <-could be-> 1 tremendous loss
50 minutes <-could be-> 50 tremendous losses

But what if a system just contains 5 tremendous chunks of secrets? Then it
would not matter if we catch the attacker after 50 minutes or after 51
minutes... Even if we had a preparation time (before the loss starts) of 10
minutes (e. g. to install an evil kernel)...

According to my experience attackers are not caught so quickly (and how should
one do it? if the software is bad, then every connection could be evil; and of
course even unusual connections (e. g. IP was never seen before or very high
traffic to a single IP) could be good). I know personally of a case where
somebody (mis(?))configured an NFS service (maybe it was a honey-pot, or so?),
so that everyone had read/write access as _root_. It was possible to transfer
about 20MB of data over about one hour from a single IP, that was never seen
there before... The carrier of the system was a research centre (that works for
several departments of the federal GERM government) with its own specially
trained network/security administrators and a little nuclear power plant...

-Arne
