Re: [SAGE] Email passwords are.. special?
At 10:11 AM -0600 2/14/07, Dustin Puryear wrote:
> Now, let's assume that the communication channel is encrypted with
> SSL. That should just be a given.
Unless you can guarantee that SSLv2 and earlier cannot possibly be
used, then even using SSL is not secure -- MITM attacks can still be
performed.
> But we still have the issue of
> people having passwords stored on their phones, laptops, home
> computers, etc., for their email. I know I've had several phones lost
> in the past few years. None had my network information, but that could
> have been there.
As Mark Bergman pointed out, don't forget about the web browsers that
have been configured to auto-remember all passwords. Or any other
kind of situation where one of your users might use an external
computer belonging to a different person or organization -- with
possible keyloggers, etc....
> What are your thoughts on whether email accounts should be separate
> from normal network accounts? Pros? Cons? Should companies just not
> allow external access to email via POP or IMAP and just require
> Webmail access so users have to manually enter passwords? Does that
> solve the real problem? I'm interested in hearing what everyone has to
> say.
If your management really cares about this sort of thing but you
still have to provide external access, then use a two-factor
authentication system such as SecurID, or some such. But then you
have to deal with the problem of what happens when someone loses
their token/calculator, or the battery dies, or whatever.
If your management doesn't care that much, then you could make one
set of passwords for e-mail only, but you could just as easily ensure
that no one can get into any kind of shell account from the outside,
so that loss of a password would just give someone else access to
e-mail for that account (although that does have certain risks).
Either way, you should make sure you have processes in place to
handle rapidly changing all potentially affected passwords if need
be. And you will need IDS systems to make sure that the same account
isn't logging in simultaneously from different places, or is used in
one place at Time-A, and used in a radically different place at
Time-A+epsilon, for sufficiently small epsilon.
If your management was really paranoid, you wouldn't be allowed to
provide any kind of external access at all, and therefore this
wouldn't be a problem.
--
Brad Knowles <brad@shub-internet.org>, Consultant & Author
LinkedIn Profile: <http://tinyurl.com/y8kpxu>
Slides from Invited Talks: <http://tinyurl.com/tj6q4>
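The "same account in two radically different places within a small epsilon" check that Brad describes above is easy to prototype against login records. The following is an added example, not code from the thread or from any product mentioned in it; it assumes a simplified log format of `user timestamp site` (constructed here, not a real server's output) and treats any change of site label within a configurable epsilon as an alert, which also covers the simultaneous-login case when epsilon is zero.

```python
import datetime as dt
from collections import defaultdict

# Constructed sample login records: user, ISO 8601 timestamp, coarse source label.
# In practice the label would come from GeoIP or a known-network table.
SAMPLE_LOG = """\
alice 2007-02-14T10:00:00 office-main
alice 2007-02-14T10:03:00 office-main
bob   2007-02-14T10:05:00 office-main
bob   2007-02-14T10:07:00 hotel-overseas
carol 2007-02-14T09:00:00 home-dsl
carol 2007-02-14T13:00:00 office-main
"""


def parse_log(text):
    """Turn the whitespace-separated records into (user, datetime, site) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, stamp, site = line.split()
        events.append((user, dt.datetime.fromisoformat(stamp), site))
    return events


def find_impossible_travel(events, epsilon=dt.timedelta(minutes=30)):
    """Flag consecutive logins for one account from different sites
    closer together in time than epsilon (Brad's Time-A / Time-A+epsilon test).
    Returns a list of (user, site_a, site_b, gap) tuples."""
    by_user = defaultdict(list)
    for user, when, site in events:
        by_user[user].append((when, site))

    alerts = []
    for user, logins in by_user.items():
        logins.sort()  # chronological order per account
        for (t1, s1), (t2, s2) in zip(logins, logins[1:]):
            if s1 != s2 and (t2 - t1) <= epsilon:
                alerts.append((user, s1, s2, t2 - t1))
    return alerts


if __name__ == "__main__":
    for user, a, b, gap in find_impossible_travel(parse_log(SAMPLE_LOG)):
        print(f"ALERT {user}: {a} -> {b} within {gap}")
```

Carol's move from home to the office four hours later is left alone, while Bob appearing at a second site two minutes after the first trips the alert. The right epsilon depends on how coarse the site labels are; with city-level GeoIP you would scale it by the distance between the two points rather than use a fixed window.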