Computer Vulnerabilities
Written by Eric Knight, C.I.S.S.P.
Last Revision: March 9, 2000
Original Publication: March 6, 2000
DRAFT
This publication is Copyright © 2000 by Eric Knight, All Rights Reserved
Any feedback can be sent to knight@securityparadigm.com
Dedication
This book is dedicated to the people that believed in vulnerabilities enough to give some of their life toward
making this book a reality:
Kevin Reynolds, William Spencer, Andrew Green, Brian Martin, Scott Chasin, and Elias Levy

And also I wish to dedicate this to my parents, Dr. Douglas Knight and Rose Marie Knight, for giving me
the freedom even at a very young age to keep an open mind and encourage me to pursue my interests,
believing that I would not let them down.

Without each of these people, all of whom have inspired me, directed me, aided me, and informed me, it is
doubtful that this book would have ever been written.
Table of Contents
INTRODUCTION ..... 6
ANATOMY OF A VULNERABILITY ..... 7
    VULNERABILITY ATTRIBUTES ..... 8
        Fault ..... 9
        Severity ..... 9
        Authentication ..... 10
        Tactic ..... 10
        Consequence ..... 11
    ATTRIBUTES AND VULNERABILITIES ..... 11
LOGIC ERRORS ..... 12
    OPERATING SYSTEM VULNERABILITIES ..... 12
    APPLICATION SPECIFIC VULNERABILITIES ..... 13
    NETWORK PROTOCOL DESIGN ..... 13
    FORCED TRUST VIOLATIONS ..... 14
SOCIAL ENGINEERING ..... 15
    GAINING ACCESS ..... 15
        “I forgot my password!” ..... 15
        “What is your password?” ..... 16
        Fishing for Information ..... 17
        Trashing ..... 17
        Janitorial Right ..... 17
    CRIMINAL SABOTAGE ..... 17
        Corporate Sabotage ..... 17
        Internal Sabotage ..... 18
        Extortion ..... 18
COMPUTER WEAKNESS ..... 19
    SECURITY THROUGH OBSCURITY ..... 19
    ENCRYPTION ..... 19
        Cryptographic Short Cuts ..... 20
        Speed of Computer ..... 20
        Lack of a Sufficiently Random Key ..... 20
    PASSWORD SECURITY ..... 20
    SECURE HASHES ..... 20
    AGED SOFTWARE AND HARDWARE ..... 21
    PEOPLE ..... 21
POLICY OVERSIGHTS ..... 22
    RECOVERY OF DATA ..... 22
    RECOVERY OF FAILED HARDWARE ..... 23
    INVESTIGATION OF INTRUDERS ..... 23
    INVESTIGATION OF WHEN THE COMPANY IS ACCUSED OF INTRUDING ON OTHERS ..... 23
    PROSECUTION OF INTRUDERS ..... 23
    PROSECUTION OF CRIMINAL EMPLOYEES ..... 23
    REPORTING OF INTRUDERS AND CRIMINAL EMPLOYEES TO THE PROPER AGENCIES ..... 23
    PHYSICAL SECURITY OF THE SITE ..... 24
    ELECTRICAL SECURITY OF THE SITE ..... 24
