It came to my attention, after reviewing the Debian report, that there are many mail systems out there, which use userland accounts for POP mail (not secure, but plaintext) that also have SSH logins enabled. I was guessing that this might've been how they got in with a "sniffed password".
I don't know how they could get a keyboard sniffer on a developer's machine without first compromising that machine, in a similar fashion; so I'm assuming that something like a shared [plaintext] password was packet-sniffed initially... which still begs the question of where the packets were sniffed. Was an ISP compromised or some insider helping out? Maybe a developer was working via wifi, without considering the implications? What do you think of this, Hal?

Thanks,
Ben

On Wed, 3 Dec 2003 12:06:33 -0800 Bob Miller <[EMAIL PROTECTED]> wrote:

| Hal Pomeranz wrote:
|
| > The only thing that worries me about the write up is the fact that a
| > "sniffed password" was used to break into several machines. I have to
| > ask why they're not using SSH for all communications to/from these
| > boxes and why they're not using something better than re-usable
| > passwords for access control. It's not clear that these
| > "vulnerabilities" that led to the original compromise have been closed,
| > although the kernel bug that allowed the "break root" apparently has
| > been.
|
| I believe they are using ssh, and the password was sniffed by a
| keystroke sniffer on a developer's machine.
|
| As for something better than reusable passwords, what would you
| recommend? Most developers never get within a thousand miles of the
| servers, so anything that requires physical access is out. There is
| no budget, so smart card and biometric based systems are out. Public
| key systems don't help -- if an attacker can install a keyboard
| sniffer, he can copy a private key.
|
| Could S/KEY be used here? How would the keys be distributed securely?
|
| If there's a good solution available here, I'm too dumb to see it.

_______________________________________________
EuG-LUG mailing list
[EMAIL PROTECTED]
http://mailman.efn.org/cgi-bin/listinfo/eug-lug
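The S/KEY question at the end of the quoted message turns on how a hash-chain one-time password works: the server stores only the last accepted hash, so nothing secret has to be distributed to it, and a password captured on the wire cannot be replayed because the next login must present the chain's predecessor. The following is an added illustration, not code from this thread; it uses a simplified SHA-256 chain rather than the byte-exact RFC 2289 format, and every name and sample value in it is constructed.

```python
import hashlib
import secrets

# Simplified S/KEY-style hash chain (hypothetical; SHA-256 instead of the
# RFC 2289 MD4/MD5/SHA-1 folding).  Client keeps the passphrase; server keeps
# only the sequence number and the last hash it accepted.

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def make_chain(passphrase: str, seed: str, n: int) -> list[bytes]:
    """Return [h^0(s), h^1(s), ..., h^n(s)] with s = passphrase || seed."""
    x = (passphrase + seed).encode()
    chain = [x]
    for _ in range(n):
        x = _h(x)
        chain.append(x)
    return chain

def client_otp(passphrase: str, seed: str, seq: int) -> bytes:
    """Client-side: the one-time password for sequence number seq."""
    return make_chain(passphrase, seed, seq)[seq]

class OtpServer:
    def __init__(self, seed: str, n: int, last_hash: bytes):
        self.seed, self.seq, self.last_hash = seed, n, last_hash  # no secret held

    def challenge(self) -> tuple[int, str]:
        return self.seq - 1, self.seed

    def verify(self, seq: int, otp: bytes) -> bool:
        # Only the immediate predecessor is valid, and never seq 0 (the raw
        # secret); a chain that runs out must be re-initialised.
        if seq != self.seq - 1 or seq < 1:
            return False
        if not secrets.compare_digest(_h(otp), self.last_hash):
            return False
        self.last_hash, self.seq = otp, seq   # advance; old otp now useless
        return True

def demo() -> list[bool]:
    passphrase, seed, n = "correct horse", "eu12345", 5   # constructed sample
    server = OtpServer(seed, n, make_chain(passphrase, seed, n)[n])  # init
    results = []
    seq, s = server.challenge()
    otp = client_otp(passphrase, s, seq)
    results.append(server.verify(seq, otp))   # fresh password: accepted
    results.append(server.verify(seq, otp))   # same password replayed: rejected
    seq, s = server.challenge()
    results.append(server.verify(seq, client_otp(passphrase, s, seq)))
    return results
```

Note that this only defeats a password sniffed in transit; as the quoted message points out, a keystroke sniffer on the developer's machine still captures the passphrase the chain is derived from.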