Re: Internet Attack Called Broad and Long Lasting by Investigators

2005-05-10 Thread Scott Weeks



Even though this article wasn't specifically regarding network operations,
it does come down to the most fundamental of network operating practices.
Create policies and the procedures that enable those policies.  Then
enforce them VERY strictly.

   The crucial element in the password thefts that provided access at
   Cisco and elsewhere was the intruder's use of a corrupted version of a
   standard software program, SSH.

   The intruder probed computers for vulnerabilities that allowed the
   installation of the corrupted program, known as a Trojan horse

   In the Cisco case, the passwords to Cisco computers were sent from a
   compromised computer by a legitimate user unaware of the Trojan horse

Folks that handle sensitive info (proprietary code, personal info, HIPAA,
FERPA, SOX, .mil, etc, etc) should be allowed to download software only
from company servers where all software has been cleared by folks that're
experts in evaluating software packages.  Not from the general internet.

scott




Re: Internet Attack Called Broad and Long Lasting by Investigators

2005-05-10 Thread Jim Popovitch

This part:

The crucial element in the password thefts that provided access
 at Cisco and elsewhere was the intruder's use of a corrupted
 version of a standard software program, SSH. The program is used
 in many computer research centers for a variety of tasks, 
 ranging from administration of remote computers to data transfer
 over the Internet.

reminds me of the SourceForge attack a few years back
http://www.apache.de/info/20010519-hack.html

-Jim P.

On Mon, 2005-05-09 at 22:37 -0700, Steven M. Bellovin wrote:
 SAN FRANCISCO, May 9 - The incident seemed alarming enough: a breach
 of a Cisco Systems network in which an intruder seized programming
 instructions for many of the computers that control the flow of
 the Internet.
 
 Now federal officials and computer security investigators have
 acknowledged that the Cisco break-in last year was only part of a
 more extensive operation - involving a single intruder or a small
 band, apparently based in Europe - in which thousands of computer
 systems were similarly penetrated.
 
 
 
 
 http://www.nytimes.com/2005/05/10/technology/10cisco.html?hp&ex=1115784000&en=eeb27da2e75ec022&ei=5094&partner=homepage
 
 
   --Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
 
 



RE: Internet Attack Called Broad and Long Lasting by Investigators

2005-05-10 Thread Scott Morris

Closing people's systems down from any other software installations isn't
necessarily the solution.  It can delay progress in many cases, and not
everyone has IT staff that may be as up to speed as necessary.

The requirement should be more along the lines of software designed to scan
the system for things like that and alert/remove it.  That kind of
requirement at least gives flexibility and a good kick in the butt to
implement good assessment tools at the PC or network level.

All it takes is one user outside the norm to mess up LOTS of work and
policies trying to keep things right!

Scott 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Scott Weeks
Sent: Tuesday, May 10, 2005 2:16 AM
To: [EMAIL PROTECTED]
Subject: Re: Internet Attack Called Broad and Long Lasting by Investigators




Even though this article wasn't specifically regarding network operations, it
does come down to the most fundamental of network operating practices.
Create policies and the procedures that enable those policies.  Then enforce
them VERY strictly.

   The crucial element in the password thefts that provided access at
   Cisco and elsewhere was the intruder's use of a corrupted version of a
   standard software program, SSH.

   The intruder probed computers for vulnerabilities that allowed the
   installation of the corrupted program, known as a Trojan horse

   In the Cisco case, the passwords to Cisco computers were sent from a
   compromised computer by a legitimate user unaware of the Trojan horse

Folks that handle sensitive info (proprietary code, personal info, HIPAA,
FERPA, SOX, .mil, etc, etc) should be allowed to download software only from
company servers where all software has been cleared by folks that're experts
in evaluating software packages.  Not from the general internet.

scott




RE: Internet Attack Called Broad and Long Lasting by Investigators

2005-05-10 Thread Scott Weeks


: Even though this article wasn't specifically regarding network operations, it
: does come down to the most fundamental of network operating practices.
: Create policies and the procedures that enable those policies.  Then enforce
: them VERY strictly.

: Folks that handle sensitive info (proprietary code, personal info, HIPAA,
: FERPA, SOX, .mil, etc, etc) should be allowed to download software only from
: company servers where all software has been cleared by folks that're experts
: in evaluating software packages.  Not from the general internet.



On Tue, 10 May 2005, Scott Morris wrote:

: Closing people's systems down from any other software installations isn't
: necessarily the solution.  It can delay progress in many cases, and not
: everyone has IT staff that may be as up to speed as necessary.

Ok, for smaller companies, yes.  You have to trade off productivity and
risk.  But in a smaller company you will likely know each individual and
their level of tech savvy.  Red flags should pop up if they have a low
level of understanding, have access to machines with sensitive or
proprietary info and have the permission level to install software.

Also, in this case we're talking Cisco, NASA, .mil networks and research
labs.  They have the ability to enforce policy and the need to be VERY
risk averse WRT losing sensitive data.  In organizations that size, it's
the enforcement that's hard to pull off.  It requires strict policy
definition and procedure adherence.  Don't give folks that have access to
machines that hold sensitive info the ability to download software unless
you know they're savvy enough to do so safely.  If you do allow the less
savvy folks who have access to sensitive machines to install software,
force the packages to be downloaded from a company repository.


: The requirement should be more along the lines of software designed to scan
: the system for things like that and alert/remove it.  That kind of
: requirement at least gives flexibility and a good kick in the butt to
: implement good assessment tools at the PC or network level.

In the article, it was too late by that time.  The data was compromised.
They didn't trade off risk and productivity well, or didn't enforce policy
through procedure, or...


: All it takes is one user outside the norm to mess up LOTS of work and
: policies trying to keep things right!

Anyone with access to machines that hold sensitive material should be held
to a higher standard than the rest of the organization.  You risk losing
your treasure through these people.

scott
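Scott Weeks's point (install only what the company repository has cleared) and Scott Morris's point (run software that scans the system for tampered programs and alerts) come down to the same mechanical check: compare what is on disk against a digest manifest published by someone who vetted the packages, and flag anything that differs, is unlisted, or has gone missing. The following is an added example, not code from this thread or from any product or organisation mentioned in it. It assumes a sha256sum-style manifest (`<hex digest>  <relative path>`) and a directory tree to scan; the files and the "trojaned ssh" it builds in a temporary directory are constructed stand-ins, not the program from the article.

```python
"""Check installed software against a manifest of cleared SHA-256 digests.

Added example for the thread above; not from the thread or any project it
names.  Assumption: the organisation publishes a manifest of digests for the
software it has cleared, in the same layout sha256sum(1) writes.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse '<64 hex chars>  <relative path>' lines; '#' comments and blanks are skipped.

    A malformed line raises rather than silently shrinking the set of checked files.
    """
    manifest: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno}: malformed entry")
        digest, rel = parts
        # sha256sum marks binary-mode entries with a leading '*'; drop it.
        manifest[rel.lstrip("*")] = digest.lower()
    return manifest


def scan(root: Path, manifest: Dict[str, str]) -> Dict[str, str]:
    """Return {relative path: status} covering every file under root and every manifest entry.

    ok        digest matches the cleared manifest
    modified  file exists but its digest differs (e.g. a replaced ssh binary)
    unknown   file is present but was never cleared (downloaded from elsewhere)
    missing   manifest lists it, but it is not on disk
    """
    results: Dict[str, str] = {}
    seen = set()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        expected = manifest.get(rel)
        if expected is None:
            results[rel] = "unknown"
        elif sha256_file(path) == expected:
            results[rel] = "ok"
        else:
            results[rel] = "modified"
    for rel in manifest:
        if rel not in seen:
            results[rel] = "missing"
    return results


def demo() -> Dict[str, str]:
    """Constructed scenario: one cleared file, one tampered ssh, one unlisted download, one missing."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        scp_cleared = b"#!/bin/sh\necho scp\n"
        ssh_cleared = b"#!/bin/sh\nexec /usr/lib/ssh.real \"$@\"\n"
        (root / "bin" / "scp").write_bytes(scp_cleared)
        # Stand-in for a trojaned client: same name, extra code appended.
        (root / "bin" / "ssh").write_bytes(ssh_cleared + b"# constructed: logs typed passwords\n")
        # Stand-in for something grabbed from the general internet, never cleared.
        (root / "bin" / "putty").write_bytes(b"unlisted download\n")
        manifest_text = "\n".join([
            "# cleared software, as published on the company repository (constructed)",
            f"{hashlib.sha256(scp_cleared).hexdigest()}  bin/scp",
            f"{hashlib.sha256(ssh_cleared).hexdigest()}  bin/ssh",
            f"{hashlib.sha256(b'sftp').hexdigest()}  bin/sftp",
        ])
        return scan(root, parse_manifest(manifest_text))


if __name__ == "__main__":
    for rel, status in sorted(demo().items()):
        print(f"{status:9s} {rel}")
```

The manifest itself has to come from the cleared repository over a channel the scanned host cannot tamper with (and ideally be signed), otherwise an intruder who replaces `ssh` can replace the manifest too; the check only tells you whether the disk still matches what the vetting team approved.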





RE: Internet Attack Called Broad and Long Lasting by Investigators

2005-05-10 Thread Jim Popovitch

On Tue, 2005-05-10 at 10:24 -1000, Scott Weeks wrote:
 Don't give folks that have access to machines that hold sensitive 
 info the ability to download software unless you know they're savvy 
 enough to do so safely. 

I don't see that as root of the problem.  

To me the real problem is in the use and handling of usernames and
passwords.  Take your typical contractor or SE (I used to be one): they
have usernames and passwords for their corporate systems as well as
customer systems.  OK, so they may be careful who they share those
credentials with, but they aren't careful enough with how they use those
credentials themselves.  I wish I had a nickel for every time I've seen
a person assume everything was a-ok since they were using ssh, even
though they couldn't have told you who installed ssh (or the remote
sshd) on the systems.  So, the SE ssh's into *your* corporate systems
using ssh on their laptop (probably d/l'ed by googling for PuTTY or SSH
and pulling the first available URL) while on a service call to your
facility.  Or how about the SE who ssh's into *their* corporate network
from some rogue contractor box inside your network.  Then there are
those people who run bleeding edge O/Ses that constantly update from
god-only-knows-where servers all over the world... what version of ssh
is installed today?  And there are those co-workers who think they
know what they are doing but really don't.  Ever dropped a BSOD
screensaver onto a co-worker's computer?  Dropping a bogus ssh executable
is even easier.

Use LDAP?  Isn't it nice having one username and password for *all*
things?  The l33t [ch]4ck3rs love LDAP credentials.  Your SSH password
is the same as your IMAP/SMTP/POP3/HTTP/RDP password.

In short: people need to not only respect their login credentials, they
need to only use them from trusted systems and constantly be vigilant
about the level of trust they have for those systems.  DON'T mix
usernames and passwords between differing classifications of systems.

-Jim P.