North American Network Operators Group

Re: SSH on the router - was( IT security people sleep well)

Hmm. I watched it _exactly_ as you described, and guess where? In a hacker's sniffer files. (4 years ago, sorry.)

One idiot telnetted to his scientific lab (which had no security and had a few layers of sniffers installed by a few generations of hackers), and then did slogin through a chain of 4 more systems, revealing all 4 passwords to the happy hacker.

(On the other hand, we used... telnet on a non-standard port + S/Key one-time passwords... and it was enough to prevent any hackers from sniffing and any chance to log in after us, except a _man in the middle_ attack, which was blocked in other ways... I can say that a one-time password is more important than ssh (and I prefer both -:)).

(It can be S/Key, OTP, SecurID, hand scan...)

----- Original Message -----
From: <[email protected]>
To: <[email protected]>
Sent: Tuesday, June 08, 2004 4:38 AM
Subject: Re: SSH on the router - was( IT security people sleep well)

>
> > > Consider the case of a staff member lounging in the backyard on
> > > a lazy Saturday afternoon with their iBook. They have an 802.11
> > > wireless LAN at home so they telnet to their Linux box in the
> > > kitchen and run SSH to the router. Ooops!
> >
> > I see. SSH doesn't solve all problems, and therefore must be
> > worthless.
>
> No.
> SSH doesn't solve all problems because it is only a protocol.
> The human element is the most important one to consider in
> network security.
>
> > Now let's look at kerberized telnet. Someone logs in via
> > kerberized telnet over an insecure network, then decides to
> > change his/her password. Oops.
>
> Exactly!
> Technology is worthless if it is not used properly. Network
> engineers are technology experts not security experts. They
> often need training to raise their awareness of security issues.
> Remember the study a while back that found that the largest
> single factor that caused network failures was human error?
>
> > > The only way to protect against that sort of situation is to
> > > encourage everyone to be security-minded and not take risks
> > > where the network is concerned.
> >
> > Definitely. Alas, I'm seeing more "it won't happen to me" than
> > in the past. It's almost as if the "logic" is "I hear more about
> > this, but haven't noticed anything awful, and therefore must be
> > invincible."
>
> The question in that case is: "Do you know, in enough detail, what
> is going on in your network that you can confidently say that nothing
> awful is happening?".
>
> --Michael Dillon
>
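
The reply above credits S/Key one-time passwords with making sniffed telnet logins useless to an eavesdropper. The following sketch is an added example, not part of the original thread: it shows the hash-chain idea behind such schemes, with SHA-256 swapped in for S/Key's own hash, and with the pass phrase, seed, class and function names all constructed for illustration.

```python
import hashlib
import hmac

def H(data: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the hash used by real S/Key.
    return hashlib.sha256(data).digest()

def otp(secret: bytes, seed: bytes, n: int) -> bytes:
    """n-th one-time password: H applied n times to seed + secret."""
    value = seed + secret
    for _ in range(n):
        value = H(value)
    return value

class Server:
    """Holds only the last accepted chain value, never the secret."""
    def __init__(self, initial: bytes, count: int):
        self.stored = initial
        self.count = count  # chain position of the stored value

    def challenge(self) -> int:
        return self.count - 1  # position the user must answer with

    def login(self, response: bytes) -> bool:
        if self.count <= 1:  # chain exhausted, user must re-initialise
            return False
        if not hmac.compare_digest(H(response), self.stored):
            return False
        self.stored = response  # next login needs the preimage of this
        self.count -= 1
        return True

def demo():
    secret, seed = b"constructed pass phrase", b"ke1234"  # constructed values
    server = Server(otp(secret, seed, 100), 100)
    sniffed = otp(secret, seed, server.challenge())  # sent in cleartext
    first = server.login(sniffed)                    # legitimate login
    replay = server.login(sniffed)                   # eavesdropper replays it
    forward = server.login(H(sniffed))               # eavesdropper hashes it
    second = server.login(otp(secret, seed, server.challenge()))
    return first, replay, forward, second

if __name__ == "__main__":
    print(demo())
```

A captured password only lets the eavesdropper compute values the server has already consumed; it does nothing against an active man in the middle relaying the session, which the reply notes had to be blocked by other means.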