Date: Tue, 31 Jul 2001 02:16:01 -0700
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "Mike Meyer" <mwm@mired.org>
Cc: <questions@FreeBSD.ORG>
Subject: RE: URGENT - Seems like i've been hacked... what to do now?
Message-ID: <005f01c119a1$6b005ee0$1401a8c0@tedm.placo.com>
In-Reply-To: <15205.18337.148080.887001@guru.mired.org>
> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Mike Meyer
> Sent: Monday, July 30, 2001 4:40 AM
> To: Ted Mittelstaedt
> Cc: questions@FreeBSD.ORG
> Subject: RE: URGENT - Seems like i've been hacked... what to do now?
>
> > If I happen
> > to get called in to the company to do something, I'm not going to find a
> > convenient system that's got an SSH client installed, although all of the
> > systems have Windows Telnet on them.
>
> Been there, done that. Putty is free, available over the network, and
> takes just a few minutes to install.

Except that with the customers I've dealt with, the second I install anything on a customer system I will end up getting 3 calls over the subsequent 2 weeks from the customer complaining that I "broke" their system by installing something on it. Of course the problem would not be the installation of Putty, but you can't convince a fool with a head of stone of that. As it is I still end up getting at least 1 call that burns up 15 minutes of unbillable time just by even setting fingertips to a keyboard for baloney like this. At least if I haven't actually changed anything on their desktop I can convince them that possibly the problem might be _their_ crappy hardware and to get me out to fix it is going to be billable time.

You quickly learn as a consultant to change as little as possible on a network that you are called in to administer. When I was first doing this I was much more idealistic and when I saw bandaids and screwed-up messes on people's networks I would try to fix them. It's very unprofitable and unappreciated. People really don't want to be helped out of their mistakes. Sometimes I think the crackers have the right idea - you have to break their crummy systems badly before they will fix them properly.

> The CISCO routers example require
> telnet, but would also cause me to beat on CISCO.

Many Cisco routers, like the 1005, were designed and built years ago long before the usefulness of these standards became obvious, and do not have the RAM or flash space to be upgraded to current code. Not everybody has a nice WAN with modern routers.

> SSH is
> freely available for most boxes with CPUs, has almost no cost, and
> significantly reduces the risk associated with sending passwords over
> the network.

And in hostile networks you need to have them. For example, I'd avoid doing anything unencrypted over a college dormitory network; you just know that there's a dozen wannabes running sniffers on that. But in internal corporate networks they have ways of dealing with smart asses that think they are going to sniff the administrator's passwords that are far more effective than SSH. Not to mention on modern corporate nets the majority of the network is heavily switched and sniffers aren't generally effective without being more intrusive to the network than the wannabe is willing to go.

> This is a stupid thing from a security perspective, but has absolutely
> nothing to do with either the cost of installing ssh, or the risks it
> helps reduce. ssh reduces the risks associated with sending passwords
> around the network. That the machines are trivially stolen doesn't
> change either that risk or the costs associated with installing
> ssh. While you might spend less on other security measures because one
> specific one is poor, neglecting them is a bad idea.

Yes, this is the argument the people would use to justify NOT moving the servers. It's an effective argument right up to the day you come in and find a gaping hole and no servers left. If ONE security measure is deliberately forced to be insecure, then you're better off from a political standpoint to simply declare the server totally insecure and not even bother spending time to support security measures on it. Otherwise all you do is give a security blanket to the users to make them feel safe that actually provides no real security.

This is the same argument over password aging. Frankly, a system that has regular logins that require passwords, that does not enforce password aging, is just as wide open as a system that requires no passwords at all. In fact it's worse because ultimately you're going to have a few naughty people that steal some user accounts' passwords. Then you have a situation where the userbase all believes that they are secure because passwords are required when in reality some of them have been compromised.

To do the security thing right it's either an all-or-nothing proposition. Either you lock the entire thing down, disable Telnet and only run SSH, physically secure it and control access to it and to the network, or you just consider the system already compromised and make sure that there's nothing of value on it. Doing a half-assed job like you're advocating, where you secure some things and not others, just leaves gaping holes and a false sense of security.

> You wouldn't set
> the machines to not have a root password just because they have poor
> physical security.

This is just another example of what I'm talking about. A FreeBSD system with an unaged root password that has poor physical security is IDENTICAL to a FreeBSD system that has no root password. Without physical security anyone can come by and reboot the system into single user mode and reset the root password to their own password in just a few minutes.

> > Anyway, the DMCA is just waiting for a court test in front of the Supreme
> > Court and it will happen eventually and the law will be tossed out and
> > that will be that.
>
> You give the US legal system more credit than I do. While I certainly
> hope it gets tossed out, I wouldn't bet on it.

I would - but I wouldn't bet on it being tossed out _soon_. The legal system takes years to digest things.
Ted Mittelstaedt
tedm@toybox.placo.com
Author of: The FreeBSD Corporate Networker's Guide
Book website: http://www.freebsd-corp-net-guide.com
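The single-user-mode point above depends on how the console is flagged in FreeBSD's /etc/ttys: a console marked `secure` lets a single-user boot drop straight to a root shell, while `insecure` (or no flag at all) makes init(8) demand the root password first, which is the standard partial mitigation for machines without physical security. The audit script below is an added example, not code from the thread or from FreeBSD itself; it takes the path of a ttys file as its argument and reports which way the console is set, using a constructed sample file.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a FreeBSD-style
# ttys file marks the console "secure" (single-user boot gets a root
# shell with no password prompt) or "insecure" (root password required).
# ttys(5) format: name getty type status [secure|insecure] [other flags]

# Print "secure", "insecure" or "missing" for the console entry in file $1.
console_flag() {
    awk '
        $1 == "console" {
            found = 1
            for (i = 2; i <= NF; i++) {
                if ($i == "secure")   { print "secure";   exit }
                if ($i == "insecure") { print "insecure"; exit }
            }
            # No explicit flag: ttys(5) treats the terminal as not secure.
            print "insecure"; exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Succeed (exit 0) when a single-user boot will require the root password.
console_requires_root_password() {
    [ "$(console_flag "$1")" = "insecure" ]
}

# Constructed sample: the default-style "secure" console beside a hardened one.
sample=$(mktemp)
printf '# name getty type status comments\n' > "$sample"
printf 'console none unknown off secure\n' >> "$sample"
printf 'ttyv0 "/usr/libexec/getty Pc" xterm on secure\n' >> "$sample"
echo "sample 1 console flag: $(console_flag "$sample")"

printf 'console none unknown off insecure\n' > "$sample"
if console_requires_root_password "$sample"; then
    echo "sample 2: single-user mode will ask for the root password"
fi
rm -f "$sample"
```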