Internet Attack Called Broad and Long Lasting by Investigators

SAN FRANCISCO, May 9 - The incident seemed alarming enough: a breach
of a Cisco Systems network in which an intruder seized programming
instructions for many of the computers that control the flow of
the Internet.

Now federal officials and computer security investigators have
acknowledged that the Cisco break-in last year was only part of a
more extensive operation - involving a single intruder or a small
band, apparently based in Europe - in which thousands of computer
systems were similarly penetrated.

....

http://www.nytimes.com/2005/05/10/technology/10cisco.html?hp&ex=1115784000&en=eeb27da2e75ec022&ei=5094&partner=homepage

    --Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb

This part:

    "The crucial element in the password thefts that provided access
     at Cisco and elsewhere was the intruder's use of a corrupted
     version of a standard software program, SSH. The program is used
     in many computer research centers for a variety of tasks,
     ranging from administration of remote computers to data transfer
     over the Internet."

reminds me of the SourceForge attack a few years back
http://www.apache.de/info/20010519-hack.html

-Jim P.

Even though this article wasn't specifically regarding network operations,
it does come down to the most fundamental of network operating practices.
Create policies and the procedures that enable those policies. Then
enforce them VERY strictly.

   The crucial element in the password thefts that provided access at
   Cisco and elsewhere was the intruder's use of a corrupted version of a
   standard software program, SSH.

   The intruder probed computers for vulnerabilities that allowed the
   installation of the corrupted program, known as a Trojan horse

   In the Cisco case, the passwords to Cisco computers were sent from a
   compromised computer by a legitimate user unaware of the Trojan horse

Folks that handle sensitive info (proprietary code, personal info, HIPAA
FERPA, SOX, .mil, etc, etc) should be allowed to download software only
from company servers where all software has been cleared by folks that're
experts in evaluating software packages. Not from the general internet.

scott

Closing people's systems down from "any" other software installations isn't
necessarily the solution. It can delay progress in many cases, and not
everyone has IT staff that may be as up to speed as necessary.

The requirement should be more along the lines of software designed to scan
the system for things like that and alert/remove it. That kind of
requirement at least gives flexibility and a good kick in the butt to
implement good assessment tools at the PC or network level.

All it takes is one user outside the "norm" to mess up LOTS of work and
policies trying to keep things right!

Scott

: Even though this article wasn't specifically regarding network operations, it
: does come down to the most fundamental of network operating practices.
: Create policies and the procedures that enable those policies. Then enforce
: them VERY strictly.

: Folks that handle sensitive info (proprietary code, personal info, HIPAA
: FERPA, SOX, .mil, etc, etc) should be allowed to download software only from
: company servers where all software has been cleared by folks that're experts
: in evaluating software packages. Not from the general internet.

I don't see that as root of the problem.

To me the real problem is in the use and handling of usernames and
passwords. Take your typical contractor or SE (I used to be one): they
have usernames and passwords for their corporate systems as well as
customer systems. OK, so they may be careful who they share those
credentials with, but they aren't careful enough with how they use those
credentials themselves. I wish I had a nickel for every time I've seen
a person assume everything was a-ok since they were using ssh, even
though they couldn't have told you who installed ssh (or the remote
sshd) on the systems. So, the SE ssh's into *your* corporate systems
using ssh on their laptop (probably d/l'ed by googling for PuTTY or SSH
and pulling the first available URL) while on a service call to your
facility. Or how about the SE who ssh's into *their* corporate network
from some rogue contractor box inside your network. Then there are
those people who run bleeding edge O/Ses that constantly update from
god-only-knows-where servers all over the world... what version of ssh
is installed today? And there are those co-workers who "think" they
know what they are doing but really don't. Ever dropped a BSOD
screensaver onto a co-worker's computer? Dropping a bogus ssh executable
is even easier.

Use LDAP? Isn't it nice having one username and password for *all*
things? The l33t [ch]4ck3rs love LDAP credentials. Your SSH password
is the same as your IMAP/SMTP/POP3/HTTP/RDP password.

In short: people need to not only respect their login credentials, they
need to only use them from trusted systems and constantly be vigilant
about the level of trust they have for those systems. DON'T mix
usernames and passwords between differing classifications of systems.

-Jim P.
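Scott's call for something that scans the system and alerts, and Jim's point that most people cannot say who installed the ssh they type their password into, come down to the same host-level check: does each SSH binary still match a known-good baseline, and is the "ssh" the shell actually runs the one in the trusted directory, or a copy dropped earlier in PATH? The script below is an added example, not code from anyone on this thread. The WATCHED list, the single-directory layout and the demo() scenario (fake binaries in a temp dir, one tampered, one shadow copy in a user-writable bin) are constructed assumptions; on a real host you would point it at /usr/bin and keep the baseline somewhere the host cannot rewrite.

```python
#!/usr/bin/env python3
"""Baseline-and-verify check for SSH client binaries (added example).

Assumes an OpenSSH-style install with all binaries in one directory.
WATCHED and the demo inputs are assumptions, not taken from the thread.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Assumption: adjust for your platform (sshd lives in sbin on most systems).
WATCHED = ["ssh", "scp", "sftp", "ssh-agent", "ssh-add"]


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(bindir):
    """Record hash, size and permission bits of each watched binary present.

    Keep the result off-host or on read-only media: an intruder with root
    will otherwise just re-baseline after dropping the trojan.
    """
    baseline = {}
    for name in WATCHED:
        p = Path(bindir) / name
        if p.is_file():
            st = p.stat()
            baseline[name] = {
                "sha256": sha256_of(p),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return baseline


def verify(bindir, baseline):
    """Compare current binaries to the baseline; return (name, problem) pairs."""
    findings = []
    for name, expected in baseline.items():
        p = Path(bindir) / name
        if not p.is_file():
            findings.append((name, "missing"))
            continue
        if sha256_of(p) != expected["sha256"]:
            findings.append((name, "hash mismatch"))
        if stat.S_IMODE(p.stat().st_mode) != expected["mode"]:
            findings.append((name, "mode changed"))
    return findings


def shadowing_entry(name, trusted_dir, path_env):
    """Return the path a shell would run for `name` if it is outside trusted_dir.

    A trojan need not overwrite /usr/bin/ssh: a copy earlier in PATH
    (~/bin, ., /usr/local/bin) captures every password typed just as well.
    """
    trusted = Path(trusted_dir).resolve()
    for d in path_env.split(os.pathsep):
        cand = Path(d) / name
        if cand.is_file() and os.access(cand, os.X_OK):
            return None if cand.resolve().parent == trusted else str(cand)
    return None


def demo():
    """Constructed scenario: fake binaries, a tampered ssh, and a PATH shadow."""
    root = Path(tempfile.mkdtemp())
    bindir = root / "usr" / "bin"
    bindir.mkdir(parents=True)
    for name in WATCHED:
        f = bindir / name
        f.write_bytes(b"#!/bin/sh\necho fake " + name.encode() + b"\n")
        f.chmod(0o755)
    baseline = build_baseline(bindir)
    clean = verify(bindir, baseline)  # nothing changed yet

    # Simulated trojan: same name and mode, different contents.
    (bindir / "ssh").write_bytes(b"#!/bin/sh\nlog_password; exec ssh.real\n")
    # Simulated shadow copy in a user-writable directory that precedes bindir.
    userbin = root / "home" / "se" / "bin"
    userbin.mkdir(parents=True)
    (userbin / "ssh").write_bytes(b"#!/bin/sh\nlog_password\n")
    (userbin / "ssh").chmod(0o755)
    shadowed_path = os.pathsep.join([str(userbin), str(bindir)])

    return {
        "clean": clean,
        "findings": verify(bindir, baseline),
        "shadow": shadowing_entry("ssh", bindir, shadowed_path),
        "no_shadow": shadowing_entry("ssh", bindir, str(bindir)),
    }


if __name__ == "__main__":
    print(demo())
```

Run it from cron against the real install directory with the baseline on read-only media, and treat a non-empty findings list or a non-None shadow as an incident, not a warning: the whole point of the thread is that the user of the trojaned client sees nothing wrong.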