IT security people sleep well

Survey: Despite dangers, IT personnel sleep well
By Bill Brenner, News Writer
27 May 2004 | SearchSecurity.com

Security practitioners know hackers are working overtime to attack their
networks; that they're relying on outdated and unreliable security
protocols. Despite it all, many still get a good night's rest.

Of 337 IT managers and administrators surveyed April 26-30, 32% worry
about "the next virus/worm" and an equal percentage fear "a security
breach to the enterprise's network." But 34% said they have "no worries"
at all and "sleep like a baby," according to results published this week
by a Michigan research firm.

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci967353,00.html

And the press release
http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/05-24-2004/0002179958&EDATE=

Two issues tied as being of prime concern to those network administrators
surveyed: 32% responded that they worry most about "the next virus/worm"
and an equal percentage answered they worry most about "a security breach
to the enterprise's network." The big surprise was that 34% of survey
respondents said they had "no worries and sleep like a baby."

Sean Donelan wrote:

Survey: Despite dangers, IT personnel sleep well
By Bill Brenner, News Writer
27 May 2004 | SearchSecurity.com

I liked this quote,

   About 43% of respondents said they're using the Secure Shell (SSH)
   protocol to protect data, secure remote access, and perform network
   management. But while the current SSH2 is considered to be
   significantly more secure, nearly 45% said they are continuing to
   mostly use the older SSH1 protocol. A cause for greater concern,
   according to the surveyors, is that 54.9% said they continue to
   configure their network devices via Telnet, which is known by
   network security experts to be severely vulnerable to intruders
   because it sends data as clear text and offers only weak password
   authentication.

   For Marc Orchant, head of communications at VanDyke, that was one
   of the biggest shockers, especially since it costs little or nothing
   to upgrade these protocols.

It "costs little or nothing to upgrade?" Does it seem a bit
disingenuous for a remark like that to come from someone at a company
that sells a commercial SSH distribution?

Anyone from the real world knows that there are real and significant
costs to convert an existing infrastructure with telnet, the
r-protocols, ftp, and all of their unencrypted, unauthenticated friends
to SSH and SSL secured connections. Yeah, maybe the software licensing
costs are little to nothing, but the administrative overhead of
converting all of your other scripts and software, plus lots and LOTS
of retraining of admins and users can be very expensive or simply
infeasible.

And just one more quote,

   "I guess the message here is that ignorance is bliss," said Steve
   Birnkrant, chief executive officer of Amplitude Research Inc.,
   which conducted the survey on behalf of Albuquerque, N.M.-based
   VanDyke Software Inc. "What most surprised me was the general
   sense of complacency. Much has been written in the media about
   security issues, and this makes me wonder if people are listening."

Why aren't people listening? I think Mr. Birnkrant needs to go way
back to old childhood fables and have a refresher on the boy who
cried, "Wolf!"

Crist Clark wrote:

Anyone from the real world knows that there are real and significant
costs to convert an existing infrastructure with telnet, the
r-protocols, ftp, and all of their unencrypted, unauthenticated friends
to SSH and SSL secured connections. Yeah, maybe the software licensing
costs are little to nothing, but the administrative overhead of
converting all of your other scripts and software, plus lots and LOTS
of retraining of admins and users can be very expensive or simply
infeasible.

NTM all that legacy hardware for which the vendor simply never released an SSH-capable version. And lots of deployed CPE which lacks sufficient flash space to load an SSH-capable version where one was released.

I can think of a hundred cases where there's a definite measurable hardware upgrade cost associated with enabling SSH and the like.

Internally, our policy is to establish telnet connections from the closest upstream point possible, in most cases, the other side of a serial interface where our biggest possible cleartext exposure is gremlins at the CO.

I liked this quote,

  About 43% of respondents said they're using the Secure Shell (SSH)
  protocol to protect data, secure remote access, and perform network
  management. But while the current SSH2 is considered to be
  significantly more secure, nearly 45% said they are continuing to
  mostly use the older SSH1 protocol. A cause for greater concern,
  according to the surveyors, is that 54.9% said they continue to
  configure their network devices via Telnet, which is known by
  network security experts to be severely vulnerable to intruders
  because it sends data as clear text and offers only weak password
  authentication.

The part about Telnet is truly scary... Among people who have "clue", the biggest reason I have heard to continue running ssh1 is for emergency access via hand-held smartphones or other pocket sized devices. The Handspring Treo 180 and similar keyboarded cellphone-pda devices don't have the CPU power necessary for a SSH2 key exchange, unless I'm drastically mistaken about the FPU abilities of a 33 MHz Motorola Dragonball...

** Reply to message from Eric Kuhnke <eric@fnordsystems.com> on Thu, 03
Jun 2004 13:16:44 -0700

The part about Telnet is truly scary... Among people who have "clue",
the biggest reason I have heard to continue running ssh1 is for
emergency access via hand-held smartphones or other pocket sized
devices. The Handspring Treo 180 and similar keyboarded cellphone-pda
devices don't have the CPU power necessary for a SSH2 key exchange,
unless I'm drastically mistaken about the FPU abilities of a 33 MHz
Motorola Dragonball...

I wonder if they asked the people using Telnet if they were using over
the internet - or inside a corporate intranet, shielded from the
outside?

Unless the Dragonball is an 8-bit CPU, it shouldn't be *too* painful - looking at
the ssh 3.2.9.1 tree from ssh.com, the *only* reference to 'float' or 'double'
in the entire include/*.h tree is a "typedef double SshTimeT;". Since a sane
key won't fit in an int, float, or double, it's all done using integer/logical
operations on arrays (more or less).

I just retired an IBM RS6000/350 - that had a whole whopping 50 MHz Power
chipset in it, and ran ssh2 just fine. I know that the model 220 was a 33MHz
ppc 601 chipset, and that did SSH without burping too (The 601 chipset was
also used in the Macintosh 6600 machines).

If it's got enough CPU to connect to an SSL webpage, it's got enough for SSH.
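To put numbers behind Valdis's point about integer-only arithmetic, here is an added example (not code from the thread, from ssh.com's tree, or from any SSH implementation): a Diffie-Hellman exchange, the key agreement SSH2 performs, done entirely with 16-bit limb arrays and add, subtract, shift and compare, the way a 16/32-bit CPU with no FPU would do it. The modulus is a toy 127-bit Mersenne prime so the pure-Python loops finish in a few seconds; SSH2's diffie-hellman-group1 uses a 1024-bit prime and the same operations, just more of them. Python's own big ints appear only in from_int/to_int to check the answer.

```python
"""Diffie-Hellman with nothing but 16-bit limb arrays.

Added example for this thread, not code from ssh.com's tree or any SSH
implementation. Numbers are little-endian lists of 16-bit limbs; every
step is an add, subtract, shift or compare with a 32-bit intermediate.
The modulus is a toy 127-bit prime; real SSH2 groups are 1024 bits.
"""
import secrets

LIMB_BITS = 16
LIMB_MASK = (1 << LIMB_BITS) - 1
NLIMBS = 8                                   # 128-bit values
P = [0xFFFF] * 7 + [0x7FFF]                  # 2**127 - 1, written limb by limb
G = [3] + [0] * 7                            # toy generator, assumed

def from_int(n):
    """Split a Python int into limbs (setup and checking only)."""
    return [(n >> (LIMB_BITS * i)) & LIMB_MASK for i in range(NLIMBS)]

def to_int(limbs):
    """Join limbs back into a Python int (checking only)."""
    return sum(l << (LIMB_BITS * i) for i, l in enumerate(limbs))

def compare(a, b):
    """-1, 0 or 1 as a < b, a == b, a > b; most significant limb first."""
    for i in range(NLIMBS - 1, -1, -1):
        if a[i] != b[i]:
            return -1 if a[i] < b[i] else 1
    return 0

def add(a, b):
    """a + b with ripple carry; callers keep the sum below 2**128."""
    out, carry = [], 0
    for x, y in zip(a, b):
        s = x + y + carry
        out.append(s & LIMB_MASK)
        carry = s >> LIMB_BITS
    return out

def sub(a, b):
    """a - b with ripple borrow; requires a >= b."""
    out, borrow = [], 0
    for x, y in zip(a, b):
        d = x - y - borrow
        borrow = 1 if d < 0 else 0
        out.append(d & LIMB_MASK)
    return out

def shl1(a):
    """a * 2, carrying the top bit of each limb into the next."""
    out, carry = [], 0
    for x in a:
        s = (x << 1) | carry
        out.append(s & LIMB_MASK)
        carry = s >> LIMB_BITS
    return out

def bits_msb_first(a):
    for i in range(NLIMBS - 1, -1, -1):
        for k in range(LIMB_BITS - 1, -1, -1):
            yield (a[i] >> k) & 1

def mulmod(a, b, p):
    """a * b mod p by shift-and-add; a < p keeps every partial sum < 2p."""
    r = [0] * NLIMBS
    for bit in bits_msb_first(b):
        r = shl1(r)
        if compare(r, p) >= 0:
            r = sub(r, p)
        if bit:
            r = add(r, a)
            if compare(r, p) >= 0:
                r = sub(r, p)
    return r

def powmod(base, exp, p):
    """base ** exp mod p by left-to-right square-and-multiply."""
    r = [1] + [0] * (NLIMBS - 1)
    for bit in bits_msb_first(exp):
        r = mulmod(r, r, p)
        if bit:
            r = mulmod(r, base, p)
    return r

def dh_exchange(a_priv, b_priv):
    """Both sides of the exchange; returns (A, B, shared_at_a, shared_at_b)."""
    A = powmod(G, a_priv, P)                 # A's public value, sent in the clear
    B = powmod(G, b_priv, P)                 # B's public value, sent in the clear
    return A, B, powmod(B, a_priv, P), powmod(A, b_priv, P)

if __name__ == "__main__":
    a, b = from_int(secrets.randbits(126)), from_int(secrets.randbits(126))
    A, B, ka, kb = dh_exchange(a, b)
    print("shared secret agrees:", ka == kb, hex(to_int(ka)))
```

Every intermediate fits in 17 bits, which is the whole point: the "bignum" is just a loop over small integers, and the cost of a 1024-bit exchange on a slow CPU is time, not any arithmetic the chip lacks.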

> The part about Telnet is truly scary... Among people who have "clue",
> the biggest reason I have heard to continue running ssh1 is for
> emergency access via hand-held smartphones or other pocket sized
> devices. The Handspring Treo 180 and similar keyboarded cellphone-pda
> devices don't have the CPU power necessary for a SSH2 key exchange,
> unless I'm drastically mistaken about the FPU abilities of a 33 MHz
> Motorola Dragonball...

Cisco 26xx, 36xx routers at least, current 12.3 IOS, no ssh support in the basic loads that I can find. Telnet is the only way in other than the console port.

> The part about Telnet is truly scary... Among people who have "clue",
> the biggest reason I have heard to continue running ssh1 is for
> emergency access via hand-held smartphones or other pocket sized
> devices. The Handspring Treo 180 and similar keyboarded cellphone-pda
> devices don't have the CPU power necessary for a SSH2 key exchange,
> unless I'm drastically mistaken about the FPU abilities of a 33 MHz
> Motorola Dragonball...

I've heard there's an SSH2 client for the Treo.
Ah, here it is: pssh: SSH 2 for Palm OS 5

The Danger Sidekick can do SSH2 with "Terminal Monkey" which was free up until recently. :) It's fun, but kind of hard to get any real work done with the tiny screen.

-Jonathan

> I've heard there's an SSH2 client for the Treo.
> Ah, here it is: pssh: SSH 2 for Palm OS 5
>
> The Danger Sidekick can do SSH2 with "Terminal Monkey" which was free up
> until recently. :) It's fun, but kind of hard to get any real work done
> with the tiny screen.

I've been reasonably pleased with using the Idokorro client. It's at
http://www.idokorro.com It uses SSH2 w/3DES & AES. It's useful for
emergencies, but nothing of great detail or scope for the screen
size on my 6820.

-John

> I've been reasonably pleased with using the Idokorro client. It's at
> http://www.idokorro.com It uses SSH2 w/3DES & AES. It's useful for
> emergencies, but nothing of great detail or scope for the screen
> size on my 6820.
>
> -John

Wow. $195 for the Blackberry client? I'll carry around the PowerBook and get a T-Mobile account, thanks! :) It's a lot easier to find a Starbucks in San Francisco than anything else. Just spin around a few times and you'll find one.

<hops back on topic>

I wonder how many "IT Security" folks sit down at free Wi-Fi hotspots and telnet into various machines... quite a bit scarier than SSH1 on a PDA, especially after seeing it happen. =/

I like my Tungsten C, but I don't do security-stupid things with it. :)

Another neat trick, for those who haven't seen - Intel has
maps.yahoo.com set up so it'll show you where a lot of the hotspots are -
here's a map of downtown SF as an example:

http://tinyurl.com/36s5y

John

This is very bad - they have SSH in extended versions; why didn't they
include it in all versions where it was possible
without running out of flash memory?

Though it is not so insecure - in most cases people restrict access to a
few IP sources, which are located on the internal network, or even allow
only console access; but anyway, not a good thing. They could (at least)
allow changing the telnet port.

> > The part about Telnet is truly scary... Among people who have "clue",

I received adv., in Russian, saying:

Date: Thu, 3 Jun 2004 14:26:01 -0700
From: Jeff Shultz

I wonder if they asked the people using Telnet if they were
using over the internet - or inside a corporate intranet,
shielded from the outside?

Good to know that malicious things are always on the other side
of the router. I must be hallucinating when I encounter pwned
boxes with sniffers running inside of a network. Everyone
restricts MAC addresses at their switches. Nobody is vulnerable
to cable taps, wireless sniffing, ICMP redirects, or any other
trickery.

Sarcasm aside, I don't think being shielded from the outside
makes that much difference. It's foolish to assume that a
corporate intranet is squeaky clean.

Eddy
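Eddy's point in working form, as an added example that is not part of any post: a minimal Telnet stream parser of the kind a sniffer on a pwned internal box runs. It strips the RFC 854 IAC option negotiation from both directions of a constructed capture, pairs the server's prompts with the client's typed lines, and hands back the login, the password and every command typed afterwards. The capture bytes, the prompt strings and the option set are constructed for the example; the classifier at the end looks only at the server's first bytes to tell Telnet from SSH1 and SSH2.

```python
"""Pull a login out of a sniffed Telnet session.

Added example for this thread, not code from any post. The capture below
is constructed: two byte strings standing in for the reassembled TCP
payload in each direction of one session.
"""

# Telnet command bytes (RFC 854) and the option codes used in the sample
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
ECHO, SGA, NAWS = 1, 3, 31

PROMPTS = ("login:", "Username:", "Password:")   # assumed server prompt strings


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Return only the NVT data octets, dropping IAC command sequences."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 >= len(data):
            break                                   # truncated IAC at the end
        elif data[i + 1] == IAC:
            out.append(IAC)                         # escaped 0xFF data byte
            i += 2
        elif data[i + 1] in (DO, DONT, WILL, WONT):
            i += 3                                  # IAC <cmd> <option>
        elif data[i + 1] == SB:
            j = i + 2                               # subnegotiation up to IAC SE
            while j + 1 < len(data) and not (data[j] == IAC and data[j + 1] == SE):
                j += 2 if data[j] == IAC else 1     # skip escaped IAC IAC inside
            i = j + 2
        else:
            i += 2                                  # NOP, AYT, GA, ...
    return bytes(out)


def extract_credentials(client_to_server: bytes, server_to_client: bytes) -> dict:
    """Pair the server's prompts with the client's typed lines.

    The server stream only locates the prompts; the client stream carries
    the secrets. Enter arrives as CR LF or CR NUL depending on the client.
    """
    srv = strip_telnet_negotiation(server_to_client).decode("latin-1")
    cli = strip_telnet_negotiation(client_to_server).decode("latin-1")
    answers = cli.replace("\r\n", "\n").replace("\r\x00", "\n").split("\n")
    seen = sorted((srv.find(p), p) for p in PROMPTS if p in srv)
    found = {}
    for (_, prompt), answer in zip(seen, answers):
        found[prompt.rstrip(":").lower()] = answer
    # Everything typed after the login is just as visible as the password.
    found["commands"] = [a for a in answers[len(seen):] if a]
    return found


def classify_session(server_first_bytes: bytes) -> str:
    """Tell Telnet from SSH by the server's first bytes on the wire."""
    if server_first_bytes.startswith(b"SSH-2.0-"):
        return "ssh2"
    if server_first_bytes.startswith(b"SSH-1.99-"):
        return "ssh2 (server also accepts ssh1)"
    if server_first_bytes.startswith(b"SSH-1."):
        return "ssh1"
    if server_first_bytes[:1] == bytes([IAC]):
        return "telnet"
    return "unknown"


# Constructed capture: option negotiation, then a login and one command.
SERVER_TO_CLIENT = (bytes([IAC, WILL, ECHO, IAC, WILL, SGA, IAC, DO, NAWS])
                    + b"login: " + b"\r\nPassword: " + b"\r\n$ ")
CLIENT_TO_SERVER = (bytes([IAC, DO, ECHO, IAC, DO, SGA, IAC, WILL, NAWS,
                           IAC, SB, NAWS, 0, 80, 0, 24, IAC, SE])
                    + b"admin\r\n" + b"s3cret!\r\n" + b"show running-config\r\n")

if __name__ == "__main__":
    print(classify_session(SERVER_TO_CLIENT))
    print(extract_credentials(CLIENT_TO_SERVER, SERVER_TO_CLIENT))
```

Nothing here depends on where the sniffer sits: a tap at the CO, a mirrored switch port, a wireless capture or a sniffer on a compromised host on the same VLAN all deliver the same two byte streams, and the only thing that changes the result is whether the session was Telnet or SSH.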

Date: Thu, 03 Jun 2004 17:56:55 -0400
From: Daniel Senie

Cisco 26xx, 36xx routers at least, current 12.3 IOS, no ssh
support in the basic loads that I can find. Telnet is the
only way in other than the console port.

Correct. One must shell out more money for a bigger feature set
to obtain SSH. I don't recall specifics off the top of my head,
and don't have a javascript-capable machine handy to use Feature
Navigator[*], but certain { feature sets | trains } only support
SSHv1.

[*] Quick gripe: Did anyone at Cisco ever consider that people
    might like to use Feature Navigator without javascript?
    What's next? Mandatory Flash Player?

Eddy

>
> I've been reasonably pleased with using the Idokorro client. It's at
> http://www.idokorro.com It uses SSH2 w/3DES & AES. It's useful for
> emergencies, but nothing of great detail or scope for the screen
> size on my 6820.
>
> -John

openssh on the Zaurus is exactly like openssh on any other platform. with
the bluez bluetooth stack I can leave my phone in my pocket.

What's really scary is that the people here complaining about a certain vendor charging extra for SSH and hence forcing them to use "insecure" telnet haven't the cop-on to read that vendor's "AAA" documentation and realise that the base feature set _already_ includes capability to do secure authentication.

E.g., challenge/response via RADIUS or even Kerberised telnet (and many people here probably already have kerberos servers in their organisations, aka Windows Active Directory).

regards,

Paul Jakma wrote:

What's really scary is that the people here complaining about a certain vendor charging extra for SSH and hence forcing them to use "insecure" telnet haven't the cop-on to read that vendor's "AAA" documentation and realise that the base feature set _already_ includes capability to do secure authentication.

And that provides protection against MITM attacks how?

Kerberised telnet can be encrypted (typically DES - sufficient to guard against MITM).

regards,
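An added example (not from either poster) of what challenge/response authentication over an unencrypted channel does and does not buy, using the CHAP construction from RFC 1994 (MD5 over id, secret and challenge) as a stand-in for a RADIUS challenge/response login on a router. The user table, wordlist and message framing are constructed for the example. A passive sniffer never sees the password, but can guess it offline from the challenge/response pair if it is weak, and an on-path attacker can relay the authentication untouched and then rewrite the commands that follow; that is the gap the question above points at, and encrypting the session (which Kerberised telnet can do) is what closes it.

```python
"""Challenge/response login over cleartext: what it hides and what it doesn't.

Added example for this thread, not code from either post. The construction
is CHAP (RFC 1994, MD5 over id || secret || challenge) standing in for a
RADIUS challenge/response login on a router; user table, wordlist and
message framing are constructed for the example.
"""
import hashlib
import hmac
import os

USERS = {"admin": "s3cret!"}                 # constructed server-side secrets


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(id || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def run_session(user, secret, commands, tamper=None):
    """Log in with challenge/response, then send commands, all in the clear.

    Every client->server message passes through `tamper`, which stands in
    for an on-path attacker (None = a passive sniffer that only records).
    Returns (transcript, executed): the wire log and the commands the
    server actually ran.
    """
    transcript, executed = [], []

    def send(direction, msg):
        if direction == "C->S" and tamper is not None:
            msg = tamper(msg)
        transcript.append((direction, msg))
        return msg

    ident, challenge = 1, os.urandom(16)
    send("S->C", bytes([ident]) + challenge)
    auth = send("C->S", user.encode() + b"\x00" + chap_response(ident, secret, challenge))
    name, response = auth.split(b"\x00", 1)
    expected = chap_response(ident, USERS.get(name.decode(), ""), challenge)
    if not hmac.compare_digest(response, expected):
        send("S->C", b"login failed")
        return transcript, executed
    send("S->C", b"login ok")
    for cmd in commands:
        line = send("C->S", cmd.encode())       # the server runs whatever arrives
        executed.append(line.decode())
        send("S->C", b"output of " + line)
    return transcript, executed


def crack_chap(transcript, wordlist):
    """Passive attacker: the password never crosses the wire, but the sniffed
    challenge/response pair lets it be guessed offline at leisure."""
    ident, challenge = transcript[0][1][0], transcript[0][1][1:]
    _, response = transcript[1][1].split(b"\x00", 1)
    for guess in wordlist:
        if chap_response(ident, guess, challenge) == response:
            return guess
    return None


def inject_command(msg):
    """Active attacker: relay the authentication untouched, then replace the
    operator's command with its own. No password required."""
    if b"\x00" in msg:                       # the auth message: pass through
        return msg
    return b"show running-config" if msg == b"show clock" else msg


if __name__ == "__main__":
    log, ran = run_session("admin", "s3cret!", ["show clock"])
    print("sniffer cracked:", crack_chap(log, ["letmein", "hunter2", "s3cret!"]))
    _, ran = run_session("admin", "s3cret!", ["show clock"], tamper=inject_command)
    print("server ran under MITM:", ran)
```

The authentication step is exactly as strong as Paul says for the password itself; what it never claims to protect is the session after it, which is why the answer to "protection against MITM how?" has to be encryption, not a better login.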

* Paul Jakma <paul@clubi.ie> [2004-06-06 09:03]: