Internet Attack Called Broad and Long Lasting by Investigators

Scott Morris swm at emanon.com
Tue May 10 11:12:34 UTC 2005


Closing people's systems down from "any" other software installations isn't
necessarily the solution.  It can delay progress in many cases, and not
everyone has IT staff that may be as up to speed as necessary.

The requirement should be more along the lines of software designed to scan
the system for things like that and alert/remove it.  That kind of
requirement at least gives flexibility and a good kick in the butt to
implement good assessment tools at the PC or network level.

All it takes is one user outside the "norm" to mess up LOTS of work and
policies trying to keep things right!

Scott 

-----Original Message-----
From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
Scott Weeks
Sent: Tuesday, May 10, 2005 2:16 AM
To: nanog at nanog.org
Subject: Re: Internet Attack Called Broad and Long Lasting by Investigators
Even though this article wasn't specifically regarding network operations, it
does come down to the most fundamental of network operating practices.
Create policies and the procedures that enable those policies.  Then enforce
them VERY strictly.

   The crucial element in the password thefts that provided access at
   Cisco and elsewhere was the intruder's use of a corrupted version of a
   standard software program, SSH.

   The intruder probed computers for vulnerabilities that allowed the
   installation of the corrupted program, known as a Trojan horse.

   In the Cisco case, the passwords to Cisco computers were sent from a
   compromised computer by a legitimate user unaware of the Trojan horse.

Folks that handle sensitive info (proprietary code, personal info, HIPAA,
FERPA, SOX, .mil, etc, etc) should be allowed to download software only from
company servers where all software has been cleared by folks that're experts
in evaluating software packages.  Not from the general internet.

scott
