> Alexei Roudnev wrote:
>
> > O, my god. Primitive hack, primitive ssh exploit.... I watched it all 6 years ago, nothing changed since this.
> > It is a _minor_ incident, in reality.
>
> Primitive I can understand, but _minor_?
>
> First, I don't really see why an attack should be estimated by the tool used. If a 10 years old exploit would work, why should an attacker look for and use a 0day? It's a silly allocation of resources.

I agree. But I saw how hackers intruded into XXX agency (USA's, I mean) 6 years ago. Cisco sources were never a great secret (a lot of people saw them; they are almost useless without Cisco's infrastructure; they are interesting for competitors in some cases, because of very interesting technical ideas, but not for the hackers). It is _MINOR_ in reality. Major can be, for example, stealing 100,000 credit card numbers, because it makes sense for 100,000 people. Just Cisco sources... hmm, 100 total people in the world will be affected, big deal...)

But I agree - it just showed an old truth - good security is not a technical issue. Just the simplest _never use standard ports_ policy could have prevented this case. Better, _use One Time Passwords and single point signature_. Primitive host based IDS (Osiris, for example). Any _real_ security policy, of course (or better, ACCESS policy, because security is nothing - ACCESS matters! No access required - no security issues...) It is amazing. Cisco made a lot of noise about IDS, IPS, etc etc.... while no one in reality needs these super expensive and complex tools (except a few dozen companies under DDOS risk); but missed so simple a thing as an ssh exploit in their own nest. (It is not harmless - we found an ssh trojan at my previous job, just exactly the same case - ssh opened to the Internet, port #22! Since then, I never allow ssh on port 22, Terminal Service on port 3389, management web on port 80 or 443, and so on... /even when the service is allowed, which is a policy issue/...

> Borrowing from that, if the attack is successful, and the loss is significant, I think the way there - although cute, is irrelevant except

I mean _MINOR_ because the loss was minor, in reality. Not because it was an ssh exploit.

> for the defender.
>
> Gadi.
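Added example, not from the thread or from Osiris itself: a minimal host-based file-integrity check of the kind Alexei recommends, run on a constructed temp directory where a fake `sshd` binary is replaced after the baseline is taken (the trojaned copy keeps the same size, so only the hash exposes it); all paths and file contents are made up for the demo.

```python
import hashlib
import os
import stat
import tempfile

def file_record(path):
    """Hash plus the metadata a replaced binary usually disturbs."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "size": st.st_size}

def snapshot(root):
    """Record every regular file below root, keyed by relative path."""
    records = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                records[os.path.relpath(full, root)] = file_record(full)
    return records

def compare(baseline, current):
    """Report paths added, removed, or altered since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline if p in current
                          and baseline[p] != current[p]),
    }

def demo():
    """Constructed scenario: fake sshd is swapped out after baselining."""
    root = tempfile.mkdtemp()
    sbin = os.path.join(root, "usr", "sbin")
    os.makedirs(sbin)
    sshd = os.path.join(sbin, "sshd")
    with open(sshd, "wb") as f:
        f.write(b"\x7fELF original sshd (constructed sample)")
    baseline = snapshot(root)        # taken while the host is known-good
    with open(sshd, "wb") as f:      # simulated trojan: same path and size
        f.write(b"\x7fELF trojaned sshd (constructed sample)")
    with open(os.path.join(sbin, "sshd.bak"), "wb") as f:
        f.write(b"dropped file")     # an unexpected new file beside it
    return compare(baseline, snapshot(root))
```

In practice the baseline must be stored off-host (or signed), since an intruder with root can rewrite a local baseline as easily as the binary.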