Hmm. I watched it _exactly_ as you described, and guess where? In a hacker's sniffer files. (4 years ago, sorry.) One idiot telnetted to his scientific lab (which had no security at all and had a few layers of sniffers installed by a few generations of hackers), and then slogin'd through a chain of 4 more systems, revealing all 4 passwords to the happy hacker. (On the other hand, we used... telnet on a non-standard port + S/Key one-time passwords... and it was enough to prevent any hackers from sniffing and any chance to login after us, except a _man in the middle_ attack, which was blocked by other means... I can say that a one-time password is more important than ssh (and I prefer both -:)). (It can be S/Key, OTP, SecurID, hand scan...)

----- Original Message -----
From: <Michael.Dillon@radianz.com>
To: <nanog@merit.edu>
Sent: Tuesday, June 08, 2004 4:38 AM
Subject: Re: SSH on the router - was( IT security people sleep well)
Consider the case of a staff member lounging in the backyard on a lazy Saturday afternoon with their iBook. They have an 802.11 wireless LAN at home so they telnet to their Linux box in the kitchen and run SSH to the router. Ooops!
I see. SSH doesn't solve all problems, and therefore must be worthless.
No. SSH doesn't solve all problems because it is only a protocol. The human element is the most important one to consider in network security.
Now let's look at kerberized telnet. Someone logs in via kerberized telnet over an insecure network, then decides to change his/her password. Oops.
Exactly! Technology is worthless if it is not used properly. Network engineers are technology experts, not security experts. They often need training to raise their awareness of security issues. Remember the study a while back that found that the largest single factor that caused network failures was human error?
The only way to protect against that sort of situation is to encourage everyone to be security-minded and not take risks where the network is concerned.
Definitely. Alas, I'm seeing more "it won't happen to me" than in the past. It's almost as if the "logic" is "I hear more about this, but haven't noticed anything awful, and therefore must be invincible."
The question in that case is: "Do you know, in enough detail, what is going on in your network that you can confidently say that nothing awful is happening?".
--Michael Dillon
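The reply at the top of this message credits S/Key one-time passwords with stopping sniffer-based logins and names man-in-the-middle as the one exception. The following Python block, an added illustration that is not part of either message in this thread, shows why both statements hold by simulating a Lamport-style hash chain of the kind S/Key uses. It is a simplification by assumption: the link function folds SHA-256 to 8 bytes instead of the MD4/MD5 folding in RFC 1760, the six-word encoding is omitted, and the secret, chain length and class names are all constructed for the demo.

```python
"""S/Key-style one-time password chain (Lamport hash chain).

Added example, not code from the NANOG thread. Assumptions: SHA-256 folded
to 8 bytes stands in for the real S/Key hash folding, no six-word encoding,
and a constructed demo secret.
"""
import hashlib
import hmac

CHAIN_LENGTH = 100  # number of logins before the chain must be reseeded


def f(x: bytes) -> bytes:
    """One link of the chain: a one-way function the sniffer cannot invert."""
    return hashlib.sha256(x).digest()[:8]


def otp_at(secret: bytes, n: int) -> bytes:
    """Client side: the n-th one-time password is f applied n times to the secret."""
    v = secret
    for _ in range(n):
        v = f(v)
    return v


class SKeyServer:
    """Holds only f^n(secret); reading the host's files yields no reusable secret."""

    def __init__(self, secret: bytes, n: int = CHAIN_LENGTH):
        self.n = n
        self.verifier = otp_at(secret, n)

    def challenge(self) -> int:
        # Ask for f^(n-1)(secret); the client computes it from the secret it keeps offline.
        return self.n - 1

    def login(self, otp: bytes) -> bool:
        if self.n <= 1:
            return False  # chain exhausted: reinitialise with a fresh secret
        if not hmac.compare_digest(f(otp), self.verifier):
            return False
        # Accepting f^(n-1) makes it the new verifier, so the value just
        # used can never satisfy a later check: a captured OTP is worthless.
        self.verifier = otp
        self.n -= 1
        return True


def sniffer_demo(secret: bytes = b"constructed-demo-secret") -> dict:
    """Passive sniffer: captures a valid OTP off the wire, tries to replay it."""
    server = SKeyServer(secret)
    captured = otp_at(secret, server.challenge())  # everything on the wire
    first = server.login(captured)                  # legitimate user: accepted
    replay = server.login(captured)                 # sniffer replays it: rejected
    # Moving "forward" would need f^(n-2)(secret), a preimage of the capture.
    second = server.login(otp_at(secret, server.challenge()))  # user again: accepted
    return {"first": first, "replay": replay, "second": second, "remaining": server.n}


def intercept_demo(secret: bytes = b"constructed-demo-secret") -> dict:
    """Active man-in-the-middle: the exception the post mentions.

    Whoever presents a fresh OTP to the server first wins it; the legitimate
    user's own attempt with the same value then fails, which is the signal a
    defender should treat as an alarm rather than as a typo.
    """
    server = SKeyServer(secret)
    otp = otp_at(secret, server.challenge())
    attacker_first = server.login(otp)   # intercepted and submitted before the user
    user_same_otp = server.login(otp)    # the real user's copy is now stale
    return {"attacker_first": attacker_first, "user_same_otp": user_same_otp}


if __name__ == "__main__":
    print(sniffer_demo())
    print(intercept_demo())
```

The design point is that the server stores only the current verifier and walks the chain backwards, so both a sniffer on the wire and a sniffer that reads the server's password file learn nothing they can reuse; what the scheme cannot do is bind the OTP to a session, which is why a transport that does (SSH) and a one-time password complement each other, as the reply says.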