Internet Attack Called Broad and Long Lasting by Investigators
SAN FRANCISCO, May 9 - The incident seemed alarming enough: a breach of a Cisco Systems network in which an intruder seized programming instructions for many of the computers that control the flow of the Internet.

Now federal officials and computer security investigators have acknowledged that the Cisco break-in last year was only part of a more extensive operation - involving a single intruder or a small band, apparently based in Europe - in which thousands of computer systems were similarly penetrated.

....

http://www.nytimes.com/2005/05/10/technology/10cisco.html?hp&ex=1115784000&en=eeb27da2e75ec022&ei=5094&partner=homepage

--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
This part:

"The crucial element in the password thefts that provided access at Cisco and elsewhere was the intruder's use of a corrupted version of a standard software program, SSH. The program is used in many computer research centers for a variety of tasks, ranging from administration of remote computers to data transfer over the Internet."

reminds me of the SourceForge attack a few years back: http://www.apache.de/info/20010519-hack.html

-Jim P.

On Mon, 2005-05-09 at 22:37 -0700, Steven M. Bellovin wrote:

> SAN FRANCISCO, May 9 - The incident seemed alarming enough: a breach of a Cisco Systems network in which an intruder seized programming instructions for many of the computers that control the flow of the Internet.
>
> Now federal officials and computer security investigators have acknowledged that the Cisco break-in last year was only part of a more extensive operation - involving a single intruder or a small band, apparently based in Europe - in which thousands of computer systems were similarly penetrated.
>
> ....
>
> --Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Even though this article wasn't specifically regarding network operations, it does come down to the most fundamental of network operating practices. Create policies and the procedures that enable those policies. Then enforce them VERY strictly.

> The crucial element in the password thefts that provided access at Cisco and elsewhere was the intruder's use of a corrupted version of a standard software program, SSH. The intruder probed computers for vulnerabilities that allowed the installation of the corrupted program, known as a Trojan horse.
>
> In the Cisco case, the passwords to Cisco computers were sent from a compromised computer by a legitimate user unaware of the Trojan horse.

Folks that handle sensitive info (proprietary code, personal info, HIPAA, FERPA, SOX, .mil, etc, etc) should be allowed to download software only from company servers where all software has been cleared by folks that're experts in evaluating software packages. Not from the general internet.

scott
Closing people's systems down from "any" other software installations isn't necessarily the solution. It can delay progress in many cases, and not everyone has IT staff that may be as up to speed as necessary.

The requirement should be more along the lines of software designed to scan the system for things like that and alert/remove it. That kind of requirement at least gives flexibility and a good kick in the butt to implement good assessment tools at the PC or network level.

All it takes is one user outside the "norm" to mess up LOTS of work and policies trying to keep things right!

Scott

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Scott Weeks
Sent: Tuesday, May 10, 2005 2:16 AM
To: nanog@nanog.org
Subject: Re: Internet Attack Called Broad and Long Lasting by Investigators

> Even though this article wasn't specifically regarding network operations, it does come down to the most fundamental of network operating practices. Create policies and the procedures that enable those policies. Then enforce them VERY strictly.
>
> The crucial element in the password thefts that provided access at Cisco and elsewhere was the intruder's use of a corrupted version of a standard software program, SSH. The intruder probed computers for vulnerabilities that allowed the installation of the corrupted program, known as a Trojan horse. In the Cisco case, the passwords to Cisco computers were sent from a compromised computer by a legitimate user unaware of the Trojan horse.
>
> Folks that handle sensitive info (proprietary code, personal info, HIPAA, FERPA, SOX, .mil, etc, etc) should be allowed to download software only from company servers where all software has been cleared by folks that're experts in evaluating software packages. Not from the general internet.
>
> scott
: Even though this article wasn't specifically regarding network operations, it does come down to the most fundamental of network operating practices. Create policies and the procedures that enable those policies. Then enforce them VERY strictly.
:
: Folks that handle sensitive info (proprietary code, personal info, HIPAA, FERPA, SOX, .mil, etc, etc) should be allowed to download software only from company servers where all software has been cleared by folks that're experts in evaluating software packages. Not from the general internet.

On Tue, 10 May 2005, Scott Morris wrote:

: Closing people's systems down from "any" other software installations isn't necessarily the solution. It can delay progress in many cases, and not everyone has IT staff that may be as up to speed as necessary.

Ok, for smaller companies, yes. You have to trade off productivity and risk. But in a smaller company you will likely know each individual and their level of tech savvy. Red flags should pop up if they have a low level of understanding, have access to machines with sensitive or proprietary info and have the permission level to install software.

Also, in this case we're talking Cisco, NASA, .mil networks and research labs. They have the ability to enforce policy and the need to be VERY risk averse WRT losing sensitive data. In organizations that size, it's the enforcement that's hard to pull off. It requires strict policy definition and procedure adherence. Don't give folks that have access to machines that hold sensitive info the ability to download software unless you know they're savvy enough to do so safely. If you do allow the less savvy folks who have access to sensitive machines to install software, force the packages to be downloaded from a company repository.

: The requirement should be more along the lines of software designed to scan the system for things like that and alert/remove it. That kind of requirement at least gives flexibility and a good kick in the butt to implement good assessment tools at the PC or network level.

In the article, it was too late by that time. The data was compromised. They didn't trade off risk and productivity well, or didn't enforce policy through procedure, or...

: All it takes is one user outside the "norm" to mess up LOTS of work and policies trying to keep things right!

Anyone with access to machines that hold sensitive material should be held to a higher standard than the rest of the organization. You risk losing your treasure through these people.

scott
On Tue, 2005-05-10 at 10:24 -1000, Scott Weeks wrote:

> Don't give folks that have access to machines that hold sensitive info the ability to download software unless you know they're savvy enough to do so safely.

I don't see that as the root of the problem. To me the real problem is in the use and handling of usernames and passwords. Take your typical contractor or SE (I used to be one): they have usernames and passwords for their corporate systems as well as customer systems. OK, so they may be careful who they share those credentials with, but they aren't careful enough with how they use those credentials themselves.

I wish I had a nickel for every time I've seen a person assume everything was a-ok since they were using ssh, even though they couldn't have told you who installed ssh (or the remote sshd) on the systems. So, the SE ssh's into *your* corporate systems using ssh on their laptop (probably d/l'ed by googling for PuTTY or SSH and pulling the first available URL) while on a service call to your facility. Or how about the SE who ssh's into *their* corporate network from some rogue contractor box inside your network. Then there are those people who run bleeding edge O/Ses that constantly update from god-only-knows-where servers all over the world... what version of ssh is installed today? And there are those co-workers who "think" they know what they are doing but really don't. Ever dropped a BSOD screensaver onto a co-worker's computer? Dropping a bogus ssh executable is even easier.

Use LDAP? Isn't it nice having one username and password for *all* things? The l33t [ch]4ck3rs love LDAP credentials. Your SSH password is the same as your IMAP/SMTP/POP3/HTTP/RDP password.

In short: people need to not only respect their login credentials, they need to only use them from trusted systems and constantly be vigilant about the level of trust they have for those systems. DON'T mix usernames and passwords between differing classifications of systems.

-Jim P.
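An added example (an editor's addition, not code from any post in this thread) of the check that Scott Weeks' "cleared by experts, downloaded from a company server" policy, Scott Morris' "software that scans the system and alerts" and Jim's "who installed ssh on this box" point all reduce to: compare what is on disk against a digest recorded when the file was known-good, and shout when it differs. It assumes sha256sum (coreutils) or shasum is on PATH; the manifest layout, file names and contents in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Verify files against a pinned
# SHA-256 manifest taken when they were known-good. Same check serves
# two jobs: a workstation confirming a package fetched from the internal
# repo is the one the vetting team published, and an operator confirming
# the installed ssh client/daemon is still the one that was installed.
# Assumption: sha256sum (GNU) or shasum (BSD/macOS/perl) exists; the
# manifest uses "<hex digest>  <relative path>" like sha256sum -c reads.

# sha256_of FILE: print the hex digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_manifest MANIFEST ROOT: check every entry against ROOT/<path>.
# Prints one status line per entry. Returns 0 only when every file
# exists and matches; 1 if anything is missing or altered.
verify_manifest() {
    manifest=$1
    root=$2
    status=0
    while read -r expected path; do
        if [ -z "$expected" ]; then
            continue
        fi
        file="$root/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"
            status=1
        elif [ "$(sha256_of "$file")" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MODIFIED $path"
            status=1
        fi
    done < "$manifest"
    return $status
}

# demo_tamper: constructed scenario. A vetted installer and an ssh client
# are recorded in a manifest, then the ssh client is swapped for a
# trojaned one the way the article describes. Prints
# "<result before> <result after>" where 0 = clean and 1 = mismatch.
demo_tamper() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/bin"
    printf 'legitimate ssh client\n' > "$tmp/usr/bin/ssh"
    printf 'vetted putty installer\n' > "$tmp/putty.tar.gz"
    {
        printf '%s  %s\n' "$(sha256_of "$tmp/usr/bin/ssh")" usr/bin/ssh
        printf '%s  %s\n' "$(sha256_of "$tmp/putty.tar.gz")" putty.tar.gz
    } > "$tmp/MANIFEST"

    if verify_manifest "$tmp/MANIFEST" "$tmp" >/dev/null; then before=0; else before=1; fi

    # Intruder drops a client that logs the password the user types.
    # Size and mtime can be faked to match; the digest cannot.
    printf 'trojaned ssh client that logs passwords\n' > "$tmp/usr/bin/ssh"

    if verify_manifest "$tmp/MANIFEST" "$tmp" >/dev/null; then after=0; else after=1; fi

    rm -rf "$tmp"
    echo "$before $after"
}

# Stand-alone run of the constructed scenario.
demo_tamper
```

Two caveats that decide whether this is worth anything: the manifest has to come over a channel the intruder cannot also rewrite (signed, or pulled from the vetting team's server, not sitting next to the download), and a matching digest only proves the file is the one that was vetted, not that the vetting was thorough. On package-managed hosts the distro already keeps such a manifest, so `rpm -V openssh` or `debsums openssh-client` answer Jim's "what version of ssh is installed today?" without a hand-built list.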
participants (4)
- Jim Popovitch
- Scott Morris
- Scott Weeks
- Steven M. Bellovin