Firewall Wizards mailing list archives

RE: ssh holes? Trojans?


From: "Paul D. Robertson" <proberts () clark net>
Date: Fri, 22 Sep 2000 19:41:15 -0400 (EDT)

On Thu, 21 Sep 2000 sean.kelly () lanston com wrote:

> This raises an interesting question -- at what point is accountability more
> important than security?  Is deliberately constructing an insecure system
> justifiable in the interest of more accurate auditing?

At the point where the organization or individual feels that they can't
accept the risk of not doing so.  In the US, I'm pretty sure that
brokerage houses have a legal requirement to monitor all wire traffic,
including voice and data.  Folks who can't live with that need to pick a
new field of work or perhaps consider one-time authentication.
 
> > With ssh, the data stream is encrypted at the user's workstation and
> > tunnels 'through' the firewall so we never get a chance to monitor it.

> And neither does a hacker, which is kind of the point.

But transport protection *isn't* network protection, especially when either
endpoint isn't a compartmented system, which is also kind of the point.  I
wouldn't allow generic SSL access at my last position because of the
tunneling risk.
 
> > In addition, there have been 'strange' networks (like the internet)
> > showing up on our network monitoring facilities.  (None now, but there
> > may be again.)  Unfortunately, we have not been able to 'catch' anyone
> > 'in the act' as it were...

> Do you have dialup access or a VPN set up for your network?  This is the
> most likely culprit.  I heard a story recently that seems applicable (though

Win2k, Macs and probably recent Win98 boxen will assign themselves an
address out of a B netblock if they can't get DHCP.  Also, roving laptop
configs tend to cause the same symptoms and have been for years.  I've
heard of leakage via AOL's stuff misbehaving too but can't verify it with
personal experience.

> > Now then, what we would like to do is to set up an ssh 'proxy' inside
> > the DMZ so that whatever is passed to the sshd on the proxy host
> > crosses our monitoring hosts 'in the clear'.

> As someone else said, one of the points of ssh is to defeat such attempts.
> What you are trying to do is mount a "man in the middle" attack against the
> ssh session.  If such a thing were simple, ssh wouldn't be a very useful
> protocol, would it?  If you are really interested in tracking users to this
> degree, why not install monitoring software on the PCs on your network?
> There's no reason to try to do all your auditing from the firewall.

It is simple, as long as the user is aware.  "You must ssh to our ssh
server to ssh to the Internet" is a pretty good MITM.  It's also valid in
environments where the tunneling risk isn't acceptable or legal
requirements force it.  The intermediate server is a great place for
anti-ECPA warning banners.


> > After hearing from another source (an employee discussed our 'new'
> > policy with their SO at home), we 'heard' that there are ssh
> > 'trojans'...  Any truth to the rumor?

> I did a quick websearch and ran across a few references.  Obviously, it's
> possible to release a trojaned version of any program, though this is much
> easier for open-source apps.  I'd say that if the PCs on your network are

Is it that difficult to wrapper a binary with a trojan
and jump to its normal entry point or insert malicious calls into an exe?

I generally don't do Win32 programming, so I've never even looked, but I
always assumed you could probably even do it in VB or with a
self-extracting zip toolkit kind of approach.

> Windows-based rather than some version of UN*X then the chances that someone
> is using a trojaned version of ssh are quite small.  Also, for someone to be

Hmm, that's an interesting point of view.  I'd say it depends more on the
user population.  If they're paranoid Unix people, they'd have built SSH
from source after checking the signature and if they're unsophisticated
Windows users, they'd have installed any binary called ssh.exe.  

Most of the places I've worked the Windows users are likely to have
trojans and the Unix people are more likely to be IT and security aware
and check.  YMMV.


> able to use a trojaned program it would have to be installed on the PC --
> most corporate users are generally unable to install applications.  While

Funnily enough, most of the corporate users I've dealt with have had no
problems installing dancing baby applications, Monopoly games, screensaver
programs, AIM, RealAudio, etc.  Most of them from the 'Net directly with
no origin verification or signing at all.

> ssh trojans appear to exist, it's not something I would put at the top of my
> list of concerns.

I wouldn't rate it as high as other vectors, but I wouldn't dismiss it
based on platform or wide source availability either.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
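The thread's "strange networks showing up on our monitoring" exchange is a detection problem a defender can script. The following is an added example, not code from the list or from any poster: it walks constructed flow records of the form "timestamp src dst" (the format and the sample lines are assumptions for this example) and sorts each source address into the organization's own netblocks (assumed here to be 10.0.0.0/8 and 192.168.0.0/16), the 169.254.0.0/16 link-local block that Windows and Mac hosts self-assign when DHCP is unreachable (the "B netblock" Paul mentions), addresses outside both (the roving-laptop and leaked-dialup cases), and unparsable junk.

```python
import ipaddress
from collections import Counter

# Assumption for this example: the netblocks the organization actually
# allocates.  Anything else seen as a source on the internal segment is odd.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Link-local block that Win2k/Mac (and later Win98) hosts pick an address
# from when no DHCP server answers; a host here usually means a DHCP
# failure or a machine plugged into the wrong segment.
APIPA = ipaddress.ip_network("169.254.0.0/16")

# Constructed sample flow records (not real data).  172.16.200.4 is a
# private range this site does not allocate, the classic footprint of a
# laptop carrying another site's static config; 203.0.113.77 is a
# documentation-range address standing in for an Internet source.
SAMPLE_FLOWS = """\
2000-09-21T09:12:01 10.1.4.22 10.1.1.5
2000-09-21T09:12:07 169.254.33.18 10.1.1.5
2000-09-21T09:13:44 192.168.7.9 10.1.1.25
2000-09-21T09:14:02 172.16.200.4 10.1.1.5
2000-09-21T09:15:10 169.254.33.18 10.1.1.25
2000-09-21T09:16:55 203.0.113.77 10.1.1.5
2000-09-21T09:17:00 not-an-address 10.1.1.5
"""


def classify(addr):
    """Return 'internal', 'apipa', 'foreign' or 'invalid' for a source address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"          # garbage in the log is itself worth noticing
    if ip in APIPA:
        return "apipa"
    if any(ip in net for net in INTERNAL_NETS):
        return "internal"
    return "foreign"


def parse_flows(text):
    """Parse 'timestamp src dst' lines; lines with the wrong field count are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        records.append(tuple(parts))
    return records


def find_strangers(text):
    """Map each non-internal category to a Counter of source address -> flow count."""
    report = {"apipa": Counter(), "foreign": Counter(), "invalid": Counter()}
    for _ts, src, _dst in parse_flows(text):
        cat = classify(src)
        if cat != "internal":
            report[cat][src] += 1
    return report


if __name__ == "__main__":
    # Print the oddities most-talkative first within each category.
    for cat, counter in find_strangers(SAMPLE_FLOWS).items():
        for src, n in counter.most_common():
            print(f"{cat:8} {src:18} {n} flow(s)")
```

Run against a real export, the per-source counts are what let you "catch someone in the act": a 169.254.x.x address that recurs at the same times each day is a misconfigured workstation, while a one-off foreign address that appears only when a particular user is in the building points at a laptop or a dialup leak rather than the firewall.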

