Re: Internet attack called broad and long lasting

[Gadi Evron <ge () linuxbox org>]

> I agree. But I saw, how hackers intruded into XXX agency (USA's, I mean) 6
> years ago. Cisco sources never was a great secret

Then you shouldn't be talking about it.

> (a lot of people saw them; they are almost useless without Cisco's
> infrastructure; they are interesting for competitors
>  in some cases, because of very interesting technical ideas, but not for the
> hackers). It is _MINOR_ in reality. Major can be,
> for example, stealing 100,000 credit card numbers, because it make sence for
> 100, 000 people. Just Cisco sources... hmm, 100 total people in the world
> will be affected, big deal...)

Okay, so if it is a Good Thing for competitors and a Bad Thing for Cisco
which is a commercial company with a vested interest in not giving away
their secrets to competitors, how is this not a major loss? _EVEN_ if
only in reputation?

Sorry, but I really don't understand why you keep trying to under-play
this from different angles, and am just trying to understand your meaning.

> But I agree - it just showed old truth - good security is not technical
> issue. Just simplerst _never use standard ports_ policy could prevent this
> case. Better, _use One Time Passwords and single point signature_. Primitive
> host based IDS (Osiris, for example). Any _real_ security policy, of course
> (or better, ACCESS policy, because security is nothing - ACCESS mater! No
> access required - no security issues...)

It's not a technical issue, yet you just told me how to do security in
detail.

> It is amazing. Cisco made  a lot of noice about IDS, IPS, etc etc.... while
> no one in reality need these super expansive and
> complex tools (except few dozens of companies under the DDOS risk); but

IDS.. IPS.. etc.. etc... DDoS risk?

I can agree with many on the complete uselessness of IDS for most
companies (I can't live without it!).. IPS systems are a different matter.

> missed so simple thing as ssh exploit in their own nest. (It is not
> harmless - we found ssh trojan on my previous job, just exactly the same

Let me Google you and find where you worked. :o)

> case - ssh opened to Internet, port #22! Since this, I never allow ssh on
> port 22, Terminal Service on port 3389,  managemen t web on port 80 or 443,
> and so on... /even when servcie is allowed, which is policy issue/...

And I'll port-scan you to find out what port you are running SSH on, as
it is open to the net.

> > Burrowing from that, if the attack is successful, and the loss is
> > significant, I think the way there - although cute, is irrelevant except
>
> I mean _MINOR_ because lost was minor, in reality. No because it was ssh
> exploit.

Okay, I still don't follow you. I don't mean to be annoying but I really
don't. Let's not move too much into the realm of security and stay in
net ops.

How is this not a loss and not a risk? If we can't reach an agreement I
suggest we take this off-list.

        Gadi.