Firewall Wizards mailing list archives
RE: ssh holes? Trojans?
From: "Paul D. Robertson" <proberts () clark net>
Date: Fri, 22 Sep 2000 19:41:15 -0400 (EDT)
On Thu, 21 Sep 2000 sean.kelly () lanston com wrote:
> This raises an interesting question -- at what point is accountability more important than security? Is deliberately constructing an insecure system justifiable in the interest of more accurate auditing?
At the point where the organization or individual feels that they can't accept the risk of not doing so. In the US, I'm pretty sure that brokerage houses have a legal requirement to monitor all wire traffic, including voice and data. Folks who can't live with that need to pick a new field of work or perhaps consider one-time authentication.
> > With ssh, the data stream is encrypted at the user's workstation and tunnels 'through' the firewall so we never get a chance to monitor it.
>
> And neither does a hacker, which is kind of the point.
But transport protection *isn't* network protection, especially when either endpoint isn't a compartmented system, which is also kind of the point. I wouldn't allow generic SSL access at my last position because of the tunneling risk.
> > In addition, there have been 'strange' networks (like the internet) showing up on our network monitoring facilities. (None now, but there may be again.) Unfortunately, we have not been able to 'catch' anyone 'in the act' as it were...
>
> Do you have dialup access or a VPN set up for your network? This is the most likely culprit. I heard a story recently that seems applicable (though
Win2k, Macs and probably recent Win98 boxen will assign themselves an address out of a B netblock if they can't get DHCP. Also, roving laptop configs tend to cause the same symptoms and have been for years. I've heard of leakage via AOL's stuff misbehaving too but can't verify it with personal experience.
> > Now then, what we would like to do is to set up an ssh 'proxy' inside the DMZ so that whatever is passed to the sshd on the proxy host crosses our monitoring hosts 'in the clear'.
>
> As someone else said, one of the points of ssh is to defeat such attempts. What you are trying to do is mount a "man in the middle" attack against the ssh session. If such a thing were simple, ssh wouldn't be a very useful protocol, would it? If you are really interested in tracking users to this degree, why not install monitoring software on the PCs on your network? There's no reason to try to do all your auditing from the firewall.
It is simple, as long as the user is aware. "You must ssh to our ssh server to ssh to the Internet" is a pretty good MITM. It's also valid in environments where the tunneling risk isn't acceptable or legal requirements force it. The intermediate server is a great place for anti-ECPA warning banners.
> > After hearing from another source (an employee discussed our 'new' policy with their SO at home), we 'heard' that there are ssh 'trojans'... Any truth to the rumor?
>
> I did a quick websearch and ran across a few references. Obviously, it's possible to release a trojaned version of any program, though this is much easier for open-source apps. I'd say that if the PCs on your network are
Is it that difficult to wrapper a binary with a trojan and jump to its normal entry point or insert malicious calls into an exe? I generally don't do Win32 programming, so I've never even looked, but I always assumed you could probably even do it in VB or with a self-extracting zip toolkit kind of approach.
> Windows-based rather than some version of UN*X then the chances that someone is using a trojaned version of ssh are quite small. Also, for someone to be
Hmm, that's an interesting point of view. I'd say it depends more on the user population. If they're paranoid Unix people, they'd have built SSH from source after checking the signature and if they're unsophisticated Windows users, they'd have installed any binary called ssh.exe. Most of the places I've worked the Windows users are likely to have trojans and the Unix people are more likely to be IT and security aware and check. YMMV.
> able to use a trojaned program it would have to be installed on the PC -- most corporate users are generally unable to install applications. While
Funnily enough, most of the corporate users I've dealt with have had no problems installing dancing baby applications, Monopoly games, screensaver programs, AIM, RealAudio, etc. Most of them from the 'Net directly with no origin verification or signing at all.
> ssh trojans appear to exist, it's not something I would put at the top of my list of concerns.
I wouldn't rate it as high as other vectors, but I wouldn't dismiss it based on platform or wide source availability either.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net   which may have no basis whatsoever in fact."

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
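The "strange networks showing up on our network monitoring" symptom discussed above has a simple detection: flag any source address that is neither in the organisation's own address plan nor expected on the LAN. The following is an added example (not code from the thread or from either poster) that classifies source addresses from a connection log into internal, link-local (the 169.254.0.0/16 range hosts self-assign when DHCP fails, the "B netblock" the reply refers to), foreign (a roaming laptop or an unexpected VPN/dialup leg), or invalid, and then aggregates the strays by /16 so a whole new block stands out rather than a scatter of hosts. The log format, the internal ranges, and the sample lines are constructed for the example.

```python
"""Flag traffic from networks that should not be on the internal LAN.

Added example, not part of the mailing-list message. The key=value log
format, the INTERNAL_NETS address plan and SAMPLE_LOG are constructed
for illustration; the 169.254.0.0/16 link-local range is the real
range hosts self-assign when DHCP is unavailable (RFC 3927).
"""
import ipaddress
import re
from collections import Counter

# Assumption: the organisation's own address plan (constructed).
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16"),
                 ipaddress.ip_network("192.168.5.0/24")]
# Link-local range self-assigned by hosts that cannot reach a DHCP server.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Constructed sample of a connection log in a simple key=value style.
SAMPLE_LOG = """\
src=10.20.3.4 dst=10.20.0.1 proto=tcp dport=22
src=169.254.17.88 dst=10.20.0.1 proto=udp dport=137
src=192.168.5.20 dst=10.20.0.9 proto=tcp dport=445
src=172.16.40.7 dst=10.20.0.1 proto=tcp dport=80
src=169.254.201.3 dst=169.254.255.255 proto=udp dport=138
src=10.20.7.7 dst=10.20.0.1 proto=tcp dport=22
src=garbage dst=10.20.0.1 proto=tcp dport=22
"""

LINE_RE = re.compile(r"src=(\S+)\s+dst=(\S+)")


def classify(addr: str) -> str:
    """Return 'internal', 'link-local', 'foreign' or 'invalid' for one address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"          # malformed field: worth a look on its own
    if ip in LINK_LOCAL:
        return "link-local"       # DHCP failure or an unmanaged host
    if any(ip in net for net in INTERNAL_NETS):
        return "internal"
    return "foreign"              # roaming laptop, rogue DHCP, leaking VPN/dialup


def stray_sources(log_text: str) -> dict:
    """Map each non-internal source address to (class, hit count)."""
    hits = Counter()
    kinds = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src = m.group(1)
        kind = classify(src)
        if kind == "internal":
            continue
        hits[src] += 1
        kinds[src] = kind
    return {src: (kinds[src], hits[src]) for src in hits}


def stray_networks(log_text: str, prefix: int = 16) -> Counter:
    """Aggregate stray sources into /prefix blocks so one unexpected
    network shows up as a single line rather than many hosts."""
    nets = Counter()
    for src, (kind, n) in stray_sources(log_text).items():
        if kind == "invalid":
            continue
        net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        nets[str(net)] += n
    return nets


if __name__ == "__main__":
    for src, (kind, n) in sorted(stray_sources(SAMPLE_LOG).items()):
        print(f"{src:16} {kind:10} {n} hit(s)")
    for net, n in stray_networks(SAMPLE_LOG).most_common():
        print(f"{net:18} {n} hit(s)")
```

Run against real monitoring output, the aggregation step is what turns the scattered 169.254.x.x chatter into one "169.254.0.0/16" line; a second, non-link-local /16 appearing there is the roaming-laptop or VPN/dialup case the thread points at, and the source hosts behind it are the ones to chase.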
Current thread:
- ssh holes? Trojans? Gregory Hicks (Sep 19)
- Re: ssh holes? Trojans? John Ladwig (Sep 22)
- <Possible follow-ups>
- RE: ssh holes? Trojans? sean . kelly (Sep 22)
- RE: ssh holes? Trojans? Paul D. Robertson (Sep 22)