nanog mailing list archives

Re: SSH on the router - was( IT security people sleep well)


From: "Alexei Roudnev" <alex () relcom net>
Date: Tue, 8 Jun 2004 22:48:39 -0700


Hmm.

I watched it _exactly_ as you described, and guess where? In a hacker's
sniffer files. (4 years ago, sorry)

One idiot telnetted to his scientific lab (which did not have any security and had a
few layers of sniffers installed by a few generations of hackers), and then
slogin'd through a chain of 4 more systems, revealing all 4 passwords to the
happy hacker.

(On the other hand, we used... telnet on a non-standard port + S/Key one-time
passwords... and it was enough to prevent any hackers from sniffing and
any chance to log in after us, except a _man in the middle_ attack, which was
blocked by other means... I can say that a one-time password is more important
than ssh (and I prefer both -:)).

(It can be S/Key, OTP, SecurID, hand scan...)

----- Original Message ----- 
From: <Michael.Dillon () radianz com>
To: <nanog () merit edu>
Sent: Tuesday, June 08, 2004 4:38 AM
Subject: Re: SSH on the router - was( IT security people sleep well)



Consider the case of a staff member lounging in the backyard on
a lazy Saturday afternoon with their iBook. They have an 802.11
wireless LAN at home so they telnet to their Linux box in the
kitchen and run SSH to the router. Ooops!

I see.  SSH doesn't solve all problems, and therefore must be
worthless.

No.
SSH doesn't solve all problems because it is only a protocol.
The human element is the most important one to consider in
network security.

Now let's look at kerberized telnet.  Someone logs in via
kerberized telnet over an insecure network, then decides to
change his/her password.  Oops.

Exactly!
Technology is worthless if it is not used properly. Network
engineers are technology experts not security experts. They
often need training to raise their awareness of security issues.
Remember the study a while back that found that the largest
single factor that caused network failures was human error?

The only way to protect against that sort of situation is to
encourage everyone to be security-minded and not take risks
where the network is concerned.

Definitely.  Alas, I'm seeing more "it won't happen to me" than
in the past.  It's almost as if the "logic" is "I hear more about
this, but haven't noticed anything awful, and therefore must be
invincible."

The question in that case is: "Do you know, in enough detail, what
is going on in your network that you can confidently say that nothing
awful is happening?".

--Michael Dillon
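The S/Key point made above (a sniffed password is useless once it has been consumed) is worth seeing in code. The block below is an added example, not code from the NANOG thread or from any S/Key implementation: it is a simplified Lamport hash chain using SHA-256 in place of the original MD4 and without the RFC 1760 six-word encoding, with the secret, seed, and chain length chosen arbitrarily for the demonstration. The server only ever stores the next expected hash, so the value a sniffer captures on the wire has already been replaced by the time the attacker tries to replay it.

```python
"""Simplified S/Key-style one-time passwords (Lamport hash chain).

Added example, not from the mailing-list thread. SHA-256 stands in for
MD4 and the six-word encoding is omitted; the replay-resistance
mechanics are the same as the real protocol.
"""
import hashlib
import hmac


def _h(data):
    """One step of the hash chain."""
    return hashlib.sha256(data).digest()


def make_chain(secret, seed, n):
    """Return [H^0, H^1, ..., H^n] where H^0 = H(seed || secret).

    The client walks this list backwards; the server is enrolled with
    chain[n] and never sees the secret itself.
    """
    chain = [_h((seed + secret).encode())]
    for _ in range(n):
        chain.append(_h(chain[-1]))
    return chain


class SKeyServer:
    """Holds only the most recently accepted hash and its sequence number."""

    def __init__(self, stored, seq):
        self.stored = stored  # H^seq, the last value the server accepted
        self.seq = seq        # how many one-time passwords remain

    def verify(self, candidate):
        # Chain exhausted: the user must re-enrol with a fresh seed.
        if self.seq == 0:
            return False
        # Accept iff hashing the candidate once yields what we stored,
        # i.e. the candidate is exactly H^(seq-1).
        if hmac.compare_digest(_h(candidate), self.stored):
            self.stored = candidate  # the old value is now useless to a replayer
            self.seq -= 1
            return True
        return False


class SKeyClient:
    """Regenerates the chain from the secret and hands out H^(n-1), H^(n-2), ..."""

    def __init__(self, secret, seed, n):
        self.chain = make_chain(secret, seed, n)
        self.next = n - 1

    def password(self):
        p = self.chain[self.next]
        self.next -= 1
        return p


def demo():
    """Sniffer captures the first OTP on a telnet session; replay fails.

    Returns (first_login_ok, replay_ok, next_login_ok).
    """
    n = 5  # arbitrary chain length for the demonstration
    client = SKeyClient("correct horse battery", "relc0001", n)  # constructed values
    server = SKeyServer(client.chain[n], n)  # enrolment: server learns only H^n

    sniffed = client.password()               # this is what crosses the wire
    first = server.verify(sniffed)            # legitimate login: True
    replay = server.verify(sniffed)           # attacker replays the capture: False
    second = server.verify(client.password())  # user's next login still works: True
    return first, replay, second


if __name__ == "__main__":
    print(demo())
```

Note the edge case the thread hints at: the man-in-the-middle it names is still possible, since an active attacker can intercept H^(n-1) and present it to the server before the user does. A one-time password defeats a passive sniffer, not an interposer; that is why the poster prefers OTP and ssh together.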


