May 09, 2005

Threats are two a penny

Good story about a success at defending from a DDOS. As a company sprung out of it, this is obviously a marketing story, but it still gives a lot of good background into the DDOS world. Postini reports that phishing traffic is 45% down in April, over March. Also, viruses are down a bit. Valid email is 13% of messages.

Whoops - here's a wakeup - SSH has been attacked and was implicated in the Cisco source code heist:

Shortly after being stolen last May, a portion of the Cisco programming instructions appeared on a Russian Web site. With such information, sophisticated intruders would potentially be able to compromise security on router computers of Cisco customers running the affected programs.

There is no evidence that such use has occurred. "Cisco believes that the improper publication of this information does not create increased risk to customers' networks," the company said last week.

(I'll bet they're regretting that statement in the post-Choicepoint world. Here's the details on SSH.)

The crucial element in the password thefts that provided access at Cisco and elsewhere was the intruder's use of a corrupted version of a standard software program, SSH. The program is used in many computer research centers for a variety of tasks, ranging from administration of remote computers to data transfer over the Internet.

The intruder probed computers for vulnerabilities that allowed the installation of the corrupted program, known as a Trojan horse, in place of the legitimate program.

In many cases the corrupted program is distributed from a single computer and shared by tens or hundreds of users at a computing site, effectively making it possible for someone unleashing it to reel in large numbers of log-ins and passwords as they are entered.

Once passwords to the remote systems were obtained, an intruder could log in and use a variety of software "tool kits" to upgrade his privileges - known as gaining root access. That makes it possible to steal information and steal more passwords.

The operation took advantage of the vulnerability of Internet-connected computers whose security software had not been brought up to date.

In the Cisco case, the passwords to Cisco computers were sent from a compromised computer by a legitimate user unaware of the Trojan horse. The intruder captured the passwords and then used them to enter Cisco's computers and steal the programming instructions, according to the
security investigators.

Peversely this is good long expected news: it confirms that which we have always predicted, that when SSH is attacked it will be attacked around the system rather than the supposed weakness of the MITM. This is an economically rational attack; break in some other way, and replace a trusted tool with a trojan. Security experts may be wild-eyed zealots, but at least their attackers are economically rational.

In closing, cautionary tale of a security breaches misanalysed. Bob spotted this one:

Sherlock Holmes and Dr Watson go on a camping trip. After a good dinner and a bottle of wine, they retire for the night, and go to sleep.

Some hours later, Holmes wakes up and nudges his faithful friend. "Watson, look up at the sky and tell me what you see."

"I see millions and millions of stars Holmes," replies Watson.

"And what do you deduce from that?"

Watson ponders for a minute.

"Well, astronomically, it tells me that there are millions of galaxies and potentially billions of planets. Astrologically, I observe that Saturn is in Leo. Logically, I deduce that the time is approximately a quarter past three. Meteorologically, I suspect that we will have a beautiful day tomorrow. Theologically, I can see that God is all powerful, and that we are a small and insignificant part of the universe. What does it tell you, Holmes?"

Holmes is silent for a moment and then says: "Watson you idiot, someone has stolen our tent!"

Posted by iang at May 9, 2005 07:44 AM | TrackBack
Comments
Post a comment









Remember personal info?






Hit preview to see your comment as it would be displayed.