On Sun, 24 Jun 2001, Tonton Rabena wrote:
>
> I myself am using telnet, do you think they can sniff my password??
>
Yes, of course. They can also see EVERYTHING you're doing. And it's not
only by means of sniffing. They can also do a MITM attack and fool you
into believing you're connecting to your host when in reality you're
connecting to them and they're silently forwarding your traffic to the
real host.
> security breaches were made by running exploitable daemons ...
Not just. There are many, many ways a compromise can occur. I've learned
this lesson the hard way. If someone guesses passwords which are pitifully
obvious, if you get socially engineered, there are SO many ways that a
break can occur. Don't be so foolish as to believe that buggy services
are the only way security breaches can happen.
> in the first place how could they run a sniffer if they don't have access to
> your servers?
>
It's this attitude of complacency that gets your systems cracked. And as
previously mentioned, unencrypted protocols are vulnerable to MITM
attacks. In an extreme case, your opponents could have TEMPEST hardware
that listens to stray electromagnetic emissions by your computers. :)
> I don't think you can use SSH only at all times, for instance you can't use
> ssh on a router.
Some newer model Ciscos have SSH support built in, by the way, so this is
not absolutely true. And that's the reason for having host PCs on serial
ports that do speak SSH.
> why would you put a host pc to console a router? do you think you have only
> one router at one place?
Of course not. Every router would have a host PC console. The extra
expense involved in adding such host PCs (which need not be expensive
computers, obsolete machines like old 486's running FreeBSD or Linux whose
only job would be to listen to SSH connections and to allow people with
access to use minicom on the routers) far outweighs the cost of having a
router compromise. A few weeks ago we learned how expensive such a
compromise can be. We thought that since none of these compromisers have
real knowledge of Cisco IOS it didn't matter if our routers were
compromised. Boy were we wrong. I'll leave it to Migs to tell the rest
of that story; he's my boss, and I'll let him explain what exactly
happened in that incident if he will.
> Can't you have a secure telnet connection?
>
Yes, it's called Secure Shell.
Maybe you ought to watch the episode of Digitaltour which featured Ian and
me. :)
--
Rafael R. Sevilla <[EMAIL PROTECTED]> +63(2) 8177746 ext. 8311
Programmer, InterdotNet Philippines +63(917) 4458925
http://dido.engr.internet.org.ph/
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GAT d- s:- a- C++++ UL+++ P+++ L+++ E++ W++ N+ o K- w---
O- M-- V- PS+ PE Y+ PGP++ t+ 5 X+ R tv+ b+++ DI++ D+
G e++ h! r++ y+
------END GEEK CODE BLOCK------
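As an added illustration of the sniffing point made above (this is not code from the thread): a small Python checker that classifies captured server-to-client traffic as an SSH session or a cleartext telnet login, stripping telnet's IAC option negotiation so the login prompts are matched correctly. The packet records, addresses and prompt strings are constructed for the example.

```python
from collections import defaultdict

IAC, SB, SE = 255, 250, 240                    # telnet command bytes (RFC 854)
WILL, WONT, DO, DONT = 251, 252, 253, 254
SSH_PORT = 22
# Prompts a telnet server sends in the clear; the reply to them is just as readable.
CLEARTEXT_PROMPTS = (b"login:", b"Username:", b"Password:")

def strip_iac(data: bytes) -> bytes:
    """Drop telnet option negotiation so prompts can be matched in the text stream."""
    out, i = bytearray(), 0
    while i < len(data):
        nxt = data[i + 1] if i + 1 < len(data) else None
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif nxt == IAC:                           # escaped literal 0xFF byte
            out.append(IAC)
            i += 2
        elif nxt in (WILL, WONT, DO, DONT):        # IAC <cmd> <option>
            i += 3
        elif nxt == SB:                            # IAC SB ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                                      # IAC <cmd>
            i += 2
    return bytes(out)

def classify_flows(packets):
    """packets: (client, server, port, server_to_client_payload) records; returns {flow: label}."""
    streams = defaultdict(bytearray)
    for client, server, port, payload in packets:
        streams[(client, server, port)] += payload
    labels = {}
    for flow, data in streams.items():
        if flow[2] == SSH_PORT and data.startswith(b"SSH-"):
            labels[flow] = "ssh"                   # only the banner is readable
        elif any(p in strip_iac(data) for p in CLEARTEXT_PROMPTS):
            labels[flow] = "cleartext-login"       # credentials follow in plaintext
        else:
            labels[flow] = "other"
    return labels

# Constructed sample (made-up addresses): a router on telnet, a host on SSH.
SAMPLE = [
    ("192.0.2.10", "192.0.2.1", 23, b"\xff\xfb\x01\xff\xfb\x03\r\nUser Access Verification\r\n"),
    ("192.0.2.10", "192.0.2.1", 23, b"\r\nPassword: "),
    ("192.0.2.10", "192.0.2.2", 22, b"SSH-1.99-OpenSSH_2.9p2\r\n"),
    ("192.0.2.10", "192.0.2.2", 22, bytes(range(128, 192))),   # opaque key exchange
]
```

Running `classify_flows` over a real capture's server-to-client payloads gives an inventory of where telnet logins still happen and should be replaced by SSH.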
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph