
List:       firewalls-gc
Subject:    an incident
From:       smb () research ! att ! com
Date:       1992-12-10 18:03:24

An incident occurred here that's worth mentioning to the mailing list.
Someone tried poking our gateway via tftp.  No harm done here; it simply
rang the usual alarms.  The reverse finger output showed only one user
active, and she was logged in from an unlikely spot.  I traced things
back to that point, and again found just one active user, this time with
a suspicious userid.  (Yes, I'm deliberately being vague...)  I was
unable to finger the source of that login; there appeared to be a firewall
in my way.

After talking with administrators a bit, I learned what had happened.
Someone came in to an unprotected terminal server via a modem pool.
This wasn't seen as a threat, since the configuration was set up so
that dial-up users had no access beyond the local net.  But one of
the machines behind their firewall was insecure, and that allowed an
illicit outgoing call.

Moral 1:  Back doors are just as good as front doors.
Moral 2:  A chain is as strong as its weakest link.
Moral 3:  You don't go through security barriers, you go around them.

But we all knew those things, right?


		--Steve Bellovin
