List: firewalls-gc
Subject: an incident
From: smb () research ! att ! com
Date: 1992-12-10 18:03:24

An incident occurred here that's worth mentioning to the mailing list.
Someone tried poking our gateway via tftp. No harm done here; it simply
rang the usual alarms. The reverse finger output showed only one user
active, and she was logged in from an unlikely spot. I traced things
back to that point, and again found just one active user, this time with
a suspicious userid. (Yes, I'm deliberately being vague...) I was
unable to finger the source of that login; there appeared to be a firewall
in my way.

After talking with administrators a bit, I learned what had happened.
Someone came in to an unprotected terminal server via a modem pool.
This wasn't seen as a threat, since the configuration was set up so
that dial-up users had no access beyond the local net. But one of
the machines behind their firewall was insecure, and that allowed an
illicit outgoing call.

Moral 1: Back doors are just as good as front doors.
Moral 2: A chain is as strong as its weakest link.
Moral 3: You don't go through security barriers, you go around them.

But we all knew those things, right?

--Steve Bellovin