An incident occurred here that's worth mentioning to the mailing list.
Someone tried poking our gateway via tftp. No harm done here; it simply
rang the usual alarms. The reverse finger output showed only one user
active, and she was logged in from an unlikely spot. I traced things
back to that point, and again found just one active user, this time with
a suspicious userid. (Yes, I'm deliberately being vague...) I was
unable to finger the source of that login; there appeared to be a firewall
in my way.

After talking with administrators a bit, I learned what had happened.
Someone came in to an unprotected terminal server via a modem pool.
This wasn't seen as a threat, since the configuration was set up so
that dial-up users had no access beyond the local net. But one of
the machines behind their firewall was insecure, and that allowed an
illicit outgoing call.

Moral 1: Back doors are just as good as front doors.
Moral 2: A chain is as strong as its weakest link.
Moral 3: You don't go through security barriers, you go around them.

But we all knew those things, right?

--Steve Bellovin