Rootkit infections: AARRGH!
Kevin D. Clark
clark_k at pannaway.com
Tue May 10 21:06:10 EDT 2005
Fred <puissante at biz.puissante.com> writes:
> I am suspicious that they are somehow breaking in through ssh --
http://www.nytimes.com/2005/05/10/technology/10cisco.html
Internet Attack Called Broad and Long Lasting by Investigators
By JOHN MARKOFF and LOWELL BERGMAN
Published: May 10, 2005
[....]
The crucial element in the password thefts that provided access
at Cisco and elsewhere was the intruder's use of a corrupted version
of a standard software program, SSH. The program is used in many
computer research centers for a variety of tasks, ranging from
administration of remote computers to data transfer over the Internet.
[...]
Comment: I designed and implemented a network protocol in one of my
past jobs. I found it useful to provide my SQA folks with a
bastardized version of the protocol stack, one that allowed them to
basically do everything possible to try to deceive/overrun a valid
protocol endpoint. I slept well at night knowing that the SQA staff
had the tools to try to crash/overrun a protocol endpoint, but they
never could find a way to do it. Developing tools to test your own
code is a part of doing a job.
--kevin
--
GnuPG ID: B280F24E And the madness of the crowd
alumni.unh.edu!kdc Is an epileptic fit
-- Tom Waits
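The "bastardized protocol stack" idea in the comment above, shown as an added example that is not part of the original post: a toy length-prefixed frame format (hypothetical, defined here only for illustration), a careful parser that rejects malformed input with one well-defined exception, a naive parser that trusts the wire, and a mutation harness that feeds truncated, bit-flipped, length-lying and junk-padded frames to either one and counts which reject cleanly and which crash.

```python
import random
import struct

MAGIC = b"PR"  # hypothetical 2-byte frame magic for the toy protocol
MAX_PAYLOAD = 1024


class ProtocolError(Exception):
    """The only exception a robust endpoint may raise on malformed input."""


def build_frame(msg_type: int, payload: bytes) -> bytes:
    """Wire format (constructed for this example): MAGIC(2) | type(1) | len(2, BE) | payload."""
    return MAGIC + bytes([msg_type]) + struct.pack(">H", len(payload)) + payload


def strict_parse(data: bytes) -> dict:
    """Validate every field before using it; reject anything off-spec with ProtocolError."""
    if len(data) < 5:
        raise ProtocolError("short header")
    if data[:2] != MAGIC:
        raise ProtocolError("bad magic")
    (length,) = struct.unpack(">H", data[3:5])
    if length > MAX_PAYLOAD:
        raise ProtocolError("payload too large")
    if len(data) != 5 + length:
        raise ProtocolError("length field disagrees with frame size")
    return {"type": data[2], "payload": data[5:]}


def naive_parse(data: bytes) -> dict:
    """Trusts the wire: no header-size check and no check that the length field
    matches the bytes actually received. This is the kind of endpoint the harness
    should flag, because it raises struct.error / IndexError instead of ProtocolError."""
    (length,) = struct.unpack(">H", data[3:5])
    return {"type": data[2], "payload": data[5:5 + length], "last": data[4 + length]}


def mutate(frame: bytes, rng: random.Random) -> bytes:
    """Produce one deliberately malformed variant of a valid frame."""
    choice = rng.randrange(5)
    if choice == 0:  # truncate anywhere, including to nothing
        return frame[: rng.randrange(len(frame) + 1)]
    if choice == 1:  # flip one bit somewhere in the frame
        i = rng.randrange(len(frame))
        return frame[:i] + bytes([frame[i] ^ (1 << rng.randrange(8))]) + frame[i + 1:]
    if choice == 2:  # lie in the length field, keep the real payload
        return frame[:3] + struct.pack(">H", rng.randrange(65536)) + frame[5:]
    if choice == 3:  # append trailing junk
        return frame + bytes(rng.randrange(256) for _ in range(rng.randrange(1, 64)))
    return b""  # empty input


def stress_parser(parser, rounds: int, seed: int = 1) -> dict:
    """Feed mutated frames to `parser` and classify each outcome.

    accepted: parsed without error (mutation happened to leave a valid frame)
    rejected: ProtocolError, the intended response to bad input
    crashed:  any other exception, i.e. a robustness bug in the endpoint
    """
    rng = random.Random(seed)
    stats = {"accepted": 0, "rejected": 0, "crashed": 0}
    for _ in range(rounds):
        payload = bytes(rng.randrange(256) for _ in range(rng.randrange(0, 32)))
        data = mutate(build_frame(rng.randrange(256), payload), rng)
        try:
            parser(data)
            stats["accepted"] += 1
        except ProtocolError:
            stats["rejected"] += 1
        except Exception:
            stats["crashed"] += 1
    return stats


if __name__ == "__main__":
    print("strict:", stress_parser(strict_parse, 2000))
    print("naive: ", stress_parser(naive_parse, 2000))
```

The harness is the SQA side of the arrangement the post describes: the mutations are the "bastardized" stack, and the pass criterion is simply that `crashed` stays at zero. A real fuzzer would drive many more mutation strategies and coverage feedback, but the contract being tested is the same: every input, however malformed, ends in either a parsed frame or a controlled rejection.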