Re: so, shall we get started?

David Wiseman (magi@csd.uwo.ca)
Tue, 23 Aug 94 9:51:33 EDT

*Hobbit*
>> 
>> Most of the traffic here has been introductions, which are all well and
>> good, but yow, are we detecting any intruders yet?
>> 
>> I'm going to throw out a couple of "things to watch for" on an IP link,
>> and hope to see a lot more of it discussed.

Good stuff. Sorry I don't have any answers :-) Let me start another thread
then...

Yes, watching the network (IP level) for weird stuff is a good idea. Yes, we
need to do it when and where we can.

But (there had to be one, didn't there?) this has not been the area where we
have had the most trouble. We are, perhaps, fortunate that our cable plant is
"reasonably" secure; it is our user base that isn't.

There has been LOTS of discussion about how to secure a system (with better
passwords more often checked, various IP wrappers, COPS, tripwire, etc.)
And we should all be doing what we can. However, I am still being hit
(occasionally) by people who "gain" access to another person's account while
that person is out of the country (or the like). No matter how much education
we provide (force feed sometimes) there are still people who are going to give
their passwords away or who have accounts on remote, insecure, machines and
who allow .rhosts access to their accounts here.

Anyone have any thoughts on how to build an account profile so that a sudden
change in behaviour will be obvious?

magi --------------------------------------------------------------------------
     Dogs seem to function on the logic that it is best to eat everything;
    whatever turns out to be a non-food item can always be gacked up later.
            If it's a noun, a dog somewhere in Iowa has eaten it. 
                                	-- Dave Barry
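
One way to approach the account-profile question raised in the message above, as an added example that is not part of the original post: build a per-account profile from past logins and list how a new login deviates from it. The record fields, host names, service labels and the one-hour slack are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample login records: (user, source_host, hour_of_day, service).
BASELINE = [
    ("alice", "office-ws1", 9, "login"),
    ("alice", "office-ws1", 10, "login"),
    ("alice", "office-ws1", 14, "telnet"),
    ("alice", "home-dialup", 20, "telnet"),
    ("bob", "lab-sun3", 13, "login"),
    ("bob", "lab-sun3", 15, "rlogin"),
]

def build_profiles(records):
    """Summarise each account's past behaviour: hosts, hours and services seen."""
    profiles = defaultdict(lambda: {"hosts": set(), "hours": set(), "services": set()})
    for user, host, hour, service in records:
        p = profiles[user]
        p["hosts"].add(host)
        p["hours"].add(hour)
        p["services"].add(service)
    return dict(profiles)

def deviations(profiles, record, hour_slack=1):
    """Return the reasons a new login differs from the account's profile."""
    user, host, hour, service = record
    p = profiles.get(user)
    if p is None:
        return ["no profile for account"]
    reasons = []
    if host not in p["hosts"]:
        reasons.append("new source host " + host)
    # Hours wrap around midnight, so compare on a 24-hour circle.
    if all(min((hour - h) % 24, (h - hour) % 24) > hour_slack for h in p["hours"]):
        reasons.append("unusual hour %02d:00" % hour)
    if service not in p["services"]:
        reasons.append("new service " + service)
    return reasons

if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    # Constructed new logins: one routine, one from an unseen host at night.
    for rec in [("alice", "office-ws1", 11, "login"),
                ("alice", "remote-host", 3, "rlogin")]:
        print(rec, "->", deviations(profiles, rec) or "matches profile")
```

A login that trips several reasons at once (new host, odd hour, new service) is the "sudden change" worth a human look; a single reason on its own will be common for legitimate users.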