mailing list archives
RE: Actual Security Cases
From: "David Gillett" <gillettdavid () fhda edu>
Date: Fri, 31 Jan 2003 10:30:37 -0800
From: H C [mailto:keydet89 () yahoo com]
Sent: January 30, 2003 13:13
Unfortunately, some of what you're asking isn't really
the issue you may think it is...for example, "no
remote access via modem" (depending on exactly what
you mean). Remote access isn't that much of a
security risk, as long as it's implemented,
configured, and managed/monitored appropriately.
Relatively few things are much of a risk if implemented,
configured, and managed/monitored appropriately. But doing
so is a lot harder for some things than for others.
My own feeling is that operating banks of modems and
terminal servers is best left to ISPs, and so official
dial-up remote access simply rolls into remote network
On the other hand, users setting up their own dial-in
modems at their desks is virtually impossible to
"implement, configure, and manage/monitor appropriately".
W/ regards to "no weak passwords", that's easy
enough...MS released a security advisory in Aug, and
re-released it in Sept. Evidently there was a rash of
systems getting infected w/ IRC bots, due to weak or
non-existant Administrator passwords.
The "Lioten" worm that struck in early December used a
short list of trivial passwords such as "12345". .1%
compromise (4 machines out of 4000) by it was enough to
cripple one of our less-restricted networks for two days.
- RE: Actual Security Cases David Gillett (Feb 01)