Security Basics mailing list archives

RE: Actual Security Cases


From: "David Gillett" <gillettdavid () fhda edu>
Date: Fri, 31 Jan 2003 10:30:37 -0800

-----Original Message-----
From: H C [mailto:keydet89 () yahoo com]
Sent: January 30, 2003 13:13

Unfortunately, some of what you're asking isn't really
the issue you may think it is...for example, "no
remote access via modem" (depending on exactly what
you mean).  Remote access isn't that much of a
security risk, as long as it's implemented,
configured, and managed/monitored appropriately.

  Relatively few things are much of a risk if implemented,
configured, and managed/monitored appropriately.  But doing
so is a lot harder for some things than for others.
  My own feeling is that operating banks of modems and
terminal servers is best left to ISPs, and so official
dial-up remote access simply rolls into remote network
access.
  On the other hand, users setting up their own dial-in
modems at their desks is virtually impossible to
"implement, configure, and manage/monitor appropriately".
 
W/ regards to "no weak passwords", that's easy
enough...MS released a security advisory in Aug, and
re-released it in Sept.  Evidently there was a rash of
systems getting infected w/ IRC bots, due to weak or
non-existent Administrator passwords.

  The "Lioten" worm that struck in early December used a
short list of trivial passwords such as "12345".  .1%
compromise (4 machines out of 4000) by it was enough to 
cripple one of our less-restricted networks for two days.
 
David Gillett

