Wow, I mentioned this in a presentation a while back, talking about ‘remote sniffing’ via tunnels. Looks like a perfect storm of holes allowed someone to actually try to pull this off. Also, pay special attention to how the good guys caught it.

Remote management FTL. Wouldn’t SSHing through to a server and back out to the router work just as well?
I finally got around to reading the article, and it’s pretty cool.
The comment about Cliff Stoll’s assessment on people who look over their shoulders is an interesting one.
What the article doesn’t mention is how much time was spent checking redundant change management systems before contacting the incident response team.
Here’s a sobering thought: how many companies don’t have change management systems, incident response teams, or log alert systems like RANCID?
xio2: the real reason you would configure a tunnel from a router back to $something is to forward IP packets through it and have your own ‘exit node’ on the net. Think of it as a much faster, private-just-for-you Tor exit node. So (I may not be understanding your question correctly), ssh/telnet was simply used to get into the router. The tunnel is ROUTING full IP. So it’s even more than Tor (UDP, etc.). You basically are sitting ‘behind’ that router as if you were at that company’s site / data center. It’s like open wifi but accessible from anywhere on the net, not just from the driveway.
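As an added illustration (not code from the thread, the article, or RANCID itself), here is a small config-diff check in the spirit of the RANCID-style alerting mentioned above: it diffs two constructed router config snapshots and flags an added tunnel interface, tunnel endpoint, or route into a tunnel that is not covered by an approved change record. The config text, hostnames and addresses are made up for the example.

```python
import difflib
import re

# Constructed sample snapshots (not from any real device).
BASELINE_CONFIG = """\
hostname edge-rtr1
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
"""

CURRENT_CONFIG = """\
hostname edge-rtr1
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
interface Tunnel99
 ip address 192.0.2.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.7
ip route 0.0.0.0 0.0.0.0 Tunnel99
"""

# Added config lines a reviewer would want paged about: these are the
# building blocks of the "route full IP out through a tunnel" setup.
RISKY_PATTERNS = [
    (r"^\+interface Tunnel\S*", "new tunnel interface"),
    (r"^\+ tunnel destination \S+", "tunnel endpoint not in change record"),
    (r"^\+ip route .* Tunnel\S*", "traffic routed into a tunnel"),
]

def config_diff(old: str, new: str) -> list[str]:
    """Line-level diff of two config snapshots, headers stripped."""
    raw = difflib.unified_diff(old.splitlines(), new.splitlines(), lineterm="", n=0)
    return [l for l in raw if not l.startswith(("---", "+++", "@@"))]

def flag_changes(old: str, new: str, approved=frozenset()) -> list[tuple[str, str]]:
    """Return (reason, diff line) for each added line matching a risky pattern.
    A tunnel destination listed in the approved change record is not flagged."""
    findings = []
    for line in config_diff(old, new):
        for pattern, reason in RISKY_PATTERNS:
            if re.match(pattern, line):
                if "destination" in line and line.split()[-1] in approved:
                    continue
                findings.append((reason, line))
    return findings
```

Run it against snapshots pulled on a schedule and the three findings for `Tunnel99` are exactly what a change-management reviewer would want to see before the traffic starts flowing.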