ssh is an evil of network security. I’m currently onsite at a customer that allows ssh outbound. Why? I’m not sure. But this is not the first customer that I’ve been to that did. Like many others, they have sophisticated anti-spam, DLP, content filtering, proxies, firewalls, and IPS in place. And then they screw the whole thing up with ssh.

Never allow this.

I’m currently circumventing their anti-spam, DLP, content filtering, proxies, firewalls, and IPS by forwarding my traffic through an ssh tunnel I created to my home network. I’m using portable apps to do it, so there should be nothing left behind after I leave. And although my intent is not malicious, it shouldn’t be possible. I’ve even got X Windows running from my Ubuntu box, so the tunnel runs bidirectionally. I could make it permanent. Earlier I was running metasploit through it. This is ridiculous.

Allowing ssh is too trusting. They should just eliminate the anti-spam, DLP, content filtering, proxies, firewalls, and IPS and save their money.
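The point above is that an outbound ssh session defeats every inline control because the firewall sees only one encrypted TCP/22 flow. The checking side is simple to show. Below is an added example, not code from the original post: it walks constructed firewall connection-log lines (the key=value format and field names are assumptions modelled on common firewall syslog output), reports every accepted TCP/22 flow from an RFC 1918 address to a non-internal address that is not on an approved-source list, and marks long-lived sessions, which is what a standing tunnel looks like in the logs.

```python
"""Flag outbound SSH from internal hosts in firewall connection logs.

Added example, not from the original post. The log format below is a
constructed key=value style modelled on common firewall syslog output; the
field names (action, proto, src, dst, dpt, duration) are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SSH_PORT = 22
LONG_SESSION_SECONDS = 3600          # anything longer than an hour looks like a tunnel

# Sources permitted to speak SSH outbound (e.g. an admin bastion). Constructed value.
ALLOWED_SOURCES = {"10.0.5.9"}

# Constructed sample log lines (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = """\
2009-04-02T10:01:13 fw1 conn: action=ACCEPT proto=TCP src=10.0.12.44 spt=51022 dst=203.0.113.7 dpt=22 duration=9812
2009-04-02T10:01:20 fw1 conn: action=ACCEPT proto=TCP src=10.0.12.44 spt=51030 dst=203.0.113.7 dpt=443 duration=12
2009-04-02T10:02:05 fw1 conn: action=ACCEPT proto=TCP src=10.0.5.9 spt=40110 dst=198.51.100.20 dpt=22 duration=300
2009-04-02T10:03:41 fw1 conn: action=ACCEPT proto=TCP src=10.0.12.44 spt=51101 dst=10.0.1.2 dpt=22 duration=45
2009-04-02T10:04:00 fw1 conn: action=DROP proto=TCP src=10.0.12.51 spt=51102 dst=192.0.2.9 dpt=22 duration=0
2009-04-02T10:05:00 fw1 conn: action=ACCEPT proto=TCP src=10.0.12.51 spt=51103 dst=192.0.2.9 dpt=22 duration=120
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Finding:
    src: str
    dst: str
    duration: int
    long_session: bool


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict:
    """Split one log line into a dict of its key=value fields."""
    return dict(KV_RE.findall(line))


def find_outbound_ssh(log_text: str) -> list:
    """Return a Finding for every accepted inside-to-outside TCP/22 flow
    whose source is not on the approved list."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        try:
            if f.get("action") != "ACCEPT" or f.get("proto") != "TCP":
                continue                      # dropped or non-TCP: not a live session
            if int(f["dpt"]) != SSH_PORT:
                continue
            src, dst = f["src"], f["dst"]
            # Only flows that leave the internal ranges matter here.
            if not is_internal(src) or is_internal(dst):
                continue
            duration = int(f.get("duration", 0))
        except (KeyError, ValueError):
            continue                          # malformed line: skip rather than crash
        if src in ALLOWED_SOURCES:
            continue
        findings.append(Finding(src, dst, duration,
                                duration >= LONG_SESSION_SECONDS))
    return findings


if __name__ == "__main__":
    for hit in find_outbound_ssh(SAMPLE_LOG):
        tag = "LONG-LIVED, possible tunnel" if hit.long_session else "short"
        print(f"{hit.src} -> {hit.dst}:22  {hit.duration}s  ({tag})")
```

Run against the sample, it reports the two workstation sessions (one of them long-lived) and ignores the bastion, the internal-to-internal hop, the HTTPS flow and the dropped attempt. The detection is the fallback; the control the post argues for is an egress policy that denies TCP/22 outbound from user networks altogether, with the approved-source list as the only exception.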


I would have to say yes. I think this is partly a technology issue. As information security managers, we think we can design a system that can be managed by technology. We sit in front of consoles and we feel secure. Physical security requires work that involves people, and not just machines and technology. This process involves education, awareness, and training of actual people. This is something most people in information security don’t like to do. With so much emphasis given to DLP these days, I suspect that physical security will have to be stepped up as well. Most companies I consult with have separate physical and network security departments. The physical security aspects are never thought about by most network security architects, and in the cases where they are, it’s an afterthought: something else that can be fixed with technology, e.g. video cameras and biometrics.

From time to time I’m asked to perform social engineering attacks as part of a vulnerability assessment or penetration test. So, I’ve been thinking about the types of social engineering attacks that could succeed on modern well protected networks. Have products evolved so much that these types of attacks can no longer work?

PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply.

This is an interesting tidbit. Most banks and financial institutions don’t realize that they fall under PCI DSS requirements. I was doing an audit for a credit union and this came up in a discussion. They issue credit cards and take credit card payments, but these transactions are handled by a third party, passing the PCI DSS requirements on to the third party. However, the ATMs they have take credit cards and debit cards, and the Primary Account Number (PAN) (the credit card number) is transmitted and stored on their computers. Now they fall under PCI DSS requirements, and PCI audits will subsequently be necessary.