Here is some interesting information:

Stephen Dawes B.A. B.Sc.
Web Business Office, City of Calgary
PHONE: (403) 268-5527
FAX: (403) 268-6423
E-MAIL ADDRESS: sdawes at gov.calgary.ab.ca

-----Original Message-----
From: SecurityWatch@xxxxxxxxxxxx [mailto:SecurityWatch at bdcimail.com]
Sent: Thursday, June 29, 2000 1:57 PM
To: sdawes at gov.calgary.ab.ca
Subject: SECURITY WATCH: Network protection commentary from InfoWorld.com

========================================================
SECURITY WATCH
InfoWorld.com
========================================================
Thursday, June 29, 2000
Network protection commentary by: McClure & Scambray

TRACKING AN ATTACK OFTEN PROVIDES LITTLE BENEFIT; TOP DETERRENT IS SECURE SYSTEMS EVERYWHERE

Posted at June 23, 2000 01:01 PM Pacific

EVER SINCE JACK installed his personal firewall on his cable modem, he's seen hundreds of port scans hitting the box. At first he took them seriously, worrying about what these cybermiscreants were up to. As Jack quickly learned, finding out the answers to these questions requires enormous investigative work and can lead to absolutely nothing.

Trying to track down the knocks on your cyberdoor can quickly turn into a passion. But each ping, traceroute, port scan, Whois, and American Registry of Internet Numbers (ARIN) search often reveals only what little can be done to stop these preludes to an attack.
The final desperate act will inevitably be the abuse at whateverisp.com inbox black hole that is ISP abuse reporting. Now imagine that every single computer banging away at your door is the end of a long string of computers being used to channel an attack. Tracking down this last hop reveals only the tail of an enormous, multiheaded dragon.

The days of direct computer attacks are long gone. Today, only hacker wanna-bes use their own computers to direct the attack at the target system. More than a decade ago, the serious malicious hackers broke into vulnerable systems not to collect credit card numbers or turn off the power grid to a city neighborhood. Instead, they gained access to these systems simply to use them for further attacks on the Internet. Just as the distributed DoS (denial of service) attacks in February required a number of compromised "zombie" machines to generate the necessary traffic to disable e-commerce sites, these zombie machines can also be used as jumping-off points for malicious attacks.

To build this elaborate diving platform, attackers will scan for vulnerable systems on the Internet. DSL and @Home customers such as those with AT&T and Pacific Bell are easy targets. To find these juicy targets, attackers will look up subnets on ARIN and Network Solutions, looking for netblocks that house high-speed, poorly secured home systems. Another popular target is educational institutions. Using automated attack scripts, attackers can literally break into these systems overnight and "own" more than a hundred systems within hours.

Attacking Windows NT home users begins with port scanning on TCP ports 135 and/or 139. Once the ports are open, the attackers will launch the typical Windows NT-based assaults, including simple password guessing, input validation attacks, and buffer overflow attacks. NT systems tend to be juicier targets than are Windows 9x systems simply because NT's remote control capabilities are far superior.
Using programs such as netcat, NTRK remote, and RemotelyAnywhere, attackers can control an NT system with ease -- and then upload and kick off the same attacks from that system. Attacking and controlling Unix systems such as Red Hat and Mandrake Linux can be even simpler using numerous remote buffer overflow attacks. Vulnerabilities such as those in several Unix daemons can be trivially exploited with publicly available source code. Once owned, the attackers will set up backdoors and remote control capabilities, kicking off the same Linux attack scripts to further invade systems.

And let's not forget about open proxy relays, often unwittingly left dangling by customers of those very same consumer-oriented services. With the growing focus on application-layer vulnerabilities, most attacks nowadays take the form of a maliciously malformed URL; it's point-and-shoot simply to bounce these off of a proxy if it isn't properly configured. We recently visited a site that had been compromised by just such a bullet, a single URL anonymously relayed by a misconfigured SOHO (small office/home office) proxy device out in the void.

Does anyone remember the infamous Wingate and squid proxy-scanning tools that circulated the Net about a year ago? Try turning WinScan (one of the most popular Wingate scanners) loose on your favorite network and see what pops up. How many of those do you think were run by unwitting end-users who thought they were improving the security of the Internet? Or just browse to proxys4all.cgi.net and take your pick.

All an attacker needs to begin a reign of terror is that first vulnerable system. Each subsequent attack will actually be coming from a compromised system and not the original attacker. And that is what makes security-incident response an enormously difficult and often fruitless task. Tracking down an attempted hack may turn up your grandmother's computer rather than the real culprit.
Can you see yourself knocking on the door of an @Home user asking to look at the computer? The fact is, unless the crime causes more than $5,000 in damage, the FBI won't get involved, and without the FBI, knocking on the door during Sunday brunch will have little motivational impact for cooperation.

The solution to the problem of island-hopping is not trivial, requiring nothing less than absolute security on all systems attached to the Internet -- not a small task. So what is the stopgap measure? Tell us what you think about a resolution at security_watch at infoworld.com.

Stuart McClure is president and CTO and Joel Scambray is Managing Principal at security consultant Foundstone (www.foundstone.com).
Copyright 2000 InfoWorld Media Group Inc.
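As an added illustration that is not part of the column or the newsletter, here is a small Python triage script for the situation Jack is in. It reads a few constructed personal-firewall log lines (the line format is an assumption, not any real product's), summarises inbound probes per source, flags the TCP 135/139 probes the column names as the opening move against NT hosts, and groups sources by /24 so that neighbouring addresses that are really one scanner or one compromised hop can be reported to the netblock owner once instead of being chased one by one.

```python
import re
from collections import defaultdict

# Constructed sample of personal-firewall log lines; the format is assumed, not a real product's.
SAMPLE_LOG = """\
2000-06-23 13:01:02 DROP TCP 198.51.100.7:4021 -> 192.0.2.10:135
2000-06-23 13:01:02 DROP TCP 198.51.100.7:4022 -> 192.0.2.10:139
2000-06-23 13:01:05 DROP TCP 198.51.100.7:4023 -> 192.0.2.10:80
2000-06-23 13:02:11 DROP TCP 203.0.113.44:1234 -> 192.0.2.10:139
2000-06-23 13:02:11 DROP UDP 203.0.113.44:1234 -> 192.0.2.10:137
2000-06-23 13:03:40 DROP TCP 203.0.113.45:2000 -> 192.0.2.10:139
2000-06-23 13:04:01 DROP TCP 198.51.100.200:5555 -> 192.0.2.10:22
"""
LINE_RE = re.compile(
    r"^\S+ \S+ DROP (?P<proto>TCP|UDP) (?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+)$")
# TCP ports the column names as the opening move against NT hosts (135 RPC, 139 NetBIOS session).
NT_PROBE_PORTS = {135, 139}

def parse_log(text):
    """Yield (proto, src, dport) for each well-formed line; silently skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["proto"], m["src"], int(m["dport"])

def summarize_probes(text):
    """Per source address: total hits, distinct destination ports, and an NT-probe flag."""
    per_src = defaultdict(lambda: {"hits": 0, "ports": set(), "nt_probe": False})
    for proto, src, dport in parse_log(text):
        entry = per_src[src]
        entry["hits"] += 1
        entry["ports"].add(dport)
        if proto == "TCP" and dport in NT_PROBE_PORTS:
            entry["nt_probe"] = True
    return dict(per_src)

def group_by_netblock(summary):
    """Collapse sources into /24s: several neighbours hitting the same ports is usually one
    scanner (or one compromised hop) walking a netblock, so one report to its owner suffices."""
    blocks = defaultdict(set)
    for src in summary:
        blocks[src.rsplit(".", 1)[0] + ".0/24"].add(src)
    return {block: sorted(srcs) for block, srcs in blocks.items()}

if __name__ == "__main__":
    s = summarize_probes(SAMPLE_LOG)
    for src, e in sorted(s.items()):
        flag = " NT-style probe" if e["nt_probe"] else ""
        print(f"{src:16} hits={e['hits']} ports={sorted(e['ports'])}{flag}")
    print(group_by_netblock(s))
```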