Wednesday, December 12, 2007

Security Investment Opportunity

There are a lot of security vendors out there touting all kinds of security products from encrypting hard drives and emails to virus checking and spyware scanning, secure email products, and compliance auditing for those who have access to the systems directly.

However as far as I know, there is no good solution for monitoring and quickly pinpointing a man-in-the-middle attack.

This type of thing seems like it would require cooperation on both ends of a network. It may involve traces through networks and honeypots and traps to catch such attacks.

The more I think about it the more I think that is what is going on with our email service. But I cannot prove or disprove that fact because our email vendor, USA.net, will not help us resolve the problems.

Tuesday, December 11, 2007

Cisco Fraud Shut Down

Cisco thief shut down - one for the good guys.

http://www.networkworld.com/community/node/22850?nlhtsec=rn_121107&nladname=121107securityal

Don't the rest of us small businesses wish that we had the money and support to catch people hacking and stealing from us...

PCI Compliance

This company recently moved its headquarters from Europe to Chicago and wants to get involved in PCI compliance testing of devices. This could be good or bad depending on the true motives of the people involved. I would love it if someone would step up and find and fix security flaws, as long as they are one of the good guys....

http://www.networkworld.com/news/2007/121007-nss-labs-pci.html?nlhtsec=rn_121107&nladname=121107securityal

Vendors trying to hide or ignore vulnerabilities

I agree with this article regarding vendors trying to sweep vulnerabilities under the rug:

Vendors trying to hide vulnerabilities

My beef in this whole blog lately is not that vendors have problems with their software - because hackers and foreign governments and organized crime rings are at war with us - but I do have a beef when vendors do not take responsibility for problems and fix them.

I think the same applies to bugs, which may be nothing - or may be a shadow of a clue that a system is compromised in some way. Vendors should get to the bottom of bugs and in a technical, engineering approach, resolve or at least explain why a problem occurred if it is possible.

Recently I get the feeling that email hosting providers would rather kick a "whiny" customer off the system - who finds a flaw in their software - rather than take the time to get to the bottom of exactly what is causing the problem. In fact some of them turn around and blame the customer and tell them it was something they did that caused the problem even if they cannot prove it (and it is not true).

I had some employees like this in the past. A customer was complaining that her web site was failing randomly and they blamed the customer's computer and never really bothered to research and pin down the problem. I finally had to let them go. The problem was a database server that was overloaded. An engineered approach to resolving the problem would have enlightened us all much sooner. I never blame a customer for a problem without facts I can show them that indicate something they did caused it. If the customer denies doing that thing...maybe something else is still going on, even if it looks like the customer caused it.

My customer with a Mac has nailed down the problem with USA.net's webmail program. The problem happens when she's using her Mac - or any Mac in the office - with a particular mail account (and no others). USA.net claims it is not their problem and that a system administrator changed something - no one on our end has touched anything. The Internet Service Provider came out and tested the modem - they claim there is nothing wrong with the network or the modem. All other web sites are operating just fine on these machines for this customer. USA.net has finally said they would escalate the problem. I doubt this will do any good, however. This is probably all smoke to placate the customer until we move to a new email hosting provider. I'll let you know if it gets fixed before then.

What could be causing this problem? If someone is in the path between my customer and the email hosting vendor, perhaps they could do something to the request. Perhaps there is something in one of the emails in that account that is causing the problem. Perhaps there is some software glitch in Safari on a mac for that particular web site. The only way to pin this down is for the makers of the web site to check their logs and maybe add additional logging and perform some network traces to pin this down. If they won't do it, as far as I can tell we are out of luck.

Saturday, December 08, 2007

Small businesses don't protect their data

Here's a report about small businesses not protecting their data - they don't understand the risks and threats that result from this...and vendors like the ones I have used are not helping. Sometimes I think there are people employed by large managed hosting companies that are related to the espionage mentioned in a previous article. And because small companies don't understand exactly what is going on or the risks involved - they don't complain about it like I do here.

Small business security

Security Threats - New levels of Sophistication

CRN magazine reports in a November 26, 2007 article:

"Many security professionals dispute exactly what constitutes the most serious security threat. But almost all sources agree that over the past two to three years, the tactics cybercriminals are using have become amazingly professional. What was once about bragging rights is now about high-stakes payoffs illegitimately gained by large-scale Internet fraud and infiltration."

For more information go to security threats

Top Spy Threat

InformationWeek reports the following in an article entitled "The Techno-Spy Threat", dated Nov 27, 2008:

"Chinese spying is the top threat to U.S. technology, says the U.S.-China Economic Security Review Commission in its 2007 Report to Congress.

China's espionage activities in the United States are so extensive that they comprise the single greatest risk to the security of American technologies, according to a summary of the report from the congressionally appointed group of experts. Espionage saves China the time and cost of researching and developing advanced technologies, it says."

Security Threats

Friday, December 07, 2007

Traffic Patterns - How Hackers Work

Here's how hackers are working their bots or whatever right now to generate traffic: hitting a site about 5-6 times in a row, in groups, from different IPs. These groups of IPs are related in more ways than one.

We have a site that gets very low traffic and pretty much has nothing linking to it and nobody looking at it. And yet somehow this site gets blocks of hits in a row out of nowhere - 5 or 6 at a time - then stops for another hour.

Here's an example:

12/7/2007 4:08:58 PM 218.234.21.33
12/7/2007 4:09:04 PM 68.189.175.164
12/7/2007 4:09:25 PM 24.0.54.125
12/7/2007 4:09:33 PM 207.172.248.72
12/7/2007 4:09:36 PM 70.236.22.31
12/7/2007 4:09:43 PM 70.236.22.31
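As an added example (not code from the post), a small Python burst detector over access-log lines in the post's own timestamp-plus-IP format: it groups hits that arrive within a configurable gap of each other and reports groups with at least a minimum number of hits, together with how many distinct IPs took part, which is the pattern described above (5 or 6 hits inside a minute from several addresses on an otherwise idle site). The gap and hit thresholds are assumptions, tunable per site.

```python
from collections import Counter
from datetime import datetime

# The six log lines quoted in the post (timestamp, client IP), used as sample input.
SAMPLE_LOG = """\
12/7/2007 4:08:58 PM 218.234.21.33
12/7/2007 4:09:04 PM 68.189.175.164
12/7/2007 4:09:25 PM 24.0.54.125
12/7/2007 4:09:33 PM 207.172.248.72
12/7/2007 4:09:36 PM 70.236.22.31
12/7/2007 4:09:43 PM 70.236.22.31
"""


def parse_line(line):
    """Parse 'M/D/YYYY H:MM:SS AM/PM IP' into a (datetime, ip) tuple."""
    date, clock, ampm, ip = line.split()
    when = datetime.strptime(f"{date} {clock} {ampm}", "%m/%d/%Y %I:%M:%S %p")
    return when, ip


def find_bursts(lines, max_gap=30, min_hits=5, min_distinct=3):
    """Group hits into bursts: a new burst starts whenever the gap between
    consecutive hits exceeds max_gap seconds (assumed threshold). Return the
    bursts with at least min_hits requests, with per-IP tallies and a
    'coordinated' flag when at least min_distinct different IPs took part."""
    hits = sorted(parse_line(l) for l in lines if l.strip())
    bursts, current = [], []
    for when, ip in hits:
        if current and (when - current[-1][0]).total_seconds() > max_gap:
            bursts.append(current)
            current = []
        current.append((when, ip))
    if current:
        bursts.append(current)

    report = []
    for burst in bursts:
        if len(burst) < min_hits:
            continue
        by_ip = Counter(ip for _, ip in burst)
        report.append({
            "start": burst[0][0],
            "end": burst[-1][0],
            "span_seconds": (burst[-1][0] - burst[0][0]).total_seconds(),
            "hits": len(burst),
            "distinct_ips": len(by_ip),
            "coordinated": len(by_ip) >= min_distinct,
            "by_ip": dict(by_ip),
        })
    return report


if __name__ == "__main__":
    for burst in find_bursts(SAMPLE_LOG.splitlines()):
        print(burst)
```

On a low-traffic site a burst that is both short and spread over several source addresses is the thing worth alerting on; a single IP hitting six times is more often one crawler.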

Here's an example of traffic from Ukraine which is probably hackers hitting that same site:

80.91.186.250

inetnum: 80.91.186.0 - 80.91.186.255
netname: INTERCONNECTIONS-DATAGROUP
descr: Subnets /30 for interconnections to DATAGROUP's clients
country: UA

I'm guessing all these IPs are related bots and hackers that hit this site in December:


Here's the same type of traffic from November:


And here's October...


Solid Oak - Symantec flagged as virus - is it?

This company Solid Oak is complaining because Symantec flagged their software as a virus - this article has the details:

http://www.pcmag.com/article2/0,2704,2229576,00.asp

Now the company is complaining that because Symantec deleted or disabled files in their program, people had to "rebuild their entire operating systems".

I don't know about you but if some software is doing things that cause me to have to rebuild my entire operating system if it fails or gets deleted - I'd have to say what the heck is that software doing and I definitely wouldn't want it on my machine - for security reasons.

Someone should take a closer look at exactly what this software does and why removal of files would have such a disastrous effect.

I wonder if PCMag checked to make sure that the real problem does not lie with the software vendor.

Wednesday, December 05, 2007

Server problems - related to /_vti_bin/owssvr.dll?

We got three requests for /_vti_bin/owssvr.dll a short time before our server had some serious issues. We were getting database connection errors and our SSL functionality was hosed. These requests were made by two different IPs. There is one similar request at the bottom from an earlier date. Some actions today also deleted all our request logs prior to: 05/12/2007:20:55:17 -0800

However I have some backup logs.

Not sure if the two are linked, but here is more information so far related to this hack:

A few different requests were made, first from 216.104.48.200 and then from 130.76.32.144

Request details:
ipAddress: 216.104.48.200
server:
referer:
queryString: UL=1&ACT=4&BUILD=6551&STRMVER=4&CAPREQ=0
method: GET
uri:
session: 27pg82u8olfo6
existing session
session created: Wed Dec 05 15:15:48 PST 2007
Accept: */*
X-Vermeer-Content-Type: application/octet-stream
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)
Host:
Connection: keep-alive
Cache-Control: no-cache
CAPREQ: 0
STRMVER: 4
ACT: 4
BUILD: 6551
UL: 1

Could be this person at Valley Medical Center doesn't know their machine is hacked...or it's an accident by some IT person, but I doubt it based on the consistency with which this appears in our logs.

OrgName: Valley Medical Center
OrgID: VMC-11
Address: 400 S 43rd Street
City: Renton
StateProv: WA
PostalCode: 98055
Country: US

NetRange: 216.104.48.0 - 216.104.63.255


The second set of requests for this particular file was from:

******WEBTOOLS.DUMPREQUEST**********
ipAddress: 130.76.32.144
server:
referer:
queryString: UL=1&ACT=4&BUILD=6551&STRMVER=4&CAPREQ=0
servletPath:
method: GET
uri:
session: 3gero4ss5ih8m
new session
session created: Wed Dec 05 15:04:58 PST 2007
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Boeing Kit; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host:
Connection: keep-alive
X-BlueCoat-Via: 996B7CB4B02B592C
X-Vermeer-Content-Type: application/octet-stream
Pragma: no-cache
CAPREQ: 0
STRMVER: 4
ACT: 4
BUILD: 6551
UL: 1
************

I also had a related but not exactly the same request from New Zealand IP 125.236.206.207

Could this be the same guy who was just stopped by the BotRoast program?
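As an added example (not code from the post), Python that parses a request dump in the shape shown above, fingerprints the FrontPage Server Extensions RPC shape (owssvr.dll plus the X-Vermeer-Content-Type header and the ACT/BUILD/STRMVER query parameters), and checks whether the source address falls inside the NetRange quoted above. The sample dump is reconstructed from the first request; its empty uri field is filled in from the post's text, which names the file.

```python
import ipaddress
from urllib.parse import parse_qs

# Sample input reconstructed from the first request dump in the post. The
# uri value is filled in from the post's own description of the request.
SAMPLE_DUMP = """\
ipAddress: 216.104.48.200
server:
referer:
queryString: UL=1&ACT=4&BUILD=6551&STRMVER=4&CAPREQ=0
method: GET
uri: /_vti_bin/owssvr.dll
session: 27pg82u8olfo6
existing session
session created: Wed Dec 05 15:15:48 PST 2007
Accept: */*
X-Vermeer-Content-Type: application/octet-stream
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)
Host:
Connection: keep-alive
Cache-Control: no-cache
"""

# NetRange from the ARIN record quoted in the post (Valley Medical Center).
LISTED_RANGE = ("216.104.48.0", "216.104.63.255")


def parse_dump(text):
    """Turn 'key: value' lines into a dict keyed by lower-cased name.
    Lines without a colon (e.g. 'existing session') are collected as flags."""
    fields, flags = {}, []
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
        elif line.strip():
            flags.append(line.strip())
    fields["flags"] = flags
    return fields


def in_range(ip, first, last):
    """True if ip lies inside the inclusive first..last address range."""
    addr = ipaddress.ip_address(ip)
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return any(addr in net for net in nets)


def classify(text):
    """Return what a defender wants from one dump: the source, whether the
    request has the FrontPage RPC shape, its parameters, and whether the
    source sits in the listed NetRange."""
    f = parse_dump(text)
    query = {k: v[0] for k, v in parse_qs(f.get("querystring", "")).items()}
    frontpage_rpc = (
        "owssvr.dll" in f.get("uri", "").lower()
        and "x-vermeer-content-type" in f
        and {"ACT", "BUILD", "STRMVER"}.issubset(query)
    )
    ip = f.get("ipaddress", "")
    return {
        "ip": ip,
        "is_frontpage_rpc": frontpage_rpc,
        "query": query,
        "user_agent": f.get("user-agent", ""),
        "in_listed_range": bool(ip) and in_range(ip, *LISTED_RANGE),
    }


if __name__ == "__main__":
    print(classify(SAMPLE_DUMP))
```

Running the same classifier over a backup log lets you count how often this exact parameter set recurs per source, which is the consistency the post points to.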

Network Speed Test Results

Here is a summary of speed test results:

Comcast "power boost" - 28922 KBPS download, 1466 KBPS upload
Clearwire - approx 1200 KBPS download, 225 KBPS upload
AT&T Wireless Modem (Cellular) - 143 KBPS upload, 170 KBPS download
T-Mobile hotspot at a popular Starbucks - 1400 KBPS upload and download (may vary by location, as I believe this is a fixed line from an ISP called The Planet)
Qwest (not sure which specific service, and this particular IP range has a name assigned to it - so I don't know if this is the service for the whole office building or what...) - 4172 KBPS download, 431 KBPS upload

The story:

I am testing out a new Internet provider and have to say the guy was to the point and provided most excellent service. I tried uploads from this company and got a constant speed of 25K - even 9K when FTP'ing files up to another location. He was able to quickly and thoroughly show me that their service is actually working at the speed they profess (well, very close to it) and that this is probably a problem with the FTP server, VPN or something else on the network. So now...on to my server hosting company, and let's see if they can be as helpful in pinning down this problem.

Next I did a test to the part of the country in which my server is located. Same thing - I got good speed on this new network.

OK so that pins it down to either my computer, the computer at the other end, or the VPN. Right? Unless it is my hosting provider's network...so I start with my FTP software. I switch out WS_FTP for Globalscape - and the average speed goes up to 88-95K. MUCH better....! More here: FTP Software

So, back to Comcast. Now that I have this nifty little site I run the test on comcast network. At speedtest.net I get 28922 KBPS and 1466 KBPS. A file upload still is far less than these speeds report - about 300KBPS, though better than the other provider so far.

Note that the Comcast test was not done during peak hours. I will post more results later. Comcast degrades when more people are online, so I need to compare at different times of day. Basically, if you live in a crowded area with lots of other people on Comcast, your speed will be slower because more people are sharing it. If you live next to a gamer and you use Comcast, I'm sorry.

Tuesday, December 04, 2007

IP looking for perl - eNet Inc.

IP looking for perl: 209.51.212.82

OrgName: eNET Inc.
OrgID: ENET
Address: 3000 East Dublin Granville Rd.
City: Columbus
StateProv: OH
PostalCode: 43231
Country: US

NetRange: 209.51.192.0 - 209.51.223.255

Monday, December 03, 2007

IPs trying to access /_vti_bin/owssvr.dll

The following IPs have been trying to access this file on our server: /_vti_bin/owssvr.dll


11/30/2007 5:15:55 PM 71.231.107.92
11/30/2007 5:15:41 PM 71.231.107.92
11/30/2007 3:48:04 PM 66.165.57.43
11/29/2007 4:12:52 PM 64.122.102.72
11/29/2007 4:12:38 PM 64.122.102.72
11/29/2007 3:09:41 PM 205.229.151.150
11/29/2007 3:07:34 PM 205.229.151.150
11/28/2007 11:30:07 AM 63.166.226.83
11/28/2007 12:56:21 AM 206.81.222.24
11/27/2007 9:09:48 AM 130.76.32.182
11/27/2007 9:09:35 AM 130.76.32.182

Some of these IPs belong to large companies such as Boeing, REI and F5, which I find somewhat odd. Are their servers hacked, or are people randomly hitting the wrong IP address by accident?

Fight Spam

I love this - if you hate spam, check out this site. Better yet, contribute to the fight:

Fight Spam

Spyware - biggest threat?

Some business owners feel spyware is the biggest threat suddenly:

Spyware threat

Spyware. Servers can be taken down - and rebuilt. Spam spewing out of servers is a big nasty pain. If someone takes over a server that is really bad because they can divert your revenue and steal your source code.

But spyware seems like the most evil of evils. Why? Because with spyware someone can do all of the above easily, and more. With spyware someone can log all your passwords - like when you log into your online banking site or your server or VPN. Spyware can potentially allow reading any communications you are sending, so someone can know what you want and what you are going to do before the third party to whom the message is being sent does. For instance, are you sending a quote? They can undercut your bid easily and woo your potential customer.

With spyware a hacker can learn about your infrastructure and potentially find ways to intercept, block and change messages in transit. I am not 100% certain how much of this is possible or why or why not -- but don't tell me it is not possible because hackers find a way to do everything.

If you know you have a hacker on your system and use your computer in any way to communicate about it, they can read it. A great engineer I knew who worked at Excite way back in the day said they were fighting a hacker and called him some name in an email communication. They then all got a response "My name is Jim".

How can you fight someone who knows your every move? Spyware is the ultimate cyber evil and cyber espionage tool.

And these days, hackers are more crafty and harder to spot than ever, so I could be sitting here typing this while some guy in Russia is reading every letter using a keylogger. How should I know?

List of Criminals Arrested for Bots

This article details criminals arrested for spreading bots:

Botnet Criminals

And here's another one of the criminals targeted by Botroast:

New Zealand Bot hacker

This one is interesting because I was getting a lot of bad traffic from a New Zealand network with the word "hug" in it. I wonder if this is related in any way.

Report Hacker Sites at Google

This is cool. Google set up a site to help catch hackers:
Google helps track down malicious sites

Governments Using Hackers - On The Rise

Governments using Internet espionage is nothing new. I've been posting links about this for a long time and suggesting it is more prevalent than we think here. So is this really "on the rise" or is it that people are just noticing it? I've been digging in the Internet trenches here for years and seeing oddities that look like a bit more than a 13 year old kid messing around...Whatever the reality is, I am glad someone is noticing:

Cyberattacks by Governments