[ISN] Who's That Knocking At My Door? Go Away!

From: InfoSec News (isnat_private)
Date: Tue May 15 2001 - 11:25:41 PDT

    May 14, 2001 
    One of the nagging problems in information security is the difficulty
    of finding out how many security incidents occur. Unfortunately, this
    information is difficult to obtain.

    Companies fear the public relations and share-value impact of
    disclosing a security breach. Perversely, revealing even an
    unsuccessful attack can be a public relations disaster. And once an
    organization announces that it has been attacked, it may suffer
    further attacks as a result of the news coverage.

    For other crimes, we can use police statistics or insurance claims
    data to measure the change in risk over time. Currently, however,
    there isn't much of a market for cyberinsurance, so insurance data
    isn't available. Police data isn't much better because companies are
    hesitant to report computer crimes. Some distrust the police,
    believing them to have a low level of awareness of computer security
    issues. Laws like the Freedom of Information Act and the low rate of
    successful prosecutions add to this distrust.

    But companies can't hide everything. The highest-profile attacks in
    the current environment are Web site defacements. A useful resource in
    this area is Attrition.org's Web site. Hackers notify this group when
    they deface a site, and Attrition.org makes a mirror copy of it as a
    record. This means it has accurate data reflecting trends in this
    area. And the current trend isn't good. Attrition.org's Web site is
    seeing about 30 defacements per day, an increase from 13 per day a
    year ago and two per day two years ago. And it doesn't look like this
    will improve anytime soon.

    To supplement this data from the outside world, we also regularly
    examine data from our systems to ensure that our defense is properly
    focused. We have an intrusion-detection sensor outside the firewall
    that logs many attacks, and we also log a great deal at our firewalls.
    As an exercise, we recently analyzed a week's worth of data down to
    the last packet and noticed some remarkable trends. I hadn't looked at
    this data in detail for some time, and I was startled by what we

    My company was an early adopter of the Internet, so we have a large
    address range. This means that if an attacker picks an address at
    random, we have a 1 in 65,000 chance that we'll be the target. We are
    a major financial organization, making us a possible target of choice
    for directed attacks.

    So, given all that, how many attacks and probes do you think we
    detect? One per month? One per day? I thought the result would be
    something in the range of once per hour. My research uncovered a much
    higher figure: We detected 1.5 attacks every second.

    Of the non-Web connections (such as Domain Name System, File Transfer
    Protocol or e-mail), 85% were unauthorized, consisting of attempts to
    gather information or compromise our systems. Our firewall or our
    intrusion-detection system blocked these unauthorized connections - no
    doubt a few of them were errors caused by people mistyping IP
    addresses. It's also possible that some much more competent attacks
    penetrated our outer shell.

    The most popular attacks are those that use scanning tools to target
    known vulnerabilities. The top attacks in our sample week were DNS
    BIND buffer overflow probes (379,273), Back Orifice probes (64,932),
    WU-FTP buffer overflow probes (64,824) and NetBIOS share name probes

    From the perspective of an attacker, the DNS and FTP attacks make a
    certain amount of sense. Recent high-profile, easy-to-exploit
    problems have been discovered in these servers that some companies
    haven't yet patched. Exploiting these problems can give the attacker
    root access to critical servers.

    But the next two? These include some foolish attacks by obviously
    unskilled individuals. To run a scripted attack doesn't take very much
    skill, but at least you're trying to break into a system on your own
    behalf. Those that scan for Back Orifice and SubSeven Trojan horse
    programs are bottom feeders.

    These are script kiddies that are too lazy to break into systems
    themselves but are looking for systems that other people have already
    broken into and left back doors into. Does this ever work? Anyone with
    even the most simple firewall will have blocked attacks to these
    ports, and all antivirus software detects and protects against these

    The volume of these probes for prebroken systems is worrying - surely,
    these kids must sometimes succeed, meaning that there must be many
    machines with Back Orifice or SubSeven running, leaving them open to
    the least competent hackers. If someone were to try the real-world
    equivalent of these four scanning attacks - checking each car in a lot to
    see if it is unlocked by trying every door - someone would surely
    notice, and the perpetrator would almost certainly be warned off. The
    brazenness and sheer mass of these attempts show that these attacks
    aren't being noticed or that when they're reported, no effective
    action is being taken.

    This doesn't bode well for the future of the Net. More and more people
    are coming online, often without sufficient security protection.
    Within a second after a Web site goes online, strangers are trying to
    break into the systems. Users may expect that law enforcement will
    protect them from malicious strangers, but no such protection exists
    at present. Indeed, once a machine has been hacked, even if users
    become aware of the intrusion, they may find fumigating their machines