[ISN] Study: Hackers take a trip through Asia

From: InfoSec News (isnat_private)
Date: Mon Mar 18 2002 - 23:40:13 PST


    http://zdnet.com.com/2100-1105-862936.html
    
    By Robert Lemos 
    Special to ZDNet News
    March 18, 2002, 3:50 PM PT
    
    Servers based in South Korea and China are the most commonly used in
    attacks on the Internet, following servers housed in the United
    States, according to a study released Monday by an infrastructure
    consulting firm.
    
    Using its more than 50 sensors around the Internet to study more than
    12 million probes and attacks, New York-based Predictive Systems found
    that 49 percent of all attacks took advantage of servers in the United
    States, 17 percent used South Korean servers, and about 15 percent
    used servers based in China.
    
    While the results don't suggest which nations have the most hackers,
    they do indicate that unsecured infrastructure is often co-opted by
    attackers in other countries and poses a significant risk to others
    connected to the Internet, said Richard Smith, a senior information
    security analyst with Predictive.
    
    "Countries that are not technologically advanced or very high up on
    the security evolution chain had a higher probability" of seeing their
    servers used in attacks, Smith said, adding that "those with more
    users also gravitated to the top."
    
    The United States has the largest Internet infrastructure and most
    online users, so it's no surprise that it takes the top slot, Smith
    said. The fact that servers in South Korea and China are used in so
    many attacks should be a wake-up call for the countries, he said.
    
    "South Korea has a large broadband population, so they are especially
    at risk," Smith said, adding that between always-on broadband
    connections and poor user education, the country is a perfect
    launching point for attacks.
    
    Despite post-Sept. 11 doomsday prophecies regarding attacks over the
    Internet by religious factions in the Middle East, servers in Middle
    Eastern countries didn't account for a significant number of attacks.
    
    "The main thing is that they don't have the infrastructure yet," Smith
    said. "Broadband and dial-up services are very expensive, and in many
    places, they don't really have a telecommunications infrastructure
    yet, not to say a data infrastructure."
    
    Predictive focused on more than 12 million "events" that the company's
    54 sensors, which monitor the firm's clients, detected in the last
    quarter of 2001. Each event could be a simple scan of a service--such
    as e-mail, file sharing or a Web site--offered by a server, a probe
    for a specific vulnerability, or a real attack.
    
    By correlating the Internet address of the source of the event with
    addresses owned by Internet service providers in each country,
    Predictive could determine the last server from which an attack came.
    
    However, the country from which the hacker is truly attacking remains
    a mystery, Smith said.
    
    "There is no way of really knowing the original source without getting
    access to the logs to see if the attacks originate there or they use
    the (country) as a jumping point," Smith said.
    
     
    
    -
    ISN is currently hosted by Attrition.org
    
    


