Full Disclosure mailing list archives

Re: A Botted Fortune 500 a Day


From: "Steven Adair" <steven () securityzone org>
Date: Fri, 13 Apr 2007 09:28:23 -0500 (EST)

On 13/04/07, Steven Adair <steven () securityzone org> wrote:
Is this in any way surprising?  I think we all know the answer is no.  Many
Fortune 500 companies have more employees than some ISPs have customers.
Should we really expect differently?

Yes! Off the top of my head:

1. Corporations should have more of an economic incentive to prevent
compromises on their internal networks. E.g. "TJX breach could cost
company $1B" -
http://weblog.infoworld.com/zeroday/archives/2007/04/tjx_breach_coul.html
Now, a typical spambot will cost almost nothing compared with that,
but the point is you don't know the extent of the compromise until
you've examined the machines involved.


You list incentives but this doesn't mean I should really expect any
differently.  You are also equating a compromise into TJ MAXX servers for
which details have not been given.  I doubt and hope the same user that's
an account for TJ MAXX and using e-mail isn't connected or able to get to
a server that processes credit card transactions.

2. Corporations have a lot more influence over their employees'
behaviour than ISPs do over their customers. Customers can walk away
to a new ISP with minimal fuss if sanctions are threatened.


Well this is true but you seem to be missing the point of the comparison.
These are large corporations with tens of thousands (some more, some less)
that are geographically dispersed across the countries.  This isn't a
small shop of 50 elite IT users.  This is probably like most other places
where 90% of the users can barely use Microsoft Word and Excel.  Once
again.. do I expect differently? No.

3. Corporations can lock down their firewalls a lot tighter than ISPs
can. If my ISP blocked the way my employer does, I would be looking
for a new ISP.


Sure they can in some instances.  How would locking down a firewall stop
this e-mail from going out?  Maybe you can lock down SPAM firewalls but
that doesn't stop the root cause.  You have 100,000 users at a Fortune 500
company with admin access to their Windows laptops.  Are you going to
block them from using the Internet and using e-mail?  If not I am going to
continue to expect them to keep getting infected.

4. ISPs don't own the data on their customers' computers. Corps very
much do own most of the data on their employees' computers. Therefore
they need to worry about confidentiality in a way that ISPs do not.


Well usually corporations not only own the data on the machines, they own
the computers themselves as well.  You are equating a need and want for
protection with what would really be expected.

I used to look after security at a large-ish university and odd
activity would stand out because there the baseline was largely
'normal' traffic. ISPs have little chance to detect 'odd' behaviour
because everyone is doing 'odd' things. Corps should only have a very
few 'odd' things happening on their networks and a single outgoing
portscan or IRC session are grounds for serious concern. (Assuming IRC
is forbidden by policy - if not, you can still profile the IRC servers
you expect to be talking to and those you don't.) It's not hard to
find infected machines at a corp.


Not sure last time you ever looked at XDCC/iroffer bots, but they can
range from 10-50% .edu hosts.  Universities are ripe for the picking.
I've participated in UNISOG related lists and I know it's getting better
and just like any organization it can vary from location to location.  I
don't expect anything different here either.

Also, as a side note, I would like to add that just because SPAM is coming
from a certain gateway does not necessarily mean that the machines on
their network are infected.  We could assume this, but then again I would
have to assume Microsoft's network is full of bots because I get SPAM
originating from Hotmail.com.  It might be logical and in many cases to
assume this, but it's worth noting this may not be the case.

Based on the Received headers, or just on the From line ? The latter
is trivial to forge and has been routinely forged pretty much forever.


You are talking about forging a MAIL FROM field.  This is not what I am
talking about.

If Received headers show that mail has been relayed from within your
organisation, then you have a serious problem, and it's better to
learn of it by checking for outgoing spam than when someone notices
something worse six months down the line.


There's a field in most mail programs where you can enter in an
SMTP/IMAP/Exchange address etc.  This allows you to send e-mail using that
server.  This does not mean you are located on the internal network for
that server.  In fact you could even be using a forwarder server that it
doesn't show you.  Hell you could be using a web form or webmail.  My
point is that seeing a header from a particular location does not
necessarily mean the sender is behind a firewall sitting on that network.

Do you want corporations to protect their data better?  Absolutely.  Are
companies and people becoming better about awareness training, best
practices, and trying to do better job?  Sure.  Do I expect them to not
get infected, hacked, spew SPAM? Hell no.  It's going to happen all the
time.  Why do you think all these worms in the past few years knocked so
many Fortune 500 companies offline?  In some cases it even caused ATMs not
to work.  We're talking about a corporate industry that was all but
crippled for a few days by a couple of worms and you would expect them to
be bulletproof all of a sudden?  I think not.

Many of these shops do not even have much of an IT security program.  It
is an afterthought in many cases.  There are tons of federal laws,
memorandum, presidential directives, and other guidance that the
government has to follow.. which the corporate world does not and they
have marginal incentives to.  So with all of these protections in place
and the type of data the government has and processes.. do I expect them
not to get hacked, bot'd, and spew SPAM?  No.  I expect it will happen to
them just the same and it does.

Steven


cheers,
 Jamie
--
Jamie Riden / jamesr () europe com / jamie () honeynet org uk
UK Honeynet Project: http://www.ukhoneynet.org/
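The Received-header point argued in the message above (Jamie: check the Received chain for spam relayed from inside; Steven: a hop through your own MTA does not prove the sender sat on your network) can be made concrete with a small checker. This is an added example, not code from either poster: it walks a constructed message's Received headers oldest-first, finds the hop where the mail entered the organisation's own MTA, and reports whether the client at that hop was an RFC 1918 internal address or an outside host submitting through the server. Hostnames, IPs and the `ORG_MTAS` set are assumed sample values.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample (not from the original thread). Each hop prepends its own
# Received: line, so the LAST header is the EARLIEST hop; it records the client
# that handed the message to the organisation's MTA (mx.example.org).
SAMPLE_INTERNAL = """\
Received: from mx.example.org (mx.example.org [203.0.113.10])
\tby relay.isp.example (Postfix) with ESMTP id 12345
\tfor <victim@example.net>; Fri, 13 Apr 2007 09:28:23 -0500
Received: from wkstn-4711.corp.example.org (unknown [10.20.30.40])
\tby mx.example.org (Postfix) with ESMTP id 67890; Fri, 13 Apr 2007 09:28:20 -0500
From: someone@example.org
Subject: test

body
"""

# Same chain, but the client that submitted through mx.example.org is an outside
# host (e.g. a laptop with the company SMTP server typed into its mail client).
SAMPLE_EXTERNAL = SAMPLE_INTERNAL.replace(
    "from wkstn-4711.corp.example.org (unknown [10.20.30.40])",
    "from laptop.home.example (dsl-7.isp.example [198.51.100.7])")

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ORG_MTAS = {"mx.example.org"}          # assumed: the org's own mail servers
_BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def classify_origin(raw_message: str) -> str:
    """Return 'internal', 'external' or 'unknown' for the client that first
    handed the message to one of ORG_MTAS."""
    msg = message_from_string(raw_message)
    for hop in reversed(msg.get_all("Received", [])):   # oldest hop first
        hop_flat = " ".join(hop.split())                 # unfold header
        by = re.search(r"\bby\s+(\S+)", hop_flat)
        if not by or by.group(1) not in ORG_MTAS:
            continue                                     # not our MTA; keep walking
        # Only the 'from ...' part before 'by' describes the connecting client.
        ip_match = _BRACKET_IP.search(hop_flat.split(" by ")[0])
        if not ip_match:
            return "unknown"                             # no literal IP recorded
        ip = ipaddress.ip_address(ip_match.group(1))
        return "internal" if any(ip in n for n in INTERNAL_NETS) else "external"
    return "unknown"                                     # never passed through our MTA
```

An "internal" verdict is the case worth an incident ticket; "external" is exactly the webmail/remote-submission situation the message warns against misreading as an infected host on the corporate LAN.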




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

