Security Incidents mailing list archives
Re: @home: Is *anyone* really home there???
From: woods () MOST WEIRD COM (Greg A. Woods)
Date: Mon, 28 Feb 2000 11:32:39 -0500
[ On Friday, February 25, 2000 at 18:41:39 (-0700), Wozz wrote: ]
Subject: Re: @home: Is *anyone* really home there???

> I'm the head of the security department for a large nationwide cable modem provider that is in the exact same situation @home is. We get hundreds and hundreds of complaints a day, often times about how someone's "hacking" them, when in fact, someone misdirected a web browser in their direction.

I work with the front-line "postmaster@" and "abuse@" folks at a number of small ISPs, including small local cable companies now deploying cable modems.

Wozz, are a lot of your reports those of the type generated automatically by various so-called "security" products for PCs? We get lots of similar complaints, but often from third party users claiming it is our users who are "attacking" them. For example I get lots of automated complaints like these:

    Subject: "Hacker's attack from your server"

    This report was automatically generated by Jammer.
    Jammer offers complete protection against NetBus and BackOrifice.
    Type of attack: TCP port scanning
    Time: The time is Sat Feb 26 21:09:56 2000 [Local GMT bias -6:00]
    Hacker IP: NNN.NNN.NNN.NN ()
    Ports: 39108->51210
    __________________________________________________________________________
    For further information visit http://jammer.comset.net

I've had words with the Jammer support folks to try and convince them that (a) this kind of event is not necessarily a "scan" of any type and it is most definitely not a "TCP port scan" when seen on its own, and (b) it's just as likely that the source address is forged, (c) to use a better choice of words and to avoid "hack" and "attack" and their derivatives, and finally (d) to include the IP number of the client at the time of the incident. Unfortunately I don't think I've had any success at convincing them to change anything at all.

In the above case obviously someone could be playing tricks, however I get a larger number of similar reports where the target port is "21" or "80" or "25"! These make me want to jam Jammer somewhere very painful for the recipient, and I alternate my preferred target of revenge to be either the authors of such software or sometimes even the ISPs of the users sending these reports as they also have at least a partial responsibility to educate their users and to deal with these kinds of incidents for them.

I've thought of forwarding all obviously errant reports to the software support folks, but I doubt that would help unless all of us did this simultaneously.

BTW everyone, I really really really detest the misuse of the words "attack" and "hacker" in any of these situations. Wozz put the word in quotes which is correct, but the Jammer folks don't and the Jammer subject line nearly drives me up the wall even before I read the messages! (Yes I manage my own stress level so as to avoid popping any important blood vessels over this! ;-)

--
Greg A. Woods

+1 416 218-0098 VE3TCP <gwoods () acm org> <robohack!woods>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>
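
Added example, not part of the original message and not Jammer's or any ISP's code: a sketch of how an abuse desk could parse reports in the format quoted above and record why one cannot be acted on as written, following points (a), (b) and (d) and the remark about target ports 21, 80 and 25. The scan threshold, the reading of "A->B" as source port then target port, the result labels and the sample addresses are assumptions.

```python
import re

SERVICE_PORTS = {21: "ftp", 25: "smtp", 80: "http"}  # target ports named in the message
SCAN_MIN_PORTS = 5  # assumption: fewer distinct target ports is not called a scan
FIELD_RE = re.compile(r"(Type of attack|Time|Hacker IP|Ports):\s*")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def parse_report(text):
    """Parse a report body, line-per-field or flattened onto one line."""
    body = re.split(r"_{5,}", text)[0]   # drop the footer below the rule
    parts = FIELD_RE.split(body)         # [preamble, label, value, label, value, ...]
    fields = {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}
    found = IPV4_RE.search(fields.get("Hacker IP", ""))
    source = found.group(0) if found else None
    pairs = re.findall(r"(\d+)\s*->\s*(\d+)", fields.get("Ports", ""))
    return {
        "type": fields.get("Type of attack", ""),
        "time": fields.get("Time", ""),
        "source_ip": source,
        # assumption: "A->B" means source port A, target port B
        "ports": [(int(a), int(b)) for a, b in pairs],
        "other_ips": [ip for ip in IPV4_RE.findall(body) if ip != source],
    }

def triage(text):
    """Return reasons the report cannot be acted on as written."""
    r = parse_report(text)
    targets = {dst for _, dst in r["ports"]}
    notes = []
    if "scan" in r["type"].lower() and len(targets) < SCAN_MIN_PORTS:
        notes.append("not-a-scan")       # point (a): one event is not a port scan
    if targets & SERVICE_PORTS.keys():
        notes.append("service-port")     # target is 21, 25 or 80
    notes.append("source-unverified")    # point (b): source address may be forged
    if not r["other_ips"]:
        notes.append("no-client-ip")     # point (d): complainant's own IP is missing
    return notes

def sample(ports):
    """Constructed report modelled on the one quoted; 192.0.2.10 is a documentation address."""
    return ("This report was automatically generated by Jammer. "
            "Type of attack: TCP port scanning "
            "Time: The time is Sat Feb 26 21:09:56 2000 [Local GMT bias -6:00] "
            "Hacker IP: 192.0.2.10 () Ports: " + ports + " " + "_" * 40 +
            " For further information visit the vendor site")

if __name__ == "__main__":
    for ports in ("39108->51210", "1042->80"):
        print(ports, triage(sample(ports)))
```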