Full Disclosure mailing list archives
Re: A Botted Fortune 500 a Day
From: "Jamie Riden" <jamie.riden () gmail com>
Date: Fri, 13 Apr 2007 15:03:11 +0100
On 13/04/07, Steven Adair <steven () securityzone org> wrote:
Is this in anyway surprising? I think we all know the answer is no. Many Fortune 500 companies have more employees than some ISPs have customers. Should we really expect differently?
Yes! Off the top of my head: 1. Corporations should have more of an economic incentive to prevent compromises on their internal networks. E.g. "TJX breach could cost company $1B" - http://weblog.infoworld.com/zeroday/archives/2007/04/tjx_breach_coul.html Now, a typical spambot will cost almost nothing compared with that, but the point is you don't know the extent of the compromise until you've examined the machines involved. 2. Corporations have a lot more influence over their employee's behaviour than ISPs do over their customers. Customers can walk away to a new ISP with minimal fuss if sanctions are threatened. 3. Corporations can lock down their firewalls a lot tighter than ISPs can. If my ISP blocked the way my employer does, I would be looking for a new ISP. 4. ISPs don't own the data on their customer's computers. Corps very much do own most of the data on their employees computers. Therefore they need to worry about confidentiality in a way that ISPs do not. I used to look after security at a large-ish university and odd activity would stand out because there the baseline was largely 'normal' traffic. ISPs have little chance to detect 'odd' behaviour because everyone is doing 'odd' things. Corps should only have a very few 'odd' things happening on their networks and a single outgoing portscan or IRC session are grounds for serious concern. (Assuming IRC is forbidden by policy - if not, you can still profile the IRC servers you expect to be talking to and those you don't.) It's not hard to find infected machines at a corp.
Also, as a side note, I would like to add that just because SPAM is coming from a certain gateway does not necessarily mean that the machines on their network are infected. We could assume this, but then again I would have to assume Microsoft's network is full of bots because I get SPAM originating from Hotmail.com. It might be logical and in many cases to assume this, but it's worth noting this may not be the case.
Based on the Received headers, or just on the From line ? The latter is trivial to forge and has been routinely forged pretty much forever. If Received headers show that mail has been relayed from within your organisation, then you have a serious problem, and it's better to learn of it by checking for outgoing spam than when someone notices something worse six months down the line. cheers, Jamie -- Jamie Riden / jamesr () europe com / jamie () honeynet org uk UK Honeynet Project: http://www.ukhoneynet.org/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- A Botted Fortune 500 a Day Gadi Evron (Apr 12)
- Re: A Botted Fortune 500 a Day James Matthews (Apr 12)
- Re: A Botted Fortune 500 a Day Steven Adair (Apr 13)
- Re: A Botted Fortune 500 a Day Jamie Riden (Apr 13)
- Re: A Botted Fortune 500 a Day Steven Adair (Apr 13)
- Re: A Botted Fortune 500 a Day Jamie Riden (Apr 13)
- Re: A Botted Fortune 500 a Day Simon Smith (Apr 13)
- Re: A Botted Fortune 500 a Day Jamie Riden (Apr 13)
- Re: A Botted Fortune 500 a Day Nick FitzGerald (Apr 17)
- Re: A Botted Fortune 500 a Day Troy (Apr 17)
- Re: A Botted Fortune 500 a Day Nick FitzGerald (Apr 17)
- Re: A Botted Fortune 500 a Day Valdis . Kletnieks (Apr 17)