Security Incidents mailing list archives

Re: @home: Is *anyone* really home there???


From: ebrockway () EARTHLINK NET (Erick Brockway)
Date: Tue, 29 Feb 2000 19:38:33 -0800


    Here's a complaint SOMEBODY will get soon. Somebody want to post a
response that will work on ALL these requests? If I had a canned response I
could head some of it off (a trickle maybe).
    Still using Wozz's original post as boilerplate.

    Erick

-----Original Message-----
From: Jazereel <jazereel () aol com>
Newsgroups: comp.security.firewalls
Date: Tuesday, February 29, 2000 1:11 PM
Subject: Using Conseal & ZA-Would like to report this geek

Hi,

I recently discovered Zone Alarm and it worked well.  I then found Conseal,
and I like it better.  The problem is, Zone Alarm isn't notifying me any
longer of attempted connections or intrusions.  I'm just wondering, does
anyone know if running the two programs can effectively disable the other?

Also, I am getting at least 5-10 windows every time I'm signed on...several
connection attempts, ICMP blocks...someone tried to send me NetBus the other
day.  Most of the windows say "IP address wants to talk to you" and I simply
block it which creates a new rule.  I'm no hacker guru, just trying to
protect my privacy and PC.

Conseal returns all the information regarding these attempts in....is there
anyone out there on the Net who will handle such abuse?  I'm a member of AOL.
I contacted the Research Dept and was informed that unless this user
threatens my life, they will not act on it.   I can't believe there's such an
open black hole to their members' PCs and they don't have a department which
deals with intrusions.

Any information regarding this would be greatly appreciated.

Email is cool.  :)

Jaz


-----Original Message-----
From: Wozz <wozz+incidents () WOOKIE NET>
To: INCIDENTS () SECURITYFOCUS COM <INCIDENTS () SECURITYFOCUS COM>
Date: Tuesday, February 29, 2000 12:18 PM
Subject: Re: @home: Is *anyone* really home there???

On Mon, Feb 28, 2000 at 11:32:39AM -0500, Greg A. Woods wrote:
[ On Friday, February 25, 2000 at 18:41:39 (-0700), Wozz wrote: ]
Subject: Re: @home: Is *anyone* really home there???

  I'm the head of the security department for a large nationwide
  cable modem provider that is in the exact same situation @home
  is.  We get hundreds and hundreds of complaints a day, often times
  about how someone's "hacking" them, when in fact, someone misdirected
  a web browser in their direction.

I've had words with the Jammer support folks to try and convince them
that (a) this kind of event is not necessarily a "scan" of any type and
it is most definitely not a "TCP port scan" when seen on its own, and
(b) it's just as likely that the source address is forged, (c) to use a
better choice of words and to avoid "hack" and "attack" and their
derivatives, and finally (d) to include the IP number of the client at
the time of the incident.  Unfortunately I don't think I've had any
success at convincing them to change anything at all.

Jammer is the worst offender.  It's gotten to the point where I'm ready to
start ignoring Jammer reports, since I think I've had 1 out of maybe 2000
reports from Jammer state anything useful.  I've also talked to them about
this "port scan" message and never got a response.

BTW everyone, I really really really detest the misuse of the words
"attack" and "hacker" in any of these situations.  Wozz put the word in
quotes which is correct, but the Jammer folks don't and the Jammer
subject line nearly drives me up the wall even before I read the
messages!  (Yes I manage my own stress level so as to avoid popping any
important blood vessels over this!  ;-)

The overuse of these home "firewall" solutions is making overall security
worse, IMHO.  I spend a majority of my time at work filtering through stuff
like this, and not spending time working on things that would actually
improve security.  Thankfully, I've just recently gotten approval to hire
someone to just sit there and sift through all this junk for me.


