Information Security News mailing list archives

Scanning the World


From: InfoSec News <isn () C4I ORG>
Date: Mon, 10 Jul 2000 02:59:53 -0500

Forwarded by: infosec () infosec 20m com

http://www.securityfocus.com/news/56

Scanning the World

A mysterious California company is sweeping the net for live hosts,
and touching off alarms around the world.

By Kevin Poulsen
July 7, 2000 12:38 AM PT

A secretive Silicon Valley startup is probing the Internet, tickling
firewalls and intrusion detection systems across the globe and raising
the ire of network administrators increasingly sensitized to potential
harbingers of hack attacks.

Security watchers began noticing the probes earlier this year. "When I
came in to work in the morning, I saw pages and pages of traceroutes
and pings," recalls Matthew Jach, a network security specialist under
contract with the state of Wisconsin. "Some customers called me,
really angry about lots of logs that they were reading, and asked me
to do something about that problem," says Fabio Oliva, director of
Safe Networks, a security services company in Sao Paulo, Brazil. Alif
Terranson, administrator at Missouri FreeNet, asks rhetorically, "If
someone is banging on your door for an hour, would you let it go, or
would you call the cops?"

Terranson didn't call the police when Missouri FreeNet's firewall
caught a flock of suspicious packets last month, but like other
network administrators and security gurus troubled by the scanning, he
traced the source of the probes and was surprised to find that the
culprit wasn't a teenage cyberpunk reconnoitering his next target.
Instead, it was Quova Inc., a six-month-old technology company
boasting fifty employees and financial backing from such VC stalwarts
as Softbank and IDG Ventures.

The company web site told Terranson little about what Quova does, and
offered nothing to explain why it was scanning. Quova, the site read,
is an "Internet infrastructure company" operating in "stealth mode" --
a term of art that did nothing to reassure Terranson. "When I saw
that, it raised the hairs on the back of my neck."

Matthew Jach discovered Quova as the company swept through the
Wisconsin government's network last April. "It's not illegal, but to a
lot of people it's invasive and rude to come through a network and do
a ping scan," says Jach, who went so far as to complain to Quova's
upstream provider, Exodus Communications, which assured him that the
scans didn't violate Exodus' terms of service.

"I'm not aware of Quova doing anything invasive, or anything that
could be considered a denial of service attack," says Eric Uratchko,
policy enforcement specialist for Exodus. "If they were, we would
certainly take action."

Who is Quova?

It may be a reflection of the times that Quova's probes are raising
eyebrows.

The company's technique is to send every computer an ICMP Echo
request, colloquially known as a 'ping.' A ping is a small packet of
data that bounces harmlessly off of a system and back to the sender,
and is typically used to measure response time.

Whenever a system answers, indicating that it's alive and online,
Quova performs a "traceroute," determining the exact path Internet
traffic takes to reach the remote computer from the company's Mountain
View, California offices.

There are malicious uses of pings and traceroutes, but, generally,
both types of traffic are harmless, and they reveal far less about a
network than common hacker tools like "nmap" that probe each machine
multiple times in search of open ports. Ping and traceroute utilities
are standard on most flavors of Unix and Windows. "They're management
tools," says Martin Roesch, an intrusion detection expert at
Hiverworld. "They're not really invasive."

As little as four years ago, nobody would have noticed Quova's
efforts, says Roesch, but escalating network intrusion rates and a
spate of high-profile computer crimes are pushing administrators to
levels of sensitivity bordering on the touchy. "It's good that
everyone's awareness of computer security is so heightened that a
traceroute is setting off alarm bells. On the other hand, it might be
an overreaction, depending on the intent of people doing the
traceroutes," says Roesch, who adds that if nothing else, the
wholesale scanning may be a little rude. "I don't think Miss Manners
would approve."

More Stealth Promised

Quova officials acknowledge their scans, which they say will hit every
working, non-governmental Internet address, from corporate systems to
home PCs.

"We're trying to gain some information regarding performance and
geographic location," says CEO Rajat Bhargava. "We're not trying to be
invasive and gain information that's considered proprietary. We're
just using pings and traceroutes, among other techniques, to populate
a database which is used to help us deliver our service."

What that service is, and what the company's other techniques for
gathering information might be, remains a mystery. "We haven't really
been talking much about what we're doing. In general, our product and
service is under wraps," says Bhargava, explaining that Quova is still
in "stealth mode." The 27-year-old executive's last company, Service
Metrics, sold to Exodus Communications in October for $280 million. It
employs automated user agents at points scattered throughout the net
to monitor performance of clients' web sites.

According to records in the U.S. Patent and Trademark Office, the
service mark "Quova" is registered for "providing demographic,
geographic and psychographic information to others." Psychography is
the science of targeting advertising to people with particular
lifestyles or beliefs.

Bhargava says that service mark description is a broad category
crafted by company attorneys, and has little to do with Quova's
business plan. "We're not interested in profiling people, we're not
interested in registration databases of people, or cookies," says
Bhargava. "We've taken a completely non-invasive approach to figure
out how to deliver a service that helps in areas of performance and
geography without invading people's privacy."

Company CTO Derald Muniz says there's nothing inappropriate about
Quova's probes, but that he's sympathetic to administrators who find
them alarming. "I had to talk to the guy who got a page at 3:00 in the
morning because his firewall was set off by what we were doing," says
Muniz. Quova follows through on every complaint with emails or phone
calls, and has sometimes exempted a network from scanning, Muniz says.

But after six months of constant probing, Quova says it's received
only 100 complaints. A 1998 Internet mapping project by Bell Labs
researcher Bill Cheswick drew 30 complaints after six months of
scanning.

"Obviously, I want to decrease that number," says Muniz. To that end,
the company is working to refine its technique, so as to fly
stealthily beneath the radar of firewalls and intrusion detection
systems. "It's a goal we have," says Muniz. "Someday I'd like to get
the system to the point where we don't set off anybody's alarms."

ISN is hosted by SecurityFocus.com
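
The ping-then-traceroute pattern the article describes, seen from the receiving network's side: an added example, not part of the original article or of any tool it mentions, that triages border-firewall log lines by source. The log format, addresses and thresholds are all constructed assumptions; traceroute probes are recognised by a low remaining TTL that rises step by step toward one host.

```python
import re
from collections import defaultdict

# Constructed border-firewall log (invented format, documentation address ranges).
SAMPLE_LOG = """\
03:00:01 proto=icmp type=echo-request src=192.0.2.10 dst=198.51.100.5 ttl=52
03:00:01 proto=icmp type=echo-request src=192.0.2.10 dst=198.51.100.6 ttl=52
03:00:02 proto=icmp type=echo-request src=192.0.2.10 dst=198.51.100.7 ttl=52
03:00:02 proto=icmp type=echo-request src=192.0.2.10 dst=198.51.100.8 ttl=52
03:00:03 proto=icmp type=echo-request src=203.0.113.9 dst=198.51.100.5 ttl=60
03:00:04 proto=udp type=dgram src=192.0.2.10 dst=198.51.100.5 ttl=1
03:00:04 proto=udp type=dgram src=192.0.2.10 dst=198.51.100.5 ttl=2
03:00:05 proto=udp type=dgram src=192.0.2.10 dst=198.51.100.5 ttl=3
03:00:06 proto=udp type=dgram src=192.0.2.10 dst=198.51.100.7 ttl=1
03:00:06 proto=udp type=dgram src=192.0.2.10 dst=198.51.100.7 ttl=2
03:00:07 proto=udp type=dgram src=192.0.2.10 dst=198.51.100.7 ttl=3
"""
LINE = re.compile(r"(\S+) proto=(\w+) type=([\w-]+) src=(\S+) dst=(\S+) ttl=(\d+)")

SWEEP_MIN_HOSTS = 3   # assumed: distinct hosts pinged before we call it a sweep
TRACE_MAX_TTL = 5     # assumed: remaining TTL at the border that marks a probe
TRACE_MIN_STEPS = 3   # assumed: rising TTL steps needed to call it a traceroute

def classify_sources(log_text):
    """Return {src: {"verdict", "pinged", "traced"}} for every source in the log."""
    pinged = defaultdict(set)     # src -> hosts sent a normal-TTL echo request
    low_ttl = defaultdict(list)   # (src, dst) -> low TTL values in arrival order
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue              # skip lines that do not fit the assumed format
        _, proto, ptype, src, dst, ttl = m.groups()
        if int(ttl) <= TRACE_MAX_TTL:
            low_ttl[(src, dst)].append(int(ttl))
        elif proto == "icmp" and ptype == "echo-request":
            pinged[src].add(dst)
    report = {}
    for src in set(pinged) | {s for s, _ in low_ttl}:
        traced = sorted(d for (s, d), ttls in low_ttl.items()
                        if s == src and ttls == sorted(ttls)
                        and len(set(ttls)) >= TRACE_MIN_STEPS)
        sweep = len(pinged[src]) >= SWEEP_MIN_HOSTS
        followed = [d for d in traced if d in pinged[src]]  # traced hosts also pinged
        verdict = ("sweep+traceroute" if sweep and followed else
                   "sweep" if sweep else "traceroute" if traced else "single-host")
        report[src] = {"verdict": verdict, "pinged": len(pinged[src]), "traced": traced}
    return report

if __name__ == "__main__":
    for src, info in sorted(classify_sources(SAMPLE_LOG).items()):
        print(src, info)
```

Grouping by source in this way lets one summary line per scanner replace the pages of individual ping and traceroute entries the administrators quoted above describe.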