Re: [Full-disclosure] A Botted Fortune 500 a Day
On 4/11/07, Gadi Evron [EMAIL PROTECTED] wrote:
> Support Intelligence releases daily reports on different fortune 500 companies which are heavily affected by the botnet problem, with many compromised machines on their networks.

So what happened to the daily update schedule? Nothing new posted since 4/12...

According to their page at (http://blog.support-intelligence.com/2007/03/30-days-of-bots.html):

> We will continue this coverage until corporate america is clean (ETA 2012)

I guess they completed ahead of schedule.

Kevin

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] A Botted Fortune 500 a Day
Steven Adair wrote:

> Is this in anyway surprising?

...

Surprising? Not really.

...

> I think we all know the answer is no. Many Fortune 500 companies have more employees than some ISPs have customers.

And that means the corporates should be expected to be (as) botted?

> Should we really expect differently?

Indeed we should. It's easy to compare numbers, but that's not the real story. Almost by definition an ISP has no administrative control of the computers its customers use to connect via its service. Corporates are totally different in this regard -- in fact, diametrically opposite. Corporates own and thus are responsible for the control of all the computers they attach to their LANs and should be responsible for the actions of all those machines.

So, in answer to your question, yes, we definitely should expect more -- a great deal more. Will they be perfect? Sadly, no; partly because of human fallibility and partly because too many of them take what seems to be your view -- controlling all this is a hopeless task so why even bother trying.

And finally, I don't think SI's efforts show that any F500s are as bad as a typical ISP. SI is, however, showing that at least some F500s have lazy arse/stupid/otherwise incompetent admins and/or oversight procedures and/or policies driving the whole mess of their IT systems, and as a result the rest of us pay for their incompetence.

> Also, as a side note, I would like to add that just because SPAM is coming from a certain gateway does not necessarily mean that the machines on their network are infected.

...

Did you read any of their reports fully? They don't assume that. They track the mail back behind the gateways and they know what forms of what spam are being sent through bot-nets because of other systems they run (honeypots, etc) and analysis they perform.

...

> We could assume this, but then again I would have to assume Microsoft's network is full of bots because I get SPAM originating from Hotmail.com. It might be logical and in many cases to assume this, but it's worth noting this may not be the case.

And they made an obvious (or much more subtle) error like this where?

Regards,

Nick FitzGerald
Re: [Full-disclosure] A Botted Fortune 500 a Day
On 4/17/07, Nick FitzGerald [EMAIL PROTECTED] wrote:
> SI is, however, showing that at least some F500s have lazy arse/stupid/otherwise incompetent admins and/or oversight procedures and/or policies driving the whole mess of their IT systems, and as a result the rest of us pay for their incompetence.

I've worked in a large corporate environment. I don't think it's a matter of the admins being lazy or incompetent. It's more a matter of corporate politics. The admins roll out a policy that locks down all workstations, prohibits the installation of unapproved software, and prevents visiting restricted web sites, and all is well. Then, Melllvar, the CEO's nephew in accounting, complains that he can't play World of Star Trek. The CEO comes down on the IT department, and the admins either lose their jobs or open a few holes for Melllvar, who promptly installs a crack for his game, unleashing a bot on the local LAN.

-- 
Troy
Re: [Full-disclosure] A Botted Fortune 500 a Day
On 4/13/07, RMueller [EMAIL PROTECTED] wrote:
> How is the information gathered?

The page mentions different types of spam, so it's really just a matter of doing whois lookups / reverse dns checks and stuff like that to see where the stuff comes from. Once you filter out all the end user ranges you can easily do some manual sorting of the list to find juicy stuff, aka things that are fun to laugh at.

-- 
Knud
Re: [Full-disclosure] A Botted Fortune 500 a Day
Did someone get out of bed on the wrong side??

> From: poo [mailto:[EMAIL PROTECTED]
> Sent: Friday, April 13, 2007 6:03 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: [Full-disclosure] A Botted Fortune 500 a Day
>
> gadi.. SHUT UP
>
> On 4/13/07, RMueller [EMAIL PROTECTED] wrote:
> > Gadi wrote:
> >
> > > Message: 8
> > > Date: Wed, 11 Apr 2007 21:35:47 -0500 (CDT)
> > > From: Gadi Evron [EMAIL PROTECTED]
> > > Subject: [Full-disclosure] A Botted Fortune 500 a Day
> > > To: [EMAIL PROTECTED]
> > > Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
> > > Message-ID: [EMAIL PROTECTED]
> > > Content-Type: TEXT/PLAIN; charset=US-ASCII
> > >
> > > Support Intelligence releases daily reports on different fortune 500 companies which are heavily affected by the botnet problem, with many compromised machines on their networks.
> > >
> > > You can find more information on their blog: http://blog.support-intelligence.com/
> > >
> > > They are good people, and they know botnets.
> > >
> > > Gadi.
> >
> > How is the information gathered?
> >
> > ___
> > Fidelity Communications Webmail - http://webmail.fidnet.com
>
> --
> smile tomorrow will be worse
Re: [Full-disclosure] A Botted Fortune 500 a Day
Is this in anyway surprising? I think we all know the answer is no. Many Fortune 500 companies have more employees than some ISPs have customers. Should we really expect differently?

Also, as a side note, I would like to add that just because SPAM is coming from a certain gateway does not necessarily mean that the machines on their network are infected. We could assume this, but then again I would have to assume Microsoft's network is full of bots because I get SPAM originating from Hotmail.com. It might be logical and in many cases to assume this, but it's worth noting this may not be the case.

Steven

> Support Intelligence releases daily reports on different fortune 500 companies which are heavily affected by the botnet problem, with many compromised machines on their networks.
>
> You can find more information on their blog: http://blog.support-intelligence.com/
>
> They are good people, and they know botnets.
>
> Gadi.
Re: [Full-disclosure] A Botted Fortune 500 a Day
On 13/04/07, Steven Adair [EMAIL PROTECTED] wrote:
> Is this in anyway surprising? I think we all know the answer is no. Many Fortune 500 companies have more employees than some ISPs have customers. Should we really expect differently?

Yes! Off the top of my head:

1. Corporations should have more of an economic incentive to prevent compromises on their internal networks. E.g. TJX breach could cost company $1B - http://weblog.infoworld.com/zeroday/archives/2007/04/tjx_breach_coul.html Now, a typical spambot will cost almost nothing compared with that, but the point is you don't know the extent of the compromise until you've examined the machines involved.

2. Corporations have a lot more influence over their employees' behaviour than ISPs do over their customers. Customers can walk away to a new ISP with minimal fuss if sanctions are threatened.

3. Corporations can lock down their firewalls a lot tighter than ISPs can. If my ISP blocked the way my employer does, I would be looking for a new ISP.

4. ISPs don't own the data on their customers' computers. Corps very much do own most of the data on their employees' computers. Therefore they need to worry about confidentiality in a way that ISPs do not.

I used to look after security at a large-ish university and odd activity would stand out because there the baseline was largely 'normal' traffic. ISPs have little chance to detect 'odd' behaviour because everyone is doing 'odd' things. Corps should only have a very few 'odd' things happening on their networks and a single outgoing portscan or IRC session are grounds for serious concern. (Assuming IRC is forbidden by policy - if not, you can still profile the IRC servers you expect to be talking to and those you don't.) It's not hard to find infected machines at a corp.

> Also, as a side note, I would like to add that just because SPAM is coming from a certain gateway does not necessarily mean that the machines on their network are infected. We could assume this, but then again I would have to assume Microsoft's network is full of bots because I get SPAM originating from Hotmail.com. It might be logical and in many cases to assume this, but it's worth noting this may not be the case.

Based on the Received headers, or just on the From line? The latter is trivial to forge and has been routinely forged pretty much forever. If Received headers show that mail has been relayed from within your organisation, then you have a serious problem, and it's better to learn of it by checking for outgoing spam than when someone notices something worse six months down the line.

cheers,
Jamie

-- 
Jamie Riden / [EMAIL PROTECTED] / [EMAIL PROTECTED]
UK Honeynet Project: http://www.ukhoneynet.org/
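The "odd things stand out" baseline Jamie describes (a single outgoing portscan, or an IRC session to a server you did not expect) can be turned into a batch check over flow records. This is an added example, not code from anyone in the thread; the corporate address range, the approved IRC server and the flow lines are constructed placeholders, and the counts run over the whole batch rather than a sliding time window.

```python
"""Flag outbound port scans and IRC sessions to unexpected servers in flow records."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

CORP_NET = ip_network("10.0.0.0/8")         # assumption: the organisation's address space
EXPECTED_IRC = {ip_address("192.0.2.10")}   # assumption: the one IRC server policy allows
IRC_PORTS = {6667, 6697}
SCAN_THRESHOLD = 20                          # distinct ports or hosts before we call it a scan

# Constructed flow records, "epoch src dst dport proto" (not real telemetry).
FLOWS = (
    ["1176458400 10.1.1.6 198.51.100.30 443 tcp",    # ordinary web traffic
     "1176458401 10.1.1.6 198.51.100.31 80 tcp",
     "1176458402 10.1.1.8 192.0.2.10 6667 tcp",      # IRC to the approved server: fine
     "1176458403 10.1.1.7 198.51.100.20 6667 tcp",   # IRC to a server nobody profiled
     "1176458404 198.51.100.40 10.1.1.6 443 tcp"]    # inbound: ignored by this check
    # one host probing 25 ports on a neighbour (vertical scan) ...
    + [f"1176458500 10.1.1.5 10.1.1.9 {port} tcp" for port in range(1, 26)]
    # ... and the same host hitting port 445 on 25 machines (horizontal scan)
    + [f"1176458600 10.1.1.5 10.1.2.{n} 445 tcp" for n in range(1, 26)]
)


def parse_flow(line):
    ts, src, dst, dport, proto = line.split()
    return int(ts), ip_address(src), ip_address(dst), int(dport), proto


def detect(lines):
    """Return (alert_type, source, target) tuples for one batch of flow lines."""
    alerts = []
    seen_irc = set()
    ports_per_pair = defaultdict(set)   # (src, dst)   -> distinct destination ports
    hosts_per_port = defaultdict(set)   # (src, dport) -> distinct destination hosts
    for _ts, src, dst, dport, _proto in map(parse_flow, lines):
        if src not in CORP_NET:
            continue                    # only traffic leaving our own hosts matters here
        ports_per_pair[(src, dst)].add(dport)
        hosts_per_port[(src, dport)].add(dst)
        if dport in IRC_PORTS and dst not in EXPECTED_IRC and (src, dst) not in seen_irc:
            seen_irc.add((src, dst))
            alerts.append(("irc_unexpected_server", str(src), str(dst)))
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= SCAN_THRESHOLD:
            alerts.append(("portscan_vertical", str(src), str(dst)))
    for (src, dport), hosts in hosts_per_port.items():
        if len(hosts) >= SCAN_THRESHOLD:
            alerts.append(("portscan_horizontal", str(src), f"port {dport}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(FLOWS):
        print(*alert)
```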
Re: [Full-disclosure] A Botted Fortune 500 a Day
> On 13/04/07, Steven Adair [EMAIL PROTECTED] wrote:
> > Is this in anyway surprising? I think we all know the answer is no. Many Fortune 500 companies have more employees than some ISPs have customers. Should we really expect differently?
>
> Yes! Off the top of my head:
>
> 1. Corporations should have more of an economic incentive to prevent compromises on their internal networks. E.g. TJX breach could cost company $1B - http://weblog.infoworld.com/zeroday/archives/2007/04/tjx_breach_coul.html Now, a typical spambot will cost almost nothing compared with that, but the point is you don't know the extent of the compromise until you've examined the machines involved.

You list incentives but this doesn't mean I should really expect any differently. You are also equating a compromise into TJ MAXX servers for which details have not been given. I doubt and hope the same user that's an account for TJ MAXX and using e-mail isn't connected or able to get to a server that processes credit card transactions.

> 2. Corporations have a lot more influence over their employees' behaviour than ISPs do over their customers. Customers can walk away to a new ISP with minimal fuss if sanctions are threatened.

Well this is true but you seem to be missing the point of the comparison. These are large corporations with tens of thousands (some more, some less) that are geographically dispersed across the countries. This isn't a small shop of 50 elite IT users. This is probably like most other places where 90% of the users can barely use Microsoft Word and Excel. Once again.. do I expect differently? No.

> 3. Corporations can lock down their firewalls a lot tighter than ISPs can. If my ISP blocked the way my employer does, I would be looking for a new ISP.

Sure they can in some instances. How would locking down a firewall stop this e-mail from going out? Maybe you can lock down SPAM firewalls but that doesn't stop the root cause. You have 100,000 users at a Fortune 500 company with admin access to their Windows laptops. Are you going to block them from using the Internet and using e-mail? If not I am going to continue to expect them to keep getting infected.

> 4. ISPs don't own the data on their customers' computers. Corps very much do own most of the data on their employees' computers. Therefore they need to worry about confidentiality in a way that ISPs do not.

Well usually corporations not only own the data on the machines, they own the computers themselves as well. You are equating a need and want for protection with what would really be expected.

> I used to look after security at a large-ish university and odd activity would stand out because there the baseline was largely 'normal' traffic. ISPs have little chance to detect 'odd' behaviour because everyone is doing 'odd' things. Corps should only have a very few 'odd' things happening on their networks and a single outgoing portscan or IRC session are grounds for serious concern. (Assuming IRC is forbidden by policy - if not, you can still profile the IRC servers you expect to be talking to and those you don't.) It's not hard to find infected machines at a corp.

Not sure last time you ever looked at XDCC/iroffer bots, but they can range from 10-50% .edu hosts. Universities are ripe for the picking. I've participated in UNISOG related lists and I know it's getting better and just like any organization it can vary from location to location. I don't expect anything different here either.

> > Also, as a side note, I would like to add that just because SPAM is coming from a certain gateway does not necessarily mean that the machines on their network are infected. We could assume this, but then again I would have to assume Microsoft's network is full of bots because I get SPAM originating from Hotmail.com. It might be logical and in many cases to assume this, but it's worth noting this may not be the case.
>
> Based on the Received headers, or just on the From line? The latter is trivial to forge and has been routinely forged pretty much forever.

You are talking about forging a MAIL FROM field. This is not what I am talking about.

> If Received headers show that mail has been relayed from within your organisation, then you have a serious problem, and it's better to learn of it by checking for outgoing spam than when someone notices something worse six months down the line.

There's a field in most mail programs where you can enter in an SMTP/IMAP/Exchange address etc. This allows you to send e-mail using that server. This does not mean you are located on the internal network for that server. In fact you could even be using a forwarder server that it doesn't show you. Hell you could be using a web form or webmail. My point is that seeing a header from a particular location does not necessarily mean the sender is behind a firewall sitting on that network. Do you want corporations to protect their data better? Absolutely.
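Jamie's point (read the Received: trail, not the From: line) and Steven's objection (a hop through the corporate relay may be an authenticated submission from outside, or webmail, rather than a machine on the LAN) can both be checked mechanically. The following is an added example, not code from anyone in the thread; it assumes placeholder ranges for the organisation's LAN and mail gateway, uses constructed sample messages, and trusts only Received: headers that your own relays wrote, since anything below your gateway can be forged by the sender.

```python
"""Classify where a spam sample came from by walking its Received: trail."""
import email
import ipaddress
import re

# Assumed ranges standing in for the organisation's own address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]  # placeholder: corporate LAN
GATEWAY_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # placeholder: corporate MX/relay

IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")
# "with ESMTPA" / "with ESMTPSA": the relay accepted the message from an
# authenticated client, i.e. a credential was used, not necessarily a LAN host.
AUTH_RE = re.compile(r"\bwith\s+E?SMTPS?A\b", re.IGNORECASE)


def parse_hop(value):
    """Return (client_ip, authenticated) for one Received: header value."""
    ip = None
    m = IP_RE.search(value)
    if m:
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            pass  # malformed address literal: treat the hop's address as unknown
    return ip, bool(AUTH_RE.search(value))


def in_nets(ip, nets):
    return ip is not None and any(ip in net for net in nets)


def classify(raw_message):
    """Return the From: line, the oldest hop's client IP and a verdict string."""
    msg = email.message_from_string(raw_message)
    # Each relay prepends its own Received: header, so the last one is the oldest hop.
    hops = [parse_hop(" ".join(v.split())) for v in msg.get_all("Received", [])]
    hops.reverse()
    origin_ip = hops[0][0] if hops else None
    if in_nets(origin_ip, INTERNAL_NETS):
        verdict = "originated_inside"  # a LAN host handed it to the relay: investigate it
    elif any(auth and not in_nets(ip, INTERNAL_NETS) for ip, auth in hops):
        verdict = "authenticated_submission_from_outside"  # an account, not a LAN host
    elif any(in_nets(ip, GATEWAY_NETS) for ip, _ in hops):
        verdict = "relayed_via_gateway_origin_unknown"  # e.g. webmail or a web form
    else:
        verdict = "external_only"  # the From: line is the only tie to the organisation
    return {"from_header": msg.get("From", ""),
            "origin_ip": str(origin_ip) if origin_ip else None,
            "verdict": verdict}


# Constructed sample messages (not real mail); addresses are documentation ranges.
SAMPLE_INTERNAL = """\
Received: from mail-gw.corp.example ([203.0.113.10]) by mx.recipient.example with ESMTP; Fri, 13 Apr 2007 10:00:01 +0000
Received: from ws1234.corp.example (ws1234.corp.example [10.20.30.40]) by mail-gw.corp.example with ESMTP; Fri, 13 Apr 2007 10:00:00 +0000
From: "Someone" <someone@hotmail.example>
Subject: forged sender line, but the trail starts on the LAN

"""
SAMPLE_AUTH_SUBMISSION = """\
Received: from mail-gw.corp.example ([203.0.113.10]) by mx.recipient.example with ESMTP; Fri, 13 Apr 2007 10:00:01 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7]) by mail-gw.corp.example with ESMTPSA; Fri, 13 Apr 2007 10:00:00 +0000
From: employee@corp.example
Subject: sent through the corporate relay from outside with a password

"""
SAMPLE_FORGED_FROM = """\
Received: from spammer.example ([198.51.100.9]) by mx.recipient.example with ESMTP; Fri, 13 Apr 2007 10:00:01 +0000
From: ceo@corp.example
Subject: never touched the organisation at all

"""

if __name__ == "__main__":
    for name, raw in [("internal", SAMPLE_INTERNAL),
                      ("auth-submission", SAMPLE_AUTH_SUBMISSION),
                      ("forged-from", SAMPLE_FORGED_FROM)]:
        print(name, classify(raw))
```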
Re: [Full-disclosure] A Botted Fortune 500 a Day
Hi Steven,

I believe security of an organisation is orthogonal to the number of employees/users and how savvy they are. It depends more on the will and resources to secure the network properly. Two, corporations do have many financial incentives to make sure they are secure - if they are doing their risk analyses properly, they can see that. So, yes I do expect them to fare better - a lot better - than ISPs.

More comments are in-line.

On 13/04/07, Steven Adair [EMAIL PROTECTED] wrote:
> > On 13/04/07, Steven Adair [EMAIL PROTECTED] wrote:
> > > Is this in anyway surprising? I think we all know the answer is no. Many Fortune 500 companies have more employees than some ISPs have customers. Should we really expect differently?
> >
> > Yes! Off the top of my head:
> >
> > 1. Corporations should have more of an economic incentive to prevent compromises on their internal networks. E.g. TJX breach could cost company $1B - http://weblog.infoworld.com/zeroday/archives/2007/04/tjx_breach_coul.html Now, a typical spambot will cost almost nothing compared with that, but the point is you don't know the extent of the compromise until you've examined the machines involved.
>
> You list incentives but this doesn't mean I should really expect any differently. You are also equating a compromise into TJ MAXX servers for which details have not been given. I doubt and hope the same user that's an account for TJ MAXX and using e-mail isn't connected or able to get to a server that processes credit card transactions.

A compromise is a compromise and you don't know the extent until you've looked at everything. If one of your machines is spewing spam, how do you know it is also not leaking confidential data to a third party? Any compromise has the potential to be *extremely* costly.

> > 2. Corporations have a lot more influence over their employees' behaviour than ISPs do over their customers. Customers can walk away to a new ISP with minimal fuss if sanctions are threatened.
>
> Well this is true but you seem to be missing the point of the comparison. These are large corporations with tens of thousands (some more, some less) that are geographically dispersed across the countries. This isn't a small shop of 50 elite IT users. This is probably like most other places where 90% of the users can barely use Microsoft Word and Excel. Once again.. do I expect differently? No.

There is no reason for an admin to let users compromise the company's security. If the company cares about security, they can disable admin rights, lock down the firewall and run an IDS. I can buy the argument that most companies don't care sufficiently, but this is really orthogonal to the number and experience level of their users.

> > 3. Corporations can lock down their firewalls a lot tighter than ISPs can. If my ISP blocked the way my employer does, I would be looking for a new ISP.
>
> Sure they can in some instances. How would locking down a firewall stop this e-mail from going out? Maybe you can lock down SPAM firewalls but that doesn't stop the root cause. You have 100,000 users at a Fortune 500 company with admin access to their Windows laptops. Are you going to block them from using the Internet and using e-mail? If not I am going to continue to expect them to keep getting infected.

Block the infection vectors: screen email, http and ftp traffic. No personal laptops on company networks. No admin rights as far as possible. Monitor and react to new vectors and threats as they arise.

Yes, I would disable people's Internet access - in fact all intranet access too. My main interaction with Cisco kit to date is shutting down Ethernet ports and re-enabling them after the problem has been resolved. If there's an incident, the plug gets pulled until someone has examined the machine, and if necessary reinstalled from known good media.

> > 4. ISPs don't own the data on their customers' computers. Corps very much do own most of the data on their employees' computers. Therefore they need to worry about confidentiality in a way that ISPs do not.
>
> Well usually corporations not only own the data on the machines, they own the computers themselves as well. You are equating a need and want for protection with what would really be expected.

They have a financial incentive to look after their machines, so I do expect them to look after them. An ISP has no such incentive to look after their customers' machines.

> > I used to look after security at a large-ish university and odd activity would stand out because there the baseline was largely 'normal' traffic. ISPs have little chance to detect 'odd' behaviour because everyone is doing 'odd' things. Corps should only have a very few 'odd' things happening on their networks and a single outgoing portscan or IRC session are grounds for serious concern. (Assuming IRC is forbidden by policy - if not, you can still profile the IRC servers you expect to be talking to and
Re: [Full-disclosure] A Botted Fortune 500 a Day
Just to add my two cents...

The fact is that the cost in damages of a single compromise is usually far greater than the cost of implementing and maintaining good security. TJX is a golden example of that.

On 4/13/07 11:05 AM, Jamie Riden [EMAIL PROTECTED] wrote:
> Hi Steven,
>
> I believe security of an organisation is orthogonal to the number of employees/users and how savvy they are. It depends more on the will and resources to secure the network properly. Two, corporations do have many financial incentives to make sure they are secure - if they are doing their risk analyses properly, they can see that. So, yes I do expect them to fare better - a lot better - than ISPs.
>
> More comments are in-line.
Re: [Full-disclosure] A Botted Fortune 500 a Day
> From: poo [mailto:[EMAIL PROTECTED]
> Sent: Friday, April 13, 2007 6:03 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: [Full-disclosure] A Botted Fortune 500 a Day
>
> gadi.. SHUT UP

On 4/13/07, Randall M [EMAIL PROTECTED] wrote:
> Did someone get out of bed on the wrong side??

or have their CC bots shut down :-P

-JP

aww, poor baby

-JP
Re: [Full-disclosure] A Botted Fortune 500 a Day
Dude VanWinkle [EMAIL PROTECTED] wrote:
> > From: poo [mailto:[EMAIL PROTECTED]
> > Sent: Friday, April 13, 2007 6:03 AM
> > To: [EMAIL PROTECTED]
> > Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > Subject: Re: [Full-disclosure] A Botted Fortune 500 a Day
> >
> > gadi.. SHUT UP
>
> On 4/13/07, Randall M [EMAIL PROTECTED] wrote:
> > Did someone get out of bed on the wrong side??
>
> or have their CC bots shut down :-P
>
> -JP
>
> aww, poor baby
>
> -JP

HaHaha!! that was good. Dammit I should have thought of that!

thanks
Randall
[Full-disclosure] A Botted Fortune 500 a Day
Support Intelligence releases daily reports on different fortune 500 companies which are heavily affected by the botnet problem, with many compromised machines on their networks.

You can find more information on their blog: http://blog.support-intelligence.com/

They are good people, and they know botnets.

Gadi.
Re: [Full-disclosure] A Botted Fortune 500 a Day
Maybe they can use this site also!

On 4/11/07, Gadi Evron [EMAIL PROTECTED] wrote:
> Support Intelligence releases daily reports on different fortune 500 companies which are heavily affected by the botnet problem, with many compromised machines on their networks.
>
> You can find more information on their blog: http://blog.support-intelligence.com/
>
> They are good people, and they know botnets.
>
> Gadi.

-- 
http://www.goldwatches.com/watches.asp?Brand=39
http://www.wazoozle.com
[Full-disclosure] A Botted Fortune 500 a Day
Gadi wrote:

> Message: 8
> Date: Wed, 11 Apr 2007 21:35:47 -0500 (CDT)
> From: Gadi Evron [EMAIL PROTECTED]
> Subject: [Full-disclosure] A Botted Fortune 500 a Day
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
> Message-ID: [EMAIL PROTECTED]
> Content-Type: TEXT/PLAIN; charset=US-ASCII
>
> Support Intelligence releases daily reports on different fortune 500 companies which are heavily affected by the botnet problem, with many compromised machines on their networks.
>
> You can find more information on their blog: http://blog.support-intelligence.com/
>
> They are good people, and they know botnets.
>
> Gadi.

How is the information gathered?