'Relentless' pace of hack attacks

[Maestr0]

Todays BBC news http://news.bbc.co.uk/2/hi/technology/3131512.stm


-Maestr0

[slarty]

Their figures are meaningless because:

1. They haven't said what constitutes an "attack" - it's likely that the vast majority (99% perhaps) were from worms, not crackers.
2. How do they decide where one attack stops and the next starts ... is a port scan a single attack or do they count every packet?

I have seen that recently nearly all attacks detected by IDS come from worms. This is particularly true when a new one comes out (about every week at the moment it seems).

Even now, there still seem to be some codered infected boxes - they're still attacking!

I did set up an IDS a while ago, and decided to turn off the rules for the common worms, as they were spamming my logs.

Slarty

[Tiger Shark]

Maestro: I don't think there is anything particularly startling in that report other than the fact that PSINet can sit back and blandly state that 50% of their customers don't even have the most bacis of firewall's in place..... I would suggest that that statement implies two things about PSINet themselves. Namely, they have identified an issue within their own network that they are clearly not addressing aggressively enough and, secondly, there's a business opportunity out there that they are just letting slip by.

What does bother me though about the whole issue is the number of networks that have "administrators" and have no viable security. Just the other day I got a call from an ex-boss asking how we had fared through the M$Blast/Sobig.etc. storm of a couple of weeks ago. I told him we remained clean throughout. He promptly asked me if I would do a contract job for him to come and look over thier security measures, (and kick some @$$, (his words)), since they seem to be getting hit with every new thing that comes out, (worms and viruses). The sad part is that this is a national company with offices from coast to coast that does some form of ecommerce or other...... These people should have more sense and a better understanding of the risk.... His office alone has three admins..... Yet they get everything that's going around out there..... C'mon.... That's not right..... If his company decide they want me snooping I'll have to take my "big" hand so I can slap these three properly....

[RoadClosed]

Lol Tiger, I am with ya!

My buddy has 20, count 20, IT staff for a network of 800 to 900 computers. Not a bad ratio of staff to computers and he has dedicated admins for different system, like a SQL admin, net admins (plural), an EVEN a friggin Exchange Admin, etc. DEDICATED to their own boxes. And they get hit with everything. They were all working like mad trying to contain the blaster and mutants. While I was lurking here bored and semi content while I ran more security scans just to make quadruple sure.

Alas, but you reach a point where money isn't that important when lacking sleep and social engagements. So I have been turning down a lot of offers, especially since the MS Blaster. Have to admit, on the dark side its good for business.

[Tiger Shark]

RoadClosed: 20 admins!!!!!! 900 computers.....

He has a 1:45 ratio... I have a 1:85 ratio. I run SQL Server, Exchange server, 20 other servers and 18 locations spread across three counties all connected by dedicated Point-to-Point T1's and we can manage to keep this crap out...... This is exactly the point I was trying to make above. Think of the unnecessary cost his organization incurs at every new outbreak. The loss of productivity has to be immense across 900 machines..... And let's be really honest..... The trend over the last couple of years has not to be destructive.... What will they do when they get one of these "nasties" that propogates x times and then destroys the machine it is on..... They could be down for weeks/months.

I'm with you on the "bored and semi-content".... I call it "fat, dumb and happy".....

If this ex-bosses company wants me I'll take a couple of days away from here and do it then. Mostly for the reasons you stated but also I want to see the "normal" daily traffic on thier network..... See how much unknown/undetected crap is going on there. Like you I rarely do side stuff any more..... Right now I have a regular "side job" that takes me about 5 hours a month and they pay me $3000/month to do it...... I can live with that kind of pressure....

[bpiedlow]

I call it "fat, dumb and happy".

Hehehe... That fits soo well too...


Here I was running at a ratio of 1:45 (actually we were running at exactly 1admin and 45pcs) - at that time we were only ever hit with a few email viruses (dropping exes, vbs, scr files from email stopped those)...

Now we got a new manager, and another admin - so we're running at about 1:25 admin to pc ratio now... But since this new manager has never seen what happens when bad security lets the worms in, so he's slowly getting more and more 'dump and happy' with our network...

To the point now, as i've mentioned in another thread, he's allowing the new admin to skip running things like IISLockdown, etc on new servers. Saying 'we're secure enough' we can let W2K run with its all it defaults left alone...


Fat, dumb, and happy - untill something breaks and they have to own up to it...
Its really quite a sad thing...

RRP

[Tiger Shark]

BP:

Saying 'we're secure enough' we can let W2K run with its all it defaults left alone..

And there, my friend, is the end of your network...... It is just the kind of attitude that gets you bitten in the @$$ in this business..... Security is a constantly morphing beast that alters it's state almost daily. If your admin thinks that he can skate along he is a moron.... And, please, feel absolutely free to show him this..... Just keep pointing out the error of his ways to his boss and sit back and wait for the day when he turns white, starts to shake and sweats like a horse after a race in summer as he realizes that, for the minimal effort required, he wouldn't now need to be going to his boss' office to explain why your company secrets/customers SSN's/bosses emails to his mistress or whatever are floating around the internet for everyone to see. Then, when you pick yourself back up off the floor you can give him the time tested "I told you so", snikker to his face, swoon and tell him you need some personal time off just to rub it in...... And best yet..... Make sure your computer is untouched and offer his boss the use of yours while his gets fixed......<ROFL> Me? Evil???? Naaaahhh....

[Lansing_Banda]

My shcool has a government grade firewall that cost them over 10,000 dollars. The reason is that there are government computers on the network. The school spent 20,000 dollars setting up a server for our residence hall (12,000 for an 8,000 dollar server and 8,000 for some guy to set it up). Anyways, with all this govenment securtiy, 85% of the campus got msblaster and the whole network was down for 2 weeks. Go figure.

[Tiger Shark]

Lansing: You said "Government" and "security" in the same sentence.....

Please fully patch the next 100 Windows boxes you come across as pennance......

Just how long ago did the security expert set up the firewall? I bet it was more than a week ago...... Back to my point.... Security is ever changing......

[Astroflux13]

I really believe that if those hired for the Admin. positions knew how to hack and what goes into it they can go into what a person thinks. Just like how a locksmith knows how to break into cars, I am sure they are very good at preventing it. Think about it: instead of lock knobs easily used to break into they opt for the sleak ones, instead of leaving a new Jaguar on the street and park their 86 Yugo (no offense) in the garage they park the Jaguar in there.