Message-id: <4625FB7A.20035.9C09EF02@nick.virus-l.demon.co.uk>
Date: Wed, 18 Apr 2007 11:05:30 +1200
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: botnets@...testar.linuxbox.org, funsec@...uxbox.org,
	full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: [Full-disclosure] A Botted Fortune 500 a Day

Steven Adair wrote:

> Is this in any way surprising?  ...

Surprising?  Not really.

> ...  I think we all know the answer is no.  Many
> Fortune 500 companies have more employees than some ISPs have customers. 

And that means the corporates should be expected to be (as) botted?

> Should we really expect differently?

Indeed we should.

It's easy to compare numbers, but that's not the real story.  Almost by 
definition an ISP has no administrative control of the computers its 
customers use to connect via its service.  Corporates are totally 
different in this regard -- in fact, diametrically opposite.  
Corporates own and thus are responsible for the control of all the 
computers they attach to their LANs and should be responsible for the 
actions of all those machines.

So, in answer to your question, yes, we definitely should expect more
-- a great deal more.

Will they be perfect?  Sadly, no; partly because of human fallibility 
and partly because too many of them take what seems to be your view --
"controlling all this is a hopeless task so why even bother trying".

And finally, I don't think SI's efforts show that any F500s are as bad 
as a "typical ISP".  SI is, however, showing that at least some F500s 
have lazy arse/stupid/otherwise incompetent admins and/or oversight 
procedures and/or policies driving the whole mess of their IT systems, 
and as a result the rest of us pay for their incompetence.

> Also, as a side note, I would like to add that just because SPAM is coming
> from a certain gateway does not necessarily mean that the machines on
> their network are infected.  ...

Did you read any of their reports fully?

They don't assume that.  They track the mail back "behind" the gateways 
and they know what forms of what spam are being sent through bot-nets 
because of other systems they run (honeypots, etc) and analysis they 
perform.

> ...  We could assume this, but then again I would
> have to assume Microsoft's network is full of bots because I get SPAM
> originating from Hotmail.com.  It might be logical and in many cases to
> assume this, but it's worth noting this may not be the case.

And they made an obvious (or much more subtle) error like this where?


Regards,

Nick FitzGerald
