Security Basics mailing list archives

Re: "Attacks" from lax.qualys.com


From: Aarón Mizrachi <unmanarc () gmail com>
Date: Fri, 24 Apr 2009 11:09:48 -0430

On Tuesday 21 April 2009 06:37:01 Liran Cohen wrote:
I would like to point out an important issue:

Today I got an e-mail from qualys asking me to try and resolve this
issue off the list, this is commendable for a company working in such a
field to suggest support for a non-paying customer merely to "clear its
name" off such claims.


I do not know who sent the original e-mail but if you are reading this,
please contact me and I shall forward you to the Qualys representative.


Shalom Liran,

You have to consider it as an attack, and take the same countermeasures as for 
an attack from a hacker. It does not matter what the source is, or whatever. 

Emails can be forged, and so can IP addresses. Social engineering is a common 
technique these days.

Supposing that it is a pentest conducted by your own company using a complete 
black box... Then...

it also must be blocked... 

Why: in a perfect black box, you don't know anything about the attack, and it 
simulates the scenario where the attacker does not know anything about you. And 
your behavior defending the network is also tested. 

--------------------------

My recommendation: Qualys is not the issue. Say thanks to Qualys for the 
email, but don't discuss anything else with this company unless you are requesting 
the originating IP address of this scan... From this point, block the 
Qualys IP netblock to prevent more incidents from this scanner... and 
"problem solved". 

BUT... You must assume that there is a real attacker behind Qualys, using Qualys, 
and blocking this netblock is only delaying the real threat. So, protect 
yourself for the next attack.

;-)

Liran Cohen
RCT Internet Solutions
http://www.rct.co.il
http://www.icon-a.com
+972-54-5617070

Liran Cohen wrote:
Jeremy - by what you're saying I would consider any traffic from such a
service a security hazard and do my best to block that subnet(s) or
perform a reverse resolve and block those hosts.

I agree with all the rest; indeed, assumptions do not exist when
talking about security. If you assume = you are not sure = there is a
risk = not safe; the equation is simple and the conclusion is to take action.


Liran

http://www.rct.co.il

http://www.icon-a.com

Quoting Jeremi Gosney:

No, Qualys is not known for "playing with their tools," and it's never
safe to assume anything. Anyone with a Qualys account can scan any
external IP addr; it doesn't necessarily have to be someone in your
corporation. In fact I'd wager that it isn't someone within your
corporation. Qualys doesn't do vulnerability assessments per se; they
offer vulnerability management SaaS. You simply obtain an account,
and they give you access to a web console that hosts vulnerability
management tools. It's essentially the same as someone sitting at home
with Nessus scanning your external IP space; the only difference is
they're paying to scan from someone else's box, and they're paying
for a high level of anonymity, as Qualys can't actually tell which
user is scanning which IP. They don't even have to be paying; in
fact, they could be scanning you with their 30-day free trial.


-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com] On Behalf Of The Security
Community
Sent: Monday, April 13, 2009 10:07 AM
To: security-basics () securityfocus com
Subject: "Attacks" from lax.qualys.com

For several days now our IDS has been telling us we're being
"attacked" by a host resolving to scanner[number].lax.qualys.com.

Considering the source, is it safe to assume "someone" purchased a
vulnerability assessment without informing the Security Department?

Nobody's talking, but it wouldn't be the first time.

Otherwise, is Qualys known for playing with their tools just for the
heck of it?

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Find the source of cybercrime! Almost every crime today involves a
computer or mobile device. Learn how to become a Computer Forensics
Examiner in InfoSec Institute's hands-on Computer Forensics Course.
Up to three industry recognized certs available, online computer
forensics training available.

http://www.infosecinstitute.com/courses/computer_forensics_training.html
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Learn all of the latest penetration testing techniques in InfoSec
Institute's Ethical Hacking class. Totally hands-on course with evening
Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified
Penetration Tester exams, taught by an expert with years of real pen
testing experience.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------
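The thread's two practical suggestions are to reverse-resolve the alerting hosts and block them, or to block the provider's whole netblock, while also remembering that a PTR record is only a claim made by whoever controls the reverse zone. The script below is an added example, not code from any poster or from Qualys: it pulls source IPs out of constructed IDS alert lines, applies forward-confirmed reverse DNS (the PTR name must resolve back to the IP before the "scanner" label is trusted), and prints iptables DROP rules per host or aggregated to a /24. The alert format, every IP and hostname, the `PTR`/`A` lookup tables standing in for real DNS, and the /24 aggregation (a stand-in for the netblock you would take from WHOIS, not a guess at Qualys's real ranges) are all assumptions made so the example runs offline.

```python
"""Classify IDS alert sources by forward-confirmed reverse DNS and emit
block rules. Added example: all data below is constructed, and the DNS
lookups are table-driven so the script runs offline. For real use,
replace fcrdns() with socket.gethostbyaddr()/gethostbyname_ex() or dnspython.
"""
import ipaddress
import re

# Constructed IDS alert lines; the layout is hypothetical, loosely Snort-like.
SAMPLE_ALERTS = """\
04/13-09:58:01.123456 [**] [1:1000001:1] SCAN nmap TCP [**] {TCP} 203.0.113.10:51234 -> 198.51.100.5:443
04/13-09:58:02.654321 [**] [1:1000001:1] SCAN nmap TCP [**] {TCP} 203.0.113.11:51235 -> 198.51.100.5:22
04/13-09:59:10.000000 [**] [1:1000002:1] WEB-MISC probe [**] {TCP} 203.0.113.12:40000 -> 198.51.100.7:80
04/13-10:01:00.000000 [**] [1:1000002:1] WEB-MISC probe [**] {TCP} 192.0.2.77:40001 -> 198.51.100.7:80
"""

# Constructed DNS data. 203.0.113.12 carries a PTR that *claims* to be a
# scanner, but the forward lookup of that name does not point back at it,
# which is what a spoofed or misconfigured PTR looks like. 192.0.2.77 has an
# honest PTR naming an unrelated host.
PTR = {
    "203.0.113.10": "scanner1.lax.qualys.com",
    "203.0.113.11": "scanner2.lax.qualys.com",
    "203.0.113.12": "scanner9.lax.qualys.com",
    "192.0.2.77": "dsl-77.example.net",
}
A = {
    "scanner1.lax.qualys.com": {"203.0.113.10"},
    "scanner2.lax.qualys.com": {"203.0.113.11"},
    "scanner9.lax.qualys.com": {"203.0.113.99"},  # does not confirm .12
    "dsl-77.example.net": {"192.0.2.77"},
}

# Source IP is the address just before " -> " in the constructed format.
ALERT_RE = re.compile(r"\{(?:TCP|UDP|ICMP)\} (\d+\.\d+\.\d+\.\d+)(?::\d+)? -> ")


def sources(alert_text):
    """Return the set of source IPs seen in the alert lines."""
    return {m.group(1) for m in ALERT_RE.finditer(alert_text)}


def fcrdns(ip, ptr=PTR, fwd=A):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to ip.
    Returns (name, confirmed); (None, False) when there is no PTR at all."""
    name = ptr.get(ip)
    if name is None:
        return None, False
    return name, ip in fwd.get(name, set())


def classify(alert_text, suffix=".lax.qualys.com"):
    """Map each source IP to 'confirmed' (PTR under suffix and forward-
    confirmed), 'unconfirmed' (PTR under suffix but not confirmed) or 'other'."""
    result = {}
    for ip in sorted(sources(alert_text), key=ipaddress.ip_address):
        name, ok = fcrdns(ip)
        if name and name.endswith(suffix):
            result[ip] = "confirmed" if ok else "unconfirmed"
        else:
            result[ip] = "other"
    return result


def block_rules(classes, aggregate=True):
    """Emit iptables DROP rules. With aggregate=True, confirmed scanner hosts
    collapse to their covering /24 as a stand-in for the provider netblock.
    Unconfirmed PTRs are only ever blocked per host: the name cannot be
    trusted, so it must not widen the block to a netblock it may not belong to."""
    rules = []
    confirmed = [ip for ip, c in classes.items() if c == "confirmed"]
    if aggregate:
        nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in confirmed}
        rules += [f"iptables -I INPUT -s {n} -j DROP" for n in sorted(nets)]
    else:
        rules += [f"iptables -I INPUT -s {ip} -j DROP" for ip in confirmed]
    rules += [f"iptables -I INPUT -s {ip} -j DROP  # unverified PTR {PTR[ip]}"
              for ip, c in classes.items() if c == "unconfirmed"]
    return rules


if __name__ == "__main__":
    classes = classify(SAMPLE_ALERTS)
    for ip, c in classes.items():
        print(f"{ip:15} {c:12} {PTR.get(ip)}")
    print("\n".join(block_rules(classes)))
```

Run as-is it prints the three qualys-labelled sources, flags 203.0.113.12 as unconfirmed, and emits one /24 rule plus one per-host rule; with `block_rules(classes, aggregate=False)` you get per-host rules instead. The split between confirmed and unconfirmed is the point: a reverse lookup alone would have put all three in the same bucket.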

