Security Incidents mailing list archives

Re: @home: Is *anyone* really home there???


From: woods () MOST WEIRD COM (Greg A. Woods)
Date: Mon, 28 Feb 2000 11:32:39 -0500


[ On Friday, February 25, 2000 at 18:41:39 (-0700), Wozz wrote: ]
Subject: Re: @home: Is *anyone* really home there???

  I'm the head of the security department for a large nationwide
  cable modem provider that is in the exact same situation @home
  is.  We get hundreds and hundreds of complaints a day, oftentimes
  about how someone's "hacking" them, when in fact, someone misdirected
  a web browser in their direction.

I work with the front-line "postmaster@" and "abuse@" folks at a number
of small ISPs, including small local cable companies now deploying cable
modems.

Wozz, are a lot of your reports those of the type generated automatically
by various so-called "security" products for PCs?

We get lots of similar complaints, but often from third party users
claiming it is our users who are "attacking" them.  For example I get
lots of automated complaints like these:

        Subject: "Hacker's attack from your server"

        This report was automatically generated by Jammer.
        Jammer offers complete protection against NetBus and BackOrifice.
        
        Type of attack: TCP port scanning
        Time: The time is Sat Feb 26 21:09:56 2000 [Local GMT bias -6:00]
        Hacker IP: NNN.NNN.NNN.NN ()
        Ports: 39108->51210
        __________________________________________________________________________
        For further information visit http://jammer.comset.net

I've had words with the Jammer support folks to try and convince them
that (a) this kind of event is not necessarily a "scan" of any type and
it is most definitely not a "TCP port scan" when seen on its own, and
(b) it's just as likely that the source address is forged, (c) to use a
better choice of words and to avoid "hack" and "attack" and their
derivatives, and finally (d) to include the IP number of the client at
the time of the incident.  Unfortunately I don't think I've had any
success at convincing them to change anything at all.

In the above case obviously someone could be playing tricks, however I
get a larger number of similar reports where the target port is "21" or
"80" or "25"!  These make me want to jam Jammer somewhere very painful
for the recipient, and I alternate my preferred target of revenge to be
either the authors of such software or sometimes even the ISPs of the
users sending these reports as they also have at least a partial
responsibility to educate their users and to deal with these kinds of
incidents for them.  I've thought of forwarding all obviously errant
reports to the software support folks, but I doubt that would help
unless all of us did this simultaneously.

BTW everyone, I really really really detest the misuse of the words
"attack" and "hacker" in any of these situations.  Wozz put the word in
quotes which is correct, but the Jammer folks don't and the Jammer
subject line nearly drives me up the wall even before I read the
messages!  (Yes I manage my own stress level so as to avoid popping any
important blood vessels over this!  ;-)

--
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods () acm org>      <robohack!woods>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>
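The triage rules Greg lays out above (a lone connection is not a scan, a hit on a service port is probably a misdirected client, the source may be forged, and the report never says who the complainant was) can be turned into an abuse-desk pre-filter. The following is an added example, not code from the post or from Jammer; the report layout is assumed from the sample quoted above, the scan threshold and the sample IP (a TEST-NET address) are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# A lone inbound packet aimed at one of these ports is far more likely a
# misdirected client (ftp, smtp, http) than an "attack".  The threshold for
# calling repeated reports a scan is an assumption for this example.
SERVICE_PORTS = {21: "ftp", 25: "smtp", 80: "http"}
SCAN_THRESHOLD = 5

@dataclass
class JammerReport:
    attack_type: str
    remote_ip: Optional[str]   # None when the "Hacker IP" field is redacted/unparseable
    src_port: int
    dst_port: int

def parse_jammer_report(text: str) -> JammerReport:
    """Pull the fields out of a Jammer-style complaint (layout assumed from the sample)."""
    attack = re.search(r"Type of attack:\s*(.+)", text)
    ip = re.search(r"Hacker IP:\s*(\d{1,3}(?:\.\d{1,3}){3})", text)
    ports = re.search(r"Ports:\s*(\d+)->(\d+)", text)
    if not (attack and ports):
        raise ValueError("not a Jammer-style report")
    return JammerReport(attack.group(1).strip(), ip.group(1) if ip else None,
                        int(ports.group(1)), int(ports.group(2)))

def triage(r: JammerReport, events_from_ip: int = 1) -> tuple[str, list[str]]:
    """Return (verdict, reasons); events_from_ip = how many such reports name this IP."""
    reasons = ["report omits the complainant's own IP; source address may be forged"]
    if r.remote_ip is None:
        return "unactionable", reasons + ["remote address missing or redacted"]
    if r.dst_port in SERVICE_PORTS:
        reasons.append(f"target port {r.dst_port} ({SERVICE_PORTS[r.dst_port]}) "
                       "looks like a misdirected client, not an attack")
        return "likely-misdirected-client", reasons
    if events_from_ip < SCAN_THRESHOLD:
        reasons.append(f"{events_from_ip} connection attempt(s) is not a port scan")
        return "insufficient-evidence", reasons
    return "investigate", reasons

# Constructed sample in the format quoted in the message (IP is TEST-NET, not real).
SAMPLE = """This report was automatically generated by Jammer.
Type of attack: TCP port scanning
Time: The time is Sat Feb 26 21:09:56 2000 [Local GMT bias -6:00]
Hacker IP: 192.0.2.10 ()
Ports: 39108->51210
"""

if __name__ == "__main__":
    print(triage(parse_jammer_report(SAMPLE)))
```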