Security Incidents mailing list archives

RE: RPAT - Realtime Proxy Abuse Triangulation


From: "Rob Shein" <shoten () starpower net>
Date: Fri, 27 Dec 2002 20:00:16 -0500

SNMP is used to manage networks.  As it has weak authentication (except
in some implementations, which are not entirely interoperable with
other such implementations), it is insecure, profoundly so, over
untrusted lines.  It is definitely NOT used to manage the internet, just
certain parts of it, and even then SNMP is not allowed in or out of the
border of those networks, when properly done.  Queries are illegal in
some jurisdictions, as they are both more informational and less casual
than, say, a ping sweep.  Simply put, SNMP is something that we have
inherited from the time when the entire internet was a trustable
network.

-----Original Message-----
From: Kevin Reardon [mailto:Kevin.Reardon () oracle com] 
Sent: Friday, December 27, 2002 1:55 PM
To: Incidents List
Subject: Re: RPAT - Realtime Proxy Abuse Triangulation


Is not SNMP used to manage the Internet?  I would think that queries on
public would not be illegal at all.  More like a passerby looking at the
sign on the door.  Breaking into the system into the read/write
community might land you in the clink (or if somebody got rambunctious,
in Cuba).

---K

Jay D. Dyson wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 24 Dec 2002, Mathias Wegner wrote:


I would be very nervous about running this, remote SNMP queries of 
someone else's system (say a .gov or .mil proxy) may be considered 
illegal activity in some jurisdictions.

Depending on the SNMP daemon, it would/should be as illegal as opening 
an ssh investigating the system from the command line.  Most SNMP 
offers at least some amount of configuration via the read/write 
community.  I know that when I see SNMP queries on network hardware 
that I manage, I consider it hostile activity.


    Color me jaded, but if someone has an open proxy and spam is spewed 
my way via that avenue, it's a pretty fair bet that the system I'm 
scanning is run by an admin who -- whether through ignorance or sloth 
-- doesn't know or do jack about securing or monitoring his system. 
Moreover, open is open; whether a relay, proxy or anonymous FTP 
server. It is impossible to be charged with breaking and entering when 
there's no breaking involved.

    With that in mind, I would not waste any time or energy worrying 
about whether or not my scan would be picked up.  Let's face it, a 
spammer just spewed through the idiot's proxy.  Yet we're supposed to 
believe that this otherwise lazy dope now possesses the Eagle Eye of 
All Intrusion Detection Systems?  Maybe I'm just cynical, but I really 
doubt it.

    All that said, I should point out that I am not a lawyer.  I prefer 
to make an honest living.

- -Jay

   (    (                                                         _______
   ))   ))   .-"There's always time for a good cup of coffee."-.   >====<--.
 C|~~|C|~~| (>------ Jay D. Dyson - jdyson () treachery net ------<) |    = |-'
  `--' `--'  `How about a 10-day waiting period on YOUR rights?'  `------'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQE+DJooTqL/+mXtpucRAjy+AKCZ9eiSmvKyuSzZuNX9hbXTF9IDRACg4/gN
2Gs+0tVYEQqykUc+/AUgFBg=
=/ofa
-----END PGP SIGNATURE-----



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com






