Request for off line security help

Ben Beeson beesond001 at hawaii.rr.com
Tue Nov 13 23:30:56 PST 2001


Chris,
	Let there be a little light!!!  Now it's my turn....  H-m-m-m, I remember 
replying to an opportunity to check my box against today's top 20 
internet security vulnerabilities by Qualys.com.  I thought it would be 
nice to get an outside opinion on how I was doing... The answer they sent 
me back after the check was that they didn't find anything in the top 20. 
They also sent along an invite to pay for a more in-depth look at my 
system...    Here is the catch -- I didn't find an IP address for 
Qualys.com when I looked up the addresses in my logs.  Instead, I found 
another organization.  It also appears that Qualys.com didn't just check 
for the top 20; they also checked for a bunch more.  I guess that makes 
sense also, because if they do a good scan the first time, then they only 
need to do one.   What I saw in my logs didn't match what I thought I 
asked for when I asked for the "top 20 test", and that is why I asked the 
question that started this whole thing.   
	I wish I had known who it was earlier in this process; that would have 
saved a whole lot of questions.  Chris, that last little bit of info 
rounded out the missing piece of the puzzle.  Thanks!
	Thanks to the rest of you for your patience and help!
Respectfully,
Ben 

P.S. BTW, Humble Pie is quite good with a little salt...




Original Message dated 11/12/01, 11:24:23 PM
Author: "Chris M. Rafael" <thecomputerguy at hawaii.rr.com>
Re: [luau] RE: Request for off line security help:


First I need to apologize for jumping the gun on my response.
Reading your question here, I automatically thought you had been
pinged by one of our footprint servers by the response you got
from the NOC.  I didn't look at your email to Digital Island, and
I should have, because I would have known that you were not
scanned by a server on our footprint network.

You received our canned response; unfortunately whoever sent
you that did not fully examine your attachment. If they had,
they would have known, or should have known, it wasn't
coming from our footprint network.

The IP that you were scanned from is a customer of ours,
Qualys.com.  They are a security company that businesses hire
to do comprehensive security screening.

I do not know why they were scanning you.  It could be one of
these reasons:

1.  Road Runner hired them to do an assessment on their network.
2.  Someone may have compromised their network and is doing 
scans from behind their firewall.
3.  Someone in their company is messing around.

I'll follow up on this, and try to find out what is going on.

You were absolutely right to question the response you got
from us.  I need to also find out who sent you the reply.

Sorry about the confusion.

Now for the associate position in HI, I don't know if they
have hired someone or not yet.  The request was sent internally
and may not have been posted to our website yet, but I will
speak with the head of the department in the morning and
see if he is still accepting resumes.  I'll let you all know
as soon as I find out. 

-----Original Message-----
From: Ben Beeson [mailto:beesond001 at hawaii.rr.com]
Sent: Monday, November 12, 2001 10:38 PM
To: Linux & Unix Advocates & Users
Subject: [luau] RE: Request for off line security help
Aloha all,

        I didn't mean to stir up quite such a hornets' nest!!!  Chris, I hope
you or your company are not offended by my question.  I did not intend
to imply that something untoward was about; I honestly didn't know what
was up.  Because I needed some help and also wished to respect the good
intentions of those involved through the "first, do no harm" principle,
I asked for an off-line look.     

        To expand on several of the issues on the list, I'll offer the
following with good intentions and hope that it is well received.  

        Yes, I get scanned all the time.  Most of the scans I get usually fall
into the "ignore" box and I send them off to /dev/null.  You know what
I mean: some Windows user boots up and his box checks the "network" for
available file and print services. Stuff like that...  

        Occasionally, I get a more serious scan or series of scans against my
box.  If something about it strikes me as unusual, I usually drop a
note to the owner of the IP address block and ask them to look into it.
Sometimes I get an answer back, but usually I don't.  Most of the
answers I get back are very informative.  Once in a while I even get an
answer that just makes me think...  I always learn something from the
answers I receive though.  In any case, the scanning usually stops
after that, either because I fixed it or somebody else fixed it.     

        I don't think all portscans are bad, but sometimes it's hard to tell
the good ones from the bad ones (especially if, like me, your knowledge
is limited).  For example, I exchanged e-mail with one particular ISP
that made a habit of reverse scanning addresses making certain
connections to check for the presence of a particular Windows hack that
was troublesome to their business.  They further went on to state that
they would help customers rid their systems of the particular infection
they were concerned with if it was found.  I thought that was kind of
cool and thought, "gee -- more guys should be so civic minded." I then
changed my firewall to ignore their specific scan.  I learned a lot
from that, especially about firewall rules and good will.  

        The idea of pushing material likely to be requested to a "nearby"
server in the "network topology" makes sense.  I can see where visiting
a web site may attract the interest of a business and cause them to see
how to better serve the customer. After all, businesses now have the
technology to know when I am looking at their web site. (As opposed to
whether or not I used the Sunday paper to light the BBQ grill before I
read their ad.)  This may cause them to "push" the cache of potential
files to a nearer server to quicken the web's response to a query.   

        I have to ask a question though. ((Please realize that this is an
honest question from a guy that drives jets for a living and
***plays*** with Linux in his spare time.  This question is not
intended as an insinuation; it's just an expression of what is going
through my mind.))  My question is this: "Is a full portscan necessary
to find out what they need to know about where my box is and what it
may be able to provide to help their business?  Would an address lookup
be enough, or does this business really need to know if I run a time
server (for example)?"  I don't know the answer. I don't even know all
the issues attached to these questions... (No answer needed from the
list BTW.) Anyway, it has been quite a while since my box got scanned
as much as this one from the same IP address.  

        That leads me to the initial question I posted to the list.  I didn't
know what the scan was, what it represented, or why it was there.  I do
know that it was a pretty big scan compared with others I see, so I
asked the NOC to look into it.  They did, and I thought the reply I got
was about as different from any other answer that I had ever received
as it could be. I accept the NOC-given reason at face value, but I had
never seen anything quite like this, so I asked the list for someone to
help me with an off-line look to help me figure it out.

        What did I learn?  Three things so far: 
                - There can be good business reasons for scans beyond system
security. 
                - I am reassured that there are some very generous and helpful people
on this mailing list, and I am very grateful for that -- thanks again
to all of you.  
                - I also learned that I need to read up on stateful firewalls before
I upgrade my box.  There may be a way to "ignore" the good scans...

Respectfully,

Ben
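The triage Ben describes in the post above (sort the "ignore" scans from the big ones, send a known benign single-port check from one ISP to /dev/null, and keep a note of who to contact about the rest) can be done over the firewall log itself. The following is an added example written for this archive page; it is not code from any poster on the thread. It assumes netfilter/iptables-style LOG lines, and every address, port, allowlist entry and threshold in it is constructed for illustration (the RFC 5737 documentation ranges stand in for real hosts, and the single probed port 1243 is a made-up stand-in for whatever that ISP was checking).

```python
"""Triage firewall LOG lines per source address: wide scan worth a note to the
netblock owner, a known benign probe, local Windows browse chatter, or noise."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample lines in the style of the netfilter/iptables LOG target.
# Addresses come from RFC 5737 documentation ranges; they are not real hosts.
SAMPLE_LOG = """\
Nov 12 22:10:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=21 SYN
Nov 12 22:10:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=22 SYN
Nov 12 22:10:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=40003 DPT=23 SYN
Nov 12 22:10:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=40004 DPT=25 SYN
Nov 12 22:10:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=40005 DPT=80 SYN
Nov 12 22:10:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=40006 DPT=110 SYN
Nov 12 22:10:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=40007 DPT=143 SYN
Nov 12 22:10:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=40008 DPT=443 SYN
Nov 12 22:10:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=40009 DPT=3306 SYN
Nov 12 22:10:04 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=40010 DPT=8080 SYN
Nov 12 22:15:30 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP SPT=1025 DPT=1243 SYN
Nov 12 22:20:11 gw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=UDP SPT=137 DPT=137
Nov 12 22:20:12 gw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=UDP SPT=138 DPT=138
"""


def parse_line(line):
    """Return the KEY=value fields of one LOG line, or None if the line
    carries no SRC/DPT pair (i.e. it is not a logged packet)."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
    if "SRC" not in fields or "DPT" not in fields:
        return None
    return fields


@dataclass
class SourceSummary:
    hits: int = 0
    dports: set = field(default_factory=set)   # distinct destination ports seen
    protos: set = field(default_factory=set)   # protocols seen (TCP/UDP/...)


def summarize(log_text):
    """Aggregate logged packets per source address."""
    per_src = defaultdict(SourceSummary)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        s = per_src[f["SRC"]]
        s.hits += 1
        s.dports.add(int(f["DPT"]))
        s.protos.add(f.get("PROTO", "?"))
    return dict(per_src)


# Constructed local policy (hypothetical values, not from the thread):
# a netblock we have decided to ignore as long as it only touches the one
# port it is known to check, our own subnet, and a scan-width threshold.
KNOWN_BENIGN = [(ipaddress.ip_network("192.0.2.0/24"), {1243})]
LOCAL_NET = ipaddress.ip_network("198.51.100.0/24")
NETBIOS_PORTS = {137, 138, 139}
WIDE_SCAN_PORTS = 8   # distinct destination ports before we call it a scan


def classify(src, summary):
    """Label one source using the policy above."""
    addr = ipaddress.ip_address(src)
    for net, allowed_ports in KNOWN_BENIGN:
        if addr in net and summary.dports <= allowed_ports:
            return "known-benign"      # the ISP's single-port check: /dev/null
    if addr in LOCAL_NET and summary.dports <= NETBIOS_PORTS and summary.protos == {"UDP"}:
        return "local-netbios"         # a neighbour's box browsing for shares
    if len(summary.dports) >= WIDE_SCAN_PORTS:
        return "wide-scan"             # look up the netblock owner, drop them a note
    return "low-volume"                # ignore unless it keeps coming back


def triage(log_text):
    """Map each source address in the log to its label."""
    return {src: classify(src, s) for src, s in summarize(log_text).items()}


if __name__ == "__main__":
    summaries = summarize(SAMPLE_LOG)
    for src, label in triage(SAMPLE_LOG).items():
        s = summaries[src]
        print(f"{src:16} {label:14} hits={s.hits} distinct_ports={len(s.dports)}")
```

The allowlist is deliberately narrow: a source only stays "known-benign" while it touches the ports it is known for, so if that same netblock ever starts sweeping other ports it falls through to the wide-scan branch instead of being silently dropped. Feeding real logs in place of SAMPLE_LOG is a matter of reading the file into `triage()`; nothing here depends on the sample data.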
