Is the Botnet Battle Already Lost? 374
An anonymous reader writes "Researchers are finding it practically futile to keep up with evolving botnet attacks. 'We've known about [the threat from] botnets for a few years, but we're only now figuring out how they really work, and I'm afraid we might be two to three years behind in terms of response mechanisms,' said Marcus Sachs, a deputy director in the Computer Science Laboratory of SRI International, in Arlington, Va. There is a general feeling of hopelessness as botnet hunters discover that, after years of mitigating command and controls, the effort has largely gone to waste. 'We've managed to hold back the tide, but, for the most part, it's been useless,' said Gadi Evron, a security evangelist at Beyond Security, in Netanya, Israel, and a leader in the botnet-hunting community. 'When we disable a command-and-control server, the botnet is immediately re-created on another host. We're not hurting them anymore.' There is an interesting image gallery of a botnet in action as discovered by security researcher Sunbelt Software."
silly (Score:2)
yes, pkis are not flawless, but it would be a huge step above this kind of flailing
Re: (Score:2)
And what is the source?
If the source is an insecure OS, how are we going to convince the botnet fodder to patch/upgrade/secure ? Even if Vista turns out to be a very secure OS, we will have to wait for a couple of generations before adoption is widespread. Do you know anybody who still uses Windows 98? I do.
Is the battle already lost? Probably not. But for the moment they are winning, and all the actions we can take are purely reactive.
why of course roses are red. (Score:2)
The key here is "unpatched server" and of course it happens to be a windows box... hmmm...
Re: (Score:2)
Oh wait, this is slashdot. Nevermind.
Re:why of course roses are red. (Score:5, Funny)
Correct. The sweetheart in question HERE is probably an overclocked dual core Athlon chip that would handle that poem in a few milliseconds.
Re: (Score:3, Funny)
Restrictive Firewall Infection (Score:2, Interesting)
Only
Re: (Score:2)
Re: (Score:2, Informative)
Why use a trojan? (Score:3, Informative)
There have been attempts at doing so with worms ... but these machines are already pwn3d and reporting into a known channel.
In theory, there is nothing stopping the "researchers" from having the zombies identify their OS's, download any patches, install a personal firewall and automatically updating anti-virus program and then removing the ori
Re: (Score:2)
Comment removed (Score:4, Interesting)
Re: (Score:2)
I don't know about that; spammers seem to be doing rather well for themselves...
Re: (Score:3, Funny)
We need a really big lawsuit against Microsoft (Score:3, Interesting)
What's needed is for someone like NY Attorney General Elliot Spitzer to charge Microsoft with reckless endangerment for knowingly, willfully, and negligently distributing and continuing to distribute systems vulnerable to such attacks.
Meanwhile, we may need some brutal firewalls:
We're probably going to see some companies going to a locked down firewall like that.
If you're gonna go to all that trouble . . . (Score:5, Insightful)
Re: (Score:2)
Re:We need a really big lawsuit against Microsoft (Score:4, Insightful)
Re: (Score:2)
A brazilion studies show just how quickly machines get infiltrated. If they're vulnerable they'll get taken over in a matter of minutes as opposed to hours or days so all this really does is avoid an accumulation of baddies - which might actually be a good thing a
Re:We need a really big lawsuit against Microsoft (Score:5, Insightful)
There are quite a few Web 1.5 sites that critically depend on JS, Flash, Java, etc. Facebook loses a lot if you even have just a partial JS interpreter (and I have seen it happen), and Facebook's coding is arguably not 2.0. Yahoo passwords lose a lot of their security if you disable JS, because then you can't do any sort of key challenges - you have to send the password itself, HTTPS or not. Etc.
You have locked out many universities (MIT is a major one; OU and UL also come to mind) that do not feel like paying a 3rd-party commercial company to certify their identity when they can just pass out root certificates.
Wonderful. No e-mail. No file sharing. No VPNs. No intranets. Web-only is fine for home users on AOL. Home users who do anything else, and corporate users, need other ports.
Your internet-café machines are far more usable than your "normal use" machines at this point.
Re: (Score:2)
There are many applications which require macros to be present in Word documents. If you translate the macros to ODF's format (does it even support macros?), you've gained nothing. If you don't, you've caused confusion for many customers.
I must be an exception then. I've been using email for about 15 years and NEVER ONCE has anyone sent me a document with a macro in it that was actually necessary, as opposed to several that were malicious. If you
It's going to hurt. (Score:3, Insightful)
It's going to hurt. It's going to be painful. But when you're losing a war, you have to take defensive steps that work.
Sue/address the IRC networks, first. (Score:5, Interesting)
What's needed is for someone like NY Attorney General Elliot Spitzer to charge Microsoft with reckless endangerment for knowingly, willfully, and negligently distributing and continuing to distribute systems vulnerable to such attacks.
Sue the IRC networks first; that's what makes it dumb shit easy for these guys to set up their botnets.
I had a machine hacked by a german movie filesharing group, and they incldued a bot which logged into their channel on Rizon. Like a good little admin, I logged into rizon, checked out the channel. It had several thousand users, a whole slew of fserves...and ZERO conversation. None.
I went to #help and reported the botnet attack and the response was: "hey, you want us to shut down one of the most popular channels here because of a evidenceless accusation that you were hacked by them and used as one of their fserves? LOL ZOMG GET SECURITY AHAHAHAHAHA LUSER P0WNZORED" etc. etc.
It is patently obvious that the Rizon admins are FULLY aware that they have dozens, if not hundreds, of illegal filesharing groups that are using botnets to set up fserves, attack other systems for more bots, etc. They're doing jack shit about it (and in fact, they're making it easier- they now support SSL connections) and I think it's time someone sued them to hell and back. It's time IRC operators were taught that you can't knowingly support criminal activity, and that if users report hackings- they need to look into said reports and act on them. I also think it's time IRC traffic was considered "highly suspicous" and monitored by ISPs for fserve commands and such; fserves have no real legitimate purpose today, except illegal filesharing.
PS: Next time you download a movie or program, bittorrent or IRC DCC....realize that it was distributed, most likely, by a group that hacked unix systems. Those systems were owned and administered by people just like you, and that person is going to have to deal with the damage and headaches. Just like you will, some day.
Re: (Score:3, Interesting)
-uso.
Re: (Score:2)
Re: (Score:2)
Or better yet, sue the internet.
I think you're barking up the wron tree. IRC is convenient to use for admin because it is already there, and the peoelp writing this stuff are already well versed in it. If it was not there, rigging up some sort of dedicated infrastructure would not be particularly hard. For example some sort of p2p net between infected machines.
you don't know what you're talking about (Score:2, Flamebait)
That's like saying "sue the website networks for distributing illegal content". IRC is a chat protocol. Anybody can run it. It is also widely used for open source development and other legitimate services. Apparently, your mind has been warped so badly by Instant Messaging services that you think any such service needs to be controlled by some big corporate entity.
I had a machine hacked by a german mov
Re: (Score:2)
Even that wouldn't work (Score:2)
Re: (Score:2)
Re: (Score:2)
A utility I use on my server's admin accounts is a simple ~10 line PHP script run by the input filter via Xmail. It just runs strip_tags() [php.net] on the body text of the email after which I drop non-image attachments. This basically makes sure all of my admin mail is text at SMTP. I originally did it because I was using
Re: (Score:2)
Re: (Score:2)
use the clients against themselves (Score:4, Interesting)
We need a trusted network of ISPs (Score:5, Interesting)
Re:We need a trusted network of ISPs (Score:5, Funny)
(x) technical (x) legislative ( ) market-based ( ) vigilante
approach to fighting botnets. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(x) It will stop botnets for two weeks and then we'll be stuck with it
(x) Users of windows will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from botherders
( ) Requires immediate total cooperation from everybody at once
(x) Many pc users cannot afford to lose business or alienate potential employers
(x) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for the internet
(x) Ease of searching tiny numeric address space of all IP adresses
(x) Asshats
(x) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
(x) Armies of worm riddled broadband-connected Windows boxes
(x) Eternal arms race involved in all filtering approaches
(x) Extreme profitability of botnets
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with botherders
( ) Dishonesty on the part of botherders themselves
(x) Scope creep of any powerfull monitoring tool that is introduced to deal with a particular burning issue
(x) The old "Who watches the watchmen" problem
(x) The powerfull temptation to use it as a tool for censorship.
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) Connections should not be the subject of legislation
(x) Blacklists suck
( ) Whitelists suck
(x) We should be able to use P2P without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
(x) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
(x) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!
Maybe I'm being complacent, ... (Score:2)
... but I honestly don't see this as such a big issue.
Basically this is a problem with people owning computers who don't know how to maintain them properly, and with MS making it unreasonably difficult, expensive, and time-consuming to maintain a Windows machine properly.
But as someone who doesn't run Windows, I don't really care. I'm sure some of the spam I get is from these bots, but spam would exist with or without botnets, and without a major redesign of the e-mail infrastructure and standards, spam c
Re:Maybe I'm being complacent, ... (Score:4, Insightful)
The cry of "I know, let's invent a computer that is smart enough to maintain itself!" was heard in the boardroom, and thus SkyNet was born - with the dual mission of perfecting itself and eradicating the useless humans that weren't even able to maintain it!
Re: (Score:2)
Of c
Re:Maybe I'm being complacent, ... (Score:5, Insightful)
However, maintaining my WinXP machines consists of checking the radio button labelled "Automatic (Recommended)" in the Automatic Updates dialog. It's not difficult, it's not expensive and it's not time-consuming.
A serious question, then: what do you think makes your outcome different from the outcome experienced by the people who are getting their machines owned? I don't know the answer, because I don't run Windows, but I could speculate:
Is it because they intentionally download stuff that infects their machine with spyware? If so, then maybe security is too difficult for them, because they aren't technologically sophisticated enough to realize that this is a bad idea, and maybe MS is helping to make it too difficult for them, by creating a culture where it's normal for every user to run with unlimited privileges.
Another possibility is that they aren't sophisticated to realize that the simple, commonsense measures you've taken (a router/firewall, doing updates) would be more sensible than measures such as buying anti-virus software, or taking their computer to Circuit City to get it fixed when it "gets slow."
I think the real problem is that a lot of people own more computer than they need. All they really need is a word processor, e-mail, and a web browser. They really don't need a general-purpose computer at all, and don't have the skills needed to maintain one. They might be better off with an internet appliance, or a thin client. The problem is that they don't understand how much they don't understand. It's like the people who have to own a Harley Davidson because it's cool, even though it's an utterly impractical motorcycle for what they want to do.
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
No, Linux is more secure because you don't get those smiley packs for it. That and Linux users aren't generally using it for the smileys and assorted mass-consumer crap that is targetted at Windows users.
However, if someone produced a tool that the average linux user wanted to use (say, for example a new fancy bittorrent client) that contained some kind of malware, you'd start to see the exact same problems that the wind
Re: (Score:3, Interesting)
A modest proposal (Score:5, Insightful)
Why isn't it possible to simply identify the exploit being used to spread a particular botnet, and write software that uses the same exploit to travel throughout the net before activating (perhaps at some specific time) to both wipe out the botnet software and seal off the exploit?
It seems that as soon as you have the original botnet software, re-engineering it for this purpose would be relatively trivial. Plus there would be the immense satisfaction of fighting fire with fire. The software could even remove itself as its final act, saying "I know now why you cry, but it is something I can never do" (although someone else might have to press the button to lower it into molten metal - "I cannot self-terminate").
The only reason I can think that this wouldn't work is that the 'antidote' software would be breaching computer security all over the place - basically doing the precise thing we are trying to stop. However, surely some sort of 'good samaritan' clause could be worked into the law - or the government could adopt responsibility for this process, or at least for pushing the button that sets each counter-botnet loose in the wild.
Of course this may already be the approach taken - I don't know much about the field, as I say.
Re: (Score:2)
Seriously, you could write software like this that DOESN'T spit out traffic. You want to stop a lot of botnets? Hang out on IRC, wait for infected hosts to do their thing, and then patch them. And THEM ONLY. Put up webpages with your exploit, and ONLY PATCH THOSE ALREADY INFECTED.
The problem is, everyone tries to write this stuff a la the original worm/trojan - spewing itself out to hosts all over the Internet, the
Re:A modest proposal (Score:4, Interesting)
Good times. Viruses like that operate at levels that were only really meant for system tasks, and yet they are were never part of that system. Windows being the careful balancing act that it already is will topple over readily when you add anything to the base.
Re: (Score:2)
B) Since the goal here in this article is to cripple the botnets, an anti-virus-virus that makes a system unusuable is a positive outcome. If the user can't use it, chances are the botnet can't use it either.
In many jurisdictions t
Re: (Score:3, Informative)
Re: (Score:2)
One of the reasons it doesn't work is that many exploit-scripts already plug the hole they used to get in - not to be nice, more in order to make sure the machine isn't re-taken by someone else.
Re: (Score:2)
For instance, I have absolutely no problem running Azareus and getting hundreds of connections for random unknown computers because since it is written in a typesafe language (Java) it
Legitimate Scanners can accomplish the same things (Score:3, Insightful)
Re: (Score:2)
Yes, this is a checkbox in the toolkit, and it's checked by default.
All over the place (Score:2)
Re: (Score:2)
Net Force (Score:2)
Come on folks, "lost"??! (Score:5, Insightful)
It's not a failure of technology. It's BAD PEOPLE, exploiting BAD SOFTWARE, who aren't being dealt with because of BAD EXECUTION of BAD LAWS. Fix the software, the law, and the enforcement of the law (esp. jurisdiction), and you'll neutralise 95+% of the bad people.
This crap is criminal. Crimes like this are sheltered by discussions about philosophy, politics, jurisdiction, and technology. If people would stop discussing and arguing, and start working together on the problem, it could be eliminated in under 24 months.
But convincing people to work together is impossible, so we might as well get used to it.
Re: (Score:2)
Therein lies the problem. Easier said than done. How do you propose to address these issues, specifically?
Re: (Score:2)
Re: (Score:2)
Wow, just fix everything and the problem goes away. Damn, why didn't I think of that??
It's simple. They don't care. (Score:5, Insightful)
The botnet creators don't give a damn, their objective involves breaking the law (where there is one) in order to hijack someones computer. Someone attempting to destroy the botnet is likely to be atempting to operate within the law, which requires notifying and enlisting the support of the owners of the compromise machines, many of which:
a) are difficult or impossible to contact
b) don't speak your language
c) don't understand anything about the problem
d) don't care
Any single instance of a botnet may have weaknesses that permit its demise without running into potential legal problems (such as a poorly-secured disable command), however botnets as a concept have no real theoretical weakness given the appropriate cryptography and care of construction. Decentralised, failure resistant networks of cooperating nodes is a well researched area and at the level botnets operate, barely constitute a challenge to anyone with the necessary knowledge of protocols, cryptography and programming.
They're here to stay, there is no practical non-desperate legal changes or technical tricks which will kill the concept entirely. Even if the general level of internet security increased 10-fold, there'd still be more than enough vulnerable computers to support botnet operators, and lets face it, that level of security change is not going to happen. Even if the general OS level improves, old and embedded (non-patchable) devices are still plentiful, and there will be more no-patch applicance like systems in the future which will continue to be exploited.
As a systems administrator or someone otherwise concerned with the impact, the rules are simple. Stay patched, Stay vigilant. If a large botnet decides to get you, hope your ISP subscribes to something like tipping-point that will give them a head start on deflecting the inbound traffic. That's about it.
Re:It's simple. They don't care. (Score:5, Interesting)
And that is a matter of economics; specifically, externalities. You would bear the cost of securing your system, but you aren't seeing the cost of running an insecure one.
In the Netherlands, at least one large network employs a detection mechanism for exploited hosts using honeypots. A lot of the IPs on the network get assigned to honeypots, so that a compromised host is likely to hit a honeypot sooner or later. The compromised host is that put in quarantine, denying it normal Internet access (only access to information and removal tools is still available). This hurts users when their machines are compromised, encouraging them to secure their systems.
It surprises me that this isn't done more often. Surely ISPs have something to gain from eliminating all the traffic that compromised hosts generate (seeing that 90% of email traffic is spam, and the bulk of it comes from compromised machines, just to name one thing).
Re:It's simple. They don't care. (Score:4, Insightful)
Or to change ISPs. Or to call the support number, resulting in increased costs for the ISP. It still seems to be in the ISP's rational economic self-interest to ignore bots on their own network.
Automated response (Score:2)
larger battle (Score:5, Insightful)
Not so on the Internet. Due to automation you can play the numbers game, and taking over 100,000 machines is feasable, less risky yet possibly just as profitable as breaking into one bank.
The best non-computer equivalent I can think of is the plague. Welcome to the crowded cities of the middle ages. Even if you, personally, are safe, you're still affected. Think about it.
My comments.. (Score:5, Interesting)
No shit. Simply decompile the exec, get the password (shouldent be hard, unless it is encrypted, usually isnt), get the server ip/port/password/channel and possibly channel key, join the channel, login to the bots (.l password or what ever) and do
Now now. I am a Linux fan and such, but blaming Microsoft here is just stupid! You know why? Because usaully the thing is exploited hasent been patched yet. Every program has bugs, thats just how it is. Get over it. And how is it expensive to maintain windows machines properly? Windows Update is free, no?
While *nix botnets arent nearly as prevalent as Windows botnets, there are still ones out there...Dont think you are exempt.
Its very easy to get your identity stolen these days..Simply do some SQL injection on a pron site or what ever, then boom, you got yourself 5k credit cards. Were you dropped a child? On Windows, you cant delete a exec if its running..and most botnet execs fuck up things like the task manager and have backups of themselfs on your box. Easier said than done. How does your 'software' know what on the machine is a trojan? That wouldent be very good would it if your 'software' illegally compromised hosts trying to get rid of the trojans and accidently got some guys stuff that isnt infected? Also consider, when ever a new exploit is leaked in to the wild, all of the current botnet trojans are updated with it...There are widely diffrent...there is no plasuable way to just rid of all hosts comprimised with hole ____
Re: (Score:2)
Not to mention going to extreme lengths to avoid being wiped out, usually. Try to sneak in that "run during login" registry item to remove the offending "winlogon" registry item? Gone as soon as you hit enter (from your point of view).
Try to be even more clever and put another login item to run a batch file (or whatever) to remove/corrupt the offending dll?
Obligatory: Yes, but does it run linux? (Score:2)
Seriously. Does this beowulf botnet run linux? Are linux hosts being deprived of the global machine endeavor to sell us more v1agra and inform us of opportunities to participate in online gaming? Can we not assist in the provision of "bulletproof hosting"? Does *BSD not deserve to take it's place in the pantheon of truly "highly available, totally reliable, even if netops doesn't want to run them" services? I say if an open source OS can't support these services, what good is it? This is the future of
Re: (Score:2)
Have fun.
RBL (Score:4, Interesting)
ISPs that tolerate insecure computers need to get blocked. Blocked from everything. It COULD happen, if Comcast and AT&T both decide they've had enough.
This would have the added benefit of stopping a lot of spam.
Yes, RBLs didn't get rid of spam. But they sure did (do) help. And a good part of the reason they don't work better is botnets. (remember Blue Security [securityfocus.com]?
-Daniel
Until people are punished for their system's behav (Score:3, Interesting)
People only react to that which causes them difficulty, punish them for not taking care of their responsibilities and things will get better. But until then, it will only get worse.
You're part of a botnet? Pay a fine! Didn't know? Too bad. Just like your dog getting out and destroying property, if you don't care enough to protect others from your wanton disregard, it's going to cost you.
Re:Until people are punished for their system's be (Score:2)
You'd see a major change in government and the law swiftly gone is what you'd see. Well, in any democracy, anyway. This simply won't resonate with people's sense of justice; to most people it would seem like holding you responsible for what any maniac does with your stolen property. And I'm not even talking about stolen weapons here, but any stolen car, hammer or
The Good Old Days... (Score:2, Interesting)
It is illegal to drive a car on any public road without a drivers licence, for the safety of other road users. Why shouldn't it be illegal to connect a computer to the internet without the proper qualifications, again for the common good? Keep all the stupid off the internet and the situation is bound to improve because there will be less opportunity for the greedy to exploit them.
There's a simpler way (Score:2, Interesting)
The Next Step (Score:2)
Arikle is Botnet FUD (Score:2)
Read here here [csoonline.com].
Re: (Score:3, Informative)
The incident described in CSO magazine is the exception that proves the rule. How did the online casino "defeat" the botnet attack? By spending a million dollars on bandwidth and equipment; they outscaled the attack. That sort of approach may (or may not) work for companies with millions of dollars in web revenue, but it is simply not a feasible way for most online entities to deal with an attack. There are hundreds of thousands of online businesses that, if faced by even a small botnet attack, would h
Why? Because there's NO PENALTY! (Score:3, Insightful)
An exercise in futility.
You stop rock-throwing by going after the throwers. If these propeller-heads would stop playing with their toys long enough to spend fifteen minutes talking to the nearest cop they would realize this.
Ignore the silly botnets and invest the resources to find and punish their creators. Criminal behavior declines only when there is substantial risk of substantial punishment. Until that risk exists, you're just wasting everyone's time.
'Nuff said.
Re: (Score:3, Insightful)
Trying to stop botnets by taking-down servers is like trying to stop rock-throwing by confiscating rocks.
Or, install shutters on your Windows so you can ignore the rock throwing and hire a security guard to go shoot the rock throwers or drive them off.
If these propeller-heads would stop playing with their toys long enough to spend fifteen minutes talking to the nearest cop they would realize this.
The cops often can or will do little in these instances. A lot of the time botnets are rented out by the
How do you Know and REMOVE them? (Score:3, Interesting)
Norton, Spybot, etc CANNOT detect what she has. Netstat shows the connection but taskmanager etc does not. I block port 25 from her computer as a precaution and the darn computer starts searching for smtp servers on the local network. I use qmail-auth and it prevents it.. however I have no trust that it cant use UPnP or something else to change my main router.
So.. HOW IN THE HECK do you REMOVE stuff that you cant find? I really.. REALLY.. dont want to reformat and reinstall because there is no way this should be hidden to adminstrator on Windows XP.. but it IS!
Re: (Score:3, Interesting)
After all, the bot is code running locally. So if it contains any channel names, channel keys or cryptographic keys, you can get to them.
Re: (Score:3, Interesting)
There is no easy solution
http://images.slashdot.org/hc/07/4a6fece962b0.jpg [slashdot.org]
Re: (Score:3, Informative)
Re:How do you know if you've been rooted? (Score:5, Funny)
Re:How do you know if you've been rooted? (Score:5, Funny)
I have already said it (Score:4, Funny)
Re:I have already said it (Score:4, Interesting)
Re:How do you know if you've been rooted? (Score:5, Informative)
Re:How do you know if you've been rooted? (Score:4, Informative)
Re:How do you know if you've been rooted? (Score:5, Informative)
Snort identifies traffic by signatures, so instead of you eyeballing suspicious patterns, it can tell you if certain phrases are used, certain protocols, or what-have-you. Writing your own signatures are a piece of cake and the process is well-documented.
The bridge sits at the mouth of your network (behind your firewall) and can be used to identify what is getting past the firewall.
For the crafty -- use Snort2pf to automatically block inappropriate traffic. I used this to discourage eDonkey usage on school system's computer network and it worked like a dream.
Know your network. (Score:4, Informative)
ARP should not matter on the firewall.
Anyway, the easiest way is to monitor traffic by IP address, at the firewall, during times when no one should be using the computer with that address. If the machine is doing anything that goes through the firewall at 1 am, you should investigate.
On a home network? Probably no one.
On a business's network, that's completely different. If you leave your network open and are cracked and you lose you credit card numbers, that's between you and the bank. If a business leaves its network open and is cracked and loses YOUR credit card number, they can be sued.
The problem is that not many "network administrators" really know anything about their network or security. There are an almost infinite number of things you can that will take time and money but that will not actually increase the security of your systems.
Education is the beginning.
Re: (Score:3, Informative)
In the near future - none. Most security "usual suspects" are working on network admission systems and how they fit in a business network. Some ISPs are looking to roll them out on public networks as well.
The general idea is that you do deep packet inspection on anything going in and out and any PC that suddenly exhibits abnormal behaviour is removed from the network proper and is put on the "naughty step" until it is fixed. Similarly, you can move any PC on your netwo
Re: (Score:3)
Re:How do you know if you've been rooted? (Score:4, Funny)
Re: (Score:3, Informative)
Hire contarctors to evuate your installation. They need not have real access, in fact they should be able to propose possible vulnerabilities without real access, assuming they can ask questions. So you hire them to ask questions, you take note of the
Know if you've been rooted (Score:4, Funny)
What does it matter, really, if you've been rooted?
The sad fact is that no matter how often you're rooted, as the other post quite clearly pointed out, you're never going to get approval to remove the defective software that allowed it. If knowing creates willful negligence but not knowing doesn't, there's a certain advantage in not looking.
Just watch your netops keep uninstalling the more obvious malware and reimaging your boxes every few years and pretending everything is ok. Nod when they call the AV and the firewall edge box due diligence and don't watch those road warriors connect their notebooks to your localnet. You never get documents with executable content in email from outside your network anyway and if you did the virus scanner would stop it before delivery, wouldn't it?. Nobody on your network would click a suspicious link. These are not the rootkits you're looking for. Repeat after me: "I am so shocked! Gosh those hackers are clever. I hope they go to prison for a long time if they're ever caught using their completely anonymous fault tolerant botnet."
Now go heal some sick people, and never get admitted to your hospital under your own name.
Re: (Score:3, Insightful)
Set a network switch or hub right behind your keyboard so you can see the status lights. If it seems a little busy when you are not doing anything, somebody may be using your computer remotely. I think more computers need the NIC status lights on the front of the monitor, not the back of the PC.
Re: (Score:3, Informative)
Re: (Score:3, Informative)
On the shelf right above my monitor is my printer shelf with the LAN switch and router. If something starts spewing, it gets noticed. Client/server traffic is easy to spot as only two ports have a burst of high traffic. Something port scanning tends to light up the switch between the bot and the WAN. If I get slow net response to loading pages, I make it a point to check the switch first and the router second. From there I walk over to the busy computer to see if it's a user d
Re: (Score:3, Funny)
Humans can WIN! (Score:2)
No. We can stop this war from happening.
All we need to do is send a single person back in time to the year 1955 (perhaps powered by some combintaion of The Wayback Machine and Google's Solar Panels [slashdot.org] to assassinate Sara^H^H^H^HMary Gates [wikipedia.org] before Bill is born, this will prevent the formation of Microsoft, stopping the PC timeline with Tim Paterson's QDOS [wikipedia.org] and r