InfoWorld
Lead with Knowledge
HOME/ SITEMAP
SUBJECT INDEXES
ABOUT US
WHITE PAPERS

Learn to secure your PCs from new and unknown hacker attacks.

Free IDC White Paper - Discover Secure File Sharing for the Enterpriseattacks.

SEARCH:  
Home  //  Community //  Opinions //  Article
Print Article    Email Article
Window Manager
Brian Livingston
Descan your network

A SMALL COMPANY is about to go live with a big idea that you can greatly benefit from.

The company is Descan.net, and the idea is to identify and halt the "script kiddies" who are infiltrating and subsequently attacking our computer networks.

An example of the kind of attack I'm talking about is the recent infestation known as SQLSnake or Spida, which attempts to take control of systems running Microsoft SQL Server.

Shortly after security groups sent out their first announcements about SQLSnake on May 20, its probes briefly became the most prevalent attack on the Internet, according to Dshield.org, which monitors such intrusions.

Methodically testing IP addresses around the world, SQLSnake looks for SQL Server machines with a system-administrator account of "sa" and a blank password, which was at one time installed by default. Whether you blame novices who don't know they need to set the password or Microsoft for distributing a product with such a weak default, there are a lot of such systems. The vulnerable components may also be installed by Visio Enterprise Network Tools or Microsoft's Access 2000, Project Central, or Visual Studio 6.

SQLSnake isn't just a harmless nuisance. Once it finds an opening, it sends the vulnerable system's password database to an e-mail address in Singapore. (This address is now shut down, but we may never know how many passwords it received.)

Even worse, infected machines begin their own scans. This creates mucho traffic. MyNetWatchman, another monitoring group, at one point detected 300 new servers being infected per hour. (For additional information, see http://www.mynetwatchman.com/kb/security/ports/6/1433.htm and http://online.securityfocus.com/news/444.)

Descan.net is a well-thought-out effort to stop this nonsense. You download a small, free listening agent and install it on a firewall or a machine outside your firewall that's running Linux 2.4 or later. (A version for Windows servers is coming.)

The agent reads only one small part of Internet traffic, called the SYN packet, and ignores all other content. This alone is enough to catch scanners.

Descan.net engineering manager David Graves says there are hundreds, not thousands, of bad actors in the world, and they can be stopped. The company's logs show that its agent issued an alarm about SQLSnake probes on April 27, more than three weeks before the first public warnings.

Richard Leeds, chairman of Descan.net, says ISPs and the FBI could use these alarms to shut down and prosecute offenders. The for-profit company plans to sell add-on services to ISPs and corporations, which means Descan.net will have enough revenue to continue supporting its agent.

I'll have more next week, but meanwhile go to http://www.descan.net/joinin.html and get the code.




RELATED SUBJECTS

Security

MORE >
SUBSCRIBE TO:    E-mail Newsletters  InfoWorld Mobile InfoWorld Magazine
Home  //  Community //  Opinions //  Article Print Article    Email Article
Back to Top
 ADVERTISEMENT
 

SPONSORED LINKS

Learn to secure your PCs from new and unknown hacker attacks.
SPEED, PERSONALIZATION AND INTEGRATION: THE KEY TO E-COMMERCE SUCCESS.
Protect Your Data: Get your FREE Enterprise Backup Intelligence Kit from ADIC.
New HP digital projectors — click now for limited-time introductory offers.
SeeBeyond Webinar - Topic: UCCnet, Thurs., 9/26/02 , 8-9 am PST

SUBSCRIBE
E-mail Newsletters
InfoWorld Mobile
Print Magazine
Web-based training
ABOUT INFOWORLD  |  SITE MAP  |  EMPLOYMENT  |  PRIVACY  |   CONTACT US

Copyright 2002 InfoWorld Media Group, Inc.