Slashdot Mirror


Secretive Company Scanning the Net

Zarf writes: "A start-up called Quova is pinging and tracerouting the entire Internet, causing firewalls and Intrusion Detection Systems to go crazy, and some security-types to get mad, according to this story at Security Focus. What's interesting is that the company won't say what they're doing with the information they're gathering, but records with the Patent and Trademark Office suggest it has something to do with selling "psychographic" information, i.e., matching advertisements to particular lifestyles and beliefs."

11 of 268 comments

  1. So what's the problem? by carlhirsch · · Score: 5

    Unless they're actually intruding, i.e. busting through firewalls or cracking in some way, it seems that this falls well within "fair use" of TCP/IP. When I was larval, I would scan any network I could find just to see how it was put together.

    If you don't want companies like this to see it, lock it down. It's not hard.

    -carl

    --
    We've got computers, we're tapping phone lines, you know that ain't allowed - Talking Heads, "Life During Wartime"
  2. Misleading Figures by jyuter · · Score: 5

    But after six months of constant probing, Quova says it's received only 100 complaints. A 1998 Internet mapping project by Bell Labs researcher Bill Cheswick drew 30 complaints after six months of scanning.

    Yes, but it's possible many others didn't detect it and would have complained if they knew about it. Look at the last quote:

    "...To that end, the company is working to refine its technique, so as to fly stealthily beneath the radar of firewalls and intrusion detection systems. "It's a goal we have," says Muniz. "Someday I'd like to get the system to the point where we don't set off anybody's alarms."

    They don't care about the people or their complaints; they just care about getting caught.

    Being with you, it's just one epiphany after another

  3. Security survey? by Spiff28 · · Score: 5
    You know, I really wish I had a link for this, it's a great story, and I know I'll screw it up.

    Something like a year or two ago something really similar was done. A group of people had gotten together and decided to survey the 'net on security. They did this, as I recall, by doing your standard ping/traceroute/portscan for just about anything. IIRC, they also 'tested' to see if the then 10 most common exploits were vulnerable.

    Two interesting things came about from this. One, of course, was the results. Only something in the vicinity of 12% of their search space was 'secure' by their tests. .com's and .gov's were the most vulnerable, as well.

    The second was the people they pissed off. Scr1pt K1dd13s DoS'd once or twice. Some network admins sent an e-mail asking why portscans had come from that domain. Others threatened legal action and had 'sent logs to the FBI.' And then there was this one guy... I can't even do him justice, but in .7 seconds he'd fscked their systems like you wouldn't believe.

    Anyway, it wouldn't surprise me to find that something similar was happening again. I've got no problems with my box being probed. Honestly, if you freak at a portscan, you're a little paranoid.

    Oh, and hey... some karma whore go dig that link up. May very well have been from this site ;)

    1. Re:Security survey? by jacobm · · Score: 5

      As a matter of fact, it was from this site. The Internet Auditing Project, posted here on August 14, 1999. It's a really good article, certainly worth a read.

      Your friendly karma whore,
      --
      -jacob
  4. Re:where they're operating out of... by jehreg · · Score: 5
    Well, I needed a target to test out my Nessus version, so here goes:

    Nessus Scan Report

    Number of hosts which were alive during the test : 1
    Number of security holes found : 5
    Number of security warnings found : 1
    Number of security notes found : 2

    List of the tested hosts :

    205.177.226.233 :

    List of open ports :

      • telnet (23/tcp)
      • www (80/tcp) (Security hole found)
      • sunrpc (111/tcp)
      • shell (514/tcp)
      • unknown (2049/tcp)
      • general/udp (Security notes found)

    Vulnerability found on port www (80/tcp)

    • The 'perl' cgi is installed and can be launched as a CGI. This is like
      giving a free shell to anyone, with the http server privileges (root or
      nobody).

      Solution : remove it from /cgi-bin

      Risk factor : Serious
      CVE : CAN-1999-0509

    Vulnerability found on port www (80/tcp)

    • The 'jj' cgi is installed. This CGI has a well known security flaw that
      lets anyone execute arbitrary commands with the privileges of the http
      daemon (root or nobody).

      Solution : remove it from /cgi-bin.

      Risk factor : Serious
      CVE : CVE-1999-0260

    Vulnerability found on port www (80/tcp)

    • The 'glimpse' cgi is installed. This CGI has a well known security flaw
      that lets anyone execute arbitrary commands with the privileges of the
      http daemon (root or nobody).

      Note that we could not actually check for the presence of this
      vulnerability, so you may be using a patched version.

      Solution : remove it from /cgi-bin.

      Risk factor : Serious
      CVE : CVE-1999-0147

    Vulnerability found on port www (80/tcp)

    • The 'Count.cgi' cgi is installed. This CGI has a well known security
      flaw that lets anyone execute arbitrary commands with the privileges of
      the http daemon (root or nobody).

      Solution : remove it from /cgi-bin.

      Risk factor : Serious
      CVE : CVE-1999-0021

    Vulnerability found on port www (80/tcp)

    • 'cgiwrap' is installed. This CGI has a well known security flaw that
      lets anyone execute arbitrary commands with the privileges of the http
      daemon (root or nobody).

      Solution : remove it from /cgi-bin.

      Risk factor : Serious

    Warning found on port www (80/tcp)

    • The 'finger' cgi is installed. It is usually not a good idea to have
      such a service installed, since it usually gives more troubles than
      anything else.

      Double check that you really want to have this service installed.

      Solution : remove it from /cgi-bin.

      Risk factor : Serious
      CVE : CAN-1999-0197

    Information found on port www (80/tcp)

    • The remote web server type is :
      Apache/1.3.12 (Unix) PHP/4.0.0 FrontPage/4.0.4.3

      We recommend that you configure your web server to return bogus
      versions, so that it makes the cracker job more difficult

    Information found on port general/udp

    • For your information, here is the traceroute to 205.177.226.233 :
      ?

    This file was generated by Nessus, the open-sourced security scanner.
  5. A little more info on 'Quova' by front · · Score: 5

    Howdy

    A little more info (at this stage) on 'Quova' from the description of an opening they had for a Senior Network Developer :

    http://www.e-oasis.com/rmiug-jobs/1223.html

    cheers

    front

  6. Re:Now what the .. by FFFish · · Score: 5
    THIS IS WHAT THEY ARE DOING:

    Based on the senior engineer job posting that someone else mentioned, some of the discussion here and a bit of creative thinking, here's what I believe they are doing:

    They are developing localized web advertising. They are working to resolve IP addresses to physical locations: cities and neighbourhoods.

    Once they've built a map that translates virtual space to realspace, they can sell advertising services that are far more effective.

    Your local retailers, for instance, can advertise to you. Just like they do in your newspaper, only in banner format.

    Further, they will be able to target your demographic specifically. Some neighbourhoods are richer than others. No point in selling you McDonald's advertising if you're of La Maison Rouge quality.

    The traceroute information is a useful tool in narrowing the location. Plot a traceroute on a map, and you'll intuitively start guessing what part of the country it's going to end up in. At some point it resolves to your local ISP, which gives them your county or city.

    Where ping fits in, I dunno, other than perhaps it provides the IP addresses for traceroute to digest. And there is useful information in being able to ping a machine and identify that it's still online in the dead of night: that implies it's a full-time connection, which means you're a cut above the average dial-up user.

    What we'd all better hope is that there's no way for them to patent the map. Doing so would be the equivalent of having the patent for the map of all the roads in the country.

    ooooh... and tie the IP addresses to DoubleClick's personal database, and they'll be able to do targeted snailmail advertising. If you've got a fulltime connect, your IP is as good as your street address. If you're dialup, the number is shared with others in your locale... but all of you are a distinctly different demographic than the population that doesn't access the Internet.

    And, tied to the DC's database, they can really get into the psychographic stuff. "This IP reads a lot of pr0n; this one is a snowboarding junkie; here's one that's been researching home decorating..."

    I'm more and more positive that this is their goal!

    --
    Don't like it? Respond with words, not karma.
  7. Secretive Company Scanning the Net? Nah... by ralmeida · · Score: 5

    ...someone just typed by accident:

    root@quova:~$ ping *.*.*.*
    root@quova:~$ traceroute *.*.*.*

    --
    This space left intentionally blank.
  8. where they're operating out of... by Ex+Machina · · Score: 5

    They rent rackspace from Exodus (who according to messages (index of week's messages) on INCIDENTS). Exodus is doing nothing it seems and condones their activities. They don't seem to be doing anything more than getting some REALLY paranoid sysadmins' underwear in a knot, but I really don't like being batch scanned for no real reason. So here's my info I've scoped on them.
    whois -h whois.networksolutions.com quova.net ...

    Registrant:
    David Naffziger (QUOVA2-DOM)
    333 W Evelyn
    Mountain View, CA 94043
    US

    Domain Name: QUOVA.NET

    Administrative Contact, Technical Contact, Zone Contact:
    hostmaster (HO8675-ORG) hostmaster@QUOVA.COM
    Quova, Inc.
    333 W. Evelyn Ave.
    Mountain View , CA 94043
    US
    (650) 962-2933
    Fax- (650) 962-2025
    Billing Contact:
    billing (BI4691-ORG) billing@QUOVA.COM
    Quova, Inc.
    333 W. Evelyn Ave.
    Mountain View , CA 94043
    US
    (650) 962-2933
    Fax- (650) 962-2025

    Record last updated on 23-May-2000.
    Record expires on 16-Nov-2001.
    Record created on 16-Nov-1999.
    Database last updated on 6-Jul-2000 18:55:18 EDT.
    Domain servers in listed order:

    NS1.QUOVA.COM 208.37.145.35
    AUTH50.NS.UU.NET 198.6.1.161


    www.quova.net is running Apache/1.3.12 (Unix) PHP/4.0.0 FrontPage/4.0.4.3 on Solaris netcraft
    AND SINCE THEY shouldn't mind!!!

    cherrycoke:~$ sudo nmap -sX -vv -O www.quova.net
    Starting nmap V. 2.54BETA1 by fyodor@insecure.org ( www.insecure.org/nmap/ )
    Host (205.177.226.233) appears to be up ... good.
    Initiating FIN,NULL, UDP, or Xmas stealth scan against (205.177.226.233)
    The UDP or stealth FIN/NULL/XMAS scan took 69 seconds to scan 1525 ports.
    For OSScan assuming that port 23 is open and port 1 is closed and neither are firewalled
    Interesting ports on (205.177.226.233):
    (The 1520 ports scanned but not shown below are in state: closed)
    Port State Service
    23/tcp open telnet
    80/tcp open http
    111/tcp open sunrpc
    514/tcp open shell
    2049/tcp open nfs

    TCP Sequence Prediction: Class=random positive increments
    Difficulty=132682 (Good luck!)

    Sequence numbers: 6A1BA7D9 6A255F59 6A2A5515 6A2F4624 6A37B2F6 6A3CE0D6
    Remote OS guesses: Solaris 2.6 - 2.7, Solaris 7
    OS Fingerprint:
    TSeq(Class=RI%gcd=1%SI=2064A)
    T1(Resp=Y%DF=Y%W=2297%ACK=S++%Flags=AS%Ops=NNTNWME )
    T2(Resp=N)
    T3(Resp=N)
    T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
    T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
    T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
    T7(Resp=Y%DF=Y%W=0%ACK=S%Flags=AR%Ops=)
    PU(Resp=N)


    Nmap run completed -- 1 IP address (1 host up) scanned in 83 seconds


    Some "security company," with all those notoriously insecure services running on their webserver (NFS, telnet, shell, RPC). Oh well. It looks like their webserver is colocated with some company.
    cherrycoke:~$ traceroute www.quova.net
    traceroute to www.quova.net (205.177.226.233), 30 hops max, 40 byte packets
    1 orangecrush (192.168.0.1) 2.638 ms 2.239 ms 2.238 ms
    2 quincy-asx-2.ziplink.net (206.15.185.18) 509.732 ms 203.12 ms 219.374 ms
    3 206.15.185.17 (206.15.185.17) 209.86 ms 215.767 ms 199.762 ms
    4 * zl-qnz-cisco2bcn.ziplink.net (206.15.158.150) 205.427 ms 214.611 ms
    5 zl-pru-h20-1z172h209.ziplink.net (206.15.172.209) 219.845 ms 214.564 ms 219.459 ms
    6 206.15.185.217 (206.15.185.217) 219.572 ms 216.462 ms 199.567 ms
    7 bay4-322.quincy.ziplink.net (208.196.109.82) 279.498 ms 274.794 ms 259.6 ms
    8 zl-sf-e20-2sf7k.ziplink.net (206.15.172.6) 279.477 ms 265.691 ms 279.473 ms
    9 pacbell-1.globalcenter.net (198.32.128.32) 279.597 ms 272.632 ms 279.56 ms
    10 pos4-2-155M.cr1.SNV.gblx.net (206.132.150.25) 269.622 ms 272.892 ms 299.483 ms
    11 pos2-0-622M.cr1.IAD3.gblx.net (206.132.113.102) 337.01 ms 333.853 ms 339.512 ms
    12 pos0-0-0-155M.br2.IAD3.gblx.net (206.132.253.26) 339.529 ms 343.903 ms 349.513 ms
    13 digiweb.s2-1-1.br2.IAD.gblx.net (204.152.166.190) 349.878 ms 273.863 ms 299.393 ms
    14 209.143.145.194 (209.143.145.194) 309.769 ms 277.821 ms 299.558 ms
    15 ucla.digiweb.com (206.161.225.11) 299.497 ms 292.234 ms *
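The pinging and tracerouting the summary, comment 6 and the output above describe leave a distinctive footprint in a perimeter firewall log: one source sending ICMP echo requests to many addresses in a netblock, plus low-TTL UDP probes to the classic traceroute port range (33434 and up). The following is an added example, not code from the original thread or from Quova or any vendor; the log lines are constructed in a simplified iptables-style key=value format, and the thresholds are assumptions a site would tune to its own traffic.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (iptables-style key=value fields, not real
# traffic): 203.0.113.7 pings several hosts and runs a traceroute into the
# netblock; 192.0.2.10 is an ordinary client pinging one host, then browsing.
SAMPLE_LOG = """\
SRC=203.0.113.7 DST=198.51.100.1 PROTO=ICMP TYPE=8 TTL=52
SRC=203.0.113.7 DST=198.51.100.2 PROTO=ICMP TYPE=8 TTL=52
SRC=203.0.113.7 DST=198.51.100.3 PROTO=ICMP TYPE=8 TTL=52
SRC=203.0.113.7 DST=198.51.100.4 PROTO=UDP DPT=33434 TTL=1
SRC=203.0.113.7 DST=198.51.100.4 PROTO=UDP DPT=33435 TTL=2
SRC=203.0.113.7 DST=198.51.100.4 PROTO=UDP DPT=33436 TTL=3
SRC=203.0.113.7 DST=198.51.100.9 PROTO=ICMP TYPE=8 TTL=52
SRC=192.0.2.10 DST=198.51.100.1 PROTO=ICMP TYPE=8 TTL=60
SRC=192.0.2.10 DST=198.51.100.1 PROTO=TCP DPT=80 TTL=60
"""

# Classic UNIX traceroute sends UDP probes to ports 33434 and up, one port per
# probe, starting with IP TTL=1; a probe that reaches the firewall at all has
# only a small remaining TTL. Both bounds are assumptions for this example.
TRACEROUTE_PORTS = range(33434, 33535)
LOW_TTL = 10
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one key=value log line into a dict of fields."""
    return dict(FIELD_RE.findall(line))


def classify_sources(log_text, sweep_hosts=3, trace_probes=2):
    """Per source: distinct hosts pinged, traceroute-style probes, verdict."""
    pinged = defaultdict(set)
    traced = defaultdict(int)
    for line in log_text.splitlines():
        f = parse_line(line)
        src = f.get("SRC")
        if not src:
            continue
        if f.get("PROTO") == "ICMP" and f.get("TYPE") == "8":
            pinged[src].add(f.get("DST"))
        elif (f.get("PROTO") == "UDP"
              and int(f.get("DPT", 0)) in TRACEROUTE_PORTS
              and int(f.get("TTL", 255)) <= LOW_TTL):
            traced[src] += 1
    report = {}
    for src in set(pinged) | set(traced):
        hosts, probes = len(pinged[src]), traced[src]
        report[src] = {"pinged_hosts": hosts, "traceroute_probes": probes,
                       "flagged": hosts >= sweep_hosts or probes >= trace_probes}
    return report


if __name__ == "__main__":
    for src, info in sorted(classify_sources(SAMPLE_LOG).items()):
        print(src, info)
```

On the sample data the sweeping source is flagged on both counts while the single-host client is not; in practice the distinct-host count is the more robust signal, since a scanner that spaces probes out over days still accumulates it.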

  9. Re:Yea and...? by dohnut · · Score: 5

    Yeah, maybe that's where this psycho-profile is coming from. They determine what software your box is running and then assess your personality and buying habits from that.

    For instance...

    Running Windows 95/98/NT - Will buy anything, start spamming immediately.
    Running BeOS - Will buy anything, so long as it is obscure or different. Try to sell them some gas-powered boots.
    Running Linux - Likes bandwagons. Try to off-load Britney Spears and Pokemon.
    Running Commercial Unix - Resists bandwagons. Try to sell them some more 5,000 dollar operating systems.
    Running Windows 3.11 - Too stupid and/or poor. Don't bother.

    Disclaimer: Please don't take these personally.

    --
    Stupider like a fox! - H.S.
  10. Are networks private property? by jht · · Score: 5

    Common sense says "my network is my property, and mine alone to allow visitors".

    However, the IP address space is a public resource, documented and available to any who are willing to participate. You can look up any address block and find out who owns it if you want (like a Registry of Deeds here in most US states). And in order to get a block, you have to agree to the "rules".

    The question I'd ask here is "where is the boundary between public and private property?" Obviously, if a system is accessible over the Internet and a service is available, then that service, at least, probably meets the requirements of "public", even if the owner doesn't realize that the service is accessible. Using that service may be public, even though it's not polite.

    I'd say if it's behind a firewall that blocks the pings, or not accessible through a NAT export, then it's private. Kind of like the difference between a gated community and a regular old subdivision, to use an imperfect analogy. I can drive into a subdivision, map and photograph every street and house I see, and then use the information for whatever legal purpose I want (I could legally sell it to people wanting, for instance, to publish guides to preferred neighborhoods). I'm free to look at the houses so long as I don't actually trespass on the private property that they rest on.

    If I want to map and document a gated community, though, the street is private and blocked off, with restricted access. I need the permission of whoever runs the gatehouse to go inside and map the streets and houses within. If I can see all the houses without having to go through the gatehouse I can still take my photographs, though.

    And there's the conundrum. If I block all inbound access to my network (except for exported hosts), then the scans will be stopped at my gatehouse (firewall), and only the things I have chosen to make visible will be mapped. Those systems are public, though my network is private.

    Where this company is being unethical is in trying to do this activity as stealthily as possible. If a surveyor wants to try and map my neighborhood, fine. Let them show me their credentials and announce their presence. If I see someone skulking around in the middle of the night in a car with the lights dimmed, who pauses in front of each house for a while, I just may think they're up to no good. And someone else may think that and either call the cops (the offending visitor's ISP) or just shoot 'em.

    If I don't want to be mapped (and I, for one, don't), I'll erect my own gate and cordon off my address space that way. If someone sneaks in anyway then I may shoot the varmint myself.

    -Josh Turiel

    --
    -- Josh Turiel
    "2. Do not eat iPod Shuffle."