Slashdot Mirror


Exposing Bots In Big Companies

CalicoPenny let us know about yet another "30 days" effort, this one to name the names of major companies infected with spam-spewing bots. Support Intelligence began the effort on March 28, out of frustration at not being able to attract the attention of anyone who could fix the problems at these companies. While they haven't named 30 companies over the ensuing month, they did name some prominent ones, such as Thompson Financial, Bank of America, and AIG. The scary part is that if a bot can spam it can capture keystrokes or troll for interesting documents.

17 of 113 comments

  1. Who works for IT divisions in big companies? by AB3A · · Score: 3, Insightful

    Answer: they're usually the height of mediocrity. The best and brightest, if they're there, are often ignored.

    The notion that lots of big companies have spam bots all over the place is not all that hard for me to believe. Their IT divisions are often poorly staffed with folks who were selected with more input from HR than from the actual manager. They look at the certificates and then decide if a person is OK for the job. Honestly, the certificates are not good gatekeepers to ensure that people without a clue don't find themselves on the front line. They can't be.

    We all have known people who were extremely good at passing tests, but for reasons unknown to the rest of us, are unable to use those very skills in a real application. Those are the people who all too frequently end up in big organizations, pretending to know what real IT is. There is no substitute for learning from experience.

    And these corporations are about to have one of those learning experiences. It won't be pleasant.

    --
    Nearly fifty percent of all graduates come from the bottom half of the class!
    1. Re:Who works for IT divisions in big companies? by DynaSoar · · Score: 2, Insightful

      > Answer: they're usually the height of mediocrity. The best and brightest,
      > if they're there, are often ignored.

      IT at big companies are kept busy just trying to keep the base OS and necessary apps puttering along, and resurrecting users' workstations that have melted down or upchucked. Their mediocrity is enforced by the needs and whims of the big suits and PHBs. Corporate budgeting for IT is on a need-to-go basis. If IT has any money left at the end of a fiscal year, rather than letting them put it to security and be good neighbors on the net, corporate bosses tend to do the corporate thing: take the money and put it towards TV commercials saying what good neighbors they are. The job is mostly never-ending thanklessness punctuated by blame. The best and the brightest are usually not given the time or resources to be that. If they try, they end up pointing out flaws that their cohorts are responsible either for creating or at least for fixing. In corporate IT, as in Japan, "the nail that sticks out gets pounded down". I've watched several friends and acquaintances go from being very good at IT to being either disillusioned and bitter mediocre IT drones, or giving the appearance of being that at work and saving their expertise for their own projects. Those are often unpaying, but at least they get due thanks and/or a sense of accomplishment.

      --
      "I may be synthetic, but I'm not stupid." -- Bishop 341-B
    2. Re:Who works for IT divisions in big companies? by AB3A · · Score: 2, Insightful

      Actually, I have lots of certificates. I have formal training. The thing is, I was technically proficient BEFORE I got those certificates. The certificates were simply a means to prove to my PHB and the HR weenies that I really am worthy of the salary I have. Being relatively honest about such things, I don't usually bother to get certified for something unless I'm serious about using that certification. I'm not a certificate collector. My career is not some merit badge collection from the Boy Scouts. However, the way they write job descriptions these days, one is often reduced to collecting a mess of badges for this, for that, and for other stuff...

      The reason I have this attitude is because I know many others who also have these certificates. Their capabilities range from extraordinarily adept, to blithering idiot. The certificate may indicate exposure to knowledge, but the application of that knowledge is an entirely different thing. That's what separates the pretenders from those who really do know and care. In large organizations, the only thing they can show is evidence of training. Sadly, there is a very wide gulf between that and someone who really performs well on the job. And that gap is not easily measured in any way. That's why large organizations have such strong tendencies toward mediocrity.

      --
      Nearly fifty percent of all graduates come from the bottom half of the class!
  2. Ya know... by FlyByPC · · Score: 4, Insightful

    ...along with the deinfestation, a little education might go a long way. If employees could be paid to attend a (mandatory) presentation on just how a botnet gets set up, I bet this would reduce the instances of infections by an appreciable amount. (Yeah, not 100%, I know.)

    Make it interesting. Start out asking for people's opinions on spam. Get 'em good and worked up. Then set up some network monitor with a nice, easy-to-see graphic interface (maybe write one) and demonstrate how a workstation gets infected by the user running a compromised app. Once it takes hold (pick a good one), pull out the stopwatch, tick off 5-10 seconds, then show how many mails it sent. Then do the math; multiply those ten seconds by 6 to get minutes, then 60, to get hours, then 24. I bet even the math-challenged will get the point quickly, looking at those really large numbers.

    --
    Paleotechnologist and connoisseur of pretty shiny things.
  3. Why don't they block outgoing smtp traffic? by whoever57 · · Score: 5, Insightful

    Surely, these large companies could block outgoing port 25 traffic, except for their own email servers. Then the traffic can easily be monitored and spam zombies detected.

    Why is this not "best practice"?

    --
    The real "Libtards" are the Libertarians!
    1. Re:Why don't they block outgoing smtp traffic? by Mr.+Roadkill · · Score: 2, Insightful

      > All the bot needs to do is find out what the user's SMTP server is and use that.
      > That way it doesn't care which outbound ports are open and which are blocked.

      Indeed. But it's still a good idea to block port 25 on business or educational networks unless it's absolutely needed - as it prevents one class of abusers, i.e. direct-to-MX sending malware, making use of that particular method on your network. There still seems to be a lot of direct-to-MX stuff in circulation, if the evidence in our logfiles is anything to go by. I can't think of many normal desktop users who would need unrestricted port 25 access, and anyone trying to tighten up their network in areas where it won't affect legitimate use ought to be applauded.
  4. This wins the DUH award by toby · · Score: 3, Insightful

    > The scary part is that if a bot can spam it can capture keystrokes or troll for interesting documents.

    Uh, yeah, that's why, like, some of us actually run a secure operating system instead of freaking Windows.

    I look forward to the day when proposing a Windows SOE is a firing offence. As for the state of American IT... Aren't you guys supposed to have landed on the moon, way back before Microshit was founded? WHAT HAPPENED TO Y'ALL?

    --
    you had me at #!
    1. Re:This wins the DUH award by kir · · Score: 3, Insightful

      Yeah... you'd think he'd have grown up by now.

      --
      3cx.org - A truly bad website.
  5. No way by madsheep · · Score: 2, Insightful

    Major companies infected with spam-spewing bots?? No way. This is just too groundbreaking to be true. Next thing they are going to tell us is that government machines are also infected. Since we all know that major companies and government machines are impenetrable because their users are so smart, savvy, and technologically secure. Oh wait, the users at these places are the same people that use AOL dial-up at home. OK.. so maybe it is true *and* unsurprising. :P

  6. Good to see the word getting out. by twitter · · Score: 2, Insightful

    The Register reported this about a month ago and I'm glad the issue is getting the attention it deserves. Having done some "upgrades" for a major bank and worked at a fortune 500 company, I can say that many supposedly secure corporate networks are owned by spammers. It's a big deal because it's hard to filter out.

    > the percentages would likely compare favorably with the home user population at large, methinks.

    You would think that, seeing how much money these companies have to throw into manpower and software, but it's not always so. I'd really like to know what kind of Voodoo the few successful companies are employing.

    > Sometimes (like ferinstance the company I work for) can be outright anal about security (custom images, email that's filtered nine ways from Sunday, etc

    At some companies, this is no more than an inconvenience to the user. Just think about companies that ban cell phones with cameras while allowing actual cameras. The dumber the company, the less effective and more annoying their "security" measures will be.

    The problem with a botnet infection at a major company is filtering the email downstream. What ISP is going to blacklist Bank of America's IP addresses? ISPs have to take and filter each and every mail from major companies or risk shafting mail from a real mail server they don't know about in the same IP range. By contrast, mail from home PCs gets little to no respect. ISPs feel free to reject, block and limit it all at the same time, so the home user can only send some piddling number of mails each day and only through the ISP's SMTP. The botnet people can and do compensate for this by owning more machines, but corporate networks are much better for them.

    The root cause, of course, is M$'s easy to abuse desktop.

    --

    Friends don't help friends install M$ junk.

  7. IT jitters by HW_Hack · · Score: 2, Insightful

    The school district I work for is about 80% Macs and 20% PCs (running XP) - total number of machines district-wide is about 6000. I've asked if I could set up a Linux server and some diskless workstations as a usage test case ... by the response you would think I asked to install an open wireless node in the school's cafeteria. On the other hand if I'd just announced that I'd just installed 35 PCs that would be no problem and everyone would assume they're up to date + antivirus + etc.

    I could lock down that Linux box pretty tight etc. but Linux is not on their radar.

    --
    Its not the years, its the mileage .....
  8. Compared to government agencies by pedestrian+crossing · · Score: 4, Insightful

    I think it is interesting that we see "report cards" that give government agencies low grades on security, but publicly-owned corporations get a pass.

    I seriously doubt that there are any botnets like this running on, say, the DoD network, yet they get a poor grade on security, while a frigging -bank- is pwned, and nobody is too bothered.

    --
    A house divided against itself cannot stand.
    1. Re:Compared to government agencies by jc42 · · Score: 3, Insightful

      > I think it is interesting that we see "report cards" that give government agencies low grades on security, but publicly-owned corporations get a pass.

      I'd suspect that this is mostly because info about government security problems is often available, while corporations (public or private) are generally very secretive about such problems. Journalists have a tendency to report news when they have information, and not report when they don't have information. People conclude that there are problems in government agencies, but not in corporations. But the correct conclusion is usually "We don't know whether the corporate world has these problems, because we can't get information from them."

      Maybe a better approach would be to surmise that, if an organization of any sort is hiding information, this means that it has something going on that it doesn't want us to know.

      (Applying this to the Bush Administration rapidly leads to a high degree of suspicion. ;-)

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  9. Canary by pedestrian+crossing · · Score: 4, Insightful

    > What I'm saying is that blocking outbound port 25 isn't going to stop cleverly-written spambots.

    Absolutely. But -if you are monitoring your FW logs-, you will see the not-so-cleverly-written ones, and they can be your "canary in the coal mine". If you are seeing any denied outbound attempts, you know that either someone (or some software) is going against policy, or you have a workstation weakness that is being exploited, and you follow up on it.

    Sure, this doesn't guarantee that you don't have a problem (i.e., cleverly-written malware). You must take a layered approach to security strategy to be effective. Discounting a layer because it doesn't take every single possibility into account is ridiculous. That's why you have depth built into your security strategy, because no single layer works for everything.

    That is the problem with most "security solutions" that are being peddled to CIOs, they claim to be a single magic bullet when real security solutions are more about correlation and follow-up from different layers. Not sexy, but very effective.

    --
    A house divided against itself cannot stand.
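    The two posts above (whoever57's suggestion to block outbound port 25 except from the company's own mail servers, and the "canary" follow-up about watching the firewall's denied-outbound log) describe one concrete control plus its detection side. The script below is an added example, not code from either poster, showing what the follow-up step looks like: it parses firewall DROP lines in the classic iptables LOG format, keeps only denied TCP/25 attempts from internal hosts that are not a sanctioned relay, and ranks the sources by how many distinct destination mail hosts they tried to reach. The log lines, the `OUTBOUND_SMTP_DROP` log prefix, the `10.20.0.0/16` internal range and the `10.20.1.10` relay address are all constructed for the example; real iptables lines carry extra fields (LEN, TTL, ID and so on) between DST and PROTO, which the regex skips over.

```python
"""Find hosts tripping an outbound-port-25 block: the "canary" in the firewall log.

Added example (not from the thread). The log prefix OUTBOUND_SMTP_DROP, the
internal range 10.20.0.0/16 and the relay 10.20.1.10 are assumptions.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log in iptables LOG format (abbreviated; not real traffic).
# 10.20.5.17 fans out to four different MXs in two seconds: classic direct-to-MX bot.
# 10.20.7.3 makes a single attempt: could be a misconfigured mail client.
# 10.20.1.10 is the sanctioned relay and must not be reported.
SAMPLE_LOG = """\
Apr 28 09:12:01 fw kernel: OUTBOUND_SMTP_DROP IN=eth1 OUT=eth0 SRC=10.20.5.17 DST=203.0.113.25 PROTO=TCP SPT=49152 DPT=25 SYN
Apr 28 09:12:01 fw kernel: OUTBOUND_SMTP_DROP IN=eth1 OUT=eth0 SRC=10.20.5.17 DST=198.51.100.7 PROTO=TCP SPT=49153 DPT=25 SYN
Apr 28 09:12:02 fw kernel: OUTBOUND_SMTP_DROP IN=eth1 OUT=eth0 SRC=10.20.5.17 DST=192.0.2.44 PROTO=TCP SPT=49154 DPT=25 SYN
Apr 28 09:12:02 fw kernel: OUTBOUND_SMTP_DROP IN=eth1 OUT=eth0 SRC=10.20.5.17 DST=203.0.113.99 PROTO=TCP SPT=49155 DPT=25 SYN
Apr 28 09:13:40 fw kernel: OUTBOUND_SMTP_DROP IN=eth1 OUT=eth0 SRC=10.20.7.3 DST=203.0.113.25 PROTO=TCP SPT=51000 DPT=25 SYN
Apr 28 09:14:05 fw kernel: OUTBOUND_SMTP_DROP IN=eth1 OUT=eth0 SRC=10.20.1.10 DST=203.0.113.25 PROTO=TCP SPT=40001 DPT=25 SYN
Apr 28 09:14:09 fw kernel: OUTBOUND_SMTP_DROP IN=eth1 OUT=eth0 SRC=10.20.5.17 DST=203.0.113.25 PROTO=TCP SPT=49156 DPT=443 SYN
Apr 28 09:14:10 fw kernel: something unrelated
"""

# Fields appear in this order in iptables LOG output; .*? skips the ones we don't need.
LOG_RE = re.compile(
    r"OUTBOUND_SMTP_DROP .*?SRC=(?P<src>[\d.]+).*?DST=(?P<dst>[\d.]+)"
    r".*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return the interesting fields of one DROP line, or None if it isn't one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "proto": m["proto"], "dpt": int(m["dpt"])}


def find_smtp_canaries(log_text, internal_net, allowed_relays, min_distinct_dst=1):
    """Map each offending internal source IP to its denied TCP/25 activity.

    Sources outside internal_net and the sanctioned relays are ignored. A host
    is reported only if it tried at least min_distinct_dst distinct mail hosts;
    raising that threshold separates fan-out bots from one-off misconfigurations.
    Result is ordered most suspicious (most distinct destinations) first.
    """
    net = ip_network(internal_net)
    relays = {ip_address(r) for r in allowed_relays}
    hits = defaultdict(lambda: {"attempts": 0, "dsts": set()})

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dpt"] != 25:
            continue
        src = ip_address(rec["src"])
        if src not in net or src in relays:
            continue
        hits[src]["attempts"] += 1
        hits[src]["dsts"].add(rec["dst"])

    report = {
        str(src): {"attempts": h["attempts"], "distinct_dst": len(h["dsts"])}
        for src, h in hits.items()
        if len(h["dsts"]) >= min_distinct_dst
    }
    return dict(sorted(report.items(), key=lambda kv: -kv[1]["distinct_dst"]))


if __name__ == "__main__":
    for src, info in find_smtp_canaries(SAMPLE_LOG, "10.20.0.0/16", ["10.20.1.10"]).items():
        print(f"{src}: {info['attempts']} denied SMTP attempts "
              f"to {info['distinct_dst']} distinct mail hosts")
```

    The relay line is dropped from the report rather than counted; if a sanctioned relay really does show up in the DROP log, that is a rule-ordering problem on the firewall, not a bot, and is worth its own alert. Feed the script your real log (replace `SAMPLE_LOG` with the file contents) and adjust `min_distinct_dst` to taste: at 1 every denied attempt is a ticket, at 3 or more only the fan-out hosts surface.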
  10. Re:Sarbanes-Oxley by TooMuchToDo · · Score: 1, Insightful

    > In the big company that I work in this couldn't happen: we have good firewalls, machines are locked down in terms of downloads, machines are regularly tested/audited and we have a great IT department.

    Bullshit. If a box is on a network, the possibility of an exploit exists. The only secure desktop/server is the one buried in concrete 6 feet underground.

  11. Re:Class Action risk for using Microsoft's Product by Greventls · · Score: 2, Insightful

    There is still a week or more of a delay to test the patches. If the security patch is a major overhaul, it could take months. The place where I work didn't upgrade from Windows 2000 until last year. We still haven't installed IE7. There is a week to 2 week delay between MS releasing a patch and it getting deployed. Programmers need to test their systems to make sure the patch doesn't blow anything up. I can't see any corporation relying on Linux's automatic updates and just keeping it at that.

  12. Re:exposing == alienating potential clients? by InvisiBill · · Score: 2, Insightful

    > For the last year Waters and Support Intelligence CEO Rick Wesson called companies they found spamming, Waters says. But in big companies they had trouble connecting with people who had authority to clean up the networks. Waters thinks corporate upper management--CIO level and above--still don't appreciate the dangers of bots. "We'd talk to mid-level security people who understood botnets but had no buy-in from the CIO," he says. "Or the CEO had never heard about it."
    >
    > So they decided after "much soul searching" to name offending companies. Their goal is to clean up the Internet, not embarrass people or make money, although Support Intelligence has gained some new business. But most companies are grateful to be told they have a problem, Waters says.

    This public disclosure is a last ditch attempt to get someone to do something. They've tried to report the problem, but sometimes nothing will get done until someone with letters after their name sees the company's name in the headlines (where customers can see it and income is affected).

    Are you in the same situation with your list?