[LINK] Trusted .au-wide version(s) of myNetWatchman?

Ann Moffatt annm@exocat.com.au
Tue, 29 Oct 2002 23:25:03 +1000


i thought i understood how systems like this worked but now i'm not too
sure!!

last week as i was using the westpac broking system my firewall alerted me
of an attack as follows:-

incidents all happened on 22/10/2002; the host name was
'broking.westpac.com.au' and the IP address was 203.24.6.148. events were as
follows:-

 time            intrusion attempted on
 06.20.54 pm     PORT 1270 (TCP)
 06.20.56 pm     PORT 1271 (TCP)
 06.20.56 pm     PORT 1273 (TCP)
 06.20.57 pm     PORT 1274 (TCP)
 06.20.57 pm     PORT 1275 (TCP)
 06.20.57 pm     PORT 1272 (TCP)
 06.21.01 pm     PORT 1282 (TCP)

i sent an em with this info to westpac broking asking 'why should your
system attempt to invade my home computer?'

a tech from westpac phoned assuring me that westpac computers don't snoop.
he confirmed that the ip address was that of westpac broking but suggested
that a script kiddie had picked up my system & used port 88 to see who i was
communicating with at the time & spoofed that ip address.

does that sound feasible?

i've asked some techos & they say it does sound feasible. if that is
correct, what is the point of reporting intrusion attempts as they might be
spoofs!!

peace & love

annm
************************************
Ann Moffatt
EXoCaT Pty Ltd
49 Raintree Avenue
BURRUM HEADS QLD 4659
tel +61 (0) 7 4129 5796
fax +61 (0) 7 4129 5916
***********************************
----- Original Message -----
From: "Stephen Loosley" <stephen@melbpc.org.au>
To: <link@anu.edu.au>
Sent: Tuesday, October 29, 2002 10:25 PM
Subject: [LINK] Trusted .au-wide version(s) of myNetWatchman?


> Hi all..
>
> The following concept / initiative could be outstanding
>
> In fact, for all of Australia, with a 'trusted' body to run it?
>
> (Anyway, their software and services are free for individuals)
>
>
> http://www.mynetwatchman.com/
>
> How myNetWatchman works:
>
> Step 1: Internet users and companies throughout the world install
> our Agent software to automatically relay their firewall log events to
> our central analysis server.
>
> Step 2: Log events with the same source IP addresses are organized
> into incidents. All IP addresses are automatically backtraced and the
> responsible domain is identified. This allows you to see ALL events
> that originated from a particular source IP address -- even activity
> reported by OTHER agents.
>
> Step 3: Depending on the target service and the number of agents
> that report a given source IP, the myNetWatchman mailBot automatically
> sends alert e-mails to the responsible party. Basically you don't need to
> lift a finger...everything from collecting the data to backtracing to sending
> an e-mail escalation is all done for you.
>
> Currently we send 500-1000 alert e-mails per day (10,000+ during Code Red).
>
> Often the alerts are sent within 60 seconds of when an agent logs an event.
> This is essential as it helps us inform system administrators (who have usually
> been compromised themselves) fast enough so that they can take action before
> serious damage is done.
>
> Step 4: We receive responses back from about 25-30% of the escalations we
> send. All of the response information, often with candid details on how the
> system was compromised and what steps were taken, is all recorded in the
> incident detail.
>
> Many ISPs do process and act upon our alerts, but unfortunately they don't
> have the automated systems to provide e-mail confirmation of their efforts,
> but rest assured that most alerts ARE acted upon.
>
> In addition to the global reports you see listed to the left, agents that
> contribute data also get a Sample personal report page where you can see an
> analysis of just the events that you reported.
>
> As an added bonus active agents also receive our IPWatch service which gives
> you the ability to track your current IP address from anywhere. This is very
> handy if you have a dynamic IP address and need to connect to your personal
> web server or remote access program from a remote location.
>
> In summary, think of myNetWatchman as a centralized firewall log analyzer
> and escalation system that adds a global perspective to your event data ...
> something that no standalone product can achieve.
>
> Our software and services are free for individual use. Simply register and
> download.
>
> We are currently piloting our security abuse management services for
> organizations, ISPs, and managed service providers. Anyone interested in
> participating ..."
> --
>
> Cheers all ..
> Stephen Loosley
> Melbourne Australia
>
> _______________________________________________
> Link mailing list
> Link@mailman.anu.edu.au
> http://mailman.anu.edu.au/mailman/listinfo/link
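Two passages in this thread lend themselves to a worked example: the firewall report in Ann's post (seven inbound TCP packets from one host to ports 1270-1282 within seven seconds, while she was using that host's service) and Steps 1-3 of the quoted myNetWatchman description (collect agents' firewall events, group them by source IP into incidents, then decide on escalation from the target service and the number of independent agents reporting that source). The Python below is an added illustration written for this thread; it is not myNetWatchman's code and does not use its log format, thresholds or backtrace logic. The log line format, the sample entries (the first seven mirror the times and ports in Ann's post, the rest use documentation addresses and are invented), the agent threshold, the watched-service list and the ephemeral-port heuristic are all assumptions of this example. The heuristic encodes a check a defender would want before escalating this kind of report: inbound packets to high-numbered client ports, from a host the reporter was talking to at that moment, from a single reporter, within a few seconds, are commonly the tail of the reporter's own sessions (replies arriving after the local socket closed) rather than a probe, which is one reason a correlator weights events by the number of independent reporters and by the target service.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines in a made-up key=value format (not any real agent's
# format). The first seven mirror the report in the post above; the rest are
# invented so that multi-agent incidents and a malformed line exist as well.
SAMPLE_LOG = """\
2002-10-22 18:20:54 agent=A src=203.24.6.148 dport=1270 proto=TCP
2002-10-22 18:20:56 agent=A src=203.24.6.148 dport=1271 proto=TCP
2002-10-22 18:20:56 agent=A src=203.24.6.148 dport=1273 proto=TCP
2002-10-22 18:20:57 agent=A src=203.24.6.148 dport=1274 proto=TCP
2002-10-22 18:20:57 agent=A src=203.24.6.148 dport=1275 proto=TCP
2002-10-22 18:20:57 agent=A src=203.24.6.148 dport=1272 proto=TCP
2002-10-22 18:21:01 agent=A src=203.24.6.148 dport=1282 proto=TCP
2002-10-22 19:02:10 agent=A src=192.0.2.77 dport=80 proto=TCP
2002-10-22 19:02:11 agent=B src=192.0.2.77 dport=80 proto=TCP
2002-10-22 19:02:15 agent=C src=192.0.2.77 dport=80 proto=TCP
2002-10-22 19:04:00 agent=B src=192.0.2.99 dport=1434 proto=UDP
2002-10-22 19:04:02 agent=D src=192.0.2.99 dport=1434 proto=UDP
2002-10-22 19:10:30 agent=C src=192.0.2.5 dport=23 proto=TCP
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) agent=(?P<agent>\S+) "
    r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>TCP|UDP)$"
)

# Assumptions of this example, not values taken from the service described above.
EPHEMERAL_MIN = 1024          # dports at or above this are treated as client-side ports
MIN_AGENTS_TO_ESCALATE = 3    # independent reporters needed to escalate on count alone
WATCHED_SERVICES = {22, 23, 25, 80, 135, 139, 445, 1433, 1434}  # escalate with 2+ reporters


def parse_log(text):
    """Step 1: turn relayed agent log lines into event dicts; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "agent": m["agent"], "src": m["src"],
            "dport": int(m["dport"]), "proto": m["proto"],
        })
    return events


def build_incidents(events):
    """Step 2: one incident per source IP, merging events from every reporting agent.
    The real service also backtraces each IP to a responsible domain here; this
    offline example stops at grouping."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    incidents = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        incidents[src] = {
            "events": len(evs),
            "agents": sorted({e["agent"] for e in evs}),
            "ports": sorted({e["dport"] for e in evs}),
            "first": evs[0]["ts"], "last": evs[-1]["ts"],
        }
    return incidents


def classify(incident):
    """Step 3: escalation decision from reporter count and target service, with one
    false-positive check in front of it (heuristic assumed for this example)."""
    agents = len(incident["agents"])
    all_ephemeral = all(p >= EPHEMERAL_MIN for p in incident["ports"])
    span = (incident["last"] - incident["first"]).total_seconds()
    if agents == 1 and all_ephemeral and span <= 60:
        # One reporter, only client-side ports, a few seconds: consistent with late
        # replies to that reporter's own connections, so do not escalate.
        return "suppress"
    if agents >= MIN_AGENTS_TO_ESCALATE:
        return "escalate"
    if agents >= 2 and any(p in WATCHED_SERVICES for p in incident["ports"]):
        return "escalate"
    return "monitor"


def triage(text):
    """Run the three steps over a log and return {source IP: verdict}."""
    return {src: classify(inc) for src, inc in build_incidents(parse_log(text)).items()}


if __name__ == "__main__":
    for src, verdict in triage(SAMPLE_LOG).items():
        print(f"{src:15} {verdict}")
```

Run as a script, the block prints one verdict per source IP: the broking host from the post is suppressed as probable return traffic, the two sources seen by several agents are escalated, and the single-reporter telnet hit is only monitored. The suppress rule is deliberately narrow (single reporter, only ephemeral ports, short window); a production correlator would instead check the reporter's own recent outbound connection table, which a personal firewall does not relay.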