E-mail Attacks - A Bad Day For Submitting Articles
These days, I write several pages for our site plus two to three
articles per week. The first places these articles are posted
are DefendingTheNet.com and CastleCops.com. Several days later,
I post these articles on other submission sites. This is standard
operating procedure in the world of article submissions.
E-mail Attacks
For the most part, articles are re-published without you even
knowing. You typically find out when someone visits your site
from another where the article has been posted. Other times, the
site that plans on posting the article e-mails you and asks you
to review it before it goes live. Two weeks ago, I received one
of these e-mails. It was all downhill from there.
To Click Or Not To Click, That Is The Question
Our systems are protected by state of the art security systems.
Our SPAM filter is a hardware device that is nearly 100% effective.
It also helps in protecting against Spyware and other malicious
code. Our Firewall is similar to those you would find in large
corporations. Our Anti-Virus system has served us well and we've
not had problems with viruses for years. I'm not claiming that our
systems are 100% protected, as there is no such system at this point
in time. However, we are fairly confident in our security systems.
Two weeks ago, I received approximately twenty e-mails requesting
the review and approval of Defending The Net articles published
on other sites. I thoroughly review the e-mails to make sure they
seem legitimate. I review the URLs included to make sure they
are valid and not redirected to a site that is IP only. The last
e-mail I reviewed seemed to be in proper order. When I clicked
on the URL to the article, the site failed to load.
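As an added illustration (not code from the article or from Defending The Net), here is a small Python helper that automates the link review described above: it pulls the URLs out of a message body, flags any whose host is a bare IP address, and applies the same check to each hop of a redirect chain recorded from the throwaway test machine. The sample e-mail body, the `user@` prefix check and the three-hop limit are my own constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample e-mail body (not from the article): one normal review
# link and one pointing straight at a bare IP address.
SAMPLE_EMAIL = """Hi,
We posted your article at http://www.example.org/articles/email-attacks.html.
Please also approve the mirror copy: http://203.0.113.45/review?id=77.
Thanks"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Pull http(s) URLs out of a message body, dropping trailing punctuation."""
    return [m.group(0).rstrip(".,;:)") for m in URL_RE.finditer(text)]


def host_is_ip_literal(host):
    """True when the host part is an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_url(url):
    """Reasons this URL should only be opened in the throwaway test VM."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if not host:
        reasons.append("no host in URL")
    elif host_is_ip_literal(host):
        reasons.append("host is a bare IP address")
    if parts.username is not None:  # assumption: user@ prefixes are suspicious too
        reasons.append("user@ prefix in URL (hides the real host)")
    return reasons


def triage_redirect_chain(chain):
    """chain: URLs observed hop by hop (e.g. recorded from the test VM).
    Flags any hop that lands on an IP-only host and over-long chains."""
    findings = [(i, u, r) for i, u in enumerate(chain) for r in triage_url(u)]
    if len(chain) > 3:  # assumption: more than three hops is worth a second look
        findings.append((len(chain) - 1, chain[-1], "more than 3 redirect hops"))
    return findings
```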
Approximately five minutes later, my system slowed to a crawl.
I reviewed the running services on the machine and found that
the "SYSTEM" process was running at 100% CPU utilization.
A thorough review of the system did not reveal anything out of
the ordinary. Yet, the machine was barely operating.
After rebooting the system in safe mode and reviewing the event
logs, I found the cause of the problem. The event log revealed
that the TCP/IP stack repeatedly exceeded the maximum number of
connections. I had fallen victim to a local machine Denial Of Service
attack.
In most cases, an event like this would reveal at least something
out of the ordinary: a registry entry, file, or service that should
not be present. But not in this case.
The computer's local drives were imaged to preserve their current
state. The images were then submitted to our Anti-Virus and Firewall
vendor research teams. As of today, they have not been able to
determine the exact cause of the problem. They do know something
malicious is going on, and are looking closely at the TCP/IP stack
and system process. Short-term investigation points in the direction
of one of these components being modified or corrupted. It's quite
possible that a new vulnerability exists and I'm fairly confident
they will be able to pinpoint it.
What's The Point
I've seen just about every type of exploit, vulnerability, and
e-mail attack you can think of over the years. Some items we uncover
during security assessments would make your jaw drop.
It never ceases to amaze me how many people out there just don't
care what kind of problems or damage they cause. It appears as
if the point of this recent e-mail attack was nothing more than
to cause the recipient grief, to put the target computer out of
business for a while. One thing's for sure, it resulted in a bad
day for me. The time I had to put into investigating the situation,
and preparing the images for delivery to our vendor, could have
been spent working on something productive.
Conclusion
Because of this event, we have configured a dedicated system whose
sole purpose in life is to test potentially harmful URLs. It is
actually a virtual machine that, if attacked, can be reset to
its default state within seconds.
I can only imagine the stress and frustration others without technical
experience or resources must go through when something like this
happens. I receive countless e-mails from our site visitors regarding
their concern that they may have been attacked or compromised. I
wish I could help them all out directly but that is not always a
reality.
What I can do is share my experiences and recommendations. This
is one of the primary reasons why I enjoy writing articles as much
as I do.
Darren Miller is an Information Security Consultant with
over sixteen years' experience. He has written many technology &
security articles, some of which have been published in nationally
circulated magazines & periodicals. Darren is a staff writer
for www.defendingthenet.com and several other e-zines. If you would
like to contact Darren you can e-mail him at [email protected]
or [email protected].
If you would like to know more about computer security please visit
us at http://www.defendingthenet.com.
If someone you know has sent you this article, please take a moment
to visit our site and register for the free newsletter at http://www.defendingthenet.com/subscribe.htm.