Security company attempts hacking

Note from poster: I got this post from another person who wishes to
remain anonymous. I do know that the original author follows this
newsgroup so follow-up comments will be seen.

** apply virtual scissors here **

In a recent report it came to light that the Dutch Security Software
company Alfa & Ariss has been making unauthorised attempts to break in
to both private and corporate computer systems.

Alfa & Ariss, who made name for themselves by developing software for
both the Open Source and Corporate markets for secure login
procedures, as well as being contracted to implement this software in
central Dutch government and banking agencies, have made confirmed
attempts to at least gain access to several systems without obtaining
authorization first from the owners and operators of those systems.

The most disturbing attempts are the clear and verified, targeted
attempts to access a Scandinavian company by probing for available
services, including but not limited to telnet, SSH, FTP, LDAP, VPN,
SSL and SMTP. These were made from the main IP address registered to
them (82.94.105.130) in late October. The company's data wasn't
compromised due to a good security setup, but the attempts themselves
are an indication that Alfa & Ariss is apparently doing more than just
develop software, and not all of it desirable.

Next to this, the private user is apparently also not safe from them,
as an ex-employee found out. His home-connected computer had its
Internet connection flooded around the same time, and by checking
access logs found out that the company had been snooping on his
Livejournal (even after he left the company) as well as making
complete copies of his personal and business related web pages.

Even though invited to do so, no comments have been made by Alfa &
Ariss so far, but the ex-employee states: "Yes, there have been
problems with my connection. My modem complained about not being able
to handle the traffic correctly, and probably a bunch of connections
were dropped because of that. I'd say that is a clear example of
Denial of Service right there. It didn't last long, but still..."

"I also put a few blocks in place after that, and started keeping an
eye on the IP. Surprisingly, it didn't end there, but instead, I found
I got continued connection attempts from the office at just about
every business day, and even some in the weekend and at night times.
To this day they keep checking up on me, apparently."

As to the reason why, there seems to be some confusion: "I'm a little
limited in what I am allowed to say under my NDA, but I can tell you
that even though I left the company in September on less than
agreeable terms (having had the rights needed to do my job as security
officer and network administrator revoked, forcing me to quit, next to
lack of pay), I didn't have any negative consequences to speak of
because of this. I, myself, was just glad to close it off this way, I
have no desire to be in any way in touch with the people there, and as
a matter of fact, the CEO demanded no further contact, himself. I even
returned a few letters after they got sent to my address regardless of
their own command. There is also nothing of interest for them to be
found on my home system, apart from personal data for me and a few
friends which they have no business in knowing or having access to.
Although I can guess as a motive they might be searching for
information to try and fine+sue me over the NDA; it would not surprise
me if so, at all. Having set up a lot of the network stuff there
myself though, I can tell you that if something like this originates
from that IP, it's not been someone else or a system that got
compromised and abused by someone else outside the office. Unless of
course they really messed up their setup after making me quit, but I
somehow doubt it."

Further specifics are not known at this time.

Re: Security company attempts hacking

57005.48879@bredband.net writes:

>Note from poster: I got this post from another person who wishes to
>remain anonymous. I do know that the original author follows this
>newsgroup so follow-up comments will be seen.

>** apply virtual scissors here **

>In a recent report it came to light that the Dutch Security Software
>company Alfa & Ariss has been making unauthorised attempts to break in
>to both private and corporate computer systems.

>Alfa & Ariss, who made name for themselves by developing software for
>both the Open Source and Corporate markets for secure login
>procedures, as well as being contracted to implement this software in
>central Dutch government and banking agencies, have made confirmed
>attempts to at least gain access to several systems without obtaining
>authorization first from the owners and operators of those systems.

>The most disturbing attempts are the clear and verified, targeted
>attempts to access a Scandinavian company by probing for available
>services, including but not limited to telnet, SSH, FTP, LDAP, VPN,
>SSL and SMTP. These were made from the main IP address registered to
>them (82.94.105.130) in late October. The company's data wasn't
>compromised due to a good security setup, but the attempts themselves
>are an indication that Alfa & Ariss is apparently doing more than just
>develop software, and not all of it desirable.

>Next to this, the private user is apparently also not safe from them,
>as an ex-employee found out. His home-connected computer had its
>Internet connection flooded around the same time, and by checking
>access logs found out that the company had been snooping on his
>Livejournal (even after he left the company) as well as making
>complete copies of his personal and business related web pages.

>Even though invited to do so, no comments have been made by Alfa &
>Ariss so far, but the ex-employee states: "Yes, there have been
>problems with my connection. My modem complained about not being able
>to handle the traffic correctly, and probably a bunch of connections
>were dropped because of that. I'd say that is a clear example of
>Denial of Service right there. It didn't last long, but still..."

>"I also put a few blocks in place after that, and started keeping an
>eye on the IP. Surprisingly, it didn't end there, but instead, I found
>I got continued connection attempts from the office at just about
>every business day, and even some in the weekend and at night times.
>To this day they keep checking up on me, apparently."

>As to the reason why, there seems to be some confusion: "I'm a little
>limited in what I am allowed to say under my NDA, but I can tell you
>that even though I left the company in September on less than
>agreeable terms (having had the rights needed to do my job as security
>officer and network administrator revoked, forcing me to quit, next to
>lack of pay), I didn't have any negative consequences to speak of
>because of this. I, myself, was just glad to close it off this way, I
>have no desire to be in any way in touch with the people there, and as
>a matter of fact, the CEO demanded no further contact, himself. I even
>returned a few letters after they got sent to my address regardless of
>their own command. There is also nothing of interest for them to be
>found on my home system, apart from personal data for me and a few
>friends which they have no business in knowing or having access to.
>Although I can guess as a motive they might be searching for
>information to try and fine+sue me over the NDA; it would not surprise
>me if so, at all. Having set up a lot of the network stuff there
>myself though, I can tell you that if something like this originates
>from that IP, it's not been someone else or a system that got
>compromised and abused by someone else outside the office. Unless of
>course they really messed up their setup after making me quit, but I
>somehow doubt it."

>Further specifics are not known at this time.

This sounds nuts to me.
a) If the second person who claims to have been a security officer, network
administrator cannot setup his own system to make sure that the company
cannot get into his computer, then he deserved to have been fired. He is
incompetent.

b) There is nothing wrong with "Probing for telnet, SSH, FTP, LDAP, VPN,
SSL and SMTP." Those are services by which a computer links to the outside
world, and in particular by which outside computers are supposed to
connect. The only way to tell if you can connect is by probing. Now if they
DO connect and carry out nepharious tasks after doing so, that is a
different question.

Furthermore, IP spoofing is now at least 20 years old. Ie, there is no way
of knowing if those IP addresses have anything to do with the company. I
have no way of disproving the claims, but the evidence presented is
insufficient for the conclusions reached.

Re: Security company attempts hacking

Unruh wrote:
> This sounds nuts to me.
> a) If the second person who claims to have been a security officer, network
> administrator cannot setup his own system to make sure that the company
> cannot get into his computer, then he deserved to have been fired. He is
> incompetent.
I'm sure if you read the post again, a little more carefully, you'll
notice that there was no mentioning of the company actually being
successful in anything but flooding the end user's Internet connection.
Which is usually not all that hard to do, since business connections of
companies in the IT industry usually have quite a big pipe to use, and a
home user usually has, what, 1mbit DSL with a modem that is not designed
for heavy use?

Main question is of course why would the company WANT to try to break in
to an ex-employee's system?
He said that it might be -trying- to access data that would give them
grounds to sue. And that was speculation to begin with.

Jumping to the conclusion that someone is incompetent because he
actually noticed an attempted DoS, and after that checked up on logs to
see what was going on, sounds a little bit strange.

> b) There is nothing wrong with "Probing for telnet, SSH, FTP, LDAP, VPN,
> SSL and SMTP." Those are services by which a computer links to the outside
> world, and in particular by which outside computers are supposed to
> connect. The only way to tell if you can connect is by probing. Now if they
> DO connect and carry out nepharious tasks after doing so, that is a
> different question.
I disagree with you there. To use services like SMTP, to name one
example, you go through the proper route of requesting which server/IP
to use in DNS, and then connect to that machine. There is no reason to
go at it from the other direction. Same goes for directory services,
even web and FTP servers.
Another example: VPN is normally used with a known hostname from someone
that has access to, and data of, the corporate network they are trying
to connect to. Same for SSH and Telnet: authorized users know the host
they are connecting to.

The only time ports are probed like this is when someone is searching
for services that can be used or abused with not following the normal
access route. Of course knocking on the door isn't illegal by itself,
unlike actually going in and abusing a system which is a serious crime,
but because of the context I just sketched, most ISPs also frown heavily
on this kind of behaviour, and most of them explicitly forbid it in
their terms of service because it is not normally done apart from when
trying to do something illegal when an open or exploitable service is found.
Even if it was legitimate attempts at accessing exposed services, I
wouldn't say that there is "nothing wrong" with doing a full sweep
across a broad spectrum of ports in a very short period of time (which
this seems like to have been the case). and I don't see how that could
be trying to access much of anything legitimately.


> Furthermore, IP spoofing is now at least 20 years old. Ie, there is no way
> of knowing if those IP addresses have anything to do with the company. I
> have no way of disproving the claims, but the evidence presented is
> insufficient for the conclusions reached.

*chuckles* IP spoofing only works when you don't have to establish a
connection. You can't get a TCP connection if you can't do a handshake.
The spoofed IP would have to be at least in the same subnet as the IP
shown, or there won't be a route back to the originating sender and you
won't get a sensible response.
At the very least the spoofer has to be on the route between the two
machines for it to work, and I somehow doubt that that would have
happened in today's Internet infrastructure in the countries we are
talking about, certainly not to two distinct, totally different systems
which would place the spoofing point pretty damn close to the company's
IP anyway! (and I don't buy that their ISP would be the culprit for one
second)
Since the posting talks about verified connections I'm sure this kind of
connection -was- established and therefore the IP can't have been
spoofed. Also the access logs that were mentioned showing a full
download of web sites, being HTTP (TCP) connections, also confirms that
this cannot have been spoofed.

I'd also be very surprised if ISPs don't check and filter outgoing
traffic for IPs that aren't supposed to be in the designated subnet of
the connection.
As for the connection to the company, if you do a PTR lookup or whois,
it is as clear as day that that IP belongs to that company.