Linux Today: Linux News On Internet Time.
Search Linux Today
Linux News Sections:  Developer -  High Performance -  Infrastructure -  IT Management -  Security -  Storage -
Linux Today Navigation
LT Home
Contribute
Contribute
Link to Us
Linux Jobs


More on LinuxToday


Charges of hacking stop Internet OS Count

Oct 30, 1998, 16:45 (7 Talkback[s])

by Dwight Johnson

The Internet Operating System Counter run by cubenet.de which has been so useful in bringing to light the predominance of Linux use on the Internet has been stopped because of accusations of hacking in Israeli domains.

The Counter, which uses the freeware probing software Queso currently featured in the InfoWorld article TCP fingerprinting solutions for Linux offer another way to gather security data, was accused of initiating "hack attacks" against "hi-tech companies and banks".

The accusation published October 26 in the Israeli online news site Globes reads:

"In the past three weeks, scores of Israeli companies Internet sites have been attacked by a group of hackers, suspected to be Lebanese, operating from the US. Yitzhak Mozgah, of security company COMSEC, told "Globes" today that the hackers operated from Texas, and were discovered in an investigation carried out by COMSEC and PubliCom."

According to hzo.cubenet.de:

"Today (Friday, 23.10.98 about 4.00 CEST) I got urgent email from the sysadmins of leb.net where my query is running as a background job. The ongoing Oct' 98 survey which also queries all servers of the .il domain (Israel) had brought up sysop complaints about »hack attacks« against »hi-tech companies and banks« There was a statement, that a »Firewall-1 system was bypassed and the log turned off after compromise« (which shouldn' t be triggered by the packets I send to the hosts to query)."

"As I see it, I came in between frontiers where I don't want to be. As I was told, there could be even some articles in today's Israelinewspapers about this whole thing. Therefore I stopped the ongoing host query." The Internet Operating System Counter (ios++) is a survey of operating system usage on the Internet. It collects host addresses and queries these hosts, which operating systems they are running."

Below is a follow-up report issued today:



From ioscount@goldfish.cube.net Fri Oct 30 13:22:16 1998
Date: Fri, 30 Oct 1998 20:23:16 +0100 (CET)
From: ios++ mechanic 
To: ioscount-list@goldfish.cube.net
Subject: Sorry, no Oct. 98 query results.
Resent-Date: 30 Oct 1998 19:23:23 -0000
Resent-From: ioscount-list@goldfish.cube.net
Resent-cc: recipient.list.not.shown:;

Hi,

the Oct. 98 query was stopped because of an incident
with servers of the '.il' domain.
A complaint concerning a "hack attack" (which usually
comes in every 120 000 hosts queried) was "upgraded" into a
full alarm for all '.il' hosts.

This alarm was triggered at Fri, 23 Oct 1998 00:59:21 +0000
24 hrs after I had provided them full explanation what I was doing and
giving pointers to the Counter web pages which were provided at Thu, 22
Oct 1998 01:07:01 +0200 (CEST)

Severe accusations shined up in Israeli newspapers (see attached
article which was published by http://www.globes.co.il on Sunday, Oct 25,
1998 at 18:00 (GMT+3) ). Security companies seemed to use this incident to
bash other security suppliers ( "...a Checkpoint firewall-1 was
compromised..." ) and to promote their services.

I asked the person who released the Israel wide alarm to publish a
log file which could prove these claims. Until now (Fri Oct 30 20:10:14
CET 1998), no log file could provided which would back these
claims.

The gentleman from Israel responsible for triggering the false alarmdid not defuse it until Thu, 29 Oct 1998 21:13:46 +0200, more than six
days after he had triggered it.

You can read more about this incident in the Israeli Linux-il mailing
list archive:

http://plasma-gate.weizmann.ac.il/Linux/maillists/98/10/msg00368.html
http://plasma-gate.weizmann.ac.il/Linux/maillists/98/10/msg00378.html
http://plasma-gate.weizmann.ac.il/Linux/maillists/98/10/msg00401.html
http://plasma-gate.weizmann.ac.il/Linux/maillists/98/10/msg00424.html
http://plasma-gate.weizmann.ac.il/Linux/maillists/98/10/msg00425.html
http://plasma-gate.weizmann.ac.il/Linux/maillists/98/10/msg00479.html
http://plasma-gate.weizmann.ac.il/Linux/maillists/98/10/msg00512.html

I'm sorry to tell you that I stopped the Oct. 98 query because of
this incident. Further host queries might or might not be done
depending on free time and mood.

Enjoy!
hans

--ios++ == The Internet Operating System Counter.
ios++ == Counting the operating systems on the Internet.
ios++ == http://www.hzo.cubenet.de/ioscount/