---

Charges of hacking stop Internet OS Count

by Dwight Johnson

The Internet Operating System Counter run by cubenet.de, which
has been so useful in bringing to light the predominance of Linux
use on the Internet, has been stopped because of accusations of
hacking in Israeli domains.

The Counter, which uses the freeware probing software
Queso, currently featured in the InfoWorld article
“TCP fingerprinting solutions for Linux offer another way to gather
security data”, was accused of initiating “hack attacks” against
“hi-tech companies and banks”.

The accusation, published October 26 in the Israeli online news site
Globes, reads:

“In the past three weeks, scores of Israeli companies’ Internet
sites have been attacked by a group of hackers, suspected to be
Lebanese, operating from the US. Yitzhak Mozgah, of security
company COMSEC, told “Globes” today that the hackers operated from
Texas, and were discovered in an investigation carried out by
COMSEC and PubliCom.”

According to hzo.cubenet.de:

“Today (Friday, 23.10.98 about 4.00 CEST) I got urgent email
from the sysadmins of leb.net where my query is running as a
background job. The ongoing Oct ’98 survey which also queries all
servers of the .il domain (Israel) had brought up sysop complaints
about »hack attacks« against »hi-tech companies
and banks«. There was a statement, that a »Firewall-1
system was bypassed and the log turned off after compromise«
(which shouldn’t be triggered by the packets I send to the hosts
to query).”

“As I see it, I came in between frontiers where I don’t want to
be. As I was told, there could be even some articles in today’s
Israeli newspapers about this whole thing. Therefore I stopped the
ongoing host query.”

“The Internet Operating System Counter (ios++)
is a survey of operating system usage on the Internet. It collects
host addresses and queries these hosts, which operating systems
they are running.”

Below is a follow-up report issued today:



From [email protected] Fri Oct 30 13:22:16 1998
Date: Fri, 30 Oct 1998 20:23:16 +0100 (CET)
From: ios++ mechanic 
To: [email protected]
Subject: Sorry, no Oct. 98 query results.
Resent-Date: 30 Oct 1998 19:23:23 -0000
Resent-From: [email protected]
Resent-cc: recipient.list.not.shown:;

Hi,

the Oct. 98 query was stopped because of an incident
with servers of the '.il' domain.
A complaint concerning a "hack attack" (which usually
comes in every 120 000 hosts queried) was "upgraded" into a
full alarm for all '.il' hosts.

This alarm was triggered at Fri, 23 Oct 1998 00:59:21 +0000
24 hrs after I had provided them full explanation what I was doing and
giving pointers to the Counter web pages which were provided at Thu, 22
Oct 1998 01:07:01 +0200 (CEST)

Severe accusations shined up in Israeli newspapers (see attached
article which was published by http://www.globes.co.il on Sunday, Oct 25,
1998 at 18:00 (GMT+3) ). Security companies seemed to use this incident to
bash other security suppliers ( "...a Checkpoint firewall-1 was
compromised..." ) and to promote their services.

I asked the person who released the Israel wide alarm to publish a
log file which could prove these claims. Until now (Fri Oct 30 20:10:14
CET 1998), no log file could be provided which would back these
claims.

The gentleman from Israel responsible for triggering the false alarm
did not defuse it until Thu, 29 Oct 1998 21:13:46 +0200, more than six
days after he had triggered it.

You can read more about this incident in the Israeli Linux-il mailing
list archive:

http://plasma-gate.weizmann.ac.il/Linux/maillists/98/10/msg00368.html
http://plasma-gate.weizmann.ac.il/Linux/maillists/98/10/msg00378.html
http://plasma-gate.weizmann.ac.il/Linux/maillists/98/10/msg00401.html
http://plasma-gate.weizmann.ac.il/Linux/maillists/98/10/msg00424.html
http://plasma-gate.weizmann.ac.il/Linux/maillists/98/10/msg00425.html
http://plasma-gate.weizmann.ac.il/Linux/maillists/98/10/msg00479.html
http://plasma-gate.weizmann.ac.il/Linux/maillists/98/10/msg00512.html

I'm sorry to tell you that I stopped the Oct. 98 query because of
this incident. Further host queries might or might not be done
depending on free time and mood.

Enjoy!
hans

--
ios++ == The Internet Operating System Counter.
ios++ == Counting the operating systems on the Internet.
ios++ == http://www.hzo.cubenet.de/ioscount/
