Re: spyware question

From: <captgoodnight@acsalaska.net>
Date: Fri Jun 25 2004 - 20:33:39 AKDT

On Friday 25 June 2004 05:31 pm, Royce Williams wrote:
>If you get another hit a few days later from the same IP,
> a follow-up is certainly warranted.

The number of attempts I get from the ACS net-range is tremendous. Matching IPs to users could become
a real chore, seeing we have the choice of always-on or not :) I can only imagine. Seems best to be done in
real time, though this could become a customer service nightmare. Question: the DSL modems use a unique
MAC, right? That could make it easier to track.

This makes me wonder: do the ISPs have some sort of honeypot/net for the sole purpose of security? (attempt compromise && auto-push an e-mail)
This could be an incredible tool. It really does give away lots of info: who/OS/and what infection (generally). As I see it, the crux would be putting all the
info together and advising in a customer do-it-themselves type of solution; use the e-mail that's auto-generated to recommend a fix from M$ or an antivirus vendor.
Automating this whole mess seems possible. Heck, match the uploaded payload (custom sigs) to an AV fix or M$ patch. The ISP could use a three-strikes-in-a-day
rule and ya get an e-mail; the strike count could be determined by the seriousness of the sig. Oh dear, my mind's a-ticking...ouch...ouch...ouch lol. Match the
attempted compromise (sig/s counts) with the current IP/MAC handout (source db) && auto-email user && user freaks out and goes bald (if not already) :) lol

> The short answer: we usually *are* spanking them -- we're just not
> sending you the photos. :)

lol, kinky. :)

> > Anyhow, not to digress, but using too many acronyms with phone support
> > usually confuses them. I'm kinda surprised ya got NNTP (a news feed)
> > past them...lol. :) Here's an exercise for ya, when talking to phone
> > support, use only acronyms, and listen to the confusion. lololol j/k
>
> In their defense, these folks are usually geared to handle Grandma,
> not y'all. Couple that with the high turnover, and it may sometimes be
> hard to get a one-off issue across so that it can be properly escalated.

hehe. Grandma support has always been good, sec support too!
I must admit, I was phishing for an ACS response from the list. It's nice to see ACS/GCI (sorry for the closeness there :)
employees on the list.

Here's another question.
Do the ISPs use wireless decoy packets to witness monitor-mode hackers? Since theoretically it's impossible to remotely detect a card in monitor mode.
Maybe even promisc mode too. This is a tactic I use at home, as is a remote NIC promisc detection method/script. I'm curious because of the new
wireless internet program. What type of encryption is it using? WEP? SSL? ??? I'm genuinely curious ;)

Oh, so many questions; hope it's okay to inquire here. Any answers would be great. Hope I make sense. Thanks AKLUG.

eddie
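[Added example, not part of eddie's message and not ACS/GCI code.] The "match the attempted compromise with the current IP/MAC handout && auto-email user" idea above, sketched as a small correlation script. Every input is constructed for the example: the signature names and weights, the fix advice, the DHCP lease history, the MAC-to-customer table and the honeypot log lines are all hypothetical. The one design point worth noticing is that a hit is attributed by finding the lease that covered the source IP at the time of the hit, not by the IP alone, because the same address is re-leased to a different modem MAC later the same day; hits whose IP had no lease at that moment are reported separately rather than blamed on whoever holds the address now.

```python
"""Correlate honeypot hits with DHCP lease history and count per-customer strikes.

Hypothetical sketch of the "three strikes in a day" idea; every table and log
line below is constructed for the example, not taken from any ISP's systems.
"""
from collections import defaultdict
from datetime import datetime

# Signature weights and the fix advice a notice would carry (constructed names).
SIGNATURES = {
    "smb_445_worm_probe": {"weight": 2, "fix": "apply the vendor's SMB patch and run an AV scan"},
    "netbios_139_scan": {"weight": 1, "fix": "block 137-139/445 at the modem; scan for worms"},
    "mail_relay_probe": {"weight": 1, "fix": "check for an open relay or a spam bot"},
    "lsass_overflow_attempt": {"weight": 3, "fix": "apply the vendor's LSASS patch immediately"},
}
STRIKES_PER_DAY = 3

# DHCP lease history: which modem MAC held which IP during which interval (constructed).
LEASES = [
    {"ip": "10.20.30.40", "mac": "00:11:22:33:44:55", "start": "2004-06-25 08:00", "end": "2004-06-25 20:00"},
    {"ip": "10.20.30.40", "mac": "66:77:88:99:aa:bb", "start": "2004-06-25 20:00", "end": "2004-06-26 08:00"},
    {"ip": "10.20.30.41", "mac": "cc:dd:ee:ff:00:11", "start": "2004-06-25 00:00", "end": "2004-06-26 00:00"},
]
# Modem MAC -> customer contact address, the "source db" (constructed).
CUSTOMERS = {
    "00:11:22:33:44:55": "cust1001@example.net",
    "66:77:88:99:aa:bb": "cust1002@example.net",
    "cc:dd:ee:ff:00:11": "cust1003@example.net",
}

# Honeypot log, one "date time src_ip signature" record per line (constructed).
HONEYPOT_LOG = """\
2004-06-25 09:15 10.20.30.40 smb_445_worm_probe
2004-06-25 11:40 10.20.30.40 netbios_139_scan
2004-06-25 21:05 10.20.30.40 smb_445_worm_probe
2004-06-25 21:06 10.20.30.40 smb_445_worm_probe
2004-06-25 13:00 10.20.30.41 mail_relay_probe
2004-06-25 23:30 10.20.30.99 lsass_overflow_attempt
"""


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def mac_for(ip, when):
    """Return the MAC that held `ip` at `when`, or None if no lease covers it.

    Lease intervals are half-open [start, end), so a hit exactly at a
    re-lease boundary is attributed to the new holder, not the old one.
    """
    for lease in LEASES:
        if lease["ip"] == ip and ts(lease["start"]) <= when < ts(lease["end"]):
            return lease["mac"]
    return None


def parse_log(text):
    """Turn the honeypot log into (datetime, src_ip, signature) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, ip, sig = line.split()
        events.append((ts(f"{date} {time}"), ip, sig))
    return events


def correlate(events):
    """Return (strikes, unattributed).

    strikes: {(customer, day): {"score": weighted total, "sigs": set of signatures}}
    unattributed: events whose source IP had no lease at that time.
    """
    strikes = defaultdict(lambda: {"score": 0, "sigs": set()})
    unattributed = []
    for when, ip, sig in events:
        customer = CUSTOMERS.get(mac_for(ip, when))
        if customer is None:
            unattributed.append((when, ip, sig))
            continue
        key = (customer, when.date().isoformat())
        strikes[key]["score"] += SIGNATURES.get(sig, {"weight": 1})["weight"]
        strikes[key]["sigs"].add(sig)
    return dict(strikes), unattributed


def notices(strikes):
    """Customers whose weighted strikes reached the daily threshold, with fix advice."""
    out = {}
    for (customer, day), info in strikes.items():
        if info["score"] >= STRIKES_PER_DAY:
            advice = sorted(SIGNATURES[s]["fix"] for s in info["sigs"] if s in SIGNATURES)
            out[customer] = {"day": day, "score": info["score"], "advice": advice}
    return out


if __name__ == "__main__":
    strikes, unattributed = correlate(parse_log(HONEYPOT_LOG))
    for customer, n in notices(strikes).items():
        print(f"notify {customer}: {n['score']} strikes on {n['day']}; " + "; ".join(n["advice"]))
    for when, ip, sig in unattributed:
        print(f"no lease for {ip} at {when:%Y-%m-%d %H:%M} ({sig}); check the lease log by hand")
```

With the constructed data, the two morning hits from 10.20.30.40 land on the first lease holder (score 3, notified), the two evening hits land on the second holder who got the same address after 20:00 (score 4, notified), the single relay probe stays below the threshold, and the hit from 10.20.30.99 is flagged as unattributable because no lease covered it. Weighting by signature severity is what lets one serious hit count as much as three nuisance scans, which is the "strike count determined by the seriousness of the sig" point.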

---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Fri Jun 25 20:33:37 2004