[55246] in North American Network Operators' Group
Re: Banc of America Article
daemon@ATHENA.MIT.EDU (Ryan Fox)
Sat Jan 25 22:38:24 2003
From: "Ryan Fox" <rfox@amerisuk.com>
To: "Avleen Vig" <lists-nanog@silverwraith.com>,
"Alex Rubenstein" <alex@nac.net>
Cc: <nanog@nanog.org>
Date: Sat, 25 Jan 2003 21:45:51 -0500
Errors-To: owner-nanog-outgoing@merit.edu
> > Does anyone else, based upon the assumptions above, believe this statement
> > to be patently incorrect (specifically, the part about 'personal
> > information had not been at risk.') ?
>
> Which not technically correct, they are not technically incorrect
> either.
Hm. One possible attack on BoA's data would be to log incoming udp port
1434 requests to your network, and cross reference the source addresses with
BoA's netblocks. Now you have a list of verified vulnerable BoA MSSQL
servers.
While it's possible that _none_ of the vulnerable servers have _any_
'personal information', I'd venture to guess otherwise.
While I'm on the topic of attacking servers that attacked you first, can I
get some opinions on the ethics of this? I think a targeted attack like the
one I described above would surely be crossing the proverbial line, but what
about an automated nmap scan of attacking hosts, where the data would be
used for aggregate statistics? Thoughts?
Ryan