Beware of older cyber attacks: Footprinting and brute force attacks are still in use

IBM X-Force® Research Managed Security Services Report

Executive overview

Covering more than 18 years of vulnerability data, the IBM® X-Force® database surpassed 100,000 entries in Q2 2016.[1] That means there are a lot of attack vectors at a criminal’s disposal. With much of the media focus on new and emerging threats, it’s easy to see how security teams might lose sight of older, less newsworthy vulnerabilities and attack vectors.

An assessment of recent data from IBM Managed Security Services (IBM MSS), which continuously monitors billions of events reported by more than 8,000 client devices in over 100 countries, reveals some interesting findings about attack vectors no longer discussed much. One example is the TCP/UDP port scan and TCP/UDP service sweep, which are part of an attack pattern known as footprinting.[2] Another is the password brute force attack pattern,[3] one of the brute force attacks[4] we saw emerge decades ago and still see today. While many products and services today require strong passwords, weak passwords are still being used, aiding criminals in carrying out successful brute force attacks.[5][6][7]

Fortunately, many tools and mitigation techniques to thwart these older kinds of cyber attack have been developed over the years. Organizations that apply them in their environments will be better equipped to deal with the ongoing threat.

About this report

This IBM® X-Force® Research report was created by the IBM Managed Security Services Threat Research group, a team of experienced and skilled security analysts working diligently to keep IBM clients informed and prepared for the latest cybersecurity threats. This research team analyzes security data from many internal and external sources, including event data, activity and trends sourced from thousands of endpoints managed and monitored by IBM.

Footprinting

Looking at the Common Attack Pattern Enumeration and Classification (CAPEC) mechanisms of attack,[8] we see an attack pattern hierarchy. Footprinting[9] is considered a meta attack pattern that falls under one of the top level categories, “Gather Information.” Often viewed as more of a pre-attack used to gather information on potential targets, the term encompasses several attack techniques, among them network topology mapping, host discovery, account footprinting, and port scanning. Generally, multiple ports are scanned in a port scan.

There’s also something called a service (or port) sweep, in which multiple hosts in a network are checked for a specific open service port. Service sweeps are often ignored, since they occur so regularly and aren’t something that warrants an immediate response. The placement of network sensors also impacts whether footprinting activity can be detected. If a sensor is behind a firewall and the firewall is not configured to map ports to internal systems, the scan activity won’t be logged.

Commonly used footprinting tools

Most security analysts will agree that “,” made available in 1997, is the best known and most widely used network footprinting tool.[10] “Scanrand” (2002),[11] “amap” (2003),[12] “Unicornscan” (2005),[13] “zmap” (2012) and “masscan” (2013) are also popular.[14] Newer tools such as “zmap” (2012) claim the ability to scan the entire Internet in times ranging from five minutes to an hour.[15] And masscan claims to do it in three minutes.[16] Scanning tools existed before 1997, for example the Internet Security Scanner (ISS) version 1.x that first appeared as a shareware product in 1992 and later inspired a commercial product.[17]

Another way to glean footprinting data is to use a search engine that is searching data from ongoing Internet mapping projects. Shodan (2009) is one of the most popular projects and is thought by many to be the most comprehensive.[18] Censys (2015) is geared towards computer scientists and researchers.[19] Thingful (2013) is for Internet of Things (IoT) devices.[20] Internet mapping search engines such as these allow attackers to gain access to footprinting information without actually sending packets to the victim, who then remains unaware they’re being targeted.
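As an added illustration (not from the report), the following Python script applies the distinction drawn above to a constructed connection log: one source touching many ports on a single host is treated as a port scan, and one source touching a single port across many hosts as a service sweep. The log format, the addresses and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample of connection attempts in the form a perimeter sensor
# might log them ("timestamp src dst dport"). These are not IBM MSS data.
# Note the sensor-placement caveat from the text: a sensor behind a firewall
# that does not forward these ports to internal hosts would never see them.
SAMPLE_LOG = """\
2016-03-01T10:00:01 198.51.100.7 192.0.2.10 23
2016-03-01T10:00:01 198.51.100.7 192.0.2.11 23
2016-03-01T10:00:02 198.51.100.7 192.0.2.12 23
2016-03-01T10:00:02 198.51.100.7 192.0.2.13 23
2016-03-01T10:00:03 198.51.100.7 192.0.2.14 23
2016-03-01T10:00:03 198.51.100.7 192.0.2.15 23
2016-03-01T10:00:09 198.51.100.7 192.0.2.10 1433
2016-03-01T10:00:09 198.51.100.7 192.0.2.11 1433
2016-03-01T10:05:00 198.51.100.9 192.0.2.20 21
2016-03-01T10:05:00 198.51.100.9 192.0.2.20 22
2016-03-01T10:05:01 198.51.100.9 192.0.2.20 23
2016-03-01T10:05:01 198.51.100.9 192.0.2.20 25
2016-03-01T10:05:02 198.51.100.9 192.0.2.20 80
2016-03-01T10:05:02 198.51.100.9 192.0.2.20 443
2016-03-01T10:07:30 203.0.113.5 192.0.2.10 443
"""


def parse(log_text):
    """Yield (src, dst, dport) for each well-formed record; skip anything else."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, src, dst, dport = parts
        yield src, dst, int(dport)


def classify(log_text, min_ports=5, min_hosts=5):
    """Return {src: findings}. A finding is either
    ("port_scan", dst, distinct_ports)   - many ports on one host, or
    ("service_sweep", dport, distinct_hosts) - one port across many hosts.
    Thresholds are assumed values; tune them to the sensor's vantage point."""
    ports_per_target = defaultdict(lambda: defaultdict(set))  # src -> dst -> {dport}
    hosts_per_port = defaultdict(lambda: defaultdict(set))    # src -> dport -> {dst}
    for src, dst, dport in parse(log_text):
        ports_per_target[src][dst].add(dport)
        hosts_per_port[src][dport].add(dst)

    findings = defaultdict(list)
    for src, targets in ports_per_target.items():
        for dst, ports in targets.items():
            if len(ports) >= min_ports:
                findings[src].append(("port_scan", dst, len(ports)))
    for src, services in hosts_per_port.items():
        for dport, hosts in services.items():
            if len(hosts) >= min_hosts:
                findings[src].append(("service_sweep", dport, len(hosts)))
    # Sorted so that output (and tests) are deterministic.
    return {src: sorted(f, key=str) for src, f in findings.items()}


if __name__ == "__main__":
    for src, found in classify(SAMPLE_LOG).items():
        for kind, target, count in found:
            print(f"{src}: {kind} against {target} ({count} distinct)")
```

The two 1433 probes from 198.51.100.7 stay below the sweep threshold, which mirrors why low-volume sweeps so often go unremarked in practice.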

Top 10 ports

In a sampling of IBM Managed Security Services customers over two days in Q1 2016, the telnet port (TCP port 23) received the largest number of sweeps, accounting for 79 percent of the events. Port 80 is excluded from the network IDS signature represented in this data due to the likelihood of false positives, because legitimate web traffic also uses port 80.[21] Popular ports such as 25 (SMTP), 21 (FTP), 53 (DNS), 135 (RPC), 137 (NETBIOS), 139 (NETBIOS), 445 (Microsoft-DS), and others ranked lower than the top 10. This is shown in Figure 1 and Table 1.

Rank | Destination TCP port | Sweeps | Internet Assigned Numbers Authority (IANA)-assigned service description and popular use[22]
1 | 23 | 78.65% | telnet
2 | 1433 | 2.61% | Microsoft SQL Server
3 | 8080 | 2.14% | HTTP alternate for port 80
4 | 3306 | 1.59% | MySQL
5 | 3389 | 1.54% | MS WBT Server, Windows Remote Desktop
6 | 3128 | 1.00% | Active API Server Port, some proxy servers (squid-http, 3proxy)
7 | 443 | 0.90% | http protocol over TLS/SSL
8 | 5900 | 0.61% | Remote framebuffer, VNC (virtual network computing), Apple Remote Desktop
9 | 9200 | 0.56% | WAP connectionless session service, EMC2 (Legato) Networker or Sun Solstice Backup
10 | 21320 | 0.54% | N/A
All other | | 9.87% | All other TCP ports combined

Table 1. Rank, destination TCP port, sweeps and service description and popular use for the top 10 ports. Source: IBM MSS data.

[Figure 1: pie chart of the top 10 TCP service sweep destination ports, with telnet at 78.65% and all other ports at 9.87%; the remaining slices are the percentages listed in Table 1.]
Figure 1. Top 10 TCP service sweep destination ports. Source: IBM MSS data.

Ports provide multiple pieces of useful information. Attackers may be seeking:
• Specific vulnerabilities for known services, such as Heartbleed on web servers
• Services that can be exploited for a brute force password attack
• Information on a target, such as what can be found in a login banner

Banners can be particularly revealing. “Welcome to the ACME central bank system running Widgets OS version 3.43.23c” reveals that the attacker has found both a prime target and an easy path to unauthorized access via what may be its operating system’s many known vulnerabilities. Certain malware are also known to use many common ports. Table 2 highlights those associated with the top 10 TCP destination ports revealed in Table 1.

Rank | Destination TCP port | Sweeps | Trojans, worms or malware using the port
1 | 23 | 78.65% | ADM worm (May 1998), Aphex’s Remote Packet Sniffer, AutoSpY, ButtMan, Fire HacKer, My Very Own Trojan, Pest, RTB 666, Tiny Telnet Server - TTS, Truva Atl, Backdoor.Delf variants, Backdoor.Dagonit (2005.10.26)
2 | 1433 | 2.61% | Digispid.B.Worm (2002.05.21), W32.Kelvir.R (2005.04.12), Voyager Alpha Force
3 | 8080 | 2.14% | Reverse WWW Tunnel Backdoor, RingZero, Screen Cutter, Mydoom.B (2004.01.28), W32.Spybot.OFN (2005.04.29), W32.Zotob.@mm (2005.08.16), W32.Zotob.E (2005.08.16), Backdoor.Naninf.D (2006.02.01), Backdoor.Naninf.C (2006.01.31), W32.Rinbot.A (2007.03.02), Android.Acnetdoor (2012.05.16), Feodo/Geodo (a.k.a. Cridex or Bugat), Backdoor.Tjserv.D (2005.10.04), RemoConChubo, Brown Orifice, Feutel, Haxdoor, Hesive, Nemog, Ryknos, W32.Kelvir, W32.Mytob, W32.Opanki, W32.Picrate, W32.Spybot, W32.Zotob, Webus
4 | 3306 | 1.59% | Nemon backdoor (discovered 2004.08.16), W32.Mydoom.Q@mm, W32.Spybot
5 | 3389 | 1.54% | Backdoor.Win32.Agent.cdm, TSPY_AGENT.ADDQ
6 | 3128 | 1.00% | Masters Paradise, Reverse WWW Tunnel Backdoor, RingZero, Mydoom.B (2004.01.28), W32.HLLW.Deadhat (2004.02.06)
7 | 443 | 0.90% | W32.Kelvir.M (2005.04.05), Slapper, Civcat, Tabdim, W32.Kelvir, W32.Kiman
8 | 5900 | 0.61% | Backdoor.Evivinc, W32.Gangbot (2007.01.22)
9 | 9200 | 0.56% | Unknown
10 | 21320 | 0.54% | Spybot, TopArcadeHits malware installing unapproved proxy

Table 2. Illegitimate uses of the top 10 ports. Rank, destination TCP port, sweeps. Source: IBM MSS data. Trojans, worms, malware using port. Source: Various.[23][24][25]

Telnet: TCP port 23

Telnet, which has been around since the beginning of the ARPANET in 1969 in what evolved to be the Internet in 1982, accounts for more than three-quarters of the sweep traffic we analyzed. People might wonder “How could that be? I thought telnet didn’t get used much anymore.” That’s true enough, but only partly so. While telnet is no longer enabled by default in many UNIX/Linux distributions, as it once was, it still gets enabled by naïve administrators, and it can be found enabled by default on many IoT devices such as refrigerators, DVRs, televisions, beds, toothbrushes and some older SCADA (Supervisory Control And Data Acquisition) devices. Telnet doesn’t encrypt its communications, making it easy for someone to sniff the traffic for user IDs and passwords.

Telnet servers aren’t limited to only UNIX/Linux; some telnet servers connected to the Internet are running on Windows systems ranging from Windows 10 all the way back to Windows XP. Many embedded system applications are used in equipment such as routers, VOIP phones and industrial control systems (ICSs). People think of ICS as infrastructure—in utility or manufacturing environments—but ICS is used in other industries, for example at the car wash. At least one car wash system has been known to have a telnet server listening and reachable from the Internet.[26] When you pull into one of those automated car washes with no attendant anywhere in sight, one could wonder whether there’s some criminal in control from hundreds or thousands of miles away.

A report created on 4 April 2016 from the world’s first search engine for internet-connected devices, Shodan, shows that telnet is still alive and serving (see Figure 2).[27][28]

Once an attacker discovers an open telnet port, she or he may have several options:
• See if the banner reveals something about the system and the entity that owns it
• If authentication isn’t required, gain immediate access to the system
• Try common default accounts such as root/root, system/system, manager/manager, or operator/operator to gain unauthorized access
• Perform brute force attacks to obtain passwords for common user accounts or system (root or Administrator) accounts.

An attacker with unauthorized access will normally explore the system to view its features, see what data it contains, and gain experience with the technologies used, building up a toolbox and learning additional ways to exploit the targeted organization.

[Figure 2: Shodan search results for the telnet port, with the top countries panel as follows.]
1. China 5,199,724
2. United States 1,327,980
3. Brazil 1,257,974
4. Republic of Korea 1,030,702
5. India 723,424
6. Spain 526,469
7. Russian Federation 467,227
8. Viet Nam 409,888
9. Italy 350,927
10. Dominican Republic 296,118

Figure 2. A search for port 23 on 5 April 2016 returned over 16 million results. Source: Shodan.

Telnet vulnerabilities

“Common Vulnerabilities and Exposures” (CVE®) is a dictionary of common names (also called CVE Identifiers) for publicly known cybersecurity vulnerabilities.[29] Vulnerabilities related to telnet have been disclosed every year since its launch in 1999, and by the end of 2015 they totaled 266 (see Figure 3). While their disclosure has slowed over time, there has been a small resurgence in number during the past few years. It should be interesting to see the count for 2016.

A few of the telnet server vulnerabilities disclosed in 2015 could impact many organizations without their ever suspecting such a vulnerability exists. This includes CVE-2015-2874 and CVE-2015-3459.

[Figure 3: bar chart, count of telnet CVE IDs per year from 1999 to 2015 (y-axis 0 to 40).]

Figure 3. Total number of telnet vulnerabilities since 1999. Source: CVE Project, MITRE Corporation.[30]

CVE-2015-2874 is associated with a vulnerability in a few Seagate portable hard drives used to share content with mobile devices such as cell phones and tablets.[31] The vulnerability is also linked to a common weakness enumeration ID, CWE-798, which is for “Use of Hard-Coded Credentials.”[32] An attacker could exploit this vulnerability by establishing a telnet session into a vulnerable device and typing in the default username and password to gain root privileges to the system and access all the files stored on the drive. A firmware update to remediate the issue is now available from the manufacturer.

CVE-2015-3459 is associated with a vulnerability affecting the Hospira LifeCare PCA Infusion System prior to version 7.0. Vulnerable systems do not require authentication for root telnet sessions, potentially allowing a remote attacker to modify the pump configuration. The implications are life-threatening: a malicious actor could bypass authentication and relatively easily change the upper limit of a drug being administered to a patient. According to the vendor, version 7.0 has the telnet port disabled by default to prevent unauthorized access.[33]

2015 saw the disclosure of several other telnet vulnerabilities where admin access could be gained fairly easily (see Table 3).

CVE ID | Product | Vulnerability
CVE-2015-0924 | Ceragon FiberAir IP-10 bridges | Default password for the root account
CVE-2015-2897 | Sierra Wireless AirLink ES, GX, and LS devices | Hardcoded root accounts
CVE-2015-7251 | ZTE ZXHN H108N R1A devices | Hardcoded password of root for the root account
CVE-2015-7289 | Arris DG860A, TG862A, and TG862G devices | Hardcoded administrator password derived from a serial number

Table 3. Additional notable telnet vulnerabilities. Note that specific software or firmware versions of vulnerable products are not noted in the table. Refer to the IBM X-Force Exchange for more information.

SQL Server: port 1433

The number two ranked destination port for TCP service sweeps, at only three percent of the traffic, is 1433, commonly used for Microsoft SQL Server. In addition to the common footprinting tools noted earlier, a freely available software package called Metasploit[34] has an auxiliary module, mssql_ping, used to discover exposed Microsoft SQL Server instances. Metasploit also includes modules named mssql_login and mssql_hashdump used to gain unauthorized access to a Microsoft SQL Server instance. An open source penetration tool called sqlmap[35] will locate and exploit SQL injection flaws of database servers such as Microsoft SQL Server. Another tool to exploit Microsoft SQL Server installations is sqlninja.[36] Both sqlmap and sqlninja are included in the current releases of Kali Linux, a Linux distribution designed to be used for penetration testing.[37]

Other ports

Some of the ports noted in the top 10 are associated with well-known older attacks such as MyDoom, Slapper, SQL Slammer, and Spybot. While these attacks may or may not still be active in the wild, the services with which they are associated are still of interest to today’s attackers. Malware may use some of these ports because some organizations’ firewalls already have rules allowing these services to go through.

Telnet vulnerabilities persist, largely because of administrators activating telnet ports and because of open ports on IoT devices.

Brute force password attacks

A brute force password attack is a tactic in which an intruder tries to guess a username and password combination in order to gain unauthorized access to a system or data. The attacker will try a litany of common usernames and passwords, well-known default credentials, and passwords derived from a dictionary. The target could be a local console, an encrypted file or a service across a network, such as a social media account or a secure shell (SSH) access to a remote system.

Brute force password attacks have been around since the early days of the Internet and are still a significant presence in the wild. Often an attacker will come across a new system during a footprinting attack against a targeted network and see a login screen banner. A banner that reveals the version will give the attacker an idea of what system-level account names to begin trying. Many brute force password hacking and cracking programs exist. Some of the more popular remote network password hacking tools are Brutus,[38] Medusa,[39] Ncrack[40] (alpha), and THC Hydra.[41] They work against a variety of protocols which may include FTP, SSH, SMB, telnet, MySQL, Microsoft SQL, SMTP and VNC, and might find a simple dictionary password in less than a second.

The data included in this report shows that brute force password hacking attacks occurred consistently throughout 2015. Some of the top attackers carried out the same type of brute force attacks against many targets every day for months, even for a full year in some cases. Several times an attacker carrying out an SSH brute force attack came back months later looking for another service to target, such as a database server. Even though attacks may come from a compromised system or an anonymous proxy rather than the attacker’s own IP address, the persistence we’ve seen in brute force attacks means that it’s wise to block the source IP address of the attacking system.

Brute force password attackers can be very persistent, continuing their attacks for months or even a full year.

Secure shell (SSH) brute force attacks

Attackers favor SSH because it provides shell account access across the network. SSH brute force attacks peaked in May 2015, then trended downward for the rest of the year except for a slight increase in December over November (see Figure 4). It’s likely that the group known as SSHPsychos was responsible for much of the activity early in the year, and the downward trend in later months reflected efforts by members of the security community to mitigate this threat.[42]

The number of unique attacker IP addresses associated with SSH brute force attacks also peaked in May (see Figure 5). While there was a pronounced downward trend in attacks from June through December, the unique attacker count was closer to trending flat during that time period. The main point is that SSH brute force attacks aren’t limited to a small set of attackers, and protecting your systems from such attacks is important.

[Figure 4: bar chart, percentage of SSH brute force attacks per month, January to December 2015 (y-axis 0% to 20%).]

Figure 4. Percentage of SSH brute force attacks for each month in 2015 (1 January 2015 – 31 December 2015). Source: IBM MSS data.

[Figure 5: bar chart, unique attacker IP count per month, January to December 2015 (y-axis 0 to 1000).]

Figure 5. Unique attacker IP count for SSH brute force attacks (1 January 2015 – 31 December 2015). Source: IBM MSS data. Note: A single IP address is considered unique and counted as “1” for each month that it appeared in the data. For example, the IP address 1.2.3.4 would be counted as “1” in both January and February if found in both months.

The brute force attack source IP locations collected by IBM Managed Security Services covered 98 countries (see Figure 6), with 93 percent of the total brute force attack activity coming from the top 10 countries. Hong Kong and China combined represented 76 percent of the total—not surprisingly, since the networks most known as sources for the SSHPsychos botnet, 103.41.124.0/23 and 43.255.190.0/23, were from there.[43] IP addresses hosted in the United States were targets in almost 67 percent of the attacks (see Figure 7).

[Figure 6: pie chart of the top 10 source countries for SSH brute force attacks, led by Hong Kong 40.28% and China 35.51%. Figure 7: pie chart of the top 10 destination countries, led by the United States 66.91%. Other legend entries appearing across the two charts: United States 8.76%, France 2.50%, United Kingdom 2.16%, Canada 1.95%, Republic of Korea 1.31%, Denmark 1.26%, Germany 1.15%, United Kingdom 1.04%, Russian Federation 0.88%, Netherlands 0.84%, Italy 0.80%, Japan 0.79%, Brazil 0.72%, France 0.43%, Australia 0.22%, Germany 0.17%, Europe 0.03%.]

Figure 6. Top ten source countries for SSH brute force attacks (1 January 2015 – 31 December 2015). Source: IBM MSS data.

Figure 7. The top destination countries for SSH brute force attacks (1 January 2015 – 31 December 2015). Source: IBM MSS data.

Persistence of SSH brute force top 20 attacker IP addresses

Attackers behind the top 20 IP addresses actively targeted their victims during two or more calendar months (see Table 4). Any amount of attack activity is a concern, but activity noted for three or more months from the same IP address may signify a more targeted and prolonged effort against a particular organization. According to the Talos Security Intelligence and Research Group,[44] several IP addresses in the table are known to be associated with the SSHPsychos group. Talos reported that the SSHPsychos attacks involved targeting only the root account, trying over 300,000 passwords.
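The following Python example, added here and not part of the report, applies two of the heuristics the brute force sections describe to constructed sshd log lines: a burst of failed passwords from one source flags a brute force attempt, and a source seen in three or more calendar months is flagged as persistent, with each IP counted once per month in the way the Figure 5 note describes. The log format, the assumption that every line is from 2015, and the thresholds are the author's assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines in syslog format (not IBM MSS data). syslog
# timestamps omit the year, so the example assumes every line is from 2015.
SAMPLE_AUTH_LOG = """\
Jan 17 03:12:44 bastion sshd[4821]: Failed password for root from 203.0.113.10 port 51234 ssh2
Jan 17 03:12:46 bastion sshd[4821]: Failed password for root from 203.0.113.10 port 51235 ssh2
Jan 17 03:12:48 bastion sshd[4823]: Failed password for root from 203.0.113.10 port 51236 ssh2
Jan 17 03:12:50 bastion sshd[4825]: Failed password for root from 203.0.113.10 port 51237 ssh2
Jan 17 03:12:52 bastion sshd[4827]: Failed password for root from 203.0.113.10 port 51238 ssh2
Feb 02 22:01:10 bastion sshd[7710]: Failed password for invalid user admin from 203.0.113.10 port 40001 ssh2
Feb 02 22:01:12 bastion sshd[7712]: Failed password for invalid user admin from 203.0.113.10 port 40002 ssh2
Mar 09 11:40:03 bastion sshd[9120]: Failed password for root from 203.0.113.10 port 43210 ssh2
Apr 21 05:15:30 bastion sshd[1207]: Failed password for root from 198.51.100.44 port 60111 ssh2
Apr 21 05:15:31 bastion sshd[1209]: Failed password for root from 198.51.100.44 port 60112 ssh2
Apr 21 05:15:33 bastion sshd[1211]: Failed password for root from 198.51.100.44 port 60113 ssh2
Apr 21 05:15:35 bastion sshd[1213]: Failed password for root from 198.51.100.44 port 60114 ssh2
Apr 21 05:15:37 bastion sshd[1215]: Failed password for root from 198.51.100.44 port 60115 ssh2
Apr 21 05:15:39 bastion sshd[1217]: Failed password for root from 198.51.100.44 port 60116 ssh2
May 03 09:00:00 bastion sshd[2222]: Accepted publickey for deploy from 192.0.2.77 port 50000 ssh2
May 03 09:30:12 bastion sshd[2301]: Failed password for alice from 192.0.2.78 port 50123 ssh2
"""

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"],
    start=1)}

# Matches the OpenSSH "Failed password" line for both known and invalid users.
FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2015):
    """Return a list of (timestamp, source_ip, username) for each failed password line."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        hh, mm, ss = (int(x) for x in m["time"].split(":"))
        ts = datetime(year, MONTHS[m["mon"]], int(m["day"]), hh, mm, ss)
        failures.append((ts, m["ip"], m["user"]))
    return failures


def brute_force_sources(failures, min_failures=5, window_seconds=60):
    """Source IPs with at least min_failures failures inside any window_seconds span."""
    times_by_ip = defaultdict(list)
    for ts, ip, _user in failures:
        times_by_ip[ip].append(ts)
    flagged = set()
    for ip, times in times_by_ip.items():
        times.sort()
        for i in range(len(times) - min_failures + 1):
            if (times[i + min_failures - 1] - times[i]).total_seconds() <= window_seconds:
                flagged.add(ip)
                break
    return flagged


def months_active(failures):
    """Map each source IP to the sorted list of calendar months (1-12) it appeared in."""
    months = defaultdict(set)
    for ts, ip, _user in failures:
        months[ip].add(ts.month)
    return {ip: sorted(ms) for ip, ms in months.items()}


def persistent_sources(failures, min_months=3):
    """Sources active in min_months or more distinct months: a prolonged effort."""
    return {ip: ms for ip, ms in months_active(failures).items() if len(ms) >= min_months}


def unique_attackers_per_month(failures):
    """Unique source count per month; an IP counts once for every month it appears in."""
    seen = defaultdict(set)
    for ts, ip, _user in failures:
        seen[ts.month].add(ip)
    return {month: len(ips) for month, ips in sorted(seen.items())}


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_AUTH_LOG)
    print("brute force sources:", sorted(brute_force_sources(fails)))
    print("persistent sources:", persistent_sources(fails))
    print("unique attackers per month:", unique_attackers_per_month(fails))
```

A source that appears in both outputs, a burst and multiple months, is the case the report singles out as worth blocking at the source address.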


Rank | Attacking IP | Jan | Feb | Mar | Apr | May | Jun | Jul | Aug | Sep | Oct | Nov | Dec | Total* | Customers affected (count)
1 | 221.229.160.237 | 8% | 22% | 10% | 7% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 29% | 4
2 | 115.231.222.23 | 9% | 22% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 24% | 2
3 | 115.239.248.237 | 15% | 13% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 20% | 2
4 | 115.239.248.205 | 10% | 16% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 20% | 2
5 | 27.221.10.43 | 0% | 0% | 2% | 7% | 7% | 9% | 6% | 7% | 9% | 2% | 5% | 3% | 18% | 10
6 | 88.150.240.59 | 0% | 3% | 14% | 6% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 17% | 3
7 | 58.218.213.238 | 6% | 10% | 5% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 16% | 3
8 | 103.41.124.63 | 7% | 10% | 10% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 16% | 3
9 | 103.41.124.111 | 8% | 8% | 9% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 16% | 3
10 | 43.255.190.147 | 0% | 0% | 0% | 14% | 5% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 15% | 2
11 | 43.255.190.160 | 0% | 0% | 0% | 15% | 2% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 15% | 2
12 | 218.26.11.118 | 0% | 0% | 10% | 8% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 15% | 2
13 | 59.47.0.150 | 0% | 7% | 3% | 8% | 6% | 9% | 9% | 5% | 2% | 0% | 0% | 0% | 15% | 8
14 | 218.65.30.61 | 0% | 7% | 7% | 11% | 13% | 9% | 7% | 2% | 3% | 0% | 0% | 0% | 15% | 8
15 | 58.218.204.172 | 7% | 9% | 6% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 15% | 3
16 | 43.255.190.125 | 0% | 0% | 0% | 14% | 3% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 15% | 2
17 | 58.218.213.249 | 5% | 13% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 15% | 2
18 | 43.255.190.134 | 0% | 0% | 0% | 15% | 2% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 15% | 2
19 | 8.254.73.28 | 3% | 9% | 5% | 1% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 15% | 4
20 | 103.41.124.48 | 7% | 8% | 8% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 15% | 3

Table 4. The top attacking IP addresses for SSH brute force in 2015 (1 January 2015 – 31 December 2015). Source: IBM MSS data. Note: Percentages shown represent the percentage of customers the attacking IP targeted during 2015. The red highlighting indicates a higher percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth.

SSH brute force top five IP addresses

The following section highlights the top five source IP addresses that conducted SSH brute force attacks in 2015. For each of the following tables, the signature names shown in the first column represent intrusion detection/protection system signatures from multiple vendors. These tables show that the same IP address that initiates TCP service sweeps also carries out brute force password attacks. While the network ranges of 103.41.124.0/23 (China) and 43.255.190.0/23 (Hong Kong) were previously noted as sources for much of the SSHPsychos botnet activity, the LongTail SSH Honeypot project confirms other IP addresses outside those ranges exhibiting the same patterns.[45] It’s interesting that all top five source IP addresses reside in China and much of the activity happened within the first few months of the year.

1: Attacker IP address 221.229.160.237
Country location: China

Most of the activity from this address occurred from January 2015 through June 2015, with a little showing up in September (see Table 5). While all its activity in January through April was focused on SSH, the TCP service sweeps in June (6/3 – 6/4) and September (9/17) targeted SQL Server (and were sourced from port 6000).

Observations regarding this IP address include:
• The SSH_Brute_Force signature directly indicates the SSH brute force attacks.
• Brute force attacks require making many connections to a service. “Multiple Rapid SSH Connections,” “OpenSSH Repeated CRC DoS,” “SSH connection flood,” and “SSH_Connection_DoS” signatures indirectly indicate SSH brute force attacks based on the large number of connections.
• The footprinting signatures shown are “TCP_Service_Sweep,” “SSH client scan,” “TCP_Probe_SSH,” “Sweep Scan,” “SSH_Service_Sweep,” and “TCP: SYN Host Sweep.”


Signature | January | February | March | April | June | September | December | Event Total Count*
SSH_Brute_Force | 10.26% | 32.49% | 8.44% | 8.31% | 0.00% | 0.00% | 0.00% | 59.49%
TCP_Service_Sweep | 0.00% | 0.00% | 0.00% | 0.00% | 30.07% | 0.34% | 0.00% | 30.41%
Multiple Rapid SSH Connections | 1.14% | 4.50% | 0.15% | 0.00% | 0.00% | 0.00% | 0.00% | 5.79%
OpenSSH Repeated CRC DoS | 0.52% | 3.52% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 4.04%
SSH connection flood | 0.01% | 0.07% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.08%
SSH client scan | 0.01% | 0.05% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.07%
Geo Protection | 0.00% | 0.00% | 0.00% | 0.00% | 0.04% | 0.00% | 0.00% | 0.04%
TCP_Probe_SSH | 0.01% | 0.00% | 0.01% | 0.00% | 0.00% | 0.00% | 0.00% | 0.02%
SSH_Connection_DoS | 0.00% | 0.00% | 0.00% | 0.02% | 0.00% | 0.00% | 0.00% | 0.02%
Sweep Scan | 0.00% | 0.00% | 0.00% | 0.00% | 0.01% | 0.00% | 0.00% | 0.01%
SSH_Service_Sweep | 0.00% | 0.00% | 0.01% | 0.00% | 0.00% | 0.00% | 0.00% | 0.01%
TCP: SYN Host Sweep | 0.00% | 0.00% | 0.00% | 0.00% | 0.01% | 0.00% | 0.00% | 0.01%
Grand Total* | 11.96% | 40.63% | 8.60% | 8.33% | 30.14% | 0.34% | 0.00% | 100.00%

Table 5. Activity from IP address 221.229.160.237 (1 January 2015 – 31 December 2015). Source: IBM MSS data. Note: Percentages shown represent signature event count generated from the attacking IP address. Red highlighting indicates a higher percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth.

About the author

References

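As an added example (not code from the IBM report), the following Python builds the same kind of per-source, per-month signature breakdown shown in Table 5 from a constructed set of IDS events, and flags sources that trigger both footprinting and brute force signatures, which is the pattern this section describes. The events, the documentation-range source addresses and the function names are all constructed for this example.

```python
"""Per-source IDS signature breakdown and sweep/brute-force correlation.

Added example, not IBM's code. Events are constructed; the source addresses
are documentation ranges, not the attacker IPs from the report.
"""
from collections import defaultdict
from datetime import datetime

# Signature groups as the report describes them for Table 5.
FOOTPRINTING = {
    "TCP_Service_Sweep", "SSH client scan", "TCP_Probe_SSH",
    "Sweep Scan", "SSH_Service_Sweep", "TCP: SYN Host Sweep",
}
BRUTE_FORCE_DIRECT = {"SSH_Brute_Force"}
BRUTE_FORCE_INDIRECT = {
    "Multiple Rapid SSH Connections", "OpenSSH Repeated CRC DoS",
    "SSH connection flood", "SSH_Connection_DoS",
}

# Constructed events: (timestamp, source IP, signature name).
EVENTS = [
    ("2015-01-12T03:14:00", "203.0.113.7", "SSH_Brute_Force"),
    ("2015-01-12T03:14:05", "203.0.113.7", "SSH_Brute_Force"),
    ("2015-01-12T03:14:09", "203.0.113.7", "Multiple Rapid SSH Connections"),
    ("2015-01-20T22:01:00", "203.0.113.7", "SSH_Brute_Force"),
    ("2015-02-03T11:40:00", "203.0.113.7", "SSH_Brute_Force"),
    ("2015-02-03T11:40:02", "203.0.113.7", "SSH_Brute_Force"),
    ("2015-02-17T08:55:00", "203.0.113.7", "SSH_Brute_Force"),
    ("2015-02-17T08:55:30", "203.0.113.7", "SSH_Brute_Force"),
    ("2015-06-03T19:20:00", "203.0.113.7", "TCP_Service_Sweep"),
    ("2015-06-04T02:05:00", "203.0.113.7", "TCP_Service_Sweep"),
    ("2015-01-30T04:00:00", "198.51.100.20", "SSH_Brute_Force"),
    ("2015-01-30T04:00:03", "198.51.100.20", "SSH connection flood"),
    ("2015-03-09T13:00:00", "192.0.2.55", "TCP: SYN Host Sweep"),
]


def activity_breakdown(events, source):
    """Rows of {signature: {month: pct, ..., "Total": pct}} for one source,
    as a percentage of that source's own events, sorted by total descending
    (the layout of Table 5)."""
    counts = defaultdict(lambda: defaultdict(int))
    total = 0
    for stamp, ip, signature in events:
        if ip != source:
            continue
        month = datetime.fromisoformat(stamp).strftime("%B")
        counts[signature][month] += 1
        total += 1
    if total == 0:
        return {}
    rows = {}
    for signature, months in counts.items():
        row = {m: round(100.0 * n / total, 2) for m, n in months.items()}
        row["Total"] = round(100.0 * sum(months.values()) / total, 2)
        rows[signature] = row
    return dict(sorted(rows.items(), key=lambda kv: kv[1]["Total"], reverse=True))


def attack_patterns(events):
    """Map each source IP to the set of attack patterns its signatures indicate."""
    patterns = defaultdict(set)
    for _, ip, signature in events:
        if signature in FOOTPRINTING:
            patterns[ip].add("footprinting")
        elif signature in BRUTE_FORCE_DIRECT:
            patterns[ip].add("brute force")
        elif signature in BRUTE_FORCE_INDIRECT:
            patterns[ip].add("brute force (indirect)")
    return dict(patterns)


def sweep_and_brute_force(events):
    """Sources that both footprint and brute force, like the address in Table 5."""
    return sorted(
        ip for ip, found in attack_patterns(events).items()
        if "footprinting" in found and any(p.startswith("brute force") for p in found)
    )


if __name__ == "__main__":
    for ip in sweep_and_brute_force(EVENTS):
        print(f"{ip}: footprinting and brute force from the same source")
        for signature, row in activity_breakdown(EVENTS, ip).items():
            cells = ", ".join(f"{m} {v:.2f}%" for m, v in row.items())
            print(f"  {signature}: {cells}")
```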
2: Attacker IP address 115.231.222.23
Country location: China

This attacker IP address was seen in the logs for only two months in 2015 conducting brute force attacks. It ranks number two based on the high count of customers targeted. Actual dates were 17 January 2015 through 25 February 2015 (see Table 6).

Signature | January | February | Event Total Count*
SSH_Brute_Force | 34.19% | 51.73% | 85.92%
Multiple Rapid SSH Connections | 1.97% | 6.67% | 8.63%
OpenSSH Repeated CRC DoS | 0.20% | 2.65% | 2.85%
Sequence Verifier | 0.73% | 1.49% | 2.22%
TCP_Probe_SSH | 0.04% | 0.06% | 0.10%
TCP Invalid Checksum | 0.08% | 0.00% | 0.08%
SSH client scan | 0.02% | 0.06% | 0.08%
SSH connection flood | 0.00% | 0.06% | 0.06%
TCP anomaly | 0.04% | 0.00% | 0.04%
OpenSSH maxstartup Threshold Connection Exhaustion denial of service | 0.00% | 0.02% | 0.02%
Grand Total* | 37.26% | 62.74% | 100.00%

Table 6. Activity from IP address 115.231.222.23 (1 January 2015 – 31 December 2015). Source: IBM MSS data. Note: Percentages shown represent signature event count generated from the attacking IP address. Red highlighting indicates a higher percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth.

3: Attacker IP address 115.239.248.237
Country location: China

This attacker IP was seen in logs at the same time as the previous attacker IP address, and most of the IDS signatures were the same (see Table 7).

4: Attacker IP address 115.239.248.205
Country location: China

This attacker was logged primarily in January and February of 2015, with a little activity in July. All the activity in January and February centered on SSH scanning and brute force SSH attacks. In July the traffic triggered a different signature, indicating that the attacker was attempting to launch a denial of service (DoS) attack against the target’s DNS system (see Table 8).

Signature | January | February | Event Total Count*
SSH_Brute_Force | 31.47% | 49.76% | 81.23%
Multiple Rapid SSH Connections | 5.33% | 3.67% | 9.01%
OpenSSH Repeated CRC DoS | 2.67% | 5.26% | 7.92%
Sequence Verifier | 0.81% | 0.25% | 1.06%
TCP Invalid Checksum | 0.10% | 0.10% | 0.20%
TCP_Probe_SSH | 0.15% | 0.05% | 0.20%
TCP anomaly | 0.08% | 0.10% | 0.18%
SSH client scan | 0.05% | 0.08% | 0.13%
SSH connection flood | 0.03% | 0.05% | 0.08%
Grand Total* | 40.68% | 59.32% | 100.00%

Table 7. Activity from IP address 115.239.248.237 (1 January 2015 – 31 December 2015). Source: IBM MSS data. Note: Percentages shown represent signature event count generated from the attacking IP address. Red highlighting indicates a higher percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth.

Signature | January | February | July | Event Total Count*
SSH_Brute_Force | 31.46% | 56.32% | 0.00% | 87.78%
Multiple Rapid SSH Connections | 4.09% | 2.75% | 0.00% | 6.84%
OpenSSH Repeated CRC DoS | 0.00% | 4.41% | 0.00% | 4.41%
Sequence Verifier | 0.24% | 0.08% | 0.00% | 0.32%
SSH User Authentication Brute-force Attempt(40015) | 0.24% | 0.00% | 0.00% | 0.24%
SSH connection flood | 0.00% | 0.12% | 0.00% | 0.12%
SSH client scan | 0.00% | 0.12% | 0.00% | 0.12%
DNS ANY Queries Brute-force DOS Attack(40033) | 0.00% | 0.00% | 0.08% | 0.08%
TCP_Probe_SSH | 0.04% | 0.02% | 0.00% | 0.06%
SSH_Service_Sweep | 0.02% | 0.00% | 0.00% | 0.02%
Grand Total* | 36.09% | 63.83% | 0.08% | 100.00%

Table 8. Activity from IP address 115.231.248.205 (1 January 2015 – 31 December 2015). Source: IBM MSS data. Note: Percentages shown represent signature event count generated from the attacking IP address. Red highlighting indicates a higher percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth.

5: Attacker IP address 27.221.10.43
Country location: China

The first activity from this IP address appeared in March 2015 and continued throughout the year (see Table 9) and into the first months of 2016 (see Table 10). This attacker was still being seen as of March 2016, making it the most persistent attacking IP address identified for the period 1 January 2015 through 31 March 2016.

Signature | March | April | May | June | July | August | September | October | November | December | Event Total Count*
SSH_Service_Sweep | 2.14% | 7.43% | 10.62% | 11.40% | 2.29% | 9.05% | 7.58% | 2.97% | 4.78% | 0.71% | 65.82%
SSH_Brute_Force | 0.30% | 2.80% | 2.37% | 1.85% | 1.04% | 1.69% | 2.93% | 0.88% | 0.96% | 1.72% | 20.69%
TCP_Probe_SSH | 0.06% | 1.07% | 1.12% | 0.84% | 0.38% | 0.93% | 0.66% | 0.01% | 0.01% | 0.74% | 7.61%
SSH.Client.Request.Mimicking | 0.51% | 0.02% | 0.01% | 0.26% | 0.00% | 1.68% | 2.10% | 0.24% | 0.00% | 0.00% | 4.81%
Geo Protection | 0.01% | 0.04% | 0.08% | 0.08% | 0.05% | 0.04% | 0.02% | 0.01% | 0.01% | 0.00% | 0.52%
TCP: SYN Host Sweep | 0.01% | 0.03% | 0.01% | 0.01% | 0.00% | 0.02% | 0.01% | 0.01% | 0.00% | 0.18% | 0.31%
Sweep Scan | 0.00% | 0.03% | 0.02% | 0.01% | 0.00% | 0.01% | 0.01% | 0.01% | 0.00% | 0.08% | 0.17%
TCP SYN Host Sweep | 0.00% | 0.01% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.01%
TCP_Service_Sweep | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.01%
PSNG_TCP_PORTSWEEP_FILTERED | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00%
SSH_Connection_DoS | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00%
Grand Total* | 3.03% | 11.44% | 14.23% | 14.44% | 3.78% | 13.42% | 13.30% | 4.13% | 5.78% | 3.43% | 100.00%

Table 9. Activity from IP address 27.221.10.43 (1 January 2015 – 31 December 2015). Source: IBM MSS data. Note: Percentages shown represent signature event count generated from the attacking IP address. Red highlighting indicates a higher percentage, orange a lower percentage, and green indicates zero percentage. Orange cells containing “0.00%” indicate a value greater than 0.00%, but less than 0.01%. *Totals rounded to the nearest hundredth.

Signature | January | February | March
SSH_Service_Sweep | 0.81% | 5.54% | 0.59%
SSH_Brute_Force | 0.65% | 3.46% | 0.03%
TCP_Probe_SSH | 0.82% | 0.85% | 0.13%
Geo Protection | 0.00% | 0.16% | 0.00%
TCP: SYN Host Sweep | 0.00% | 0.03% | 0.00%
Sweep Scan | 0.00% | 0.01% | 0.00%
NetScreen_Dest_IP_Session_Limit | 0.00% | 0.00% | 0.00%
Grand Total* | 2.28% | 9.99% | 0.75%

Table 10. Activity from IP address 27.221.10.43 (1 January 2016 – 31 March 2016). Source: IBM MSS data. Note: Percentages shown represent signature event count generated from the attacking IP address. Red highlighting indicates a higher percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth.

Often we see that the same IP address is associated with both TCP service sweeps and brute force password attacks.

File Transfer Protocol (FTP) brute force attacks

The service File Transfer Protocol (FTP) has been around a long time and isn’t used as it once was because it doesn’t encrypt either the authentication process or the data transfer. While FTP should be configured to deny access to administrator accounts, we have witnessed successful FTP brute force attacks against these accounts (see Figure 8).

Figure 8 shows that brute force FTP attacks occurred throughout 2015, ranging from 3 to 12 percent of total attacks each month.

Most months in 2015 had over 100 different attacker IP addresses (see Figure 9). July had the highest with 276, which is 55 percent above the monthly average. The second highest month was November at 236 unique attacker IP addresses.

[Figure 8: bar chart “FTP brute force attacks”; x-axis January through December, y-axis 0% to 12%]
Figure 8. FTP brute force attacks as a percentage of all observed attacks (1 January 2015 – 31 December 2015). Source: IBM MSS data.

[Figure 9: bar chart “Unique attacker IP count (FTP)”; x-axis January through December, y-axis 0 to 300]
Figure 9. Unique attacker IP counts for FTP brute force attacks (1 January 2015 – 31 December 2015). Source: IBM MSS data.

China edges out the United States with just a two percent difference to take first place as the country where most FTP brute force attacks appeared to originate (see Figure 10). Interestingly, only four of the top source countries, United States, India, France, and United Kingdom, are also part of the top ten destination countries (see Figure 11). The top two destination countries for FTP brute force attacks were the United States and France with nearly 60 percent of the total attacks.

[Figure 10: pie chart “Top 10 source countries for FTP brute force attacks”: China 21%, United States 19%, India 10%, Russian Federation 7%, Ukraine 7%, Vietnam 5%, Brazil 5%, France 4%, United Kingdom 3%, Indonesia 3%]
Figure 10. The top two source countries for FTP brute force attacks were China and the United States (1 January 2015 – 31 December 2015). Source: IBM MSS data.

[Figure 11: pie chart “Top 10 destination countries for FTP brute force attacks”: United States 32.30%, France 27.81%; the remaining segment labels are not recoverable from the extracted text]
Figure 11. The top two destination countries for FTP brute force attacks were the United States and France (1 January 2015 – 31 December 2015). Source: IBM MSS data.

Top five FTP brute force attacker IP addresses

The top five FTP brute force password attackers were seen conducting FTP brute force attacks spanning anywhere from 2 to 12 calendar months (see Table 11). Three out of the five IP addresses had several months of activity followed by a pause of one or more months, then resumed activity.

1: Attacker IP address 27.251.65.195
Country location: India

This attacker was seen in FTP brute force attack logs every month in 2015. The activity from this IP was made up largely of FTP brute force attacks, but there were also footprinting and SSH brute force attacks. (See Table 12.)

Rank | Attacking IP | January | February | March | April | May | June | July | August | September | October | November | December | Total Customers Affected* | Month Count
1 | 27.251.65.195 | 4.76% | 2.38% | 4.76% | 9.52% | 2.38% | 4.76% | 7.14% | 11.90% | 0.00% | 0.00% | 0.00% | 2.38% | 28.57% | 9
2 | 141.105.70.98 | 0.00% | 0.00% | 0.00% | 2.38% | 7.14% | 0.00% | 2.38% | 9.52% | 0.00% | 0.00% | 0.00% | 0.00% | 19.05% | 4
3 | 113.20.30.182 | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 2.38% | 7.14% | 2.38% | 2.38% | 2.38% | 14.29% | 5
4 | 211.109.1.231 | 0.00% | 0.00% | 0.00% | 0.00% | 9.52% | 2.38% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 11.90% | 2
5 | 141.105.70.96 | 0.00% | 0.00% | 0.00% | 4.76% | 2.38% | 0.00% | 9.52% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 11.90% | 3

Table 11. The top attacking IP addresses for FTP brute force in 2015. Source: IBM MSS data. Note: Percentages shown represent the percentage of customers the attacking IP targeted during 2015. Red highlighting indicates a higher percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth.

Signature | January | February | March | April | May | June | July | August | September | November | December | Event Total Count*
FTP_User_Root | 1.91% | 33.35% | 0.28% | 18.90% | 0.01% | 15.82% | 1.59% | 6.57% | 0.00% | 0.00% | 9.26% | 87.69%
FTP_Auth_Failed | 0.65% | 0.20% | 0.04% | 2.40% | 0.00% | 3.53% | 0.05% | 1.15% | 0.00% | 0.00% | 0.00% | 8.11%
FTP_User | 0.09% | 0.08% | 0.12% | 0.00% | 0.09% | 2.26% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 2.64%
TCP_Service_Sweep | 0.33% | 0.08% | 0.13% | 0.01% | 0.01% | 0.00% | 0.02% | 0.03% | 0.04% | 0.02% | 0.04% | 0.71%
FTP Authorization Failure | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.41% | 0.00% | 0.41%
SSH_Brute_Force | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.18% | 0.00% | 0.01% | 0.00% | 0.00% | 0.19%
SSH_Service_Sweep | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.08% | 0.00% | 0.00% | 0.02% | 0.02% | 0.00% | 0.12%
PSNG_TCP_PORTSWEEP_FILTERED | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00%
TCP: SYN Host Sweep | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00%
Sweep Scan | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00%
Grand Total* | 2.98% | 33.71% | 0.56% | 21.32% | 0.12% | 21.79% | 1.84% | 7.74% | 0.06% | 0.58% | 9.30% | 100.00%

Table 12. Activity from IP address 27.251.65.195 (1 January 2015 – 31 December 2015). Source: IBM MSS data. Note: Percentages shown represent signature event count generated from the attacking IP address. Red highlighting indicates a higher percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth.

2: Attacker IP address 141.105.70.98
Country location: Russia

This attacker was logged across six different months in 2015, but there was no activity in either June or September. The footprinting attack activity had scans for the FTP port and resulted in FTP brute force attacks. More ports were scanned, however; other ports seen were for SIP (Session Initiation Protocol, used in internet telephony)46 including ports 5060, 5061, 5095, 5070, 5095, 6060, and 6090. The FTP attacks from this attacker could have been attempts to gain access to a digital voice or collaboration system.

Signature | April | May | July | August | October | November | Event Total Count*
FTP_Auth_Failed | 2.67% | 6.60% | 13.21% | 23.55% | 0.00% | 0.00% | 46.03%
TCP_Service_Sweep | 27.29% | 0.00% | 0.42% | 0.29% | 5.99% | 0.00% | 33.99%
FTP_User_Root | 2.64% | 1.27% | 6.31% | 6.47% | 0.00% | 0.00% | 16.69%
Geo Protection | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 3.12% | 3.12%
TCP: SYN Host Sweep | 0.00% | 0.00% | 0.00% | 0.00% | 0.13% | 0.00% | 0.16%
Grand Total* | 32.60% | 7.87% | 19.94% | 30.35% | 6.12% | 3.12% | 100.00%

Table 13. Activity from IP address 141.105.70.98 (1 January 2015 – 31 December 2015). Source: IBM MSS data. Note: Percentages shown represent signature event count generated from the attacking IP address. Red highlighting indicates a higher percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth.

3: Attacker IP address 113.20.30.182
Country location: Indonesia

This attacker was seen in FTP brute force attack logs for 5 out of 12 months, but was seen in SSH brute force attack logs the month before attacks from this address appeared for FTP brute force.

Signature | July | August | September | October | November | December | Event Total Count*
FTP_User_Root | 0.00% | 34.22% | 37.66% | 0.54% | 8.00% | 0.66% | 81.07%
TCP_Service_Sweep | 0.01% | 0.09% | 3.67% | 0.41% | 0.00% | 4.66% | 8.85%
FTP_Auth_Failed | 0.00% | 1.34% | 5.41% | 0.05% | 1.66% | 0.34% | 8.81%
SSH_Brute_Force | 0.18% | 0.00% | 0.00% | 0.58% | 0.20% | 0.00% | 0.96%
SSH_Service_Sweep | 0.00% | 0.05% | 0.00% | 0.04% | 0.12% | 0.00% | 0.21%
TCP: SYN Host Sweep | 0.00% | 0.00% | 0.05% | 0.00% | 0.00% | 0.00% | 0.05%
Sweep Scan | 0.00% | 0.01% | 0.00% | 0.00% | 0.00% | 0.01% | 0.03%
PSNG_TCP_PORTSWEEP_FILTERED | 0.00% | 0.00% | 0.01% | 0.00% | 0.00% | 0.00% | 0.01%
Grand Total* | 0.20% | 35.72% | 46.81% | 1.62% | 9.97% | 5.68% | 100.00%

Table 14. Activity from IP address 113.20.30.182 (1 January 2015 – 31 December 2015). Source: IBM MSS data. Note: Percentages shown represent signature event count generated from the attacking IP address. Red highlighting indicates a higher percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth.

4: Attacker IP address 211.109.1.231
Country location: Korea

This attacker was seen for just a little over one month (7 May 2015 – 12 June 2015), so we’re showing a daily view of this particular data rather than a whole year’s worth (Tables 15 and 16). Even though this is a short time frame of activity, due to the high number of customers it attacked, this IP address ranked fourth.

There are both footprinting and brute force (against FTP) attack patterns. FTP User Root covers login attempts for administrator accounts such as “root,” “Administrator,” and “admin.” The largest event count was from the brute force attacks, but the footprinting attacks were seen across the greatest number of days. The FTP User signature is an audit event that isn’t enabled often, which explains why the same volume of events is not seen for both FTP User and FTP User Root.

Signature | 7 May 2015 | 8 May 2015 | 10 May 2015 | 12 May 2015 | 13 May 2015 | 17 May 2015 | 18 May 2015 | 19 May 2015 | 22 May 2015 | 24 May 2015 | 25 May 2015 | 26 May 2015 | Event Total Count*
FTP_User_Root | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 53.51% | 0.00% | 0.00% | 0.00% | 0.00% | 6.76% | 74.50%
FTP_Auth_Failed | 0.34% | 0.01% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.20% | 0.00% | 0.00% | 0.00% | 1.97% | 15.27%
FTP_User | 0.00% | 0.00% | 0.00% | 2.03% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 5.00%
TCP_Service_Sweep | 1.24% | 0.01% | 0.04% | 0.12% | 0.04% | 0.11% | 0.00% | 1.25% | 0.00% | 0.15% | 0.14% | 0.02% | 4.98%
FTP: login Brute-force attempt (40001) | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.01% | 0.24%
PSNG_TCP_PORTSWEEP_FILTERED | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.01%
TCP: SYN Host Sweep | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.01%
Grand Total* | 1.58% | 0.02% | 0.05% | 2.14% | 0.04% | 0.12% | 53.51% | 1.43% | 0.00% | 0.15% | 3.11% | 10.78% | 100.00%

Table 15. Activity from IP address 211.109.1.231 (7 May 2015 – 26 May 2015). Source: IBM MSS data. Note: Percentages shown represent signature event count generated from the attacking IP address. Red highlighting indicates a higher percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth.

Signature | 27 May 2015 | 28 May 2015 | 30 May 2015 | 31 May 2015 | 2 June 2015 | 4 June 2015 | 5 June 2015 | 8 June 2015 | 10 June 2015 | 11 June 2015 | 12 June 2015 | Event Total Count*
FTP_User_Root | 0.00% | 0.03% | 12.02% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.01% | 0.14% | 0.00% | 74.50%
FTP_Auth_Failed | 0.00% | 0.00% | 12.69% | 0.00% | 0.00% | 0.00% | 0.01% | 0.00% | 0.00% | 0.03% | 0.03% | 15.27%
FTP_User | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 5.00%
TCP_Service_Sweep | 0.02% | 0.00% | 0.00% | 0.00% | 0.01% | 0.14% | 0.15% | 0.01% | 0.02% | 0.14% | 1.38% | 4.98%
FTP: login Brute-force attempt(40001) | 0.09% | 0.00% | 0.00% | 0.14% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.24%
PSNG_TCP_PORTSWEEP_FILTERED | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.01%
TCP: SYN Host Sweep | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.00% | 0.01% | 0.00% | 0.01%
Grand Total* | 0.11% | 0.03% | 24.71% | 0.14% | 0.01% | 0.14% | 0.15% | 0.01% | 0.03% | 0.33% | 1.41% | 100.00%

Table 16. Activity from IP address 211.109.1.231 (27 May 2015 – 12 June 2015). Source: IBM MSS data. Note: Percentages shown represent signature event count generated from the attacking IP address. Red highlighting indicates a higher percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth.

5: Attacker IP address 141.105.70.96
Country location: Russia

This attacker acted differently from the other top five FTP brute force attacker IP addresses in that its FTP brute force events (signatures highlighted in grey in Table 17) did not have a high volume. Its footprinting attacks logged higher event counts and included sweeps and scans not only for port 21 (FTP), but also for common HTTP proxy ports (81 through 88, 8080 through 8089), plus port 8086, registered with IANA for “Distributed SCADA Networking Rendezvous Port,” and port 8383, registered with IANA for “M2M Services”. M2M means machine-to-machine and is associated with IoT (Internet of Things) device use, generally in an industrial context. We surmise that the attacker was searching for specific industrial control equipment with an exposed FTP service.

Signature | March | April | May | June | July | Event Total Count*
TCP_Probe_Other | 0.00% | 0.00% | 0.00% | 52.10% | 0.00% | 52.10%
TCP_Service_Sweep | 13.74% | 0.02% | 17.88% | 0.01% | 2.64% | 34.30%
TCP_Port_Scan | 0.03% | 0.00% | 9.11% | 0.02% | 0.00% | 9.17%
FTP_User_Root | 0.00% | 0.91% | 0.12% | 0.01% | 0.97% | 2.01%
FTP_Auth_Failed | 0.00% | 0.49% | 0.20% | 0.00% | 0.89% | 1.58%
FTP_User | 0.00% | 0.74% | 0.00% | 0.00% | 0.00% | 0.74%
TCP: SYN Host Sweep | 0.00% | 0.02% | 0.00% | 0.00% | 0.03% | 0.05%
FTP Authorization Failure | 0.00% | 0.00% | 0.02% | 0.00% | 0.00% | 0.02%
PSNG_TCP_PORTSWEEP_FILTERED | 0.00% | 0.01% | 0.00% | 0.00% | 0.00% | 0.01%
HTTP_AuthResponse_Possible_CSRF | 0.00% | 0.00% | 0.00% | 0.00% | 0.01% | 0.01%
PSNG_TCP_FILTERED_PORTSCAN | 0.00% | 0.01% | 0.00% | 0.00% | 0.00% | 0.01%
Grand Total* | 13.78% | 2.20% | 27.33% | 52.15% | 19.94% | 100.00%

Table 17. Activity from IP address 141.105.70.96 (1 March 2015 – 31 July 2015). Source: IBM MSS data. Note: Percentages shown represent signature event count generated from the attacking IP address. Red highlighting indicates a higher percentage, orange a lower percentage, and green indicates zero percentage. *Totals rounded to the nearest hundredth.

Recommendations

Our data shows that footprinting techniques such as service sweeps and port scans are still being carried out with some frequency. Attackers often use the results of scanning to conduct brute force password attacks. Because the IoT devices and industrial control systems increasingly present in networks don’t always get the level of security review given a new computer, they can more easily fall victim to both footprinting and brute force attacks. We provide the following recommendations to help avoid this result.

Footprinting
• Footprint your own network from the Internet, using the same techniques as an attacker. While you may be able to assemble a kit of tools like , a vulnerability scanning service can continuously monitor your attack surface.
• Check network mapping search engines such as Shodan to see if your banners are revealing details they shouldn’t.
• Footprint your network from the inside to help ensure that only approved and inventoried devices are connected and to detect unapproved devices. Your footprinting should include port detection and software versions to ensure that no unpatched, vulnerable versions are present.
• Disable all unnecessary or insecure services, replacing services that have weak security with stronger counterparts. For example, replace telnet with SSH.
• If a service such as SSH, which defaults to listening on TCP port 22, can be changed to another port number without negatively impacting operations, doing so would lessen its chance of being attacked by systems that could connect to it.
• Use a firewall to allow access only from authorized networks and IP addresses to services they require. Do not allow “all” to connect to services such as SSH, FTP and databases unless that’s absolutely necessary for the type of service you provide.

32 ◀ Previous Next ▶ Contents Brute force attacks because we’ve just published it openly, haven’t • Enforce complex passwords. Stipulate a we? Never use your real high school, mother’s Executive overview minimum length of eight characters and a maiden name, or any other information that can Footprinting combination of upper- and lower-case letters, be gleaned from social media and public records such as obituaries. You can still use the maiden Top 10 ports numbers and special characters such as punctuation marks and mathematical symbols. name option, of course. Just choose an answer Brute force password • Change your password every so often, even that’s not true, and would be difficult to guess. attacks when not forced to do so, but do NOT use a • Use two-factor authentication when available. Secure shell (SSH) brute derivation of a previously used password. And • Disable accounts if they’re not being used. If force attacks never, ever use weak passwords. you’ve been granted access to an application or Persistence of SSH brute • When you use the same password across many service but don’t plan to use it, have the account force top 20 attacker sites, you risk multiple account compromises disabled. If you think you might happen to need it IP addresses if even just one vendor is breached. A local sometime in the distant future, challenge yourself SSH brute force top five password manager helps in managing the use to make the password the toughest one to crack. IP addresses of many passwords. Keep the master password • Implement account lockout features. That can be very effective at slowing down or blocking File Transfer Protocol (FTP) written down and locked securely in a safe. brute force attacks • Make sure the answers to your security questions remote brute force password attacks, but please are difficult to guess or to look up in publicly be aware of the considerations found here: Top five FTP brute force available information. 
If a site lets you create your ://www.owasp.org/index.php/Blocking_ attacker IP addresses own question, make it as esoteric as possible. For Brute_Force Attacks Recommendations example, one comedian suggested the question • Do not allow administrator accounts to be 1 • 2 “What are you wearing right now?” and the logged into directly. Disable them in operating Protect your enterprise answer “That’s a totally inappropriate question!” systems that allow you to do so. while reducing cost But obviously, don’t use that question and answer and complexity
Protect your enterprise while reducing cost and complexity

From infrastructure, data and application protection to cloud and managed security services, IBM Security Services has the expertise to help safeguard your company’s critical assets. We protect some of the most sophisticated networks in the world and employ some of the best minds in the business.

IBM offers services to help you optimize your security program, stop advanced threats, protect data and safeguard cloud and mobile. With IBM Managed Security Services, you can take advantage of industry-leading tools, security intelligence and expertise that will help you improve your security posture—often at a fraction of the cost of in-house security resources. Our Managed Protection Service offers around-the-clock monitoring, management and incident escalation to help protect your networks, servers and desktops.

Identity and Access Management services target virtually every aspect of identity and access management across your enterprise, including user provisioning, web access management, enterprise single sign-on, multi-factor authentication, and user activity compliance.

About IBM Security

IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned IBM X-Force research and development, provides security intelligence to help organizations holistically protect their people, infrastructures, data and applications, offering solutions for identity and access management, database security, application development, risk management, endpoint management, network security and more. IBM operates one of the world’s broadest security research, development and delivery organizations, monitors billions of security events per day in more than 130 countries, and holds more than 3,000 security patents.

About the author

Scott Craig is a Threat Researcher for IBM Managed Security Services. Scott has worked in the IT field for more than 20 years, 17 of which were dedicated to computer security. Before being dedicated to computer security, Scott’s work as an enterprise Unix system administrator and a systems architect helped him to understand the way security fits into overall systems. Scott’s unique ability to find patterns of interest in security device logs is what helped him become successful in his last role in IBM Managed Security Services as a team lead of the Data Intelligence group. In his role as an IBM Threat Researcher, Scott mines through millions of rows of data in search of stories worth sharing with others. Through these efforts, he hopes to improve every entity’s data security which, in turn, helps every person who has a file about them somewhere.

Contributors

Dave McMillen – Senior Threat Researcher, Threat Research Group
Michelle Alvarez – Threat Researcher, Threat Research Group

For more information

To learn more about the IBM Security portfolio, please contact your IBM representative or IBM Business Partner, or visit: ibm.com/security

For more information on security services, visit: ibm.com/security/services

Follow @IBMSecurity on Twitter or visit the IBM Security Intelligence blog
References

1 http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=WH&infotype=SA&htmlfid=WGL03114USEN&attachment=WGL03114USEN.PDF
2 http://capec.mitre.org/data/definitions/169.html
3 http://capec.mitre.org/data/definitions/49.html
4 http://capec.mitre.org/data/definitions/112.html
5 http://capec.mitre.org/data/definitions/300.html
6 http://www.theregister.co.uk/2016/02/08/alibaba_taobao_security_process_failure/
7 http://www.itworldcanada.com/article/nasa-breach-shows-again-that-brute-force-password-attacks-work/380475
8 http://capec.mitre.org/data/definitions/1000.html
9 http://capec.mitre.org/data/definitions/169.html
10 https://nmap.org/
11 http://dankaminsky.com/2002/11/18/77/
12 http://www.irongeek.com/i.php?page=backtrack-3-man/amap
13 https://www.defcon.org/images/defcon-13/dc13-presentations/DC_13-Lee.pdf
14 https://zmap.io/
15 https://www.washingtonpost.com/news/the-switch/wp/2013/08/18/heres-what-you-find-when-you-scan-the-entire-internet-in-an-hour/
16 http://blog.erratasec.com/2013/09/masscan-entire-internet-in-3-minutes.html#.VtR_S3UrIkV
17 ftp://ftp.cerias.purdue.edu/pub/tools/unix/scanners/iss/
18 http://fossbytes.com/the-hacker-search-engine-shodan-is-the-scariest-search-engine-on-internet/
19 https://censys.io/about
20 https://thingful.net/
21 https://exchange.xforce.ibmcloud.com/signature/TCP_Service_Sweep
22 http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
23 http://www.speedguide.net/ports.php
24 http://www.simovits.com/trojans/trojans.html
25 http://www.bekkoame.ne.jp/~s_ita/port/port1-99.html
26 http://www.darkreading.com/vulnerabilities---threats/hackin-at-the-car-wash-yeah/d/d-id/1319156
27 https://en.wikipedia.org/wiki/Shodan
28 https://www.shodan.io/
29 http://cve.mitre.org/about/index.html
30 http://cve.mitre.org/data/downloads/index.html
31 https://exchange.xforce.ibmcloud.com/vulnerabilities/106137
32 https://cwe.mitre.org/data/definitions/798.html
33 https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01B
34 http://www.metasploit.com/
35 http://sqlmap.org/
36 http://sqlninja.sourceforge.net/
37 https://en.wikipedia.org/wiki/Kali_Linux
38 http://sectools.org/tool/brutus/
39 http://foofus.net/goons/jmk/medusa/medusa.html
40 https://nmap.org/ncrack/
41 https://www.thc.org/thc-hydra/
42 http://blog.level3.com/security/breaking-botnets-how-level-3-and-cisco-worked-together-to-improve-the-internets-security-and-stop-sshpsychos/
43 http://blog.level3.com/security/breaking-botnets-how-level-3-and-cisco-worked-together-to-improve-the-internets-security-and-stop-sshpsychos/
44 https://blogs.cisco.com/security/talos/sshpsychos
45 http://longtail.it.marist.edu/honey/index.shtml
46 https://en.wikipedia.org/wiki/Session_Initiation_Protocol
© Copyright IBM Corporation 2016

IBM Security
Route 100
Somers, NY 10589

Produced in the United States of America
April 2016

IBM, the IBM logo, ibm.com and X-Force are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

SEL03093-USEN-00