Interesting article came out yesterday saying “hackers in China are believed responsible for four out of five major cyber attacks on government targets in 2007″. 

http://news.yahoo.com/s/ap/20071129/ap_on_hi_te/mcafee_cybercrime_report;_ylt=Anbi.FL2E0D0ceU15GAZZ94E1vAI

Although, I’m in no place to confirm or deny this research my expierence shows that the majority of actual incidents (The organization has been hacked) usually come from ASIA pacfic (Korea, China) or from internal employees.

To protect from the ASIA pacfic consider blocking the IP ranges listed in my IP Blacklist Post.  Internal incidents are usually a result of too much trust of internal employees and lack of segregation of duties between functions.

Malware is everywhere and becoming one of the most common security threats in the industry.  The link below provides some insight into the seriousness of this issue.

• http://seclists.org/fulldisclosure/2007/Oct/0892.html

There really is not a great solution for this problem at this time, but how can a company that serves adds mitigate the risk.  There are several ways.

1. Ensure all ads that are uploaded are hashed in some way to ensure the add being delivered is the add uploaded by the client.

2. Use file monitoring tools like tripwire on image servers to help ensure that adds are not modified.  This will also help provide proof if there is an actual attack on the add server.

3. Scan adds with anti-virus software.  Although this will not catch everything it will catch some of the files.

4. Scan adds for known malware URL’s to prevent phishing type attacks.  (This is like a signature based solution and takes a great deal of maintenance to keep up with the attackers)

5. Hope someone comes up with a good solution that can regularly scan all the adds for malware.

The above will help limit the liability of the ad company serving adds and has some preventive measures that can be implemented to protect both the add companies brand and their customers who may be uploading malware adds without knowing it.

IP Address Blacklists are great for short time security events.  This information is important for a paper that I am working.  It took me a while to find this information again.  I actually had to dig into an old email file to get all of the information because typical internet search engines were not providing good results. 

Here is a good list of IP addresses and ranges that can be blacklisted to help prevent DOS attacks, etc.  Before using this list be sure your organization does not have clients in the below ranges.   

 Dshield Top 10 Attack IP’s

http://www.dshield.org/top10.php

•  074.052.180.114
•  218.003.209.174
•  211.106.172.081
• 195.068.089.211
• 121.015.253.104
•  218.004.137.213
•  202.062.224.090
• 150.164.029.253
•  058.215.065.237
•  218.006.009.099 

Dshield Recommend Block List

http://feeds.dshield.org/block.txt

 Asia Pacific Black List

http://www.apnic.net/db/ranges.html#country

•  58.0.0.0/8
•  59.0.0.0/8
•  60.0.0.0/8
•  61.0.0.0/8
• 116.0.0.0/8
• 117.0.0.0/8
• 118.0.0.0/8
• 119.0.0.0/8
• 120.0.0.0/8
• 121.0.0.0/8
• 122.0.0.0/8
• 123.0.0.0/8
• 124.0.0.0/8
• 125.0.0.0/8
• 126.0.0.0/8
• 169.208.0.0/12
•  202.0.0.0/8
•  203.0.0.0/8
•  210.0.0.0/8
•  211.0.0.0/8
•  218.0.0.0/8
•  219.0.0.0/8
• 220.0.0.0/8
• 221.0.0.0/8
• 222.0.0.0/8 

Its about time!  Foundstone Professional Services has been added to the Avert Labs research blog.  So now the makers of all the free hacking tools are accessible online.  Check it out there are already some great posts. 

 http://www.avertlabs.com/research/blog/index.php/category/foundstone/

I’ve also added it as a Blogroll.