Entertaining privacy problem with PacBell DSL service - doesn't apply to DHCP users, but apparently does with static IP.

~~~~~~~~~~~~~~~~~

http://www.infoworld.com/cgi-bin/deleteframe.pl?story=/articles/op/xml/00/06/19/000619opswatch.xml

From InfoWorld.com
Published at: Friday, Jun. 16, 2000 1:01 pm PT

Internet privacy shows troubling prospects; constant erosion leads to lots of exposed data

By Stuart McClure &

IN OUR RUSH to utilize the Internet, someone forgot to consider the enormous impact of disclosure. We send unencrypted e-mail messages that are stored on mail servers (or their backup tapes) for years. We respond to public newsgroup postings for all the world to see. With information at our fingertips comes the inevitable conclusion that privacy is in for a beating.

Now with the advent of banner-ad and traffic-tracking companies such as DoubleClick and AdForce, privacy is a dwindling privilege. For the right price, companies can learn about your buying habits and tie that to your e-mail address for mass marketing and the usual spam. Now a recent discovery has surfaced that brings this invasion even closer to home.

Where do you live? Just ask ARIN

We've found another example of why you need to worry about your information on the Internet. A growing number of home DSL customers are requesting static IP addresses to have a place to serve up their family pictures and post their résumés online. Typically, when an ISP registers a block of IP addresses with the American Registry of Internet Numbers (ARIN), it submits its own street address rather than the client's. But as one bright reader discovered, at least one major ISP, Pacific Bell Internet, gives the DSL customer's home address instead of the ISP's. The phenomenon appears to show up only with certain ISPs and only when the IP addresses for DSL are static. From a privacy standpoint, this simply boils our blood.

The effect of this privacy violation is that anyone using a chat room or IRC channel can look up anyone else's IP address and discover their home address. For example, if you are an IRC user, someone can use the "/who *.pacbell.net" command to list all those users coming from a Pacific Bell domain and then target you. If you support SOHO (small office/home office) corporate users or have employees who work from home and connect into your corporate network, attackers can target your employees at their houses. Believe us when we say that "dumpster diving" is by no means a vanished art.

If you care about your privacy, check out ARIN and see whether your static IP addresses (and, more important, your home address) are registered with them. Point your browser to www.arin.net, select the Whois link, and then submit either your last name or your static IP addresses into the search field. Now if your name appears on the screen, select the NETBLK name to the right. If your home address is listed there, you should call your ISP and have them do one of three things: change your billing address to a P.O. box or personal mailbox, have them change the address to their own address, or switch to dynamic IP addressing.

Loose DNS lips

The next Internet privacy concern is the way Network Solutions stores records in DNS servers and the domains over which they have authority. This "feature" of Network Solutions' database is not new, but it is worthy of your attention. With either a command-line Whois client or your favorite Web browser, you can view the first 50 domain names of almost any DNS server on the Internet. Why is this trick such a big deal? Well, where do you think attackers go when they can't hack a box they really want? They can attack both your ISP and your neighbors, looking for low-hanging fruit. To discover the information your DNS is leaking, just ask Network Solutions.

For example, to check out how simple it is to view your DNS records, just point your Web browser to www.networksolutions.com and select WHOIS Lookups. Now input your domain name (e.g., mydomain.com) and hit Submit. You will see your normal Network Solutions registration information, including the primary and secondary (maybe more) DNS servers. Now click on the first DNS entry's IP address. With any luck this will show you the HST (host) record for your DNS server. Now for the undocumented trick. In the lookup field, insert "server NS0000-HST", replacing NS0000-HST with the DNS's HST name, and up will pop the first 50 domain names that your DNS server hosts.

Knowing the alternate domain names being hosted on a particular DNS server encourages attackers to turn their focus from your neighbor's box to yours. Instead of wasting time on a difficult original target, an attacker can take advantage of a weaker system nearby. Perhaps an attacker will listen to the network and catch your cleartext FTP passwords used during your NetObjects Web site updates. Sleep tight now, ya hear.

Internet privacy is undoubtedly disappearing at an exponential rate, and little is being done to slow the process. With little legal backing for enforcing information privacy, the problem is only going to grow and affect the way we do business on the Internet. What do you think about your right to privacy? Let us know at [EMAIL PROTECTED]

Stuart McClure is president and CTO and Joel Scambray is managing principal at security consultant Foundstone (www.foundstone.com). Their best-selling book, Hacking Exposed, has sold more than 100,000 copies in six months.

~~~~~~~~~~~~~

Thanks!
Bill

Bill Stewart, [EMAIL PROTECTED]
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
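The ARIN self-check the article describes (is the netblock covering my static IP registered to my street address rather than my ISP's?) can be scripted once you have the WHOIS reply in hand. This is an added example, not code from the article or the list post; the WHOIS record is constructed, the NetRange/NetName/Address field layout is an assumption about the reply format, and ISP_ADDRESSES stands in for the addresses your ISP is known to register its own blocks under.

```python
"""Flag a WHOIS netblock whose registered street address is not the ISP's."""
import ipaddress
import re

# Constructed WHOIS reply for a customer's static block (not a real record).
CUSTOMER_BLOCK = """\
NetRange:       192.0.2.8 - 192.0.2.15
NetName:        EXAMPLE-DSL-CUST-42
OrgName:        Jane Customer
Address:        123 Anywhere Lane
City:           Springfield
StateProv:      CA
Country:        US
"""
# Street addresses the ISP registers its own blocks under (assumed known).
ISP_ADDRESSES = {"1 ISP Plaza"}


def parse_whois(text):
    """Return {field: value} for 'Field: value' lines; first occurrence wins."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(.*?)\s*$", line)
        if m:
            fields.setdefault(m.group(1), m.group(2))
    return fields


def block_contains(fields, ip):
    """True if the NetRange 'start - end' in the reply covers the queried IP."""
    start, end = (ipaddress.ip_address(p.strip())
                  for p in fields["NetRange"].split("-", 1))
    return start <= ipaddress.ip_address(ip) <= end


def home_address_exposed(whois_text, ip, isp_addresses=ISP_ADDRESSES):
    """Return the street address registered for the block covering `ip` when it
    is not one the ISP uses for itself (i.e. likely the customer's), else None."""
    fields = parse_whois(whois_text)
    if "NetRange" not in fields or not block_contains(fields, ip):
        return None  # reply does not cover this IP; nothing to conclude
    street = fields.get("Address", "").strip()
    if not street:
        return None
    known = {a.strip().lower() for a in isp_addresses}
    return None if street.lower() in known else street


if __name__ == "__main__":
    print("exposed:", home_address_exposed(CUSTOMER_BLOCK, "192.0.2.10"))
    # -> exposed: 123 Anywhere Lane
```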

