Latest News
The FAQs
DES Analysis
Press Release

Version of
NetBrute Scanner
is now available!

Voice your opinion.

The FAQs

Q: If huge, well protected systems like AOL can be hacked into, what are my chances of being able to protect my small home system?

A: It's actually quite a bit easier for a hacker to break into a large organization's system than it is to break into a small organization's system. The main reason behind this is that the more complex a system is, and the more users there are, the more links that there are in the security chain. Just by law of averages, if you have more links then you're going to have more weak links. Remember, your security is only as strong as your weakest link. If you're having a hard time getting your 1 to 100 users to change their password to something besides their username, and you're finding that it is nearly impossible to get your users to safe guard their password, then imagine how difficult this task would be if you had 100 to 100,000 users.

With a large number of hacking attempts being made by legitimate users who choose to abuse the system, you automatically increase the chances of having your users go astray just by having more of them.

With the resources required to run a large system, it is also more likely that your system administration crew will be understaffed, and many hacking attempts will just go plainly unnoticed or uninvestigated.

Large systems are also going to be much more lucrative targets because they contain data that is going to be much more valuable than the average home user's checking account information or resume'. A large system is assumed to contain enough financial and propietary information to make it worth the effort of breaking in.

The hacker expects the average home user to have absolutely no security measures. All you need to do is have the simplest of measures in place to detour the hacker from your system and send him or her to the easier prey of your neighbor's system.

Q: What are some ways that I can fight spam/UCE (Unsolicited Commercial Email)?

A: If you are a system administrator, there are basically four things that you will want to do:

  1. Prevent unauthorized relaying on your SMTP server either by statically specifying networks that are allowed to relay email through your server, or by using some form of POP authentication so that you can authorize your remote users on the fly by simply having them login to check their mail first. You will definately not want to have your email server be an open relay. If you are running sendmail, make sure that you have been upgraded to sendmail 8.9.
  2. Join a real time blacklist such as the one at www.orbz.org. These are lists of known open relay email servers, and the databases are updated in real time. Denying email from these servers will allow you to block mail from users who are anonymously using mail servers for their own illegitimate means.
  3. Prevent access to your mail servers by hosts from foreign countries unless you currently maintain users in that country, or are open to doing business with those countries. It is much harder to get a foreign system administrator to take reasonable action against one of their users for sending you unwanted email than it is to get an american administrator to respond appropriately.
  4. Implement policies that prohibit UCE; let your users know that the policies exist, and enforce the policies consistently.
If you are an email user, there are six basic steps that you will want to take:
  1. Let everyone that you trust your email address with know that you never want them to give out your email address to any person or organization without your permission (this includes electronic greeting card sites).
  2. Always keep your email account (username where your mail collects) private, and just provide email alias addresses to people who request your email address. You can create a new email alias for every single person that emails you if you wish, so that if you start to get spam sent to one of the aliases, you can just remove the alias. If you keep track of who you gave an alias address to, you can easily track who sold your address, or who is responsible for sending you spam.
  3. Whenever you receive spam, never reply directly. If you reply, it should be in the form of a complaint to the sender's ISP or upstream provider.
  4. Do not list your email address as plain text on your website. Place it in an image, or provide a contact form.
  5. Do not post your unmunged email address on USENET newsgroups.
  6. Do not provide your email address as a contact for a domain name if the email address will be available via a "whois" query.

For some powerful tools to help you fight back against spammers, please visit Sam Spade.org and our Resources section.

Q: I worry about giving my credit card information over the Internet, how can I guarantee that it's safe?

A: You can't guarantee that your credit card information will not become available to someone who has illicit plans for the information, but here is some more information about this:

If the web site that you're purchasing from has SSL (even 40 bit), and you ensure that you have an SSL secure connection (a closed lock in MSIE and Communicator), then the transmission of your credit card information will be MORE secure than reading it to someone over an unsecure (unencrypted) telephone line. You should never transmit your credit card information via unencrypted email or on a non-SSL web site.

However, the problem is that most breaches regarding security happen after the trasmission of the information, when the data is sitting in the merchant's computer system. You can never be sure of how well a merchant is safe guarding your billing information. More than likely, they aren't even going to publish their security policies (for security reasons).

One great thing is, that purchasing with Visa or MasterCard offers you a lot of protection. Because Visa and MasterCard merchants must agree to abide by a common Merchant Agreement, you are always protected as long as you look over your credit card statements and request charge backs for purchases that you did not make (within 30 days of the purchase). The burden of proof is always on the merchant. If you request a charge back, the merchant typically has one day to provide proof that they were presented the credit card, and authenticated it. Since mail order and Internet merchants aren't going to have a signed receipt, the merchant is almost always unable to prove the charge was valid, and you win (and unfortunately, they lose).

This information may not apply to other credit cards such as American Express or Discover.

Q: Will my IP address be availble to computers that I scan with NetBrute, PortScan, or WebBrute?

A: The short answer is, yes.

Your IP address is available to any computer which you connect to via IP if that computer is running any type of real time monitor, especially a firewall, or they are logging Internet traffic (which most webservers or other UNIX servers do).

Even if the end computer which you're scanning doesn't log traffic, often either your ISP or their ISP does.

You should only use NetBrute to test the security of networks for which you're responsible for and have permission to test.

You'd have to consult a lawyer in your area to determine the legalities of scanning other people's computers through the Internet with NetBrute and PortScan.

Odds are, if you're using WebBrute against any webserver besides your own, you're breaking the law.

Use these tools to test your own machines. Make sure they're locked down. Then, if you're lucky, you won't have to worry about checking your Internet logs to "catch" people who attempt these attacks against you because they're not likely to succeed.

Q: What other great software has the developer of NetBrute created?

A:yProxy and yProxy Pro

yProxy is a yEnc Decoder for Outlook Express or any newsreader. It also supports NNTPS (SSL). yProxy Pro can be used as a generic TCP proxy, SSL tunnel, or yEnc decoding proxy. You can learn more about it at the website below: