  #1 (permalink)  
12-03-2006, 12:21 PM
Borked Pseudo Mailed
Security company attempts hacking

In a recent report it came to light that the Dutch Security Software
company Alfa & Ariss has been making unauthorised attempts to break in to
both private and corporate computer systems.

Alfa & Ariss, who made a name for themselves by developing software for both
the Open Source and Corporate markets for secure login procedures, as well
as being contracted to implement this software in central Dutch government
and banking agencies, have made confirmed attempts to at least gain access
to several systems without obtaining authorization first from the owners
and operators of those systems.

The most disturbing attempts are the clear and verified, targeted attempts
to access a Scandinavian company by probing for available services,
including but not limited to telnet, SSH, FTP, LDAP, VPN, SSL and SMTP.
These were made from the main IP address registered to them (82.94.105.130)
in late October. The company's data wasn't compromised due to a good
security setup, but the attempts themselves are an indication that Alfa &
Ariss is apparently doing more than just develop software, and not all of
it desirable.

Next to this, the private user is apparently also not safe from them, as an
ex-employee found out. His home-connected computer had its Internet
connection flooded around the same time, and by checking access logs found
out that the company had been snooping on his Livejournal (even after he
left the company) as well as making complete copies of his personal and
business related web pages.

Even though invited to do so, no comments have been made by Alfa & Ariss so
far, but the ex-employee states:
"Yes, there have been problems with my connection. My modem complained
about not being able to handle the traffic correctly, and probably a bunch
of connections were dropped because of that. I'd say that is a clear
example of Denial of Service right there. It didn't last long, but still..."

"I also put a few blocks in place after that, and started keeping an eye on
the IP. Surprisingly, it didn't end there, but instead, I found I got
continued connection attempts from the office at just about every business
day, and even some in the weekend and at night times. To this day they keep
checking up on me, apparently."

As to the reason why, there seems to be some confusion:
"I'm a little limited in what I am allowed to say under my NDA, but I can
tell you that even though I left the company in September on less than
agreeable terms (having had the rights needed to do my job as security
officer and network administrator revoked, forcing me to quit, next to lack
of pay), I didn't have any negative consequences to speak of because of
this. I, myself, was just glad to close it off this way, I have no desire
to be in any way in touch with the people there, and as a matter of fact,
the CEO demanded no further contact, himself. I even returned a few letters
after they got sent to my address regardless of their own command.
There is also nothing of interest for them to be found on my home system,
apart from personal data for me and a few friends which they have no
business in knowing or having access to. Although I can guess as a motive
they might be searching for information to try and fine+sue me over the
NDA; it would not surprise me if so, at all. Having set up a lot of the
network stuff there myself though, I can tell you that if something like
this originates from that IP, it's not been someone else or a system that
got compromised and abused by someone else outside the office. Unless of
course they really messed up their setup after making me quit, but I
somehow doubt it."

Further specifics are not known at this time.


[from our security news correspondent]


  #2 (permalink)  
12-03-2006, 06:27 PM
Rick Merrill
Re: Security company attempts hacking

Borked Pseudo Mailed wrote:

> In a recent report it came to light that the Dutch Security Software
> company Alfa & Ariss has been making unauthorised attempts to break in to
> both private and corporate computer systems.
>
> Alfa & Ariss, who made a name for themselves by developing software for both
> the Open Source and Corporate markets for secure login procedures, as well
> as being contracted to implement this software in central Dutch government
> and banking agencies, have made confirmed attempts to at least gain access
> to several systems without obtaining authorization first from the owners
> and operators of those systems.
>
> The most disturbing attempts are the clear and verified, targeted attempts
> to access a Scandinavian company by probing for available services,
> including but not limited to telnet, SSH, FTP, LDAP, VPN, SSL and SMTP.
> These were made from the main IP address registered to them (82.94.105.130)
> in late October. The company's data wasn't compromised due to a good
> security setup, but the attempts themselves are an indication that Alfa &
> Ariss is apparently doing more than just develop software, and not all of
> it desirable.
>
> Next to this, the private user is apparently also not safe from them, as an
> ex-employee found out. His home-connected computer had its Internet
> connection flooded around the same time, and by checking access logs found
> out that the company had been snooping on his Livejournal (even after he
> left the company) as well as making complete copies of his personal and
> business related web pages.
>
> Even though invited to do so, no comments have been made by Alfa & Ariss so
> far, but the ex-employee states:
> "Yes, there have been problems with my connection. My modem complained
> about not being able to handle the traffic correctly, and probably a bunch
> of connections were dropped because of that. I'd say that is a clear
> example of Denial of Service right there. It didn't last long, but still..."
>
> "I also put a few blocks in place after that, and started keeping an eye on
> the IP. Surprisingly, it didn't end there, but instead, I found I got
> continued connection attempts from the office at just about every business
> day, and even some in the weekend and at night times. To this day they keep
> checking up on me, apparently."
>
> As to the reason why, there seems to be some confusion:
> "I'm a little limited in what I am allowed to say under my NDA, but I can
> tell you that even though I left the company in September on less than
> agreeable terms (having had the rights needed to do my job as security
> officer and network administrator revoked, forcing me to quit, next to lack
> of pay), I didn't have any negative consequences to speak of because of
> this. I, myself, was just glad to close it off this way, I have no desire
> to be in any way in touch with the people there, and as a matter of fact,
> the CEO demanded no further contact, himself. I even returned a few letters
> after they got sent to my address regardless of their own command.
> There is also nothing of interest for them to be found on my home system,
> apart from personal data for me and a few friends which they have no
> business in knowing or having access to. Although I can guess as a motive
> they might be searching for information to try and fine+sue me over the
> NDA; it would not surprise me if so, at all. Having set up a lot of the
> network stuff there myself though, I can tell you that if something like
> this originates from that IP, it's not been someone else or a system that
> got compromised and abused by someone else outside the office. Unless of
> course they really messed up their setup after making me quit, but I
> somehow doubt it."
>
> Further specifics are not known at this time.
>
>
> [from our security news correspondent]
>


Some of these companies persuade themselves that if they
can break into a company's IT system, surely that company
will hire them to fix it! Yeah, right!


  #3 (permalink)  
12-03-2006, 10:01 PM
MC
Re: Security company attempts hacking

Jim Watt wrote:
> On Sun, 3 Dec 2006 06:21:55 -0700 (MST), Borked Pseudo Mailed
> <nobody@pseudo.borked.net> wrote:
>
>> The most disturbing attempts are the clear and verified, targeted attempts
>> to access a Scandinavian company by probing for available services,
>> including but not limited to telnet, SSH, FTP, LDAP, VPN, SSL and SMTP.
>> These were made from the main IP address registered to them (82.94.105.130)
>
> And how would this be illegal or unusual ??


I'd say it's rather unusual for a company to do this to another company
as a targeted attack on their system. In fact, I'm quite sure that ISPs
normally don't allow this kind of behaviour under their terms and
conditions.

Even if it was legitimate attempts at accessing exposed services, I
wouldn't say that there is "nothing unusual" about doing a full sweep
across a broad spectrum of ports in a very short period of time (which
this seems to be about). I don't see how that could be trying to access
much of anything legitimately.
