Online Intrusion Monitor

WatchMouse advantages

WatchMouse's Vulnerability Scanning provides the following unique advantages:

  • Pay for what you need and adjust your settings at any time
  • Immediate results via an outsourced solution - no software installation or hardware purchase needed
  • Peace of mind that your website and servers are being scanned against an expert database of 30,000+ known vulnerabilities
  • Access to an Industry Leading Customer Console to check results, leave comments, adjust scans, set alerts, and view full details
  • Routine, professional scanning from the hacker's perspective, external to your organisation
  • Real-time e-mail, SMS & pager alerts when severe vulnerabilities are found
  • Confidence that your scanning is outsourced to industry experts so you don't need expensive in-house resources

News

Did you know? Hackers probe your servers for vulnerabilities between 5 and 170 times per week (2007-10-29)

Test your site now: Free 10 day / 10 scan trial


With a dramatic rise in malicious attacks, it is now critical to test your websites and servers for security vulnerabilities. Having the latest firewalls and Intrusion Detection Systems will not protect your organization if they (or the services behind them) are not kept up-to-date and configured correctly.

This means that verifying the security of your systems is not something you can do just once, nor something to check only every now and then. New vulnerabilities are identified every day, exploits become available soon after, and every change in your systems' configurations, however small, may open up new vulnerabilities. Having audited last week does not imply your systems are fine today!

The WatchMouse Periodic Vulnerability Scan is an affordable way to routinely check your company’s security vulnerabilities. Utilizing the most up-to-date database of known vulnerabilities, WatchMouse identifies any security vulnerabilities and provides you with the peace of mind that your web applications are being scrutinized from the perspective of a possible attacker.


Characteristics

WatchMouse offers Periodic Vulnerability Scanning with an outside - hacker's - view, with the following characteristics:

  • Currently over 20,000 vulnerabilities are checked. Checks for new vulnerabilities are added on a daily basis.
  • The frequency and the intensity of a scan can be tailored to your policies, and implemented immediately on our self-service website.
  • Severe vulnerabilities can, depending on your preferences, initiate SMS (text) or paging alerts, giving you, or your webmasters, the opportunity to react quickly in case of new vulnerabilities.
  • Extensive reporting is available for each scan, including pointers on how to fix vulnerabilities.
  • WatchMouse's unique Vulnerability Scan Customer Console allows you to manage subsequent scans by inspecting differential reports and open issues, declaring vulnerabilities fixed, adding operator comments, etc.

Try now: Free 10 day trial!

Announcing two free contacts for all accounts and alerting via MSN and Jabber (2008-01-08)

WatchMouse starts the new year with a gift: we have added two contacts to all customer accounts for free.
Contacts are used for:

We also introduced two new alerting methods: Instant messaging with MSN (Windows Live Messenger) and Jabber.

If you have a Jabber or MSN instant messenger account, add it as a contact in your WatchMouse account and then use these contacts for alerting. Our favourite setup is an escalation group where at the first error an instant message is sent, then if the error persists, after 5 minutes this is followed by an email and/or SMS text message.

New release: many new features and improvements (2008-08-25)

The most recent release of our site and software brings not only many improvements, but also a number of interesting new features:

  • You can now restrict the monitoring of your site to a selection of our monitoring stations.
    As we are adding ever more of these stations, this has become a recurring feature request.
    How: In the [expert mode] of your rule settings, select 'Checkpoint selection'. This allows you to choose the checkpoints that will execute this rule. In case of a 'Master' sequence rule, additional checkpoints will only be used for second opinion checks. Make sure you select at least three stations for redundancy purposes.
  • New IMAP and POP3 checkers now support SSL and can send 'round trip' test messages.
    These test messages are checked in the next monitoring cycle, thus implementing full round-trip email verification.
    How: In your rule settings for IMAP and POP3 rules select "SSL encryption". Make sure you are in [expert mode], where there will be an email address field. When an email address is found in this field, we send a test email to it in each cycle, and check for its correct delivery in the next cycle.
  • New DNS checkers with many more features.
    Test for A, CNAME, MX, NS, PTR, and AAAA records and test these on our local resolvers, on your listed name servers, or on specific DNS servers. The existing dnsa and dnsns type rule will be replaced soon by this new dns type rule. How: In the [expert mode] of your rule settings type the name or IP address to be tested, select the record type, and click look-up. Now select the DNS servers that should be queried, set the other options and click save.
  • In many cases, the log viewer will now also show the DNS resolve times for each check. As we move forward, we will add this for all check types.
  • The web site now offers a more flexible subscription model, allowing customers to mix and match a wider range of different rule types and intervals.
  • The reseller console has undergone major improvements making it easier for resellers to manage their customers' accounts.

In addition, many improvements have been made and several smaller issues have been resolved; please refer to the change log for details.

All new features are available for current and new subscribers at no extra charge. And, as always: if you are missing a feature, please let us know! We will most likely add it in a future release.

WatchMouse Public Status Pages: your own public website health page in two clicks! (2009-08-19)

Today we move the WatchMouse Public Status Pages (WMPSP) out of beta, making them available for all WatchMouse customers free of charge!

What is a Public Status Page?

A public status page is a web page that informs your customers of the status of your services, inspired by similar pages from many organisations like Amazon, Apple and Google, but also ISPs, financial institutions and other organisations that deliver critical services to other companies or the general public. Well-known examples are:

On our Public Status Pages the current status of your selection of on-line services can be displayed, and updates (public announcements) can be placed there for your customers. The pages are hosted on the Amazon cloud infrastructure, ensuring that your status page is highly scalable. It also ensures that your status pages continue to be available even if your main site or service is not.

Should my organization have a Public Status Page?

There is a strong trend to inform customers as soon as possible when certain services become unavailable, and to announce maintenance well in advance. If you would like to provide your customers with a dedicated status page for the on-line services you provide to them, WMPSP is a very efficient and cost-effective solution for your organisation. You can have a Public Status Page set up in minutes by creating one or more rules in your WatchMouse account, setting up a public folder, and moving these rules into this folder. Using the WMPSP setting page you can post announcements, annotate current issues, and optionally set up a special host name (CNAME) so people can access the status page using your domain name, e.g. status.yourdomain.com.

How does it work?

After you have set up a public folder with monitoring rules in your account, the status of these rules will be pushed to http://status.watchmouse.com/NNN automatically (where NNN is a unique id for your status page). Make sure the settings of the rules, and especially the timers for the performance thresholds, are according to your standards / SLA. You may want to have a similar set of rules with stricter thresholds for internal use so you will get notified well before your Public Status Page is updated. Note that you can have your own host name as well, i.e. status.yourdomain.com instead of http://status.watchmouse.com/NNN

Whenever there is a performance or availability issue, you can annotate this in your WatchMouse account and this information (e.g. "our technicians are working on a solution, expected to be available at 16:00") will be pushed to the WMPSP as well. Similarly, you can announce maintenance or downtime in the same procedure and this will be listed in the announcement section of your Public Status Page.

All Public Status Pages are hosted on the Amazon web services infrastructure, making them independent of your own servers' availability and ensuring very high availability and scalability.

Get started now!

  • Log in to your account and go to the standard rule settings page
  • Create a new rule folder for each WMPSP you would like to set up, and create rules within those folders that are representative of the availability of your main services.
  • Go to the WMPSP setting page and click the [add] button, and select a folder you created in the previous step.
  • Optionally you can also add a host name within your own domain in the CNAME field. Note that you have to add a CNAME record to your DNS for this host name pointing to status.watchmouse.com.
  • Click [make public] and you're done! Note that it might take a minute or two before the status page is actually available, since the data has to be transferred to the Amazon AWS platform first.
  • Test your WMPSP by clicking on the Name and/or CNAME links in the public folder listing. Observe that each rule has its own detail page which looks like this: WMPSP for the WatchMouse web site
  • Note that the name and logo shown can be changed in your account details
  • Next you can add announcements to your WMPSP in case you have scheduled maintenance for one or more services or when actual issues arise and you would like to update your customers about the progress in fixing them.

New feature included in all website monitoring subscriptions: Root Cause Analysis (2009-10-18)

Today we release the Root Cause Analysis feature for all our website monitoring customers, at no additional cost, in all subscriptions.

What is Root Cause Analysis?

Until now, any issues found by WatchMouse were logged in your account and you were alerted according to your settings and preferences. Although the information in the alert tells you what the problem is, a more detailed analysis, or Root Cause Analysis, can be helpful in determining the actual cause of the issue.

How does it work?

When an issue is found and has been confirmed by another monitoring station (if needed), the Root Cause Analysis is triggered. Currently the Root Cause Analysis entails:

  • Perform a traceroute from two monitoring stations to find the actual routes that were used in the tests.
  • A screen dump (image) of the web page in question (for http(s) rules only) in two sizes
  • The source HTML of the web page (for http(s) rules only) if available.
  • Relevant checks: results from previous and subsequent checks for the same rule.
  • A detailed analysis of your domain name set-up
  • DNS analysis from two monitoring stations to see if the host names are resolved properly.

In your logs you will find the Root Cause Analysis icon right next to the (confirmed) error, pointing to the Root Cause Analysis report. Note that this icon will be present only for the first confirmed error in a straight sequence of errors. Another icon, Detailed analysis, may appear to indicate that the log file has additional information (e.g. for http(s), scripting, or dns/domain rules).

Getting started

If you had any errors reported recently there may already be Root Cause Analysis reports available in your account. To check it out go to the logs and select 'Root Cause Analyses' from the 'Display' menu and click [show].
If there are entries in the resulting list, simply click on the Root Cause Analysis icon to inspect the details.

When an alert email is sent, this will now contain a direct link to the Root Cause Analysis report.

Press releases

LB Icon chooses WatchMouse for independent website monitoring (2005-01-31)

Customer websites verified from the visitors' perspective

LB Icon and WatchMouse have signed a contract for the continuous monitoring of the websites and services of LB Icons' customers. Using the WatchMouse services, LB Icon expects to raise its service level even higher.

The Application Management & Hosting Services (AM&HS) group of LB Icon maintains the administration and management of servers and applications of a large number of (international) clients. This makes AM&HS responsible for the performance and availability of the websites and Internet applications.

Using the WatchMouse services, AM&HS will instantly be aware of upcoming and/or acute incidents related to the websites of its clients, and can, as a result, resolve problems in a short time frame.
The websites and their functionality are checked for accessibility, speed and conformance from different locations around the world. Because the websites are checked in the same way that visitors are experiencing them, incidents will be detected at an early stage. Also, using WatchMouse's objective periodical reports, it is possible to see if the performance is in accordance with the agreed service levels (SLAs).

Eveline Aendekerk, MD a.i.: "The door of a shop should never be jammed, websites and the functionality on those sites should simply be accessible and available. Our clients should be able to rely on this completely, so they can focus on their primary business processes, such as communication, interaction and sales.
We chose WatchMouse because of their expertise, and also because of the simplicity and user-friendliness of their system and services".

Stan P. van de Burgt, one of the founders of WatchMouse: "I find it a powerful gesture that LB Icon doesn't just monitor the websites of their clients, but that they selected an external party for this, and on top of that give their clients access to the results. Many companies where the website plays an essential role in business, don't have any awareness of this. They have no idea of the online intrusion monitor and the resulting damage, until the day comes that things actually go wrong"

About Lost Boys

For 11 years Lost Boys has been a major service provider in the area of (mobile) Internet. Lost Boys offers a combination of strategy, design, technical development, implementation, application management and hosting of Internet- and mobile solutions. The Amsterdam based corporation is part of the Lost Boys/IconMedialab Group and is listed on the Stockholm Stock Exchange and Euronext Amsterdam. Lost Boys operates with 600 employees in 7 countries, both in Europe and the United States.

http://www.lostboys.nl/
http://iconmedialab.com/

About WatchMouse

WatchMouse is a service of RoundZero. Since 2001, WatchMouse has been checking Internet sites and e-commerce applications of major companies all over the world. The WatchMouse services are available in 8 languages and analysis is performed through its worldwide monitoring network at different locations and networks. WatchMouse has thousands of users in more than 70 countries.

http://www.watchmouse.com/

Columns

What do you want to check with a service such as Watchmouse? (2005-01-31)

As I explained in my previous column, you can use a monitoring service in a number of roles. Common to all these roles is the fact that you are keeping alive some services for the benefit of your customers, suppliers, employees or partners. These users are, in the end, all that counts.

What are the objects that you should be checking? Obviously, the least you want to do is check the service that is most visible to these users. This could be the webserver, or a POP or FTP server for example. You would start by setting up a rule to check the server and a URL. The frequency with which you can monitor (that is: the elapsed time between checks) is typically limited by the type of subscription that you have. Only in specific cases would you not check as often as your subscription allows.

Note that there is a difference between a CONNECT on port 80 rule and a HTTP rule. The first just connects to the port that the webserver is supposed to use. The HTTP rule also checks whether the webserver can produce a valid HTTP response, and whether the document can be found. You probably want the latter check.
Similar reasoning applies to POP and FTP checks. If you set up two different rules on the same host, this allows you to distinguish for example between a broken webserver and a host that is down. If you want even more content oriented checks, have a look at the so-called PLUG-IN rules. Additionally, you can set up checks to make sure that your users are actually using the services that you intend them to. The whole Internet depends heavily on the domain name system (DNS) functioning correctly. If it does not work properly your users may be directed to another site than you intended. This could be a configuration error, but it could also be a defamation hack. In either case, you want to know.
First of all you want to check whether the root servers of the Internet accurately find the DNS that is serving you. This can be checked with a DNSNS rule. What you are checking with this rule is whether the registrar's databases are correct. Second, you want to check if that DNS server (and its slaves) are serving up the proper IP address for the server. For this you can use the DNSA rule, and it will warn you if the DNS server is not working or serves up the wrong address. (Note that the hosting party can change that address at its discretion, as part of a renumbering operation for example.)

Who should you notify of rule failures? Again, different roles have different information requirements. You want to notify the person who can fix things as soon as possible. Mail or SMS/text them directly, you do not want to be in the loop. You might set up an escalation chain, which fires off after a certain amount of errors. Note: make sure that you send the message on a channel that is not affected by the outage: if your e-mail system does not work, delivering a message to that effect should not depend on that e-mail system.
The people in charge of overseeing somebody else's service levels should only get escalation messages, if at all. Rather, they should get the weekly or monthly service reports.

Peter van Eijk is a management consultant specialized in management of network infrastructures. He can be reached via his contact page.
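The column's advice to pair a CONNECT rule with an HTTP rule on the same host can be reproduced locally. The following is an added example, not WatchMouse code or part of the column: the function names, the result labels and the three loopback targets (a healthy server, a listener that accepts connections but never answers, and a closed port) are constructed for illustration.

```python
import http.client
import http.server
import socket
import threading


def connect_check(host, port, timeout=2.0):
    """CONNECT-style rule: only asks whether the TCP port accepts a connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_check(host, port, path="/", timeout=2.0):
    """HTTP-style rule: needs a valid HTTP response and a document that is found."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return 200 <= resp.status < 300
    except (OSError, http.client.HTTPException):
        return False  # reset, timeout, or a reply that is not HTTP
    finally:
        conn.close()


def diagnose(host, port, path="/"):
    """Run both rules against one host to tell the two failure modes apart."""
    if not connect_check(host, port):
        return "port unreachable"   # host down or nothing listening
    if not http_check(host, port, path):
        return "webserver broken"   # port answers, HTTP does not
    return "ok"


class Handler(http.server.BaseHTTPRequestHandler):
    """Constructed healthy server: 200 for "/", 404 for anything else."""

    def do_GET(self):
        found = self.path == "/"
        self.send_response(200 if found else 404)
        self.end_headers()
        if found:
            self.wfile.write(b"ok")

    def log_message(self, *args):
        pass  # keep the demo output quiet


def start_healthy():
    server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_port


def accept_and_drop(listener):
    """Constructed broken server: completes the TCP handshake, then hangs up."""
    while True:
        conn, _ = listener.accept()
        conn.close()


def run_demo():
    broken = socket.create_server(("127.0.0.1", 0))
    threading.Thread(target=accept_and_drop, args=(broken,), daemon=True).start()
    probe = socket.create_server(("127.0.0.1", 0))  # reserve a port, then free it
    down_port = probe.getsockname()[1]
    probe.close()
    targets = {"healthy": start_healthy(),
               "broken": broken.getsockname()[1],
               "down": down_port}
    return {name: diagnose("127.0.0.1", port) for name, port in targets.items()}


if __name__ == "__main__":
    print(run_demo())
```

A CONNECT rule alone would report the "broken" target as up, which is why the HTTP rule is the one to alert on and the CONNECT rule the one that narrows down the cause.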

Flu Jab Your Website Against The Pandemic: 6,000 Infected Webpages Per Day! (2008-02-18)

The respected IT news website, The Register reports that every 14 seconds a web page is infected, which amounts to 6,000 infected web pages per day. Four out of five of these infections come from innocent companies and individuals who are oblivious to their site being hacked and subsequently used for hosting the malware of virus writers. The Register further reports that in the past viruses were spread using infected e-mail. Nowadays, however, the favoured virus distribution methods are downloads from compromised sites. As a result of these booby-trapped sites malware is present on at least one in every ten web pages.

WatchMouse's Periodic Vulnerability Scanning offers your website the flu jab against this virus pandemic. WatchMouse's Periodic Vulnerability Scanning is an affordable way to routinely check your company's security exposure and eliminate the risks of manual audits. Utilizing the most up-to-date database of known vulnerabilities, WatchMouse identifies any security risks and provides you with peace of mind that your software applications are being scanned from the perspective of a hacker, external to your organization.
To ensure your website and servers are checked for the latest issues, WatchMouse's Periodic Vulnerability Scanning performs over 20,000 checks for known vulnerability and security exposures, using a database which is updated daily by multiple accredited organizations including CVE (funded by the US government) and Bugtraq. Following the detection of any severe issues, automated, real-time email, SMS and pager alerts give your business the chance to react quickly. Scans can be scheduled during low usage or maintenance hours and set at an intensity and frequency suited to your business needs and budget.

To obtain a free Periodic Vulnerability Scanning trial visit: www.watchmouse.com/vulnerability_scan_trial.php

The Register's article was published on 23.01.08 and can be viewed at: www.theregister.co.uk/2008/01/23/booby_trapped_web_botnet_menace/

Security news

phpDirectorySource SQL Injection and Cross Site Scripting Vulnerabilities (2009-07-24)

phpDirectorySource is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

IBM Tivoli Identity Manager Session Fixation Vulnerability (2009-07-24)

IBM Tivoli Identity Manager is prone to a session-fixation vulnerability.

Attackers can exploit this issue to hijack a user's session and gain unauthorized access to the affected application.

Tivoli Identity Manager 5.0 is affected.

PowerDNS Recursor Buffer Overflow Vulnerability (2010-01-09)

PowerDNS is prone to a remote buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input before copying it into a fixed-length buffer.

Successfully exploiting this issue allows a remote attacker to execute arbitrary code with superuser privileges, resulting in a complete compromise of the affected computer. Failed exploits will cause a denial of service.

Ignite Realtime Openfire Unspecified Privilege Escalation Vulnerability (2007-05-29)

Openfire is prone to an unspecified privilege-escalation vulnerability.

An attacker can exploit this issue to obtain escalated privileges. A successful attack can result in a compromise in the context of the affected application.

Openfire 3.3.0 and prior are vulnerable to this issue.

Inout Metasearch Engine Cookie Forgery Remote Authentication Bypass Vulnerability (2007-05-29)

The Inout metasearch engine is prone to an authentication-bypass vulnerability because it fails to adequately sanitize user-supplied input.

An attacker can exploit this issue to gain unauthorized access to services hosted on an affected computer.