MemeStreams Discussion

Memo from Work
by Acidus at 12:11 pm EST, Nov 24, 2008

Ran across an old document today at work. When SPI was purchased by HP a little over a year ago my boss had me compose a memo about why we needed completely unfiltered internet access. HP IT doesn't like us very much...

Any content filter system, URL blacklist, application gateways, internally facing firewalls, or internally facing IDS/IPS systems that prevent access to any of the resources described below would have a severely adverse impact on SPI Dynamics’ ability to test our products and collect knowledge about current and emerging web security trends and techniques.
---

SPI spends time each day reading a variety of websites across the globe, which may or may not be hosted in domains other than .com, .net, or .org, to keep up with the latest security research and techniques. Some of these resources include: major IT news sites, major security sites, industry blogs, and mailing list archives (by visiting the archives we don’t have to use an email address to subscribe).

Malicious attackers are often farther ahead than traditional security researchers. As a result, SPI researchers visit various resources where attackers discuss their methods. These sites often advocate criminal activity and openly discuss live attacks or specific vulnerabilities in websites or products. Example websites include [REDACTED] and many, many others. From time to time we visit IRC chatrooms around the Internet to learn the latest security details.

Websites that discuss, advertise or traffic in illegal or illicit materials often contain very sophisticated and non-standard interfaces that use JavaScript, VBScript, Flash and other technologies in unique combinations to try to track what users are doing and protect access to their materials. SPI visits these sites for 2 reasons: they are excellent stress tests of our parsers for JavaScript, Flash, etc., and they also provide insight into how people are trying to use web technologies maliciously. Example illegal or illicit materials include pornography, 0day vulnerability information, root kits, and phishing kits.

SPI routinely visits phishing websites (including legitimate websites that have been compromised) to assess what types of information an attacker is collecting and how the server was compromised.

When interacting with different customers or acquiring new security tools, SPI will contact various non-web destinations on the Internet. Examples include FTP servers, SSH servers, Subversion or CVS source code repository servers, and various web servers (SSL encrypted or not) running on non-standard port numbers.

The (legitimate) web security research community is fairly small. SPI routinely uses instant messaging services to communicate with our peers in other companies and in academia. IM allows us to respond to breaking threats (such as web worms like Samy and Yamanner) more rapidly than email. Many in our profession prefer to use encrypted channels for instant messaging so the conversations cannot be logged by inline devices.

SPI has various test websites set up external to the company (such as atlantahacker.com) which we use for demonstrative purposes when access to internal SPI test sites is not practical or is impossible. SPI will scan these sites from inside SPI from time to time as well, as we develop them. As a result, SPI is sending attack traffic out into the Internet.

SPI performs large search engine queries and visits a sampling of sites to understand the scope of a vulnerability and the number of affected platforms. These so-called Google Hacks can sometimes set off intrusion detection systems that are monitoring SPI’s outbound traffic.

RE: Memo from Work
by Hijexx at 4:32 pm EST, Nov 24, 2008

Acidus wrote:
Ran across an old document today at work. When SPI was purchased by HP a little over a year ago my boss had me compose a memo about why we needed completely unfiltered internet access. HP IT doesn't like us very much...

Nice writeup.

The main problem with unfiltered/unproxied access is logging/accountability. Passive URL monitoring via the IDS devices takes care of web logging and as long as the hosts are static/reserved DHCP and authenticated, there's your accountability too. Since you won't be getting authenticated proxy logs, you'll have to correlate auth and access logs.

It's a bit more work to accommodate the "problem children" but at the end of the day all the regulatory nuts and bolts are still effectively intact with that sort of monitoring system.

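The correlation Hijexx describes, attributing passive IDS URL logs to users via authentication events on static or reserved-DHCP hosts, can be done with a small script like the one below. This is an added example, not code from the thread; the log line formats, host addresses, users and URLs are all constructed.

```python
"""Attribute passively logged URL requests to users by correlating them with
authentication events, for networks without an authenticating proxy.
Added example with constructed log formats; not from the original thread."""
import bisect
from collections import defaultdict
from datetime import datetime

# Constructed auth log: who logged in from which reserved-DHCP address and when.
AUTH_LOG = """\
2008-11-24T08:55:02 LOGIN user=alice ip=10.1.2.10
2008-11-24T09:01:17 LOGIN user=bob ip=10.1.2.11
2008-11-24T12:30:00 LOGIN user=carol ip=10.1.2.10
"""

# Constructed passive IDS URL monitor output: source address and URL requested.
URL_LOG = """\
2008-11-24T09:10:44 src=10.1.2.10 url=http://example.test/advisories
2008-11-24T09:12:03 src=10.1.2.11 url=http://example.test/archives/list
2008-11-24T12:45:10 src=10.1.2.10 url=http://example.test/exploit-kit
2008-11-24T13:00:00 src=10.1.2.99 url=http://example.test/unknown
"""

def _kv(line):
    """Split 'TS k=v k=v ...' into (timestamp, {k: v}); bare tokens are skipped."""
    tokens = line.split()
    fields = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
    return datetime.fromisoformat(tokens[0]), fields

def build_login_index(auth_log):
    """Map each IP to a time-sorted list of (login_time, user)."""
    index = defaultdict(list)
    for line in auth_log.splitlines():
        ts, f = _kv(line)
        index[f["ip"]].append((ts, f["user"]))
    for entries in index.values():
        entries.sort()
    return index

def attribute(url_log, index):
    """Assign each URL event to the latest login at its source IP at or before
    the event time; IPs with no prior login are flagged rather than guessed."""
    results = []
    for line in url_log.splitlines():
        ts, f = _kv(line)
        logins = index.get(f["src"], [])
        pos = bisect.bisect_right([t for t, _ in logins], ts)
        user = logins[pos - 1][1] if pos else "UNATTRIBUTED"
        results.append((f["src"], user, f["url"]))
    return results

def report():
    return attribute(URL_LOG, build_login_index(AUTH_LOG))

if __name__ == "__main__":
    for src, user, url in report():
        print(f"{src:<12} {user:<13} {url}")
```

The same address is attributed to alice before carol's 12:30 login and to carol afterwards, and the request from 10.1.2.99 is left unattributed because no authentication event covers it.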