Re: [ISN] Microsoft "solves" hacking mystery

From: InfoSec News (isnat_private)
Date: Wed Sep 11 2002 - 23:10:49 PDT


    Forwarded from: H C <keydet89at_private>
    Cc: dittrichat_private, thorat_private
    
    
    > This is one of the poorest of administration and security practices,
    > yet people continually think this is perfectly OK to do
    
    Agreed.  I've seen this done in data centers when setting up
    customer's web hosted systems.  This, and allowing the Anonymous user
    to have write-access to the drive via FTP.  And I'm not talking a home
    user setting up a system...I'm talking MCSE+I's setting up systems for
    a web hosting product.
    
    > The fact that Windows 2000 and NT ALLOW THIS BY DEFAULT is the
    > problem (Windows XP does not).
    
    I would agree that it is A problem, but I think the real problem is
    simply lack of knowledge/laziness on the part of those who install
    these systems.
     
    > but they didn't know the details because "wipe/reinstall" is the
    > de-facto method of choice for incident response, which is a very
    > poor way to go.  No data to analyze means no conclusions (and repeat
    > problems, I can guarantee it.)
    
    You're absolutely right.  There are a couple of quick things that can
    be done on Windows systems (NT/2K/XP) to determine if there is even an
    incident at all...simply watching the lists shows that there's a lot
    of activity from the OS and applications that admins and users first
    suspect is malware-related.  Remember, there were many Win2K systems
    that got infected w/ CR/Nimda, and the owners didn't even realize they
    had IIS installed.
    
    > Host and network level forensics (even the most basic) do take some
    > time, but is the best way to get to the bottom of things.
    
    I recently had an article published on SF that may be of assistance:
    
    http://online.securityfocus.com/infocus/1624
    
    Also, I teach a course in Win2K "live" forensics...we take a look at
    how systems are broken into, how to prevent it, what to look for, and
    how to handle incidents.
    
    I'm also developing my own home-grown project, a forensics server.  
    It's mostly completed, and I've got one or two clients finished (all
    very pre-beta).  The basic idea is to provide a CD to the first
    responder with the clients...she pops the CD into the "victim" system,
    and runs the configuration, and then the tools.  The information is
    sent off of the "victim" system via a socket, similar to
    netcat...except that the server not only stores the data, but also
    documents all activity.  The client for copying files simply requires
    that the first responder select the files they want copied...the
    client handles collection of data (MAC times, hashes, etc), copying of
    the file to the server, and the server handles documentation,
    including hash verification.
    
    I'll admit that this project is slow in development, but that's mostly
    b/c (as usual) things that pay the bills take precedence...and there
    doesn't seem to be a whole lot of interest in such a thing right now.
    
    I'm planning on releasing this as open source, GPL'd...the tools are
    all written in Perl, so the server and clients can be used on or
    written for other platforms.
    
    Carv
    
    
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
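
The file-copy exchange described in the message above, as an added example in Python. It is not the author's Perl tools, which do not appear on this page. The wire format (one JSON header line followed by the raw bytes), the use of SHA-256, and all function names are assumptions made for illustration.

```python
import hashlib, json, os, socket, tempfile, time

def collect(path):
    """Client: record MAC times and a hash before the file leaves the host."""
    st = os.stat(path)  # stat first: reading the file can update its access time
    with open(path, "rb") as f:
        data = f.read()
    meta = {"path": path, "size": st.st_size, "mtime": st.st_mtime,
            "atime": st.st_atime, "ctime": st.st_ctime,
            "sha256": hashlib.sha256(data).hexdigest()}
    return meta, data

def send_file(sock, meta, data):
    """Client: one JSON header line, then the raw file bytes."""
    sock.sendall(json.dumps(meta).encode() + b"\n" + data)

def receive_file(sock, store_dir, log):
    """Server: store the copy, re-hash it, and document the transfer."""
    stream = sock.makefile("rb")
    meta = json.loads(stream.readline())
    data = stream.read(meta["size"])
    # basename only: the sending host never chooses the storage directory
    dest = os.path.join(store_dir, os.path.basename(meta["path"]))
    with open(dest, "wb") as f:
        f.write(data)
    entry = dict(meta, stored_as=dest, received=time.time(),
                 verified=hashlib.sha256(data).hexdigest() == meta["sha256"])
    log.append(entry)
    return entry

def demo(tamper=False):
    """Run both ends over a local socket pair on a constructed sample file."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "sample.log")
    with open(src, "wb") as f:
        f.write(b"constructed sample evidence\n")
    store = os.path.join(work, "store")
    os.mkdir(store)
    client, server = socket.socketpair()
    meta, data = collect(src)
    if tamper:  # simulate corruption in transit: same length, different bytes
        data = b"X" + data[1:]
    send_file(client, meta, data)
    client.close()
    entry = receive_file(server, store, log=[])
    server.close()
    return entry

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The server's log entry keeps the client-reported hash next to its own verification result, so a copy that changed in transit is recorded as unverified and is not silently accepted.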
    



    This archive was generated by hypermail 2b30 : Thu Sep 12 2002 - 01:36:20 PDT