Re: Red Hat compromise

From: Dave Dittrich (dittrichat_private)
Date: Tue May 22 2001 - 12:27:16 PDT

    Lisa,
    
    > Thought someone
    > might be able to shed some light on how the person got into the box and
    > also how one might monitor this compromise.
    
    Speculation about intrusion methods is not the same as knowing for
    sure (or at least to a high degree of certainty).  Sure, there are
    lots of known exploits, but listing them is not the same as
    implicating the one that was used.
    
    >  I have already told him to
    > reinstall.
    
    Hopefully *after* he makes a bit image copy of the hard drive,
    especially if you intend on prosecution.  You can't analyze data that
    no longer exists.
    
    > Most of the literature on security is on how to protect yourself, how to
    > build walls. That's fine, I can do that (ugh), but once they are over the
    > wall, how can we find out who they are and where they are located? If I do
    > leave a hole in the wall, how can I restrict them and monitor what they try
    > to do? I would like to get a name and address so I could turn them in to the
    > authorities, but I would settle for any kind of evidence that would be
    > worthwhile reporting.
    >
    > Have any suggestions?
    
    The Honeynet Project Forensic Challenge aimed to do exactly that.  To
    document examples (14, in fact) of how one can analyze a compromised
    system and answer the questions posed.  Knowing how they got in will
    also help in defense in the future.  See:
    
    	http://project.honeynet.org/challenge/results/
    
    Also, the first thing I read was "stuck the systems behind a firewall
    using NAT", followed by an obvious description of remote exploit of a
    service, which wouldn't be possible with classic NAT firewalls, unless
    the system was specifically exposed.  This is one of the risks of
    "firewalls" (that you've actually put some box in front that magically
    protects the systems from all harm.) Building a bad firewall is worse
    than not even trying to build a firewall, since you have a false
    expectation that you are protected.  Better also have them get a book
    on firewall implementation.
    
    --
    Dave Dittrich                           Computing & Communications
    dittrichat_private             University Computing Services
    http://staff.washington.edu/dittrich    University of Washington
    
    PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
    Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
    
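As an added example that is not part of Dave Dittrich's message, the following POSIX shell script makes the bit image copy he recommends before the box is reinstalled and records hashes so an analyst can later show the copy matches the original. The paths, the log format and the constructed 1 MiB sample "disk" are assumptions; on a real case the source would be the suspect drive attached read-only.

```shell
#!/bin/sh
# Added example (not from Dave Dittrich's message): take a bit-for-bit
# image of a suspect disk before it is reinstalled, and record hashes so
# the copy can later be shown to match what was seized. All paths are
# placeholders; SOURCE would normally be a read-only block device.
set -u

# image_and_verify SOURCE IMAGE LOG
# Copies SOURCE to IMAGE sector by sector, hashes both, appends a custody
# record to LOG. Returns 0 only if the two hashes agree.
image_and_verify() {
    src=$1; img=$2; log=$3
    # noerror: continue past unreadable sectors; sync: zero-fill them so
    # offsets in the image still line up with the original device.
    dd if="$src" of="$img" bs=512 conv=noerror,sync status=none || return 2
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    {
        echo "date: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source: $src $(wc -c < "$src") bytes sha256=$src_hash"
        echo "image: $img $(wc -c < "$img") bytes sha256=$img_hash"
    } >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE LOG
# Re-hashes IMAGE and compares it with the hash recorded in LOG, which is
# how a later analyst checks that the evidence copy was not altered.
verify_image() {
    img=$1; log=$2
    recorded=$(awk -v f="$img" '$1=="image:" && $2==f {h=$NF} END {print h}' "$log")
    recorded=${recorded#sha256=}
    [ -n "$recorded" ] || return 2
    [ "$(sha256sum "$img" | cut -d' ' -f1)" = "$recorded" ]
}

# Demo on a constructed 1 MiB "disk" (a plain file) so it runs offline.
work=$(mktemp -d)
dd if=/dev/urandom of="$work/disk.raw" bs=512 count=2048 status=none
if image_and_verify "$work/disk.raw" "$work/disk.img" "$work/custody.log"; then
    echo "image matches source; custody record in $work/custody.log"
fi
rm -rf "$work"
```

Hash the source before anything is mounted or written, and keep the image and its log on media separate from the compromised host.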
    This archive was generated by hypermail 2b30 : Tue May 22 2001 - 17:02:33 PDT