Re: Red Hat compromise

From: Dave Dittrich (dittrichat_private)
Date: Tue May 22 2001 - 12:27:16 PDT

Next message: Erin Kenneally: "Hard Drive Write Blocker"

Previous message: Andrew Thomas: "RE: Red Hat compromise"
In reply to: Lisa Bogar: "Red Hat compromise"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Lisa,

> Thought someone
> might be able to shed some light on how the person got into the box and
> also how one might monitor this compromise.

Speculation about intrusion methods is not the same as knowing for
sure (or at least to a high degree of certainty).  Sure, there are
lots of known exploits, but listing them is not the same as
implicating the one that was used.

>  I have already told him to
> reinstall.

Hopefully *after* he makes a bit image copy of the hard drive,
especially if you intend on prosecution.  You can't analyze data that
no longer exists.

> Most of the literature on security is on how to protect yourself, how to
> build walls. That's fine, I can do that (ugh), but once they are over the
> wall, how can we find out who they are and where they are located? If I do
> leave a hole in the wall, how can I restrict them and monitor what they try
> to do? I would like to get a name and address so I could turn them in to the
> authorities, but I would settle for any kind of evidence that would be
> worthwhile reporting.
>
> Have any suggestions?

The Honeynet Project Forensic Challenge aimed to do exactly that.  To
document examples (14, in fact) of how one can analyze a compromised
system and answer the questions posed.  Knowing how they got in will
also help in defense in the future.  See:

	http://project.honeynet.org/challenge/results/

Also, the first thing I read was "stuck the systems behind a firewall
using NAT", followed by an obvious description of remote exploit of a
service, which wouldn't be possible with classic NAT firewalls, unless
the system was specifically exposed.  This is one of the risks of
"firewalls" (that you've actually put some box in front that magically
protects the systems from all harm.) Building a bad firewall is worse
than not even trying to build a firewall, since you have a false
expectation that you are protected.  Better also have them get a book
on firewall implementation.

--
Dave Dittrich                           Computing & Communications
dittrichat_private             University Computing Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

Next message: Erin Kenneally: "Hard Drive Write Blocker"
Previous message: Andrew Thomas: "RE: Red Hat compromise"
In reply to: Lisa Bogar: "Red Hat compromise"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue May 22 2001 - 17:02:33 PDT