Yes, I see. When reading the mails initiating this thread I thought that the owner of the computer whose logs we are interested in was "on the side of the law" (and that there existed a time, the initial time, when the computer wasn't compromised).

If the computer is compromised before the logs start being recorded, then there is not much that can be done. Even if you are printing the logs (either on a CD-ROM or on an ink printer), they could easily be tampered with by the compromiser.

Supposing that the computer has not been compromised at the initial time, when the log record (and the parallel log check process) are started, then there is still the question of whether the computer owner is compromised or not. If he is compromised, he could do whatever he wanted, from changing the whole computer for a new one (the old one staying stored at home) to simpler solutions such as replacing the HD, or simply formatting it, eliminating every program producing a log, and plenty more. (I am supposing, without much foundation but with intuition, and I might not be right, that an old enough HD would have so many log records that not much could be deciphered out of them.)

Now the hardware could be ID'd, but it seems impossible that there is a permanent check on whether a computer hasn't been replaced, or only some of its components have been replaced. E.g., the use of hardware IDs as in Microsoft's Windows X proved to be easily tamperable. (But all these solutions could be surpassed with enough time of compromise over the computer, such as a computer owner is in possession of.)

Finally, provided the computer hasn't been tampered with and the user is not malicious, there are plenty of solutions using message authentication codes (MACs), such as is done in the citations I provided, Futoransky's and Kargieman's PEO. Notice that a simple print on a server printer, or even a writable CD-ROM, could be intercepted or tampered with.
Encryption could make things more difficult for a third party, but at least it would be possible to destroy the records by intercepting them. So I strongly suggest that a check (e.g., with MACs) is continuously done. After a certain amount of time the lawful user could write everything to disk after a checkup, and sign the contents as correct (with timestamp and whatever else would be required). The server administrator could take the place of the computer owner, and a timely checkup by a server that has set up a PEO client in the computer under study could overcome most of these problems.

best,
Ariel Waissbein

rferrellat_private wrote:
>
> Hi folks,
>
> One of the solutions to the log authentication problem I've been pondering
> lately is the write once/read many network logging device. This could be
> essentially a CD-ROM drive (or the equivalent technology) designed to write
> a copy of the log in real time, using a process that makes subsequent overwrites
> physically impossible (or as near to impossible as one can get in this business),
> at least without obvious signs that an overwrite has been attempted. We know,
> for example, that each write pass over magnetic media leaves a permanent
> trace in the media substrate, so a detector specially designed to check for
> multiple writes could be employed as a verification check before and after
> the media was loaded into the drive. It could even burn a permanent record
> of the initial verification run, protected by a checksum (for example) in the
> header of the disk itself.
>
> This is all highly speculative, of course, although some aspects of
> this technology do already exist, and it doesn't address the issue of verifying
> currently existing logs. It would be expensive to develop and, at least initially,
> to deploy, but it might be a viable long term means of coming to terms with
> the electronic record verification problem.
>
> In thinking about the problem, I was
> reminded of my days in corporate security, when alarms and other electronically
> monitored security incidents were recorded in real time on a dot matrix continuous
> feed stack, attempted alterations to which were usually quite easy to
> spot. Courts seemed to have little trouble accepting those logs as genuine.
>
> Just a little postulating from a speculative fiction writer...
>
> ;-)
>
> Cheers,
>
> RGF
>
> Robert G. Ferrell, CISSP
>
> -----------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

--
==============[ CORE Security Technologies ]=============
Ariel Waissbein
Researcher - Corelabs
email : ariel_waissbeinat_private
http://www.corest.com
=========================================================
I was scared. Petrified. Because (x) hearing voices isn't like catching a cold, you can't get rid of it with lemon tea (y) it's inside, it is not some naevus, an epidermal blemish you can cover up or cauterise (z) I had no control over it. It was there of its own volition, just stopped in and (zz) I was going bananas.
-Tibor Fischer ``The Thought Gang"
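The continuous MAC-based check that Ariel describes can be illustrated with a small forward-secure log chain. This is an added example, not PEO's code or anything from the CORE paper: each record is tagged with an HMAC over the previous tag plus the record, and the key is evolved one-way after every write and the old key discarded, so an attacker who takes over the machine later cannot recompute tags for earlier entries. A verifier holding the initial key (the remote server or checkup process in the message) replays the chain and reports the first record that fails. The key, the log lines and the class and function names are all constructed for this example.

```python
import hashlib
import hmac

def _next_key(key: bytes) -> bytes:
    """Evolve the MAC key one-way; the previous key is then unrecoverable on the host."""
    return hashlib.sha256(b"evolve|" + key).digest()

class ForwardSecureLog:
    """Host-side writer: appends records and keeps only the *current* key (hypothetical design)."""

    def __init__(self, initial_key: bytes):
        self._key = initial_key
        self._prev_tag = b""        # chains each tag to the one before it
        self.entries = []           # list of (record, tag_hex) as stored on disk

    def append(self, record: str) -> str:
        tag = hmac.new(self._key, self._prev_tag + record.encode(), hashlib.sha256).digest()
        self.entries.append((record, tag.hex()))
        self._prev_tag = tag
        self._key = _next_key(self._key)   # old key discarded right after use
        return tag.hex()

    def checkpoint(self):
        """Value the verifier stores at each periodic checkup (count, latest tag)."""
        return (len(self.entries), self._prev_tag.hex())

def verify_log(initial_key: bytes, entries, checkpoint=None) -> int:
    """Verifier side: returns -1 if the chain is intact, otherwise the index of the
    first entry that fails. With a stored checkpoint, tail truncation or
    unauthorised appends are reported as len(entries)."""
    key, prev_tag = initial_key, b""
    for i, (record, tag_hex) in enumerate(entries):
        expected = hmac.new(key, prev_tag + record.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(tag_hex)):
            return i
        prev_tag, key = expected, _next_key(key)
    if checkpoint is not None and (len(entries), prev_tag.hex()) != checkpoint:
        return len(entries)
    return -1

def demo():
    """Constructed scenario: three syslog-like lines, then three kinds of tampering."""
    initial_key = b"constructed-initial-key-shared-with-verifier"
    log = ForwardSecureLog(initial_key)
    for line in ("sshd: accepted login for alice from 10.0.0.5",
                 "sudo: alice ran /bin/sh",
                 "kernel: module example.ko loaded"):
        log.append(line)
    cp = log.checkpoint()

    modified = list(log.entries)
    modified[1] = ("sudo: alice ran /usr/bin/less", modified[1][1])   # edit a record in place
    deleted = [log.entries[0], log.entries[2]]                          # remove the middle record
    truncated = log.entries[:2]                                         # drop the newest record

    return {
        "intact": verify_log(initial_key, log.entries, cp),       # -1
        "modified": verify_log(initial_key, modified),            # 1
        "deleted": verify_log(initial_key, deleted),              # 1
        "truncated_no_checkpoint": verify_log(initial_key, truncated),  # -1: undetectable alone
        "truncated_with_checkpoint": verify_log(initial_key, truncated, cp),  # 2
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'ok' if result == -1 else 'first bad entry ' + str(result)}")
```

The last two results make Ariel's point about periodic sign-off concrete: the chain alone catches edits and deletions in the middle, but cutting the newest records off the end is invisible unless the verifier has recorded the count and latest tag at the previous checkup. That stored checkpoint is what the timestamped, signed writeout after each check provides.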
This archive was generated by hypermail 2b30 : Sun Jul 29 2001 - 09:13:21 PDT