Re: How to obtain a complete list of CR2 compromised hosts

From: Kee Hinckley (nazgulat_private)
Date: Mon Aug 06 2001 - 10:16:54 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    At 1:51 AM -0500 8/6/01, Joe Shaw wrote:
    >It is reckless and dangerous to suggest that the first step of recovery
    >from any type of security compromise is to delete relevant information,
    >especially system or application logs without first examining them.
    
    There's the right way to do something, and there's what J.Random User 
    running Personal Web Server is going to put up with.  You need to 
    come up with two solutions to any given attack--one for the savvy 
    tech user and/or system admin, one for the unsavvy home user.  The 
    latter is not going to read log files, report compromised hosts or do 
    anything else other than follow an absolutely minimal set of 
    instructions.
    
    We need to change our mindset here.  Server attacks are no longer 
    just dealt with by "admin/IT/Infosec/whomever staff".  Solutions need 
    to address both audiences.  If we can't successfully come up with 
    dual solutions, home users will eventually be unable to run services 
    at all.  (I posted a longer discussion of this issue a few days ago, 
    but it was moderated out.  Unfortunately I don't think it's wise to 
    examine incidents without also examining the social consequences of 
    the incidents and their solutions.)
    
    As a side note.  The "wipe the machine and reinstall option" becomes 
    doubly problematic with Windows XP.  Never mind that most home users 
    don't do backups--if I read the news on XP installations correctly, 
    they won't be able to do a reinstall without getting permission from 
    Microsoft.  :-)
    - -- 
    
    Kee Hinckley - Somewhere.Com, LLC
    http://consulting.somewhere.com/
    
    I'm not sure which upsets me more: that people are so unwilling to accept
    responsibility for their own actions, or that they are so eager to regulate
    everyone else's.
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP Personal Security 7.0.3
    
    iQA/AwUBO27RHSZsPfdw+r2CEQIbKQCgnMUxhIsnL0TZuCH9mNhtFZC6hAkAnjr9
    7ncjej1Cb7nQH/moYjQYYT2B
    =xC8x
    -----END PGP SIGNATURE-----
    
    


