RE: maybe a simple problem

From: Brooke, O'neil (EXP) (o'neil.brookeat_private)
Date: Wed Oct 02 2002 - 13:17:37 PDT

  • Next message: Greg Reber: "RE: maybe a simple problem"

    Hi Andrew, 
    
    	If your client is involved in activity that makes him a target for
    malicious activity he should do much more than run netstat. Remote Access
    Trojans (RATs) do not necessarily cause any disruption to the workstation
    if the remote attacker is at all careful. 
    
    	If people are specifically targeting him, they can and probably
    will get malicious code installed on his machine. Get this man professional
    help ASAP! 
    
    	An evaluation of his work flow should be done so that critical
    functions/information are not vulnerable to compromise. This means moving
    critical documents and contracts to a computer that is not networked. If
    these attackers were to gain access to NegotiatingPoints.doc before the
    meeting on Friday, could that information be used to his disadvantage? If so,
    why is he composing NegotiatingPoints.doc on a platform that can be
    compromised? Let him work with this critical information on a standalone
    host and then copy it over to the email system by floppy/zip/cd/jazz when
    necessary. While this level of protection may not be justifiable in normal
    circumstances, if he suspects malicious activity, it may be justifiable for
    now. Think like the attacker for a minute: read one of his emails, find out
    what version of Outlook he has, identify bugs or exploits for it, send him a
    custom crafted message to exploit the bug and install malicious code. 
    
    	He should also get professional help in evaluating the security of
    his corporate environment. Are things properly firewalled? Does IT have a
    proven disaster recovery plan in effect? What would happen if these people
    were to take out some central servers? Could that be used to place him in a
    weak position during negotiations? Are there intrusion detection systems
    around so that he will know if someone is attacking him? Does he have
    contacts with any forensic investigators so that he can launch a proper
    investigation that may result in legal action if malicious activity is
    detected? Or will his IT shop botch the investigation?
    
    	In this case I really think he should get the forensic investigators
    onboard with some sort of a service agreement, i.e. they will provide services if
    required within X hours of incident detection. Then make this agreement
    publicly known. While it does not provide much in the way of proactive
    security, it will serve as a deterrent if the hostile parties become aware of
    it. This follows the Art of War: "Win the war by destroying your opponent's
    will to fight." If he has professional forensic investigators onboard, they
    will not want to risk computer hacking charges.
    
    Good luck, 
    
    O'Neil.
    
    -----Original Message-----
    From: Andrew Fison [mailto:afison@brit-tex.net]
    Sent: October 2, 2002 5:37 AM
    To: incidentsat_private
    Subject: maybe a simple problem
    
    
    I have a client who believes that their Win98 PC has been hacked with some
    remote control software. They are pretty vague and not close by, so I cannot
    look at the machine all the time. I asked them to run netstat when they think
    they are being spied on, but as yet they have not given me anything useful.
    
    I think there is reason to believe them, as the owner is involved in a hostile
    boardroom takeover of his company by some other entities. Whilst this is
    legal, they have used other underhand methods against my customer before, and
    they are trying to force him to sign over the business to them a little too
    swiftly.
    
    This all started when his wife was using the PC and a telescope came on the
    screen and then disappeared. Since then the machine crashes, documents
    pertaining to the business have gone missing, etc. Any clues as to what this
    telescope could be?
    
    yours
    
    andrew
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
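    Both messages above lean on "netstat" as the check the client can run himself. The
    script below is an added example, not code from either poster: it parses the
    plain-text output of "netstat -an" as a Windows 9x/NT box prints it and flags
    (a) listeners outside a small expected set and (b) established connections to
    hosts outside the office's private address space, annotating hits that fall on
    the default ports of remote-control trojans of the period (NetBus 12345/12346
    TCP, SubSeven 27374 TCP, Back Orifice 31337 UDP). The sample output, the
    expected-listener set and the 192.168.1.0/24 office network are constructed
    assumptions. The caveat O'Neil makes still applies: Win98 netstat cannot say
    which program owns a socket, a careful attacker can pick any port, and a
    kernel-level or netstat-hooking RAT will not show up at all, so a clean report
    proves nothing.

```python
import ipaddress
import re

# Constructed sample of "netstat -an" output in the Windows 9x/NT layout.
# Not captured from the machine discussed in the thread; 203.0.113.7 is a
# documentation address standing in for an attacker-controlled host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1031      192.168.1.1:139        ESTABLISHED
  TCP    192.168.1.20:1045      203.0.113.7:27374      ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""

# Default ports of remote-control trojans common around 2002. Hints only:
# every one of them is trivially reconfigured by the attacker.
KNOWN_RAT_PORTS = {
    ("TCP", 12345): "NetBus",
    ("TCP", 12346): "NetBus",
    ("TCP", 27374): "SubSeven",
    ("UDP", 31337): "Back Orifice",
}

# Assumed baseline for a Win98 box doing file/print sharing in a small office:
# NetBIOS session (TCP 139), name (UDP 137) and datagram (UDP 138) services.
EXPECTED_LISTENERS = {("TCP", 139), ("UDP", 137), ("UDP", 138)}

# Addresses we treat as "inside": RFC 1918 space, loopback and the wildcard.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/32")]

# One netstat row: proto, local endpoint, foreign endpoint, optional state
# (UDP rows carry no state and show "*:*" as the foreign endpoint).
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_endpoint(endpoint):
    """'host:port' -> (host, int port) ; '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn raw netstat -an text into a list of row dicts, skipping headers."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport, "state": state or ""})
    return rows


def is_external(host):
    """True for a routable address outside the internal ranges above."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:          # "*" or a hostname: cannot judge, do not flag
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def rat_hint(proto, port):
    name = KNOWN_RAT_PORTS.get((proto, port))
    return f" (default port of {name})" if name else ""


def find_suspicious(rows):
    """Return human-readable findings for unexpected listeners and outbound
    connections to external hosts. An empty list is NOT a clean bill of health."""
    findings = []
    for r in rows:
        # Win9x prints LISTENING for TCP; a UDP socket bound with "*:*" is a listener.
        listening = r["state"] == "LISTENING" or (r["proto"] == "UDP" and r["fhost"] == "*")
        if listening and (r["proto"], r["lport"]) not in EXPECTED_LISTENERS:
            findings.append(f"unexpected {r['proto']} listener on port {r['lport']}"
                            + rat_hint(r["proto"], r["lport"]))
        if r["state"] == "ESTABLISHED" and is_external(r["fhost"]):
            findings.append(f"connection to external host {r['fhost']}:{r['fport']}"
                            + rat_hint(r["proto"], r["fport"]))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(parse_netstat(SAMPLE_NETSTAT)):
        print(finding)
```

    To use it on a real box, have the client run "netstat -an > netstat.txt" while
    the symptoms are occurring and again when they are not, and diff the two; an
    ESTABLISHED line to an address he cannot account for is worth more than any
    port-number match. Treat the result as a reason to call in the forensic people,
    not as a verdict.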
    



    This archive was generated by hypermail 2b30 : Wed Oct 02 2002 - 13:57:38 PDT