> From: H C [mailto:keydet89at_private]
> Sent: Thursday, 21 February 2002 3:37 a.m.
> To: Steve Wray; Russell Fulton; Lubomir.Nistor@star-21.de
> Cc: loganalysisat_private
> Subject: RE: [logs] hack attempts && price
>
> > I think it all boils down to this; our cultural association
> > with this sort of technology is only just beginning.
> > Everything is essentially having to be learned from scratch
> > by everyone who gets into it even just a little bit.
>
> I don't know. I would agree that this is the case for
> things like recent/current MCSEs, but Unix admins had
> this all down pat years ago. Of course, 'zero
> knowledge administration breeds zero knowledge
> administrators'; re: NTFS alternate data streams, etc.

Sure, but what I'm trying to get at is the level of social pressure on
sysadmins. In the case of the callout I got, the general manager there is
now much more aware of these issues and knows what to ask her sysadmins
etc. She will doubtless pass this sort of thing on to her friends, and so
the body of cultural knowledge will grow.

Sysadmins will frequently only do what they are *asked* to do, or are
required to do (particularly the case, I feel, for 'certified' technicians
who typically follow procedures, and when those procedures don't help for
the specific situation things can fall apart).

> I teach a 2-day, hands-on incident response course for
> NT/2K. I've had folks ask me during the course, "why
> would someone want to break into my computer??"

And, briefly, what do you tell them?

> > It's going to take a while before these manners of thinking
> > have gotten into the popular culture enough to do any good.
>
> I agree, but I don't see why. As a security
> consultant, I have been reporting this to clients for
> years. When I was a security manager, I tried to get
> folks to change their manner of thinking sooner rather
> than later. It's a cultural thing.
I think that it's something that has to seep into our body of common
knowledge, as things to do with other technologies have seeped in. Who,
today, would wear a jockstrap packed with radium? Not so long ago, this was
a 'patent medicine'. :) Nowadays, after quite some time, our cultural
awareness of the hazards of radiation has improved. The same will happen
WRT computer 'stuff'.

[snip]

> > I got a callout from a company that had been hacked
> > and their internet access taken down for two
> > business days. Because their 'official' admins hadn't been checking
> > logs. Or hadn't been aware of what they were seeing.
>
> Which takes us back to the original issue...how can
> you put a price tag on security, or compute ROI, in a
> situation like that? What was the 'hack' (you didn't
> mention the company name, which was good...thought I'd
> ask what happened)? Did it require two days of
> downtime? Could it have been prevented? In the
> aftermath, was there anything useful in the logs?

Ok, well, when I checked it, it (Linux box) was booting, but barely, and
nothing would run (complaining about missing libc 5). I booted it from a
rescue disk and checked the logs.

Over the previous 10 days it had been used as a launchpad by a group of
(apparently) Romanian hackers. They had started trying to hack in (via an
old sshd) about another 10 days before that. The logs were full of sshd
complaining about people trying to connect as root from .ro domains, and
eventually there was a successful one. From then on they installed rootkits
and hacking tools to the bliss of their savage little hearts, and tried to
hack into other sites.

Eventually, it seems, one of them tried to install some kit that hides
rootkits, only it was compiled for libc 5, and the system didn't have the
libraries. That's when it fell over and I was called in (because the site
is in NZ and their admins are in AU).
From my perspective, it shouldn't have been down for two days, but my role
was purely diagnostic and I had no control over the process of rebuilding
the system. I told the general manager that their admins had absolutely NO
excuse for letting things get that far; the log entries were very clear. I
think they got a rocket up them. 8)

It could easily have been prevented by maintaining an up-to-date sshd. This
was a well-known exploit that even script kiddies could have (and did,
judging by the contents of .bash_history (no, they didn't clear it; it was
full of erroneous command lines such that I'm fairly certain that they
didn't *really* know their way around Unix)).

> > Their general manager was absolutely distraught.
> > They *sure* became aware of how hacking can impact one's
> > business life, and she now has a nice horror story to
> > tell as well. Word gets about, people learn. It
> > takes time tho.
>
> Unfortunately, in situations like this, *most* folks
> demonize the 'hacker', rather than address the real
> issue...which is, what was so wrong with our processes
> that this happened? If any changes are made, just
> wait 6 months...complacency will set in again.

Yes, that's why I made sure that the manager was aware of what had happened
and why it shouldn't have been allowed to happen in the first place.

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
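As an added illustration (not part of the thread), the pattern Steve describes, a run of failed root logins from one source followed by an accepted one, is cheap to pick out of sshd syslog output. The log lines below are constructed in the classic OpenSSH/syslog layout and are not from the compromised host; the exact field layout, and the use of numeric source addresses rather than resolved .ro hostnames, are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (documentation-range IPs, made-up hostnames).
SAMPLE_LOG = """\
Feb 10 02:11:03 gw sshd[1021]: Failed password for root from 203.0.113.17 port 4122 ssh2
Feb 10 02:11:09 gw sshd[1023]: Failed password for root from 203.0.113.17 port 4130 ssh2
Feb 10 02:11:15 gw sshd[1025]: Failed password for root from 203.0.113.17 port 4138 ssh2
Feb 10 02:11:21 gw sshd[1027]: Failed password for root from 203.0.113.17 port 4146 ssh2
Feb 10 02:11:27 gw sshd[1029]: Accepted password for root from 203.0.113.17 port 4154 ssh2
Feb 10 03:40:02 gw sshd[1100]: Accepted publickey for alice from 198.51.100.5 port 51022 ssh2
Feb 10 04:02:44 gw sshd[1132]: Failed password for root from 192.0.2.9 port 3390 ssh2
"""

# Matches "Accepted|Failed <method> for [invalid user] <user> from <src> port <n>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_sshd(lines):
    """Yield a dict per recognised sshd auth line; unrelated lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_brute_force_successes(log_text, threshold=3):
    """Return (src, user, failures_before_success, ts) for every login that was
    preceded by at least `threshold` failed attempts from the same source for
    the same account. A success resets the counter for that (src, user) pair."""
    failures = defaultdict(int)
    hits = []
    for ev in parse_sshd(log_text.splitlines()):
        key = (ev["src"], ev["user"])
        if ev["result"] == "Failed":
            failures[key] += 1
        else:
            if failures[key] >= threshold:
                hits.append((ev["src"], ev["user"], failures[key], ev["ts"]))
            failures[key] = 0
    return hits


if __name__ == "__main__":
    for src, user, n, ts in find_brute_force_successes(SAMPLE_LOG):
        print(f"{ts}: {src} logged in as {user} after {n} failed attempts")
```

The lone failure from 192.0.2.9 and alice's key login are ignored; only the source that failed four times and then got in as root is reported, which is exactly the entry the admins in the story should have acted on.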
This archive was generated by hypermail 2b30 : Wed Feb 20 2002 - 17:16:09 PST