Re: Odd situation, advice needed on penentration test results

From: Ido Dubrawsky (idubrawsat_private)
Date: Wed Mar 26 2003 - 16:16:09 PST

Next message: hellNbak: "Re: Thankyou"

Previous message: Greg Reber: "RE: Odd situation, advice needed on penentration test results"
In reply to: Harlan Carvey: "Re: Odd situation, advice needed on penentration test results"
Next in thread: Greg Reber: "RE: Odd situation, advice needed on penentration test results"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Mar 26, 2003 at 02:01:44PM -0800, Harlan Carvey wrote:
> Ido,
> 
> I would agree that the system needs to be secured, but
> what good does shutting down the system do if you
> loose all of the volatile data, such as running
> processes, network connections, etc?  How do you trace
> the issue back to whomever is responsible if you don't
> even know what IP address they're coming from, b/c
> you've lost the volatile data?
> 
That's where network packet logging and possibly IDS would be useful.  I
agree that capturing the IP source address is important.
>
> I'm not sure I completely understand your reasoning
> here.  If you unplug the power from the system, and
> the NIC goes down (due to lack of power), wouldn't the
> system itself shut off?  Wouldn't the hard drive stop
> spinning and the CPU no longer process instructions?  
> 
> If that's the case...how's a logic bomb going to
> execute?
> 
Actually, that's what happens when you have two trains of thought in your 
head and only write half of each.  I meant to say that you should be careful
because the intruder may have set up a logic bomb that if the network inter-
face goes down then the system (or at least his files) get wiped.  That's the
reason why it may be better to simply unplug the system at the power source
since then there should (theoretically) be no way for a logic bomb that 
triggers on network interface connectivity from wiping the system before you 
have a chance to capture the drive image.  I was writing on two things and
forgot to make sure I was complete on both of them.  Sorry.

Ido
-- 
===========================================================================
                        | Ido Dubrawsky          E-mail: idubrawsat_private
     |          |       | Network Security Architect
    :|:        :|:      | VSEC Technical Marketing, SAFE Architecture Team
   :|||:      :|||:     | Cisco Systems, Inc.
.:|||||||:..:|||||||:.  | Silver Spring, MD. 20902
===========================================================================

top spam and e-mail risk at the gateway.
SurfControl E-mail Filter puts the brakes on spam & viruses
and gives you the reports to prove it. See exactly how much
junk never even makes it in the door. Free 30-day trial:
http://www.surfcontrol.com/go/zsfptl1

Next message: hellNbak: "Re: Thankyou"
Previous message: Greg Reber: "RE: Odd situation, advice needed on penentration test results"
In reply to: Harlan Carvey: "Re: Odd situation, advice needed on penentration test results"
Next in thread: Greg Reber: "RE: Odd situation, advice needed on penentration test results"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Mar 27 2003 - 08:58:35 PST