Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: How we caught an Identity Thief
From: Valdis.Kletnieks () vt edu
Date: Mon, 20 Feb 2006 11:15:24 -0500

On Mon, 20 Feb 2006 09:15:12 EST, Babak Pasdar said:

1. I had to get back to our office from the client site over an hour
away :)  Laws of physics to New York City traffic apply no matter what.

Definite lack of resources there.  You *really* want to be at least 2 or 3
deep at the "first responder" position.  What if you had 5 minutes before
gotten on a plane headed for Los Angeles, and thus basically unreachable for
the next 6 hours?

2. The client or a security company's network are not the best source
for scanning and investigation activities.  Lest you have someone who
looks for these early signs of the investigation.  Scans have to be
alternately sourced.

Again, a security company that doesn't plan ahead for this and have a few
AOL or NetZero accounts already set up indicates a security company that
needs to get ahead of the learning curve.

3. Running a few commands by no means is an indication of a fully
packaged and verified set of information. A forensics case has to be
started fully documenting all actions and times for possible future
reference in legal proceedings.  Rushing through something like this and
not following procedure is the first step in being caught with your
pants down later.

Again, this should not add "hours".  If you have procedure in place, it
shouldn't add much more than 30-45 *seconds* to each command.  And if you're
really smart, you have all the initial queries in a script, and only need
to document that you ran the script....

Attachment: _bin

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]