[ On Thursday, August 31, 2000 at 15:32:56 (-0500), Frank Knobbe wrote: ]
> Subject: Re: Annoy Those Sub7 Scanners.
>
> Speaking of preserving them... On several occasions I have asked presenting
> consultants and even law enforcement if they were aware of any case
> where PGP was used to preserve and sign logs. Although everyone I
> talked to liked the idea, they could not tell me if that would pass
> in court or not. Does anyone here on this list have any info about
> using PGP for evidence preservation?
If I were called as an expert witness to attest to the integrity of any
logs from some third party's system I would be far more inclined to
acknowledge the validity of logs collected by a secure independent
"drop-safe" style log host than even PGP signed logs collected on the
source system, regardless of whether the source system had been
compromised in the incident in question or not.
The fact that an organisation has taken the trouble to create and use a
separate secure drop-safe log host suggests to me that they treat their
audit data very seriously indeed. While PGP signatures of log files (or
even individual records) would tend to indicate some attention to the
issues, the only really secure way to sign such log files involves
keeping copies of the resulting signatures in some form of secure
escrow, and/or using a second more trusted system to also encrypt the
logs with a secret key too. Use of PGP also implies direct manual
involvement (any automated system might be fooled into signing partial
or faked data). It would in fact be easier (i.e. less error prone, more
automatable) and more secure just to keep all of the log files in their
entirety in escrow. What does it matter if the logs are damaged and you
catch the damage with a signature mismatch when you don't have the
originals in the first place?!?!?!? As it turns out a separate truly secure
drop-safe log host is in fact a suitable form of real-time escrow!
--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods_at_acm.org> <robohack!woods>
Planix, Inc. <woods_at_planix.com>; Secrets of the Weird <woods_at_weird.com>
Received on Sep 02 2000
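An added example, not code from either poster, that models the two points made in the reply above: a per-record signature chained to its predecessor lets a verifier locate modified or deleted records and, if the final signature is held in escrow, catch truncation as well; but detection recovers nothing, so the escrowed (drop-safe) copy is what you actually fall back on. HMAC-SHA256 with a constructed key stands in for PGP so the block runs offline with the standard library; the key, the log lines and all function names are assumptions of this example.

```python
import hmac
import hashlib

# Constructed key for the example. In the scheme the reply describes, this
# secret lives only on the drop-safe host / in escrow, never on the source
# system whose logs it protects (a signer on the source host can be driven
# to sign whatever it is fed).
ESCROW_KEY = b"example-key-not-for-production"
GENESIS = b"\x00" * 32


def seal(records, key=ESCROW_KEY):
    """Chain each record to its predecessor: tag_i = HMAC(key, tag_{i-1} || record_i).

    Returns the list of (record, hex_tag) pairs plus the final tag, which is
    the one value escrow must retain to pin the chain's length.
    """
    sealed = []
    prev = GENESIS
    for rec in records:
        tag = hmac.new(key, prev + rec.encode(), hashlib.sha256).digest()
        sealed.append((rec, tag.hex()))
        prev = tag
    return sealed, prev.hex()


def verify(sealed, escrowed_final_tag, key=ESCROW_KEY):
    """Return (ok, first_bad_index); first_bad_index is None when ok.

    A modified or deleted record breaks every tag from that point on, so the
    index reported is the earliest record that cannot be trusted. Dropping
    records from the *end* leaves a valid shorter chain; only comparing the
    final tag with the escrowed copy catches that case.
    """
    prev = GENESIS
    for i, (rec, tag_hex) in enumerate(sealed):
        tag = hmac.new(key, prev + rec.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(tag.hex(), tag_hex):
            return False, i
        prev = tag
    if not hmac.compare_digest(prev.hex(), escrowed_final_tag):
        return False, len(sealed)  # chain intact but truncated
    return True, None


def recover(source_sealed, escrow_sealed, escrowed_final_tag, key=ESCROW_KEY):
    """Detection is not recovery: hand back the (verified) escrow copy and
    report which records on the source host were altered or are missing."""
    ok, _ = verify(escrow_sealed, escrowed_final_tag, key)
    if not ok:
        raise ValueError("escrow copy itself fails verification")
    src = [r for r, _ in source_sealed]
    esc = [r for r, _ in escrow_sealed]
    altered = [i for i, (a, b) in enumerate(zip(src, esc)) if a != b]
    missing = esc[len(src):]
    return esc, altered, missing


# Constructed sample log lines (not from any real system).
SAMPLE = [
    "Aug 31 15:32:56 host sshd[101]: Accepted publickey for ops from 10.0.0.5",
    "Aug 31 15:33:10 host sudo: ops : COMMAND=/bin/cat /var/log/auth.log",
    "Aug 31 15:34:02 host sshd[102]: Failed password for root from 10.0.0.9",
]


def demo():
    escrow, final_tag = seal(SAMPLE)  # copy forwarded to the drop-safe host
    source = list(escrow)             # copy left behind on the source host
    # Simulate post-incident tampering on the source host: record 1 rewritten.
    source[1] = (source[1][0].replace("/var/log/auth.log", "/etc/motd"), source[1][1])
    ok_modified, bad = verify(source, final_tag)
    # Simulate a copy that silently lost its last record.
    ok_trunc, bad_trunc = verify(escrow[:-1], final_tag)
    _, altered, missing = recover(source, escrow, final_tag)
    return ok_modified, bad, ok_trunc, bad_trunc, altered, len(missing)


if __name__ == "__main__":
    print(demo())
```

The tags alone tell an investigator only *that* and *where* the source copy diverged; the records you would actually present are the ones from the escrow copy, which is the reply's argument for making the drop-safe host the escrow rather than bolting signatures onto the source system.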