Security Basics mailing list archives

Re: compromised network - followups - yuppers


From: Alvin Oga <alvin.sec () Virtual Linux-Consulting com>
Date: Sat, 3 Jan 2004 10:59:10 -0800 (PST)


hi ya harlan

we justified $5K of damages and the fbi was involved
faster than you can blink ...

That's great.  I'm speaking from my experience in the
Northern VA area, as well as talking to members of FBI
and NIPC.  

cool... fbi country :-)
        - i got lost driving around in circles outside richmond
        

You're going to need the right kind of security dude.

and/or just a "list of things to do" after a (suspect) compromise


1.  I hate to be blunt about this, but if you
don't know what you're doing, why are you doing it?

comment...
sometimes people learn how to do things by making
mistakes???

That wasn't my point.  My point is that why is the
original poster sniffing network traffic when they
have no idea what they're doing?  No one ever said it
was a mistake.

yes... my comment is that people learn by poking around

it might look like Chinese characters/gibberish to English
language readers ...  so i concur that it might be pointless
to look at stuff one doesn't know what to look for

- but if you keep looking and want to learn, you will
  figure it out over years of studying the traffic/data
        - it's not a matter of sniffing for hours/days/months...
        one needs to "know precisely" what to look for 

        - i think sniffing lends itself to too much headache 
        and too many false alarms ...

    - and fed law ( in the usa ) states that the
cracked entity must disclose
    to all their clients of said activity and resulting
activities they did
    and any lost personal info .. etc..etc..etc... 

Which federal law is that?  I'm familiar with
California's SB 1386, but that law only requires
disclosure if sensitive information...SSN, credit card
number, etc...is compromised.  There's no indication

that's the one ... and i could have sworn it had a federal
counterpart ... ( but i could be out in fairy-tale wishful-land )

in this particular incident that such a thing
occurred.

yup...

=== reinstalling a cracked server is the worst
thing to do
=== restoring from backups is the 2nd worst possible
thing to do 
    - and depending on the number of machines you have,
that can take
    months or years to properly clean up the (insecure)
network 

I would agree...but only to a point.  Reinstalling
without knowing how things got broken is a bad idea.  

yes... just adding that regardless of anything,
it's a bad idea to reinstall, w/o being able to answer
the 100 basic questions after a compromise

        - the primary one being, how do you know the
        backup data does not have the trojan'd backdoors too
        and the gazillion questions about "backup data"
        
- personally.. it's fun to clean up the network after it's
  compromised and see what they did .. and preferably know
  who it was and go after their criminal butt 
        - only time i've reinstalled is when the cracker
        decided to run "rm -rf /" when they knew i knew
        they were in one of the client servers

fun stuff...

have fun
alvin
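The question raised above, "how do you know the backup data does not have the trojan'd backdoors too", has a concrete answer: do not trust the backup, audit it against a known-good baseline before restoring. The script below is an added example, not code from the thread or from either poster. It hashes every regular file in a known-good tree (assumed here to be a fresh install of the same package set, or a manifest saved before the incident), then compares a backup tree against that manifest and reports modified, added and missing files, flagging any changed or new file that carries a setuid/setgid bit. The manifest layout, the helper names, and the sample files (a trojaned `bin/ps`, a dropped setuid shell under `tmp/.x/`, a deleted `etc/passwd`) are all constructed for the example.

```python
"""Audit a backup tree against a known-good sha256 manifest before restoring.

Added example (not from the original post). Assumptions: the known-good tree is
trustworthy, the manifest is keyed by path relative to the tree root, and the
sample trees built by build_sample_trees() stand in for a real host and backup.
"""
import hashlib
import os
import stat
import tempfile


def sha256_file(path):
    """Stream a file through sha256 so large binaries do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Walk a tree and record relative path -> sha256 for every regular file.

    Symlinks and special files are skipped: a symlink's target is what matters,
    and the target is hashed when the walk reaches it.
    """
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def audit_backup(backup_root, manifest):
    """Compare a backup tree with a known-good manifest.

    Returns a dict of sorted lists: modified (hash differs), added (not in the
    manifest), missing (in the manifest but not in the backup), and setuid
    (changed or new files that carry a setuid/setgid bit, a classic backdoor).
    """
    found = build_manifest(backup_root)
    modified = sorted(p for p in manifest if p in found and found[p] != manifest[p])
    added = sorted(p for p in found if p not in manifest)
    missing = sorted(p for p in manifest if p not in found)
    setuid = []
    for rel in added + modified:
        mode = os.stat(os.path.join(backup_root, rel)).st_mode
        if mode & (stat.S_ISUID | stat.S_ISGID):
            setuid.append(rel)
    return {"modified": modified, "added": added,
            "missing": missing, "setuid": sorted(setuid)}


def build_sample_trees():
    """Construct (known_good_root, backup_root) under a temp dir. Sample data only."""
    base = tempfile.mkdtemp(prefix="backup-audit-")
    good = os.path.join(base, "known-good")
    backup = os.path.join(base, "backup")
    files = {"bin/ls": b"ls v1", "bin/ps": b"ps v1", "etc/passwd": b"root:x:0:0"}
    for root in (good, backup):
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
    # The backup came off a compromised host: ps is trojaned to hide a pid,
    # a setuid shell was dropped in a hidden directory, and passwd is gone.
    with open(os.path.join(backup, "bin/ps"), "wb") as f:
        f.write(b"ps v1 + rootkit: hide pid 31337")
    backdoor = os.path.join(backup, "tmp/.x/sh")
    os.makedirs(os.path.dirname(backdoor), exist_ok=True)
    with open(backdoor, "wb") as f:
        f.write(b"#!/bin/sh\nexec /bin/sh\n")
    os.chmod(backdoor, 0o4755)
    os.remove(os.path.join(backup, "etc/passwd"))
    return good, backup


if __name__ == "__main__":
    good_root, backup_root = build_sample_trees()
    report = audit_backup(backup_root, build_manifest(good_root))
    for key, paths in report.items():
        print(f"{key:9s} {paths}")
```

In practice the manifest should come from somewhere the intruder could not reach (package signatures, a manifest written to read-only media before the incident, or a fresh install on a separate box), since a manifest stored on the compromised host is exactly the thing a rootkit would edit. Anything in the "modified" or "added" lists is a lead for the "what did they do" investigation the post describes, not something to restore.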
