Security Basics mailing list archives

Re: compromised network - backups


From: Alvin Oga <alvin.sec () Virtual Linux-Consulting com>
Date: Sat, 3 Jan 2004 11:34:11 -0800 (PST)


hi ya greg


> > The only way to be 100% is to completely start from scratch again.
>
> You know, I have read this reply from many people, over and over again and
> without going to the trouble of finding the original message again, all I
> can say is - whatever happened to the idea of image backups with
> incrementals?
>
> Eg, let's say all is quiet and OK and the crap started happening, at the
> local timezone of that machine, at 11PM. Let's FURTHER say that the business
> has a once a week full backup with hourly incrementals. What the heck is the
> matter with going back to that SAME day at 10PM's incremental and restoring

usually the stories go like:
        - the last time we did backups was a month ago or 3 months ago ..

        - the "cracker" was noticed yesterday  ( so they don't have backups )

usually, by the time they notice a cracker, it's not uncommon to dig around
and find that the cracker has been a sleeper in their system for 2-3 months
randomly picking up passwds, emails, using dumb services ( mail, ftp, telnet,
wget, etc) which is how they started to show up more frequently

if backups were not done properly, most people are afraid to have their
disk erased ... so we have to step around their data to see if we
can find the cracker's back doors and other secret files they installed

        - worst case is the crackers that make their own fs inside
        the unused disk space of used inodes

        ( if you have a file of 10 bytes, the remaining 500 bytes is used
          by the cracker for their own hidden trojans and back doors )

> Now, after reinstalling from image/incremental, I would, as some have said,
> get someone in who really knows what he/she is doing to A) Make the
> possibility of it happening ever again as close to zero as it can be; B) Get
> rid of whatever the weakness was that allowed this to happen.

usually that is a simple process...
        - disallow ftp  ----- use sftp instead
        - disallow telnet --- use ssh instead
        - disallow dhcp ..... use static ip# ... and proper masks
        - disallow pop3/imap. use secure pop3, secure imap
        - disallow wireless .. put that outside the firewall
        - disallow world wide logins from anywhere in the world
        - disallow same login name for email, ssh, vpn, pop3, ...
        - disallow common passwds ... even if they have to write it
                on paper under their keyboard
                - if the cracker is in the bldg, which they usually are anyway

        - disallow insecure laptops ... those that go traveling to other corps
        and hotels and internet cafes

        - disallow insecure home networks from connecting to corporate data
                - how many people really do work at home ... that is
                worth risking the loss of sensitive corp data at work
                and/or shutting the entire company down for 2-3 days at a time
                after a security breach ... know several companies where it has happened

                - they do NOT allow home networks or laptops anymore ...

        - worry about 80% of attacks coming from your sysadmin and unauthorized
        users trying to sneak around security policy

        - and on and on  ... hundreds more rules that are even MORE restrictive
        in order to keep the company running ...

> Reformat and install from scratch? That is more or less, to me personally,
> like "My car is out of fuel! I better buy a new car!".

yes....
        check the gas ............ --> turning a blind eye is NOT good
        get insurance policy ..... --> backups and security policy
        i got a flat tire ........ --> keep hot swap spare machines
        add all the bells-n-whistles--> add all the security patches
        if you're in an accident ----> you've been compromised
                - find out what happened by police, professional mechanics, etc
        .. good analogy ... think i'll use it in my "you(client) should do this
                 and that speech" too

have fun
alvin
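An added example, not part of this thread: a small Python routine that picks the newest full+incremental chain ending before the estimated start of the compromise. With the weekly-full/hourly-incremental schedule Greg describes it lands on the 10PM incremental; with a few months of dwell time and short retention, as in Alvin's stories, it finds no clean restore point. The schedule generator and dates are constructed for the example.

```python
from datetime import datetime, timedelta


def restore_point(fulls, incrementals, first_compromise):
    """Newest clean chain: the latest full before first_compromise plus every
    incremental between that full and first_compromise (exclusive).
    Returns None when retention does not reach back before the compromise."""
    clean_fulls = [f for f in fulls if f < first_compromise]
    if not clean_fulls:
        return None
    base = max(clean_fulls)
    chain = sorted(i for i in incrementals if base < i < first_compromise)
    return base, chain


def plan_restore(fulls, incrementals, noticed, dwell):
    """Estimate when the intruder got in (noticed - dwell) and pick the
    restore point from that; dwell is the assumed sleeper time."""
    return restore_point(fulls, incrementals, noticed - dwell)


def schedule(start, weeks):
    """Constructed backup catalogue: a full every week at `start` + 7d*n and an
    incremental every other hour-mark, retained for `weeks` weeks."""
    fulls = [start + timedelta(weeks=w) for w in range(weeks)]
    incs = [start + timedelta(hours=h)
            for h in range(weeks * 7 * 24) if h % (7 * 24) != 0]
    return fulls, incs


if __name__ == "__main__":
    fulls, incs = schedule(datetime(2003, 11, 2), 8)   # 8 weeks retained
    noticed = datetime(2003, 12, 22, 23, 0)            # "crap started at 11PM"
    # Greg's case: compromise noticed as it starts -> restore 10PM incremental
    base, chain = plan_restore(fulls, incs, noticed, timedelta(0))
    print("full:", base, "last incremental:", chain[-1], "count:", len(chain))
    # Alvin's case: 3 months of dwell, a month or two of backups -> nothing clean
    print("with 90 days dwell:", plan_restore(fulls, incs, noticed, timedelta(days=90)))
```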

