Security Basics mailing list archives

Re: compromised network - followups - yuppers


From: Harlan Carvey <keydet89 () yahoo com>
Date: Sun, 4 Jan 2004 04:46:47 -0800 (PST)

 
> You're going to need the right kind of security dude.
>
> and/or just a "list of things to do" after a (suspect) compromise

Collecting data is trivial...understanding what that data is telling you is another matter entirely. Sure, it's easy to do lookups of IP addresses from the output of netstat, but how do you find out what the bad guy was doing...or if there even was a "bad guy"?
  
> yes... my comment is that people learn by poking around
>
> it might look like Chinese characters/gibberish to English language readers ... so I concur that it might be pointless to look at stuff one doesn't know what to look for
>
> - but if you keep looking and want to learn, you will figure it out over years of studying the traffic/data

Over years? The original poster is sniffing from an incident that has already happened. To me, it sounds more as if he's sniffing b/c he heard someone say he should, not b/c he's looking for anything in particular.

Sure, over time, one will learn about what they're looking at...if they choose to do so.
 
> - I think sniffing lends itself to too much headache and too many false alarms ...

I would agree. Too many times, it's a matter of "I don't know exactly what this traffic is doing, so it must be bad". Speculation serves no useful purpose when investigating an incident, or troubleshooting a network issue.
 
> > Which federal law is that? I'm familiar with California's SB 1386,
>
> [snip]
>
> that's the one ... and I could have sworn it had a federal counterpart ... ( but I could be out in fairy tale wishfuland )

Yeah. ;-) A quick Google search will show you the text of the law...very interesting. It states that if the personal data is compromised, the company must disclose this fact...unless the data was encrypted. However, there is no detailed specification of "encrypted"...ROT-13, bit-shift left? Ouch!

Also, consider this...how many organizations can detect a compromise? Acxiom and other places holding personal information on consumers "detected" their compromises when the bad guy bragged...not b/c of their own internal processes. So imagine if someone took that same data, but instead of telling everyone about it, used it in a very limited way, over time?
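Harlan's point that collecting the data is the easy part and judging it is the hard part can be illustrated with an added example that is not part of the thread: a small Python script that parses a constructed sample of `netstat -an` output, separates internal from external peers, and compares each connection against an assumed baseline of expected ports. It only reports rows as "outside the baseline"; whether any of them is actually bad is left to the analyst with more context, which is exactly the speculation trap described above. The sample output, the baseline sets, the internal address ranges and the helper names are all constructed for this example. The reverse-DNS lookup step he mentions is deliberately left out so the script runs offline.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of `netstat -an` output in Windows layout (not real data).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      203.0.113.5:80         ESTABLISHED
  TCP    192.168.1.10:1046      203.0.113.5:443        ESTABLISHED
  TCP    192.168.1.10:1050      198.51.100.23:6667     ESTABLISHED
  TCP    192.168.1.10:139       192.168.1.22:1120      ESTABLISHED
  TCP    192.168.1.10:31337     0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
"""

# Constructed baseline (an assumption for this example): ports this host is
# expected to talk to and to serve. Anything else is "unexplained", not "bad".
EXPECTED_REMOTE_PORTS = {53, 80, 443}
EXPECTED_LISTENING_PORTS = {135, 137, 139, 445}

# Address ranges treated as internal: RFC 1918 plus loopback, link-local and
# unspecified. Listed explicitly rather than via ip.is_private so the result
# does not depend on the IANA special-purpose registry bundled with Python.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

# proto, local endpoint, foreign endpoint, optional state (UDP rows have none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S*)\s*$")


def split_endpoint(endpoint):
    """Split 'addr:port' into (addr, port); port is None for '*' or non-numeric."""
    addr, _, port = endpoint.rpartition(":")
    return addr, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn netstat -an text into a list of connection dicts; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        laddr, lport = split_endpoint(local)
        faddr, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "laddr": laddr, "lport": lport,
                     "faddr": faddr, "fport": fport, "state": state})
    return rows


def is_external(addr):
    """True for a routable address outside INTERNAL_NETS; '*' and the like are not external."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def external_hosts(rows):
    """Count established connections per external peer; this is the trivial 'collection' step."""
    return Counter(r["faddr"] for r in rows
                   if r["state"] == "ESTABLISHED" and is_external(r["faddr"]))


def triage(rows):
    """Return (row, reason) pairs for rows outside the baseline. No row is labelled 'bad'."""
    findings = []
    for r in rows:
        if r["state"] == "LISTENING" and r["lport"] not in EXPECTED_LISTENING_PORTS:
            findings.append((r, "listening on a port outside the baseline"))
        elif (r["state"] == "ESTABLISHED" and is_external(r["faddr"])
              and r["fport"] not in EXPECTED_REMOTE_PORTS):
            findings.append((r, "established to an external host on a non-baseline port"))
    return findings


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("external peers:", dict(external_hosts(rows)))
    for r, why in triage(rows):
        print(f"{r['proto']} {r['laddr']}:{r['lport']} -> {r['faddr']}:{r['fport']} "
              f"[{r['state'] or '-'}]: {why}")
```

On the constructed sample this lists two rows for a human to explain: the established connection to 198.51.100.23 on port 6667 and the listener on port 31337. Neither is proof of anything by itself; the value of the script is that it separates "needs an explanation" from "already explained by the baseline", which is the part of the job that does not take years.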


