Security Basics mailing list archives
Re: compromised network - followups - yuppers
From: Harlan Carvey <keydet89 () yahoo com>
Date: Sun, 4 Jan 2004 04:46:47 -0800 (PST)
> You're going to need the right kind of securitydude, and/or just a "list of things to do" after a (suspect) compromise.
Collecting data is trivial...understanding what that data is telling you is another matter entirely. Sure, it's easy to do lookups of IP addresses from the output of netstat, but how do you find out what the bad guy was doing...or if there even was a "bad guy"?
> Yes... my comment is that people learn by poking around. It might look like Chinese characters/gibberish to English language readers... so I concur that it might be pointless to look at stuff when one doesn't know what to look for, but if you keep looking and want to learn, you will figure it out over years of studying the traffic/data.
Over years? The original poster is sniffing from an incident that has already happened. To me, it sounds more as if he's sniffing b/c he heard someone say he should, not b/c he's looking for anything in particular. Sure, over time, one will learn about what they're looking at...if they choose to do so.
> - I think sniffing lends itself to too much headache and too many false alarms...
I would agree. Too many times, it's a matter of "I don't know exactly what this traffic is doing, so it must be bad". Speculation serves no useful purpose when investigating an incident, or troubleshooting a network issue.
>> Which federal law is that? I'm familiar with California's SB 1386,
> [snip]
> That's the one... and I could have sworn it had a federal counterpart... (but I could be out in fairy tale wishful land)
Yeah. ;-) A quick Google search will show you the text of the law...very interesting. It states that if the personal data is compromised, the company must disclose this fact...unless the data was encrypted. However, there is no detailed specification of "encrypted"...ROT-13, bit-shift left? Ouch! Also, consider this...how many organizations can detect a compromise? Acxiom and other places holding personal information on consumers "detected" their compromises when the bad guy bragged...not b/c of their own internal processes. So imagine if someone took that same data, but instead of telling everyone about it, used it in a very limited way, over time?