Full Disclosure mailing list archives
RE: Reacting to a server compromise
From: "Jones, David H" <Jones.David.H () principal com>
Date: Mon, 4 Aug 2003 12:32:09 -0500
Mark, I'd suggest picking up a book on computer forensics and data collection to prepare for the future. And in regards to the debate on logs, I'm copying this from a book called "Computer Forensics: Computer Crime Scene Investigation."

"To collect evidence, certain legal requirements must be met. These legal requirements are vast, complex, and vary from country to country. However, there are certain requirements that are generally agreed on within the United States. US Code Title 28, Section 1732 provides that log files are admissible as evidence if they are collected *in the course of regularly conducted business activity*. This means you'd be much safer to log everything all the time and deal with the storage issues, than to turn on logging only after an incident is suspected. Not only is this a bit like closing the barn door after the horse has fled, it may also render your logs inadmissible in court."

"Another factor in admissibility of log files is the ability to prove that they have not been subject to tampering. Whenever possible, digital signatures should be used to verify log authenticity. Other protective measures include, but are not limited to, storing logs in a dedicated logging server and/or encrypting log files. Log files are often one of the best, if not only, sources of evidence available. Therefore, due diligence should be applied in protecting them."

"One other generally accepted requirement of evidence collection is a user's expectation of privacy. A key to establishing that a user has no right to privacy when using corporate networks and/or computer systems is the implementation of a log-on banner. CERT Advisory CA-1992-19 suggests the following text be tailored to a corporation's specific needs under the guidance of legal counsel:"

(several versions of log-on banners)

Anyway, as you can see, under the right circumstances, log files *can* be admissible in court. I'd really suggest one or more of these types of books. There's a lot of information about tools to use, collection procedures, what to do, what not to do, etc.

Cheers,
David

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Mark
Sent: Friday, August 01, 2003 10:39 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Reacting to a server compromise

Hello list,

In light of the current state of the internet with the DCOM vuln, I would like to ask for some advice on a situation I had at work. A little while ago (but before the DCOM vuln was released) I had a Win2k box hacked. The box was outside our firewall, running minimal services (ftp/www/smtp - gateway only) and was set to download/install everything it could via Auto-updates. Apparently I didn't reboot it often enough for all of the updates to take effect.

<snip>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
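One way to give a log stream the tamper-evidence the quoted book passage asks for, as an added example that is not part of this thread: each entry is chained to its predecessor with a keyed HMAC whose key lives only on the dedicated log server (a stand-in for the public-key signature the book mentions), so editing or removing an entry on the originating host is detectable on verification. The sample event lines and the key are constructed for the demo.

```python
import hashlib
import hmac
from typing import List, Tuple

# Constructed sample: Win2k-style logon events (528 = success, 529 = failure)
# as they might be forwarded from a DMZ host to a dedicated log server.
SAMPLE_LINES = [
    "2003-08-01 22:39:01 host=dmz-gw1 event=528 user=IUSR_DMZ-GW1 src=10.0.0.5",
    "2003-08-01 22:40:17 host=dmz-gw1 event=529 user=Administrator src=198.51.100.7",
    "2003-08-01 22:40:19 host=dmz-gw1 event=528 user=Administrator src=198.51.100.7",
]
GENESIS = b"\x00" * 32  # fixed starting value for the first chain link


def seal_log(lines: List[str], key: bytes) -> List[dict]:
    """Return records whose 'chain' field binds each line to all prior lines.

    chain[i] = HMAC(key, chain[i-1] || line[i]). Without the key, a host that
    is compromised later cannot recompute the chain after altering an entry.
    """
    records, prev = [], GENESIS
    for seq, line in enumerate(lines):
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        records.append({"seq": seq, "line": line, "chain": tag.hex()})
        prev = tag
    return records


def verify_log(records: List[dict], key: bytes) -> Tuple[bool, int]:
    """Recompute the chain; return (ok, index of first bad record or -1)."""
    prev = GENESIS
    for expected_seq, rec in enumerate(records):
        if rec["seq"] != expected_seq:
            return False, expected_seq  # an entry was removed or reordered
        tag = hmac.new(key, prev + rec["line"].encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(tag.hex(), rec["chain"]):
            return False, expected_seq  # entry text or chain value was edited
        prev = tag
    return True, -1


def demo() -> dict:
    key = b"constructed-demo-key-held-only-on-log-server"
    sealed = seal_log(SAMPLE_LINES, key)
    edited = [dict(r) for r in sealed]
    edited[1]["line"] = edited[1]["line"].replace("529", "528")  # hide a failed logon
    deleted = sealed[:1] + sealed[2:]                            # drop an entry
    return {"intact": verify_log(sealed, key), "edited": verify_log(edited, key),
            "deleted": verify_log(deleted, key)}
```

Truncating the tail of the chain is the one change this scheme cannot see by itself, so the latest chain value should be recorded out of band (for example, written to a separate host on a schedule) and compared against the stored log.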