Full Disclosure mailing list archives

RE: Reacting to a server compromise


From: "Jones, David H" <Jones.David.H () principal com>
Date: Mon, 4 Aug 2003 12:32:09 -0500

Mark,

I'd suggest picking up a book on computer forensics and data collection
to prepare for the future.

And in regards to the debate on logs, I'm copying this from a book
called "Computer Forensics: Computer Crime Scene Investigation."

"To collect evidence, certain legal requirements must be met.  These
legal requirements are vast, complex, and vary from country to country.
However, there are certain requirements that are generally agreed on
within the United States.  US Code Title 28, Section 1732 provides that
log files are admissible as evidence if they are collected *in the
course of  regularly conducted business activity*.  This means you'd be
much safer to log everything all the time and deal with the storage
issues, than to turn on logging only after an incident is suspected.
Not only is this a bit like closing the barn door after the horse has
fled, it may also render your logs inadmissible in court."

"Another factor in admissibility of log files is the ability to prove
that they have not been subject to tampering.  Whenever possible,
digital signatures should be used to verify log authenticity.  Other
protective measures include, but are not limited to, storing logs in a
dedicated logging server and/or encrypting log files.  Log files are
often one of the best, if not only sources of evidence available.
Therefore, due diligence should be applied in protecting them."

"One other generally accepted requirement of evidence collection is a
user's expectation of privacy.  A key to establishing that a user has no
right to privacy when using corporate networks and/or computer systems
is the implementation of a log-on banner.  CERT Advisory CA-1992-19
suggests the following text be tailored to a corporation's specific needs
under the guidance of legal counsel:"

(several versions of log-on banners)

Anyway, as you can see, under the right circumstances, log files *can*
be admissible in court.  I'd really suggest one or more of these types
of books.  There's a lot of information about tools to use, collection
procedures, what to do, what not to do, etc.

Cheers,
David 

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Mark
Sent: Friday, August 01, 2003 10:39 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Reacting to a server compromise


Hello list,

      In light of the current state of the internet with the DCOM vuln,
I would like to ask for some advice on a situation I had at work.

A little while ago (but before the DCOM vuln was released) I had a Win2k
box hacked.  The box was outside our firewall, running minimal
services (ftp/www/smtp - gateway only) and was set to download/install
everything it could via Auto-updates.  Apparently I didn't reboot it
often enough for all of the updates to take effect.

<snip>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
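
The book passage David quotes recommends signing logs and keeping them on a dedicated logging server so that tampering can be proven. The following is an added example, not code from the original post or from the book cited; it illustrates the idea with an HMAC-SHA256 hash chain (a keyed MAC rather than a public-key signature, which is a simplification of the "digital signatures" the book mentions). It assumes a signing key (LOG_KEY) and the final chain tag are held off-host on the log server, and the log lines it signs are constructed for the example, loosely modelled on the ftp/www/smtp gateway in Mark's message. It goes slightly beyond the quote by showing the failure mode a plain chain does not cover: silent truncation of the newest entries, which is only detected when the last tag has been copied somewhere the attacker cannot reach.

```python
"""Tamper-evident log chain: each entry's tag is an HMAC over its sequence
number, the previous entry's tag and the message, so editing, deleting or
reordering an earlier entry breaks every tag that follows it."""
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Assumption for this example: the key lives on the dedicated log server,
# not on the host being logged. A key recoverable from the compromised
# host lets the attacker simply re-sign a rewritten chain.
LOG_KEY = b"example-log-signing-key-not-for-production"

GENESIS_TAG = "0" * 64  # the tag the very first entry chains to


def entry_tag(key: bytes, seq: int, prev_tag: str, message: str) -> str:
    """HMAC-SHA256 over (seq, prev_tag, message), serialised as JSON so the
    field boundaries are unambiguous."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(json.dumps([seq, prev_tag, message]).encode())
    return mac.hexdigest()


def append_entry(log: List[Dict], key: bytes, message: str) -> Dict:
    """Append a message, chaining it to the tag of the entry before it."""
    seq = len(log)
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    entry = {"seq": seq, "prev": prev_tag, "msg": message,
             "tag": entry_tag(key, seq, prev_tag, message)}
    log.append(entry)
    return entry


def verify_chain(log: List[Dict], key: bytes,
                 expected_last_tag: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Walk the chain from the genesis tag. Returns (True, None) if intact,
    otherwise (False, seq) for the first entry that fails. If the final tag
    previously shipped off-host is supplied, a truncated tail is reported
    as a failure at seq == len(log)."""
    prev_tag = GENESIS_TAG
    for i, e in enumerate(log):
        # Sequence gap or wrong back-link: an entry was removed or reordered.
        if e["seq"] != i or e["prev"] != prev_tag:
            return False, i
        # Tag mismatch: the message (or a field) was altered without the key.
        if not hmac.compare_digest(e["tag"], entry_tag(key, i, prev_tag, e["msg"])):
            return False, i
        prev_tag = e["tag"]
    # Without an off-host anchor, dropping the newest entries is invisible.
    if expected_last_tag is not None and not hmac.compare_digest(prev_tag, expected_last_tag):
        return False, len(log)
    return True, None


def build_sample_log(key: bytes = LOG_KEY) -> List[Dict]:
    """Constructed sample log lines (not real data)."""
    lines = [
        "ftpd: connection from 203.0.113.10",
        "ftpd: anonymous login ok from 203.0.113.10",
        "ftpd: 530 login incorrect for user administrator from 203.0.113.10",
        "smtp: relay attempt from 203.0.113.10 denied",
        "www: GET /scripts/..%255c../winnt/system32/cmd.exe 404",
    ]
    log: List[Dict] = []
    for m in lines:
        append_entry(log, key, m)
    return log


def tamper_cases(key: bytes = LOG_KEY) -> Dict[str, Tuple[bool, Optional[int]]]:
    """Run verification against an intact log and three tampered copies."""
    log = build_sample_log(key)
    anchor = log[-1]["tag"]  # the value the log server keeps after each batch
    edited = copy.deepcopy(log)
    edited[2]["msg"] = edited[2]["msg"].replace("530 login incorrect", "230 login ok")
    deleted = copy.deepcopy(log)
    del deleted[2]
    truncated = copy.deepcopy(log)[:3]
    return {
        "intact": verify_chain(log, key, anchor),
        "edited": verify_chain(edited, key, anchor),
        "deleted": verify_chain(deleted, key, anchor),
        "truncated_no_anchor": verify_chain(truncated, key),
        "truncated_with_anchor": verify_chain(truncated, key, anchor),
    }


if __name__ == "__main__":
    for name, result in tamper_cases().items():
        print(f"{name:22s} -> {result}")
```

The point the "dedicated logging server" advice is really making shows up in the last two cases: the same truncated log passes verification when only the chain is checked and fails only when the final tag was stored where the attacker could not update it. Shipping entries off-host as they are written (syslog to a hardened collector) gives the same protection for everything already sent.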