Security Incidents mailing list archives
Re: Who's liable?
From: <macdaddy () neo pittstate edu>
Date: Sun, 14 Oct 2001 01:55:31 -0500 (CDT)
On Sun, 14 Oct 2001 hvdkooij () vanderkooij org wrote:
> On Sat, 13 Oct 2001, Michael F. Bell wrote:
>> Let's change the victim from a Government agency to a private one. Let's say that EBAY got hacked and they launched the same sort of investigation with the same findings. What can be done from a legal/financial standpoint if an attack is detected from your company network and there is no proof on exactly who did it? Can the victims take legal action against you, or is there some sort of protocol from a legal standpoint that hinders this?
>
> We know (or should know) that IP addresses can and will be faked in case of a real attempt and are not enough to
> Anyone have trouble hiding his/hers IP number isn't more than a slight inconvenience. (Until proper handling of spoofed IPs is done more seriously.)

I think something worth pointing out here is that it's unlikely that you'll encounter a "spoofed" IP in a true hack. Sure, you'll get them in a DoS all day long, but I find it highly unlikely that you'll find them in a true hack. For more than the basic hack, you'll need more than one packet and most likely an actual TCP conversation. Unless you've already hacked the router upstream of the target machine or jacked with the target machine's routing table, you can't use the spoofed IPs in the conversation. If this is really a hack like the poster said, spoofed IPs are most likely out the window. This isn't to say that you won't encounter spoofed IPs in background noise during the hack or that it's not possible to use spoofed IPs for a hack; it's just hard to carry on a conversation with a target if you're not giving it a real IP to talk to.

My thought on the scenarios is that if they (the investigating party) can't ascertain who is really responsible, they won't find the company responsible because of lax logging. Say I'm ISP XYZ and a spammer gets one of our dialups as a throw-away account and hacks company or government server ABC, and also that I don't log connections from our users (does any ISP?), am I responsible? I hope not. I can't be responsible for the actions of customers I've never met.

Justin

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
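
The distinction drawn in the message above, between spoofed sources and sources that hold a real TCP conversation, can be checked in packet records during an investigation. The following is an added example, not part of the original post: it separates sources that completed the three-way handshake from those that only sent a SYN or answered with a wrong acknowledgement number. The `Pkt` record layout, the function names and all addresses and sequence numbers are constructed for illustration.

```python
from collections import namedtuple

# Constructed record layout: one row per captured TCP packet summary.
Pkt = namedtuple("Pkt", "src sport dst dport flags seq ack")
MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits

def handshake_status(packets, server_ip):
    """Map each client (ip, port) to 'syn_only', 'bad_ack' or 'completed'."""
    flows = {}
    for p in packets:
        if p.dst == server_ip and p.flags == "S":
            flows[(p.src, p.sport)] = {"c_isn": p.seq, "s_isn": None,
                                       "status": "syn_only"}
        elif p.src == server_ip and p.flags == "SA":
            f = flows.get((p.dst, p.dport))
            if f and p.ack == (f["c_isn"] + 1) % MOD:
                # Only a host that receives traffic for the claimed
                # address ever sees the server's initial sequence number.
                f["s_isn"] = p.seq
        elif p.dst == server_ip and p.flags == "A":
            f = flows.get((p.src, p.sport))
            if not f or f["s_isn"] is None or f["status"] == "completed":
                continue
            ok = (p.seq == (f["c_isn"] + 1) % MOD
                  and p.ack == (f["s_isn"] + 1) % MOD)
            f["status"] = "completed" if ok else "bad_ack"
    return {flow: f["status"] for flow, f in flows.items()}

def conversational_sources(packets, server_ip):
    """Source IPs that proved they receive replies sent to their address."""
    status = handshake_status(packets, server_ip)
    return {ip for (ip, _), s in status.items() if s == "completed"}

SERVER = "192.0.2.10"  # constructed sample data (documentation ranges)
SAMPLE = [
    Pkt("198.51.100.7", 40000, SERVER, 80, "S", 1000, 0),
    Pkt(SERVER, 80, "198.51.100.7", 40000, "SA", 5000, 1001),
    Pkt("198.51.100.7", 40000, SERVER, 80, "A", 1001, 5001),
    Pkt("203.0.113.5", 1025, SERVER, 80, "S", 7, 0),       # SYN, no follow-up
    Pkt(SERVER, 80, "203.0.113.5", 1025, "SA", 9000, 8),
    Pkt("203.0.113.9", 1026, SERVER, 80, "S", 4294967295, 0),  # ISN wraps
    Pkt(SERVER, 80, "203.0.113.9", 1026, "SA", 12000, 0),
    Pkt("203.0.113.9", 1026, SERVER, 80, "A", 0, 31337),   # wrong ack number
]

if __name__ == "__main__":
    for flow, state in handshake_status(SAMPLE, SERVER).items():
        print(flow, state)
```

A `completed` result shows only that the source address received the server's reply; it does not identify the person behind that address.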