Security Basics mailing list archives
Re: compromised network - followups - yuppers - ids
From: Alvin Oga <alvin.sec () Virtual Linux-Consulting com>
Date: Sun, 4 Jan 2004 14:57:55 -0800 (PST)
hi ya harlan
> Collecting data is trivial...understanding what that data is telling you is another matter entirely. Sure,

yuppers...

> > - but if you keep looking and want to learn, you will figure it out over years of studying the traffic/data
>
> Over years? The original poster is sniffing from an incident that has already happened. To me, it sounds more as if he's sniffing b/c he heard someone say he should, not b/c he's looking for anything in particular.

yupper.. and even experienced folks might not know that "this pattern" is abnormal ... and won't know what is abnormal till you look at it ... some stuff is obvious :-)

> I would agree. Too many times, it's a matter of "I don't know exactly what this traffic is doing, so it must be bad". Speculation serves no useful purpose when investigating an incident, or troubleshooting a network issue.

yupers

> text of the law...very interesting. It states that if the personal data is compromised, the company must disclose this fact...unless the data was encrypted. However, there is no detailed specification of "encrypted"...ROT-13, bit-shift left? Ouch!

and i bet some folks probably have it rot-13'd :-)

> Also, consider this...how many organizations can detect a compromise? Acxiom and other places holding
> personal information on consumers "detected" their compromises when the bad guy bragged...not b/c of their own internal processes. So imagine if someone took that same data, but instead of telling everyone about it, used it in a very limited way, over time?

am guessing maybe 5% ??? donno .. and that after detecting the problems ... what to do about it another ball game

that is the typical scenario ... including the detection of the intruder ... they sleep for a bit before they do anything ... to make sure "coast is clear" or gather enough boxes for a ddos or whatever their plan was - i've seen sleepers in machines from 30-60 days ago ... the original breakins .. before they inadvertently stepped on an ids trigger

c ya
alvin