Firewall Wizards mailing list archives

RE: OK, I've been hacked, now what?


From: sedwards () sedwards com
Date: Wed, 5 May 1999 00:37:39 -0700 (PDT)

I must admit, I was so taken aback by your response I had to check to see
if the domain "bestbuy.com" was the "technology and entertainment
products" retailer or some random ISP :)

I consider any kind of security breach to be a serious incident.

I would be very surprised if Best Buy would consider

        "cp original.html index.html"

to be the appropriate response to having their e-commerce web page hacked.

Since you state you were not aware of the facts of the hacking incident,
I'll repeat a few of the key points...

This (like your employer's site) is a revenue producing site with online
credit card processing. This is one host in a network of about 30 Sun,
SGI, Intel and Alpha hosts serving about a thousand domains.

When the hack was discovered, we notified senior corporate management. We
then physically disconnected the host from the net and called all
available admins into the office (the hack occurred on a Saturday).

We then mapped out our response. We turned off (not shutdown) the host and
pulled the drives out of the host. We divided the available staff into two
teams -- the "restoration" team to restore the site and the "forensic"
team to determine the "depth" of the breach.

The "forensic" team installed the drives in a host that had not been put
into production yet. The drives were mounted read only to preserve the
"evidence."

When the "forensic" team determined that the hacker had obtained a root
shell and had tweaked the password file, all resources were focused on
changing all of the passwords on all of the hosts, routers and switches.

The teams then returned to their assignments.

The "forensic" team determined which files had been accessed and which
files had been modified. Since the hacker deleted all of the log files,
various scripts and programs were written to scavenge the raw disk devices
to recover as much of the logs as possible. They were surprisingly
successful -- recovering all but about 40 minutes of the log files.

By using this information, the method used to compromise the host was
determined with reasonable certainty as was information sufficient to
allow the hacker's ISP to take steps to preserve the logs from their
dial-up server so they will be available for the appropriate legal
response.

When the "restoration" team was ready, they deleted the suspected CGIs
before connecting the host back up to the net.

In retrospect, I consider our response to be appropriate and efficient.
The only thing I will do differently next time is that I will have a written
plan to start with :)

The cost estimate I presented does not include any of the changes we've
made to improve the security of the site beyond the cost to identify the
offending CGIs and delete them -- no "superficial" software or hardware
used to inflate the cost of the intrusion.

Actually, I am surprised the cost of the intrusion was so low.

I'm curious why you don't consider the cost of identifying and eliminating
a security hole the "fault of the hacker?"

Your house break-in analogy is unrealistic -- at best an insurance policy
pays replacement costs, not the cost to turn your house into Fort Knox.

Your Rolex analogy does not hold water either -- just because I leave my
watch within your reach does not give you the right to take it from me, it
just deprives me of the expectation of sympathy from my peers.

Methinks your allegiance shows when you bring up Kevin Mitnick. Where did
that come from? Nobody's trying to hang this on him :)

Since you seem to like physical analogies, how about this one:

One morning, one of your store managers arrives to find the window display
inside the store "hacked" with "Free Kevin" stickers.

Is he going to remove the stickers and hope that it doesn't happen again?
Not if he values his job. Having every entrance to the building examined,
interviewing the janitorial staff and having the stickers dusted for
prints all sound like responsible actions. How about taking inventory and
examining stock for tampering?

So who is responsible for the cost of these actions?

These costs can get huge. Imagine that instead of pushing boxes your
stores sold aspirin. Every bottle is now suspect and must be examined. A
paranoid manager may decide to pull all stock and have it destroyed rather
than risk the exposure.

Your claim that "It is often the case that figures of such are made up to
bring about a prosecution" needs to be substantiated. I would counter that
I believe the prosecution would err on the conservative side rather than
risk having the case tossed out of court or being hit with something like
"filing a fraudulent action" or "malicious prosecution."

On Mon, 3 May 1999, Scott, Richard wrote:

Greetings all,

I was just wondering about these so called costs.  Let's assume your web
page was defaced.  That your original index.html or whatever had in fact been
copied to old.html, and a new page inserted (the hacked page).

Now I am not aware of the hacking incident, more information may be more
helpful here.
Now if it is the case that the original page has been moved.  What are the
real costs in replacing by moving it back to index.html.

The fact that the security hole already existed shouldn't be placed in the
cost of the intrusion.  The cost of beefing up security maybe replacing
software/ hardware shouldn't be placed in to these superficial figures.

If you include costs for increasing the security due to the hole, then this
is of no fault of the hacker.  The hole existed beforehand.  In fact, I
would go so far as to say that it's fraudulent use of figures.  It's
analogous to a house break in.  You add to the insurance claim the cost of
providing 24hr surveillance because of the security hole, or maybe the use
or purchase of hi-tech keys, because the keys were picked.
It's all too often heard that companies who are hacked claim millions of $
worth of damage, and maybe that is the case.  But these are more often the
case beefed up figures, including R/D, advertising, management costs, etc
etc....
Maybe one would take a look at this and state: " if this is worth so much,
why are we leaving it out on the street?"
Just the question a police officer/insurance person would ask when you
told them you left a Rolex watch on the path outside the house, but inside a
locked 2ft gate.

The bottom line is, how much did it cost to return the site to its original
state, plus the business lost (in terms of EC) the company underwent.  It
is often the case that figures of such are made up to bring about a
prosecution.  And this may be the case in the Mitnick case.  I would advise
people to be honest in judging the loss caused by intrusions.

Richard Scott 
(I.S.) E-Commerce Team
* Tel: 001-(612)-995-5432
* Fax: 001-(612)-947-2005
* Best Buy World Headquarters
   7075 Flying Cloud Drive
   Eden Prairie, MN 55344 USA
   This '|' is not a pipe

      -----Original Message-----
      From:   sedwards () sedwards com [SMTP:sedwards () sedwards com]
      Sent:   Friday, April 30, 1999 12:38 AM
      To:     Antonomasia
      Cc:     firewall-wizards () nfr net
      Subject:        Re: OK, I've been hacked, now what?

      On Fri, 2 Apr 1999, Antonomasia wrote:

      > From: sedwards () sedwards com
      > 
      > > Yes it's true, one of my client's web page was hacked. The attack
      > > occurred on March 27.

      [snip]

      >       Estimate the cost of the incident (when considered finished).
      >       Actually I'd like to know too since you've been kind enough to
      >       talk about it.

      Rough guestimates:

              Personnel               Hours           Rate    Cost
              ----------------------------------------------------
              senior management       6               300     1800
              mid-management          6               150      900
              senior consultant       16              150     2400
              senior admin            8                75      600
              mid-admin               8                50      400
              junior admin #1         4                30      120
              junior admin #2         4                30      120
              junior admin #3         4                30      120
              "retired" hardware                               600
              lost revenue                                     500
              ----------------------------------------------------
                                                              7560

      Note that this does not include the costs of pursuing legal avenues since
      these are still in motion.

      The impact of this attack was mitigated by the availability of spare
      hardware on hand and reasonably fresh backups -- we pulled the drives out
      of the compromised host, replaced them with spares, installed the OS from
      CD's and restored the site content from tape.

      Thanks in advance,
      ------------------------------------------------------------------------
      Steve Edwards      sedwards () sedwards com      Voice: +1-760-723-2727 PST
      Newline            Pager: +1-760-740-1220           Fax: +1-760-731-3000




Thanks in advance,
------------------------------------------------------------------------
Steve Edwards      sedwards () sedwards com      Voice: +1-760-723-2727 PST
Newline            Pager: +1-760-740-1220           Fax: +1-760-731-3000
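The step above where the hacker had deleted the log files and "various scripts and programs were written to scavenge the raw disk devices to recover as much of the logs as possible" is the most reusable piece of the response. The following is an added example (not code from the thread or from Steve Edwards' team) of that log-carving idea in Python: it scans a raw image for syslog-style lines, drops duplicates left behind by freed blocks, orders what it finds, and reports the longest silent interval so the responder knows how much of the timeline is still missing (the thread's "all but about 40 minutes"). The image bytes, hostname, process names, CGI path and address are all constructed for the example; run it against a read-only copy of the device image, never the live disk.

```python
import re
import sys
from datetime import datetime

# Year is not present in classic syslog timestamps, so the analyst supplies it.
INCIDENT_YEAR = 1999

# Constructed sample of a raw device image: syslog-style lines interleaved with
# binary junk, one line duplicated (the same block freed and re-used) and one
# line that lacks a timestamp. None of this is real data from the incident.
RAW_IMAGE = (
    b"\x00\xff\x13junk"
    b"Mar 27 14:02:11 www sshd[201]: Accepted password for root from 192.0.2.5\n"
    b"\x7fELF\x01\x02garbage\x00\x00"
    b"Mar 27 14:03:40 www httpd[88]: GET /cgi-bin/example.cgi HTTP/1.0\n"
    b"Mar 27 14:02:11 www sshd[201]: Accepted password for root from 192.0.2.5\n"
    + b"\x00" * 64
    + b"Mar 27 15:12:07 www su: 'su root' succeeded for www on /dev/pts/3\n"
    b"partial line without timestamp\n"
    b"Mar 27 14:44:58 www httpd[88]: POST /cgi-bin/example.cgi HTTP/1.0\n"
)

# "Mon DD HH:MM:SS host message\n" -- the message is capped so a run of
# non-NUL junk cannot be swallowed as one giant "line".
SYSLOG_LINE = re.compile(
    rb"((?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ 0-9]\d \d\d:\d\d:\d\d) "
    rb"(\S+) ([^\n\x00]{1,512})\n"
)


def carve_syslog(raw, year=INCIDENT_YEAR):
    """Return unique (timestamp, line) pairs carved from raw bytes, sorted by time."""
    seen = set()
    entries = []
    for match in SYSLOG_LINE.finditer(raw):
        stamp, host, rest = match.groups()
        line = b" ".join((stamp, host, rest)).decode("ascii", "replace")
        if line in seen:          # same record recovered from two freed blocks
            continue
        seen.add(line)
        ts = datetime.strptime(f"{year} {stamp.decode()}", "%Y %b %d %H:%M:%S")
        entries.append((ts, line))
    entries.sort()
    return entries


def largest_gap(entries):
    """Longest interval with no recovered entry: (minutes, start, end)."""
    if len(entries) < 2:
        return (0.0, None, None)
    best = (0.0, None, None)
    for (t0, _), (t1, _) in zip(entries, entries[1:]):
        minutes = (t1 - t0).total_seconds() / 60
        if minutes > best[0]:
            best = (minutes, t0, t1)
    return best


def main(argv):
    # Usage: carve.py [image-file]; with no argument the constructed sample is used.
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            raw = fh.read()
    else:
        raw = RAW_IMAGE
    entries = carve_syslog(raw)
    for ts, line in entries:
        print(ts.isoformat(sep=" "), line)
    minutes, start, end = largest_gap(entries)
    print(f"recovered {len(entries)} entries; largest gap {minutes:.1f} min "
          f"({start} -> {end})")


if __name__ == "__main__":
    main(sys.argv)
```

Carving by timestamp pattern is crude but it matches how the thread describes the work: there was no filesystem metadata left to trust, so the only handle on the deleted records was their own fixed format. The gap report is what turns the recovered pile into a statement a responder can make ("we are blind between 14:03 and 14:44") and later hand to the ISP whose dial-up logs cover that window.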
