Firewall Wizards mailing list archives
RE: OK, I've been hacked, now what?
From: sedwards () sedwards com
Date: Wed, 5 May 1999 00:37:39 -0700 (PDT)
I must admit, I was so taken aback by your response I had to check to see if the domain "bestbuy.com" was the "technology and entertainment products" retailer or some random ISP :) I consider any kind of security breach to be a serious incident. I would be very surprised if Best Buy would consider "cp original.html index.html" to be the appropriate response to having their e-commerce web page hacked.

Since you state you were not aware of the facts of the hacking incident, I'll repeat a few of the key points...

This (like your employer's site) is a revenue producing site with online credit card processing. This is one host in a network of about 30 Sun, SGI, Intel and Alpha hosts serving about a thousand domains.

When the hack was discovered, we notified senior corporate management. We then physically disconnected the host from the net and called all available admins into the office (the hack occurred on a Saturday). We then mapped out our response.

We turned off (not shut down) the host and pulled the drives out of the host. We divided the available staff into two teams -- the "restoration" team to restore the site and the "forensic" team to determine the "depth" of the breach.

The "forensic" team installed the drives in a host that had not been put into production yet. The drives were mounted read only to preserve the "evidence." When the "forensic" team determined that the hacker had obtained a root shell and had tweaked the password file, all resources were focused on changing all of the passwords on all of the hosts, routers and switches. The teams then returned to their assignments.

The "forensic" team determined which files had been accessed and which files had been modified. Since the hacker deleted all of the log files, various scripts and programs were written to scavenge the raw disk devices to recover as much of the logs as possible. They were surprisingly successful -- recovering all but about 40 minutes of the log files. By using this information, the method used to compromise the host was determined with reasonable certainty, as was information sufficient to allow the hacker's ISP to take steps to preserve the logs from their dial-up server so they will be available for the appropriate legal response.

When the "restoration" team was ready, they deleted the suspected CGIs before connecting the host back up to the net.

In retrospect, I consider our response to be appropriate and efficient. The only thing I will do differently next time is that I will have a written plan to start with :)

The cost estimate I presented does not include any of the changes we've made to improve the security of the site beyond the cost to identify the offending CGIs and delete them -- no "superficial" software or hardware used to inflate the cost of the intrusion. Actually, I am surprised the cost of the intrusion was so low. I'm curious why you don't consider the cost of identifying and eliminating a security hole the "fault of the hacker"?

Your house break-in analogy is unrealistic -- at best an insurance policy pays replacement costs, not the cost to turn your house into Fort Knox. Your Rolex analogy does not hold water either -- just because I leave my watch within your reach does not give you the right to take it from me, it just deprives me of the expectation of sympathy from my peers.

Methinks your allegiance shows when you bring up Kevin Mitnick. Where did that come from? Nobody's trying to hang this on him :)

Since you seem to like physical analogies, how about this one: One morning, one of your store managers arrives to find the window display inside the store "hacked" with "Free Kevin" stickers. Is he going to remove the stickers and hope that it doesn't happen again? Not if he values his job. Having every entrance to the building examined, interviewing the janitorial staff and having the stickers dusted for prints all sound like responsible actions. How about taking inventory and examining stock for tampering? So who is responsible for the cost of these actions? These costs can get huge. Imagine that instead of pushing boxes your stores sold aspirin. Every bottle is now suspect and must be examined. A paranoid manager may decide to pull all stock and have it destroyed rather than risk the exposure.

Your claim that "It is often the case that figures of such are made up to bring about a prosecution" needs to be substantiated. I would counter that I believe the prosecution would err on the conservative side rather than risk having the case tossed out of court or being hit with something like "filing a fraudulent action" or "malicious prosecution."

On Mon, 3 May 1999, Scott, Richard wrote:
Greetings all,

I was just wondering about these so-called costs. Let's assume your web page was defaced. That your original index.html or whatever had in fact been copied to old.html, and a new page inserted (the hacked page). Now I am not aware of the hacking incident; more information may be more helpful here.

Now if it is the case that the original page has been moved, what are the real costs in replacing it by moving it back to index.html? The fact that the security hole already existed shouldn't be placed in the cost of the intrusion. The cost of beefing up security, maybe replacing software/hardware, shouldn't be placed into these superficial figures. If you include costs for increasing the security due to the hole, then this is of no fault of the hacker. The hole existed beforehand. In fact, I would go so far as to say that it's fraudulent use of figures.

It's analogous to a house break-in. You add to the insurance claim the cost of providing 24hr surveillance because of the security hole, or maybe the use or purchase of hi-tech keys, because the keys were picked.

It's all too often heard that companies who are hacked claim millions of $ worth of damage, and maybe that is the case. But these are more often the case beefed-up figures, including R/D, advertising, management costs, etc etc.... Maybe one would take a look at this and state: "if this is worth so much, why are we leaving it out on the street?" Just the question a police officer/insurance person would ask when you told them you left a Rolex watch on the path outside the house, but inside a locked 2ft gate.

The bottom line is, how much did it cost to return the site to its original state, plus the business lost (in terms of EC) that the company underwent. It is often the case that figures of such are made up to bring about a prosecution. And this may be the case in the Mitnick case. I would advise people to be honest in judging the loss caused by intrusions.

Richard Scott (I.S.)
E-Commerce Team * Tel: 001-(612)-995-5432 * Fax: 001-(612)-947-2005 * Best Buy World Headquarters 7075 Flying Cloud Drive Eden Prairie, MN 55344 USA
This '|' is not a pipe

-----Original Message-----
From: sedwards () sedwards com [SMTP:sedwards () sedwards com]
Sent: Friday, April 30, 1999 12:38 AM
To: Antonomasia
Cc: firewall-wizards () nfr net
Subject: Re: OK, I've been hacked, now what?

On Fri, 2 Apr 1999, Antonomasia wrote:
> From: sedwards () sedwards com
>
> > Yes it's true, one of my client's web page was hacked. The attack
> > occurred on March 27.
[snip]
> Estimate the cost of the incident (when considered finished).
> Actually I'd like to know too since you've been kind enough to
> talk about it.

Rough guesstimates:

Personnel              Hours   Rate    Cost
----------------------------------------------------
senior management          6    300    1800
mid-management             6    150     900
senior consultant         16    150    2400
senior admin               8     75     600
mid-admin                  8     50     400
junior admin #1            4     30     120
junior admin #2            4     30     120
junior admin #3            4     30     120
"retired" hardware                      600
lost revenue                            500
----------------------------------------------------
                                       7560

Note that this does not include the costs of pursuing legal avenues since these are still in motion. The impact of this attack was mitigated by the availability of spare hardware on hand and reasonably fresh backups -- we pulled the drives out of the compromised host, replaced them with spares, installed the OS from CDs and restored the site content from tape.

Thanks in advance,
------------------------------------------------------------------------
Steve Edwards sedwards () sedwards com Voice: +1-760-723-2727 PST Newline Pager: +1-760-740-1220 Fax: +1-760-731-3000
Thanks in advance, ------------------------------------------------------------------------ Steve Edwards sedwards () sedwards com Voice: +1-760-723-2727 PST Newline Pager: +1-760-740-1220 Fax: +1-760-731-3000
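The log-scavenging step described in the message above (syslog files unlinked by the intruder, then recovered by scanning the raw disk devices), as an added example that is not code from the original thread: a Python script that carves BSD-syslog-format lines out of a raw image, collapses duplicate sightings, orders them by time and reports the largest gap, which is the window that did not come back. SAMPLE_IMAGE is a constructed byte string, not recovered data; the year 1999 is an assumption because classic syslog stamps carry none; carve_device's chunk and overlap sizes are illustrative choices.

```python
"""Carve syslog-style lines out of a raw disk image and measure what is missing.

Added example for this thread, not code from the original post.  SAMPLE_IMAGE
is constructed, not recovered data; the year is an assumption because classic
syslog timestamps do not carry one.
"""
import re
from datetime import datetime

# Constructed sample: a few syslog lines interleaved with binary junk, the
# way freed blocks look after /var/log has been unlinked.  Out of time order
# on purpose: freed blocks come back in disk order, not log order.
SAMPLE_IMAGE = b"".join([
    b"\x7fELF\x01\x01\x01\x00junk\x00",
    b"Mar 27 14:02:11 www sshd[1021]: Accepted password for root from 10.1.2.3\n",
    b"\xff\xfe\x00\x00",
    b"Mar 27 14:43:45 www su[1031]: root on pts/2\n",
    b"\x00" * 32,
    b"Mar 27 14:03:45 www httpd[2201]: GET /cgi-bin/form.cgi HTTP/1.0\n",
    b"not a log line\n",
    b"Mar 27 14:02:30 www inetd[210]: telnet from 10.1.2.3\n",
    b"Mar 27 14:02:30 www inetd[210]: telnet from 10.1.2.3\n",  # same block seen twice
])

# Classic BSD syslog: "Mmm dd hh:mm:ss host message".  The message is limited
# to printable ASCII so a run of binary data cannot pass for a log line.
SYSLOG_RE = re.compile(
    rb"(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) "  # month
    rb"([ \d]\d) "                                           # day, space padded
    rb"(\d\d:\d\d:\d\d) "                                    # time
    rb"([A-Za-z0-9._-]+) "                                   # hostname
    rb"([ -~]{1,200}?)\n"                                    # printable message
)


def carve_syslog_lines(image, year=1999):
    """Return sorted (timestamp, line) pairs for every syslog-looking line.

    Identical lines found more than once (the same block reached twice, or an
    overlapping read) collapse to a single entry.
    """
    found = {}
    for m in SYSLOG_RE.finditer(image):
        mon, day, hms, host, msg = (g.decode("ascii", "replace") for g in m.groups())
        stamp = datetime.strptime(f"{year} {mon} {int(day)} {hms}", "%Y %b %d %H:%M:%S")
        found[m.group(0)] = (stamp, f"{mon} {day} {hms} {host} {msg}")
    return sorted(found.values())


def carve_device(path, year=1999, chunk_size=1 << 20, overlap=4096):
    """Stream a raw device node or dd image through carve_syslog_lines.

    Consecutive reads overlap by `overlap` bytes so a line straddling a read
    boundary is still seen whole; dedup absorbs the double sighting.  Open the
    raw device read-only, never a mounted filesystem.
    """
    seen = {}
    tail = b""
    with open(path, "rb") as fh:
        while True:
            data = fh.read(chunk_size)
            if not data:
                break
            buf = tail + data
            for stamp, text in carve_syslog_lines(buf, year):
                seen[text] = stamp
            tail = buf[-overlap:]
    return sorted((stamp, text) for text, stamp in seen.items())


def largest_gap(entries):
    """Longest silence between consecutive recovered lines.

    Returns (start, end, minutes), or None with fewer than two lines.  The
    biggest gap is the stretch scavenging did not bring back; the thread's
    "all but about 40 minutes" is this number.
    """
    if len(entries) < 2:
        return None
    pairs = zip(entries, entries[1:])
    (start, _), (end, _) = max(pairs, key=lambda p: p[1][0] - p[0][0])
    return start, end, (end - start).total_seconds() / 60


if __name__ == "__main__":
    lines = carve_syslog_lines(SAMPLE_IMAGE)
    for stamp, text in lines:
        print(stamp, text)
    print("largest gap: %s -> %s (%.0f min)" % largest_gap(lines))
```

Point carve_device at the raw node of the pulled drive (or a dd image of it), not at a mounted filesystem, so nothing is written back and the carving sees freed blocks too. The timeline that comes out is a floor, not a record: anything inside the largest gap has to be treated as unknown rather than clean, which is what justifies the password rotation and the inventory of accessed and modified files in the message above.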
Current thread:
- RE: OK, I've been hacked, now what? Scott, Richard (May 04)
- Re: OK, I've been hacked, now what? Joseph S D Yao (May 05)
- RE: OK, I've been hacked, now what? sedwards (May 05)
- Re: OK, I've been hacked, now what? Crispin Cowan (May 06)
- Re: OK, I've been hacked, now what? Bluefish [@ home] (May 16)
- Re: OK, I've been hacked, now what? Crispin Cowan (May 06)
- <Possible follow-ups>
- RE: OK, I've been hacked, now what? Scott, Richard (May 05)
- Re: OK, I've been hacked, now what? Joseph S D Yao (May 05)
- RE: OK, I've been hacked, now what? Scott, Richard (May 05)
- RE: OK, I've been hacked, now what? sedwards (May 07)
- RE: OK, I've been hacked, now what? Scott, Richard (May 07)
- RE: OK, I've been hacked, now what? Chris Tobkin (May 10)
- RE: OK, I've been hacked, now what? kevin . sheldrake (May 11)
- RE: OK, I've been hacked, now what? dbell (May 12)
(Thread continues...)