Re: Things that make you go "Hmmm"

[Matt <smp.repicky () gmail com>]

In a good company Incidence Response isn't dictated by any of what you
said above.  It's dictated by policy.  Because if you stand around too
long gathering all the information, be it usable or not, you're doing
2 things.

1.  You're wasting time.

2.  You're possibly prejudicing yourself to one side or another.

You don't make assumptions, you don't find out if the government is
interested in prosecuting based off any information you can acquire,
cause i assure you, they won't be unless you've lost hundreds of
thousands of dollars.  And you absolutely never, ever have a suspect
in mind when you start examining a machine.  Which usually leads my
bad to my first statement, Dictated by policy.  Usually in order to
have someone without prejudice examine a machine, an outsider or
someone without knowledge of the event will be brought in and not told
anything other than the box is suspect.  They will then examine the
box, look for any traces of wrongdoing on the box, record it carefully
and present you with the findings.  If in their search they can find
some trail that leads them to an individual, be it a real name or an
alias, they will then make their judgement as to if that person is
then a suspect.

That is the way proper forensics is carried out.

And this all brings me back to my original message.....

> they're still just that stupid
Cause anyone who leaves a box connected to the internet that doesn't
need to be deserves to have it hacked.  Especially if they're not
firewalling it off carefully.  Just cause the Internet is out there
doesn't mean you've got to be a part of it with your lame box.


--

On Thu, 3 Mar 2005 12:39:21 +0000 GMT, Jason Coombs <jasonc () science org> wrote:
> Wow, James.
> Very nice analysis.
> You've drawn invalid conclusions based on speculations, but it's the thought process that matters most in incident 
> response, and you've got a decent ability to infer possibilities from limited information. At least you get yourself 
> to the point where you can ask good questions. That's hard to teach.
> Do you work incident response?
> I don't think the forensics.PivX.com Linux box was doing anything other than sitting there wearing a fancy FQDN... 
> But that's not something that I know about for sure. I haven't been an employee of PivX since September.
> I do know that I was accused of doing something to the box.
> If the assertion that I received from two different sources, that the box was compromised in some way, was itself 
> based on bad information, then I may have passed on bad information.
> Whether or not that is so will require expert forensic analysis and opinion testimony that, as you point out, may now 
> be impossible due to "re-imaging".
> The 'incident' here, to continue your thought process for you, may be as simple as a malicious ex-employee who is 
> just trying to spread rumors in order to harm the company.
> How would you advise your client that such an incident be handled?
> For starters, you'd see if you can interest law enforcement in prosecuting based on the presumption of guilt. As a 
> public company in the U.S.A. you would have extra leverage of securities laws, as criminal charges could be filed 
> against anyone who may have tried purposefully to manipulate the company's stock price.
> Then there's tortious interference in trade. No person or entity is allowed to interfere with the capability of 
> another person or entity to interest others in doing business, or continuing to do business, with them, by any but 
> fair means of competition.
> http://www.lectlaw.com/def2/t061.htm
> Doing so results in a cause of action that may be brought in civil court.
> Does this apply to sincere and truthful communications with one's peers on full-disclosure, when that communication 
> results in the (temporary) appearance of diminished capacity to effectively compete? What if there is no thought 
> whatsoever of competition? What if the interest and motive are purely the best interest of the security community at 
> large? How then does tortious interference come into play as a result of simple security-related communications?
> Wasn't this essentially the argument made by HP against SnoSoft for publishing Tru64 vulnerability exploits? Sure, 
> the DMCA and Computer Fraud and Abuse Act gave the appearance of substance to the accusations for a short time, based 
> on fears that speech could now be curtailed just by alleging that it was harmful to the copyright or computer 
> security of an owner of same, in essence abusing courts' and legislators' lack of understanding of technical jargon 
> to gain new power and advantage, and thus increased economic value, from intellectual property rights...
> http://www.theregister.co.uk/2002/07/31/hp_invokes_dmca_to_quash/
> ... but isn't it the same thing in different terms when we declare other people's speech, and their important and 
> valuable communications, to be illegal or to be a justification for lawsuit based solely on the difference of status, 
> the speaker being not an owner and the subject of the speech being an owner of property, or the subject of speech 
> being an artificially created storehouse of perceived value with perpetual existence (i.e. a corporation) ? Why do 
> natural persons have inferior rights and fewer complex civil and criminal legal protections than do artificial 
> persons in possession of immortality?
> Surely the natural person is entitled to a level playing field, something to balance out the harm that is otherwise 
> done to natural persons' sense of self-worth and hopefulness for the future during their short and relatively 
> insignificant existence compared to that of a corporation?
> Next in your incident response, James, you might examine any contracts that bind the suspect, and ascertain whether 
> there was any duty of care or misuse of company property or violation of confidentiality agreements that might give 
> rise to a cause of action against the individual for passing on the bad information as a breach of contract or as 
> defamation of character.
> Bearing in mind that this cause of action will hinge on the question of fact with respect to the server's true 
> condition. Passing on something that is believed to be true may not be enough to save the offender from liability for 
> defamation if it turns out that person could have or should have known the information to be false and acted 
> recklessly.
> Your point that if a mail server is compromised, why wouldn't the attacker send bogus e-mail all day long, creating 
> fights and watching them spiral out of control, is very insightful.
> This does happen in the real world.
> Information forensics is a very strange business, and incident response often takes you where you least expected to 
> go at the outset.
> Shouldn't we be allowed to speak in public with relative freedom on subjects of substance and importance to the 
> security and awareness of others?
> Shouldn't we be allowed the freedom to learn from our mistakes, as we make them, and deal with others in society with 
> open hands and full disclosure? Shouldn't there be protections of persons who risk imprisonment, fines, and civil 
> liability in order to do the right thing in truly impossible circumstances?
> I believe so, and judging from the response I have received, it is clear that there are some who believe that I have 
> just risked imprisonment, personal bankruptcy, and perhaps even death from the vengeful wrath of angry millionaires 
> in order to find out.
> I pray that I am right, and that the doomsayers and other legal professionals are wrong, and that the higher 
> interests of ethical actions and security research weigh more heavily on the outcome than do anger and malice.
> Sometimes incident response is triggered early enough that harm can be avoided almost completely... If people do the 
> right things, and follow the right thought process to discover the true incident to which a response is required and 
> is urgently necessary.
> Sincerely,
> Jason Coombsjasonc () science org
> -----Original Message-----
> From: James Tucker <jftucker () gmail com>
> Date: Thu, 3 Mar 2005 09:47:38
> To:Matt <smp.repicky () gmail com>
> Cc:full-disclosure () lists netsys com
> Subject: Re: [Full-disclosure] Things that make you go "Hmmm"
>
> [complete snip]
>
> What amazes me most having read this whole thread, is not so much that
> a server may have been hacked; this happens if you gain enough
> attention from the wrong people and do not build your systems hard
> enough (like people in a failing company).
>
> I am amazed that a forensics box was the target, moreover, that it was
> capable of being the target, and even more amazed that in fact it was
> a corporate mailserver.
> 1. If the box was to be used for forensics research, it is likely that
> it contains sufficient tools in certain user accounts to do any amount
> of damage to the system and to view almost every important property of
> it in a relatively short space of time. To put such a system in a high
> point of exposure, or in a point of high information value (such as
> running a mailserver from it) is extremely bad practice.
> 2. The company uses spamsoap store and forward. If the mail server was
> configured to retrieve mail from spamsoap it is entirely possible that
> the store and forward account was also compromised, leading to
> potential disclosure without continued access to pivx network
> infrastructure.
> 3. If the machine was so core to infrastructure why was it given a
> live dns address so close to the domain root?
> 4. Pivx' (lack of proper) response to the issue. They had a box
> labelled "forensics" hacked, and "it is being re-imaged". So in other
> words, it's going to be returned to the same state as it was
> originally, without any forensics work taking place.
> 5. If "re-imaged" there is nothing to suggest that the previously used
> exploits will not work again on the new system, thus the need for
> proper forensics work, which has clearly been neglected.
> 6. Recent major disclosure of internal publications and
> communications, there are allot of clearly frustrated employees within
> pivx each of which may be attempting to cover their tracks of
> information disclosure by hacking, or allowing said machine to be
> hacked.
> 7. Given the nature of the company and the configuration which they
> would seem to be referring too there is no good reason why the server
> in question was publicly accessible at all, there is a perfectly good
> store and forward service which can happily be the sole external
> communicator with the box.
> 8. The forensics department seems to be out of contact with the
> operations staff, who seem to be not directly related to the
> "corporate counsel". Who is actually in charge of your company? I am
> beginning to think the hacker has more control than any of you.
> 9. Discussions of server exploitation via potentially disclosed
> communications mediums. In the event that the hacker had successfully
> spread from forensics.pivx.com to some other machine (not unlikely
> being your displayed e-mail etiquette) then the mails you send
> discussing the matter may also have been compromised. In essence you
> do not know where the mail has come from, who sent it, or when it was
> sent. In fact there is no reason to trust anything in or out of pivx
> right now.
> 10. Evident lack of experience dealing with internal corporate
> security issues and poor communication leading to wide spread
> disclosure of potentially damaging situations without explained cause
> or reason.
>
> I would strongly suggest that any and probably all of Pivx financial
> issues are products of the above, or situations similar to the above.
> This company is not capable of picking up the phone or reaching
> individuals over any secured transport medium. In fact it would seem
> that everyone knows a little of something, but not even allot. There
> is deceit and destruction occurring from within the company. My
> suggestion to Pivx as a whole is to stop what you are currently doing,
> look at your infrastructure (human and systems) and decide what CAN be
> managed and what CANNOT. Remove immediately that which cannot be
> managed and begin MANAGING that which can. There is no reason to keep
> any employees which are not capable of full filling the company goals.
> A company is a team so someone trying to score at the wrong end is no
> use at all.
>
> I am sure your investors are mighty excited to hear the next
> installment. If you still have any value in your company, given that
> you had an attack and you destroyed all the evidence of what was done.
> What if a mail was captured containing sufficient information to gain
> access to build files for your products?
> Have you verified the contents of the applications on your web servers?
> Are your customers safe from attacks?
> Are you un-knowing as to the status of your system automations such as
> updates and the current state of information flow out of the company?
>
> Whilst it is true from this point that Jason Coombs may have thought
> the box was being hacked during the time when some other member of the
> business was performing critical updates or some other management
> function, there is no good reason why Jason was not aware of this
> before it happened. If Mark is confident that the box has not been
> hacked, then he needs to take actions to find out what is going on
> with Jason and most importantly why he is informing the world of false
> facts which damage the corporate image.
>
> This is surely a dark shadow now hanging over pivx. Further disclosure
> may be the only way to regain respect from the security industry, but
> given the complete (and entirely public) contradiction between two
> senior managers this may be difficult.
>
> I am flabbergasted. The entire interaction of this thread is wholly
> bad practice and gives the appearance of a company which is completely
> out of control. Pivx should be preparing a full formal press release
> to (attempt to) clear this up.
>
> wow. absolutely wow.
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html