Full Disclosure mailing list archives

Re: How we caught an Identity Thief

From: Barrie Dempster <barrie () reboot-robot net>
Date: Mon, 20 Feb 2006 14:32:33 +0000

On Mon, 2006-02-20 at 09:15 -0500, Babak Pasdar wrote:

1. I had to get back to our office from the client site over an hour
away :)  Laws of physics to New York City traffic apply no matter what.


Then notifying us of the timescale was irrelevant, as it was worded it
seemed like it was listed as an achievement.

2. The client or a security company's network are not the best source
for scanning and investigation activities.  Lest you have someone who
looks for these early signs of the investigation.  Scans have to be
alternately sourced.


Indeed, but we had no indication of where you were. No need for a site
visit if the entire incident relates to online content. The entire
scenario could have been conducted over the phone with you in your
office.

3. Running a few commands by no means is an indication of a fully
packaged and verified set of information. A forensics case has to be
started fully documenting all actions and times for possible future
reference in legal proceedings.  Rushing through something like this and
not following procedure is the first step in being caught with your
pants down later.


There was no need for any of the scanning you had done. I doubt the
results of the scans provided any evidence more compelling than the web
page. If there was grounds to contact law enforcement on that alone then
the scanning (done cautiously or not) was irrelevant and possibly even
negligent as it could have led to the suspects realising someone was
paying attention to them, putting them one step ahead of their pursuers.

If there is a case for legal action, then get the responsible legal
experts on board and stop playing around.


-- 
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue

"He who hingeth aboot, geteth hee-haw" Victor - Still Game

blog:  http://reboot-robot.net
sites: http://www.bsrf.org.uk - http://www.security-forums.com
ca:    https://www.cacert.org/index.php?id=3

Attachment: smime.p7s
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

How we caught an Identity Thief Babak Pasdar (Feb 20)
- Re: How we caught an Identity Thief Barrie Dempster (Feb 20)
  - Re: How we caught an Identity Thief Babak Pasdar (Feb 20)
    - Re: How we caught an Identity Thief Barrie Dempster (Feb 20)
    - Re: How we caught an Identity Thief Babak Pasdar (Feb 20)
    - Re: How we caught an Identity Thief Valdis . Kletnieks (Feb 20)
    - Re: How we caught an Identity Thief Babak Pasdar (Feb 20)
    - Re: How we caught an Identity Thief Valdis . Kletnieks (Feb 20)