Full Disclosure mailing list archives

Re: How we caught an Identity Thief


From: Valdis.Kletnieks () vt edu
Date: Mon, 20 Feb 2006 13:16:04 -0500

On Mon, 20 Feb 2006 12:22:35 EST, Babak Pasdar said:

> I would just like to ask you and others not to make presumptions about
> our preparedness, the intelligence of our consultancy, our script
> writing capabilities or the depth of our team, since I did not emphasize
> or define those things in the story.

You may not have "emphasized", and you may not have thought you "defined", but
between the story and your reply, you left enough info lying around for people
to figure things out....

The nasty thing about information leakage is that you usually don't even know
it's happening.  For instance, *YOU* said: "I had to get back to our office
from the client site over an hour away" as a partial explanation of why something
took hours. Now, this has 3 possibilities: (1) It's a lie to cover up an even
more lame reason for it taking hours, or (2) the company was stretched too thin
and didn't *have* anybody else qualified to do basic incident response and recon,
or (3) your company in fact had others available, but didn't give a shit and didn't
bother dispatching anybody else until you got to the office.

This sort of stuff is why back in 1977, the designation of information as
"sensitive but unclassified" was devised - to cover the case of data that seems
innocuous, but can be combined with other data to infer secret data (for
instance, figuring out how many big IRIX systems SGI sold to the NSA and DoD
by looking at their total sales, the systems listed on the Top500 list, and
looking for discrepancies...)

Obligatory security tie-in:  Kevin Mitnick's greatest strength was using this
sort of leaked info and leveraging it into a complete exploit.

> I would certainly like to ask you
> not to minimize the time and effort it takes to build a good forensics
> case.

There *is* a certain amount of rigor required in building the case.  However,
it certainly shouldn't take *hours* to do basic recon.  And in fact, if you
take *too* long, this can actually *ruin* your case.  The opposing attorney
can make the implication that during the intervening hours, somebody else had
altered the data - leaving *you* to prove that such a thing didn't happen.

And although it may have been safe to take hours back in 2001, it's certainly
not in 2006 - see Gadi's recent posting on fast-flux attacks for an indication
of what time frame you need to respond in.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
