Security Incidents mailing list archives

Re: probe backs? was Re: [INCIDENTS] Korea


From: mpemble () ISINTEGRATION CO UK (Matthew Pemble)
Date: Tue, 1 Feb 2000 08:34:42 -0000


This thread seems to be boiling down (apart from the gripes about Korea)
to:

"If you are probed by a system, what are your moral and legal rights to do
'something' about it?  And, what is an appropriate 'something'?"

I have no intention of spouting off about the law, basically because as
James Drissel showed, we are all from varying jurisdictions and even if I
was a lawyer, the appropriate law would vary considerably.  (In my case, it
is normally the UK's Computer Misuse Act 1990, and telnetting to the
rootshell would strictly be a Section One offence, but you would never get
prosecuted due to the lack of warnings.)

Morally then: two issues - we want to stop this happening again to us, and
we probably want to help the hacked computer's owners get their box back to
normal.

Most importantly, why have they / the source box been hacked?

1. They are too busy to monitor all the various bugtraqs and advisories and
   apply the appropriate patches when / if those are released.
2. They do not have the knowledge to monitor and apply as 1.
3. They are too lazy to m&a or otherwise just don't care.

Morally, 3 seems to be the easiest.  In that case, would you be justified in
any action (legal in your jurisdiction), which did not result in a DoS to
legit users, to protect your system?  Opinions (not flames), please.

In case 1 or 2, wouldn't you, as a harassed or newbie sysadmin, find a
reasoned and helpful statement of what was wrong with your system and how to
fix it more useful than a "You attacked my box, sort it or die" flame?  In
that case, wouldn't we need to do a little exploration (nmap scan, telnet,
check it really was a root shell in the Korea case) in order to put the
abuse email together?  Once again, what are the list's opinions?

Matthew Pemble, Senior Consultant, IS Integration,
Preston Technology Management Centre, Marsh Lane, PRESTON, Lancashire, PR1 8UD

Tel: +44 (0)1772 885850  Fax: +44 (0)1772 558881  Mob: +44 (0) 7050 128620

Mailto:mpemble () isintegration co uk  Web: http://www.isintegration.co.uk


