Security Incidents mailing list archives
Re: Interesting reply
From: "Forrester, Mike" <mforrester () HSACORP NET>
Date: Tue, 17 Oct 2000 15:07:11 -0600
As most of you pointed or hinted at, it's hard to determine if a remote system has been compromised that you don't have access to. We determine the problem by talking with the customer. Since we talk with quite a few people, you get a pretty good idea from talking to them what was going on. I know what you're all thinking, but I'd bet my "most" is fairly accurate. You'd be surprised at how many people share their whole hard drive with no password.

It's something that I don't think can be easily explained and is more of a gut feeling. I've talked to some that I know are playing dumb. Also, I know there are some that I thought were innocent and were not (if I have reasonable doubt, they get ONE more chance). Sure I could attempt to verify it by logging traffic, but right now we have more important things to do. The traffic and scans we see are quite different than most other companies (excluding ISP's). There's a reason why script kiddies go after the 24.0.0.0 network, easy prey.

Obviously, you don't have to trust or believe my "scientifically" gathered information. However, I'd bet money that at least 51% (that's why I said "most") of the problems we have are with compromised machines. My guess is in the 60-70% range. I could be wrong, but assuming (I know...) that there are more victims than perpetrators is a fairly safe assumption (especially on the 24.0.0.0 network).

Mike