Security Incidents mailing list archives

Re: Template Admin Notification


From: Dave Salovesh <salovesh () RAMASSOCIATES COM>
Date: Thu, 25 Jan 2001 13:51:16 -0500

-----Original Message-----
From: Terje Bless [mailto:link () TSS NO]
Sent: Wednesday, January 24, 2001 6:33 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Template Admin Notification


On 24.01.01 at 13:55, Martin Hoz Salvador -CITI Soporte <mhoz () CITI CITI COM MX> wrote:

- PGP SIGNED. This is serious.

Very! Anything not PGP Signed will potentially make me take it a little
less seriously. It's that "Reasonable Assumption of Non-Refutability" thing
again. You may also consider giving phone-numbers so I can reach you in a
hurry if the situation warrants it.

I don't even consider that optional - I make my first contact by phone
anyway, even if it's just to verify the email address, and I leave my name
and phone number everywhere I call.

These days you never know what you're getting into.  I've been in touch with
a DSL-connected family domain where their pre-teen daughter was tricked by a
chat friend into running portscans and trying rootkits on his behalf.  The
appropriate solution was for her parents to limit her time and supervise her
more closely, and a PGP signature or log excerpts would have confused them -
they only had their domain for the fun of it...

I've called up a small-town newspaper where they had a compromised system -
they said they knew it and had been taking heat about it for days.  They
told me that they had run their own systems for a long time, but the paper
had recently been sold to a holding company and the holding company
contracted out system management to someone who had locked them out of admin
functions on orders from the holding company.  Then things got eerie - I
asked who the contractors were, and it turns out that I used to work for
them!  I knew just who to call, the story checked out (and then some), the
hole was plugged in short order, and the system was cleaned up and normally
secured that same day.  I did them a big favor just by being me, but nothing
would have come of it if I had written to them; a PGP signature or log excerpts
were irrelevant.

Boilerplate letters have their place - I send them all the time for spam,
or when I just can't locate the right people - but if they're your only
approach you probably aren't getting as much done as you could be.

--
Dave Salovesh
RAM Associates, Inc.
(202) 543-3635

- Source IPs, ports, destination IPs and ports, giving times
 (start and ending times), giving also the timezone (this
 is pretty important).

I may have 1K+ potential sources in my care. Lack of detailed info makes my
task impossible as the one on the receiving end of the Notification.
Relate all times to GMT or, even better, UTC. While I /can/ figure out what
DST is in Nowhere, Michigan; I'd just as soon not have to.


- Polite language:
- How you found out about the attack (IDS, firewall logs,
 chance, etc...)
- The kind of attack you think you are dealing with...

So how many form-letters have you got from some cable-modem user with a
"Personal Firewall" with a shoddy configuration? I thought so. Make sure I
understand that you're for real from the get-go. Make sure I understand
that you're interested in solving the problem and not just venting steam at
me (i.e. the "Be Polite" bit). If you have a good guess as to the attack, I
may know its traffic pattern and be able to find the offender in 5
minutes. If I have to actually slog through logs the time increases
exponentially.

And set a realistic level of severity! If my users have knocked out
Microsoft's DNS I'll do what it takes to fix it. If one of your users gets
kicked from IRC by a bot from one of mine, I'll deal with it after I
placate Microsoft's network people. Well, it being MS.... :-)