Re: [incidents] Re: backdoor

[Jonas M Luster <jluster () d-fensive com>]

Quoting Daniel Wittenberg (daniel-wittenberg () uiowa edu):

> I don't think you're exactly comparing the same things.  How about
> someone broke into my house, planted bugs all over my hours, possibly
> set traps doors in the floor, and wired it to catch on fire when you
> leave.  The biggest problem I see with a compromise, is that you don't

To stay with your example is to come home, find the house bugged and
boobie-trapped, and based on that fact leveling it, just to build a
similar house (in less time than it'd take to clean it, agreed).

The neighbor's cat, which got snipered with gun from the upper windows
of your house is not brought back, right? But without at least dusting
for shoeprints, you'll never know HOW the bad guy got in. You'll build
the same house again, the bad guy got lucky once in this neighborhood
they might come back. So, when you simply level and reerrect the
house, you might make yourself an accessory to the neighbors dog being
snipered, too.

I've seen quite a number of intrusions in my life. Most of the systems
were reinstalled between four and six hours after detection - that is
after someone with sufficient clue took he 'live' snapshot, did the
on-analysis and removed the media to do the deeper forensic work. A
new harddisk in, reinstall, good. And by that time, one knows HOW the
bad guy got in and what he did.

The 'security through reinstallation' myth seems to have coined by all
those Certified Internet Snakeoil Sales People (CISSPs) and their
likes to conceal the fact that all their fancy certs don't help them
much when it comes to true forensic work.

See, I believe that a networked system brings with itself
responsibilities. Just like buying a car or a gun. It's a liability,
one should only accept if s/he knows how to resolve these problems in
a matter that keeps neighbors and other participants in the
'community', knows someone who's competent to do it, or can pay for
someone to do it.

> know what they did.  Also, with a lot of people it's a matter of time. 
> If it takes me 3 days to follow your instructions below, vs. 1-2 hours
> to rebuild the system from scratch, unless I have a lot of time to

An initial 'live' assessment takes 3-4 hours, reinstalling a system
from the latest backup between 1 and 3 hours, and applying the patches
to prevent the intrusion from happening again, based on the knowledge
gathered during the initial 3-4 hours, takes another 2 hours. So, I
guess, it's fair to say that it _will_ indeed take longer to do proper
forensics, but not 2 hours compared to 3 days but more like three
hours compared to six.

> systems compromised like this, but I've cleaned up plenty that have, and
> it's usually not worth the time and effort to figure out what all the
> little kiddies were doing.  I don't think there is any right answer to

And if it's just to find out if they did it to other systems from
yours, it's always worth the effort - at least in my book.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com