Security Incidents mailing list archives

RE: Ssh break that claims it was me?


From: "Viktor Larionov" <viktor.larionov () salva ee>
Date: Mon, 27 Oct 2008 17:21:28 +0200

Just as a matter of comment.
I absolutely agree with Kevin on this, especially as one may propose that the damage caused may not necessarily be the
"unknown hacker"'s deed, but a system administrator's fault or error, and eventually the result of his/her attempt to
"push the blame to someone else". In other words, "the butler" who did this may not necessarily be a stranger to this
organization.

On the other hand, correct me if I am wrong, but as far as I know, it is quite hard to convince federal law
enforcement to deal with cyber crimes even in the United States (not talking of other countries).
Usually these investigations take a huge time to start, and enormous effort to complete with any kind of result. No
results are guaranteed, of course, especially in light of law officials not being really keen on dealing with cyber
crimes. (According to Larry from Spamhaus, 70% of FBI agents are on anti-terrorism cases after 9/11, so I guess you are
left with 30% of them on other cases, including cyber crime.)
This may be a counter-argument to Kevin, but it is surely worth a try: you don't lose anything, and of course by this
you may show the client that you are also interested in investigating the case.

Regards and good luck!
Vik



-----Original Message-----
From: Kevin Wilcox [mailto:kevin.wilcox () gmail com]
Sent: Monday, October 27, 2008 4:28 PM
To: viktor.larionov () salva ee
Cc: makkalot () gmail com; incidents () securityfocus com
Subject: Re: Ssh break that claims it was me?


2008/10/27 Viktor Larionov <viktor.larionov () salva ee>:

And of course first of all check that it was really your user who did that. (If the .bash_history file under your
home directory is valid, you can easily see all the commands your user has executed in the recent past.)

I would go the opposite route with regards to the .bash_history and
logging into the machine again. I would immediately go to a solicitor
and the authorities with the email from your client and have the
server seized - once it is in control of the authorities, and the
sooner the better, I would let their auditors and technicians do the
forensics work.

Why would I take that approach? Because if you log in to the machine
now to start providing log-based evidence then it can be shown that
you were on the machine previously, some stuff got deleted, you were
sent an email about it, you logged in again and could have been
modifying logs/timestamps/etc to cover your tracks. It's usually
better to get trusted law enforcement agencies involved very early so
that *they* can be the ones to do the audit on the machine, not the
accused party.

This is, of course, based on my understanding of my local, state
and federal law, specific to the United States. You may be in an area
where the laws are completely different. In either event I would
consult a local legal expert.

My humble opinion.

kmw

-- 
Far better is it to dare mighty things, to win glorious triumphs, even
if checkered by failure, than to take rank with those poor spirits who
neither enjoy much nor suffer much, because they live in the gray
twilight that knows not victory or defeat.
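The two replies above differ on whether the accused admin should look at .bash_history himself. Whoever ends up doing it (ideally the seized machine's examiner, per Kevin, working from a copy of the file rather than a fresh login), the check Viktor describes is mechanical enough to script. The following is an added example, not code from either poster: it parses a copied bash history (bash writes a `#<epoch>` marker line before each command when HISTTIMEFORMAT was set; commands without a marker carry no time, which itself hints the file was appended to by another shell or edited by hand), flags destructive or anti-forensic commands, and records a SHA-256 of the copy so the examiner can later show the file was not altered after hand-over. The sample history and the keyword list are constructed for illustration.

```python
"""Examine a *copy* of .bash_history and hash it for custody.

Added example for this thread (not from either poster). It never touches
the live host; it is meant to run on a file handed to the investigating
party. SAMPLE_HISTORY below is constructed, not real evidence.
"""
import hashlib
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed sample. bash emits "#<epoch seconds>" before each command when
# HISTTIMEFORMAT is set; the two unmarked lines mimic entries written by a
# shell without that setting, or by someone editing the file afterwards.
SAMPLE_HISTORY = """\
#1225110000
ls -la /var/www
#1225110042
cd /var/www/clientsite
rm -rf uploads/
#1225110100
sudo rm -rf /var/www/clientsite/public
unset HISTFILE
"""

# Illustrative keyword list (assumption, extend for the case at hand):
# deletion plus the usual ways of stopping the shell from recording itself.
DESTRUCTIVE = ("rm -rf", "unset HISTFILE", "history -c", "shred ")

Entry = Tuple[Optional[datetime], str]


def parse_history(text: str) -> List[Entry]:
    """Return (timestamp-or-None, command) pairs in file order.

    A '#<digits>' line is the UTC timestamp of the command that follows it.
    A command with no preceding marker gets None.
    """
    entries: List[Entry] = []
    pending: Optional[datetime] = None
    for line in text.splitlines():
        if line.startswith("#") and line[1:].isdigit():
            pending = datetime.fromtimestamp(int(line[1:]), tz=timezone.utc)
            continue
        if line.strip():
            entries.append((pending, line))
            pending = None          # a marker applies to exactly one command
    return entries


def flag_destructive(entries: List[Entry]) -> List[Entry]:
    """Commands worth a second look: deletion or history tampering."""
    return [(ts, cmd) for ts, cmd in entries
            if any(pattern in cmd for pattern in DESTRUCTIVE)]


def unmarked_count(entries: List[Entry]) -> int:
    """Number of commands with no timestamp marker (possible edits/appends)."""
    return sum(1 for ts, _ in entries if ts is None)


def custody_hash(text: str) -> str:
    """SHA-256 of the copy as received, to be recorded with who took it and when."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    hist = parse_history(SAMPLE_HISTORY)
    print("sha256:", custody_hash(SAMPLE_HISTORY))
    print("commands:", len(hist), "unmarked:", unmarked_count(hist))
    for ts, cmd in flag_destructive(hist):
        print(ts.isoformat() if ts else "no timestamp", "|", cmd)
```

Note what this does and does not prove: bash only appends the history when the shell exits, and a user who ran `unset HISTFILE` or `history -c` leaves no trace of what came after, so an empty or "clean" history is not exculpatory. That is the reason for also pulling the SSH authentication log and the file system timestamps, and for letting a neutral party do it.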


