Penetration Testing mailing list archives
Re: Odd situation, advice needed on penentration test results
From: Ido Dubrawsky <idubraws () cisco com>
Date: Wed, 26 Mar 2003 19:16:09 -0500
On Wed, Mar 26, 2003 at 02:01:44PM -0800, Harlan Carvey wrote:
> Ido, I would agree that the system needs to be secured, but what good does shutting down the system do if you lose all of the volatile data, such as running processes, network connections, etc? How do you trace the issue back to whomever is responsible if you don't even know what IP address they're coming from, b/c you've lost the volatile data?
That's where network packet logging and possibly IDS would be useful. I agree that capturing the IP source address is important.
> I'm not sure I completely understand your reasoning here. If you unplug the power from the system, and the NIC goes down (due to lack of power), wouldn't the system itself shut off? Wouldn't the hard drive stop spinning and the CPU no longer process instructions? If that's the case...how's a logic bomb going to execute?
Actually, that's what happens when you have two trains of thought in your head and only write half of each. I meant to say that you should be careful because the intruder may have set up a logic bomb that if the network interface goes down then the system (or at least his files) get wiped. That's the reason why it may be better to simply unplug the system at the power source since then there should (theoretically) be no way for a logic bomb that triggers on network interface connectivity from wiping the system before you have a chance to capture the drive image. I was writing on two things and forgot to make sure I was complete on both of them. Sorry.
Ido
--
Ido Dubrawsky, E-mail: idubraws () cisco com
Network Security Architect
VSEC Technical Marketing, SAFE Architecture Team
Cisco Systems, Inc.
Silver Spring, MD. 20902