Firewall Wizards mailing list archives
RE: OK, I've been hacked, now what?
From: "Scott, Richard" <Richard.Scott () bestbuy com>
Date: Wed, 5 May 1999 13:25:50 -0500
Where shall I begin ;-)

sedwards () sedwards com stated:

> I must admit, I was so taken aback by your response I had to check to see if the domain "bestbuy.com" was the "technology and entertainment products" retailer or some random ISP :) I consider any kind of security breach to be a serious incident. I would be very surprised if Best Buy would consider "cp original.html index.html" to be the appropriate response to having their e-commerce web page hacked.

Well, I can not comment for Best Buy, but if someone's hack was just that, I wouldn't make up huge expensive costs. One would assume that a) if the site is used for e-commerce, a firewall would have been properly set up along with relevant security policies, b) the site, when defaced, is up and running first, c) recovering info on the break-in. Let me state first that by all means, if your site is online and you have no security policy, what on earth are you doing? As you mentioned above, cp'ing the files isn't the end-all of things.

> Since you state you were not aware of the facts of the hacking incident, I'll repeat a few of the key points... This (like your employer's site) is a revenue producing site with online credit card processing.

Let's make this clear: is there any site doing e-commerce making money? Amazon.com aren't, CDnow aren't, they are all battling for market share! ;-)

> This is one host in a network of about 30 Sun, SGI, Intel and Alpha hosts serving about a thousand domains. When the hack was discovered, we notified senior corporate management. We then physically disconnected the host from the net and called all available admins into the office (the hack occurred on a Saturday).

Hmm, how many firewalls had you set up? Were you using encrypted connections, VPNs, PPTP? Screening routers?

> We then mapped out our response. We turned off (not shutdown) the host and pulled the drives out of the host. We divided the available staff into two teams -- the "restoration" team to restore the site and the "forensic" team to determine the "depth" of the breach. The "forensic" team installed the drives in a host that had not been put into production yet. The drives were mounted read only to preserve the "evidence." When the "forensic" team determined that the hacker had obtained a root shell and had tweaked the password file, all resources were focused on changing all of the passwords on all of the hosts, routers and switches.

Sure. But as I can guess, you were running some type of *nix? Did you apply all the system patches, rid your system of SUID, shut down services that were not required? In fact, did your team discover how the hacker entered your site, and if so, was the point of entry documented anywhere in the security domain? If not, then you may be entitled to your hyper costs; if not, then why wasn't someone in charge of maintaining a security archive, constantly updating the system with patches and configurations and monitoring the situation?

> The teams then returned to their assignments.

I take it these were not necessarily security personnel?

> The "forensic" team determined which files had been accessed and which files had been modified. Since the hacker deleted all of the log files, various scripts and programs were written to scavenge the raw disk devices to recover as much of the logs as possible. They were surprisingly successful -- recovering all but about 40 minutes of the log files. By using this information, the method used to compromise the host was determined with reasonable certainty, as was information sufficient to allow the hacker's ISP to take steps to preserve the logs from their dial-up server so they will be available for the appropriate legal response. When the "restoration" team was ready, they deleted the suspected CGIs before connecting the host back up to the net.

OK, were these CGIs from a vendor or not? If they are, why not prosecute the vendor too? Isn't it about time that vendors proclaiming that their software is secure be sued if they are found not to be? Surely this is against some trade description act? All too often the disclaimer is written into the software license.

> In retrospect, I consider our response to be appropriate and efficient. The only thing I will do different next time is that I will have a written plan to start with :)

That's my point. And yes, you have done the right thing. But what I am more concerned with is if the hacker downloaded some files, to which you may attach a huge monetary value. E.g. the E911 case with Blue Lighting, Kevin Mitnick... In fact, is breaking into a system as bad as murder? To what extent is computer crime on par with?

> The cost estimate I presented does not include any of the changes we've made to improve the security of the site beyond the cost to identify the offending CGI's and delete them -- no "superficial" software or hardware used to inflate the cost of the intrusion.

Let's just assume the breach had not occurred. Would your site be just as secure as it was after the breach? You are adding the development costs of increasing security into the cost of the break-in. In my view, the search for the offending CGIs should have been occurring anyway; if the CGIs were written in house, this is more the case. Assumption: one's site is always insecure. It's like a team developing software: if bugs are found, it's to be expected. If you place a site on the Internet, I would happily expect some attempt at the site, and would advocate that to the project team. I think your policy has been good so far in calculating possible costs, but how aware was your management team about

> Actually, I am surprised the cost of the intrusion was so low. I'm curious why you don't consider the cost of identifying and eliminating a security hole the "fault of the hacker?"

Because the site should be continuously updated and looked at for security. Not just for hackers but also for customer reassurance... It isn't just hackers who hack: industrial espionage, spies, etc. etc. Let's not mix the hacker with the hardcore people belonging to the CIA et al who may spy on other systems belonging to other countries! That's what the vendors would like you to believe. "Everyone, your site is at risk, come and buy our firewall, it will protect you... hackers are evil" ;-)

> Your house break-in analogy is unrealistic -- at best an insurance policy pays replacement costs, not the cost to turn your house into Fort Knox.

Exactly, so why would a company place into the costs of a break-in the cost of beefing up security measures, which are often incorporated into such costs!

> Your Rolex analogy does not hold water either -- just because I leave my watch within your reach does not give you the right to take it from me, it just deprives me of the expectation of sympathy from my peers.

Too true, but the expectation of what is going to happen is known by everyone, and this is not the case when people set up a site on the Internet. Sure, we would love to live in a Utopia where there is no crime, no political mess-ups et al, but we don't. Just like placing your watch in the open, placing your site in the open is exposing your system to attacks.

> Me thinks your allegiance shows when you bring up Kevin Mitnick. Where did that come from? Nobody's trying to hang this on him :)

No, but it's a prime example of how corporations are applying huge costs to bring about a conviction when in fact these costs are superficial! Why is there so much injustice? OK, I am not saying Mitnick shouldn't be punished, but is he being treated fairly? Are we now saying that all hackers are criminals? I think not.

> Let's get down to business. Since you seem to like physical analogies, how about this one: One morning, one of your store managers arrives to find the window display inside the store "hacked" with "Free Kevin" stickers. Is he going to remove the stickers and hope that it doesn't happen again? Not if he values his job. Having every entrance to the building examined, interviewing the janitorial staff and having the stickers dusted for prints all sound like responsible actions. How about taking inventory and examining stock for tampering?

Yes, I would agree. But when the shopkeeper finds that all that has happened is that the offender had just broken in via a door, he would make an insurance claim to fix the door (maybe). He then wouldn't add the cost of taking the stickers down, the cost to the shop (even though it was closed, it could have served customers), or the additional loss of revenue that occurred due to NEW customers not wanting to go into the shop. Would the shopkeeper just report it to the police and be done with it? If he/she had the mentality of some online admins, they would sue the offender for lost revenues caused by the stickers harassing the customers who would never be in the shop because it was closed. What if the offender took the sign from the shop containing the opening times? Would you put a value of millions on it? In fact, you would not bother claiming it on the insurance, you would just buy another. In fact, if the offender had used a door which had been left open, would the insurance pay up? Would the police investigate? After all, there are no signs of a break-in. Just think of a hacker who did target your machine, entered it, and left, everything remaining the same. Would you have grounds to prosecute? Would you? Or would you be more likely to discuss the break-in with the hacker, who may wish to share your weaknesses with you?

> So who is responsible for the cost of these actions?

Insurance company ;-)

> These costs can get huge. Imagine that instead of pushing boxes your stores sold aspirin. Every bottle is now suspect and must be examined. A paranoid manager may decide to pull all stock and have it destroyed rather than risk the exposure.

One can appreciate the extent to which a security breach must be flushed. And I am with you that vital resources must be pooled together. But if you relied upon the security measures that other vendors provided you, you should sue them. If I bought secure-telnet software and used it to telnet places, and as a result a sniffer trapped my pwd/uid, should I not be entitled to sue the vendor?

> Your claim that "It is often the case that figures of such are made up to bring about a prosecution" needs to be substantiated.

Kevin Mitnick, the case against Blue Lightening; in fact every case in which a hacker has been tried.

> I would counter that I believe the prosecution would err on the conservative side rather than risk having the case tossed out of court or being hit with something like "filing a fraudulent action" or "malicious prosecution."

Funny that, but if you follow the Mitnick saga you would just wonder what injustices are happening. In fact, go take a look now... http://www.kevinmitnick.com/home.html

It's all too often that the legal side doesn't understand the technology side and vice versa. What is needed is some collaboration. If you talked to a security legal expert and asked them about inodes, how many really know? How many really know about timestamps, about passwords? At the moment there is a knee-jerk reaction to hackers because of the fictitious lies that Markoff and others have made. Yes, I agree punishment for those who hacked into a system and destroyed, copied et al should occur, but it must be balanced with what is legal and what is an infringement of civil rights. By all means companies should be compensated, but fairly. It's the old story of trying to claim more from the insurance company than what was really stolen or damaged. I am not against the huge fees and costs of hiring consultants et al for fixing the problem, but the huge costs associated with the software/files that are downloaded.

I wouldn't feel sorry if Microsoft kept NT5 on a machine on the Internet without it being protected and it was stolen. That's stupidity. The underlying point to be made is, if your online site hasn't got at least a correctly configured firewall, then you are definitely looking to be hit. Why not just leave the doors open to your car?

Just my opinion. ;-)

Richard Scott
(I.S.) E-Commerce Team
* Tel: 001-(612)-995-5432
* Fax: 001-(612)-947-2005
* Best Buy World Headquarters
7075 Flying Cloud Drive
Eden Prairie, MN 55344 USA
This '|' is not a pipe
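The log recovery sedwards describes (carving syslog lines out of the raw disk after the attacker deleted the log files, then measuring how much time is still missing) can be sketched as below. This is an added example, not code from the thread or from either poster; the disk image bytes are constructed, and the year is an assumption because syslog timestamps omit it.

```python
import re
from datetime import datetime, timedelta

# Classic syslog line: "Mon dd HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    rb"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) "
    rb"[ \d]\d \d\d:\d\d:\d\d \S+ [^\n]{1,1024}")

def carve_syslog_lines(raw: bytes) -> list:
    """Scan raw disk bytes for syslog-shaped lines. A deleted log's blocks
    are still on disk, so its lines turn up between unrelated data; an
    identical line (live copy plus deleted copy) is kept only once."""
    seen, lines = set(), []
    for m in SYSLOG_RE.finditer(raw):
        line = m.group(0).decode("ascii", "replace")
        if line not in seen:
            seen.add(line)
            lines.append(line)
    return lines

def parse_timestamp(line: str, year: int) -> datetime:
    # Syslog omits the year; the examiner supplies it (assumed 1999 below).
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def find_gaps(lines: list, year: int, min_gap=timedelta(minutes=30)) -> list:
    """Order the recovered lines by time and return (start, end, length)
    for every hole longer than min_gap: the stretches the carve missed."""
    times = sorted(parse_timestamp(l, year) for l in lines)
    return [(a, b, b - a) for a, b in zip(times, times[1:]) if b - a >= min_gap]

# Constructed sample image: blocks of a deleted syslog sitting between
# unrelated binary data, with a 45-minute hole in the middle.
SAMPLE_IMAGE = (
    b"\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00"
    b"May  1 14:02:11 www sshd[412]: connect from 10.0.0.5\n"
    b"May  1 14:03:40 www httpd[300]: GET /cgi-bin/guestbook.cgi HTTP/1.0\n"
    b"\xff\xfe\x00\x00junk\x00\n"
    b"May  1 14:49:02 www su[511]: web to root on /dev/pts/2\n"
    b"May  1 14:50:15 www syslogd: exiting on signal 15\n"
    b"\x00\x00\x00\x00"
)

if __name__ == "__main__":
    recovered = carve_syslog_lines(SAMPLE_IMAGE)
    print(f"recovered {len(recovered)} log lines")
    for start, end, length in find_gaps(recovered, 1999):
        print(f"no log lines between {start:%H:%M:%S} and {end:%H:%M:%S} ({length})")
```

On a real case the same functions run over a dd image of the pulled drive opened read-only; a gap report like the one above is what tells the team which window (here 45 minutes) the carve did not bring back.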