Firewall Wizards mailing list archives

RE: OK, I've been hacked, now what?


From: "Scott, Richard" <Richard.Scott () bestbuy com>
Date: Wed, 5 May 1999 13:25:50 -0500


Where shall I begin ;-)

sedwards () sedwards com stated:

        I must admit, I was so taken aback by your response I had to check
to see
        if the domain "bestbuy.com" was the "technology and entertainment
        products" retailer or some random ISP :)

        I consider any kind of security breach to be a serious incident.

        I would be very surprised if Best Buy would consider

                "cp original.html index.html"

        to be the appropriate response to having their e-commerce web page
hacked.

        Well, I cannot comment for Best Buy, but if someone's hack was just
that, I wouldn't make up huge expensive costs.


        Well, one would assume that a) if the site is used for e-commerce, a
firewall would have been properly set up along with relevant security
policies; b) the site, when defaced, is up and running first; c) recovering
info on the break-in.
        Let me state first that, by all means, if your site is online and you
have no security policy, what on earth are you doing?

        As you mentioned above cp'ing the files isn't the end all of things.


        Since you state you were not aware of the facts of the hacking
incident,
        I'll repeat a few of the key points...

        This (like your employer's site) is a revenue producing site with
online
        credit card processing. 

        Let's make this clear: is there any site doing e-commerce that is
making money? Amazon.com isn't, Cdnow isn't; they are all battling for market
share! ;-)

        This is one host in a network of about 30 Sun,
        SGI, Intel and Alpha hosts serving about a thousand domains.

        When the hack was discovered, we notified senior corporate
management. We
        then physically disconnected the host from the net and called all
        available admins into the office (the hack occurred on a Saturday).

        Hmm, how many firewalls had you set up? Were you using encrypted
connections, VPNs, PPTP? Screening routers?

        We then mapped out our response. We turned off (not shutdown) the
host and
        pulled the drives out of the host. We divided the available staff
into two
        teams -- the "restoration" team to restore the site and the
"forensic"
        team to determine the "depth" of the breach.

        The "forensic" team installed the drives in a host that had not been
put
        into production yet. The drives were mounted read only to preserve
the
        "evidence."

        When the "forensic" team determined that the hacker had obtained a
root
        shell and had tweaked the password file, all resources were focused
on
        changing all of the passwords on all of the hosts, routers and
switches.

        Sure.  But as I can guess, you were running some type of *nix?  Did
you apply all the system patches, rid your system of SUID, and shut down
services that were not required?

        In fact, did your team discover how the hacker entered your site, and
if so, was the point of entry documented anywhere in the security domain?  If
not, then you may be entitled to your hyper costs; if so, then why wasn't
someone in charge of maintaining a security archive, constantly updating the
system with patches and configurations, and monitoring the situation?

        The teams then returned to their assignments.

        I take it these were not necessarily security personnel?

        The "forensic" team determined which files had been accessed and
which
        files had been modified. Since the hacker deleted all of the log
files,
        various scripts and programs were written to scavenge the raw disk
devices
        to recover as much of the logs as possible. They were surprisingly
        successful -- recovering all but about 40 minutes of the log files.

        By using this information, the method used to compromise the host
was
        determined with reasonable certainty as was information sufficient
to
        allow the hacker's ISP to take steps to preserve the logs from their
        dial-up server so they will be available for the appropriate legal
        response.

        When the "restoration" team was ready, they deleted the suspected
CGI's
        before connecting the host back up to the net.

        OK, were these CGI's from a vendor or not?  If they are, why not
prosecute the vendor too?  Isn't it about time that vendors proclaiming that
their software is secure be sued if it is found not to be?  Surely this
is against some trade description act?  All too often the disclaimer is
written into the software license.

        In retrospect, I consider our response to be appropriate and
efficient.
        The only thing I will do different next time is that I will have a
written
        plan to start with :)

        That's my point.  And yes, you have done the right thing.  But what I
am more concerned with is if the hacker downloaded some files to which you
may attach a huge monetary value, e.g. the E911 case with Blue Lightning,
Kevin Mitnick...
        In fact, is breaking into a system as bad as murder?

        To what extent is computer crime on par with it?

        The cost estimate I presented does not include any of the changes
we've
        made to improve the security of the site beyond the cost to identify
the
        offending CGI's and delete them -- no "superficial" software or
hardware
        used to inflate the cost of the intrusion.

        Let's just assume the breach had not occurred.  Would your site be
just as secure as it was after the breach?
        You are adding the development costs of increasing security into the
cost of the break-in.  In my view, the search for the offending CGI's should
have been occurring anyway; if the CGI's were written in-house this is all the
more the case.
        Assumption:  One's site is always insecure.
        It's like a team developing software: if bugs are found it's to be
expected.  If you place a site on the Internet, I would fully expect some
attempt at the site, and would advocate that to the project team.
        I think your policy has been good so far in calculating possible
costs, but how aware was your management team about


        Actually, I am surprised the cost of the intrusion was so low.

        I'm curious why you don't consider the cost of identifying and
eliminating
        a security hole the "fault of the hacker?"

        Because the site should be continuously updated and looked at for
security.  Not just for hackers but also for customer reassurance... It
isn't just hackers who hack: industrial espionage, spies, etc., etc.  Let's not
mix the hacker with the hardcore people belonging to the CIA et al. who may
spy on other systems belonging to other countries!

        That's what the vendors would like you to believe.  "Everyone's
site is at risk, come and buy our firewall, it will protect you... hackers are
evil" ;-)

        Your house break-in analogy is unrealistic -- at best an insurance
policy
        pays replacement costs, not the cost to turn your house into Fort
Knox.

        Exactly, so why would a company include in the costs of a break-in the
cost of beefing up security measures, which are so often incorporated into
such costs!


        Your Rolex analogy does not hold water either -- just because I
leave my
        watch within your reach does not give you the right to take it from
me, it
        just deprives me of the expectation of sympathy from my peers.

        Too true, but the expectation of what is going to happen is known
by everyone, and this is not the case when people set up a site on the
Internet.  Sure, we would love to live in a Utopia where there is no crime,
no political mess-ups et al., but we don't.  Just like placing your watch in
the open, placing your site in the open is leaving your system open to
attacks.

        Me thinks your allegiance shows when you bring up Kevin Mitnick.
Where did
        that come from? Nobody's trying to hang this on him :)

        No, but it's a prime example of how corporations are applying huge
costs to bring about a conviction when in fact these costs are superficial!
Why is there so much injustice?  OK, I am not saying Mitnick shouldn't be
punished, but is he being treated fairly?
        Are we now saying that all hackers are criminals?  I think not.
Let's get down to business.


        Since you seem to like physical analogies, how about this one:

        One morning, one of your store managers arrives to find the window
display
        inside the store "hacked" with "Free Kevin" stickers.

        Is he going to remove the stickers and hope that it doesn't happen
again?
        Not if he values his job. Having every entrance to the building
examined,
        interviewing the janitorial staff and having the stickers dusted for
        prints all sound like responsible actions. How about taking
inventory and
        examining stock for tampering?

        Yes, I would agree.  But when the shopkeeper finds that all that has
happened is that the offender had just broken in via a door, he would make
an insurance claim to fix the door (maybe).  He then wouldn't add the costs of
taking the stickers down, or the cost to the shop of the customers it could
have served even though it was closed, or the additional loss of revenue that
occurred due to NEW customers not wanting to go into the shop.

        Would the shopkeeper just report it to the police and be done with
it?  If he/she had the mentality of some online admins, they would sue the
offender for lost revenues caused by the stickers harassing the customers
who would never have been in the shop because it was closed.

        What if the offender took the sign from the shop containing the
opening times?  Would you put a value of millions on it?  In fact, you would
not bother claiming it on the insurance; you would just buy another.
        In fact, if the offender had used a door which had been left open,
would the insurance pay up?  Would the police investigate, after all there
are no signs of a break-in?

        Just think of a hacker who targeted your machine, entered it, and
left, with everything remaining the same.  Would you have grounds to
prosecute?  Would you?  Or would you be more likely to discuss the break-in
with the hacker, who may wish to share your weaknesses with you?

        So who is responsible for the cost of these actions?
        Insurance company ;-)

        These costs can get huge. Imagine that instead of pushing boxes your
        stores sold aspirin. Every bottle is now suspect and must be
examined. A
        paranoid manager may decide to pull all stock and have it destroyed
rather
        than risk the exposure.

        One can appreciate the extent to which a security breach must be
flushed out.  And I am with you that vital resources must be pooled together.
But if you relied upon the security measures that other vendors provided
you, you should sue them.  If I bought secure-telnet software and used it to
telnet places, and as a result a sniffer trapped my pwd/uid, should I not
be entitled to sue the vendor?
         


        Your claim that "It is often the case that figures of such are made
up to
        bring about a prosecution" needs to be substantiated.

        Kevin Mitnick,
        the case against Blue Lightning,
        in fact every case in which a hacker has been tried.

        I would counter that I believe the prosecution would err on the
        conservative side rather than risk having the case tossed out of
        court or being hit with something like "filing a fraudulent action"
        or "malicious prosecution."

        Funny that, but if you follow the Mitnick saga you would just wonder
what injustices are happening.  In fact, go take a look now...
        http://www.kevinmitnick.com/home.html


        It's all too often that the legal side doesn't understand the
technology side and vice versa.  What is needed is some collaboration.  If
you talked to a security legal expert and asked them about inodes, how many
would really know?
        How many really know about timestamps, about passwords?

        At the moment there is a knee-jerk reaction to hackers because of
the fictitious lies that Markoff and others have made.  Yes, I agree that
punishment for those who hacked into a system and destroyed, copied, et al.
should occur, but it must be balanced with what is legal and what is an
infringement of civil rights.  By all means companies should be compensated,
but fairly.  It's the old story of trying to claim more from the insurance
company than what was really stolen or damaged.


        I am not against the huge fees and costs of hiring consultants et al.
for fixing the problem, but against the huge costs associated with the
software/files that are downloaded.  I wouldn't feel sorry if Microsoft kept
NT5 on a machine on the Internet without it being protected and it was
stolen.  That's stupidity.

        The underlying point to be made is, if your online site hasn't got
at least a correctly configured firewall, then you are definitely looking to
be hit.  Why not just leave the doors of your car open?



        Just my opinion. ;-)

        > Richard Scott 
        > (I.S.) E-Commerce Team
        > * Tel: 001-(612)-995-5432
        > * Fax: 001-(612)-947-2005
        > * Best Buy World Headquarters
        >    7075 Flying Cloud Drive
        >    Eden Prairie, MN 55344 USA
        >    This '|' is not a pipe
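The one step in the incident described above that lends itself to code is the forensic team's recovery of deleted logs by scavenging the raw disk devices. The script below is an added example and is not code from either poster: it carves classic BSD-syslog records ("Mon DD HH:MM:SS host tag[pid]: message") out of a raw disk image, drops exact duplicates (a block that survives twice in slack space), orders the records by timestamp and reports any gap longer than a threshold, which is how one would arrive at a figure like the "all but about 40 minutes" quoted above. The disk image, hostname, addresses and messages are constructed for the example, and the year is passed in by the caller because syslog lines of that era carry none.

```python
"""Carve syslog-style records out of a raw disk image.

Added example, not code from the thread.  Deleted log files often survive
in unallocated blocks and file slack, so scanning the raw device for byte
runs that look like syslog records recovers them without trusting the
(possibly tampered) filesystem metadata.
"""
import re
from datetime import datetime, timedelta

# Classic BSD syslog record.  The day is space-padded ("May  1"), hence
# "[ \d]\d".  The message is limited to printable ASCII so the match stops
# at the newline or at binary filler.
SYSLOG_RE = re.compile(
    rb"(?P<stamp>(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ \d]\d "
    rb"\d\d:\d\d:\d\d) "
    rb"(?P<host>[A-Za-z0-9._-]+) "
    rb"(?P<tag>[A-Za-z0-9_./-]+)(?:\[(?P<pid>\d+)\])?: "
    rb"(?P<msg>[\x20-\x7e]{1,1024})"
)


def carve_syslog(image, year):
    """Return [(datetime, host, tag, message)] for every distinct syslog
    record found anywhere in `image`, sorted by timestamp.  Byte-identical
    records are kept once; `year` is supplied because syslog omits it."""
    seen = set()
    records = []
    for m in SYSLOG_RE.finditer(image):
        raw = m.group(0)
        if raw in seen:
            continue
        seen.add(raw)
        # collapse the padded day ("May  1" -> "May 1") before parsing
        stamp_text = " ".join(m.group("stamp").decode("ascii").split())
        stamp = datetime.strptime(f"{year} {stamp_text}", "%Y %b %d %H:%M:%S")
        records.append((stamp,
                        m.group("host").decode("ascii"),
                        m.group("tag").decode("ascii"),
                        m.group("msg").decode("ascii")))
    records.sort(key=lambda r: r[0])
    return records


def find_gaps(records, min_gap_minutes):
    """Return (start, end) pairs where consecutive recovered records are at
    least `min_gap_minutes` apart: the windows that are still missing."""
    threshold = timedelta(minutes=min_gap_minutes)
    return [(a[0], b[0]) for a, b in zip(records, records[1:])
            if b[0] - a[0] >= threshold]


# Constructed disk image (not real data): records scattered among binary
# filler, out of order, one record present twice, and a hole of about
# 40 minutes between 01:04:55 and 01:45:10.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"May  1 02:10:03 www sshd[1201]: Accepted password for webadm from 10.1.2.3\n"
    + b"\xff\xfe" * 9
    + b"May  1 01:45:10 www in.telnetd[1188]: connect from 192.0.2.77\n"
    + b"May  1 01:45:31 www login[1189]: ROOT LOGIN on ttyp2 from 192.0.2.77\n"
    + b"\x00" * 32 + b"not a log line\n"
    + b"May  1 01:45:31 www login[1189]: ROOT LOGIN on ttyp2 from 192.0.2.77\n"
    + b"May  1 01:04:55 www httpd[1000]: access from 192.0.2.77\n"
    + b"\x00" * 64
)

if __name__ == "__main__":
    recs = carve_syslog(SAMPLE_IMAGE, 1999)
    for stamp, host, tag, msg in recs:
        print(stamp, host, tag, msg)
    for start, end in find_gaps(recs, 30):
        print(f"no records between {start} and {end} ({end - start})")
```

Run it against a raw device or a dd image opened read-only (read the bytes from `/dev/sdX` or the image file and pass them to `carve_syslog`), never against a mounted read-write filesystem, for the same reason the poster mounted the drives read-only. The timestamps come from the compromised host's own clock and an intruder with a root shell can forge or delete lines, so the recovered sequence is a lead, not proof; corroborate it with an independent source such as the ISP dial-up logs the poster arranged to have preserved.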
        


