Full Disclosure mailing list archives
Re: How we caught an Identity Thief
From: Valdis.Kletnieks () vt edu
Date: Mon, 20 Feb 2006 11:15:24 -0500
On Mon, 20 Feb 2006 09:15:12 EST, Babak Pasdar said:

> 1. I had to get back to our office from the client site over an hour away :) Laws of physics to New York City traffic apply no matter what.

Definite lack of resources there. You *really* want to be at least 2 or 3 deep at the "first responder" position. What if you had 5 minutes before gotten on a plane headed for Los Angeles, and thus basically unreachable for the next 6 hours?

> 2. The client or a security company's network are not the best source for scanning and investigation activities. Lest you have someone who looks for these early signs of the investigation. Scans have to be alternately sourced.

Again, a security company that doesn't plan ahead for this and have a few AOL or NetZero accounts already set up indicates a security company that needs to get ahead of the learning curve.

> 3. Running a few commands by no means is an indication of a fully packaged and verified set of information. A forensics case has to be started fully documenting all actions and times for possible future reference in legal proceedings. Rushing through something like this and not following procedure is the first step in being caught with your pants down later.

Again, this should not add "hours". If you have procedure in place, it shouldn't add much more than 30-45 *seconds* to each command. And if you're really smart, you have all the initial queries in a script, and only need to document that you ran the script....
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
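The point Valdis makes above, that initial triage queries belong in a script whose execution is what gets documented, is easy to put into practice. The following POSIX shell wrapper is an added illustration written for this archive page; it is not code from the thread or from either poster. It assumes a writable case directory, `sha256sum` or `shasum`, and a POSIX `sh`. Every query is run through `run_logged`, which records the UTC timestamp, the operator and host, the exact command line, its exit status and a SHA-256 of the captured output in a single append-only log, so the responder only has to note that the script ran.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal "documented command" wrapper for
# first-responder triage. Assumptions: POSIX sh, a writable CASE_DIR, and either
# sha256sum or shasum on the PATH.

CASE_DIR="${CASE_DIR:-./case-$(date -u +%Y%m%dT%H%M%SZ)}"

# Hash a file, preferring coreutils sha256sum but falling back to perl shasum.
digest_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Create the case directory and open the action log with a header line
# identifying who opened the case and when (UTC, so timelines merge cleanly).
case_init() {
    mkdir -p "$CASE_DIR/output"
    log="$CASE_DIR/actions.log"
    [ -f "$log" ] || printf '# case log opened %s by %s@%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" "$(uname -n)" >> "$log"
}

# run_logged <label> <command> [args...]
# Runs the command, saves stdout+stderr to output/<seq>-<label>.txt and appends
# one tab-separated record to actions.log. Returns the command's own exit status
# so a failing query is visible in the log rather than silently skipped.
run_logged() {
    label="$1"; shift
    seq=$(( $(wc -l < "$CASE_DIR/actions.log") ))      # header counts as line 0
    out="$CASE_DIR/output/$(printf '%03d' "$seq")-$label.txt"
    start=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    "$@" > "$out" 2>&1
    status=$?
    printf '%s\t%s@%s\t%s\t%s\tstatus=%s\tsha256=%s\n' \
        "$start" "$(id -un)" "$(uname -n)" "$label" "$*" "$status" \
        "$(digest_of "$out")" >> "$CASE_DIR/actions.log"
    return "$status"
}

# Re-hash every stored output and confirm the log still vouches for it, which
# catches truncated or edited evidence files before anyone relies on them.
case_verify() {
    rc=0
    for f in "$CASE_DIR"/output/*; do
        [ -f "$f" ] || continue
        grep -q "sha256=$(digest_of "$f")" "$CASE_DIR/actions.log" \
            || { echo "no matching log entry for $f" >&2; rc=1; }
    done
    return "$rc"
}

# Typical triage run: each query becomes one logged, hashed artifact.
# case_init
# run_logged whoami  id
# run_logged date    date -u
# run_logged netstat netstat -an
# case_verify
```

Keep `actions.log` and `output/` on media that the investigation can hash and hand over later; the log line plus the stored output is the "what I ran, when, and what came back" record that the legal side asks for, and regenerating it costs a second per command rather than hours.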
Current thread:
- How we caught an Identity Thief Babak Pasdar (Feb 20)
- Re: How we caught an Identity Thief Barrie Dempster (Feb 20)
- Re: How we caught an Identity Thief Babak Pasdar (Feb 20)
- Re: How we caught an Identity Thief Barrie Dempster (Feb 20)
- Re: How we caught an Identity Thief Babak Pasdar (Feb 20)
- Re: How we caught an Identity Thief Valdis . Kletnieks (Feb 20)
- Re: How we caught an Identity Thief Babak Pasdar (Feb 20)
- Re: How we caught an Identity Thief Valdis . Kletnieks (Feb 20)
- Re: How we caught an Identity Thief Babak Pasdar (Feb 20)
- Re: How we caught an Identity Thief Barrie Dempster (Feb 20)