Security Incidents mailing list archives
Re: Cracked; rootkit - entrapment question?
From: Hal.Lockhart () STORAGENETWORKS COM (Hal Lockhart)
Date: Wed, 15 Mar 2000 11:25:46 -0500
It would be nice if somebody from DOJ or FBI would respond to this. I assume they read this list. (I know they read BUGTRAQ.) At a public meeting in January in Boston (Cambridge actually) a representative of the Boston office of the FBI stated that they had received orders from Washington that for the present (timeframe unspecified) they should not be limited to damages of $5K or more, but were free to investigate any report. I have no idea what the current situation is in light of the DDOS investigation. I understand it has sucked up resources from all over the country. Hal =========================================================== Harold W. Lockhart Jr. StorageNetworks, Inc. Voice: 781-434-6741 100 Fifth Avenue Fax: 781-434-6799 Waltham, MA 02451 hal.lockhart () storagenetworks com www.storagenetworks.com ===========================================================
-----Original Message----- From: Seth Georgion [mailto:sysadmin () SASSPRODUCTIONS COM] Sent: Sunday, March 12, 2000 12:41 AM Subject: Re: Cracked; rootkit - entrapment question? I keep reading various news articles that indicate that federal law currently states that the FBI is not allowed to investigate if they believe that the damage is under 5,000 dollars per computer and if they find out, during the course of the investigation, that the damages are less they must stop. I've seen a couple of articles on this on MSNBC, Yahoo and HNN over the past weeks with the DoS happening and all. They seem to all indicate it is part of Title 80 law but if so I ask this to the group then; Why is it that everyone talks about getting the authorities involved when almost all computer crime occurs state to state rather than intrastate? Doesn't a honey pot, by nature, eliminate the damage factor? Maybe all of these articles are completely bogus but I saw a quote from Janet Reno where she was urging the 5,000 dollar rule to be dismissed and most experts will tell you that the FBI will not investigate if the damage is under 10,000. So what's the deal? All I hear about is trapping someone for the authorities and "I always alert the Authorities!" and "It's a wiretap! be careful if you want a conviction!" Is this all a load of crap from people who don't have a clue or are all these stories and quotes BS? By the way our company investigated pursuing damages once, just for kicks, and our legal representatives informed us that damage can only be calculated as loss of critical business and whatever the dollar amount per hour of the employees involved amounts to. This would only include time spent fixing it not time BSing and investigating and stopping work just because you'd like to verify that all 24,000 company computers weren't subject to attack. -----Original Message----- From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On Behalf Of Craig H. Rowland Sent: Thursday, March 09, 2000 8:25 PM To: INCIDENTS () SECURITYFOCUS COM Subject: Re: Cracked; rootkit - entrapment question? Hi Lamont On Fri, 3 Mar 2000 lamont () icopyright com wrote:On Thu, 2 Mar 2000, Craig H. Rowland wrote:If you are facing a serious compromise situation where anattacker hasgained full internal access, and you want to contain andanalyze thedamage, you may wish to deploy a honey pot. For mostcases though I thinkrunning a honey pot on your external border is not a good idea.I've pretty much shared your opinion about honey pots, butone idea I'vebeen toying with recently is deploying "canary" systemsinternally so thatif someone smarter than me does get through the perimeter,if they hit thecanary system it'll alert me. I'd probably use just adefault redhat 6.0install (got enough root holes there to make it east), callit somethingtempting like "cybercash" and then modify sh/bash andcsh/tcsh to e-mail awarning anytime they are run (and turn off cron jobs toeliminate thefalse positives).I know several people who do this, but they generally make the systems hard to crack and just put up a boatload of port monitoring software/sniffers to detect the probes. It seems to be a little more sane than leaving a vulnerable system hanging around. I just get edgy when people want to coax another person into performing a particular type of action. Unfortunately you just can't rule out the attacker doing something to surprise you that falls outside of the planned response that may have been established. Humans have a way of being unpredictable at times (or lucky -- as the case may have it). As I posted in a previous message and on my website, I think putting up honey pots before doing other tangible security measures (filters, patches, etc.) is just not a good plan of attack. Besides giving an attacker a potential toe-hold onto your network, you provide the positive feedback necessary to encourage them into looking further. The one key item I've found that differentiates a successful attacker from an unsuccessful one is time. The shorter amount of time you give an attacker to look/poke/prod your network the less chance they have to find success. Unfortunately, leaving a vulnerable system around affords an attacker more time. Not a good thing -- IMHO. -- Craig
Current thread:
- Re: Cracked; rootkit - entrapment question?, (continued)
- Re: Cracked; rootkit - entrapment question? Seth Georgion (Mar 11)
- Re: Cracked; rootkit - entrapment question? Lison, Nathan (Mar 02)
- Re: Cracked; rootkit - entrapment question? Adam Pendleton (Mar 02)
- Re: Cracked; rootkit - entrapment question? Jason Lewis (Mar 02)
- Re: Cracked; rootkit - entrapment question? Roy Wilson (Mar 02)
- Re: Cracked; rootkit - entrapment question? Filip M. Gieszczykiewicz (Mar 03)
- Re: Cracked; rootkit - entrapment question? Chuck Phillips (Mar 03)
- Re: Cracked; rootkit - entrapment question? Chuck Phillips (Mar 03)
- Re: Cracked; rootkit - entrapment question? Lison, Nathan (Mar 03)
- Re: Cracked; rootkit - entrapment question? Chuck Phillips (Mar 04)
- Re: Cracked; rootkit - entrapment question? Hal Lockhart (Mar 15)
- Re: Cracked; rootkit - entrapment question? Bob (Mar 15)
- Re: Cracked; rootkit - entrapment question? CL: Nelson, Jeff (Mar 15)
- Re: Cracked; rootkit - entrapment question? Jon Lewis (Mar 16)
- Re: Cracked; rootkit - entrapment question? Michael Stone (Mar 17)
- Re: Cracked; rootkit - entrapment question? Robert G. Ferrell (Mar 15)
- Re: Cracked; rootkit - entrapment question? Eric the Fruitbat (Mar 17)
- Re: Cracked; rootkit - entrapment question? David Pick (Mar 20)
- Re: Cracked; rootkit - entrapment question? David Brumley (Mar 17)
- Re: Cracked; rootkit - entrapment question? Eric the Fruitbat (Mar 17)