Security Incidents mailing list archives

RE: maybe a simple problem


From: "Brooke, O'neil (EXP)" <o'neil.brooke () lmco com>
Date: Wed, 02 Oct 2002 16:17:37 -0400

Hi Andrew, 

        If your client is involved in activity that makes him a target for
malicious activity he should do much more than run netstat. Remote Access
Trojans (RATs) do not necessarily cause any disruption to the workstation
if the remote attacker is at all careful. 

        If people are specifically targeting him, they can and probably
will get malicious code installed on his machine. Get this man professional
help ASAP! 

        An evaluation of his work flow should be done so that critical
functions/information are not vulnerable to compromise. This means moving
critical documents and contracts to a computer that is not networked. If
these attackers were to gain access to NegotiatingPoints.doc before the
meeting on Friday, could that information be used to his disadvantage? If so,
why is he composing NegotiatingPoints.doc on a platform that can be
compromised? Let him work with this critical information on a standalone
host and then copy it over to the email system by floppy/zip/cd/jazz when
necessary. While this level of protection may not be justifiable in normal
circumstances, if he suspects malicious activity, it may be justifiable for
now. Think like the attacker for a minute: read one of his emails, find out
what version of Outlook he has, identify bugs or exploits to it, send him a
custom crafted message to exploit the bug and install malicious code. 

        He should also get professional help in evaluating the security of
his corporate environment. Are things properly firewalled? Does IT have a
proven disaster recovery plan in effect? What would happen if these people
were to take out some central servers? Could that be used to place him in a
weak position during negotiations? Are there intrusion detection systems
around so that he will know if someone is attacking him? Does he have
contacts with any forensic investigators so that he can launch a proper
investigation that may result in legal action if malicious activity is
detected? Or will his IT shop botch the investigation?

        In this case I really think he should get the forensic investigators
onboard with some sort of a service agreement, i.e. they will provide services if
required within X hours of incident detection. Then make this agreement
publicly known. While it does not provide much in the way of proactive
security, it will serve as a deterrent if the hostile parties become aware of
it. This follows The Art of War: "Win the war by destroying your opponent's
will to fight." If he has professional forensic investigators onboard, they
will not want to risk computer hacking charges.

Good luck, 

O'Neil.

-----Original Message-----
From: Andrew Fison [mailto:afison () brit-tex net]
Sent: October 2, 2002 5:37 AM
To: incidents () securityfocus com
Subject: maybe a simple problem


I have a client who believes that their Win98 PC has been hacked with some
remote control software. They are pretty vague and not close by, so I cannot
look at the machine all the time. I asked them to do netstat when they think
they are being spied on, but as yet they have not given me anything useful.

I think there is reason to believe them, as the owner is involved in a hostile
boardroom takeover of his company by some other entities. Whilst this is
legal, they have used other underhand methods against my customer before, and
they are trying to force him to sign over the business to them a little too
swiftly.

This all started when his wife was using the PC and a telescope came on the
screen and then disappeared. Since then the machine crashes, documents
pertaining to the business have gone missing, etc. Any clues to what this
telescope could be?

yours

andrew



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
