Re: Microsoft "solves" hacking mystery

[InfoSec News <isn () c4i org>]

Forwarded from: H C <keydet89 () yahoo com>
Cc: dittrich () cac washington edu, thor () hammerofgod com


> This is one of the poorest of administration and security practices,
> yet people continually think this is perfectly OK to do

Agreed.  I've seen this done in data centers when setting up
customer's web hosted systems.  This, and allowing the Anonymous user
to have write-access to the drive via FTP.  And I'm not talking a home
user setting up a system...I'm talking MCSE+I's setting up systems for
a web hosting product.

> The fact that Windows 2000 and NT ALLOW THIS BY DEFAULT is the
> problem (Windows XP does not).

I would agree that it is A problem, but I think the real problem is
simply lack of knowledge/laziness on the part of those who install
these systems.
 
> but they didn't know the details because "wipe/reinstall" is the
> de-facto method of choice for incident response, which is a very
> poor way to go.  No data to analyze means no conclusions (and repeat
> problems, I can guarantee it.)

You're absolutely right.  There are a couple of quick things that can
be done on Windows systems (NT/2K/XP) to determine if there is even an
incident at all...simply watching the lists shows that there's a lot
of activity from the os and applications that admins and users first
suspect is malware-related.  Remember, there were many Win2K systems
that got infected w/ CR/Nimda, and the owners didn't even realize they
had IIS installed.

> Host and network level forensics (even the most basic) do take some
> time, but is the best way to get to the bottom of things.

I recently had an article published on SF that may be of assistance:

http://online.securityfocus.com/infocus/1624

Also, I teach a course in Win2K "live" forensics...we take a look at
how systems are broken into, how to prevent it, what to look for, and
how to handle incidents.

I'm also developing my own home-grown project, a forensics server.  
It's mostly completed, and I've got one or two clients finished (all
very pre-beta).  The basic idea is to provide a CD to the first
responder with the clients...she pops the CD into the "victim" system,
and runs the configuration, and then the tools.  The information is
sent off of the "victim" system via a socket, similar to
netcat...except that the server not only stores the data, but also
documents all activity.  The client for copying files simply requires
that the first responder select the files they want copied...the
client handles collection of data (MAC times, hashes, etc), copying of
the file to the server, and the server handles documentation,
including hash verification.

I'll admit that this project is slow in development, but that's mostly
b/c (as usual) things that pay the bills take precedence...and there
doesn't seem to be a whole lot of interest in such a thing right now.

I'm planning on releasing this as open source, GPL'd...the tools are
all written in Perl, so the server and clients can be used on or
written for other platforms.

Carv


__________________________________________________
Yahoo! - We Remember
9-11: A tribute to the more than 3,000 lives lost
http://dir.remember.yahoo.com/tribute



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.