Re: compromised network
From: Jason Coombs (jasonc_at_science.org)
Date: 12/30/03
- Previous message: Steve: "home wireless router good practices for security"
- In reply to: erisk: "Re: compromised network"
- Next in thread: Meritt James: "Re: compromised network"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 30 Dec 2003 08:39:38 -1000
To: erisk <erisk@iinet.net.au>
Aloha, Dana, et al:
Image and sniff all you want; if you don't know what the vulnerability
was that the intruder exploited to get in, then how do you expect to be
"secure" once you've finished reformatting and restoring everything?
If you weren't capturing all data on your network during the attack, and
if you haven't analyzed the capture and/or pinpointed the vulnerability
that was exploited, then just assume you're going to be owned again and
go back to whatever it is that you do in between scheduled emergencies.
Without full disclosure there can be no security.
Sincerely,
Jason Coombs
jasonc@science.org
erisk wrote:
> This might throw some flame into the group but I would disagree with most
> people's responses here..
>
> Firstly, do you have a formalised incident response plan? If so, follow that to
> the letter.. Secondly you should, for legal reasons, contact a forensic
> specialist to image the hard drives, capture packets etc, before wiping all
> your data, and consult him for further advice (if your company has the
> budget). After this has all been done, then follow standard hardening
> procedures...
>
>
> ----- Original Message -----
> From: "Glenn Pearl" <glennp@datasync.com>
> To: "'Dana Rawson'" <absolutezero273c@nzoomail.com>;
> <security-basics@securityfocus.com>
> Sent: Tuesday, December 30, 2003 2:10 AM
> Subject: RE: compromised network
>
>
>
>>The only way to really know that your systems are clean is to start over
>>- reformat the hard drives, reinstall apps securely and restore data
>>from backup. Do not allow any access to the boxes until you have
>>completely locked them down.
>>
>>I am in the process of teaching myself these very steps. I'm using
>>Windows 2000 and IIS 5, and working with the NSA Windows 2000 security
>>guides and policy templates in combination with Stefan Norberg's
>>"Securing Windows NT/2000 Servers for the Internet" (O'Reilly) and tons
>>of notes courtesy these Security Focus lists (thanks, everybody!) and
>>articles and Google. I'm also learning how to use scanning tools and
>>IDS such as nmap, nessus, snort, etc.
>>
>>Legal action - I'm sure there are others on this list who are far more
>>helpful than I at answering that one. Personally, I wouldn't waste any
>>time with it or tracking the intruders via ethereal, and instead focus
>>on lessening the chance of such compromises in the future. Search the
>>list archives and GooGroups for info on firewalls, proxies, IDS...
>>
>>Glenn Pearl
>>
>>
>>>-----Original Message-----
>>>From: Dana Rawson [mailto:absolutezero273c@nzoomail.com]
>>>Sent: Friday, December 26, 2003 1:22 PM
>>>To: security-basics@securityfocus.com
>>>Subject: compromised network
>>>