Re: compromised network - followups - yuppers - ids

From: Alvin Oga (
Date: 01/04/04

  • Next message: Jimi Thompson: "Re: home wireless router good practices for security"
    To: (Harlan Carvey)
    Date: Sun, 4 Jan 2004 14:57:55 -0800 (PST)

    hi ya harlan

    > Collecting data is trivial...understanding what that
    > data is telling you is another matter entirely. Sure,


    > > - but if you keep looking and want to learn, you will
    > > figure it out over years of studying the
    > > traffic/data
    > Over years? The original poster is sniffing from an
    > incident that has already happened. To me, it sounds
    > more as if he's sniffing b/c he heard someone say he
    > should, not b/c he's looking for anything in
    > particular.


    and even experienced folks might not know that "this pattern"
    is abnormal ... and won't know what is abnormal till you
    look at it ... some stuff is obvious :-)

    > I would agree. Too many times, it's a matter of "I
    > don't know exactly what this traffic is doing, so it
    > must be bad". Speculation serves no useful purpose
    > when investigating an incident, or troubleshooting a
    > network issue.

    > text of the law...very interesting. It states that if
    > the personal data is compromised, the company must
    > disclose this fact...unless the data was encrypted.
    > However, there is no detailed specification of
    > "encrypted"...ROT-13, bit-shift left? Ouch!

    and i bet some folks probably have it rot-13'd :-)

    > Also, consider many organizations can
    > detect a compromise? Acxiom and other places holding

    am guessing maybe 5% ??? donno ..

    and that's after detecting the problems ... what to do
    about it is another ball game

    > personal information on consumers "detected" their
    > compromises when the bad guy bragged...not b/c of
    > their own internal processes. So imagine if someone
    > took that same data, but instead of telling everyone
    > about it, used it in a very limited way, over time?

    that is the typical scenario ... including
    the detection of the intruder ... they sleep for a bit
    before they do anything ... to make sure the "coast is clear"
    or gather enough boxes for a ddos or whatever their plan was
            - i've seen sleepers in machines from 30-60 days
            ago ... the original breakins .. before they
            inadvertently stepped on an ids trigger

    c ya

