Re: compromised network - followups - yuppers - ids
From: Alvin Oga (alvin.sec_at_Virtual.Linux-Consulting.com)
Date: 01/04/04
- Previous message: Alvin Oga: "Re: compromised network - followups - yuppers"
- In reply to: Harlan Carvey: "Re: compromised network - followups - yuppers"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: keydet89@yahoo.com (Harlan Carvey)
Date: Sun, 4 Jan 2004 14:57:55 -0800 (PST)
hi ya harlan
> Collecting data is trivial...understanding what that
> data is telling you is another matter entirely. Sure,
yuppers...
> > - but if you keep looking and want to learn, you will
> > figure it out over years of studying the
> > traffic/data
>
> Over years? The original poster is sniffing from an
> incident that has already happened. To me, it sounds
> more as if he's sniffing b/c he heard someone say he
> should, not b/c he's looking for anything in
> particular.
yupper..
and even experienced folks might not know that "this pattern"
is abnormal ... and won't know what is abnormal till you
look at it ... some stuff is obvious :-)
>
> I would agree. Too many times, it's a matter of "I
> don't know exactly what this traffic is doing, so it
> must be bad". Speculation serves no useful purpose
> when investigating an incident, or troubleshooting a
> network issue.
yuppers
> text of the law...very interesting. It states that if
> the personal data is compromised, the company must
> disclose this fact...unless the data was encrypted.
> However, there is no detailed specification of
> "encrypted"...ROT-13, bit-shift left? Ouch!
and i bet some folks probably have it rot-13'd :-)
> Also, consider this...how many organizations can
> detect a compromise? Acxiom and other places holding
am guessing maybe 5% ??? dunno ..
and then after detecting the problems ... what to do
about it is another ball game
> personal information on consumers "detected" their
> compromises when the bad guy bragged...not b/c of
> their own internal processes. So imagine if someone
> took that same data, but instead of telling everyone
> about it, used it in a very limited way, over time?
that is the typical scenario ... including
the detection of the intruder ... they sleep for a bit
before they do anything ... to make sure the "coast is clear"
or gather enough boxes for a ddos or whatever their plan was
- i've seen sleepers in machines from 30-60 days
ago ... the original breakins .. before they
inadvertently stepped on an ids trigger
c ya
alvin
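The thread makes two points a practitioner can act on: you cannot call a traffic pattern abnormal until you have looked at what is normal for that host, and a compromised box may sit quietly for weeks before it does something an IDS notices. The block below is an added example, not code from either poster: it learns a per-host baseline (which destination/port pairs and which hours of the day each source uses) from the first part of a capture, then flags later flows that break that baseline and reports how long the host had been quiet. The flow records, hosts, the 30-day learning window and the field layout are all constructed assumptions for this illustration, not real captured traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records for this example (not real traffic):
# "YYYY-MM-DD HH:MM", source host, destination host, destination port.
SAMPLE_FLOWS = [
    ("2004-01-01 09:00", "10.0.0.5", "10.0.0.1", 53),
    ("2004-01-01 09:01", "10.0.0.5", "192.0.2.10", 80),
    ("2004-01-01 09:02", "10.0.0.7", "10.0.0.1", 53),
    ("2004-01-01 09:03", "10.0.0.7", "10.0.0.2", 25),
    ("2004-01-03 14:00", "10.0.0.5", "10.0.0.1", 53),
    ("2004-01-03 14:01", "10.0.0.5", "192.0.2.10", 443),
    ("2004-01-05 11:30", "10.0.0.7", "10.0.0.2", 25),
    ("2004-01-06 10:00", "10.0.0.5", "192.0.2.10", 80),
    # Weeks later 10.0.0.5 opens a destination/port it never used during
    # the learning window, at an hour when it was otherwise silent.
    ("2004-02-14 03:12", "10.0.0.5", "198.51.100.7", 6667),
    ("2004-02-14 03:13", "10.0.0.5", "198.51.100.7", 6667),
    ("2004-02-14 09:00", "10.0.0.5", "192.0.2.10", 80),
    ("2004-02-14 09:30", "10.0.0.7", "10.0.0.2", 25),
]

TIME_FMT = "%Y-%m-%d %H:%M"


def parse_flows(rows):
    """Turn text records into (datetime, src, dst, port) tuples, oldest first."""
    parsed = [(datetime.strptime(ts, TIME_FMT), src, dst, int(port))
              for ts, src, dst, port in rows]
    return sorted(parsed)


def build_baseline(flows, learn_days):
    """Learn, per source host, the (dst, port) pairs and hours of day it used
    during the first learn_days of the capture. Returns (baseline, learn_end)."""
    if not flows:
        return {}, None
    learn_end = flows[0][0] + timedelta(days=learn_days)
    baseline = defaultdict(lambda: {"pairs": set(), "hours": set(), "last_seen": None})
    for ts, src, dst, port in flows:
        if ts >= learn_end:
            break  # flows are sorted, so everything after this is outside the window
        entry = baseline[src]
        entry["pairs"].add((dst, port))
        entry["hours"].add(ts.hour)
        entry["last_seen"] = ts
    return dict(baseline), learn_end


def find_deviations(flows, baseline, learn_end):
    """Report flows after the learning window that do not fit the source host's
    baseline: a never-seen (dst, port) pair, activity at a never-seen hour, or a
    host absent from the baseline entirely. quiet_days is how long the host had
    been silent since its last baseline activity (None if it had none)."""
    findings = []
    for ts, src, dst, port in flows:
        if ts < learn_end:
            continue
        entry = baseline.get(src)
        if entry is None:
            findings.append({"when": ts, "src": src, "dst": dst, "port": port,
                             "reason": "host not in baseline", "quiet_days": None})
            continue
        reasons = []
        if (dst, port) not in entry["pairs"]:
            reasons.append("new destination/port")
        if ts.hour not in entry["hours"]:
            reasons.append("unusual hour")
        if reasons:
            findings.append({"when": ts, "src": src, "dst": dst, "port": port,
                             "reason": ", ".join(reasons),
                             "quiet_days": (ts - entry["last_seen"]).days})
    return findings


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    baseline, learn_end = build_baseline(flows, learn_days=30)
    for f in find_deviations(flows, baseline, learn_end):
        print(f"{f['when']} {f['src']} -> {f['dst']}:{f['port']} "
              f"[{f['reason']}] quiet for {f['quiet_days']} days")
```

A baseline like this only tells you what is new for a host, not that the new thing is hostile; the finding is a reason to go look at the flows, not a verdict. Run against real exports (NetFlow, argus, a pcap reduced to flow tuples) you would want a longer learning window than a few days and a way to retire pairs that stop appearing, but the shape of the check stays the same.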