RE: Computer Forensics is a misnomer Was: How hackers cause damage... was Vulnerabilites in new laws
- From: James Eppolito <JEppolito@xxxxxxxxxxxx>
- Date: Fri, 3 Mar 2006 08:53:02 -0600
This question may be overly simplistic but here goes; Craig Wright wrote,
"(please note computer forensics is a misnomer and grammatically incorrect)"
Why is that?
-----Original Message-----
From: David Gillett [mailto:gillettdavid@xxxxxxxx]
Sent: Monday, February 27, 2006 5:02 PM
To: 'dave'; security-basics@xxxxxxxxxxxxxxxxx
Cc: 'ROB DIXON'
Subject: RE: How hackers cause damage... was Vulnerabilites in new laws on
computer hacking
1) If it's your friend's machine, you should be able to get
authorization from him/her. Do you really know what 153.18.19.33
is? Does knowing what it was yesterday tell you what it is today?
Do you know that it's not monitoring oxygen levels and anaesthetic
flow during surgery? Answers: No.
2) Same answer as above.
As far as "ability to bring down" -- there are legacy boxes out
there which may crash when subjected to fairly simple probe code.
(No, I will not volunteer details.) How do I know that you're not
hunting for them? Answer: I *have to* assume that you are.
If you have permission, this whole thread doesn't apply to you. If
you don't have permission -- THEN you don't have permission. A
weasel "but I only meant to ..." *might* get you a lighter sentence,
but it won't change that you broke the law. Nor should it.
David Gillett
-----Original Message-----
From: dave [mailto:fla.linux@xxxxxxxxx]
Sent: Saturday, February 25, 2006 8:20 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Cc: ROB DIXON
Subject: Re: How hackers cause damage... was Vulnerabilites
in new laws on computer hacking
Good points???
1 Loss of human life (though systems damage)
How can a kid trying to crack his friend's server cost someone
their life?
2 Insolvency and the resultant human costs (lost jobs, etc)
Pretty much same answer as above
I think a point was missed...We were initially talking about
some kid who is trying to learn about computers by cracking
various machines. Not some *super hacker* with the ability to
bring down serious systems. I think the point I made was also
overlooked...
If you are hell bent for leather and you simply must learn
how to break into computers then at the very least be wise
about what systems you try to crack into! Don't mess with
production systems...don't mess with bank, hospitals, any big
corporate company. Don't ever mess with any real businesses
period. Don't think about government or law enforcement systems
etc... Don't run "untested" exploits on otherwise important
servers where crashing would be a serious problem. As far as
someone losing their life...please give a (realistic) example
or two of how a human life was lost cause a kid tried to
crack his friend's web server or exploit some unpatched SSH
daemon on some machine at his dinky little job. As far as
someone losing his job...in an extreme scenario this could
happen but not if the newbie cracker is wise in his choice of
targets (if you can not be wise regarding your targets then
you shouldn't be cracking computers). And as harsh as this may
sound I will say it anyway...If some otherwise unskilled
script kiddie can break into your *important* system and do
something bad enough to cause someone to possibly lose their
life then you as the admin should be fired!
I also mentioned the financial burden 'Non malicious' attacks
imposes on companies in responding to the break-in. Once
again...be wise about your targets...think small and
realistic. You are NOT Aleph one or Mitnick or who ever...You
are a script kiddie just trying to learn how it works. If you
are at the point where you are bored with basic servers and
want to venture into mainframe or otherwise corporate hacking
then you are really no longer just some kid trying to learn
and therefore you no longer are the point of this topic.
#### Kids trying to learn about computers who break into
small scale targets and do no harm should do NO time!
#### skilled crackers/hackers who cause harm (be it intentional
or not) on important/critical systems should know better and
should be prosecuted/punished accordingly. If someone lost
their life due to a careless cracker then manslaughter
charges should follow etc...
ROB DIXON wrote:
Well put Craig.
You made some good points regarding the so called
"NON-Malicious attacks".
Robert L. Dixon, CSO
CHFI A+
State of West Virginia's
West Virginia Office of Technology
Infrastructure Applications
Netware/GroupWise Administrator
Telephone: (304)-558-5472 ex.4225
Email: rdixon@xxxxxxxxxxxxxxx
"Craig Wright" <cwright@xxxxxxxxxxxxx> >>>
Hello,
There have been a large number of ill-informed posts
regarding damage caused by cyber-trespass. This is for the
purpose of this post described as breaking into a system with
no clear intent to cause damage i.e. no Mens Rea or guilty
mind. I will exclude all references to intention to damage or
wilful damage and limit this to reckless damage alone.
Next, I will exclude Mens Rea as it may pertain to the fact
that the act of committing a computer crime is by definition
illegal. We all seem to understand that breaking into a
computer without permission is a breach of the law so I shall
not explore this avenue of argument.
The term in law refers to "actus non facit reum nisi mens
sit rea", which means that "the act will not make a person
guilty unless the mind is also guilty". This is a common
defence in criminal cases though it will not help you in a
civil tort case (i.e. civil damages).
With the seeming ignorant state that exists (not to all
reading) to the levels of damage caused by breaking into
systems and committing cyber-trespass I will endeavour to
detail the resultant state of affairs.
I will aim solely at corporate systems for the critique
following. This is not to state that Government, privately
run or organisational systems have any lesser effects
resultant from attack, but that this is a post and not a
dissertation (though it is moving in that direction).
First we have the argument that has been fielded that at
worst a system would just need to be rebuilt. A prior poster
stated that he would analyse his system and track the
incident. For the majority of the world this is not so
simple. Most people are not skilled in either incident
response techniques or digital forensic science (please note
computer forensics is a misnomer and grammatically
incorrect). Nor are most companies able to afford to rebuild
systems on a regular basis for the fun of it.
Cyber-trespass leaves one in a state of doubt. It is
commonly stated that the only manner of recovery from a
system compromise is to rebuild the host. I will resist
quoting a voluminous amount of material at this point (unless
somebody wishes to dispute this :). It is needless to say
that documents, working papers and processes on this topic
are widely available. SANS, CERT and the CIS all recommend
that a compromised system be rebuilt, not from backup, but
from scratch.
Further one must "Resist the temptation of restoring from
backups" *1 and complete an "entire system install be
performed from read-only distribution media".
So here, we have to look to the cost of both rebuilding the
system and recreating the data. In the modern corporation,
the primary assets are often vested in the intellectual
capital of the firm.
First, the system needs to be rebuilt as was listed above.
There is no argument here (though I am willing to engage in
one) over the need to rebuild the system. The people at the
company that was attacked do not and cannot know your
motives. They cannot assume you are benign, but have to
assume that you are malignant being that you are willing to
break the law, that you are willing to face gaol.
If they assume otherwise they will suffer again. How do they
know that you have not installed a rootkit? How is it known
that there is no timebomb on the server? You as the attacker
have already demonstrated that you are not bound by
conventional morality and ethics. You have violated property
rights, entered and penetrated a system, breached the
defences and raped the security of the site you choose as
just "practice".
Every attacker that does this makes it easier for the truly
malicious attacker to succeed.
On top of this, add the loss due to the unavailability,
reputation and compliance costs. Let us for the moment forget
the costs of tort against the company. The costs of action
for a violation of privacy rights. The costs from a violation
of PCI-DSS. HIPAA violations or the effects to the company's
share price.
Costs. They seem to be all over the place when you actually
think about it. Each of these costs is damage. This damage
needs to be recovered. We all pay.
Now most organisations do not have, nor can afford to retain
skilled incident response professionals. They need to employ
external parties at a cost. Even when they do have internal
staff there is a cost, but the accounting process is not so simple.
At rates (and this is based in Sydney, Australia) hiring
personnel from a respected firm (and it is not likely to be
less in the case of fear from an attack driving firms to a
position of trust) will have a charge out rate in the order
of $250-450 per hour. The investigation will take 10-100
hours (and in some cases longer though rare).
Is the cost of damages when placed against the risk worth
it. I hope not, but this is a personal risk decision for the
individual to decide. I can do little to stop you committing
cyber-trespass just as I can do little to stop you robbing a
7-11. Mind you however, I am a bit of an a*8hole. If I get
involved I will (in my personal time if needs be) map out
every piece of information that you have done and ensure that
every lie you tell to try to worm out (aimed at those who
still try to do this act) of the consequences is proved
beyond a reasonable doubt in court.
Animus nocendi or a mind to harm reference the precise
familiarity of illegal content of behaviour, and of its
possible consequences. Now that you have read this post, it
may be argued that you have come to understand that there are
consequences for your actions if you choose to still attack a
system (aimed at those who do). Please feel free to flame me
as reading this post effectively provides the essential
condition to give a penal condemnation if you still choose to
violate the law by breaking into systems and causing damage.
Regards,
Craig
PS
So called.. NON-Malicious attacks have caused the following
events to occur
1 Loss of human life (though systems damage)
2 Insolvency and the resultant human costs (lost jobs, etc)
so much for no damage... PPS even longer rant as to each of
these with statistical data available ;)
Liability limited by a scheme approved under Professional
Standards Legislation in respect of matters arising within
those States and Territories of Australia where such
legislation exists.
DISCLAIMER
The information contained in this email and any attachments
is confidential. If you are not the intended recipient, you
must not use or disclose the information. If you have
received this email in error, please inform us promptly by
reply email or by telephoning +61 2 9286 5555. Please delete
the email and destroy any printed copy.
Any views expressed in this message are those of the
individual sender. You may not rely on this message as advice
unless it has been electronically signed by a Partner of BDO
or it is subsequently confirmed by letter or fax signed by a
Partner of BDO.
BDO accepts no liability for any damage caused by this email
or its attachments due to viruses, interference,
interception, corruption or unauthorised access.
-------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
-------------------------------------------------------------
This message is intended for the sole use of the individual and entity to
whom it is addressed, and may contain information, including any
attachments, that is privileged, confidential and exempt from disclosure
under applicable law. If you are not the intended addressee, nor authorized
to receive for the intended addressee, you are hereby notified that you may
not use, copy, disclose or distribute to anyone the message or any
information contained in the message. If you have received this electronic
transmission in error, please notify the sender immediately by a "reply to
sender only" message and destroy all electronic and hard copies of the
communication, including attachments. Thank you.