Message-ID: <200304231818.h3NIIr3j001850@turing-police.cc.vt.edu>
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Break-in discovery and forensics tools 

On Wed, 23 Apr 2003 09:18:58 PDT, Hotmail <se_cur_ity@...mail.com>  said:
> I realize the importance of after incident forensics... What I don't
> understand is logs used in a court for prosecution. Logs are inherently not
> preservable or physical evidence, it is tamperable from the time the
> external data hits a MAC, if that were the case basically I could take my logs
> and edit any damn originating ip i choose, send those logs to law
> enforcement, and have an innocent person convicted. Logs are nice.. but IMHO
> defeatable in court.

Very good point - which is why things like this are proposed:

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Security Issues in Network Event Logging Working Group of the IETF.

	Title		: Syslog-Sign Protocol
	Author(s)	: J. Kelsey, J. Callas
	Filename	: draft-ietf-syslog-sign-10.txt
	Pages		: 35
	Date		: 2003-4-7
	
This document describes syslog-sign, a mechanism adding origin
authentication, message integrity, replay-resistance, message
sequencing, and detection of missing messages to syslog. Syslog-sign
provides these security features in a way that has minimal
requirements and minimal impact on existing syslog implementations.
It is possible to support syslog-sign and gain some of its security
attributes by only changing the behavior of the devices generating
syslog messages. Some additional processing of the received syslog
messages and the syslog-sign messages on the relays and collectors
may realize additional security benefits.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-syslog-sign-10.txt

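The draft abstract above lists five properties (origin authentication, message integrity, replay resistance, sequencing, detection of missing messages) without showing how a collector would actually check them. The block below is an added, constructed illustration of those properties and is not code from the draft, from this posting, or from any syslog-sign implementation. It does not follow the draft's wire format: a shared-key HMAC-SHA256 stands in for the draft's public-key signatures (an assumption that trades away third-party verifiability), the block size of three messages and the demo key are constructed values, and the log lines in the scenario are made up. The device side numbers every message and periodically signs a block of message hashes; the collector side, given the stored messages and the signed blocks, reports which messages verify, which were altered (for example a rewritten source IP, the case the quoted message worries about), which are missing, and which were replayed.

```python
import hashlib
import hmac
import json

# Constructed demo key. The draft uses public-key signatures so a collector can
# verify without being able to forge; a shared-key MAC is only a stand-in here.
DEMO_KEY = b"constructed-demo-key"

BLOCK_SIZE = 3  # messages per signature block (assumption; the draft's blocks are larger)


def msg_hash(seq, text):
    """Hash the sequence number together with the text so a message cannot be
    moved to another position in the stream without detection."""
    return hashlib.sha256(f"{seq}:{text}".encode()).hexdigest()


def make_block(key, session, first_seq, hashes):
    """Sign a block of message hashes. 'session' models a reboot-session id,
    so sequence numbers restart safely after a device reboot."""
    body = {"session": session, "first_seq": first_seq, "hashes": hashes}
    payload = json.dumps(body, sort_keys=True).encode()
    body["mac"] = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return body


def block_mac_ok(key, block):
    body = {k: v for k, v in block.items() if k != "mac"}
    payload = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, block["mac"])


class Signer:
    """Device side: numbers every message and emits a signed block of hashes
    every BLOCK_SIZE messages."""

    def __init__(self, key, session=1):
        self.key, self.session, self.seq = key, session, 0
        self.pending = []   # hashes not yet covered by a signature block
        self.messages = []  # (seq, text) pairs as sent to the collector
        self.blocks = []    # signature blocks as sent to the collector

    def log(self, text):
        self.seq += 1
        self.messages.append((self.seq, text))
        self.pending.append(msg_hash(self.seq, text))
        if len(self.pending) == BLOCK_SIZE:
            self.flush()
        return self.seq

    def flush(self):
        if self.pending:
            first = self.seq - len(self.pending) + 1
            self.blocks.append(make_block(self.key, self.session, first, self.pending))
            self.pending = []


def verify(key, messages, blocks):
    """Collector side: check the stored messages against the signed blocks and
    return findings keyed by category (sequence numbers, or block indexes)."""
    findings = {"forged_blocks": [], "replayed_blocks": [], "replayed_messages": [],
                "tampered": [], "missing": [], "verified": []}
    received = {}
    for seq, text in messages:
        if seq in received:
            findings["replayed_messages"].append(seq)  # same seq delivered twice
        else:
            received[seq] = text
    seen_blocks = set()
    for i, blk in enumerate(blocks):
        if not block_mac_ok(key, blk):
            findings["forged_blocks"].append(i)       # block altered or not from the device
            continue
        if (blk["session"], blk["first_seq"]) in seen_blocks:
            findings["replayed_blocks"].append(i)     # old block re-sent
            continue
        seen_blocks.add((blk["session"], blk["first_seq"]))
        for offset, h in enumerate(blk["hashes"]):
            seq = blk["first_seq"] + offset
            if seq not in received:
                findings["missing"].append(seq)       # signed for, never arrived / deleted
            elif msg_hash(seq, received[seq]) != h:
                findings["tampered"].append(seq)      # text differs from what was signed
            else:
                findings["verified"].append(seq)
    return findings


def demo():
    """Constructed scenario: six messages are logged; the stored copy then has
    one source IP rewritten, one message deleted, and one message duplicated."""
    signer = Signer(DEMO_KEY)
    for line in ["sshd: Accepted password for root from 10.0.0.5",
                 "sshd: Failed password for admin from 10.0.0.9",
                 "kernel: eth0 link up",
                 "sudo: root : COMMAND=/bin/bash",
                 "cron: job started",
                 "sshd: session closed for root"]:
        signer.log(line)
    signer.flush()
    stored = list(signer.messages)
    stored[0] = (1, "sshd: Accepted password for root from 192.0.2.77")  # edited origin IP
    del stored[3]              # seq 4 (the sudo line) removed
    stored.append(stored[-1])  # seq 6 delivered a second time
    return verify(DEMO_KEY, stored, signer.blocks)
```

Running `demo()` reports seq 1 as tampered, seq 4 as missing, seq 6 as replayed, and 2, 3, 5, 6 as verified. The point for the court-admissibility question in the quoted message is that the collector, not the sending host, holds the evidence: an edit to the stored text changes its hash and no longer matches the block the device signed, and an attacker who can rewrite the logs but does not hold the signing key cannot produce a matching block. What the scheme cannot do is vouch for a device whose signing key has itself been compromised, which is why key custody on the originating host remains part of the chain-of-custody argument.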