Open Source and information security mailing list archives
 
From: purdy at tecman.com (Curt Purdy)
Subject: [inbox] Re: Reacting to a server compromise

Actually the traditionally accepted court evidence is real-time printouts of
data received by the syslog server.  We ran out of room to store the paper
and went to write-once cd's.  We are looking at going to DVD to cut down on
disk changes.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions
cpurdy@...ol.com
936.637.7977 ext. 121

----------------------------------------

If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke



-----Original Message-----
From: Michal Zalewski [mailto:lcamtuf@...ttot.org]
Sent: Sunday, August 03, 2003 4:07 PM
To: Curt Purdy
Cc: 'Jennifer Bradley'; full-disclosure@...ts.netsys.com
Subject: RE: [inbox] Re: [Full-Disclosure] Reacting to a server
compromise


On Sun, 3 Aug 2003, Curt Purdy wrote:

> Jennifer, I made a reply to someone disagreeing with your statement on
> copying the drive, supporting your contention.  However, most courts
> will not accept log files on magnetic media as evidence due to the ease
> of alteration.  This is why we collect all logs on a central syslog
> server that writes directly to write-once media.  That is irrefutable
> evidence.

Of that someone spoofed a log message to your central log server, or that
someone messed with the log server itself to log fake entries?

What is your write-once media? Does it ensure integrity of the data stored
(so that it is evident when a printout or a cd or whatnot is replaced)?
If not, it's hardly "irrefutable". If yes, what was the cost of this
device and how many businesses can afford one?

Besides, what do your logs prove? That someone sent packets with some poor
guy's IP address as a source?

Most courts - IANALBMSUTO - will accept electronic logs, although they
usually expect them to be confirmed by several sources (i.e.  the attacked
host, your ISP) and backed with an official expert opinion to be of any
value.

Still, hardly an evidence the owner of the box was in control of the
application that sent the offending traffic. The hard evidence comes from
a different source, usually.

--
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-08-03 22:54 --




