Message-ID: <DEDFD939A181F94AAF3D965C58B7AADC01FCE488@001fntcex01.fnb.fnni.com>
Date: Wed Aug 17 14:16:32 2005
From: mmadison at fnni.com (Madison, Marc)
Subject: Re: pnp worm unknown variant - post infection actions

Jason Coombs wrote:

"What, you expect them to take an inventory of all of your installed
software? You think there are "scientific standards" for "computer
forensic" examinations? Are you expecting law enforcement to also be
expert infosec gurus and do exhaustive searches through hundreds of
gigabytes of data looking for the needle in the haystack?

What about Metasploit, which will gladly inject a RAM-only WinVNC server
and give complete remote control without "installing" WinVNC anywhere on
the hard drive?

If your Windows box gets owned by such a thing, and you end up accused
of the crimes that the attacker committed while they were in control of
your box, you can kiss your ass goodbye."



Just heard a keynote speech from Jim Christy of the Defense Cyber Crime
Institute, Defense Cyber Crime Center, in which he states over eighty
percent of the lab's cases are related to child porn, not Al Qaeda or
terrorism but these allegedly sick individuals.  Mr. Christy said the
lab has compiled hashes of known child porn; they use the hashes to
perform quick scans of suspected criminals' computers in order to
facilitate a quicker response to the investigating agency in the case.
Now, I agree that computer forensic work is currently unregulated and
misrepresented, but according to Mr. Christy, in the near future U.S.
Federal courts will not accept forensic work unless it was done in a
federally certified lab.  I see this as a move in the right direction
for the forensics industry, though I'm sure many so-called experts will not.

And if I'm not mistaken, Metasploit without any changes is extremely
noisy, which makes it easy to identify as Metasploit.

Marc Madison
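The hash-set scan Marc describes (a lab compiling digests of known files and sweeping a seized disk for exact matches) is simple enough to show in a few lines. The following is an added illustration, not code from the thread or from any forensic lab: it builds a "known" set from constructed sample content, walks a directory tree hashing every file with SHA-256, and reports the paths whose digest is in the set. The file names and contents are made up for the demo. It also shows the technique's main limit, which is the point of the thread: a file altered by even one byte no longer matches, and a tool that lives only in RAM leaves nothing on disk to hash at all.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed sample content. The "known" hash set is derived from these
# bytes at runtime, so no real-world indicator values appear anywhere here.
KNOWN_CONTENT = {
    "known_file_a": b"constructed sample content A\n",
    "known_file_b": b"constructed sample content B\n",
}


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large files don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_known_set(content_map):
    """Map hex digest -> label, the shape a known-file hash set is kept in."""
    return {hashlib.sha256(data).hexdigest(): name
            for name, data in content_map.items()}


def scan_tree(root, known):
    """Walk `root`, hash every regular file, return (path, label) for matches."""
    matches = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            try:
                digest = sha256_file(p)
            except OSError:
                # unreadable file: skip rather than abort the whole sweep
                continue
            if digest in known:
                matches.append((p, known[digest]))
    return sorted(matches)


def demo():
    """Build a throwaway tree with one exact match, one near-miss, one unrelated file."""
    known = build_known_set(KNOWN_CONTENT)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        # exact copy of a known file: this is the only hit the scan should report
        (root / "docs" / "report.bin").write_bytes(KNOWN_CONTENT["known_file_a"])
        # unrelated content: never matches
        (root / "unrelated.txt").write_bytes(b"nothing to see\n")
        # known file with one extra byte appended: the hash no longer matches,
        # which is the core weakness of exact-hash matching
        (root / "modified.bin").write_bytes(KNOWN_CONTENT["known_file_b"] + b"x")
        hits = scan_tree(root, known)
        return [(Path(p).relative_to(root).as_posix(), name) for p, name in hits]


if __name__ == "__main__":
    for path, label in demo():
        print(f"match: {path} -> {label}")
```

Running the demo reports only `docs/report.bin`; the modified copy is invisible to the scan. That is why hash sets are useful for triage speed (as Marc's speaker describes) but say nothing about what is absent from them, including memory-resident tooling.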



-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Jason
Coombs
Sent: Wednesday, August 17, 2005 2:56 AM
To: adityad2005@...rs.sourceforge.net
Cc: Full-Disclosure
Subject: Re: [Full-disclosure] Re: pnp worm unknown variant - post infection actions

Aditya Deshmukh wrote:
> suppose we have VNC installed and that is used to take control of the
> computer and the actions show up as done by the user - would it not be
> caught by law enforcement ?

What, you expect them to take an inventory of all of your installed
software? You think there are "scientific standards" for "computer
forensic" examinations? Are you expecting law enforcement to also be
expert infosec gurus and do exhaustive searches through hundreds of
gigabytes of data looking for the needle in the haystack?

What about Metasploit, which will gladly inject a RAM-only WinVNC server
and give complete remote control without "installing" WinVNC anywhere on
the hard drive?

If your Windows box gets owned by such a thing, and you end up accused
of the crimes that the attacker committed while they were in control of
your box, you can kiss your ass goodbye.

This is what I'm trying to correct. And I'm not alone, but I am in the
minority. Your help would be most welcome, but I honestly don't know
what you can do...

Just be aware, gather proof that "computer forensics" as it is practiced
today has very serious flaws, and tell others.

I predict that we will see a wave of convictions overturned, and
prisoners released, based on faulty computer forensic evidence, that
will make wrongful convictions based on faulty DNA evidence seem
insignificant by comparison.

Regards,

Jason Coombs
jasonc@...ence.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

