| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed Aug 17 14:16:32 2005 From: mmadison at fnni.com (Madison, Marc) Subject: Re: pnp worm unknown variant - post infectionactions Jason Coombs wrote: "What, you expect them to take an inventory of all of your installed software? You think there are "scientific standards" for "computer forensic" examinations? Are you expecting law enforcement to also be expert infosec gurus and do exhaustive searches through hundreds of gigabytes of data looking for the needle in the haystack? What about Metasploit, which will gladly inject a RAM-only WinVNC server and give complete remote control without "installing" WinVNC anywhere on the hard drive? If your Windows box gets owned by such a thing, and you end up accused of the crimes that the attacker committed while they were in control of your box, you can kiss your ass goodbye." Just heard a key not speech from Jim Christy of the Defense Cyber Crime Institute Defense Cyber Crime Center, in which he states over eighty percent of the labs cases are related to child porn, not Al Qaeda or terrorism but these allegedly sick individuals. Mr. Christy said the lab has compiled hashes of know child porn, they use the hashes to perform quick scans of suspected criminals computers in order to facilitate a quicker response to the investigating agency in the case. Now, I agree that computer forensic work is currently unregulated and misrepresented, but according to Mr. Christy, in the near future U.S. Federal courts will not accept forensic work unless it was done in a federally certified lab. I see this as a move in the right direction for the forensics industry, though I'm many so called experts will not. And if I'm not mistaken Metasploit with out any changes is extremely noisy which makes it easy to identify as Metasploit. Marc Madison -----Original Message----- From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Jason Coombs Sent: Wednesday, August 17, 2005 2:56 AM To: adityad2005@...rs.sourceforge.net Cc: Full-Disclosure Subject: Re: [Full-disclosure] Re: pnp worm unknown variant - post infectionactions Aditya Deshmukh wrote: > suppose we have VNC installed and that is used to take control of the > computer and the actions show up as done by the user - would it not be > caught by law enforcement ? What, you expect them to take an inventory of all of your installed software? You think there are "scientific standards" for "computer forensic" examinations? Are you expecting law enforcement to also be expert infosec gurus and do exhaustive searches through hundreds of gigabytes of data looking for the needle in the haystack? What about Metasploit, which will gladly inject a RAM-only WinVNC server and give complete remote control without "installing" WinVNC anywhere on the hard drive? If your Windows box gets owned by such a thing, and you end up accused of the crimes that the attacker committed while they were in control of your box, you can kiss your ass goodbye. This is what I'm trying to correct. And I'm not alone, but I am in the minority. Your help would be most welcome, but I honestly don't know what you can do... Just be aware, gather proof that "computer forensics" as it is practiced today has very serious flaws, and tell others. I predict that we will see a wave of convictions overturned, and prisoners released, based on faulty computer forensic evidence, that will make wrongful convictions based on faulty DNA evidence seem insignificant by comparison. Regards, Jason Coombs jasonc@...ence.org _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists