Re: I got an intruder ...

Diane Davidowicz (diane_d@sun1.wwb.noaa.gov)
Thu, 9 Nov 95 16:01:47 EST

> My stomach turns every time I see exceptionally ordinary system
> administrators suddenly wet their pants and quiver with excitement and
> anticipation when they come to the conclusion they can really be
> important secret agents, wooed by police, intelligence officers and the
> media. It's an enormous waste of public and private funds. And all for the
> ego and self-delusion of glorified computer managers who are devoid
> of any real life.
I find the ego trips to be quite parallel to the egos of hackers (at least
once the situation is under control and their pants have dried) ;-)

Truth is, as far as a business aspect is concerned, the best thing you can
do is to find out how they were vulnerable and to direct them towards
implementing appropriate security measures that will fit into the current
security policies or effectively enhance the security of the site and its
policies. :-)

I have seen time and time again these administrators panic and get led
astray in the "crisis" of the presence of a hacker. If the site did not
take appropriate security measures to begin with, they usually find it quite
overwhelming and cannot see things clearly enough to make sound judgements
as to how to go about effectively securing the networks. And usually it's
uncalled for.

It's a tough call to make. As Julian Assange asked, are they being malicious?
If they are not, can you play the odds and hope that they won't become
malicious in order to buy time for making sound decisions as to how to go
about securing their network and systems?  I dealt with a site that was in
a real crisis situation. The hackers had malicious intent and were carrying it
out over and over again.  The system was pulled off the network to control
the situation and await a patch from the vendor. In the meantime, someone in
the same office, frustrated by the outage, connected the machine back to the
network and gave the hackers yet another opportunity to wreak havoc on the
system.

That was an out-of-control situation. The users needed to be educated as to
the threat, and the system and network needed to be secured appropriately,
and what they all failed to see in the beginning is that all of this takes
time and careful planning. Plans that should include steps to take if another
intruder ever finds their way into the network again.

I have also dealt with sites that were notified in one way or another that
an intrusion had occurred, yet with no malicious activities. They were being used
for warez sites or island hopping, or whatever. When I assisted these sites,
they were wholly involved in securing the big picture, not just how to get
out hacker x, y, and z.

As far as the authorities? I have heard some real success stories, but overall
things are difficult when trying to prosecute in the States (and third
world countries ;-)  A lot of countries don't even have hacking laws and
you are left in the same boat: effectively securing the systems and the
network. So as the Nike commercial says, "Just Do It".

Nonetheless, I do suggest copying evidence off to tapes, etc. It doesn't
hurt and maybe you might find some useful information later when you have
time to review the archives of their activity. Also, it is management's
decision to pursue a legal investigation. If they are interested, then
the evidence is ready to take to the authorities; if they aren't and
they don't want to waste time or money, then you CYA and that is a very
important thing to do. :-)

Hope this helps!
Diane Davidowicz

------------------------------------------------------------------------
Better to keep your mouth shut and let people think you are a fool, than
to open it and remove all possible doubt.  -forgot the author
Take my advice. I'm not using it.    -a magnet on my refrigerator.
------------------------------------------------------------------------
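The advice above to copy evidence off to tape and keep it ready in case management later decides to involve the authorities is only useful if the copy can be shown to be unchanged. The script below is an added example, not part of Diane's post or the original thread: it bundles a directory of evidence into a tar archive and writes SHA-256 manifests for the archive and for every file inside it, then verifies a copy against those manifests. It assumes `tar`, `sha256sum`, `find` and `mktemp` from a typical Linux userland; the sample log file in the demo is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): preserve intrusion evidence
# as a tar archive with SHA-256 manifests so the copy can be verified later.
set -eu

# make_evidence_archive SRC_DIR OUT_DIR CASE_ID
# Prints the absolute path of the archive it created. Beside it:
#   <archive>.manifest : SHA-256 of every file inside, relative paths
#   <archive>.sha256   : SHA-256 of the archive file itself
make_evidence_archive() {
    src=$1 case_id=$3
    mkdir -p "$2"
    out=$(cd "$2" && pwd)                      # absolute, so tar -C is safe
    archive="$out/${case_id}-$(date -u +%Y%m%dT%H%M%SZ).tar"
    # Hash every file first, sorted by name, so the manifest is reproducible.
    (cd "$src" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2) \
        > "$archive.manifest"
    tar -C "$src" -cf "$archive" .
    # Hash the archive with a bare file name so the check works anywhere.
    (cd "$out" && sha256sum "$(basename "$archive")") > "$archive.sha256"
    printf '%s\n' "$archive"
}

# verify_evidence ARCHIVE
# Returns 0 if the archive and every file inside still match the manifests
# written by make_evidence_archive, 1 if anything differs.
verify_evidence() {
    archive=$1
    dir=$(cd "$(dirname "$archive")" && pwd)
    name=$(basename "$archive")
    # Step 1: the archive file itself must be unchanged.
    if ! (cd "$dir" && sha256sum --status -c "$name.sha256"); then
        return 1
    fi
    # Step 2: extract to scratch space and re-check each file's hash.
    work=$(mktemp -d)
    tar -C "$work" -xf "$archive"
    status=0
    (cd "$work" && sha256sum --status -c "$dir/$name.manifest") || status=1
    rm -rf "$work"
    return $status
}

# Demo with constructed sample evidence: archive, verify, tamper, verify.
demo=$(mktemp -d)
mkdir -p "$demo/src/var/log"
printf 'Nov  9 15:58:02 host login: ROOT LOGIN REFUSED ON ttyp2\n' \
    > "$demo/src/var/log/messages"          # constructed sample log line
a=$(make_evidence_archive "$demo/src" "$demo/evidence" case-demo)
if verify_evidence "$a"; then echo "original copy verifies: $a"; fi
printf 'x' >> "$a"                          # simulate a damaged copy
if verify_evidence "$a"; then echo "unexpected"; else echo "tampered copy detected"; fi
rm -rf "$demo"
```

Keep the `.sha256` and `.manifest` files separate from the tape or disk that holds the archive (for example, printed into the incident log), since a manifest stored next to the archive can be rewritten along with it.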