RE: Signs of an Intruder

Dwight Hubbard (dhubbard@mail.cedarnet.com)
Mon, 2 Dec 1996 08:29:26 -0600

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Tracy R. Reed: "Re: searching logs for key phrases"
Previous message: Matthew Archibald: "Re: Audit trails"

Exactly how would an intruder remove themselves from a log written to a write on
ly media.  Or for that matter a laser printer??

----------
From:   Diane Davidowicz[SMTP:diane_d@sun1.wwb.noaa.gov]
Sent:   Monday, November 25, 1996 5:27 PM
To:     ids@uow.edu.au
Subject:        RE: Signs of an Intruder

> Why not just log everything to write once media such as a Worm drive...
This is on the right track and so is logging off to other systems as so
many of us know.
> 
> I also believe there is some help in using "security through obscurity",
> whereby you place wrapper logs etc. in a logfile where a whole lot of
> irrelevant logging goes too (for example, the ftp xferlog, or somesuch).
> 
Wrong. The intruders with a clue know what to look for and remove themselves
promptly. Nothing is sacred on a system once it has intruders. Keep checksums
to detect what has changed and protect your logs by sending them off to
a secured environment.


Diane

Next message: Tracy R. Reed: "Re: searching logs for key phrases"
Previous message: Matthew Archibald: "Re: Audit trails"