RE: Signs of an Intruder

Al Venz (venz@psa.pencom.com)
Wed, 11 Dec 1996 12:07:20 -0600 (CST)

Howdy,

Just a couple of comments.  I agree paper logging is very safe, as dictated 
in "The Cuckoo's Egg," but I also remember reading in that book that Cliff 
ran into some paper jam problems, so that's one thing to keep in mind: 
physical reliability of your logs.  Another one is cost: how much paper 
would it take for a major ISP to log all connections?  What if I knew 
they were logging to paper so I intentionally created connection after 
connection, possibly legitimate connections, in order to use up their 
finite amount of paper before attacking for real?  Now that ISP gets a 
call from another one letting them know they'd been attacked from a 
particular site; who's the unlucky soul who manually "greps" all 
connections, attempted or made, from that site, or sites similar?

My point is that paper logging sounds cool but is often unrealistic.  If 
it is realistic in your scenario, more power to you.

As for the caveman attacking my site, I guess I should ignore him/her and 
only try to stop the high-tech folks that keep up with the latest bugs.  
Is there a mailing list that tells me when a security hole is considered 
old so I can quit checking on it?  Personally I think it's a good idea to 
stick to the "paranoid" theme and check for *all* known problems.  Maybe 
somebody has a program that goes through hundreds of known holes/bugs and 
tries to exploit them all.  If that were the case, the "wiz"/"debug" 
attempts may come first and give me an early warning that people are attacking.

See ya,
Al

P.S.  What are the actual odds on those "chances" you refer to?  Maybe we 
can all make some money in Vegas on this.  :-)

On Thu, 5 Dec 1996, BlackHeart wrote:

> It would seem to me the most logical thing to do is to have a print log of
> all port connections, including the site it is coming from.  Sure, it is
> definitely possible that logs may be altered, but it's pretty hard to roll
> back the paper...
> 
> Another interesting point that I've seen in this discussion is looking for
> attempted commands like "wiz" and "debug"... chances are, if someone is
> attempting these commands, they have either lived in a cave for the past
> decade or have no idea what they are doing... what version of sendmail
> actually contained the "wizard" backdoor?  I know that it was fixed on most
> systems as early as 1988, when the infamous worm used it as a method of
> security breach... but anyways, I digress... later.
> 
> -blak
>
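Two of the ideas in this exchange, treating "wiz"/"debug" attempts as an early warning and spotting a source that opens connection after connection to exhaust the log, can be checked mechanically. The following is an added example, not code from either poster: it runs over a constructed, simplified "time host command" session log (not real sendmail output) and reports per-source obsolete-command probes and sources whose session rate exceeds a threshold.

```python
from collections import defaultdict
from datetime import datetime

# Commands no current mail server should see from a legitimate client.
OBSOLETE_PROBES = {"WIZ", "DEBUG"}

# Constructed sample log (not real sendmail output): "<ISO time> <host> <command>"
SAMPLE_LOG = """\
1996-12-05T10:01:02 192.0.2.10 HELO probe.example.net
1996-12-05T10:01:03 192.0.2.10 WIZ
1996-12-05T10:01:03 192.0.2.10 DEBUG
1996-12-05T10:02:00 198.51.100.7 HELO mail.example.org
1996-12-05T10:03:00 203.0.113.5 HELO x
1996-12-05T10:03:01 203.0.113.5 HELO x
1996-12-05T10:03:01 203.0.113.5 HELO x
1996-12-05T10:03:02 203.0.113.5 HELO x
"""

def parse(log):
    """Yield (time, host, command-verb) tuples; skip malformed lines."""
    for line in log.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3:
            ts, host, cmd = parts
            yield datetime.fromisoformat(ts), host, cmd.split()[0].upper()

def obsolete_probes(log):
    """Map host -> sorted obsolete commands it tried (the early warning)."""
    seen = defaultdict(set)
    for _, host, cmd in parse(log):
        if cmd in OBSOLETE_PROBES:
            seen[host].add(cmd)
    return {h: sorted(c) for h, c in seen.items()}

def connection_floods(log, max_per_window=3, window_seconds=60):
    """Hosts opening more than max_per_window sessions within any window."""
    starts = defaultdict(list)
    for ts, host, cmd in parse(log):
        if cmd in ("HELO", "EHLO"):
            starts[host].append(ts)
    flooders = set()
    for host, times in starts.items():
        times.sort()
        lo = 0  # sliding window: times[lo..hi] all fall within window_seconds
        for hi, t in enumerate(times):
            while (t - times[lo]).total_seconds() > window_seconds:
                lo += 1
            if hi - lo + 1 > max_per_window:
                flooders.add(host)
    return sorted(flooders)
```

On the sample log this flags 192.0.2.10 for the WIZ/DEBUG probes and 203.0.113.5 for four sessions inside one minute, while the single ordinary session from 198.51.100.7 is left alone.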