Re: [ISN] Random rants
From: Curt Bryson (NTI) (cbryson TELEPORT.COM)
Date: Mon Oct 09 2000 - 13:28:39 CDT
-----Original Message-----
>I still think that it's foolhardy to advertise internal information
>so promiscuously because the first step in attacking a site is
>gathering as much information about the site as possible [...]
>> I'm in agreement. If there's any way of making it more difficult for
>> someone to break in, then do it. Today's piece of secure software is the
>> subject of tomorrow's Bugtraq posting. Knowing what I know about the modus
>> operandi of many crackers (who often scan thousands of hosts checking for
>> security flaws), I think it's a good idea to avoid allowing your IP
>> address to appear on the list of sites vulnerable to the latest 0-day
>> exploit.
OK, I cannot argue this at all, as it IS smart security. But I have to make
mention of the fact that the "suits" in the company also have another issue
to deal with... that of liability. I have worked many cases in the past
year wherein the IP address and other info in the email address OR SMTP
server logs have allowed me to see when and from whence an email came.

In one case, it allowed me to ID an employee who sent threats from his home
ISP. But in another case, it allowed me to assist a software (game) company
ID an employee who used corporate email to send trade secret information out
to an accomplice (not the sharpest knife in the drawer). Header and routing
info should, IMHO, at least be kept by the two servers involved; else
complete anonymity could work against us as much as for us.

Unfortunately, as long as the current protocol for sending mail behaves in
the same manner it does now, the final connection still exists. That
connection, through some elegant pre-planning by the cracker, can continue to
be an Achilles heel, and is loggable by the OS, regardless of facilities in
the software. All we really do by removing the information is make it a bit
more difficult for the cracker, but also for us when it comes time to see
who's been messing around using our system for no good.

I don't have the answer, before you ask... the question being "well how much
do we want to balance security with accountability?" This was simply a
parallel rant, meant to bring discourse and an additional angle.

Curt Bryson
Computer Forensics/Internet Investigations
Consultant
New Technologies, Inc.
http://www.forensics-intl.com
2075 NE Division St.
Gresham, OR 97030
Ph: (503) 661-6912
Fx: (503) 674-9145
Email: curt forensics-intl.com
NTI is an Armor Holdings company NYSE: AH
ISN is hosted by SecurityFocus.com