Announcement

Collapse
No announcement yet.

What would you do?: All the media in your [home|data center|office] have been stolen.

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #16
    Re: What would you do?: All the media in your [home|data center|office] have been sto

    You know I'm really shocked by IT people who claim to be "security specialist" that overlook the most basic hacker skill. Understanding human nature, getting inside other peoples heads. Forget all the bits and bytes for second and try and understand what the other person is thinking. What motivates them, what drives them, what are they trying to prove or disprove, what are they most likely to do it certain situations. It's one of the most basic and overlooked aspects in IT Security along with physical security.

    xor
    Last edited by xor; September 24, 2007, 18:09.
    Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.

    Comment


    • #17
      Re: What would you do?: All the media in your [home|data center|office] have been sto

      Yes, of course I agree with what everyone else has stated here. I was just adding what I knew wasn't stated and should have been. Incident response and disclosure are still evolving and hotly debated. Many law enforcement agencies still don't know the first thing to do when a company comes to them and tells them that a laptop with sensitive data is missing. It's treated like every other theft, are you insured, don't call us we will call you, I'll take a report; ...etc. In fact only large law enforcement have a cyber crimes unit and they are busy with kiddie porn, and MSNBC stings.

      I was offering some pro-active efforts that you could take as a victim to help yourself.

      It's no doubt best to disclose in most situations, but by doing so you could make matters worst. By letting people who wouldn't know otherwise that they have something that is very important. But then again people who didn't know, most likely wouldn't know who, or what to do with the data. It's the 1% you gotta really worry about. The professionals that know what to do, who to do it with, and how to move it.

      xor
      Last edited by xor; September 24, 2007, 18:08.
      Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.

      Comment


      • #18
        Re: What would you do?: All the media in your [home|data center|office] have been sto

        Originally posted by xor View Post
        Who are you Paris Hilton :)?

        xor

        Many phone carriers today offer a remote wipe. Kerio Mail Server one of my favorites has a push service, with a remote wipe function to. KMS is something you can warez :)
        Yes, but I am much better looking and obviously fatter.

        You know I'm really shocked by IT people who claim to be "security specialist" that overlook the most basic hacker skill. Understanding human nature, getting inside other peoples heads. Forget all the bits and bytes for second and try and understand what that other person is thinking. What motivates them, what drives them, what are they trying to prove or disprove, what are they most likely to do it certain situations. It's one of the most basic and overlooked aspects in IT Security along with physical security.

        xor
        Yes, I can see your point and I think that way as well, However I am not going to take the risk that my CSI-Esque interpretations of the criminal are accurate. No one can 100% determine the intentions of another person. I sure as hell don't want my accountant, lawyer or anyone else doing it either.

        You also say "It's one of the most basic and overlooked aspects in IT Security along with physical security." I disagree. I think in looking at attack patterns and planning countermeasures, incident response, its widely accepted.

        In the physical security aspect that is a whole different realm, and I also disagree, I'm not going to question what your motivations are when you are ripping off my tv at 3am. I'm only paying attention to if you are facing me or walking away. I'm not going to antagonize that in this thread since it's off topic .But I will say that i stick by my statement. You should be prepared and should go into the situation at worse case, but you should also be reasonable and try to diminish the likelihood you are dealing with anything but a litebright in the first place. Don't bring a knife to a gun fight and accept the responsibility of leaving the back door open. Also Learn when to apologize.

        All of this is probably a pointless debate between us because everyones situation will be different, you wouldn't jump on CNN and to say that the forums passwords have been compromised as much as you would say if 900,000 Names, SSNs, and Addresses have been stolen from an unencrypted excel sheet on a windows 95 box.....

        ahh good times...
        "Haters, gonna hate"

        Comment


        • #19
          Re: What would you do?: All the media in your [home|data center|office] have been sto

          Originally posted by Deviant Ollam View Post
          * NOTE - hard disk controller encryption

          has there been a talk about this at any con? there must have been... i plan on doing some searching after i post. i know almost nothing about this and would love to hear how strong it is, etc. when i swapped out the stock drive in my Fujitsu (see note above about the larger disk i now have) i was surprised to see it i couldn't read it when i installed it in my desktop workstation. it was not until i had placed it into a Dell that a message appeared reminding me of the hard disk protection.

          i was surprised at how rather effective things were with this protection. i could not access the disk in any way. i had expected to just boot and nuke the old drive. that wasn't possible. i couldn't even get in and low-level format it. how is this protection implemented? something on the drive circuitry and not the platters? how easily can LEOs or .gov types bypass it, anyone know? i have some serious reading to do.

          also interesting... do different manufacturers implement this in their own way? there seems to be some sort of standard, given that the Dell picked up on what the Fujitsu had done to the drive... but when the Dell asked that i input the password i had used to lock the drive, it wouldn't honor it. I had to re-install in the Fujitsu, go into the CMOS, unlock the drive there, etc. What if my laptop had been crushed under a car? Would i have had to get a new Fujitsu 7010 to unlock the drive? Would any laptop by that manufacturer have worked? like i say, i'm well behind the curve on this technology and plan on spending a lot of this friday doing very, very little work at my job and instead sitting here googling and reading.

          Did you try FTK, Encase, or WinHex on it? Also warezable; right next to the porn :)

          xor

          Seagate was suppose to come out with a drive that has built in encryption, they have been promising for a long time now. The school I'm from is that hardware encryption is not the way to go unless you keep updating the hardware. Anything that is fixed eventually will be defeated. I guess it comes down to the old something you need (the hardware, token, key) , and something you know. As the case with Seagate they have a password recovery utility which tells me that it will and can eventually be reversed engineered.

          see http://www.seagate.com/www/en-us/pro...us_5400_fde.2/
          Last edited by xor; September 24, 2007, 19:35.
          Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.

          Comment


          • #20
            Re: What would you do?: All the media in your [home|data center|office] have been sto

            Was it stolen by some super secret agent man tracking you for months with the intention of trying to sell your data to Iran for millions of dollars, probably not.
            Since there is a good chance that I won't know who it is that stole it and the information held on it is sensitive why wouldn't I take all possible steps to protect myself and those I owe a duty of confidentiality to?

            But I would still look for some trace of the information on the net.
            Hardware is always replaceable...critical information never is. In this scenario I'll be more than happy to replace the hardware and know that there is no chance whatsoever that the information is going to end up being sold or disseminated.
            jur1st, esq.

            Comment


            • #21
              Re: What would you do?: All the media in your [home|data center|office] have been sto

              Originally posted by Deviant Ollam View Post
              chances are very strong that i would simply wait for authorities to fully secure and go over the crime scene for any forensic details. at the places where i consult (some are businesses and some are schools) they are all small enough to either close for the day (think: a sign on the front door saying "water pipe burst, hope to reopen friday") or just operate without technology resources for a while.

              all critical data is backed up on external volumes at my facilities, but not every single client has opted to go whole hog and actually swap media around to the point that they're rotating out a copy somewhere off-site. eh, what can you do?

              after letting police do their thing, i'd begin rebuilding and restoring, much in the same way that i would if a fire or flood took out the technology. none of these companies has privacy-critical data on volumes that aren't somehow encrypted. (typically software encryption, not at the controller level*)
              With all due respect do we live in the same city? You are talking about the PPD right? First, that's what we would all like to see happen. Reality NOT. If there are no guns, no loss of life, no injury, they will take a report; unless it's on the news. No finger prints, no forensics, no crime scene secured; no crime lab, all you get is one 300lb cop with an ambivalent attitude.

              If there are no signs of forced entry, guess what whomever has the keys including yourself are now suspect number one. Even though we all know how easy it is to pick locks. By the way don't tell them you know that or you will find yourself being asked to come down town for a talk.

              Man sorry to be such a cynic but I've had my fair share of dealings with the PPD. I've had customers with public businesses have their back doors ripped off, alarm & phone lines cut with an entire safe ripped out of the floor and carried out of the building and all they took was a report. In this particular instance the crooks carried the safe for half a mile down the train tracks of the Northeast corridor which was located behind the building and into what police believe was a waiting car. No shit sherlock, no maybe it was a motorcycle or a fing spaceship, a car really. One hell of an investigation there.

              Dude only on TV. If it's property and if you are or aren't insured; forget it. Make your report, call your insurance company up and take your lumps. Especially if you haven't heard anything for the magic 72 hours; it's gone.

              That's the way it is. If it's your residence you are lucky if they even come out sometimes. First question; are you insured? Will take an incident report. The crime labs are too busy with violent or high profile crime in the big cities.

              xor

              Ps. This is slightly off topic but it further proves my point. I'll tell you what cops are good at. DO mite have heard of this being from this area. Hadonfield NJ, a wealthy NJ suburb. a high school girl and her family go away on a trip for like a month. Before leaving she gives the key to her parents house to a girl friend I assume for the purpose of entertaining the boyfriend. Instead the girl friend has a wild party at the house. Now in my day we use to do real drugs and raise hell. Well these teens from the report took laxatives and defecated all over the house for fun, as well as unusual sex acts into the furniture and stuffed animals; use your imagination. Needless to say the house was destroyed. The kids then posted pictures of this on the internet. Well needless to say they were caught. That's what cops are good at. What this saids about teenagers today is another thing for another topic.

              No this is not an urban myth. If search you mite even find the pictures.

              In the defense of law enforcement professionals, I couldn't do their job without cracking. Day to day from happy to see you to I want to kill you would get to me and I actually do have a lot of respect and admiration for them though it is not reflected in these posts.
              Last edited by xor; September 24, 2007, 21:08.
              Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.

              Comment


              • #22
                Re: What would you do?: All the media in your [home|data center|office] have been sto

                On Topic and From The Security + Book:

                Incident Response:

                What immediate steps need to be taken?

                Does the security posture need to be modified? When? How?

                Who needs to be notified of this event? When? How?

                What impact does this have on business operations?

                What tools will be used to investigate this incident? Who will use them and how?

                What is more important system recovery or evidence collection?

                Will forensic activity occur? What evidence will be collected, and how will it be preserved?

                At what point to you contact law enforcement? Who makes that call, and whom do you call?

                What other resources are available?

                Where are things like replacement hardware and software located?

                Do system images or backups exist to aid in recovery?

                How do you contact hardware, software, or security vendors if you need to?

                Will this incident become public knowledge? Is a press release needed?

                My additions:

                Does this effect HIPAA, Sarbanes-Oxley ...etc compliance, if so how?

                Do I get an A :)


                xor

                Everyone gets on the rookie(sigh) :)

                DO I have come to the conclusion that I was sitting behind you on the plane on the way to DEFCON. I flew out Thrsday USAIR, window seat right side by the wing. I asked you to let me know if you were going to move your seat back as it would have crushed by laptop screen..
                Last edited by xor; September 24, 2007, 22:44.
                Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.

                Comment


                • #23
                  Re: What would you do?: All the media in your [home|data center|office] have been sto

                  Originally posted by xor View Post
                  What is more important system recovery or evidence collection?
                  When Wietse Venema and Dan Farmer provided a presentation on The Grave Robbers Toolkit, aka, Coroner's Toolkit, they revised this into a 3 part set:
                  What is most important?
                  1) Evidence collection for the purposes of legal proceedings
                  2) Bringing the service back online as soon as possible
                  3) Analysis of the failure to prevent it in the future.
                  Any one is, for the most part, mutually exclusive to the other two as a priority.

                  In cases where High Availability is the most important thing, getting a service up and running again is far more important.
                  In cases where security of [information, access restrictions, etc] is most important, means analysis and understanding of the failure is the most important, so it can be prevented in the future.
                  If either of the above are chosen, it can be make introduction of altered evidence into a court for purposes of criminal trial-- even with very good chain of evidence, altering physical evidence could put you at risk for destruction or tampering with evidence.

                  There are ways to choose more than one form the above...

                  If you have all systems configured with RAID-1, and they are hot swappable, then one of each disk can be yanked to preserve unaltered evidence that can be used in court, and allowed for addition of new disks for rebuilding arrays, and then choose one of the other 2 unchosen items.

                  Of course, this idea does not apply when *all* of the media at your location has been stolen.

                  Will forensic activity occur? What evidence will be collected, and how will it be preserved?
                  The only evidence to be collected would be physical evidence, and maybe fingerprints if the crime involved a large enough loss to let the LEO justify the expense of any kind of CSI work. (Also in cases where DoD, DOE, or some other TLA might be involved, CSI work may also be justified, even if not conducted by LEO.)

                  The police are not likely to, "dust for prints," and follow-up with as detailed an investigation for a home-burglary, but might be more interested if a company can show millions of dollars in losses, or classified documents were involved.

                  So, in some cases, a decision on prosecution is decided for you by LEO or the DA, and can be predicted with a high degree of certainty.

                  At what point to you contact law enforcement? Who makes that call, and whom do you call?
                  [chop]
                  Four years ago, one of the departments at my old job had a meeting with people from the FBI on evidence collection, and how our organization should proceed with certain crimes.

                  Their suggestion at that time was this:
                  We should follow and document chain of evidence, access, custody, and actions, and we should avoid actions that might alter evidence. However, we should investigate as much as possible given the above limits, because once "the law" is called-in, the kinds of evidence they may collect, and how they may collect that evidence which can be admitted into evidence in court is significantly restricted.
                  For example, if we had a policy allowing us to monitor network traffic of all people on our network, then we could gather information legally, which can be used to justify a search warrant.
                  However, if we had no such evidence-- only claims as witnesses, a warrant might be more difficult to acquire, or more restrictive in what evidence could be collected.

                  I am really glad we never went the route of Feds or LEO for "cracking" incidents we encountered. We were lucky to have all incidents be "small" things that we could handle internally in a Human Resource capacity.

                  Do I get an A :)
                  Well, I don't think there is a single correct answer for this. The purpose of these topics is to encourage people to think about what they might do, let people share ideas with each other, and maybe hear some new ideas. :-)

                  Comment


                  • #24
                    Re: What would you do?: All the media in your [home|data center|office] have been sto

                    We should follow and document chain of evidence, access, custody, and actions, and we should avoid actions that might alter evidence. However, we should investigate as much as possible given the above limits, because once "the law" is called-in, the kinds of evidence they may collect, and how they may collect that evidence which can be admitted into evidence in court is significantly restricted.
                    LEOs have some excellent procedures put in place, though much of it remains untested in court. What it boils down to is that the evidence presented is still in such a state that it can be relied upon to find facts.

                    If you're going to be doing any internal investigation and don't know whether law enforcement will be involved, proceed as if they were by cloning media before poking around. Make sure to meticulously document every step and be prepared to show why and how it is forensically sound.

                    I suggest reading through this opinion in Mack v. Markel American Insurance Company to get a good idea of where the law stands on actually getting ESI into the record. It's lengthy, but extremely informative.
                    jur1st, esq.

                    Comment


                    • #25
                      Re: What would you do?: All the media in your [home|data center|office] have been sto

                      For my work (a University science department), my highest priority is getting my users back up and running and, not losing their cumulative years of research data.

                      Therefore, my setup maximizes that imperative by backing up each server and workstation every night, to tape, located on another campus. In the event of theft, forensics have to take second place to angry professors.
                      While we've never had a major theft or breakin- nightly tape backup has saved my ass a number of times.
                      One Voter really can make a difference. Ask me how!

                      Comment


                      • #26
                        Re: What would you do?: All the media in your [home|data center|office] have been sto

                        For Cotman or Anyone Else Interested

                        Originally posted by TheCotMan View Post
                        For example, if we had a policy allowing us to monitor network traffic of all people on our network, then we could gather information legally, which can be used to justify a search warrant.
                        However, if we had no such evidence-- only claims as witnesses, a warrant might be more difficult to acquire, or more restrictive in what evidence could be collected.

                        FYI Speaking Of Monitoring:

                        LoveMyTool - Network Monitoring, CALEA, Lawful Intercept, Application Performance, Web User Experience, Web Analytics, Content & Database Security, IDS, Malware, Crimeware, SOX, HIPAA and PCI Compliance Auditing, Forensics, DPI, VoIP, IPTV ...

                        (Dedicated to customer testimonials and expert reviews of “out-of-band” network security and performance monitoring tools)

                        http://www.lovemytool.com/blog/2007/...orts-or-t.html

                        xor

                        PS No it's not something obscene so get your minds out of the gutter :)

                        New Books for those of us who are old fashioned enough to still read print :)

                        Syngress
                        HOT OFF THE PRESS

                        Alternate Data Storage Forensics: Raising Digital Fingerprints from iPods, PDAs, Cell Phones, Digital Cameras, and Game Systems
                        Learn to pull digital fingerprints from alternate data storage (ADS) devices including: iPod, Xbox, digital cameras and more from the cyber sleuths who train the Secret Service, FBI, and Department of Defense in bleeding edge digital forensics techniques. This book sets a new forensic methodology standard for investigators to use. ... More >>

                        Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research
                        With the arrival of Metasploit Framework Version 3.0 (MSF 3.0), the entire approach to information security testing is likely to be revolutionalized. MSF 3.0 is not only an exploit platform but also a security tool development platform. This book introduces the reader to the main features of the tool, outlines the steps for its installation, and discusses how to use it to run exploits. ... More >>
                        Last edited by xor; September 25, 2007, 21:03.
                        Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.

                        Comment


                        • #27
                          Re: What would you do?: All the media in your [home|data center|office] have been sto

                          Originally posted by xor View Post
                          Lots of Crap
                          Have have you ever actually had to call the PPD about a Major InfoSec Incident. You may be more surprised than you think at their response... Then again, you probably just enjoy talking out your ass about things you know nothing about.
                          And I heard a voice in the midst of the four beasts, And I looked and behold: a pale horse. And his name, that sat on him, was Death. And Hell followed with him.

                          Comment


                          • #28
                            Re: What would you do?: All the media in your [home|data center|office] have been sto

                            Originally posted by HighWiz View Post
                            Have have you ever actually had to call the PPD about a Major InfoSec Incident. You may be more surprised than you think at their response... Then again, you probably just enjoy talking out your ass about things you know nothing about.
                            Then school us HighWiz, tell us how it all goes; be specific, tell us how it turned out :). I was referring to how the PPD handled burglary, and grand theft in most of my posts. Home and SMB computers, I was pretty specific about what I was talking about; if you took the time to read it. I didn't go into a major INFOSEC incident. The last few posts that I did I was quoting from the a text book and also made that clear. At least I disseminate some knowledge in my posts.

                            xor
                            Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.

                            Comment


                            • #29
                              Re: What would you do?: All the media in your [home|data center|office] have been sto

                              Originally posted by Deviant Ollam View Post
                              chances are very strong that i would simply wait for authorities to fully secure and go over the crime scene for any forensic details. at the places where i consult (some are businesses and some are schools) they are all small enough to either close for the day (think: a sign on the front door saying "water pipe burst, hope to reopen friday") or just operate without technology resources for a while.

                              all critical data is backed up on external volumes at my facilities, but not every single client has opted to go whole hog and actually swap media around to the point that they're rotating out a copy somewhere off-site. eh, what can you do?

                              after letting police do their thing, i'd begin rebuilding and restoring, much in the same way that i would if a fire or flood took out the technology. none of these companies has privacy-critical data on volumes that aren't somehow encrypted. (typically software encryption, not at the controller level*)
                              Originally posted by xor View Post
                              With all due respect do we live in the same city? You are talking about the PPD right? First, that's what we would all like to see happen. Reality NOT. If there are no guns, no loss of life, no injury, they will take a report; unless it's on the news. No finger prints, no forensics, no crime scene secured; no crime lab, all you get is one 300lb cop with an ambivalent attitude.

                              If there are no signs of forced entry, guess what whomever has the keys including yourself are now suspect number one. Even though we all know how easy it is to pick locks. By the way don't tell them you know that or you will find yourself being asked to come down town for a talk.

                              Man sorry to be such a cynic but I've had my fair share of dealings with the PPD. I've had customers with public businesses have their back doors ripped off, alarm & phone lines cut with an entire safe ripped out of the floor and carried out of the building and all they took was a report. In this particular instance the crooks carried the safe for half a mile down the train tracks of the Northeast corridor which was located behind the building and into what police believe was a waiting car. No shit sherlock, no maybe it was a motorcycle or a fing spaceship, a car really. One hell of an investigation there.

                              Dude only on TV. If it's property and if you are or aren't insured; forget it. Make your report, call your insurance company up and take your lumps. Especially if you haven't heard anything for the magic 72 hours; it's gone.

                              That's the way it is. If it's your residence you are lucky if they even come out sometimes. First question; are you insured? Will take an incident report. The crime labs are too busy with violent or high profile crime in the big cities.

                              xor

                              Ps. This is slightly off topic but it further proves my point. I'll tell you what cops are good at. DO mite have heard of this being from this area. Hadonfield NJ, a wealthy NJ suburb. a high school girl and her family go away on a trip for like a month. Before leaving she gives the key to her parents house to a girl friend I assume for the purpose of entertaining the boyfriend. Instead the girl friend has a wild party at the house. Now in my day we use to do real drugs and raise hell. Well these teens from the report took laxatives and defecated all over the house for fun, as well as unusual sex acts into the furniture and stuffed animals; use your imagination. Needless to say the house was destroyed. The kids then posted pictures of this on the internet. Well needless to say they were caught. That's what cops are good at. What this saids about teenagers today is another thing for another topic.

                              No this is not an urban myth. If search you mite even find the pictures.

                              In the defense of law enforcement professionals, I couldn't do their job without cracking. Day to day from happy to see you to I want to kill you would get to me and I actually do have a lot of respect and admiration for them though it is not reflected in these posts.
                              Originally posted by HighWiz View Post
                              Have have you ever actually had to call the PPD about a Major InfoSec Incident. You may be more surprised than you think at their response... Then again, you probably just enjoy talking out your ass about things you know nothing about.
                              Originally posted by xor View Post
                              Then school us HighWiz, tell us how it all goes; be specific, tell us how it turned out :). I was referring to how the PPD handled burglary, and grand theft in most of my posts. Home and SMB computers, I was pretty specific about what I was talking about; if you took the time to read it. I didn't go into a major INFOSEC incident. The last few posts that I did I was quoting from the a text book and also made that clear. At least I disseminate some knowledge in my posts.

                              xor
                              So, there you two go. Copying this to another thread in /dev/random where flaming is allowed. If you want to play with flamethrowers, that's the place to do it.

                              Related posts as quoted here will be copied to the new thread in /dev/random for less restrictive rules, including allowances for flaming.
                              Last edited by TheCotMan; September 26, 2007, 04:22.

                              Comment

                              Working...
                              X