
What would you do?: All the media in your [home|data center|office] have been stolen.


  • #16
    Re: What would you do?: All the media in your [home|data center|office] have been sto

    You know I'm really shocked by IT people who claim to be "security specialists" that overlook the most basic hacker skill: understanding human nature, getting inside other people's heads. Forget all the bits and bytes for a second and try to understand what the other person is thinking. What motivates them, what drives them, what are they trying to prove or disprove, what are they most likely to do in certain situations? It's one of the most basic and overlooked aspects of IT security, along with physical security.

    xor
    Last edited by xor; September 24, 2007, 17:09.
    Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.



    • #17
      Re: What would you do?: All the media in your [home|data center|office] have been sto

      Yes, of course I agree with what everyone else has stated here. I was just adding what I knew wasn't stated and should have been. Incident response and disclosure are still evolving and hotly debated. Many law enforcement agencies still don't know the first thing to do when a company comes to them and tells them that a laptop with sensitive data is missing. It's treated like every other theft, are you insured, don't call us we will call you, I'll take a report; ...etc. In fact only large law enforcement have a cyber crimes unit and they are busy with kiddie porn, and MSNBC stings.

      I was offering some pro-active efforts that you could take as a victim to help yourself.

      It's no doubt best to disclose in most situations, but by doing so you could make matters worse, by letting people who wouldn't know otherwise know that they have something that is very important. But then again, people who didn't know most likely wouldn't know who or what to do with the data. It's the 1% you gotta really worry about: the professionals that know what to do, who to do it with, and how to move it.

      xor
      Last edited by xor; September 24, 2007, 17:08.
      Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.



      • #18
        Re: What would you do?: All the media in your [home|data center|office] have been sto

        Originally posted by xor View Post
        Who are you Paris Hilton :)?

        xor

        Many phone carriers today offer a remote wipe. Kerio Mail Server, one of my favorites, has a push service with a remote wipe function too. KMS is something you can warez :)
        Yes, but I am much better looking and obviously fatter.

        You know I'm really shocked by IT people who claim to be "security specialists" that overlook the most basic hacker skill: understanding human nature, getting inside other people's heads. Forget all the bits and bytes for a second and try to understand what that other person is thinking. What motivates them, what drives them, what are they trying to prove or disprove, what are they most likely to do in certain situations? It's one of the most basic and overlooked aspects of IT security, along with physical security.

        xor
        Yes, I can see your point and I think that way as well; however, I am not going to take the risk that my CSI-esque interpretations of the criminal are accurate. No one can 100% determine the intentions of another person. I sure as hell don't want my accountant, lawyer or anyone else doing it either.

        You also say "It's one of the most basic and overlooked aspects in IT Security along with physical security." I disagree. I think in looking at attack patterns and planning countermeasures and incident response, it's widely accepted.

        In the physical security aspect, that is a whole different realm, and I also disagree. I'm not going to question what your motivations are when you are ripping off my TV at 3am. I'm only paying attention to whether you are facing me or walking away. I'm not going to antagonize that in this thread since it's off topic. But I will say that I stick by my statement. You should be prepared and should go into the situation at worst case, but you should also be reasonable and try to diminish the likelihood you are dealing with anything but a litebright in the first place. Don't bring a knife to a gun fight, and accept the responsibility of leaving the back door open. Also learn when to apologize.

        All of this is probably a pointless debate between us because everyone's situation will be different. You wouldn't jump on CNN to say that the forum's passwords have been compromised as much as you would if 900,000 names, SSNs, and addresses had been stolen from an unencrypted Excel sheet on a Windows 95 box.....

        ahh good times...
        "Haters, gonna hate"



        • #19
          Re: What would you do?: All the media in your [home|data center|office] have been sto

          Originally posted by Deviant Ollam View Post
          * NOTE - hard disk controller encryption

          has there been a talk about this at any con? there must have been... i plan on doing some searching after i post. i know almost nothing about this and would love to hear how strong it is, etc. when i swapped out the stock drive in my Fujitsu (see note above about the larger disk i now have) i was surprised to see i couldn't read it when i installed it in my desktop workstation. it was not until i had placed it into a Dell that a message appeared reminding me of the hard disk protection.

          i was surprised at how rather effective things were with this protection. i could not access the disk in any way. i had expected to just boot and nuke the old drive. that wasn't possible. i couldn't even get in and low-level format it. how is this protection implemented? something on the drive circuitry and not the platters? how easily can LEOs or .gov types bypass it, anyone know? i have some serious reading to do.

          also interesting... do different manufacturers implement this in their own way? there seems to be some sort of standard, given that the Dell picked up on what the Fujitsu had done to the drive... but when the Dell asked that i input the password i had used to lock the drive, it wouldn't honor it. I had to re-install in the Fujitsu, go into the CMOS, unlock the drive there, etc. What if my laptop had been crushed under a car? Would i have had to get a new Fujitsu 7010 to unlock the drive? Would any laptop by that manufacturer have worked? like i say, i'm well behind the curve on this technology and plan on spending a lot of this friday doing very, very little work at my job and instead sitting here googling and reading.

          Did you try FTK, Encase, or WinHex on it? Also warezable; right next to the porn :)

          xor

          Seagate was supposed to come out with a drive that has built-in encryption; they have been promising it for a long time now. The school I'm from is that hardware encryption is not the way to go unless you keep updating the hardware. Anything that is fixed eventually will be defeated. I guess it comes down to the old something you need (the hardware, token, key) and something you know. As for the case with Seagate, they have a password recovery utility, which tells me that it will and can eventually be reverse engineered.

          see http://www.seagate.com/www/en-us/pro...us_5400_fde.2/
          Last edited by xor; September 24, 2007, 18:35.
          Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.



          • #20
            Re: What would you do?: All the media in your [home|data center|office] have been sto

            Was it stolen by some super secret agent man tracking you for months with the intention of trying to sell your data to Iran for millions of dollars? Probably not.
            Since there is a good chance that I won't know who it is that stole it and the information held on it is sensitive why wouldn't I take all possible steps to protect myself and those I owe a duty of confidentiality to?

            But I would still look for some trace of the information on the net.
            Hardware is always replaceable...critical information never is. In this scenario I'll be more than happy to replace the hardware and know that there is no chance whatsoever that the information is going to end up being sold or disseminated.
            jur1st, esq.



            • #21
              Re: What would you do?: All the media in your [home|data center|office] have been sto

              Originally posted by Deviant Ollam View Post
              chances are very strong that i would simply wait for authorities to fully secure and go over the crime scene for any forensic details. at the places where i consult (some are businesses and some are schools) they are all small enough to either close for the day (think: a sign on the front door saying "water pipe burst, hope to reopen friday") or just operate without technology resources for a while.

              all critical data is backed up on external volumes at my facilities, but not every single client has opted to go whole hog and actually swap media around to the point that they're rotating out a copy somewhere off-site. eh, what can you do?

              after letting police do their thing, i'd begin rebuilding and restoring, much in the same way that i would if a fire or flood took out the technology. none of these companies has privacy-critical data on volumes that aren't somehow encrypted. (typically software encryption, not at the controller level*)
              With all due respect, do we live in the same city? You are talking about the PPD, right? First, that's what we would all like to see happen. Reality: NOT. If there are no guns, no loss of life, no injury, they will take a report, unless it's on the news. No fingerprints, no forensics, no crime scene secured, no crime lab; all you get is one 300lb cop with an ambivalent attitude.

              If there are no signs of forced entry, guess what: whoever has the keys, including yourself, is now suspect number one. Even though we all know how easy it is to pick locks. By the way, don't tell them you know that or you will find yourself being asked to come downtown for a talk.

              Man, sorry to be such a cynic, but I've had my fair share of dealings with the PPD. I've had customers with public businesses have their back doors ripped off, alarm & phone lines cut, with an entire safe ripped out of the floor and carried out of the building, and all they took was a report. In this particular instance the crooks carried the safe for half a mile down the train tracks of the Northeast Corridor, which was located behind the building, and into what police believe was a waiting car. No shit, Sherlock; no, maybe it was a motorcycle or a fing spaceship, a car really. One hell of an investigation there.

              Dude only on TV. If it's property and if you are or aren't insured; forget it. Make your report, call your insurance company up and take your lumps. Especially if you haven't heard anything for the magic 72 hours; it's gone.

              That's the way it is. If it's your residence you are lucky if they even come out sometimes. First question; are you insured? Will take an incident report. The crime labs are too busy with violent or high profile crime in the big cities.

              xor

              Ps. This is slightly off topic but it further proves my point. I'll tell you what cops are good at. DO might have heard of this, being from this area. Haddonfield NJ, a wealthy NJ suburb. A high school girl and her family go away on a trip for like a month. Before leaving she gives the key to her parents' house to a girl friend, I assume for the purpose of entertaining the boyfriend. Instead the girl friend has a wild party at the house. Now in my day we used to do real drugs and raise hell. Well, these teens from the report took laxatives and defecated all over the house for fun, as well as unusual sex acts into the furniture and stuffed animals; use your imagination. Needless to say the house was destroyed. The kids then posted pictures of this on the internet. Well, needless to say they were caught. That's what cops are good at. What this says about teenagers today is another thing for another topic.

              No, this is not an urban myth. If you search you might even find the pictures.

              In the defense of law enforcement professionals, I couldn't do their job without cracking. Day to day from happy to see you to I want to kill you would get to me and I actually do have a lot of respect and admiration for them though it is not reflected in these posts.
              Last edited by xor; September 24, 2007, 20:08.
              Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.



              • #22
                Re: What would you do?: All the media in your [home|data center|office] have been sto

                On Topic and From The Security + Book:

                Incident Response:

                What immediate steps need to be taken?

                Does the security posture need to be modified? When? How?

                Who needs to be notified of this event? When? How?

                What impact does this have on business operations?

                What tools will be used to investigate this incident? Who will use them and how?

                What is more important system recovery or evidence collection?

                Will forensic activity occur? What evidence will be collected, and how will it be preserved?

                At what point do you contact law enforcement? Who makes that call, and whom do you call?

                What other resources are available?

                Where are things like replacement hardware and software located?

                Do system images or backups exist to aid in recovery?

                How do you contact hardware, software, or security vendors if you need to?

                Will this incident become public knowledge? Is a press release needed?

                My additions:

                Does this affect HIPAA, Sarbanes-Oxley, etc. compliance, and if so, how?

                Do I get an A :)


                xor

                Everyone gets on the rookie(sigh) :)

                DO, I have come to the conclusion that I was sitting behind you on the plane on the way to DEFCON. I flew out Thursday, USAIR, window seat right side by the wing. I asked you to let me know if you were going to move your seat back as it would have crushed my laptop screen.
                Last edited by xor; September 24, 2007, 21:44.
                Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.



                • #23
                  Re: What would you do?: All the media in your [home|data center|office] have been sto

                  Originally posted by xor View Post
                  What is more important system recovery or evidence collection?
                  When Wietse Venema and Dan Farmer provided a presentation on The Grave Robbers Toolkit, aka, Coroner's Toolkit, they revised this into a 3 part set:
                  What is most important?
                  1) Evidence collection for the purposes of legal proceedings
                  2) Bringing the service back online as soon as possible
                  3) Analysis of the failure to prevent it in the future.
                  Any one is, for the most part, mutually exclusive to the other two as a priority.

                  In cases where High Availability is the most important thing, getting a service up and running again is far more important.
                  In cases where security of [information, access restrictions, etc] is most important, means analysis and understanding of the failure is the most important, so it can be prevented in the future.
                  If either of the above is chosen, it can mean introduction of altered evidence into a court for purposes of a criminal trial-- even with a very good chain of evidence, altering physical evidence could put you at risk for destruction of or tampering with evidence.

                  There are ways to choose more than one from the above...

                  If you have all systems configured with RAID-1, and they are hot swappable, then one of each disk can be yanked to preserve unaltered evidence that can be used in court, and allowed for addition of new disks for rebuilding arrays, and then choose one of the other 2 unchosen items.

                  Of course, this idea does not apply when *all* of the media at your location has been stolen.

                  Will forensic activity occur? What evidence will be collected, and how will it be preserved?
                  The only evidence to be collected would be physical evidence, and maybe fingerprints if the crime involved a large enough loss to let the LEO justify the expense of any kind of CSI work. (Also in cases where DoD, DOE, or some other TLA might be involved, CSI work may also be justified, even if not conducted by LEO.)

                  The police are not likely to, "dust for prints," and follow-up with as detailed an investigation for a home-burglary, but might be more interested if a company can show millions of dollars in losses, or classified documents were involved.

                  So, in some cases, a decision on prosecution is decided for you by LEO or the DA, and can be predicted with a high degree of certainty.

                  At what point do you contact law enforcement? Who makes that call, and whom do you call?
                  [chop]
                  Four years ago, one of the departments at my old job had a meeting with people from the FBI on evidence collection, and how our organization should proceed with certain crimes.

                  Their suggestion at that time was this:
                  We should follow and document chain of evidence, access, custody, and actions, and we should avoid actions that might alter evidence. However, we should investigate as much as possible given the above limits, because once "the law" is called-in, the kinds of evidence they may collect, and how they may collect that evidence which can be admitted into evidence in court is significantly restricted.
                  For example, if we had a policy allowing us to monitor network traffic of all people on our network, then we could gather information legally, which can be used to justify a search warrant.
                  However, if we had no such evidence-- only claims as witnesses, a warrant might be more difficult to acquire, or more restrictive in what evidence could be collected.

                  I am really glad we never went the route of Feds or LEO for "cracking" incidents we encountered. We were lucky to have all incidents be "small" things that we could handle internally in a Human Resource capacity.

                  Do I get an A :)
                  Well, I don't think there is a single correct answer for this. The purpose of these topics is to encourage people to think about what they might do, let people share ideas with each other, and maybe hear some new ideas. :-)



                  • #24
                    Re: What would you do?: All the media in your [home|data center|office] have been sto

                    We should follow and document chain of evidence, access, custody, and actions, and we should avoid actions that might alter evidence. However, we should investigate as much as possible given the above limits, because once "the law" is called-in, the kinds of evidence they may collect, and how they may collect that evidence which can be admitted into evidence in court is significantly restricted.
                    LEOs have some excellent procedures put in place, though much of it remains untested in court. What it boils down to is that the evidence presented is still in such a state that it can be relied upon to find facts.

                    If you're going to be doing any internal investigation and don't know whether law enforcement will be involved, proceed as if they were by cloning media before poking around. Make sure to meticulously document every step and be prepared to show why and how it is forensically sound.

                    I suggest reading through this opinion in Mack v. Markel American Insurance Company to get a good idea of where the law stands on actually getting ESI into the record. It's lengthy, but extremely informative.
                    jur1st, esq.

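As an added example (not code from this thread or any of its posters), here is one way to make the "clone first, document every step" advice above verifiable in Python: the clone is hashed at acquisition time, and every later action goes into a hash-chained custody log, so a later change to either the image or the log is detectable. The examiner name, media label and sample bytes are constructed placeholders.

```python
"""Tamper-evident acquisition record for a cloned media image.

Added example, not code from the forum thread. It covers the two things an
internal investigator needs before poking around a clone: a digest of the
image taken at acquisition time, and a step-by-step custody log that cannot
be quietly edited afterwards.
"""
import hashlib
import json
from datetime import datetime, timezone

CHUNK_SIZE = 1 << 20  # hash in 1 MiB pieces so a large image need not fit in RAM


def hash_image(image: bytes) -> dict:
    """Return size, MD5 and SHA-256 of the whole image, computed chunk by chunk."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for offset in range(0, len(image), CHUNK_SIZE):
        block = image[offset:offset + CHUNK_SIZE]
        md5.update(block)
        sha256.update(block)
    return {"bytes": len(image), "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_image(image: bytes, expected: dict) -> bool:
    """True only if size and both digests still match the acquisition record."""
    return hash_image(image) == expected


class CustodyLog:
    """Append-only log; each entry carries the hash of the entry before it."""

    def __init__(self):
        self.entries = []

    def record(self, actor: str, action: str, note: str = "", image_hash=None, when=None):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries),
            "when": (when or datetime.now(timezone.utc)).isoformat(),
            "actor": actor,
            "action": action,
            "note": note,
            "image_hash": image_hash,
            "prev_hash": prev,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    @staticmethod
    def _digest(entry: dict) -> str:
        # Canonical JSON of everything except the entry's own hash field.
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def is_intact(self) -> bool:
        """Recompute the chain; any edited, removed or reordered entry breaks it."""
        prev = "0" * 64
        for seq, entry in enumerate(self.entries):
            if entry["seq"] != seq or entry["prev_hash"] != prev:
                return False
            if self._digest(entry) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def acquire(source: bytes, actor: str, label: str):
    """Clone the source, hash the clone, and open a custody log for it."""
    image = bytes(source)  # stands in for a bit-for-bit copy of the drive
    record = hash_image(image)
    log = CustodyLog()
    log.record(actor, "acquired", f"image of {label}", image_hash=record)
    return image, record, log


# Constructed sample "media": a fake 3 MiB volume, not real evidence.
SAMPLE_SOURCE = bytes(range(256)) * (3 * 4096)

if __name__ == "__main__":
    image, record, log = acquire(SAMPLE_SOURCE, "examiner-1", "office-workstation-hdd")
    log.record("examiner-1", "sealed", "original drive bagged; work continues on the clone")
    print("image verifies:", verify_image(image, record))
    altered = image[:100] + b"\x00" + image[101:]
    print("altered copy verifies:", verify_image(altered, record))
    print("log intact:", log.is_intact())
```

Work on a second copy of the clone, and re-run verify_image against the original record whenever the image changes hands.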


                    • #25
                      Re: What would you do?: All the media in your [home|data center|office] have been sto

                      For my work (a university science department), my highest priority is getting my users back up and running and not losing their cumulative years of research data.

                      Therefore, my setup maximizes that imperative by backing up each server and workstation every night, to tape, located on another campus. In the event of theft, forensics have to take second place to angry professors.
                      While we've never had a major theft or break-in, nightly tape backup has saved my ass a number of times.
                      One Voter really can make a difference. Ask me how!



                      • #26
                        Re: What would you do?: All the media in your [home|data center|office] have been sto

                        For Cotman or Anyone Else Interested

                        Originally posted by TheCotMan View Post
                        For example, if we had a policy allowing us to monitor network traffic of all people on our network, then we could gather information legally, which can be used to justify a search warrant.
                        However, if we had no such evidence-- only claims as witnesses, a warrant might be more difficult to acquire, or more restrictive in what evidence could be collected.

                        FYI Speaking Of Monitoring:

                        LoveMyTool - Network Monitoring, CALEA, Lawful Intercept, Application Performance, Web User Experience, Web Analytics, Content & Database Security, IDS, Malware, Crimeware, SOX, HIPAA and PCI Compliance Auditing, Forensics, DPI, VoIP, IPTV ...

                        (Dedicated to customer testimonials and expert reviews of “out-of-band” network security and performance monitoring tools)

                        http://www.lovemytool.com/blog/2007/...orts-or-t.html

                        xor

                        PS No it's not something obscene so get your minds out of the gutter :)

                        New Books for those of us who are old fashioned enough to still read print :)

                        Syngress
                        HOT OFF THE PRESS

                        Alternate Data Storage Forensics: Raising Digital Fingerprints from iPods, PDAs, Cell Phones, Digital Cameras, and Game Systems
                        Learn to pull digital fingerprints from alternate data storage (ADS) devices including: iPod, Xbox, digital cameras and more from the cyber sleuths who train the Secret Service, FBI, and Department of Defense in bleeding edge digital forensics techniques. This book sets a new forensic methodology standard for investigators to use. ... More >>

                        Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research
                        With the arrival of Metasploit Framework Version 3.0 (MSF 3.0), the entire approach to information security testing is likely to be revolutionalized. MSF 3.0 is not only an exploit platform but also a security tool development platform. This book introduces the reader to the main features of the tool, outlines the steps for its installation, and discusses how to use it to run exploits. ... More >>
                        Last edited by xor; September 25, 2007, 20:03.
                        Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.



                        • #27
                          Re: What would you do?: All the media in your [home|data center|office] have been sto

                          Originally posted by xor View Post
                          Lots of Crap
                          Have you ever actually had to call the PPD about a major InfoSec incident? You may be more surprised than you think at their response... Then again, you probably just enjoy talking out your ass about things you know nothing about.
                          And I heard a voice in the midst of the four beasts, And I looked and behold: a pale horse. And his name, that sat on him, was Death. And Hell followed with him.



                          • #28
                            Re: What would you do?: All the media in your [home|data center|office] have been sto

                            Originally posted by HighWiz View Post
                            Have you ever actually had to call the PPD about a major InfoSec incident? You may be more surprised than you think at their response... Then again, you probably just enjoy talking out your ass about things you know nothing about.
                            Then school us, HighWiz; tell us how it all goes. Be specific, tell us how it turned out :). I was referring to how the PPD handled burglary and grand theft in most of my posts. Home and SMB computers; I was pretty specific about what I was talking about, if you took the time to read it. I didn't go into a major INFOSEC incident. In the last few posts I did I was quoting from a textbook and also made that clear. At least I disseminate some knowledge in my posts.

                            xor
                            Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.



                            • #29
                              Re: What would you do?: All the media in your [home|data center|office] have been sto

                              Originally posted by Deviant Ollam View Post
                              chances are very strong that i would simply wait for authorities to fully secure and go over the crime scene for any forensic details. at the places where i consult (some are businesses and some are schools) they are all small enough to either close for the day (think: a sign on the front door saying "water pipe burst, hope to reopen friday") or just operate without technology resources for a while.

                              all critical data is backed up on external volumes at my facilities, but not every single client has opted to go whole hog and actually swap media around to the point that they're rotating out a copy somewhere off-site. eh, what can you do?

                              after letting police do their thing, i'd begin rebuilding and restoring, much in the same way that i would if a fire or flood took out the technology. none of these companies has privacy-critical data on volumes that aren't somehow encrypted. (typically software encryption, not at the controller level*)
                              Originally posted by xor View Post
                              With all due respect, do we live in the same city? You are talking about the PPD, right? First, that's what we would all like to see happen. Reality: NOT. If there are no guns, no loss of life, no injury, they will take a report, unless it's on the news. No fingerprints, no forensics, no crime scene secured, no crime lab; all you get is one 300lb cop with an ambivalent attitude.

                              If there are no signs of forced entry, guess what: whoever has the keys, including yourself, is now suspect number one. Even though we all know how easy it is to pick locks. By the way, don't tell them you know that or you will find yourself being asked to come downtown for a talk.

                              Man sorry to be such a cynic but I've had my fair share of dealings with the PPD. I've had customers with public businesses have their back doors ripped off, alarm & phone lines cut with an entire safe ripped out of the floor and carried out of the building and all they took was a report. In this particular instance the crooks carried the safe for half a mile down the train tracks of the Northeast corridor which was located behind the building and into what police believe was a waiting car. No shit sherlock, no maybe it was a motorcycle or a fing spaceship, a car really. One hell of an investigation there.

                              Dude only on TV. If it's property and if you are or aren't insured; forget it. Make your report, call your insurance company up and take your lumps. Especially if you haven't heard anything for the magic 72 hours; it's gone.

                              That's the way it is. If it's your residence you are lucky if they even come out sometimes. First question; are you insured? Will take an incident report. The crime labs are too busy with violent or high profile crime in the big cities.

                              xor

                              Ps. This is slightly off topic but it further proves my point. I'll tell you what cops are good at. DO might have heard of this, being from this area. Haddonfield NJ, a wealthy NJ suburb. A high school girl and her family go away on a trip for like a month. Before leaving she gives the key to her parents' house to a girl friend, I assume for the purpose of entertaining the boyfriend. Instead the girl friend has a wild party at the house. Now in my day we used to do real drugs and raise hell. Well, these teens from the report took laxatives and defecated all over the house for fun, as well as unusual sex acts into the furniture and stuffed animals; use your imagination. Needless to say the house was destroyed. The kids then posted pictures of this on the internet. Well, needless to say they were caught. That's what cops are good at. What this says about teenagers today is another thing for another topic.

                              No, this is not an urban myth. If you search you might even find the pictures.

                              In the defense of law enforcement professionals, I couldn't do their job without cracking. Day to day from happy to see you to I want to kill you would get to me and I actually do have a lot of respect and admiration for them though it is not reflected in these posts.
                              Originally posted by HighWiz View Post
                              Have you ever actually had to call the PPD about a major InfoSec incident? You may be more surprised than you think at their response... Then again, you probably just enjoy talking out your ass about things you know nothing about.
                              Originally posted by xor View Post
                              Then school us, HighWiz; tell us how it all goes. Be specific, tell us how it turned out :). I was referring to how the PPD handled burglary and grand theft in most of my posts. Home and SMB computers; I was pretty specific about what I was talking about, if you took the time to read it. I didn't go into a major INFOSEC incident. In the last few posts I did I was quoting from a textbook and also made that clear. At least I disseminate some knowledge in my posts.

                              xor
                              So, there you two go. Copying this to another thread in /dev/random where flaming is allowed. If you want to play with flamethrowers, that's the place to do it.

                              Related posts as quoted here will be copied to the new thread in /dev/random for less restrictive rules, including allowances for flaming.
                              Last edited by TheCotMan; September 26, 2007, 03:22.
