Be on the wave or under it
The News - 04/27/06
You're Hit! What Next? . . . A Slight Return
Four years ago, SNS ran an issue about what to do after a hacker attack called You're Hit! What Next? It focused on what to do immediately after you've been attacked.
A recent unfortunate attack by a disgruntled former employee of one of my clients brought this article back to mind and encouraged me to revisit the topic for two reasons: to update Alert SNS Readers on the state of computer forensics, and to remind everyone what to do and not to do if you suffer an intrusion.
First, I'll quote a bit of the previous SNS article:
If you think you may want to prosecute the miscreant(s), it is critical to preserve the evidence so it can be used in court.
Your initial impulse is to just get up and running again, and that's understandable, especially if mission-critical systems are hit. But if you want to press a court case, you need to understand computer crime forensics, the science of reconstructing the cyberattack and establishing a chain of evidence back to the attacker.
There are three places to be concerned about forensics: on the perpetrator's computer, on the compromised computer and on the network devices in between the two.
- Restrict physical access to the area to preserve fingerprints
- Unplug any phone lines that could dial in to the attacked computer
- Unplug the computer from the network
- Photograph the scene, including connections to any peripherals, for later reference if the machine needs to be disassembled for examination
- If the computer is off, don't turn it on; if it's on, don't reboot it, as this could launch viruses or time bombs. Merely turning on a Windows computer changes timestamps and other important evidence, for example.
- Avoid accessing any files on the compromised machine as that changes access timestamps.
- After immediately securing the area and the computer, call in a network forensics specialist.
So now that I've quoted myself, I'd like to quote Michael Ellsworth, a distant relation who is a detective in the Mansfield, MA police department in charge of computer forensics.
Incidentally, the way Mike and I got connected up is a testament to the power of the Internet and the need to preserve the ability of random people to contact each other via email. You may be aware of various anti-spam efforts that have the effect of rejecting email from anyone not in your email address book. It would be a shame if this sort of thing became the rule.
Mike was googling himself and came upon my personal site (www.mikeellsworth.com, put up in 1996 and not much modified since - the shoemaker's children shall have no shoes, eh?). He dropped me a line and as we corresponded we realized we have common ancestors, in Prince Edward Island, Canada.
We also realized we share an interest in computer forensics. So after that digression, here's Mike's take on what I said four years ago:
All of the things that were written four years ago certainly apply today! I guess my main advice is, Don't Panic! In the computer forensics end of things, I'm not overly concerned or focused on what they are doing at the moment. My main focus is with what they've done.
The trail that they have already left is where I'm more apt to find my evidence. Here is a snippet of something that I had written recently for a talk:
In most cases, the discovered compromise is ongoing and has been occurring for a period of time. This being the case, there's no need to pull the plug/s and terminate the problem if it's not mission critical.
If you don't know what to do contact someone who does! The money spent on expert consultation will be far less expensive than having to rebuild your entire system after some ill-planned and knee jerk reaction! You need to know where the compromise occurred in order to deal with it; experts can quickly guide you in finding the source and preserving any evidence for criminal or civil litigation or even employee dismissals.
Oftentimes people go into panic mode and do things that exacerbate the problem, i.e. launch a virus or additional malicious software or alert the criminal that he or she has been detected. I'm willing to bet that the attacker has a plan of action to cover his or her tracks should that occur. That plan can also include an even more spiteful and malicious response such as crippling your entire network before they make their exit.
How can you avoid these pitfalls? Have the same strategy the attacker does: pre-planning! Have guidelines and action plans in place to deal with threats. Know your action plans and practice them. Repetition is the mother of all learning! If you are ready for a disaster, then deployment and containment is a snap! Have relationships established with law enforcement and/or private computer forensics consultants. A consultant can better serve you if he or she is already familiar with your network.
Don't be afraid of law enforcement. Federal, state and local police agencies throughout the country have established computer crime units that are staffed with experts in both computers and the law, and they're a free resource! Reach out to them before your disaster strikes. They will be more than willing to come in and talk about what they can and cannot do for you. Times have changed and so have the cops! Law enforcement experts are very much aware of and concerned with a company's need for your privacy. They understand how negative publicity can be as damaging, or even more so, than the actual intrusion that prompted their response. Don't wait for disaster to hit, forge those relationships and write those policies now!
I had a case like the one you spoke of... where the former employee was killing the company. Fortunately we have some legislation now that allows us to tag old laws with new computer crime problems. In your case I'd charge the guy with a litany of stuff from Malicious Destruction to trade secrets acts, Unauthorized Access, Criminal Harassment and a few others. We're a lot more sensitive to the needs of the private sector now too and are generally willing to assist in cases where an employer needs support in order to fire an individual as opposed to wanting to prosecute. We try to keep the dissemination to the press at a minimum. We find that we're getting a good rep in these parts in dealing with the private sector. In fact, I used to speak at some conferences on that very subject. Forging Law Enforcement and Corporate Relationships.
Also, make sure you ask the right questions as in: "If I come to you with XX crime, do you have to take action, or can you assist me in a non-criminal resolution?" Child Pornography is generally the key issue there. Nobody wants to have it publicized that they have kiddie porn on their servers.
Law Enforcement is in possession of great programs now, for example, Encase, that allows for network acquisitions without the need of bringing down servers, and seizing a bunch of equipment. So a lot of the times it's pretty easy to do what we have to do quietly. Good computer crime units are willing to work with companies no matter the case. So the best thing to do is to find out what local, state or federal task forces are like and make some contacts.
From what Det. Ellsworth says, the landscape has changed a bit from four years ago. Back then, it was unlikely that local law enforcement had resources like him to bring to bear on computer crime. At that time, I heard a lot about police blunders that compromise evidence. I'm betting that's a lot less common these days.
So if you're hit, Don't Panic, call the cops and follow their advice on handling the situation.
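The checklist above is about keeping evidence usable in court, which in practice means documenting what was collected and being able to prove it has not changed since. As an added example (not code from the SNS article or from Det. Ellsworth), this Python script records each seized file's stat() timestamps and SHA-256 hash in a manifest and later re-checks the files against it; the collector name, file names and the log line are constructed placeholders.

```python
import hashlib, os, shutil, tempfile
from datetime import datetime, timezone

# Added example (not from the SNS article): chain-of-custody manifest of timestamps + SHA-256.

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def record_file(path):
    # stat() before opening: a read can bump atime, and access times are evidence to preserve.
    st = os.stat(path)
    return {"size": st.st_size, "mtime": st.st_mtime, "atime": st.st_atime,
            "ctime": st.st_ctime, "sha256": sha256_file(path)}

def build_manifest(root, collector):
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            files[os.path.relpath(full, root)] = record_file(full)
    return {"collected_by": collector, "files": files,
            "collected_at": datetime.now(timezone.utc).isoformat()}

def verify_manifest(root, manifest):
    """Map each relative path that no longer matches the manifest to a reason."""
    problems = {}
    for rel, expected in manifest["files"].items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            problems[rel] = "missing"
        elif record_file(full)["sha256"] != expected["sha256"]:
            problems[rel] = "content changed"
    return problems

def demo_roundtrip():
    # Constructed sample evidence standing in for a disk image and a log export.
    root = tempfile.mkdtemp(prefix="evidence_")
    samples = {"disk.img": b"\x00" * 4096,
               "auth.log": b"Apr 27 09:12:01 host sshd: Accepted password for user from 10.0.0.5\n"}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    manifest = build_manifest(root, "examiner (hypothetical)")
    clean = verify_manifest(root, manifest)
    # Simulate post-seizure tampering: one file appended to, one removed.
    with open(os.path.join(root, "auth.log"), "ab") as f:
        f.write(b"tampered\n")
    os.remove(os.path.join(root, "disk.img"))
    tampered = verify_manifest(root, manifest)
    shutil.rmtree(root)
    return clean, tampered
```

Run the manifest step against a forensic copy or a read-only mounted image, never the live disk, and store the manifest (and its own hash) apart from the evidence it describes.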
- Shameless Self-Promotion Dept.: I'm republishing SNS on a couple of other services now, including Gather, and I've changed the StratVantage Stratlets hosting to use Blogspot.
I was interviewed for ManagementFirst's Feature of the Month and got to toot my horn for a bit.
The WiMAX Guys' main business is new installs for people who want to set up wireless hotspots such as hotels, warehouses, apartment buildings, and office buildings or hotzones that cover cities. We also sell a knowledge-based Web portal called the MAX K-Base. Check out our main Website at www.TheWiMAXGuys.com.
The first chapter of my wife's novel, Knowing What You Know Today is up on her Website. The rest of the book costs money - now at a new lower price! - but it's well worth it, believe you me. Check it out at www.debellsworth.com. She's also put up a new site, www.empathysymbol.com to publicize the empathy symbol she designed back in college.
Many issues ago I debuted SNS Begware, an opportunity for you, gentle reader, to express your appreciation by tipping your server via PayPal. See the sidebar for more info. Total in the kitty so far: $111.48.
And now that I'm partnered with one of the largest advertisers on the planet, Google, that should be kicking in serious coin to the StratVantage coffers. Let's see. The current total is: $73.15. Great. BTW, I am informed that I can't ask you to read this issue on the Web and click on the ads due to Google's terms of service. So don't. You can, however, shop at Amazon, pay nothing additional, and send a spiff to me.
- Top 10 Funny Spammer Names - Alert SNS Reader Bill Lehnertz recently received spam from the following preposterously named individuals:
10. Frock A. Qua
9. Sardonic O. Bribery
8. Splendidest M. Capsize
7. Matchmaking P. Sneer
6. Gratifying Q. Worcestershire
5. Interests V. Obdurate
4. Overburdening B. Crosswords
3. Earthenware L. Decreasing
2. Plagiarized L. Twelves
And the number 1 Top Funny Spammer Name:
1. Agricola F. Maceration
- FISH of the Day: Alert SNS Reader Patty Kolbo, who works for a law firm, sends along the following:
- Texas Hunting Rules
As a result of the shooting incident in South Texas when a lawyer was shot by the Vice President, a new set of Hunting Regulations Regarding the Taking and Harvesting of Attorneys will be enforced by the Texas Parks & Wildlife Commission.
- Sec 370.01
- Any person with a valid in-state rodent or snake hunting license may also hunt and harvest attorneys for recreational and sport (non-commercial) purposes.
- Sec 370.02
- Taking of attorneys with traps or deadfalls is permitted. The use of United States currency as bait, however, is prohibited.
- Sec 370.03
- Stuffed or mounted attorneys must have a state health department inspection for rabies and vermin.
- Sec 370.04
- The willful killing of attorneys with a motor vehicle is prohibited, unless such vehicle is an ambulance being driven in reverse. If an attorney is accidentally struck by a motor vehicle, the dead attorney should be removed to the roadside and the vehicle should proceed immediately to the nearest car wash.
- Sec 370.05
- It is unlawful to chase, herd or harvest attorneys from a power boat, helicopter or aircraft.
- Sec 370.06
- It is unlawful to shout, "WHIPLASH", "AMBULANCE", or "FREE SCOTCH" for the purposes of trapping attorneys.
- Sec 370.07
- It is unlawful to hunt attorneys within 100 yards of BMW, Mercedes or Porsche dealerships except on Wednesday afternoon.
- Sec 370.08
- It is unlawful to hunt attorneys within 200 yards of courtrooms, law libraries, health clubs, country clubs, hospitals or brothels except on Saturday and Sunday.
- Sec 370.09
- If an attorney gains elective office, it is not necessary to have a license to hunt, trap, bag, shoot or possess the same. Use of any type killing device is legal including shotguns with the choke removed, high powered rifles, handguns of any caliber, all types and kinds of game traps and snares. Poisoning is prohibited because of the danger to rattlesnakes, coyotes and skunks.
- Sec 370.10
- It is unlawful for a hunter to wear a disguise such as a reporter, drug dealer, pimp, female legal clerk, sheep, accident victim, bookie, physician, chiropractor or tax accountant for the purpose of hunting attorneys.
- Sec 370.11
- Bag and Possession Limits per day:
- Yellow-bellied sidewinders, 2
- Two-faced tortfeasors, 1
- Back-stabbing divorce litigators, 3
- Horn-rimmed cut-throats, 2
- Minutiae-advocating dirtbags, 4
- Honest attorneys are protected under the Endangered Species Act and can normally be identified because they do not wear Rolex watches, drive a Porsche, BMW or other expensive luxury automobile or wear $500 shoes and $1500 suits.
- Join the Alert SNS Reader Group! You may have heard of a concept called Web 2.0 (or even the more grandiose Web 3.0). Basically it's about adding to Web-based software the kind of interactivity and functionality we all take for granted in our installed software. It's a bunch more than that as well; Web 2.0 encompasses other concepts such as Software as a Service (SaaS), Web services, and Service Oriented Architecture (SOA). These are all fancy technologies that enable an ordinary person, or at least an ordinary programmer person, to pull together bits of functionality available on the Web to create something new.
A case in point is a free service called Grou.ps. The strange punctuation refers to the URL of the service: www.grou.ps. You may be familiar mostly with Web addresses that end in .com, .net, and perhaps .org or .edu. But there are all kinds of other suffixes, like .biz, .info, and even others that are associated with a country, like .uk, .us and so on. One of the most common is .tv, which is the country code of Tuvalu, an island nation in the Pacific that sold the rights to market .tv domain names back in 2000. Obvious customers have been broadcast and cable companies.
So what country does .ps belong to? The Palestinian Territory as it turns out. However, I'm thinking Grou.ps has nothing to do with Palestinians (although a rather rude anti-US exclamation appears from time to time on their main Web page), and more to do with an enterprising Palestinian who registers domains with .ps extensions, which can hardly be as lucrative as .tv domains.
Anyway, Grou.ps stitches together a number of freely available services to create social meeting places on the Web. Here's their mission statement:
Our mission is to provide a sharing platform for social groups. Our services include but are not limited to:
- Location Mapping
- Photo Sharing
- Collection of Personal Blogs
- Link Sharing
- Free Content Editing
- Sharing of Personal Interests
- Funds Management
Instead of centralizing these services, we abstract popular providers like Flickr, del.icio.us in order to prevent duplicate efforts, and migration hassles.
- So to demonstrate the power of Web 2.0, I invite you to join the Alert SNS Reader Group.
- From SNS 2001 - Buzzword Alert: About five years ago, I reported on my first sighting of the term zettabyte, which refers to a really large amount of computer storage. A zettabyte is a 1 followed by 21 zeroes. That was the then-current estimate of how much information the Internet would contain by the end of the decade. We're all familiar with megabytes by now, and most will recognize gigabytes (1,024 megabytes). You may even know that a terabyte is 1,024 gigabytes and a petabyte is 1,024 terabytes.
In a 2003 study, researchers estimate that, "print, film, magnetic, and optical storage media produced about 5 exabytes of new information in 2002. Ninety-two percent of the new information was stored on magnetic media, mostly in hard disks . . . in 1999 the world produced between 1 and 2 exabytes of unique information." An exabyte is one quintillion bytes. The study continues, "If digitized with full formatting, the seventeen million books in the Library of Congress contain about 136 terabytes of information; five exabytes of information is equivalent in size to the information contained in 37,000 new libraries the size of the Library of Congress book collections . . . The World Wide Web contains about 170 terabytes of information on its surface; in volume this is seventeen times the size of the Library of Congress print collections."
Since the production of information doubled between 1999 and 2003, I think it's safe to say it has at least doubled since then, to perhaps 10 exabytes per year. Where are we going to put all this stuff? Well, there's the petabox, used by the Internet Archive. A 1-petabyte Petabox (1,000 terabytes) costs about $2 million. That would put a dent in the average user's pocketbook. However, large scale storage has now come to the desktop.
Recently, while browsing through the local computer store ads, I was stunned to realize that an ordinary person with $800 in his or her pocket can now put 1 Terabyte of storage on their desktop. So if you've got a mere $108,800 you can put the 136 terabytes of the Library of Congress on your home network and, for only a little more, you can archive the Web, circa 2003.
Any bets on how long it will take the Internet to get to a googolplexbyte?
And if you think the growth of the Internet is slowing, check out these current stats:
[Table: Internet usage statistics with "2006 Est." and "Penetration" columns; the table body did not survive extraction.]
Copyright © 2000-2008, StratVantage Consulting, LLC. All rights
Can't Get Enough of ME?
In the unlikely event that you want more of my opinions, I've started a Weblog. It's the fashionable thing for pundits to do, and I'm doing it too. A Weblog is a datestamped collection of somewhat random thoughts and ideas assembled on a Web page. If you'd like to subject the world to your thoughts, as I do, you can create your own Weblog. You need to have a Web site that allows you FTP access, and the free software from www.blogger.com. This allows you to right click on a Web page and append your pithy thoughts to your Weblog.
I've dubbed my Weblog entries "Stratlets", and they are available at www.stratvantage.com/stratlets/. Let me know what you think.
Also check out the TrendSpot for ranking of the latest emerging trends.