
Re: IDS: Computer Security - Long message



FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems.. Then email questions to ids-owner@uow.edu.au
NOTE: You MUST remove this line from reply messages as it will be filtered.
SPAM: DO NOT send unsolicited mail to this list.
USUB: email "unsubscribe ids" to majordomo@uow.edu.au
---------------------------------------------------------------------------

--- Luiz da Camara Leme <camara.leme@mail.telepac.pt> wrote:
> Sorry to disturb you with a somewhat off-topic subject, but I have just run out of
> ideas to cope with a very bad situation, and need someone with a suggestion
> to keep on going with this misery.

I don't understand what you wrote. Let me reiterate to see if I understand correctly:

1. For several years now, somebody has been getting into your computer, copying files and
destroying files.
1b. That person is within the company.
1c. You know, or suspect, who it is.
1d. It is actually a group of people, and includes some outsiders as well.

2. Your first solution was encrypted ZIP drives (a good solution, by the way).
2b. This didn't work out because of Viruses/Trojans that would steal the files as soon as you
decrypted them in order to work with them.
2c. They still stole the ZIP disks anyway; they couldn't decrypt, but you no longer had them
either.

3. Recently, you have connected to the Internet.
3b. You don't want to give this up (addictive, isn't it?)
3c. Your firewalls are detecting heavy 12345 (NetBus trojan) and 31337 (BackOrifice trojan)
traffic.

4. You do not know enough about the technology.
4b. You are afraid to approach others in your company because you don't have any exact evidence
that conclusively proves what is going on. You don't want to look foolish.

The discussion of viruses, trojans, firewalls, defragmentation, and BIOSs is pretty fuzzy; sounds
like a language and technology barrier. Viruses won't allow them to control your machine.
Firewalls won't protect you if the enemy is within your Company. The defragmentation problems have
no relation to any attack methods I'm aware of. The BIOSs are not a problem; the only problem
related to flash BIOSs is wiping them to prevent your machine from booting.

Anyway, here is the answer:
IF THE ENEMY HAS PHYSICAL ACCESS TO YOUR MACHINE, THERE IS NO DEFENSE.

It doesn't matter what you do with the BIOS, firewall, utilities, etc. If somebody can access your
physical machine, there is nothing that you can do that they cannot undo. This is especially true
in your situation where they know more about computers than you do. 

Let me tell you some things I would do if I were the enemy you describe and if I had physical
access to your machine. First, I would install a Remote Access Trojan (RAT) like BackOrifice
(port 31337) or NetBus (12345). With these programs, I could read any file you can read, remotely
control your machine, and capture all keystrokes that you type. Capturing the keystrokes allows me
to get your passwords, among other things. Reading files allows me access to your files when you
decrypt them in order to work on them.

I am pretty sure that a RAT is involved in your problem. In order to see if this is so, go to a
command prompt (MS-DOS box) and run:
"netstat -A"
This shows you the list of ports on your machine. NetBus will be LISTENING at port 12345,
BackOrifice will be listening at port 31337.  Note that if your enemy has any brains, they would
change these ports; but it sounds like they don't. Normal ports you should expect to see are 135,
137 (nbname), 138 (nbdatagram), 139 (nbsession). You should also see a few ports starting at 1024
through around 1030. These are probably OK.
In this list, you will also see who your machine is connected to. If the enemy is using
BackOrifice, you won't see a connection (it uses UDP, which is "connection-less"), but if they are
using NetBus, you will see the enemy's name appear. 

Whenever you think somebody has connected to your machine from across the Internet, pull up the
"netstat -A" and you will see who they are.

The problem with RATs is that many of them are detectable by anti-virus scanners. There are things
people can do to avoid detection, but I don't think your enemy is smart enough. However, many "key
logging" programs are not detectable by anti-virus scanners. They don't allow remote control, but
they give the enemy all your passwords.

An even easier thing I would do to attack your machine is turn on "File/Print Sharing". This is
built into Windows and allows me to read files from your disk. Anti-virus programs won't detect
this.

I would like to help you more. I am currently working on a FAQ that discusses such problems
(personal privacy in the workplace). I would love to discuss this with you more in order to flesh
out content for this document. Please send me private e-mail (robert_david_graham@yahoo.com) with
more details, such as who you think the enemy is, and why it is that you think they are playing
with your machine.

Rob.
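The port check Rob describes (look for a listener on 12345 or 31337, note which remote host is attached, and treat 135/137/138/139 and the 1024-1030 range as normal) is easy to do by eye once, but tedious to repeat every time you suspect a connection. The script below is an added example, not part of the original message or the list's own material: it takes a saved netstat listing in the Windows table layout (an assumption about the format; the sample listing and its host names are constructed for the example, and the service names epmap/nbname/nbdatagram/nbsession are mapped to their port numbers so the older name-printing netstat output is handled too) and sorts every row into RAT, expected, or unknown, reporting the remote peers attached to a RAT port.

```python
"""Triage a saved netstat listing for the trojan ports named in the message.

Added example, not the original poster's or the list's own code. Assumes the
Windows-style table layout (Proto / Local Address / Foreign Address / State).
The sample listing below is constructed; host names in it are fictitious.
"""
import re

# Ports the message associates with Remote Access Trojans.
RAT_PORTS = {12345: "NetBus", 31337: "BackOrifice"}

# Ports the message says are normal on a Windows box: RPC, NetBIOS, and
# the first few dynamic ports (1024 through about 1030).
EXPECTED_PORTS = {135, 137, 138, 139} | set(range(1024, 1031))

# Service names that older Windows netstat prints instead of numbers.
SERVICE_NAMES = {"epmap": 135, "nbname": 137, "nbdatagram": 138, "nbsession": 139}

# Constructed sample of what the listing might look like on an infected box.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    ws17:epmap             0.0.0.0:0              LISTENING
  TCP    ws17:nbsession         0.0.0.0:0              LISTENING
  TCP    ws17:1025              0.0.0.0:0              LISTENING
  TCP    ws17:12345             0.0.0.0:0              LISTENING
  TCP    ws17:12345             pc-lab3:1066           ESTABLISHED
  UDP    ws17:nbname            *:*
  UDP    ws17:nbdatagram        *:*
  UDP    ws17:31337             *:*
"""


def port_of(endpoint):
    """Return the numeric port from 'host:port' or 'host:name'; None for '*:*'."""
    _host, sep, port = endpoint.rpartition(":")
    if not sep or port == "*":
        return None
    if port.isdigit():
        return int(port)
    return SERVICE_NAMES.get(port)


def parse_netstat(text):
    """Return (proto, local_port, foreign_endpoint, state) for each data row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Skip blank lines and the 'Active Connections' / column header lines.
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""  # UDP rows carry no state
        rows.append((proto, port_of(local), foreign, state))
    return rows


def triage(text):
    """Sort rows into 'rat' (listener or live connection), 'expected', 'unknown'."""
    findings = {"rat": [], "expected": [], "unknown": []}
    for proto, port, foreign, state in parse_netstat(text):
        if port in RAT_PORTS:
            findings["rat"].append((RAT_PORTS[port], proto, port, foreign, state))
        elif port in EXPECTED_PORTS:
            findings["expected"].append((proto, port, state))
        else:
            findings["unknown"].append((proto, port, foreign, state))
    return findings


def rat_peers(text):
    """Remote endpoints with a live TCP connection to a RAT port: the 'who'."""
    return sorted(
        foreign
        for _name, _proto, _port, foreign, state in triage(text)["rat"]
        if state == "ESTABLISHED"
    )


if __name__ == "__main__":
    result = triage(SAMPLE_NETSTAT)
    for name, proto, port, foreign, state in result["rat"]:
        print(f"RAT  {name:<12} {proto} port {port} {state or 'open'} foreign={foreign}")
    for proto, port, foreign, state in result["unknown"]:
        print(f"???  {proto} port {port} {state} foreign={foreign}")
    print("expected ports seen:", sorted({p for _, p, _ in result["expected"]}))
    print("peers attached to a RAT port:", rat_peers(SAMPLE_NETSTAT))
```

As the message notes, a BackOrifice listener shows up as a UDP row with no peer, so only the TCP NetBus row yields a remote name; a listener on 139 (nbsession) is also exactly what the File/Print Sharing case looks like, which is why the script reports expected ports as well rather than silently dropping them.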

