Re: IDS: Computer Security - Long message
FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems.. Then email questions to ids-owner@uow.edu.au
NOTE: You MUST remove this line from reply messages as it will be filtered.
SPAM: DO NOT send unsolicited mail to this list.
USUB: email "unsubscribe ids" to majordomo@uow.edu.au
---------------------------------------------------------------------------
Hello everyone,
Luiz, I would suggest that you install a host-based firewall. There is one that our
organization has tested for over a year now and it works very well on a Windows
machine. You can get an evaluation copy at http://www.signal9.com
The ConSeal firewall will let you know if there is any unusual activity coming in
or going out of your workstation, with a pop-up message asking whether you want to
allow traffic on a port such as 12345 or 31337 or any other port.
As Philip suggested, a laptop is the only way to definitely ensure the integrity
of your data.
Guy
"Philip S Holt, Security Engineer / Network Engineer" wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Luiz da Camara Leme wrote:
>
> >
> > Hello Everyone,
>
> Good morning.
>
> > Sorry to disturb you with somewhat off topic subject,
>
> None of this is 'off' the subject - this is definitely germane and bad news.
> You have an intrusion and an obvious penetration. You came to the right place.
>
> > but I just run out of ideas to cope with a very bad situation, and need
> > someone with a suggestion
> > to keep on going with this misery.
>
> Well - it's up to each and every one of us to help, where we can, when we can.
> It's part of the 'job description'.
>
> > I must tell you that I am responsible for supervising the Company's hardware
> > and software but I am not a system administrator,
>
> "Lucky you."
>
> > and I lack a lot of knowledge which I wish I did have.
>
> This listing is full of qualified and willing professionals to help where
> appropriate.
>
> > I am losing somewhere between 30 and 50 percent of my time with these problems.
>
> Understood.
>
> > I will try to be as short as possible, making short a very long story, only
> > with a few major facts, enough only to put some questions in the end.
>
> Cool.
>
> > For a few years I have been battling a war against someone in the Company I work
> > for, who has access to my computer (and I can't do anything about it), and
> > this fellow, with the help of *technicians* of some sort (outsiders), started
> > stealing whatever I had in my computer.
>
> I'll pass here.
>
> > This was probably going on for years without my having noticed it. The people
> > that were doing this started being careless,
>
> Yes, through time and arrogance - once in a while we get a lead of this type.
>
> > and revealed they knew things they were not supposed to; they were
> > anticipating whatever I was doing, up to the point that I started to imagine
> > someone was reading my thinking !!!
>
> System logs, application logs, process logs, traffic analysis.
>
> > ZIP drives carried in my pocket all the time was the first solution, with
> > some strong encryption. On 6 and 7 January 1998 they were stolen, but with a
> > lot of the files that could not be opened outside my own computer. This was
> > a very bad thing but revealed, for sure, WHO was doing this, a person I
> > imagined above all suspicion (it's always the same, isn't it ?). So a break-in
> > at the Company followed one day that I was sufficiently careless to leave the
> > Company with my computer ON (I know I should know better !) and they opened
> > some of the files, because the most sensitive ones had double encryption with
> > different programs, and they lacked the second and third keys.
>
> I'll pass.
>
> > Some months before, I had connected my computer to the Net, something I can't
> > give up, and one good day I started noticing that the computer was tremendously
> > slow.
>
> Yes, from below. If successfully downloaded and installed, both Back Orifice
> & Netbus turn your machine (client) into a server machine. Your notes and
> thoughts following support this option. So do your ports (port 31337 = ~80% of
> the time for BO, & port 53 also fits in with that 80%). As reported by Robert
> Graham, 15% of the time (intrusions logged, that is) BO goes to other ports.
>
> > Suggestions and software from the Net, and I realized that a virus of some
> > kind was introduced in my HDs and everything I was writing was being sent
> > over the net. First copies of my files were being made and then sent over
> > the lines...
>
> Part of the notorious functionality of BO is its ability to really nuke your
> machine and take over everything: run & kill processes, change registry settings
> and whatnot, stop and start services - essentially a nightmare come alive. The
> latter part of your report / commentary shows some of this type of behaviour to
> be true.
>
> > Again people showed that they even knew when I was supposed to go to the post
> > office ! This kind of virus (I think a kind of Trojan),
>
> Very good. Both BO and Netbus are trojans. BO can come in as a remote
> administration tool (Win '95, '98), a game, or an attachment. I am not as
> experienced with Netbus, though it affects both '95 & '98 as well as NT. It does
> all the great stuff that BO does - plus it can even allow the client (can be
> anywhere on the Net - and your commentary below concerning the firewall gives
> off some pointers that things are definitely not kosher) machine the ability to
> open and close your CDRom. "Lucky you!"
>
> > resisted detection with all software I could throw at it (I am a registered
> > user of all Symantec software) and also resisted formatting. I had to have a
> > technician format the MBR but I am not sure I got rid of the *animal*
>
> Though some vendors report (and I am not sure whether CERT has updated their
> testing of this entity) their AV packages will catch this as a 'virus' - I am
> not sure if this is the case or not. Further investigate with a machine away
> from the business that is separate from all the problem individuals and those
> that seem to be on a different frequency than yourself. CERT vulnerability note:
> http://www.cert.org/vul_notes/VN-98.07.backorifice.html
>
> > This *animal* made copies of all files I was making or manipulating in
> > virtual folders.
>
> Well - think of this attack. It's running services, it's copying files, it's
> copying directory trees and everything else.
>
> > In a 100 MB Zip drive I was able to detect 32 MB of my own
> > files. They were made apparent by defragmenting all disks and then deleting
> > everything they had (apparently) just to find out what was left. The bigger
> > the use, the bigger the virtual folder.
>
> I'll pass.
>
> > So the hard drives were put in drawers and I started carrying them all the
> > time. Well, they just contaminated some diskettes I also used and I got to
> > start all over again.
>
> I'll pass.
>
> > When I circumvented this, they somehow started tampering with the BIOS, and it
> > now prevents defragmentation of HDs and Zip disks with whatever program I try
> > to do this: Windows, Norton Utilities etc. They *defragment* the hard drives,
> > say everything is ok, and the HD wasn't defragmented even 1 per cent. I redo
> > everything and it's the same.
>
> Pass.
>
> > ALL Company computers are in this situation.
>
> BO & Netbus. Once exploited, and we'll assume there are significant trust
> relationships within your LAN architecture = ing problems ...
>
> > I reported the incidents in writing, but, because this can be undone by the
> > person who did it,
>
> Hard copies for everything. Get an 'outside' source for witnessing of your
> hard copy procedures and possibly think of having these documents notarized
> and/or the equivalent procedures implemented. Whatever is available in your
> country I'm not sure ... I'm sure there's something equivalent to a notary public
> ...
>
> > I am even afraid of being called a liar if one good day a test is done and
> > everything appears ok ! (We all know what they will do next !)
>
> See above, and I'll pass.
>
> > TODAY, Saturday, I was at the company and had to go out for lunch for just
> > less than an hour, but carrying my HDs with me. Big mistake. Just 10
> > minutes after I left, the *animal* owner came in. I restarted my computer and,
> > looking at and hearing some anomalies at the start, I immediately sensed
> > danger. I was right, the Firewall does not work properly anymore. All ports
> > but one at a time are not monitored, and only the outbound ports. No inbound
> > ports are controlled.
>
> Pass.
>
> > Here I go again...
> >
> > The logs are full of 12345,
>
> SYN packets for connection requests for Netbus (Most of the time coming from
> either the US and or Canada)
>
> > 31337/31338,
>
> Back Orifice UDP packets (Majority of the time coming from Europe and
> periphery countries)
>
> > and dozens of others whose meaning I do not know
>
> Both can be configured to listen and run on other ports ...
>
> > and the Firewall states as Unknown, ports 53,
>
> Quite possibly BO - as reported and researched by Robert Graham.
>
> > 54 you name it. The logs have more warnings than traffic !
>
> Pass.
>
> > Most of these files are already lost with the first formatting, but after a few
> > days of *work* I have hundreds of pages of *warnings* again.
>
> Pass.
>
> > I ordered some 32-pin ZIF sockets for Flash EPROMs, and I will buy some new
> > BIOS chips and will carry them with me also.
>
> Pass.
>
> > The HD is almost constantly *working* for no reason at all.
>
> Well - outside (everything other than the particular machine at this point)
> your LAN and all compromised machines, the client (malcontents') machine has
> free and total (potentially) rein over your machines ...
>
> > The loss of hours and of personal files, over 2.8 GB of it, is preventing me
> > from doing my job as I should, and I am being attacked for this reason (by the
> > *animal* owner, who else ?)
>
> Pass.
>
> > I simply run out of ideas, so I have some questions.
> >
> > 1. Is it possible to buy a non-flashable BIOS that could be tamper-proof ?
> > 2. Is there a way of preventing the use of the BIOS reserved memory for
> > other purposes ?
> > 3. Does anyone know any program that I could use to see whatever is inside
> > of the BIOS ? I heard about one, *Get BIOS*, but it's a very old DOS program.
> > Anything else ? (This would be really nice.)
> > 4. Apart from the BIOS and the BIOS reserved memory at the EPROM inside of a
> > normal computer, is there any other possibility of interfering with its work ?
> > 5. I was told that the keyboard could also be tampered with for password
> > stealing. Is this correct ?
>
> Pass on all.
>
> > Please also note that I was somehow intentionally vague because I don't want
> > to help these people, just in case my mail goes to more places than I
> > intend it to (it's not impossible with this kind of *animals*).
>
> You've given enough - the important thing is, you initiated this thread.
>
> > Hope there is someone that could give some idea on how to cope with these
> > fellows!
>
> CERT - get to their site, mentioned above, and go through the paces in the order
> they outline. That's a good start. AusCERT - get to their site.
> You will need to document.
> You will need to take copious notes.
> You will need as much as possible to CYA.
> You have a lot of work to do ... Not envious in the least ...
> Philip.
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 5.5.5 for non-commercial use <http://www.nai.com>
>
> iQA/AwUBNzU7MxialBIhIMlEEQIPXACcDuxnQMSWmxwPhwbIpU+0Bi2w0FwAoO4G
> nX4uZPA5YupTvd6Rwhxb7zvC
> =4jW8
> -----END PGP SIGNATURE-----
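A defender-side check of the kind the thread circles around: count hits on the Netbus and Back Orifice default ports in a host firewall log, and separately count inbound SYNs to other high ports, since Philip notes both tools can be moved off their defaults. This is an added example, not code from the list, from Guy's organization or from the Signal 9 product; the log line format, the port table and the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Default listener ports the thread attributes to the two trojans: NetBus on
# TCP 12345, Back Orifice on UDP 31337/31338. Both can be moved to other ports,
# so an empty hit list is not a clean bill of health.
TROJAN_PORTS = {("tcp", 12345): "NetBus default port",
                ("udp", 31337): "Back Orifice default port",
                ("udp", 31338): "Back Orifice (second port seen in the logs)"}
# Constructed, simplified host-firewall log line (not the ConSeal log format):
#   <time> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <info>
LOG_RE = re.compile(r"^\S+ (?P<proto>tcp|udp) (?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+) (?P<info>.*)$")

def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return dict(m.groupdict(), dport=int(m.group("dport")))

def classify(entry):
    """Label a parsed entry, or return None when nothing looks suspicious."""
    label = TROJAN_PORTS.get((entry["proto"], entry["dport"]))
    if label:
        return label
    # Inbound connection attempts to high ports are still worth counting,
    # since either tool may have been reconfigured off its default port.
    if entry["proto"] == "tcp" and "SYN" in entry["info"] and entry["dport"] >= 1024:
        return "inbound SYN to unprivileged port"
    return None

def scan(lines):
    """Return (flagged entries, hit count per source address) for the log lines."""
    flagged, by_src = [], Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line: skip rather than crash on a noisy log
        label = classify(entry)
        if label:
            flagged.append((entry["src"], entry["proto"], entry["dport"], label))
            by_src[entry["src"]] += 1
    return flagged, by_src

SAMPLE_LOG = [  # constructed sample lines, using documentation address ranges
    "12:01:03 tcp 198.51.100.7:1043 -> 192.0.2.10:12345 SYN",
    "12:01:05 udp 203.0.113.9:31337 -> 192.0.2.10:31337 len=18",
    "12:01:09 tcp 198.51.100.7:1044 -> 192.0.2.10:80 SYN",
    "12:02:11 tcp 198.51.100.7:1045 -> 192.0.2.10:31337 SYN",
]
```

Run `scan(SAMPLE_LOG)` to get the three flagged entries and the per-source counts; a source that keeps coming back across many ports is the one to document first.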