Re: [Full-disclosure] Disney Down?

From: Micheal Espinola Jr (michealespinolagmail.com)
Date: Fri Aug 19 2005 - 14:41:24 CDT


I agree that not all exploits need to or should be handled in such a
way, but this type of open-ended exploit where potentially anything
could have been dropped or altered on a system would force me as a
network/security/systems administrator to have to take appropriate
action to protect my employer.

Yep, it's definitely extreme. I wouldn't want to have to do it. But,
I still would do it all the same. In my experience the risk is just
too great not to. Which is why we store data on secure servers, and
can multi-cast images for workstations for easy rebuilds. It's a shame
not everyone can work in an environment where things like this can be
done that easily, but that doesn't mean that they shouldn't be done at
all.

I have yet to work for an employer where my management and fellow
staff wouldn't be prepared to do the same - thank goodness.

I shudder to think about it happening to me...

On 8/19/05, Steve Kudlak <chromazinesbcglobal.net> wrote:
> Micheal Espinola Jr wrote:
> > Absolutely. Once a system has been exploited in such a manner, it is
> > completely untrustable. It should most definitely be wiped. The IT ppl
> > in SDC (and many other places) need to all be lined up and smacked
> > Three Stooges style.
> >
> > On 8/19/05, Donald J. Ankney <dankneysunsetfilms.com> wrote:
> > > Any IT department that simply removes a worm and shoves a box back
> > > into production has serious issues. After a machine has been
> > > compromised, it should be wiped and rebuilt.
>
> As a practical matter how many boxes are we talking about? I mean I have
> removed worms and viruses (note I don't use the plural virii because it is
> too close to the proper Latin Plural of "men";) and put boxes back into use.
> But not in places that are critical. Does one rebuild every time something
> goes wrong? Seems extreme to me. I dunno if this is the place to discuss
> issues like this. Now of course with worm designers getting more
> sophisticated it might be that more extreme measures should be taken
> earlier in the decision chain. Now if people implement a really adequate
> backup system, like everything over the last hour is safely backed up it
> might be possible to do that. Anyway it is an interesting case, easy to say
> now that I am disabled and watching from the sidelines.
>
> Have Fun,
> Sends Steve
>
>

--
ME2 <http://www.santeriasys.net/>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/