Re: [Full-disclosure] How we caught an Identity Thief

From: Babak Pasdar (bpasdarigxglobal.com)
Date: Mon Feb 20 2006 - 08:15:12 CST


Dear Barry,

I can appreciate your point below. Yes, you are correct in that these
commands only take a few minutes to run. However, please consider the
following in the scenario presented:

1. I had to get back to our office from the client site over an hour
away :) Laws of physics to New York City traffic apply no matter what.

2. The client's or a security company's network is not the best source
for scanning and investigation activities, lest you have someone who
looks for these early signs of the investigation. Scans have to be
alternately sourced.

3. Running a few commands is by no means an indication of a fully
packaged and verified set of information. A forensics case has to be
started fully documenting all actions and times for possible future
reference in legal proceedings. Rushing through something like this and
not following procedure is the first step in being caught with your
pants down later.

Thank you for your response, Barry.

Babak

On Mon, 2006-02-20 at 13:53 +0000, Barrie Dempster wrote:
> From the article linked:
> > 1. The domain name
> > 2. Who registered it
> > 3. Who was serving DNS for it
> > 4. The IP address of the web site
> > 5. The Service Provider for the IP address
> > 6. The OS of the host
> > 7. The Web Server
> > 8. Some general information about the application the site was using
> >
> > Within hours we had collected all of the above information. It was my
> > recommendation to the client that we contact the FBI at this point.
>
> It took you "hours" to run nmap/dig/whois ?
>
> Not a very good advertisement of your talents, which the post seemed to
> be attempting. Even giving you the benefit of the doubt and assuming the
> phishers employed basic obfuscation of the host (which I would doubt, as
> usually it's someone else's machine anyway), hours is a seriously long time
> to run a few basic commands.
>



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
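The thread turns on two points: the eight lookups are quick to run, but the investigation also has to record when each was run, from where, and what came back, so the record holds up later. The following Python script is an added example, not code from either poster. It wraps the whois/dig/nmap lookups Barrie names in a hash-chained evidence log: each entry carries the command, a UTC timestamp, the source host the lookup was run from (Babak's point about alternately sourced scans), the SHA-256 of the output, and the hash of the previous entry, so later tampering with any entry breaks verification. The command runner is injectable; the sample uses a canned runner with constructed output so it runs offline, and `example.test` / `192.0.2.10` are constructed placeholders, not values from the thread.

```python
"""Hash-chained evidence log for the domain/IP lookups discussed in the thread.

Added example (not part of the original post). Every lookup is recorded with
its command, UTC start time, originating host, and output digest, and each
entry's hash is folded into the next one so the log can be verified as a whole.
"""
import hashlib
import json
import subprocess
from datetime import datetime, timezone
from typing import Callable, Dict, List

GENESIS = "0" * 64  # prev-hash value for the first entry


def lookup_plan(domain: str, ip: str) -> List[Dict]:
    """Map the eight information items from the article to concrete commands.

    Assumption: item 6-8 (OS, web server, application) is approximated with an
    unprivileged nmap service/version probe of the web ports only.
    """
    return [
        {"item": "1-2 domain name and registrant", "cmd": ["whois", domain]},
        {"item": "3 DNS servers for the domain", "cmd": ["dig", "+short", "NS", domain]},
        {"item": "4 IP address of the web site", "cmd": ["dig", "+short", "A", domain]},
        {"item": "5 service provider for the IP", "cmd": ["whois", ip]},
        {"item": "6-8 OS / web server / application", "cmd": ["nmap", "-sV", "-p", "80,443", ip]},
    ]


def run_command(cmd: List[str]) -> str:
    """Default runner: execute the command locally and return combined output."""
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
    return proc.stdout + proc.stderr


def entry_hash(entry: Dict) -> str:
    """SHA-256 over a canonical JSON form of the entry, excluding its own hash."""
    body = {k: v for k, v in entry.items() if k != "entry_sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def record_lookups(plan: List[Dict], runner: Callable[[List[str]], str] = run_command,
                   source_host: str = "analyst-workstation") -> List[Dict]:
    """Run each planned lookup and append a chained, timestamped entry."""
    log: List[Dict] = []
    prev = GENESIS
    for step in plan:
        started = datetime.now(timezone.utc).isoformat()
        output = runner(step["cmd"])
        entry = {
            "item": step["item"],
            "command": " ".join(step["cmd"]),
            "source_host": source_host,
            "started_utc": started,
            "output": output,
            "output_sha256": hashlib.sha256(output.encode()).hexdigest(),
            "prev_entry_sha256": prev,
        }
        entry["entry_sha256"] = entry_hash(entry)
        prev = entry["entry_sha256"]
        log.append(entry)
    return log


def verify_log(log: List[Dict]) -> bool:
    """Return True only if every output digest and every chain link still matches."""
    prev = GENESIS
    for entry in log:
        if entry["prev_entry_sha256"] != prev:
            return False
        if hashlib.sha256(entry["output"].encode()).hexdigest() != entry["output_sha256"]:
            return False
        if entry_hash(entry) != entry["entry_sha256"]:
            return False
        prev = entry["entry_sha256"]
    return True


# Constructed sample output so the example runs offline; swap in run_command
# for live lookups from the host you have chosen to source the investigation.
SAMPLE_OUTPUT = {
    "whois": "Domain Name: EXAMPLE.TEST\nRegistrar: constructed-registrar\n",
    "dig": "ns1.example.test.\n",
    "nmap": "80/tcp open  http  constructed-httpd 1.0\n",
}


def canned_runner(cmd: List[str]) -> str:
    return SAMPLE_OUTPUT[cmd[0]]


if __name__ == "__main__":
    evidence = record_lookups(lookup_plan("example.test", "192.0.2.10"), runner=canned_runner)
    print(json.dumps(evidence, indent=2))
    print("chain verifies:", verify_log(evidence))
```

Writing the log as JSON lines to write-once storage (or signing the final `entry_sha256`) is what turns this into something usable as a record; the chaining only guarantees that any later edit to an entry, its output, or its order is detectable, not that the original capture was honest.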