What would you do if a major US computer security firm attempted to hack your site's servers and networks? Would you tell the company or let their experts figure it out?

matthew black
network services
california state university, long beach
Matthew Black wrote:
What would you do if a major US computer security firm attempted to hack your site's servers and networks? Would you tell the company or let their experts figure it out?
matthew black
network services
california state university, long beach
I'd contact the chiefs of the company in order to assess what actually happened. Define attack. If it's an IP-based attack, it would be difficult to prove unless it was ongoing, as spoofing could play a role. It could turn out to be something as trivial as said company ending up with a machine they own which was compromised and used as an attack vector... I've seen it happen to a few companies. Personally, I would seek out the CSO, Senior IT personnel, and follow that route.

--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g'

"Wise men talk because they have something to say; fools, because they have to say something." -- Plato
1) Locate baseball bat
2) Acquire plane ticket
3) Call friends in city where said company is located
4) help them locate their own bats
5) ...
6) Profit

On a more serious note, I'd contact them and ask for them to stop. Barring that, call a lawyer and have a fancy letter sent to someone's boss.

On 5/29/07, Matthew Black <black@csulb.edu> wrote:
What would you do if a major US computer security firm attempted to hack your site's servers and networks? Would you tell the company or let their experts figure it out?
matthew black
network services
california state university, long beach
On 5/29/07, Quinn Kuzmich <lostinmoscow@gmail.com> wrote:
On a more serious note, I'd contact them and ask for them to stop. Barring that, call a lawyer and have a fancy letter sent to someone's boss.
While you're pursuing that route from a legal/business side, on the technical side I'd suggest null routing the block they're coming from at your edge. -brandon
On a more serious note, I'd contact them and ask for them to stop. Barring that, call a lawyer and have a fancy letter sent to someone's boss.

Being as they are a security company, it is possible (if unlikely) that someone typo'd an address range into a vulnerability scanner.
"Never attribute to malice that which is adequately explained by stupidity" -Don
1) Locate baseball bat

On a more serious note, I'd contact them and ask for them to stop. Barring that, call a lawyer and have a fancy letter sent to someone's boss.
Seems pointless really. If you detect someone hacking your servers and your company does not have a network security department where you can report these things, then dust off your resume and look for a new job. Basically, one of two things is happening. Either someone is breaking the law, or someone has been hired by senior management to test your abilities. If the former, then tell your security people and let them figure out whether to get the lawyers involved. If the latter, then tell your security people and get some brownie points for a) noticing, b) acting promptly, and c) notifying the proper people to deal with security threats to your business. --Michael Dillon
On Tue, 2007-05-29 at 08:21 -0700, Matthew Black wrote:
What would you do if a major US computer security firm attempted to hack your site's servers and networks? Would you tell the company or let their experts figure it out?
Can you better define "attempted to hack", please?

-Jim P.
On Tue May 29, 2007 at 12:20:24 -0400, Jim Popovitch wrote:
On Tue, 2007-05-29 at 08:21 -0700, Matthew Black wrote:
What would you do if a major US computer security firm attempted to hack your site's servers and networks? Would you tell the company or let their experts figure it out?
Can you better define "attempted to hack", please?
Personally, I would try to find out who at my site (potentially including S-OX, PCI, other auditors, and the Board) contracted for them to do it.
On 5/29/07, Pete Ehlke <pde+nanog@ehlke.net> wrote:
On Tue, 2007-05-29 at 08:21 -0700, Matthew Black wrote: What would you do if a major US computer security firm attempted to hack your site's servers and networks? Would you tell the company or let their experts figure it out?
Personally, I would treat it like any other attack. You do have policy and procedures for responding to intrusions and intrusion attempts? Convene your CERT, preserve logs, document the time and other costs, contact law enforcement, your lawyers, and their ISP.
Personally, I would try to find out who at my site (potentially including S-OX, PCI, other auditors, and the Board) contracted for them to do it.
Even if this were a contracted penetration test, you can't go wrong by treating it as if this were an actual hostile attack. If I were conducting a "pen test" and the target had managed to get an FBI case started and convinced the ISP to terminate connectivity due to AUP violations, I would have to give them straight A's for their response :)

Kevin
On Tue, 29 May 2007, Matthew Black wrote:
What would you do if a major US computer security firm attempted to hack your site's servers and networks? Would you tell the company or let their experts figure it out?
I'd hold a very public discussion on the matter. If their people are intentionally trying to hack your network, they're probably using proprietary information in violation of some NDAs. It's also indicative of a larger problem. If their servers are compromised and are being remotely abused by a third party, that's something their clients need to know. If it's a spoof, that should also be publicly exposed and addressed.
On Tue, 2007-05-29 at 12:53 -0400, George Imburgia wrote:
On Tue, 29 May 2007, Matthew Black wrote:
What would you do if a major US computer security firm attempted to hack your site's servers and networks? Would you tell the company or let their experts figure it out?
I'd hold a very public discussion on the matter.
Just a few words of caution....

First, make sure that it is a hack, and not just a ping or SMTP test because they are trying to deliver you email. I did ask for a definition of what the OP meant by hack, but haven't seen anything yet.

Secondly, make sure that no one else in your company authorized this. A lot of companies do pay outside agencies to test their security. Security audits are notorious for being requested by the corporate Financial personnel, and those are the same folks that the networking dept communicates the least with (IMHO).

Finally, is it possible that the "hack" was planned behavior or a well-intended mistake? Years ago, others at $DAYJOB received customer-provided configuration files to try and emulate a customer problem. All sorts of interesting traffic left our network and hit the customer's; after all, their configs had all their IPs listed. The customer's security department (left hand) called the FBI simply because they didn't know what their own network department (right hand) was asking $DAYJOB to do.

-Jim P.
On 5/29/07, Matthew Black <black@csulb.edu> wrote:
What would you do if a major US computer security firm attempted to hack your site's servers and networks? Would you tell the company or let their experts figure it out?
Submit your log files to http://www.dshield.org/howto.html ? Block their IP addresses? Call their registrar and have their domain shut down? Sell the movie rights to a famous Hollywood producer and make sure you get to play the lead character along with Harrison Ford?

Is this a theoretical question?

Cheers,
Andre
On May 29, 2007, at 8:21 AM, Matthew Black wrote:
What would you do if a major US computer security firm attempted to hack your site's servers and networks?
I think the first thing to do would be to attempt to determine whether they were trying to actually 'hack' anything, or whether they were doing some kind of hostscanning as part of a survey, or what (or even if it's traffic which isn't spoofed - i.e., is it TCP) - i.e., classify the traffic - and then if the activity is annoying/harmful/undesirable, implement appropriate filtering mechanisms to block said traffic. [Of course, various OS, application, and network infrastructure BCPs should be implemented so as to combat interactive cracking-type activity in the first place.]

The next thing to do would be to contact them directly and ask if they're aware of this situation - if so, ask what they're doing and ask them to stop if it's annoying/harmful; secondly, if they're not aware, let them know so that they can see if they've an unauthorized individual/group generating the traffic in question, or perhaps have systems on their network which have been compromised and are being used for illicit activity.

IANAL, but I'd suggest trying to have a conversation before getting lawyers involved. Hopefully, it's just a misunderstanding of some sort, and can be resolved amicably.

------------------------------------------------------------------------
Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice

You may not be interested in strategy, but strategy is interested in you. -- Leon Trotsky
On Tue, 29 May 2007 08:21:47 PDT, Matthew Black said:
What would you do if a major US computer security firm attempted to hack your site's servers and networks? Would you tell the company or let their experts figure it out?
Step 0: Define "attempted to hack"?

Step 1: Ask whoever acts as your CTO/CIO if you contracted for a pen test from the company.

Step 2: If you're not a customer of the security company, contact the company, and explain the concept of "negative advertising" to them.
Matthew Black wrote:
What would you do if a major US computer security firm attempted to hack your site's servers and networks? Would you tell the company or let their experts figure it out?
matthew black
network services
california state university, long beach
What happened to me one time was that one of my hosting customers hired a firm to do a security check on their website. This company ran a whole battery of penetration tests against the server. The bad news is that the customer never told us this was going to happen. The good news was that we detected the "attack" and blackholed the tester's IP address. :-) We passed with flying colors.

Better check with your management to make sure that they haven't authorized something.

Roy
On 5/29/07, Matthew Black <black@csulb.edu> wrote:
What would you do if a major US computer security firm attempted to hack your site's servers and networks? Would you tell the company or let their experts figure it out?
On top of the other suggestions, I would add: Make sure you're really being hacked before complaining. If I had a dollar (or even a nickel) for every "stop hacking my port 80" complaint I've seen in my career, I would currently be in possession of all the currency on this planet.

Automated tools make mistakes. Stateless firewalls, personal desktop alarms, and god knows what else are really great at seeing legitimate FTP, DNS, HTTP and other traffic and making an incorrect assumption that it must be due to something nefarious.

That being said, I have actually seen other networks leak like a sieve due to infected desktops or what not. I've found the quickest way to find out if they are aware was to call them on the phone and ask to speak to their IT help desk or security team.

I'd then also null route the offending IPs, and potentially put in a calendar reminder to consider removing the null route in three months and observing to see if the unwanted traffic continues.

Regards,
Al Iverson
--
Al Iverson on Spam and Deliverability, see http://www.spamresource.com
News, stats, info, and commentary on blacklists: http://www.dnsbl.com
My personal website: http://www.aliverson.com -- Chicago, IL, USA
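Roland's post above suggests classifying the traffic first (is it a real TCP session, or something spoofable? a host sweep, or a hit on one service?), and Al's post warns that most "stop hacking my port 80" complaints are legitimate traffic misread by automated tools. The following is an added example, not code from either poster or from the thread: a small Python triage script over constructed firewall log lines that builds a per-source profile, separates port sweeps from ordinary service traffic and ping, notes whether a TCP handshake ever completed (in which case the source address cannot have been spoofed), and only then emits the evidence-preservation and null-route commands for sources that still look hostile. The log format, field names, thresholds, log path and the RFC 5737 addresses are all assumptions made for this example.

```python
"""Constructed triage example (not from the thread): classify what a suspected
source is actually doing before complaining or null-routing it.
Per source address we record which protocols and destination ports it touched
(many ports = sweep; a few service ports = probably ordinary traffic) and whether
any TCP packet carried ACK, i.e. a three-way handshake completed, which means
the source address is real and not spoofed. Log format and thresholds are assumed."""
from dataclasses import dataclass, field
import re

# Constructed syslog-style firewall lines using RFC 5737 documentation addresses.
SAMPLE_LOG = """\
May 29 08:21:03 edge fw: ACCEPT proto=TCP src=203.0.113.10 spt=4411 dst=198.51.100.5 dpt=80 flags=PA
May 29 08:21:04 edge fw: ACCEPT proto=TCP src=203.0.113.10 spt=4412 dst=198.51.100.5 dpt=443 flags=PA
May 29 08:21:06 edge fw: ACCEPT proto=UDP src=203.0.113.50 spt=53211 dst=198.51.100.5 dpt=53
May 29 08:21:08 edge fw: DROP proto=ICMP src=203.0.113.200 dst=198.51.100.5 type=8
May 29 08:21:10 edge fw: DROP proto=TCP src=203.0.113.77 spt=5000 dst=198.51.100.5 dpt=21 flags=S
May 29 08:21:10 edge fw: DROP proto=TCP src=203.0.113.77 spt=5001 dst=198.51.100.5 dpt=22 flags=S
May 29 08:21:10 edge fw: DROP proto=TCP src=203.0.113.77 spt=5002 dst=198.51.100.5 dpt=23 flags=S
May 29 08:21:10 edge fw: DROP proto=TCP src=203.0.113.77 spt=5003 dst=198.51.100.5 dpt=25 flags=S
May 29 08:21:11 edge fw: DROP proto=TCP src=203.0.113.77 spt=5004 dst=198.51.100.5 dpt=110 flags=S
May 29 08:21:11 edge fw: DROP proto=TCP src=203.0.113.77 spt=5005 dst=198.51.100.5 dpt=135 flags=S
May 29 08:21:11 edge fw: DROP proto=TCP src=203.0.113.77 spt=5006 dst=198.51.100.5 dpt=139 flags=S
May 29 08:21:11 edge fw: DROP proto=TCP src=203.0.113.77 spt=5007 dst=198.51.100.5 dpt=445 flags=S
"""

LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP) proto=(?P<proto>\w+) src=(?P<src>[\d.]+)"
    r"(?: spt=\d+)? dst=[\d.]+(?: dpt=(?P<dpt>\d+))?(?: flags=(?P<flags>\w+))?"
)

SWEEP_PORTS = 8                     # distinct destination ports before we call it a sweep
SERVICE_PORTS = {25, 53, 80, 443}   # where the "stop hacking my port 80" false alarms come from


@dataclass
class SourceProfile:
    src: str
    packets: int = 0
    protos: set = field(default_factory=set)
    dst_ports: set = field(default_factory=set)
    established: bool = False   # a TCP packet with ACK set was seen: handshake done, src not spoofed


def parse_log(text):
    """Fold log lines into one SourceProfile per source address."""
    profiles = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                       # unrelated line, skip it
        p = profiles.setdefault(m["src"], SourceProfile(m["src"]))
        p.packets += 1
        p.protos.add(m["proto"])
        if m["dpt"]:
            p.dst_ports.add(int(m["dpt"]))
        if m["proto"] == "TCP" and m["flags"] and "A" in m["flags"]:
            p.established = True
    return profiles


def classify(p):
    """Coarse verdict: sweep, ping only, ordinary service traffic, or needs a human."""
    if len(p.dst_ports) >= SWEEP_PORTS:
        return "port-sweep"
    if p.protos == {"ICMP"}:
        return "ping-only"
    if p.dst_ports and p.dst_ports <= SERVICE_PORTS:
        return "service-traffic"
    return "review"


def triage(text):
    """Map each source to (verdict, spoofability note)."""
    out = {}
    for src, p in parse_log(text).items():
        note = ("TCP handshake completed; source address is real" if p.established
                else "no completed TCP handshake; source address could be spoofed")
        out[src] = (classify(p), note)
    return out


def response_plan(text):
    """For sources judged to be sweeping: preserve the evidence first, then null-route.
    Linux syntax shown; on a router this is a static route to Null0/discard.
    The log path is an assumption for this example."""
    cmds = []
    for src, (verdict, _) in sorted(triage(text).items()):
        if verdict == "port-sweep":
            cmds.append(f"grep 'src={src}' /var/log/firewall.log > evidence-{src}.log")
            cmds.append(f"ip route add blackhole {src}/32")
    return cmds


if __name__ == "__main__":
    for src, (verdict, note) in sorted(triage(SAMPLE_LOG).items()):
        print(f"{src:16} {verdict:16} {note}")
    print("\n".join(response_plan(SAMPLE_LOG)))
```

On the constructed sample only 203.0.113.77 (eight SYNs to eight different ports, no handshake) ends up in the response plan; the web client, the DNS query and the ping are left alone, which is the point of both posts: classify before you act, and keep the log lines you acted on so the later conversation with the other company (or your lawyers) has something to stand on.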
Hello; On May 29, 2007, at 3:48 PM, Al Iverson wrote:
On 5/29/07, Matthew Black <black@csulb.edu> wrote:
What would you do if a major US computer security firm attempted to hack your site's servers and networks? Would you tell the company or let their experts figure it out?
On top of the other suggestions, I would add: Make sure you're really being hacked before complaining. If I had a dollar (or even a nickel) for every "stop hacking my port 80" complaint I've seen in my career, I would currently be in possession of all the currency on this planet.
You might (or might not) be surprised at how many times network types have written me claiming that high bit rate video streams requested by their users were actually UDP DOS attacks or some other kind of attack.

Regards,
Marshall
Automated tools make mistakes. Stateless firewalls, personal desktop alarms, and god knows what else are really great at seeing legitimate FTP, DNS, HTTP and other traffic and making an incorrect assumption that it must be due to something nefarious.
That being said, I have actually seen other networks leak like a sieve due to infected desktops or what not. I've found the quickest way to find out if they are aware was to call them on the phone and ask to speak to their IT help desk or security team.
I'd then also null route the offending IPs, and potentially put in a calendar reminder to consider removing the null route in three months and observing to see if the unwanted traffic continues.
Regards,
Al Iverson
--
Al Iverson on Spam and Deliverability, see http://www.spamresource.com
News, stats, info, and commentary on blacklists: http://www.dnsbl.com
My personal website: http://www.aliverson.com -- Chicago, IL, USA
On Tue, 29 May 2007, Matthew Black wrote:
What would you do if a major US computer security firm attempted to hack your site's servers and networks? Would you tell the company or let their experts figure it out?
Contact your internal security and legal folks. Sometimes in large organizations, a group hires an external security firm to perform an audit (e.g. PCI, SAS70, etc) without talking to the correct people elsewhere in their organization. "Security firms" should conduct due diligence of the information before using it, but sometimes they type the wrong numbers or addresses in their auditing tools. Your internal security and legal folks should send the appropriate cease and desist letter to the security firm.

However, keep in mind the following: since you didn't actually describe what you consider an attack, in many cases attacks aren't actually attacks but unusual, but "normal", network activity which some people aren't familiar with. Or there is always the possibility of spoofed packets and routing, especially of "brand name" firms, by third parties.

If you can actually prove malicious intent on the part of a brand-name company, your lawyers will probably be very happy to start tallying their legal fees. But accidents, stupidity and ignorance explain a lot of things.
participants (18)
- Al Iverson
- Andre Gironda
- Brandon Galbraith
- Donald Stahl
- George Imburgia
- J. Oquendo
- Jim Popovitch
- K K
- Marshall Eubanks
- Matthew Black
- michael.dillon@bt.com
- Pete Ehlke
- Quinn Kuzmich
- Randy Bush
- Roland Dobbins
- Roy
- Sean Donelan
- Valdis.Kletnieks@vt.edu