
| Subject: | RE: How to track down a wireless hacker |
|---|---|
| Date: | 9 Nov 2007 12:37:12 -0000 |

CG,

Pen Testing is not forensics and incident response as much as you would like this. Forensics and Incident response are the other side of the argument.

As for what I know on forensics, let's see. I am one of the 14 people with a GIAC GSE level accreditation, co-author of a forensic book and about 20 peer reviewed published papers. Oh, also post grad law and 15+ years experience in digital forensics (21 security). As for Honeynets - I have run several.

You state: "Once an ATTACKER steps past the authentication/authorization border he/she loses all rights of expected privacy on that network. As well, entrapment (4th amendment) applies to law enforcement etc..., which I'm not."

I find your lack of understanding of legal issues problematic. There is no relation to the 4th amendment and these actions. Neither did I mention entrapment. An attacker does not lose any rights. There is no legal recourse to attack back or retaliate. As much as you may not like it - this is how it works. Further, the attack may originate from an innocent 3rd party. The law does not work on the principle of an eye for an eye.

How do you propose to find these leads? You seem to be stating that placing data somewhere will lead to a capture. Please explain how. I see this as a simple request. I ask you to explain how this will occur.

Let us forget web cookies. You have stated a field in a database, username and password for instance. Please explain how this will lead back to the mystery attacker? Or is it that you are proposing that you will sniff traffic and find them post the event. That you propose making environmental changes that are going to be noticed?

What if the attacker sniffed the network and did not insert anything? What if they played an inactive role in the attack gathering information and monitoring traffic flows as occurs in most of these cases? What then?

You have made it sound simple, please elaborate.

Craig Wright (GSE-Compliance)

--------------------------------------------------------------------------------

From: ep [mailto:captgoodnight@hotmail.com]
Sent: Fri 9/11/2007 9:24 PM
To: Craig Wright
Cc: pen-test@securityfocus.com
Subject: RE: How to track down a wireless hacker

"Ah, if only all pentesters were also honeynet admins, /sigh"

>>First, pen-testing is function of testing, not forensic analysis and
>>incident response.

Pen-testing has all the flavors of forensic analysis and incident response. It's just the other side of the coin that's usually amiss in practice.

>>How do you propose to track the cookie? Are you making the assumption that
>>all attacks will be to a web server? Adding a cookie to a web session is a valid response, if it is not a web
>>session (and I saw nothing to suggest that this attack on an internal network was) then it may not be.

It's NOT a web cookie, though in another example it could be and in fact it's the same functional idea. More specifically it's a username and password that belongs to (for the sake of the argument) OUR NETWORK, be it the network the attacker sniffed them from after breaking into or the one he/she would log into later on. That action would be a lead, from there we could add other ingredients to create more leads... But NEVER would any piece of data be placed on the attacker's machine that he/she didn't knowingly place there themselves.

May I say dear Craig, that simple fact pretty much negates your remaining 'reply'. But let's continue.

Once an ATTACKER steps past the authentication/authorization border he/she loses all rights of expected privacy on that network. As well, entrapment (4th amendment) applies to law enforcement etc..., which I'm not.

If you are curious to the legalities of honeynets in the US then may I suggest you visit this site http://www.honeynet.org.

Also, please kindly trim your replies.

Have fun,
--cg