in reply to Re(Jepri) 2: Obfuscation and viruses
in thread Obfuscation and viruses

* Compromises data - The root kit
Maybe and mild damage. A root kit means that somebody wants the machine to keep working. As long as it keeps serving, our business is not lost. I can cope with a root kit, and deal with it at my leisure.

Eh? If a root kit has been installed, how can you ensure the integrity of your data? If the cracker is smart enough to cover their tracks, this strikes me as closer to the *catastrophic* category ... now where are your customer's credit card numbers again? Is that a modified ls in your /bin, or are you just happy to be sending packets of crucial information to nasty.crackers.net that are going to be sold to the competition?

Even if you restore from a known-good state, you still stand to lose any data collected between the time that state was saved and the time the rootkit was installed.

OK, tripwire and the like can help with these issues, but my inclination would be to err on the side of caution were I to find a rootkit installed on any machine I admin.

perl -e 'print "How sweet does a rose smell? "; chomp ($n = <STDIN>); $rose = "smells sweet to degree $n"; *other_name = *rose; print "$other_name\n"'
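Since the post above leans on "tripwire and the like" to catch a modified ls, here is an added example (not from the original thread or from Tripwire itself) of what such a check does at its simplest: snapshot a tree as a map of path to SHA-256, size and mode, store that baseline, re-scan later and report what changed, appeared or vanished. The directory and its contents are constructed inside the script so it runs offline; the "bin/ls" and "bin/.rk" names are stand-ins, not real paths.

```perl
#!/usr/bin/env perl
# Added example: a minimal tripwire-style file integrity check.
# It is illustrative code, not Tripwire's own; the tree it scans is
# constructed below so the script runs stand-alone.
use strict;
use warnings;
use Digest::SHA qw();
use File::Find;
use File::Temp qw(tempdir);

# Walk $root and return { relative_path => "sha256:size:mode" }.
sub snapshot {
    my ($root) = @_;
    my %snap;
    find({
        no_chdir => 1,
        wanted   => sub {
            my $path = $_;
            return unless -f $path;
            my @st = lstat $path or return;
            my $sha = Digest::SHA->new(256);
            $sha->addfile($path, 'b');          # 'b' = read as binary
            (my $rel = $path) =~ s{^\Q$root\E/?}{};
            $snap{$rel} = join ':',
                $sha->hexdigest, $st[7], sprintf('%04o', $st[2] & 07777);
        },
    }, $root);
    return \%snap;
}

# Compare an old snapshot with a new one; returns lists of
# changed (hash, size or mode differs), added and removed paths.
sub compare {
    my ($old, $new) = @_;
    my %r = (changed => [], added => [], removed => []);
    for my $f (sort keys %$old) {
        if    (!exists $new->{$f})         { push @{ $r{removed} }, $f }
        elsif ($old->{$f} ne $new->{$f})   { push @{ $r{changed} }, $f }
    }
    for my $f (sort keys %$new) {
        push @{ $r{added} }, $f unless exists $old->{$f};
    }
    return \%r;
}

sub write_file {
    my ($path, $data) = @_;
    open my $fh, '>', $path or die "$path: $!";
    print {$fh} $data;
    close $fh;
}

# --- demo on a constructed tree standing in for /bin ---
my $root = tempdir(CLEANUP => 1);
mkdir "$root/bin" or die "mkdir: $!";
write_file("$root/bin/ls",  "#!/bin/sh\nexec /usr/bin/ls \"\$@\"\n");
write_file("$root/bin/cat", "#!/bin/sh\nexec /usr/bin/cat \"\$@\"\n");

# The baseline must be taken while the host is still trusted and kept
# somewhere the host cannot write to (offline media, another machine).
my $baseline = snapshot($root);

# Simulate the "modified ls" from the post plus a dropped helper file.
write_file("$root/bin/ls",
    "#!/bin/sh\nexec /usr/bin/ls \"\$@\" | grep -v rootkit\n");
write_file("$root/bin/.rk", "payload");

my $diff = compare($baseline, snapshot($root));
for my $kind (qw(changed added removed)) {
    printf "%-8s %s\n", uc $kind, join(', ', @{ $diff->{$kind} }) || '(none)';
}
```

Two caveats a practitioner would add. First, the check is only as trustworthy as the tools it runs on: once a rootkit owns the kernel or has replaced perl, sha256sum or the filesystem walk, a scan run on the live host can be lied to, which is why real checks are run from trusted boot media against a baseline stored off the box. Second, this catches modified binaries, not copied data; it tells you nothing about what was read and sent elsewhere, which is the part of the argument above that integrity checking cannot settle either way.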

Re: Re: Re(Jepri) 2: Obfuscation and viruses
by jepri (Parson) on Jun 20, 2001 at 18:26 UTC
    This is so totally my point. Techs (and I prefer to think of myself as one) often react disproportionately to threats. Everyone does. To be precise: people suck really hard at assessing risk/damage/reward situations. There are studies that demonstrate this.

    You paid no attention to the rest of my post, and focussed on one point that you got wrong anyway. How do you know I keep our clients credit card numbers on the server? Is that your rootkit I see before me?

    I don't keep credit card numbers, nuclear launch codes or the secret of the mysterious cities of gold on my webserver. I keep webpages that people wish to share with the world. Not their credit card numbers. That was the whole point of the security matrix - to evaluate the effort I need to expend to counter threats, based on the damage to my business.

    You argued my case much better than I could. You immediately created an example using the worst possible damage imaginable (severe damage to my client's businesses) and argued your case from there. What crucial information could be sent to nasty.crack.net from a webserver? Passwords are the best I can guess. I can change my passwords.

    And what is the value of the information lost since the last backup? Is it worth more or less than the cost of spending days making the server completely bulletproof, and the inconvenience of working with a fully-secured system? It's a lot less.

    This argument should be setting off flags in your memory. It is the reason why a certain large company we love to hate can flog crap OSs and get away with it. They are surfing the 'high risk' part of the matrix, but they are on the low damage side. Most information is less valuable than you might be led to believe.

    ____________________
    Jeremy
    I didn't believe in evil until I dated it.