Security Forums
What would *you* do?
ThePsyko (SF Mod)
Joined: 17 Oct 2002
Location: California

Posted: Wed Mar 05, 2003 1:25 am    Post subject: What would *you* do?

Scenario: You receive a phone call from somebody who needs you to "come in right away" - when you get there, you're instructed that one of the senior people is "gone" and the appropriate accounts / methods of access are to be disabled immediately. Then you're handed a list of keywords and asked to scour the former employee's system and email, creating a package of all things found during the previous 6 month period. You aren't given any details, but during your investigation you find that this person had been stealing company secrets (the company was just awarded FDA funding for some cutting edge medical research) and was not only passing them to another former employee, but the two of them had started up their own side business.

Armed with the name of the company (and probably too much curiosity) you do a little digging. The domain is forwarded to a geocities page and the mail server is hosted by Yahoo. However, you have an address, and since you suspect there is a DSL line going into those "new" offices, you scan the blocks of IPs for the local providers. Finding what you're looking for, you do a non-invasive probe and realize what you're dealing with is an unpatched, default 2k install. You figure you can be in and out in under 10 minutes plus whatever time it takes to download any incriminating data you find...

Your client has not asked for anything other than what was on the HDD and in email, and has indicated they don't intend to pursue criminal charges. However, they are obviously distraught about what data may have been stolen and besides, they have *excellent* coffee and hot chicks at the office.

What would you do?
ShaolinTiger (Forum Fanatic)
Joined: 18 Apr 2002
Location: Kuala Lumpur, Malaysia

Posted: Wed Mar 05, 2003 1:27 am

Dude, you know what I'd do, but I guess you ain't asking me.
ThePsyko (SF Mod)
Joined: 17 Oct 2002
Location: California

Posted: Wed Mar 05, 2003 1:36 am

ShaolinTiger wrote:
Dude, you know what I'd do, but I guess you ain't asking me.

Yeah, but to what extent? Would you just copy the data? Would you copy and then delete the data? Would you turn the box into a giant paperweight? And then what? Would you tell your client what you found? Would you tell them how you got it?

I've already completed my portion of it. I know what *I* would do (hey, I didn't win the alt.hackers.malicious most "malicious to the core" award for 2002 for nothing).
ShaolinTiger (Forum Fanatic)
Joined: 18 Apr 2002
Location: Kuala Lumpur, Malaysia

Posted: Wed Mar 05, 2003 1:38 am

I'd find the data, probe the rest of the network, check out what was going on, copy all the data back, paperweight the box and leave a message somewhere else on the network that espionage isn't taken lightly in alt.hacking.malicious.
ThePsyko (SF Mod)
Joined: 17 Oct 2002
Location: California

Posted: Wed Mar 05, 2003 1:43 am

You'd really paperweight the box? I thought about it, but that's not my style really - I sniffered and backdoored it for future intel gathering - left everything else as is (copied the data off, of course) so that no one would be the wiser - that's my standard M.O. - I'll monitor a box for months sometimes before I make my move.
ShaolinTiger (Forum Fanatic)
Joined: 18 Apr 2002
Location: Kuala Lumpur, Malaysia

Posted: Wed Mar 05, 2003 2:03 am

Heh, yeah, depends on how hot the chicks in the office are and *how* much they would appreciate it...

But yeah, backdoor and info gathering, all good.
myhatisred (Just Arrived)
Joined: 11 Jan 2003

Posted: Wed Mar 05, 2003 7:18 am

What would be the purpose? General curiosity or what?
snootalope (Just Arrived)
Joined: 14 Jan 2003
Location: IA _ USA

Posted: Wed Mar 05, 2003 5:34 pm

I see two paths: Legal and Illegal (but revenge kicks arse)

If it were me.. I'd take the VP (or someone high up, who you know well) of the company that called you in, and go have a few drinks with him.. don't just sit him down and say, "Hey, I'm a hacker, I'll break in and take down everything, steal all of his email, burn down the server and piss on the ashes.." um, no. Tell him there is a way to recover what was taken and disable the other party.. meaning you could get back everything he took, remove what he has, find their backup program and run some circles on the tapes.. then start deleting the hell out of things.. just print out a message on one of their printers before ya go..

Honest to God, that's what I would do.. but then again.. the VP and I are good friends like that.. but, I don't think they'd like the idea of jeopardizing the company..
ThePsyko (SF Mod)
Joined: 17 Oct 2002
Location: California

Posted: Wed Mar 05, 2003 5:43 pm

myhatisred wrote:
What would be the purpose? General curiosity or what?

Intel gathering is always a good thing (assuming they don't catch on and start feeding false info to you) because you never know what you might find when people don't realize they're being monitored. Rarely is the "smoking gun" found, but usually enough tidbits are gathered to make a convincing case if needed.

But yeah, I'm the 'overly curious' type too.
ThePsyko (SF Mod)
Joined: 17 Oct 2002
Location: California

Posted: Wed Mar 05, 2003 5:51 pm

snootalope wrote:
I see two paths: Legal and Illegal (but revenge kicks arse)

If it were me.. I'd take the VP (or someone high up, who you know well) of the company that called you in, and go have a few drinks with him.. don't just sit him down and say, "Hey, I'm a hacker, I'll break in and take down everything, steal all of his email, burn down the server and piss on the ashes.." um, no. Tell him there is a way to recover what was taken and disable the other party.. meaning you could get back everything he took, remove what he has, find their backup program and run some circles on the tapes.. then start deleting the hell out of things.. just print out a message on one of their printers before ya go..

Honest to God, that's what I would do.. but then again.. the VP and I are good friends like that.. but, I don't think they'd like the idea of jeopardizing the company..

Heh, that's a good approach - unfortunately the only person I really knew well enough to go out to drinks with was the person that is now gone. Of course my priorities lie with the people paying the bill (and now is a good time to show them that). I'll be going back tomorrow & will feel them out then to see how receptive they are, but considering they just got their FDA funding within the past 6 months, I KNOW they are not going to want to do anything to jeopardize their company - even if that means letting it go.

I almost take it personally that this person would think he could get away with it on *my* network - he's not stupid (PhD & one of the top medical researchers in the area) and since he handled the coordination between the users and myself (I only go in once a week unless they have a special project) he should have known better... dumbass didn't even clear his IE cache and used Hotmail and OE for much of his communications for this little "project" of his (interesting .dbx files that he left behind too, lol)
snootalope (Just Arrived)
Joined: 14 Jan 2003
Location: IA _ USA

Posted: Wed Mar 05, 2003 6:22 pm

ThePsyko wrote:
- even if that means letting it go.

Well.. that's probably what it'll come to.. but what can ya do! There should have been some kind of policies in place to prevent something like this.. Didn't you know anything about what this guy was doing on the side?

Jeez, the guy with the PhD always wins.. soon the coffee's gonna suck cause of budget, and the hot chicks are gonna go work for him.. you'll be stuck with "USave" brand coffee and 350 lb undergrad chicks who eat Twinkies all day and call you sweetie every morning.. I've seen it a hundred times..
ThePsyko (SF Mod)
Joined: 17 Oct 2002
Location: California

Posted: Wed Mar 05, 2003 6:25 pm

Just so long as they don't move the server closet into the spare bathroom (yes, I've been there too... with the rack literally straddling the toilet)
snootalope (Just Arrived)
Joined: 14 Jan 2003
Location: IA _ USA

Posted: Wed Mar 05, 2003 6:35 pm

ThePsyko wrote:
Just so long as they don't move the server closet into the spare bathroom (yes, I've been there too... with the rack literally straddling the toilet)


Oh.. that's horrible.. maybe you should move the other medical researchers into the bathroom for letting this guy get away with this..
MR2 (Just Arrived)
Joined: 30 Apr 2002
Location: Somewhere between 0-160mph

Posted: Wed Mar 05, 2003 6:37 pm

ThePsyko wrote:
I almost take it personally that this person would think he could get away with it on *my* network - he's not stupid (PhD & one of the top medical researchers in the area) and since he handled the coordination between the users and myself (I only go in once a week unless they have a special project) he should have known better.

Depends how personally you take it, mate. If it's that bad, just copy the data back and delete all the stuff on the machine. As it's a default win2k box, I'm sure other people would get in and do something even if you don't.
All times are GMT + 2 Hours