What would *you* do?

Networking/Security Forums -> General Security Discussion

Author: ThePsyko  Location: California  Posted: Wed Mar 05, 2003 1:25 am  Post subject: What would *you* do?
    ----
Scenario: You receive a phone call from somebody who needs you to "come in right away" - when you get there, you're instructed that one of the senior people is "gone" and the appropriate accounts / methods of access are to be disabled immediately. Then you're handed a list of keywords and asked to scour the former employee's system and email, creating a package of all things found during the previous 6 month period. You aren't given any details, but during your investigation you find that this person had been stealing company secrets (the company was just awarded FDA funding for some cutting edge medical research) and was not only passing them to another former employee, but the two of them had started up their own side business.

Armed with the name of the company (and probably too much curiosity) you do a little digging. The domain is forwarded to a geocities page and the mail server is hosted by Yahoo. However, you have an address and since you suspect there is a DSL line going into those "new" offices, you scan the blocks of IPs for the local providers. Finding what you're looking for, you do a non-invasive probe and realize what you're dealing with is an unpatched, default 2k install. You figure you can be in and out in under 10 minutes plus whatever time it takes to download any incriminating data you find...

Your client has not asked for anything other than what was on the HDD and in email, and has indicated they don't intend to pursue criminal charges. However, they are obviously distraught about what data may have been stolen and besides, they have *excellent* coffee and hot chicks at the office.

What would you do?

Author: ShaolinTiger  Location: Kuala Lumpur, Malaysia  Posted: Wed Mar 05, 2003 1:27 am  Post subject:
    ----
Dude, you know what I'd do, but I guess you ain't asking me.

Author: ThePsyko  Location: California  Posted: Wed Mar 05, 2003 1:36 am  Post subject:
    ----
ShaolinTiger wrote:
Dude, you know what I'd do, but I guess you ain't asking me.


Yeah, but to what extent? Would you just copy the data? Would you copy and then delete the data? Would you turn the box into a giant paperweight? And then what? Would you tell your client what you found? Would you tell them how you got it?

I've already completed my portion of it. I know what *I* would do (hey, I didn't win the alt.hackers.malicious most "malicious to the core" award for 2002 for nothing).

Author: ShaolinTiger  Location: Kuala Lumpur, Malaysia  Posted: Wed Mar 05, 2003 1:38 am  Post subject:
    ----
I'd find the data, probe the rest of the network, check out what was going on, copy all the data back, paperweight the box and leave a message somewhere else on the network that espionage isn't taken lightly in alt.hacking.malicious.

Author: ThePsyko  Location: California  Posted: Wed Mar 05, 2003 1:43 am  Post subject:
    ----
You'd really paperweight the box? I thought about it, but that's not my style really - I sniffered and backdoored it for future intel gathering - left everything else as is (copied the data off of course) so that no one would be the wiser - that's my standard M.O. - I'll monitor a box for months sometimes before I make my move.

Author: ShaolinTiger  Location: Kuala Lumpur, Malaysia  Posted: Wed Mar 05, 2003 2:03 am  Post subject:
    ----
Heh, yeh depends how hot the chicks in the office are and *how* much they would appreciate it...

But yeh backdoor and info gathering, all good.

Author: myhatisred  Posted: Wed Mar 05, 2003 7:18 am  Post subject:
    ----
What would be the purpose? General curiosity or what?

Author: snootalope  Location: IA, USA  Posted: Wed Mar 05, 2003 5:34 pm  Post subject:
    ----
I see two paths: Legal and Illegal (but revenge kicks arse)

If it were me.. I'd take the VP (or someone high up, who you know well) of the company that called you in, and go have a few drinks with him.. don't just sit him down and say, "Hey, I'm a hacker, I'll break in and take down everything, steal all of his email, burn down the server and piss on the ashes.." um. no, tell him there is a way to recover what was taken and disable the other party.. meaning you could get back everything he took, remove what he has, find their backup program and run some circles on the tapes.. then start deleting the hell out of things.. just print out a message on one of their printers before ya go..

Honest to god, that's what I would do.. but then again.. the VP and I are good friends like that.. but, I don't think they'd like the idea of jeopardizing the company..

Author: ThePsyko  Location: California  Posted: Wed Mar 05, 2003 5:43 pm  Post subject:
    ----
myhatisred wrote:
What would be the purpose? General curiosity or what?


Intel gathering is always a good thing (assuming they don't catch on and start feeding false info to you) because you never know what you might find when people don't realize they're being monitored. Rarely is the "smoking gun" found, but usually enough tidbits are gathered to make a convincing case if needed.

But yeah, I'm the 'overly curious' type too.

Author: ThePsyko  Location: California  Posted: Wed Mar 05, 2003 5:51 pm  Post subject:
    ----
snootalope wrote:
I see two paths: Legal and Illegal (but revenge kicks arse)

If it were me.. I'd take the VP (or someone high up, who you know well) of the company that called you in, and go have a few drinks with him.. don't just sit him down and say, "Hey, I'm a hacker, I'll break in and take down everything, steal all of his email, burn down the server and piss on the ashes.." um. no, tell him there is a way to recover what was taken and disable the other party.. meaning you could get back everything he took, remove what he has, find their backup program and run some circles on the tapes.. then start deleting the hell out of things.. just print out a message on one of their printers before ya go..

Honest to god, that's what I would do.. but then again.. the VP and I are good friends like that.. but, I don't think they'd like the idea of jeopardizing the company..


Heh, that's a good approach - unfortunately the only person I really knew well enough to go out to drinks with was the person that is now gone. Of course my priorities lie with the people paying the bill (and now is a good time to show them that). I'll be going back tomorrow & will feel them out then to see how receptive they are, but considering they just got their FDA funding within the past 6 months, I KNOW they are not going to want to do anything to jeopardize their company - even if that means letting it go.

I almost take it personally that this person would think that he could get away with it on *my* network - he's not stupid (PhD & one of the top medical researchers in the area) and since he handled the coordination between the users and myself (I only go in once a week unless they have a special project) he should have known better... Dumbass didn't even clear his IE cache and used Hotmail and OE for much of his communications for this little "project" of his (interesting .dbx files that he left behind too, lol).

Author: snootalope  Location: IA, USA  Posted: Wed Mar 05, 2003 6:22 pm  Post subject:
    ----
ThePsyko wrote:

- even if that means letting it go.


Well.. that's probably what it'll come to.. but what can ya do! There should have been some kind of policies in place to prevent something like this.. Didn't you know anything about what this guy was doing on the side?

Jeez, the guy with the PhD always wins.. soon the coffee's gonna suck cause of budget, and the hot chicks are gonna go work for him.. you'll be stuck with "USave" brand coffee and 350 pd undergrad chicks who eat twinkies all day and call you sweetie every morning.. I've seen it a hundred times..

Author: ThePsyko  Location: California  Posted: Wed Mar 05, 2003 6:25 pm  Post subject:
    ----
Just so long as they don't move the server closet into the spare bathroom (yes, I've been there too... with the rack literally straddling the toilet)

Author: snootalope  Location: IA, USA  Posted: Wed Mar 05, 2003 6:35 pm  Post subject:
    ----
ThePsyko wrote:
Just so long as they don't move the server closet into the spare bathroom (yes, I've been there too... with the rack literally straddling the toilet)


Oh.. that's horrible.. maybe you should move the other medical researchers into the bathroom for letting this guy get away with this..

Author: MR2  Location: Somewhere between 0-160mph  Posted: Wed Mar 05, 2003 6:37 pm  Post subject:
    ----
ThePsyko wrote:

I almost take it personally that this person would think that he could get away with it on *my* network - he's not stupid (PhD & one of the top medical researchers in the area) and since he handled the coordination between the users and myself (I only go in once a week unless they have a special project) he should have known better.


Depends how personally you take it, mate. If it's that bad, just copy the data back and delete all the stuff on the machine. As it's a default win2k box, I'm sure other ppl would get in and do something even if you don't.
