Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Updated PGP key for blocklist added to https://isc.sans.edu/PGPKEYS.txt

Copyright Alert System - What say you?

Published: 2011-07-09
Last Updated: 2011-07-09 17:37:12 UTC
by Tony Carothers (Version: 1)
6 comment(s)

 It has been announced by some of the major Internet Service Providers (ISP's) in America that they will be participating in the "Copyright Alert System".  There already exists plenty of media and discussions written about this topic, however I would like to open some discussion here at the Internet Storm Center.  The crux of the Copyright Alert System is the illegal downloading or distribution of copyrighted media.  The ISP's are now moving to a "six strike system" where a user or business will be provided six notifications, after which time the ISP will begin active intervention.  This active intervention could be in the form of pop-up notifications, site redirection, bandwidth reduction, and possibly service interruption.  I am not singling out any one provider, only the approach and practice as a whole.

It is my intention and hope that on this slow summer weekend to stir some discussions here at the Storm Center on the possible impacts in this change of Acceptable Use Policy (AUP).  One of my first and foremost concerns is the impact to voice services.  Voice over IP (VoIP) in many places has replaced traditional voice services (fixed, copper-based, Time Division Multiplexing) for home telephone services.  Is it conceivable that a service provider would ever redirect traditional voice services in this manner?  What is going to happen when I pick up my VoIP telephone to make a call, while I am in dispute with my ISP over the current usage of my internet service?

So it is today that I ask our readers regarding this policy "What say you?"  I look forward to the discussions.

 

Tony Carothers

tony.carothers_at_isc.sans.edu

 

Keywords: Alert Copyright ISP VoIP
6 comment(s)

Safer Windows Incident Response

Published: 2011-07-09
Last Updated: 2011-07-09 00:49:39 UTC
by Chris Mohan (Version: 1)
4 comment(s)

There's always a moment in any horror film where, inexplicably, one of the character, let's call him Chuck, wanders blindly into an obviously lethal encounter in a confined space. It's the "I'm just going down to the cellar to find out where everyone else has gone" moment that has most of us suddenly looking for a reason to run into another room to miss the grizzly outcome. Shortly after Chuck’s demise, one of the surviving cast clearly hears someone coming back up the cellar stairs and happily assumes it's just Chuck. Moments later they meet an equally horrifying end with some random household object.

Funny thing is a digital door to the cellar looms for an incident responder when investigating a report of a suspiciously acting system. Typically they're much better prepared and equipped than our fictional friend Chuck, but there is still a very real threat that crosses over from horror movies. What if the thing lurking on the system tries to stealing the digital identity of the brave incident responder? Suddenly we've got Good Ash and Bad Ash*, both with the same credentials access and privileges. The fight to contain an incident on just one system has now expanded to any system Ash's credentials has access to. This isn't a going to end well.

So how can we as incident responders on Windows systems protect ourselves against this?

Enter some fantastic research culminating in a presentation given at 2011 Digital Forensics and Incident Response Summit[1] by Mike Pilkington. Mike's talk, Protecting Privileged Domain Accounts during Live Response [2], covers the work he did to understand and protect the incident responder's domain credentials on remote Windows systems.

The presentation focuses on three areas where credentials are at risk from an attacker:

  • Password Hashes -Method for storing credentials on the local system
  • Access Tokens - Single sign-on functionality within Windows
  • Network Authentication -Protocols for authenticating to remote systems

This is worth printing out and spending some quality time going through. It discusses theses three areas of concern, takes you through the process so you can re-create each scenario and finally how to protect and detect against this type of attack.

After you've read it, take time to sit with your Windows Admins and explain to them the importance of protecting their credentials. This is well worth your time and energy educating any who has a privileged account. During an incident these folks need to be aware of the risk of remotely connecting to a possibly compromised system and how to do it safely. If you don't have a basic security training process for your system admin teams, this is a great starting point or ship 'em off and have some else educate them [3].

Once you’ve adopted Mike’s findings in to your incident response processes and into the Windows admins’ understanding, having your credentials used against be that one thing less to fear when facing that next digital cellar door. In the immortal words of Good Ash, to sum up, “Groovy.”

[1] http://www.sans.org/forensics-incident-response-summit-2011/agenda.php
[2] http://securityscaper.com/Protecting%20Privileged%20Domain%20Accounts%20during%20Live%20Response%20-%20June%202011.pdf
[3] http://www.sans.org/security-training/hacker-detection-systems-administrators-continuing-education-program-1312-mid

* Army of Darkness - so many lessons can be learnt, or one-liners stolen, for the IR world - Thank you Bruce Campbell!
 

Chris Mohan --- Internet Storm Center Handler on Duty

4 comment(s)
Diary Archives