SearchSecurity.com
Forensics
Incident Response Team
Discovery, Eradication and Analysis of an attack on an open system: Welcome to the Jungle This is not necessarily a technical paper analyzing rootkit operation. There have been many excellent papers written that perform this function, some of which are referenced later. This paper is rather intended to help others who find themselves in a similar situation to deal with an attack of this nature. It should also serve as an illustration that defense in depth can be extremely effective in reducing the possibility of a major break-in, but cannot guarantee that break-ins can be entirely prevented. The most important theme of this paper is that no matter how much protection is in place, there must be documented policies and procedures that can be followed when an incident occurs. Without this last line of "defense", even the most secure systems will become unavailable for unacceptable periods of time.
By Steve Terrell, 03/28/2004
Alien Autopsy: Reverse Engineering Win32 Trojans on Linux In my last article, Reverse Engineering Hostile Code, I described the tools and processes involved in basic reverse engineering of a simple trojan. This article will offer a more detailed examination of the reversing process, using a trojan found in the wild. At the same time, this article will discuss some techniques for reversing Windows-native code entirely under Linux. As an added bonus, all the tools used in this article are either freeware or free software. They are:
* Wine - the Win32 API implementation for Unix;
* gdb - our favorite Unix debugger and disassembly environment; and,
* IDA Pro Freeware Version - Win32 disassembler (runs on Linux under Wine release 20021007, may run under other versions as well).
Note: Readers who haven't read the previous article, Reverse Engineering Hostile Code, may want to stop and do that now, unless they already have some knowledge of C and assembly language.
By Joe Stewart, 03/24/2004
Win2K First Responder's Guide When it comes to handling computer security incidents, proper first response handling of computer security incidents is second in importance only to incident prevention. Improper handling or collection of available information can do irreparable harm to an investigation. Investigators need to have a thorough understanding of what information they intend to collect, as well as the tools they can use and the effects those tools have on the system itself.
By H. Carvey, 03/24/2004
Moment's Notice: The Immediate Steps of Incident Handling This article covers the topic of response, including matters of scale, operational constraints, appropriate countermeasures, legal concerns, and hints for proper implementation. While not technical in nature, this study of response procedures might give you some insight on how to handle the more ambiguous elements of systems security: human factors, policy, and time.
By Ben Malisow, 03/24/2004
Incident Management with Law Enforcement Working with law enforcement may be the most interesting and challenging part of the computer security professional's job. Depending upon how well the professional prepares prior to a security incident, such an interaction can offer either a smooth, pleasant ride or a rough, rocky ride. This article will offer an overview of dealing with law enforcement agencies in security incident handling. It will offer some suggestions that will help to make private sector involvement with the cyber-police satisfactory and effective for both sides.
By Ronald L. Mendell, 03/24/2004
Have Root, Will Hack: This story is true; only the names have been omitted to protect the (sort of) innocent. Monday, 7:15 AM: I log onto my Solaris box and start the day's regimen. After scanning my 245 email messages for anything that might require immediate attention, I settle in to do some log surfing. As I pull down the first log, I notice that the Perfmeter session I had running to monitor a remote Sun enterprise server has suddenly coughed up little "RIP" icons for each of the system parameters I was tracking. This can't be a Good Thing (TM).
By Robert G. Ferrell, 03/24/2004
Going to the Source: Reporting Security Incidents to ISPs My interest in abuse notifications began when Warez pirates started using my trustingly anonymous FTP server as their personal playground. I realized that my system needed to be locked against this type of intrusion and that I had failed to provide adequate safeguards. But I still felt violated - these people were intruding into a place where they knew they had no business.
By James C. Slora Jr., 03/24/2004
Detecting and Removing Trojans and Malicious Code from Win2K The purpose of this article is to recommend steps that an administrator can use to determine whether or not a Win2K system has been infected with malicious code or "malware" and, if so, to remove it. This article will specifically address network backdoor Trojans and IRC bots, but the information delivered in this article should assist the reader in a variety of situations.
By H. Carvey, 03/24/2004
Detecting and Removing Malicious Code Has it happened yet? The phone call, the e-mail, the page, or maybe you discovered it yourself. Something wasn't right: sluggish performance, too much network activity, a missing file. After a little investigating, the realization - you've been cracked. If this isn't familiar to you yet, odds are it will be in the future. Crackers have access to countless variations of malicious code: automated rootkits, trojans, viruses and specific exploits, all designed to breach your security. Detecting and removing these programs can be a daunting task, with little room for wasted time or error. In this article, I'll explain techniques readers can use to get their system back on-line and prevent it from happening again.
By Matthew Tanase, 03/24/2004
Detecting and Containing IRC-Controlled Trojans: When Firewalls, AV, and IDS Are Not Enough This paper discusses IRC-based trojans as a distinctly underestimated class of malicious activity, and how real time security event monitoring is the key to identifying and containing similar compromises. It discusses the general methodology used to discover, track, and stop such malicious activity by presenting a real-world case study.
By Corey Merchant and Joe Stewart, 03/24/2004