Comments on TaoSecurity Blog: Israeli Incident Response Report

Anonymous, 2006-07-19 13:30 (-04:00):
As far as I understood the report, the IR team was working online, remotely. So this is an "uptime argument" for not shutting down the switch port.

greets

Richard Bejtlich, 2006-07-19 13:43 (-04:00):
In that case, the victim sys admin should have implemented a firewall block for all activity except from that of a trusted IP used by the incident response team.

Anonymous, 2006-07-19 15:43 (-04:00):
I agree with you, Richard. I'm not a forensics expert, but I would disconnect the server right away since I have all of the session data and full packet captures prior to and during the attack.

It's apparent to me that a lot of forensics training involves some basic common sense and understanding of evidence preservation. It's not as hard as people make it out to be.

Anonymous, 2006-07-21 06:35 (-04:00):
Although it appears clever to use the very tools of an attacker to defeat him, I agree this would most definitely cause a lot of problems later, talk about evidence preservation. Not to mention that they seem to have worked in parallel with the intruders. If this went to court, I guess an opposing lawyer would tear the whole case to shreds, considering what even Keith Jones, who did a remarkable job on the UBS case and worked very diligently, did have to face from the defense.

The UBS case is an excellent example of how high the standards in courtrooms really are, and how one should approach forensic investigations.

Anonymous (JW), 2006-07-21 20:50 (-04:00):
I talked to them and asked the questions raised here. They said:
"You are right, but in this case we did not have the option of shutting anything down or off."
Also:
"Friend, sorry, but we were under instructions to stop it. No future legal case was to be considered."

Lastly, from Gadi Evron:
"The comments you mention are still correct, but you should note that a lot of conflicting concepts in security are also correct. None are the 'absolute truth'. Implementation largely depends on necessity vs. demand."

JW.

Richard Bejtlich, 2006-07-21 21:05 (-04:00):
Hi John,

Thanks for getting feedback from the parties involved!