[ale] A story of Proactive Log Review and the best developer in the world.

Geoffrey Myers lists at serioustechnology.com
Wed Jan 16 09:26:09 EST 2013


+1

--
From my iPhone
Geoffrey Myers

On Jan 16, 2013, at 9:18 AM, Jim Kinney <jim.kinney at gmail.com> wrote:

> How do I get in on this? I would like to focus on brewing while retaining the income of a senior sysadmin.
> 
> On Wed, Jan 16, 2013 at 9:13 AM, JD <jdp at algoloma.com> wrote:
>> Summary:
>> * Security at small IT shop is actually proactively looking at system logs.
>> * They see a VPN connection from China. Suspicious.
>> * They are using RSA-based fob authentication. All commercial with vendor
>> support. (JD: A few yrs ago, RSA had a leak that made predicting the numbers on
>> a fob possible if the fob serial number was known. I think RSA had a spreadsheet
>> with that data stolen).
>> * Research shows the VPN connection is active every day
>> * the fob being used is always the same. It is assigned to a well-known,
>> respected, liked employee, family man, mid-40s. Always got excellent annual reviews.
>> * Security figures someone inside the company had their PC hacked
>> * Further research shows a few emails with PDFs from China to the mid-40s
>> programmer, so security thinks it is a targeted attack using PDF. A common
>> attack vector.
>> * Security mirrors his PC and scans for malware, rootkits, viruses.
>> * Security talks to the employee who finally volunteers that he had sent his fob
>> to a company in China to perform software development. He had "outsourced" his
>> coding.
>> * Further research finds that he's performing work for a few other "client
>> companies" and earning a few hundred $K annually.
>> 
>> I don't recall any concrete statement about non-disclosure agreements being signed.
>> 
>> This is all from memory, so please correct what I got wrong.  Read it a few
>> hours ago.
>> 
>> 
>> On 01/16/2013 08:47 AM, Jim Kinney wrote:
>> > VERY short read:
>> >
>> >
>> >   Error establishing a database connection
>> >
>> >
>> >
>> > :-)
>> >
>> > On Tue, Jan 15, 2013 at 11:18 PM, Brandon Wood <woody at 2143.net> wrote:
>> >
>> >     This isn't a long read; well worth your time. :)
>> >
>> >     http://securityblog.verizonbusiness.com/2013/01/14/case-study-pro-active-log-review-might-be-a-good-idea/
>> >
>> >     Shamelessly stolen from Reddit.
>> >
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
> 
> 
> 
> -- 
> James P. Kinney III
> 
> Every time you stop a school, you will have to build a jail. What you gain at one end you lose at the other. It's like feeding a dog on his own tail. It won't fatten the dog.
> - Speech 11/23/1900 Mark Twain
> 
> http://electjimkinney.org
> http://heretothereideas.blogspot.com/