Robert Betts wrote:
> I learned after he gave me a research paper to read, because there was a computer technician there working on his PC to help him reinstall his backed up files.

How do you know this technician isn’t the hacker in question? Which underscores the next point…
Stilgherrian wrote:
> If you wish to pursue some legal sanction, consider the legal concept of "chain of custody" that applies to evidence.
The hacker will get off based on the following:

1) Chain of custody: any evidence you have (logs, reports, disk files, etc.) cannot be proven to reflect the changes you indicate, because these records could have been manufactured or tampered with after the fact.

2) Direct evidence vs. hearsay evidence: the physical hard disk is the only direct source of evidence. Any report derived from hard disk records can be challenged. For a report to be admissible it must either be reproducible from a physical source that has had a proven “chain of custody”, or else the report must have been created in the standard course of doing business and have been regularly audited (mitigating controls).

3) Glorification of the hacker: the jury/judge/police/etc. lack awareness that what has taken place is a serious crime.

The very act of responding and recovering from an attack will usually compromise both the chain of custody and direct evidence, and the ad-hoc nature of printed reports will also undermine their weight in court.
SOLUTION

To catch and successfully prosecute an attacker you must take proactive steps including:

1) Have an incident response policy and security awareness training so that people know how to preserve evidence and chain of custody.

2) Set up intrusion detection procedures that are regularly checked so that printed reports can be admissible in court.

Better yet, prevent the intrusion. In addition to applying your regular security patches, consider internal firewalls and personal firewalls. In a university setting the internal network is rife with hacking. Apply a firewall right in your office or local subnet. This can be done very inexpensively with an old Pentium 75 and Linux/IPCHAINS.
-Karl Muenzinger, CISSP
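As an added illustration of the chain-of-custody points made in this message (not code from the thread or any of its participants), the following script records who acquired which evidence files, hashes them at acquisition, and re-hashes them at every hand-off, so that any later change is pinned to a specific custodian's window. The names, the constructed log line and the hand-off sequence in `demo()` are assumptions for the example.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def utc_now():
    return datetime.now(timezone.utc).isoformat()


def sha256_file(path):
    h = hashlib.sha256()  # hashed in 1 MiB chunks so a full disk image need not fit in memory
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, custodian):
    """Record who acquired which files, when, and their hashes at that moment."""
    items = [{"path": os.path.abspath(p), "sha256": sha256_file(p)} for p in paths]
    return {"custodian": custodian, "acquired_utc": utc_now(), "items": items, "transfers": []}


def verify_manifest(manifest):
    """Return (path, expected, actual) for every item whose hash no longer matches."""
    bad = []
    for item in manifest["items"]:
        actual = sha256_file(item["path"]) if os.path.exists(item["path"]) else None
        if actual != item["sha256"]:
            bad.append((item["path"], item["sha256"], actual))
    return bad


def record_transfer(manifest, giver, receiver, reason):
    """Log a hand-off; re-hashing at each transfer localises a change to one custodian's window."""
    manifest["transfers"].append({"from": giver, "to": receiver, "reason": reason,
                                  "when_utc": utc_now(), "hashes_ok": verify_manifest(manifest) == []})
    return manifest


def demo():
    """Constructed scenario: a log copy is acquired, handed over intact, then edited before a second hand-off."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "syslog.copy")
        with open(log, "w") as f:
            f.write("Mar  3 02:14:07 host sshd[812]: login from 10.0.0.9\n")  # constructed sample line
        m = build_manifest([log], "first responder")
        record_transfer(m, "first responder", "campus security", "formal complaint")
        with open(log, "a") as f:
            f.write("Mar  3 02:20:00 host sshd[812]: session closed\n")  # post-acquisition edit
        record_transfer(m, "campus security", "police", "referral")
        return [t["hashes_ok"] for t in m["transfers"]], len(verify_manifest(m))
```

The manifest only proves integrity from the moment it was created; it must be produced before any recovery work begins and stored (ideally signed or witnessed) somewhere the original custodian cannot quietly rewrite.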