In most cases, the initial compromise was a file that exploits a vulnerability
in the file handler. The file is introduced either through email (phishing or
spear-phishing) or from a website (drive-by). Once the bad guys have that
access, they immediately capture local copies of all password hashes looking
for a privileged account (preferably, in the case of Windows, the domain
administrator) and then use that privileged account to spread. In some cases,
the bad guys use exploits that work through vulnerabilities in network-facing
services - usually only for internal spread, since the most vulnerable services
are hidden behind firewalls.
Remote access services for employees to work from home, either with a company
or private computer, have been a frequent attack point since the RSA
compromise. Once in as the employee, the bad guys follow the usual path.
On Jan 4, 2012, at 9:52 AM, Owen Densmore wrote:
Interesting mess a supposed gvt strategy contractor got themselves into:
http://it.slashdot.org/story/12/01/04/0630203/cleaning-up-the-mess-after-a-major-hack-attack
Bet: the initial compromise was not password/login based. Most likely a social
stunt or disgruntled employee .. or more lately, a hacked cell phone.
-- Owen
============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
lectures, archives, unsubscribe, maps at http://www.friam.org
Ray Parks
Consilient Heuristician/IDART Program Manager
V: 505-844-4024 M: 505-238-9359 P: 505-951-6084
NIPR: [email protected]
SIPR: [email protected] (send NIPR reminder)
JWICS: [email protected] (send NIPR reminder)
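The spread phase Ray describes (one privileged account reused from a single foothold against many hosts) is a pattern a defender can look for in Windows logon events. As an added example that is not part of this thread, the following Python scans constructed 4624-style records (sample data, not real logs) and flags a privileged account reaching several distinct hosts from one source within a short window; the account names, hosts and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows 4624 (successful logon) events, not real logs.
# LogonType 3 = network logon, the type produced when a harvested credential
# is replayed against admin shares or remote services on other hosts.
SAMPLE_EVENTS = [
    {"time": "2012-01-04T09:50:00", "user": "CORP\\da-admin", "src": "10.0.5.17", "dst": "FS01", "logon_type": 3},
    {"time": "2012-01-04T09:51:00", "user": "CORP\\jdoe", "src": "10.0.5.40", "dst": "FS01", "logon_type": 3},
    {"time": "2012-01-04T09:52:00", "user": "CORP\\da-admin", "src": "10.0.5.17", "dst": "WS02", "logon_type": 3},
    {"time": "2012-01-04T09:52:30", "user": "CORP\\jdoe", "src": "10.0.5.40", "dst": "WS02", "logon_type": 3},
    {"time": "2012-01-04T09:53:00", "user": "CORP\\da-admin", "src": "10.0.5.17", "dst": "DC01", "logon_type": 3},
    {"time": "2012-01-04T09:53:30", "user": "CORP\\jdoe", "src": "10.0.5.40", "dst": "DC01", "logon_type": 3},
    {"time": "2012-01-04T09:54:00", "user": "CORP\\da-admin", "src": "10.0.5.17", "dst": "WS07", "logon_type": 2},
    {"time": "2012-01-04T09:55:00", "user": "CORP\\da-admin", "src": "10.0.5.17", "dst": "HR-DB", "logon_type": 3},
    {"time": "2012-01-04T10:00:00", "user": "CORP\\da-admin", "src": "10.0.9.3", "dst": "PRINT01", "logon_type": 3},
    {"time": "2012-01-04T10:30:00", "user": "CORP\\da-admin", "src": "10.0.5.17", "dst": "MAIL01", "logon_type": 3},
]

# Assumed list of accounts whose network logons deserve scrutiny.
PRIVILEGED = {"CORP\\da-admin"}


def detect_spread(events, privileged, window=timedelta(minutes=10), min_hosts=3):
    """Return (user, src, hosts) tuples for each privileged account that reaches
    at least `min_hosts` distinct hosts from one source address within `window`.
    Interactive logons (type 2) and non-privileged accounts are ignored, so a
    regular user touching many hosts does not trip the rule on its own."""
    by_key = defaultdict(list)
    for e in events:
        if e["logon_type"] != 3 or e["user"] not in privileged:
            continue
        by_key[(e["user"], e["src"])].append((datetime.fromisoformat(e["time"]), e["dst"]))

    alerts = []
    for (user, src), rows in by_key.items():
        rows.sort()  # chronological order so each row can anchor a sliding window
        for i, (t0, _) in enumerate(rows):
            hosts = {dst for t, dst in rows[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append((user, src, tuple(sorted(hosts))))
                break  # one alert per (account, source) is enough for triage
    return alerts


if __name__ == "__main__":
    for user, src, hosts in detect_spread(SAMPLE_EVENTS, PRIVILEGED):
        print(f"possible lateral movement: {user} from {src} -> {', '.join(hosts)}")
```

The same logic applies to any logon source that records account, origin and target (domain controller security logs, VPN or remote-access gateway logs); lowering `window` or raising `min_hosts` trades sensitivity for noise.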