I would ask the FBI if they have a recommendation for an Incident Response
Team that could come in and sweep the machines.  The more time you spend
looking and scanning the better the chance they will get out and leave
nothing behind.  They may have only connected long enough to get the
information and then cleaned up after themselves already.

Jon

On Wed, Aug 26, 2009 at 11:49 AM, David W. McSpadden <[email protected]> wrote:

>  It wanted to leak by the girls in that department just refused to process
> the fraudulent item.
> Buck stops here so to speak.  Now I am just trying to cover our butts and
> determine how the creds got out....
>
>  ----- Original Message -----
> *From:* Jon Harris <[email protected]>
> *To:* NT System Admin Issues <[email protected]>
>  *Sent:* Wednesday, August 26, 2009 11:40 AM
> *Subject:* Re: Reporting user fraud
>
>  You forgot HR; some of them can create positions with salaries or modify a
> person's salary.  Either way money could be leaking out that should not be.
>
> Jon
>
> On Wed, Aug 26, 2009 at 11:12 AM, Jonathan Link
> <[email protected]> wrote:
>
>> A is too specific, could've been brute force or an easily guessed password
>> in addition to malware/keylogger.
>> Can you determine what was accessed with any degree of certainty?  What
>> regulatory agencies is your organization governed by?  I'd start with that.
>>
>> Interestingly, did you read this Washington Post article?
>>
>>
>> http://www.washingtonpost.com/wp-dyn/content/article/2009/08/24/AR2009082402272.html?nav=hcmodule&sid=ST2009082500907
>> (beware the wrap)
>> I would also review banking information if this person is at all involved
>> with bookkeeping, AP or AR functions.
>> On Wed, Aug 26, 2009 at 10:59 AM, David W. McSpadden
>> <[email protected]> wrote:
>>
>>>  If someone has access to your ssl website with valid username and
>>> password you assume that either 1 of 2 things have happened:
>>> A someone has a keylogger and their computer is compromised.
>>> B someone just out and out gave the information away.
>>>
>>> Is that a correct assessment?
>>>
>>> If you have the IP from the 'hacker' that accessed your website who do
>>> you report it to???
>>> Most likely it is a bot and nothing can be done but who do you report it
>>> to nonetheless???
>>>
