Lesson 11 Case Study I: Cuckoo’s Egg Review
Overview
• What Happened
• What Techniques Worked
• What Techniques Didn’t
• Lesson to Teach
UTSA IS 6353 Security Incident Response
What Happened?
• Unknown user exploited a computer at UC Berkeley
• Exploited a vulnerability in the email system
• Gained superuser access
• Created accounts
• Installed backdoors
• Wiped logs
• Hacked other networks
• Pilfered systems
Enter Cliff Stoll
• Poor astronomer who needed $$$$
• Worked in the computer center
• Noticed a 75-cent anomaly in the accounting system
• Found the “Hunter” account
• Grabbed the tiger by the tail and didn’t let go
• Persistence, persistence, persistence
• 1+ year chase
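The 75-cent anomaly is a reconciliation between two independent records of the same activity: the system’s own resource accounting and the billing ledger. As an added example, not from the slides or the book, here is that check in Python on constructed sample data; the rate, account names, amounts and timestamps are invented, and the usage that no authorized account explains is reported together with its session timestamps for correlation with logs.

```python
from collections import defaultdict

# Constructed sample data (hypothetical; not taken from the book or the slides).
# BILLING_LEDGER is what the accounting office billed each account, in cents.
# USAGE_RECORDS is the system's own per-session resource accounting.
BILLING_LEDGER = {"alice": 1250, "bob": 325, "carol": 800}
CPU_RATE_CENTS_PER_MIN = 5
USAGE_RECORDS = [  # (timestamp, account, cpu_minutes)
    ("1986-08-01T02:14", "alice", 250),
    ("1986-08-02T11:03", "bob", 65),
    ("1986-08-03T20:47", "carol", 160),
    ("1986-08-04T03:12", "hunter", 10),  # not in the authorized list
    ("1986-08-05T03:05", "hunter", 5),
]
AUTHORIZED_ACCOUNTS = {"alice", "bob", "carol"}


def reconcile(billing, usage, rate_cents, authorized):
    """Cross-check system-side usage against the billing ledger.

    Returns (discrepancy_cents, unregistered_accounts, sessions): the amount of
    usage that no billed account explains, which accounts caused it, and the
    timestamps of their sessions so an analyst can correlate them with logs.
    Integer cents are used so that money never goes through floating point.
    """
    charged = defaultdict(int)
    sessions = defaultdict(list)
    for ts, account, minutes in usage:
        charged[account] += minutes * rate_cents
        sessions[account].append(ts)
    discrepancy = sum(charged.values()) - sum(billing.values())
    unregistered = sorted(a for a in charged if a not in authorized)
    return discrepancy, unregistered, {a: sessions[a] for a in unregistered}


if __name__ == "__main__":
    cents, accounts, when = reconcile(BILLING_LEDGER, USAGE_RECORDS,
                                      CPU_RATE_CENTS_PER_MIN, AUTHORIZED_ACCOUNTS)
    print(f"unexplained usage: {cents / 100:.2f} dollars from {accounts}")
    for account, stamps in when.items():
        print(f"  {account}: sessions at {', '.join(stamps)}")
```

A zero discrepancy with an unregistered account still appearing, or a non-zero discrepancy with no unregistered account, both deserve a look: the first means a billed account is under-reported, the second that an authorized account is being used more than it is billed.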
Innovative Techniques
• First intrusion detection system
• Keystroke logging
• Internet traceback
• Use of a “honey pot”
• Electronic signals analysis on Kermit
The Good
• His persistence
• His willingness to learn
• Diligently researched unknowns
• Obtained supervisor’s approval
• Kept detailed notes in his log book
• Time-stamped everything
• Cross-correlation of data
• Maintained tight operational security
• Communicated with everyone
The Bad
• No incident response plan
• Initially removed the “Hunter” account
• Broke the chain of evidence by mishandling the bulk of the printouts outside of a controlled environment
• Conducted social engineering to get information
• Sometimes failed to get permission
• Failed to obtain funding (but he has a great book deal!)
• Jumped to conclusions at times
The Ugly
• He social-engineered others
• He hacked into some systems
• Government investigators were slow to respond
Summary
• Thought-provoking novel of intrigue
• Many concepts still in use today
• Common pitfalls:
  • Failed to discuss what didn’t work
  • Failed to reference properly
  • Lack of bibliography (minimal references)