
Lesson 11 Case Study I: Cuckoo’s Egg Review


gil

Presentation Transcript


  1. Lesson 11 Case Study I: Cuckoo’s Egg Review

  2. Overview
     • What Happened
     • What Techniques Worked
     • What Techniques Didn’t
     • Lesson to Teach
     UTSA IS 6353 Security Incident Response

  3. What Happened?
     • Unknown user exploited a computer at UC Berkeley
     • Exploited a vulnerability in Email System
     • Gained Super User
     • Created Accounts
     • Installed backdoors
     • Wiped Logs
     • Hacked other networks
     • Pilfered Systems

  4. Enter Cliff Stoll
     • Poor Astronomer who needed $$$$
     • Worked in Computer Center
     • Noticed a 75-cent anomaly in accounting system
     • Found the “Hunter” account
     • Grabbed the tiger by the tail and didn’t let go
     • Persistence, persistence, persistence
     • 1+ year chase

  5. Innovative Techniques
     • First Intrusion Detection System
     • Keystroke logging
     • Internet traceback
     • Use of a “honey pot”
     • Electronic signals analysis on Kermit

  6. The Good
     • His persistence
     • His willingness to learn
     • Diligently researched unknowns
     • Obtained supervisor’s approval
     • Kept detailed notes in his log book
     • Time stamped everything
     • Cross-correlation of data
     • Maintained tight operational security
     • Communicated with everyone

  7. The Bad
     • No incident response plan
     • Initially removed “Hunter” account
     • Broke the chain of evidence by mishandling the bulk of the printouts outside of a controlled environment
     • Conducted social engineering to get information
     • Sometimes failed to get permission
     • Failed to obtain funding (but he has a great book deal!)
     • Jumped to conclusions at times

  8. The Ugly
     • He social engineered others
     • He hacked into some systems
     • Government investigators slow to respond

  9. Summary
     • Thought-provoking novel of intrigue
     • Many concepts still in use today
     • Common pitfalls:
       • Failed to discuss what didn’t work
       • Failed to reference properly
       • Lack of bibliography—minimum references
