Friday, February 18, 2005

Incident Scenario #1, follow up

As of this morning, there are 4 comments under the subject blog entry, and after reading them, I thought I'd post some of my own comments...

First off, just as a reminder, this incident scenario was based on a real-world issue, something I dealt with. I have no doubt that others have had to deal with similar incidents.

With regards to your comments, Brandon hit the nail pretty squarely on the head. Remember, this laptop was only used for dial-up access to the Internet...others may have read a bit too much into things and blown the scenario out of proportion.

One things many folks don't seem to remember is that, particularly with Windows 2000, dialing into the Internet still leaves you exposed. I didn't know for sure because the appropriate logging wasn't enabled, but I suspect that a null session was used to enumerate user names, and from there, it was pretty trivial to guess the password...a simple script could be used to enumerate through the biggies (ie, blank, "password", the username, etc.).

Having gone through the system, there really wasn't any malware involved. There wasn't too much in the way of spyware on the system, because the user (a) used a browser other than IE, and (b) pretty much only stayed to a small handful of specific sites.

I fully agree with many of the comments, but not necessarily the order. For example, what's the point of installing patches, and then wiping the drive?

If the system is a multi-user system (several users use the same system), then one way option for addressing this is to install VMWare. What you do is install the host operating system, then put XP or 2K on as a guest os. Now, I'm not sure of the steps required (or if there are any) to really lock things down so that the user is forced to use the VMWare session, but once you've got the guest os patched and configured, create a snapshot. Let the other users (ie, your kids) do their surfing, and if the configuration gets out of hand...revert to the snapshot (after making sure that any important data or documents are saved, of course).

Thanks for the input, folks...keep it coming!

1 comment:

Anonymous said...

Good use of VMWare. I use, as I am sure most other readers of the blog do, primarily for testing various 'ideas' that I have either come up with or have come across that I would like to test with. But using VM in situations where you have users who are just going to browse cartoon network or not really power use the system is a great idea. I'm am going to set this up this weekend on the 'public home' box.