Tuesday, April 05, 2005

Yet another incident write-up...

Not too long after reading JOAT's blog, I was over on Michael Howard's blog and caught a write-up of how he handled a spyware incident. My comments are as follows:

1. I prefer a nice, oaky Chardonnay, or if I'm in the mood for a red, I tend to prefer a shiraz, perhaps Australian.

2. One of the things Michael mentioned using was Port Reporter...excellent suggestion. This nifty tool from MS fills a real gap, logging which process opened which TCP/UDP port to which remote address, the kind of connection logging that other operating systems tend to provide out of the box. If you find it daunting to parse through the logs looking for "suspicious" or "unusual" entries, I'd strongly recommend installing the Port Reporter Parser tool along with it.

3. I would have strongly recommended that he include SpyBot and AdAware on his thumb drive, along with the other tools he mentioned. Thumb drives are becoming ubiquitous, and they're rewritable, so you can drop new versions of your tools onto them whenever they're updated.

4. For learning purposes, I would have liked to know a little more about the connections to Brazil and Russia, and how the son was exonerated for the pr0n on the system. Providing details of the steps used, data collected, and decisions made would have been helpful, as well as entertaining.

5. One of the comments that concerns me is "I also ran RootkitRevealer 1.32 from sysinternals.com, and saw nothing out of the ordinary. So I consider the machine clean." After all the posts we've seen about how easily tools like RootkitRevealer and BlackLight can be fooled, I don't know if I'd consider the system "clean" based on that information alone.

6. I do agree that all it takes is a little education, and most folks will be fine. This time of year, folks really need to be careful, though...it's tax season, and lots of people use TurboTax, TaxCut, and other tax preparation software. That's all good and fine, but these products create files on your machine...files that an intruder can easily steal or copy ("YOINK!")...so be sure to batten down the hatches...
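Going back to item 2, the triage step that Port Reporter Parser helps with is essentially "which connections don't fit this machine's normal pattern?" Below is an added example of that logic, not code from the original post and not Microsoft's tool. The log lines are constructed for illustration in a simple comma-separated layout (date, time, protocol, local port, local IP, remote port, remote IP, PID, process, user); this is not Port Reporter's actual log format, just a stand-in carrying the same kinds of fields an analyst looks at. The process name msupd.exe, the baseline, and the remote addresses (drawn from the RFC 5737 documentation ranges) are all assumptions for the example.

```python
"""Triage a per-connection port log for entries outside a known-good baseline.

Added example; the sample log below is constructed and uses a made-up CSV
layout, NOT Port Reporter's real format. Remote addresses are RFC 5737
documentation addresses so nothing here points at a real host.
"""
import csv
import ipaddress
from io import StringIO

FIELDS = ["date", "time", "proto", "lport", "lip", "rport", "rip", "pid", "process", "user"]

# Constructed sample: two browser connections, a NetBIOS broadcast, two
# connections from an unfamiliar binary (msupd.exe, hypothetical), and mail.
SAMPLE_LOG = """\
2005-04-05,09:01:12,TCP,1031,192.168.1.20,80,192.0.2.10,1320,iexplore.exe,HOME\\dad
2005-04-05,09:01:40,TCP,1032,192.168.1.20,443,192.0.2.11,1320,iexplore.exe,HOME\\dad
2005-04-05,09:03:05,UDP,137,192.168.1.20,137,192.168.1.255,4,System,NT AUTHORITY\\SYSTEM
2005-04-05,09:05:51,TCP,1040,192.168.1.20,6667,198.51.100.7,2216,msupd.exe,HOME\\dad
2005-04-05,09:06:02,TCP,1041,192.168.1.20,8080,203.0.113.45,2216,msupd.exe,HOME\\dad
2005-04-05,09:07:30,TCP,1042,192.168.1.20,25,192.168.1.1,3100,outlook.exe,HOME\\dad
"""

# (process, remote port) pairs considered normal for this box. A real baseline
# is built from a known-good period on the same machine; this one is assumed.
BASELINE = {
    ("iexplore.exe", 80), ("iexplore.exe", 443),
    ("outlook.exe", 25), ("outlook.exe", 110),
}

# Explicit ranges rather than ipaddress.is_private, which would also treat the
# RFC 5737 documentation ranges used in the sample as "private".
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",    # loopback, link-local, multicast
)]


def is_local(ip):
    """True if the address is on the LAN or otherwise non-routable."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def parse_log(text):
    """Parse the CSV layout into dicts with numeric port/PID fields."""
    rows = []
    for rec in csv.DictReader(StringIO(text), fieldnames=FIELDS):
        for key in ("lport", "rport", "pid"):
            rec[key] = int(rec[key])
        rows.append(rec)
    return rows


def triage(entries, baseline=BASELINE):
    """Return entries that reach an external host with a (process, port)
    pair not in the baseline. Internal traffic is left for a separate pass."""
    flagged = []
    for e in entries:
        if is_local(e["rip"]):
            continue
        if (e["process"], e["rport"]) in baseline:
            continue
        flagged.append(e)
    return flagged


def by_process(entries):
    """Group remote endpoints per process so a single rogue binary stands out."""
    out = {}
    for e in entries:
        out.setdefault(e["process"], set()).add((e["rip"], e["rport"]))
    return out


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in triage(entries):
        print(f"{e['date']} {e['time']} {e['process']} (pid {e['pid']}) -> "
              f"{e['rip']}:{e['rport']}/{e['proto']} as {e['user']}")
    for proc, endpoints in by_process(entries).items():
        print(proc, sorted(endpoints))
```

On the constructed sample this flags only the two msupd.exe connections (to TCP 6667 and 8080), while the browser, broadcast NetBIOS, and LAN mail traffic fall through. The point is the workflow, not the specific rules: start from what the machine normally does, and let the parser hand you the residue to chase down by hand.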

1 comment:

Anonymous said...

Wow - your blog is full of good info. It's getting hard to find blogs with useful content and people talking about tax preparation these days. I have just started my Latest tax preparation news blog and would really appreciate you coming by - thanks again