
RE: [cobalt-users] Reporting hacking attempts



I believe you should report any malicious activity to CERT.  But make sure
you first follow their guidelines.  Basically any of the following should be
reported:

1. attempts (either failed or successful) to gain unauthorized access to a
   system or its data
2. unwanted disruption or denial of service
3. the unauthorized use of a system for the processing or storage of data
4. changes to system hardware, firmware, or software characteristics without
   the owner's knowledge, instruction, or consent

Just a port scan is really not substantial enough to report.

They have a form you can use to report the violation.

U.S. citizens can also contact their local FBI office if you wish to pursue
it.  It may be best to first go through local law enforcement.  But keep in
mind they are very busy and very understaffed in the region of computer
security; thus they may not be able to help if it is not too serious.  There
also may not be anyone in your local office with any training, so it's not too
unheard of to be calling many, many different offices...

Remember, though, if you are contacting law enforcement, you'll want to
ensure that you maintain as much evidence as possible.  So before you go
crazy trying to clean up your machine, you should carefully assess the
situation.  Determine how the break-in occurred, document everything
(including the steps you take) and try to make a backup of stuff like log
files (also maintain, as much as possible, the original files).  It would be
best to contact law enforcement prior to cleaning the system, especially if
you are looking to do a complete reinstall.  It will do them no good if all
the clues are removed.  Also, try to do some of the investigation yourself.
That is, go through your logs, contact the administrators of the source of
your attack to see if they can provide information.  Most likely it will
reveal a chain of servers.  If you can go back as far as possible, it can be
helpful information to law enforcement.

A company, no matter how large or small, should have an incident response
checklist that will help in, well, responding to incidents.  I guess it's the
old Boy Scouts' motto... be prepared.  A good response plan is as necessary
as a good preventative strategy.  Because no matter how much you try to
secure your servers, a cracker will find ways to get in.

Anyway, at a bare minimum I would contact CERT with an incident report.  At
the very least, it helps them with statistics, which is nice.  And they may
be able to help you with some of the technical aspects.
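The evidence-preservation steps described in the message above (back up the log files, leave the originals untouched, document what you did) can be scripted so that the copies are verifiable later.  The following is an added example, not code from the thread or from Cobalt; it assumes a POSIX shell with either `sha256sum` or `shasum` available, and the log paths and log lines it uses are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the list thread): snapshot log files into an
# evidence directory without modifying the originals, record a SHA-256
# manifest so the copies can be verified later, and keep a NOTES file
# documenting the collection, as the message above recommends.

# Pick whichever SHA-256 tool this host has (GNU coreutils or BSD/Perl shasum).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# preserve_evidence EVIDENCE_DIR FILE...
# Copies each file with cp -p (keeps mtime/ownership), makes the copy
# read-only, and appends "hash  original-path  copy-path" to MANIFEST.
# Prints the manifest path. Missing files are reported and skipped.
preserve_evidence() {
    dest="$1"; shift
    mkdir -p "$dest"
    manifest="$dest/MANIFEST"
    : > "$manifest"
    for f in "$@"; do
        [ -f "$f" ] || { echo "skipping missing $f" >&2; continue; }
        # Flatten /var/log/messages into var_log_messages to avoid collisions.
        copy="$dest/$(echo "$f" | sed 's|^/||; s|/|_|g')"
        cp -p "$f" "$copy"
        chmod 0444 "$copy"
        printf '%s  %s  %s\n' "$(hash_file "$f")" "$f" "$copy" >> "$manifest"
    done
    # Document the step itself: who collected what, and when (UTC).
    printf '%s collected %s file(s) into %s by %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$#" "$dest" "$(id -un)" >> "$dest/NOTES"
    echo "$manifest"
}

# verify_evidence MANIFEST
# Re-hashes every copy listed in the manifest; returns 0 only if all match.
verify_evidence() {
    rc=0
    while read -r sum orig copy; do
        [ "$(hash_file "$copy")" = "$sum" ] || { echo "MISMATCH $copy" >&2; rc=1; }
    done < "$1"
    return $rc
}

# Stand-alone demo on constructed sample log lines (hypothetical, not real RaQ data).
demo() {
    work=$(mktemp -d)
    printf 'Feb 19 15:34:20 raq sshd[812]: Failed password for root from 192.0.2.7\n' > "$work/auth.log"
    printf '192.0.2.7 - - [19/Feb/2001:15:35:02 -0500] "GET /cgi-bin/ HTTP/1.0" 404 -\n' > "$work/access_log"
    m=$(preserve_evidence "$work/evidence" "$work/auth.log" "$work/access_log")
    cat "$m"
    verify_evidence "$m" && echo "evidence copies verified"
}
demo
```

Run it as root on the affected host with the real paths (for example `preserve_evidence /root/evidence-$(date +%F) /var/log/messages /var/log/secure /var/log/httpd/access_log`) and copy the whole evidence directory off the machine before any cleanup.  The manifest uses whitespace as a separator, so paths containing spaces would need quoting in both functions.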

-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Gregory Galant
Sent: Monday, February 19, 2001 7:14 PM
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: RE: [cobalt-users] Reporting hacking attempts


Use this address to report incidents:

http://www.nipc.gov/incident/cirr.htm

The FBI will often follow up. If there is no large financial damage, it is
not very likely the FBI will pursue the claim.

Gregory Galant
President/CEO, Halenet, Inc.
(631) 673-7157 -- Fax: (631) 673-5557
galant@xxxxxxxxxxx -- http://www.halenet.com


-----Original Message-----

Date: Mon, 19 Feb 2001 15:34:20 -0500 (EST)
From: Michael Schumacher <cobaltraq@xxxxxxxx>
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: [cobalt-users] Reporting hacking attempts
Reply-To: cobalt-users@xxxxxxxxxxxxxxx

With all the recent talk of hacked RAQs, I began to wonder if everyone was
reporting these hacks and/or hack attempts.

Where are you reporting hacking attempts? cert.org? Are there better places
to report incidents?

Where do you draw the line? Do you report every port scan that you detect?
Do you just report malicious activity?

_______________________________________________
cobalt-users mailing list
cobalt-users@xxxxxxxxxxxxxxx
To Subscribe or Unsubscribe, please go to:
http://list.cobalt.com/mailman/listinfo/cobalt-users