RE: [Full-Disclosure] Removing Fired admins
- To: full-disclosure@lists.netsys.com
- Subject: RE: [Full-Disclosure] Removing Fired admins
- From: "Michael T. Harding" <michael_t_harding@hotmail.com>
- Date: Fri, 13 Feb 2004 11:01:46 -0500
Guys;

Thanks for the input and I love the philosophical debate about how this
happened, what I can do in the future to prevent it, etc.

A little more info; I am being brought in to help consult on this project,
the ex-admin is, well, let's just say the local and state law enforcement teams
are being brought in today to assist, and therefore the problem is probably
pretty deep. He has been a fully entrenched admin since the inception of the
agency.

What I really am looking for is some kind of checklist/information sheet so
we don't forget anything major, at least to check.

Depending on what we might find today, the decision is already on the table
as to whether we should treat this as a total breach and scrub the whole plant
and start over. That remains to be seen.

While an automated solution would be great to have, I don't have time to
research them before we get to work. (I am of the belief that they won't work
well anyway but that is another debate.)

Does anyone know of a SANS, or GIAC or any other security body who has a
"minder" list of some sort? I know others have gone through this and have
learned some lessons, both good and bad ones, that I hope they can share.

If not, I will try and document what we do and maybe look to publish
something for future reference.

Thanks,

> From: "James Patterson Wicks" <PWICKS@OXYGEN.COM>
> To: full-disclosure@lists.netsys.com
> Subject: RE: [Full-Disclosure] Removing Fired admins
> Date: Fri, 13 Feb 2004 08:06:57 -0500
>
> Only the senior administrator and the CTO have the root password to the
> Unix systems. The senior admin does not "own" any servers, but is the
> manager for all of the other admins. He could get mad and make changes
> to the interpreter, but the server "owner" would notice this and check
> the changes against the change management log. Any unusual events would
> be sent to the CTO.
>
> Like you said, there is no magic button to press and instantly remove an
> admin's influence from an enterprise. BUT if you have a good process in
> place that leverages existing technologies, you can do a good job of
> protecting your enterprise. Admins leave companies all the time, but
> enterprises continue to operate without a problem.
>
> If all else fails, make sure that the company lawyer is in the office
> when you fire the admin. A good threat can go a long way.
>
> -----Original Message-----
> From: full-disclosure-admin@lists.netsys.com
> [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Volker Tanger
> Sent: Friday, February 13, 2004 2:51 AM
> To: full-disclosure@lists.netsys.com
> Subject: Re: [Full-Disclosure] Removing Fired admins
>
> Hi!
>
> > We are working on something called "The Button", which is nothing but a
> > small script that activates a series of scripts that change all root,
> > local and domain administrator passwords on our Unix and Windows
> > servers when run.
>
> The ex-admin had ROOT access to "his" servers, right? So he can change
> ANYTHING, right? Including the script, e.g. like NOT changing passwords
> or adding secret admin-level accounts, right?
>
> You said "script", so it uses BASH, PERL or something. ROOT can change
> anything, right? So he could have changed the BASH, PERL interpreter or
> something, right?
>
> There is no technical solution to a social problem - well, except in
> this case maybe reformatting the disks and reinstalling from scratch and
> clean media.
>
> Sorry
>
> Volker Tanger
> ITK-Security
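As an added example that is not from this thread and not anyone's posted "Button" script, the POSIX shell audit below covers a few of the checks a post-termination checklist for a Unix host would start with: UID 0 accounts other than root, sudoers lines that grant password-less unrestricted root, SSH authorized_keys entries (a credential that a password reset does not revoke), and a SHA-256 comparison of binaries against a manifest. Every input file is constructed sample data written to a temporary directory so the script runs offline; the account names, keys, file layout, manifest format and the use of GNU coreutils sha256sum are all assumptions. Volker's point still applies: on a host the ex-admin controlled, awk, grep and sha256sum are exactly what he could have replaced, so run this from a boot of clean media with a manifest taken from clean media, and treat it as a way not to forget things rather than as proof the host is clean.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed sample data stands in for
# the real /etc/passwd, /etc/sudoers, ~/.ssh/authorized_keys and a hash
# manifest; on a real host, run from clean media, since the tools used here
# (awk, grep, sha256sum) are what a former root user could have altered.

# Root-equivalent accounts: any UID 0 entry whose name is not "root".
find_uid0_aliases() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# sudoers lines that grant password-less, unrestricted root ("NOPASSWD: ALL").
find_nopasswd_all() {
    grep -E '^[^#]*ALL[[:space:]]*=.*NOPASSWD:[[:space:]]*ALL' "$1" | sed 's/[[:space:]].*//'
}

# SSH keys: each one logs in without a password, so resetting every root and
# admin password ("The Button") leaves all of them valid.
count_authorized_keys() {
    grep -cE '^(ssh-(rsa|dss|ed25519)|ecdsa-)' "$1"
}

# Print each path whose SHA-256 differs from the manifest ("hash  path" per
# line, i.e. sha256sum's own output format). Assumes GNU coreutils sha256sum.
verify_manifest() {
    while read -r expected path; do
        actual=$(sha256sum "$path" 2>/dev/null | cut -d' ' -f1)
        [ "$actual" = "$expected" ] || echo "$path"
    done < "$1"
}

# One report over a directory holding the four inputs.
audit_host() {
    echo "UID 0 aliases:    $(find_uid0_aliases "$1/passwd" | tr '\n' ' ')"
    echo "NOPASSWD ALL:     $(find_nopasswd_all "$1/sudoers" | tr '\n' ' ')"
    echo "SSH keys present: $(count_authorized_keys "$1/authorized_keys")"
    echo "Changed binaries: $(verify_manifest "$1/manifest" | tr '\n' ' ')"
}

# --- constructed sample input (hypothetical accounts, keys and binaries) ---
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
cat > "$workdir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backup admin:/root:/bin/sh
alice:x:1000:1000::/home/alice:/bin/sh
EOF
cat > "$workdir/sudoers" <<'EOF'
# User privilege specification
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD: ALL
bob     ALL=(ALL) /usr/bin/systemctl
EOF
cat > "$workdir/authorized_keys" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ex-admin@laptop
# a comment, not a key
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA backup@nas
EOF
printf 'echo good\n' > "$workdir/bin_good"
printf 'echo tampered\n' > "$workdir/bin_tampered"
# The manifest records the clean-media hash for both files; bin_tampered's
# on-disk content differs from it, so verify_manifest must report that path.
good_hash=$(sha256sum "$workdir/bin_good" | cut -d' ' -f1)
printf '%s  %s\n%s  %s\n' "$good_hash" "$workdir/bin_good" \
                          "$good_hash" "$workdir/bin_tampered" > "$workdir/manifest"

audit_host "$workdir"
```

On the sample data the report lists `toor` as a UID 0 alias, `alice` as a NOPASSWD ALL sudoer, two SSH keys, and `bin_tampered` as changed. The sudoers pattern only catches the unrestricted `NOPASSWD: ALL` form; per-command NOPASSWD grants, cron entries, SUID binaries and PAM or NSS modules are further items for the same checklist.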
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html