Re: How do you become a Cyber Bounty Hunter?

From: Jimi Thompson (jimit@myrealbox.com)
Date: Sat Nov 15 2003 - 14:04:55 EST


All,

Without access to the zombie carrying out the actual attack, you have
exactly 0% chance of backtracking. Even with access to the zombie,
you still need a LOT of cooperation from the ISP that the zombie is
living on and you had better hope that their logging, etc. is in
order. In all probability, the zombie you are back-tracking from
will just point back to another zombie, ad nauseam.

Microsoft is exactly right in the approach. Most of the people brag
about what they "accomplished", and this is precisely how they get
caught. Offering a bounty will give financial incentive to those who
have been bragged to, to make a phone call. I wonder how much gear
you can buy with the bounty for Blaster?

Jimi

At 11:09 PM +0000 11/6/03, C Ryll wrote:
>After a discussion with some people regarding Microsoft's two posted
>bounties, I understand that cyber bounty hunters are actually
>available for hire by companies. I am curious what knowledge base,
>or experience, this type of independent position would require.
>Where would you obtain this form of security knowledge? Given that
>MAC and IP can both be spoofed, and that victim systems are often
>used to launch some attacks, how do you actually get back to the
>original source?
>
>Note that I am not talking about fundamental security knowledge
>(I.e., how to secure a system, or determining if/what was on the
>system), but how to trace back to the origin of the attack while
>knowing that the IP and MAC are most likely spoofed and/or attacks
>rerouted.
>
>Respectfully,
>Carolyn.
>---------------------------------------------------------------------------
>Network with over 10,000 of the brightest minds in information security
>at the largest, most highly-anticipated industry event of the year.
>Don't miss RSA Conference 2004! Choose from over 200 class sessions and
>see demos from more than 250 industry vendors. If your job touches
>security, you need to be here. Learn more or register at
>http://www.securityfocus.com/sponsor/RSA_pen-test_031023
>and use priority code SF4.
>----------------------------------------------------------------------------




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:42 EDT