Re: snooper watchers

Christopher Samuel (chris@rivers.dra.hmg.gb)
Mon, 27 Feb 1995 14:18:46 +0000

In message <199502270518.AAA20096@ussenterprise.async.vt.edu>, 
	Leo Bicknell <bicknell@ussenterprise.async.vt.edu> writes:

> I just had a thought.  What about making it impossible for
> even root to cover his/her tracks?  My specific thought was writing
> things like accounting/audit logs directly to, say, a WORM drive.

In that situation the obvious thing for the cracker to do is to generate
as much misleading logging as possible, and aim to fill the WORM disk
with it.

Whilst that won't remove their footprints, they can (if they think carefully)
generate enough fake "information" to make the investigators start chasing other
leads first. I'm thinking here along the lines of bogus syslog messages
about hardware and software problems.

Now perhaps this is the sort of time you want to be running things like
swatch to monitor the logfiles, and to try to alert people when things
start to act peculiar.

Chris

P.S. This is meandering away from full-disclosure now, so I'll shut up. ;-)