[plug] [Fwd: Re: David Conran's talk]

Christian christian at amnet.net.au
Mon Jun 12 10:10:23 WST 2000


On Sun, Jun 11, 2000 at 07:26:55PM +0800, Jeremy Malcolm wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> > Question I have is how does one detect if the network has been
> > compromised?  I check logs on a daily basis, but exactly what am I
> > supposed to be looking for?
> 
> I guess it is true that logs aren't that useful for determining
> whether a compromise has actually occurred.  For one thing, if you
> have a root compromise then you can't trust your log files anyway. 
> The logs are more useful to find out things like where portscans are
> coming from, before they succeed.

There is a very interesting paper by Bruce Schneier and John Kelsey on a
technique for cryptographically guaranteeing protection of all log
entries made prior to a compromise.  I'm not sure if the technique has
been implemented and, besides, it is patented.  Still, Schneier has a
good reputation when it comes to patents (none of his ciphers are
patented) so it's hard to know how useful this will be.  Then again,
Counterpane is now involved in doing third-party intrusion detection work
so protecting this sort of patent may be useful to them.  For those who
are interested the paper is "Cryptographic support for secure logs on
untrusted machines", in Proceedings of the 7th USENIX Security
Symposium, pp. 53-62.

Regards,

Christian.
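To make the idea Christian is pointing at concrete, here is a small forward-secure audit log in the spirit of the Schneier-Kelsey paper.  This is an added example, not code from the paper, from Counterpane or from anyone on this thread, and it is a deliberately reduced version of the scheme: the logging host holds only the current per-entry key A_j, authenticates each entry with a MAC under that key, links entries in a hash chain, then derives A_{j+1} by a one-way hash and erases A_j.  A trusted verifier that kept A_0 can regenerate every key and check the whole log; an intruder who gets root at step k learns A_k onward but cannot recover the earlier keys, so entries written before the compromise cannot be altered without detection.  All class and function names, and the sample syslog-style lines, are my own constructions.

```python
import hashlib
import hmac
import os

# Simplified forward-secure log (added example, not the paper's exact
# construction).  Keys evolve A_{j+1} = H("increment" || A_j) and the old
# key is discarded, so a later compromise cannot recover earlier keys.


def _evolve(key: bytes) -> bytes:
    # One-way key evolution; the logging host forgets the input key.
    return hashlib.sha256(b"increment" + key).digest()


def _entry_mac(key: bytes, index: int, prev_hash: bytes, message: bytes) -> bytes:
    # MAC over the entry index, the chain so far and the message text.
    data = index.to_bytes(8, "big") + prev_hash + message
    return hmac.new(key, data, hashlib.sha256).digest()


def _chain_hash(prev_hash: bytes, index: int, message: bytes, mac: bytes) -> bytes:
    # Y_j = H(Y_{j-1} || j || message || MAC_j) links each entry to its predecessor.
    return hashlib.sha256(prev_hash + index.to_bytes(8, "big") + message + mac).digest()


class UntrustedLogger:
    """Runs on the monitored host; keeps only the current key A_j."""

    def __init__(self, a0: bytes):
        self._key = a0                   # A_0 is shared with the verifier at setup
        self._prev_hash = b"\x00" * 32
        self.entries = []                # (index, message, mac, chain_hash)

    def append(self, message: bytes) -> None:
        j = len(self.entries)
        mac = _entry_mac(self._key, j, self._prev_hash, message)
        y = _chain_hash(self._prev_hash, j, message, mac)
        self.entries.append((j, message, mac, y))
        self._prev_hash = y
        self._key = _evolve(self._key)   # forward security: old key is gone

    def current_key(self) -> bytes:
        # What an intruder with root would find in memory after a compromise.
        return self._key


def verify_log(a0: bytes, entries) -> int:
    """Trusted verifier: length of the longest prefix whose MACs and chain check out.

    A result equal to len(entries) means the whole log is intact."""
    key, prev_hash, good = a0, b"\x00" * 32, 0
    for expected, (j, message, mac, y) in enumerate(entries):
        if j != expected:
            break
        if not hmac.compare_digest(mac, _entry_mac(key, j, prev_hash, message)):
            break
        if not hmac.compare_digest(y, _chain_hash(prev_hash, j, message, mac)):
            break
        good += 1
        prev_hash = y
        key = _evolve(key)
    return good


def demo() -> dict:
    # Constructed sample entries (not real log output).
    a0 = os.urandom(32)
    log = UntrustedLogger(a0)
    for line in (b"sshd: accepted password for alice from 10.0.0.7",
                 b"sudo: alice : TTY=pts/0 ; COMMAND=/bin/bash",
                 b"kernel: module rootkit_hide loaded"):
        log.append(line)
    intact = verify_log(a0, log.entries)            # 3: everything checks

    # Intruder gets root after entry 2 and tries to rewrite the sudo line
    # using the only key present on the box, A_3.
    stolen_key = log.current_key()
    tampered = list(log.entries)
    prev0 = tampered[0][3]
    fake = b"sudo: (nothing to see)"
    fake_mac = _entry_mac(stolen_key, 1, prev0, fake)
    tampered[1] = (1, fake, fake_mac, _chain_hash(prev0, 1, fake, fake_mac))
    trusted_prefix = verify_log(a0, tampered)       # 1: entry 1 onward rejected

    # The known limit: entries the intruder appends *after* the compromise
    # are made with A_3, which is the key the verifier expects for entry 3.
    forged = list(log.entries)
    prev2 = forged[-1][3]
    msg = b"sshd: session closed for alice"
    mac = _entry_mac(stolen_key, 3, prev2, msg)
    forged.append((3, msg, mac, _chain_hash(prev2, 3, msg, mac)))
    post_compromise = verify_log(a0, forged)        # 4: indistinguishable from genuine

    return {"intact": intact, "trusted_prefix": trusted_prefix,
            "post_compromise": post_compromise}
```

Two things a practitioner should notice.  The verifier rejects the modified pre-compromise entry without needing to trust anything on the logging host, which is exactly the property the thread was asking for; but the same intruder can append plausible entries with the key they captured, and this toy does not detect plain truncation of the tail (the paper handles closing the log and detecting that separately, for example by having the verifier know how many entries to expect).  The log file still has to get off the box, by remote syslog or regular pulls, for any of this to help.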

