Presented to:
LSA IT Staff (and anyone else that wants to attend)
By: LSA-Sec-ITAM Group October 24, 2007
0

• Chris Brenner
• Michelle Burr
• Scott Lemm
• Jeremy Hallum
• WCC Interns – Laurel Marotta & Kyle Ellicot
*All members (excepting Jeremy) are Infragard Members
(b_checks)
1

• Wireless
• SNMP
• Instant Messaging
• Exchange Email
2

• Incident Tracking
• Scanning and Reporting (Retina, Spider*, Web Application scanning)
• Departmental Risk Assessments
• Protecting Sensitive data on laptops, removable media
• Secure NAS solutions
• Printer Security (config)
Any items you would like to add?
*We have a CD version of this for those interested
BTW: Terry MacDonald signed the LSA Security Plan
3

• http://www.lsa.umich.edu/lsait/admin/security.asp
• LSA Security Initiative
• Notification Policy for Security Incidents
• Email Groups
• Advisories
• Encryption Solutions (LTD.)
Links to UM resourses (ITSS, the SPG, etc)
4

• Frequent Data Breaches
• Russian Business Network
*Or at least SHOULD BE more critical
5

•
•
•
5/06 – 137K SSNs
12/06 – 800K SSNs
6/11/07 - 6000 SSNs
•
•
SSNs
School of Ed – 7/3/07 – 5500 SSNs
School of Nursing – 9/19/07 – 8000
• specific Incidents:
– July 2006 SQL Injection (potential SSN exposure – in
English Dept)
– August 2006 - Internet facing vitae containing SSN
6

• Loss of Alumni donations
• Damage to the College’s Image & Reputation
• Lawsuits filed against the College
• Potential for Identity Theft and fraud crimes (will attackers sell this info to organized crime?)
• Informing victims is now required (MI ESB #309 Law
7/07) – fines for non-compliance can reach $750K
• UVA offered one year of credit monitoring to the victims ($240K)
• Costs of Forensics Investigation and Service
Disruption/Restoration
• Media Notification & Negative Public Relations
7

8

• What to do with a Suspicious Computer
So you got an Alert from UMNET Admins, the NOC or ITSS (or
LSA.Security)….
• Check Network Connections
• Check Services and Processes on the system
• Web Searches for anomalies
• WhoIS or NICR DB for abuse contacts (email)
• Look for unusual local accounts
• Check Log files (Event logs, firewall logs, etc)
• Run Full AV scan (Rootkitrevealer, Stinger, Malicous software removal tool)
• Spyware/Adware removal tools
• Trace the MAC address to a network jack to track system location
• Search Local Files for IP address of Bot Server for example
• Recent File access can be found in Registry
9

• FPORT.EXE, Netstat – an, TCPView
• Event logs
• Search Google for any unknown processes or services running on suspect computer
• Compare Properties, Date, Size and Ownership of suspicious files with those of a Clean computer ’ s
• Bart PE disk, Knoppix
• Ps –aux, Process Explorer, Regmon, FileMon, etc
• Sh cam <MAC address> (COS version)
• Sh MAC_Add <HH.HH.HH> (IOS version)
• Latest backup media
• Write protected Flash ROM (or CDs) with the binaries you need

Here is our current collection of tools for Compromised
Systems.
11

FPORT.EXE /P
(shows all open TCP/UDP ports on local computer and the EXEs running on them)

• Netstat will show you connections the computer has on the network, much like fport, but rather than providing a list of what processes are using each port (a very useful thing and a good reason to use fport) netstat gives you information about the port numbers at both ends instead, and also shows you the current state of each network socket.
• netstat -e - Shows you E-net interface information
• netstat -s - Shows you some general networks stats
• netstat – rn - Shows you machine's routing tables
• TCPView – GUI version.

I
E
W
P
V
T
C

NOTE: On Some Computers, you may need to check the
“Show Processes from all users” Check box.
You can click on the Column headers to sort processes alphabetically (shown) or based on CPU utilization, etc.
You may see .EXE’s running in
FPORT and NOT see them in
Task Manager or Manage ->
Services!
Tasklist command on XP.

TASKLIST
You may see
.
EXE’s running in
TASKLIST and NOT see them in Task
Manager or
Manage ->
Services!

20

• Whois.geektools.com, whois.arin.net, whois.ripe.net, etc
• Umnet NICR Information: https://netinfo.umnet.umich.edu/
• Sam Spade Utility (GUI for all this – later slide)
Info from WhoIS should include:
Two Points of contact, The Mailing Address, The phone #(s), the IP range, the ISP (if exists) and the DNS name servers.

• Retina Scans
• FailedLogins.pl (Eventlog.VBS)
• Contacts to Mark Weishan
• Contacts with UMNET Admins (umnet.admins@umich.edu)
• Peakflow-X
• V-Firewall
• UMNET Flow data (ITSS too)
• Antigen on Exchange
• MS Outlook 2000 Security Update on all LSA build clients (blocked extensions) – slipstreamed into Office 2000 package
• [\\lsa-dev\dev-w2k-packages\secure] dir
• File System Auditing (when requested – explain procedure)
NOTE: With Regards to the contacts and email lists I’m posting here. Please be aware that these resources are NOT for basic OS/Networking questions. Don’t abuse the privilege. Call/email LSA-SST first if in doubt.

• PING (is the offending machine alive and running?)
• NSLOOKUP (is the offending computer in DNS? – do
Internet name AND IP address)
• WHOIS (find remote Admin ’ s email)
• IP BLOCK WHOIS (find remote Admin ’ s email)
• DIG (for DNS)
• TRACEROUTE (tracert.exe – Windows)
• FINGER (find user in x.500 or on a specific server)
• ARP – to match IP to MAC address (PING from LAN)

29

Presentations or Reports from other LSA-Sec-
ITAM members
•Scott Lemm
•Michelle Burr
30