Académique Documents
Professionnel Documents
Culture Documents
Richard Bejtlich
richard@taosecurity.com
www.taosecurity.com / taosecurity.blogspot.com
1
Introduction
2
Lessons from The Cuckoo’s Egg
3
Screen Captures from PBS
In 1990, PBS’ “Nova” aired “The KGB, the Computer, and Me.”
4
Cliff Stoll
5
It Started with 75 Cents
6
Hunter
Stoll determined the user “Hunter” was responsible for the $0.75 discrepancy.
7
First Response
8
Third Party Notification
10
The First Intrusion Detection System for LBNL
Stoll programmed his terminal to beep every time someone logs in!
11
After 100s of Logins
12
Engage the Network Team
20
Stoll Tests the System
Now Stoll can wait for his LBNL IDS to call him at
home when Sventek logs in.
22
Additional Alerts
23
Stoll Gets Another Hit
24
LBNL Is a Stepping Stone
25
Accounts Created by Intruder
26
Accounts Created by Intruder
27
Accounts Created by Intruder
28
Accounts Created by Intruder
29
Get the ISPs Involved
30
More ISPs
31
Tracing the Next Login
33
Manual Effort
34
Stymied
Pacific Bell traced the call to VA, but the phone company
said Stoll’s search warrant is only good in CA. They
wouldn’t tell Stoll the origin of the phone call!
35
Back to the Logs
36
Enter the CIA
37
Start Calling
40
Statistics
Scotty?
42
The West German Connection
43
Modern Germany
44
Rotary Switches
The intruder spent too little time online. Stoll needed a way to
keep the intruder online longer so the Bundespost could
complete their manual trace.
46
Building the Honeypot
50
Stoll Goes to Germany
51
Brezinski and Carl
http://www.youtube.com/watch?v=v1swbLfrP6g
55
Lessons: Monitoring and Analysis
58
Watch Cliff Stoll’s TED Appearance
http://www.youtube.com/watch?v=Gj8IA6xOpSk
59
Questions?
Richard Bejtlich
richard@taosecurity.com
taosecurity.blogspot.com
60