In most cases, the initial compromise was a file that exploits a vulnerability in the file handler. The file is introduced either through email (phishing or spearphishing) or from a website (drive-by). Once the bad guys have that access, they immediately capture local copies of all password hashes looking for a privileged account (preferably, in the case of Windows, the domain administrator) and then use that privileged account to spread. In some cases, the bad guys use exploits that work through vulnerabilities in network-facing services - usually only for internal spread, since the most vulnerable services are hidden behind firewalls.
Remote access services for employees to work from home, either with a company or private computer, have been a frequent attack point since the RSA compromise. Once in as the employee, the bad guys follow the usual path.
On Jan 4, 2012, at 9:52 AM, Owen Densmore wrote:
Interesting mess a supposed gvt strategy contractor got themselves into:
Bet: the initial compromise was not password/login based. Most likely a social stunt or disgruntled employee... or, more lately, a hacked cell phone.
-- Owen
============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
lectures, archives, unsubscribe, maps at http://www.friam.org
Ray Parks
Consilient Heuristician/IDART Program Manager
V: 505-844-4024 M: 505-238-9359 P: 505-951-6084
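As an added illustration, not part of the thread and not code from either poster, here is a defender-side check for the "spread" step described above: a single privileged account authenticating to many distinct hosts from one source within a short window. The log line format, the account name, the host names and the timestamps are all constructed for the example; a real deployment would feed it Windows security events or an equivalent authentication log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the thread):
# timestamp, event, account, source host, destination host.
SAMPLE_LOG = """\
2012-01-04T09:10:02 LOGON user=jsmith src=ws-117 dst=ws-117
2012-01-04T09:12:40 LOGON user=DOMAIN\\admin src=ws-117 dst=fileserv01
2012-01-04T09:13:05 LOGON user=DOMAIN\\admin src=ws-117 dst=ws-204
2012-01-04T09:13:21 LOGON user=DOMAIN\\admin src=ws-117 dst=ws-205
2012-01-04T09:13:44 LOGON user=DOMAIN\\admin src=ws-117 dst=sql02
2012-01-04T09:14:10 LOGON user=DOMAIN\\admin src=ws-117 dst=dc01
2012-01-04T10:30:00 LOGON user=DOMAIN\\admin src=mgmt01 dst=dc01
2012-01-04T11:00:00 LOGON user=DOMAIN\\admin src=mgmt01 dst=fileserv01
"""

# Hypothetical line layout used only by this example.
LINE_RE = re.compile(r"^(\S+) LOGON user=(\S+) src=(\S+) dst=(\S+)$")


def parse_logons(text):
    """Parse the constructed log format into (timestamp, user, src, dst) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        ts, user, src, dst = m.groups()
        events.append((datetime.fromisoformat(ts), user, src, dst))
    return events


def fan_out_alerts(events, window=timedelta(minutes=5), threshold=4):
    """Flag each (user, src) pair that reaches `threshold` distinct destination
    hosts inside any sliding `window`. Returns (user, src, first_ts, targets).

    Normal admin activity tends to touch a few hosts over hours; an attacker
    who has just harvested a privileged hash tends to fan out in minutes.
    """
    by_pair = defaultdict(list)
    for ts, user, src, dst in events:
        by_pair[(user, src)].append((ts, dst))

    alerts = []
    for (user, src), hits in by_pair.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            targets = {dst for ts, dst in hits[i:] if ts - start <= window}
            if len(targets) >= threshold:
                alerts.append((user, src, start, sorted(targets)))
                break  # one alert per pair is enough for triage
    return alerts


if __name__ == "__main__":
    for user, src, start, targets in fan_out_alerts(parse_logons(SAMPLE_LOG)):
        print(f"{start.isoformat()} {user} from {src} -> {len(targets)} hosts: {targets}")
```

The window and threshold are deliberately conservative placeholders; tune them against a baseline of the environment's legitimate administrative activity, and treat the source host in any alert as the first candidate for the initial compromise.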