EH-Net
  Show Posts
Pages: 1 [2] 3
16  Resources / Tools / Tools for auditing folder/file permissions on: February 29, 2008, 09:44:44 AM
Anyone have a suggestion for a good tool for auditing folder/file permissions on a Windows file server?  (open source or commercial). 
cacls and xcacls are pretty lame when you have lots of groups and tons of subfolders.  I'd like to be able to send the owner of the folder an easy to read report (remembering the folder owners are mostly non-technical and BUILTIN\Administrators    Full Control [ALL] doesn't mean too much to them), so they can determine if the access is appropriate.  Obviously, over time as people change job responsibilities and what not, people end up with many more permissions than they require.

I have seen a demo from a vendor called Varonis and the tools looked pretty good.  Wondering what other people out there are doing or have experienced. Especially any open source tools out there.

17  Ethical Hacking Discussions and Related Certifications / Incident Response / Re: Removing links from search engines on: February 27, 2008, 09:07:43 AM
Oh, and we obviously asked the third party to remove it from their website and determine how it got exposed in the first place.
18  Ethical Hacking Discussions and Related Certifications / Incident Response / Removing links from search engines on: February 27, 2008, 09:06:34 AM
Hey guys,

  We've had a confidential document exposed (not by us, but a third party) and it is now available on Google and other search engines if you search the right keywords.  I know you can contact most search engines and have them remove the link and any cached data of the file they may have. 

Anything else I'm missing?
19  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: I need help our servers are been attacked on: February 22, 2008, 11:46:46 AM
I agree with Morpheus.

If you do want to pursue things legally, you should quickly hire a firm experienced in incident response and forensics, as it sounds from your post that your company does not have this in-house capability.  And if this is the case, you should stop your attempts at any removal as you may be destroying evidence.

As Morpheus mentioned, I think your best bet is to completely rebuild the system from scratch, being sure to apply all necessary security patches for the OS AND any applications running before allowing access again from the internet.  Careful with restoring anything from backups as it may be difficult to determine when exactly the machine was compromised and you may be restoring infected files.

You mentioned that ftp is not allowed from your server to the internet.  However, from the quick googling I did on these trojans, at least one of them has the ability to connect over http to a malicious server on the internet.  I would think you need to allow inbound http and established replies, but there is probably no reason to allow outbound http from the server; if there is a reason, you should limit it to only the IPs required.

Also based on my quick googling, it looks like the malware you mentioned does not have a propagation mechanism in and of itself.   You might want to look at whether an administrator or someone else recently downloaded and installed something from the internet; this may have been the initial infection point.  Of course, someone could have written something to exploit a vulnerability and dump these trojans, so it's hard to say, but still something to look at.



20  Resources / News from the Outside World / Cold Boot Attacks on Encryption Keys on: February 22, 2008, 10:39:46 AM
Posted on Bugtraq this morning and the other day on Slashdot:

Abstract: Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at operating temperatures and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images. We show that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access. We use cold reboots to mount attacks on popular disk encryption systems — BitLocker, FileVault, dm-crypt, and TrueCrypt — using no special devices or materials. We experimentally characterize the extent and predictability of memory remanence and report that remanence times can be increased dramatically with simple techniques. We offer new algorithms for finding cryptographic keys in memory images and for correcting errors caused by bit decay. Though we discuss several strategies for partially mitigating these risks, we know of no simple remedy that would eliminate them.

http://citp.princeton.edu/memory/

21  Features / Oct 07 - Worst. Ethical. Hacker. Challenge. Ever. / Re: Skillz Oct 07 Winning Entry - Creative on: December 12, 2007, 04:07:55 PM
Thanks!!!
22  Features / Skillz / Skillz Challenge suggestion on: December 12, 2007, 03:56:42 PM
How about having a challenge to come up with a challenge? It would have to be themed, as all previous ones have been, the author must also provide the solution, etc.   It might be difficult to put parameters around what a winning submission must be though, i.e. must be challenging, but not absurdly so, etc.   On the bright side, one month would be the challenge to come up with a challenge, the next month everyone tries to solve that winning entry - get two for the price of one :-)  anyways, just a thought.
23  Ethical Hacking Discussions and Related Certifications / Incident Response / Re: Firewall denying syn/ack inbound. on: April 06, 2007, 08:33:20 AM
Yes, not an idle scan.  That IP is the FW.  Or at least there isn't enough info to determine if an internal host was trying to do a scan.  You'd expect to see the attacker sending SYN ACK directly to the zombie in the last step of an idle scan to get the IP ID.  With all the IPs redacted, there isn't enough info.  Good write-up here on idle scans:
http://insecure.org/nmap/idlescan.html


Could be a lot of things.  Could also be that a legitimate SYN was sent outbound, but the internet server had a long delay and the outbound entry was cleared from the state table.  Could be a bad guy doing packet crafting trying to get past a simple packet filter.  Could also be a NAT issue.   However, I think you might be on the right track with the ECN. 
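As an added illustration (not part of the post), here is a toy stateful filter that replays a constructed capture and labels each inbound SYN/ACK as allowed, stale-state (the slow-server case described above, where the outbound entry had already been cleared) or unsolicited (never requested from inside, so a crafted packet, probe or NAT problem). The 30-second timeout, the Packet fields and the sample addresses are assumptions.

```python
from dataclasses import dataclass

STATE_TIMEOUT = 30.0  # seconds an unanswered outbound SYN stays in the state table (assumed)

@dataclass
class Packet:
    t: float        # seconds since start of capture
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # "S" = SYN, "SA" = SYN/ACK
    direction: str  # "out" (LAN -> internet) or "in"

def classify_inbound_synacks(packets):
    """Replay packets through a toy stateful filter and label each inbound SYN/ACK:
    "allowed" (live state entry), "stale-state" (we sent a SYN but the entry timed
    out: the slow-server case), "unsolicited" (no SYN ever went there: crafted
    packet, scan probe, or a NAT/routing problem)."""
    state = {}       # (lan_ip, lan_port, remote_ip, remote_port) -> time of outbound SYN
    history = set()  # every 4-tuple we ever SYN'd, kept for triage after expiry
    verdicts = []
    for p in sorted(packets, key=lambda x: x.t):
        if p.direction == "out" and p.flags == "S":
            key = (p.src, p.sport, p.dst, p.dport)
            state[key] = p.t
            history.add(key)
        elif p.direction == "in" and p.flags == "SA":
            key = (p.dst, p.dport, p.src, p.sport)  # rewrite to the LAN side's view
            sent = state.pop(key, None)
            if sent is not None and p.t - sent <= STATE_TIMEOUT:
                verdicts.append((p, "allowed"))
            elif key in history:
                verdicts.append((p, "stale-state"))
            else:
                verdicts.append((p, "unsolicited"))
    return verdicts

# Constructed sample capture (documentation-range addresses, not real traffic).
SAMPLE = [
    Packet(0.0, "10.0.0.5", 40001, "203.0.113.10", 443, "S", "out"),
    Packet(0.2, "203.0.113.10", 443, "10.0.0.5", 40001, "SA", "in"),  # prompt reply
    Packet(1.0, "10.0.0.5", 40002, "203.0.113.20", 80, "S", "out"),
    Packet(45.0, "203.0.113.20", 80, "10.0.0.5", 40002, "SA", "in"),  # reply after entry expired
    Packet(50.0, "198.51.100.7", 80, "10.0.0.5", 40003, "SA", "in"),  # nobody asked for this
]

if __name__ == "__main__":
    for p, verdict in classify_inbound_synacks(SAMPLE):
        print(f"t={p.t:5.1f} SYN/ACK from {p.src}:{p.sport} -> {verdict}")
```

With real firewall logs the same triage applies: a denied inbound SYN/ACK preceded by an outbound SYN to that host and port points at state expiry, while one with no prior SYN at all is what crafted packets or scan probes look like.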
24  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Firewalls on: April 05, 2007, 03:38:28 PM
As with any technology implementation, what is "best" is dependent on what your requirements are.

  Do you have a need to manage many firewalls and wish to do so from a single console for policies and logging?  Then maybe Checkpoint is best.

  Do you have really high bandwidth needs and have a ton of VPN clients coming in?  Well, then Netscreen might be your choice.

  Does your security policy or risk analysis make you move more toward a proxy type firewall versus a stateful inspection firewall?  Then maybe Sidewinder is best.

  etc., etc., etc.

Every vendor will always claim to solve all your needs when the truth is something different.

25  Features / Opinions / Re: Bruce Schneier and Marcus Ranum on Pen Testing on: March 16, 2007, 10:00:15 AM
I agree
26  Features / Opinions / Bruce Schneier and Marcus Ranum on Pen Testing on: March 16, 2007, 07:48:54 AM
Anyone see this month's issue of Info Sec magazine? 

Bruce Schneier and Marcus Ranum did a face off piece on Penetration testing.  Not exactly a glowing recommendation of the profession.  At some level, I have to agree with what they say though.
27  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: cached domain password retrieval on: February 28, 2007, 09:41:03 AM
what are the command line switches you are using with fgdump?
28  Columns / Wilson / Re: [Article]-Alternate Data Streams (ADS): Hiding In Plain Site on: February 28, 2007, 09:23:56 AM
Why MSFT includes this in NTFS, yet provides no native tools to work with ADS is completely beyond me.
29  Resources / News from the Outside World / Re: Hacktivism - Good or bad? on: February 26, 2007, 12:04:36 PM
When points like this are raised from time to time, I always relate it back to the physical world.  If this hacktivist had broken into the judge's home to look for evidence, he could have (and should have) been arrested for breaking and entering.   In my mind there is no difference between the cyber world and the physical world when it comes to intrusion.   And I agree with the other points mentioned above about mucking with evidence and giving the defense attorneys ammunition.  The ends do not justify the means. 

Where do you draw the line?  How would people feel if the RIAA was installing trojans to see who is downloading music illegally?  Granted it's nowhere near the level of crime of child pornography (not even in the same ballpark), but you see my point.

Also, under US laws, the hacktivist himself could have been arrested.  The article states "... wrote the Trojan and embedded it in images of child pornography. He then planted the images on newsgroup sites frequented by pedophiles...."  This implies he had the child porn images on his computer.  The child porn laws are quite clear and he should have been arrested for possession himself.
30  Ethical Hacking Discussions and Related Certifications / Other / Re: local admin victory at last on: January 23, 2007, 03:15:10 PM
Ah yes, I forgot to mention the "Run As" option, which we do use when applicable.