Tiny Deathstars of Foulness

Ever been hacked? Had information stolen? Who do you turn to? What do you do? No matter what the level, a security breach has occurred and action must be taken to ensure a repeat offense doesn’t happen. The first reaction to a security breach is to isolate it and fix it as soon as possible. However, writing to the systems in any way can overwrite clues, and those clues are what you need to discover the identity of the attacker.

The more quickly forensic analysis is performed, the more likely it is that the attacker, vandal or thief will be apprehended. One of the best places to start is making a copy of the system that hasn’t been written to. For Windows this is done using a program like Ghost; on the Mac, using Carbon Copy Cloner or Disk Utility to create an image is a good move. Get a copy of your system as soon after a security incident as possible.

On local systems there are valuable pieces of information that can be obtained about the identity of the person stealing data, anything from the attacker’s IP address to the name of the drive they’re transferring data to. On many operating systems valuable logs or cached files are overwritten on a routine basis, so it is best to create a clone, a replica of the system in its current state, as soon as possible.

If it’s a server, the server’s logs provide good clues as to where to look for the perpetrator. Once again it is helpful to create a clone of the system; however, this is not always possible on production servers. Copying the log files is the next best thing.

Firewalls can provide good clues as well. The logging cycles on firewalls typically store data for a shorter period than workstations or servers, so creating a PDF screenshot of the firewall’s logs or exporting the logs to a text file is a good starting point. Firewalls typically provide good information on which addresses are communicating with a network. This makes them good at determining the identity of the attacker and, depending on the logging level, the attacks used.

No matter what the issue, time is of the essence. Contacting a professional to help is a good idea. Getting the FBI or the LA County District Attorney’s office involved can take time, and this can cause clues to be damaged, lost or destroyed. IT professionals can also assist in creating a chain of custody on the equipment that can later be used in court when and if the person who has invaded your privacy is apprehended and put on trial.
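When a full clone is not possible and you fall back to copying log files, the copy is only useful later if you can show it has not changed since collection. The following shell script is an added example, not code from the original post: it copies a log directory with timestamps preserved, writes a SHA-256 manifest plus a collection record (who, when), and re-verifies the copy before hand-off. The log directory and its contents are constructed in the script for the demo; point `preserve_logs` at a real log path such as a copy of `/var/log` in practice.

```shell
#!/bin/sh
# Added example: preserve log files for later analysis with a hash manifest.
# SRC is a directory of logs (constructed below for the demo) and DEST is an
# evidence directory that does not exist yet. Not the original post's code.

# Use whichever SHA-256 tool the host provides (macOS ships shasum, Linux sha256sum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Copy every regular file under SRC into DEST/files, preserving timestamps (cp -p),
# write DEST/MANIFEST with "hash  relative-path" lines (paths without spaces
# for this demo), and record who collected it and when. Returns 0 on success.
preserve_logs() {
    src=$1; dest=$2
    mkdir -p "$dest/files" || return 1
    : > "$dest/MANIFEST"
    find "$src" -type f | while IFS= read -r f; do
        rel=${f#"$src"/}
        mkdir -p "$dest/files/$(dirname "$rel")"
        cp -p "$f" "$dest/files/$rel" || exit 1
        printf '%s  %s\n' "$(sha256_of "$dest/files/$rel")" "$rel" >> "$dest/MANIFEST"
    done || return 1
    printf 'collected_by=%s\ncollected_at=%s\n' "$(id -un)" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$dest/COLLECTION"
}

# Re-hash every preserved file and compare against the manifest. Returns 0 only
# if nothing has changed; this is the check to run before handing the copy over.
verify_manifest() {
    dest=$1
    while read -r want rel; do
        have=$(sha256_of "$dest/files/$rel")
        [ "$have" = "$want" ] || return 1
    done < "$dest/MANIFEST"
}

# Constructed demo data standing in for a server's log directory.
demo_src=$(mktemp -d); demo_dest=$(mktemp -d)/evidence
printf 'Aug 28 10:01:02 host sshd[123]: Accepted password for admin from 10.0.0.5\n' \
    > "$demo_src/secure.log"
mkdir -p "$demo_src/apache"
printf '10.0.0.5 - - [28/Aug/2005:10:01:05] "GET /admin HTTP/1.1" 200 512\n' \
    > "$demo_src/apache/access_log"
preserve_logs "$demo_src" "$demo_dest" && verify_manifest "$demo_dest" && echo "manifest verified"
```

Keep MANIFEST and COLLECTION with the copy and hash the manifest itself into your incident notes; any later edit to a preserved file, even appending one line, makes `verify_manifest` fail.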

August 28th, 2005

Posted In: Mac Security


A symbolic link is *not* an alias. A symlink (symbolic link) lives in the filesystem, so all of the layers of the OS can use symlinks. This includes Carbon, Cocoa, Java, and BSD apps. Alias files are a Finder-specific concept. Aliases are not used by the rest of the system; only the Finder deals with aliases.

At the Finder level, aliases and symlinks are similar, but symlinks are far more versatile and used in pretty much every flavor of *nix.
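The difference matters to anything that copies or clones a volume from the command line: the kernel follows a symlink for every program, while an alias is just a file whose contents only the Finder understands. The shell script below is an added example, not code from the original post. It builds a target file, a symlink to it, and a plain file that merely contains the target's path (a stand-in for an alias, since the real alias format is opaque), and shows how BSD tools treat each.

```shell
#!/bin/sh
# Added example (not from the original post): a symlink is resolved by the
# filesystem for every program, while an alias-like file is just data to BSD
# tools. Runs in a temporary directory it creates itself.

# Return "symlink" when the path is a symlink, "regular" for an ordinary file,
# "missing" otherwise. test -L asks the filesystem, so the answer is the same
# for every layer of the OS.
entry_kind() {
    if [ -L "$1" ]; then echo symlink
    elif [ -f "$1" ]; then echo regular
    else echo missing; fi
}

# Read a path the way any BSD-level tool would: the kernel follows a symlink
# transparently, but a file that merely contains a path returns that path.
read_through() {
    cat "$1"
}

# List every symlink under a directory with its target, the inventory to take
# before cloning a volume so links that point outside it are not missed.
list_symlinks() {
    find "$1" -type l | while IFS= read -r l; do
        printf '%s -> %s\n' "$l" "$(readlink "$l")"
    done
}

# Build the demo: a target, a symlink to it, and a plain file holding the
# target's path (standing in for a Finder alias).
demo_dir=$(mktemp -d)
printf 'secret payroll data\n' > "$demo_dir/target.txt"
ln -s "$demo_dir/target.txt" "$demo_dir/link.txt"
printf '%s\n' "$demo_dir/target.txt" > "$demo_dir/alias-like.txt"

entry_kind "$demo_dir/link.txt"          # symlink
entry_kind "$demo_dir/alias-like.txt"    # regular
read_through "$demo_dir/link.txt"        # secret payroll data
read_through "$demo_dir/alias-like.txt"  # the path string, not the data
list_symlinks "$demo_dir"                # link.txt -> target.txt
```

Both `cp -R` and rsync preserve the symlink as a link by default, while `cp -L` copies the target's bytes in its place; decide which behaviour a clone should have before making it, because a link that points outside the volume resolves to nothing on the copy.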

August 17th, 2005

Posted In: Mac OS X, Mac OS X Server


Earlier, we described a LUN. In Xsan you can take multiple LUNs and stream data to them in a round-robin fashion. When doing so you group them together in what Xsan calls Storage Pools. Each Storage Pool has a maximum throughput of about four LUNs’ worth of storage, and each LUN (in Xsan 1.0) has a maximum of about 2TB in capacity. Therefore each Storage Pool can typically net you around 4Gbps of speed and about 8TB in capacity. You can then lump multiple Storage Pools into a given Volume to obtain volume sizes of 32, 40, 48, etc. TB. However, when you do so you will not attain more than 4Gbps of concurrent streams from one host to the storage; instead, you are increasing your aggregate bandwidth between hosts.

August 11th, 2005

Posted In: Xsan


I originally posted this at

Mac OS X 10.4 includes support for link aggregate networking. Link aggregate networking shares network traffic over two or more bonded Ethernet controllers, giving them one IP address for communication. This can allow the server’s controllers to run at speeds of 2Gbps. Link aggregation is configured using the Network System Preference Pane.

To enable Link Aggregate Networking:
1. Open the Network Pane from System Preferences
2. Click the Show: box and select Network Port Configurations
3. Click New
4. In the Name: box enter a name for the new aggregate port
5. In the Port: box select Link Aggregate
6. Place check marks in the boxes for each port you would like to aggregate
7. Click OK
8. Configure the Port as you would any other network port

Link Aggregate Ports must be used in conjunction with an Ethernet Switch.
Link Aggregate Port status can be viewed for each en adapter using the status tab in Network Preferences for the controller.
Assigning multiple LAN IP addresses to a Link Aggregate port can be tricky. I’d stay away from this if possible.
Do not assign two LAN IP addresses to a Link Aggregate port if they are not in the same IP scheme/subnet.
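The last caveat is easy to check before touching the bond: two addresses belong on the same aggregate port only if they share a network under the port's netmask. The script below is an added example, not code from the original post or from Apple; it is a pure POSIX shell subnet check with constructed addresses, and it does not drive the Network preference pane itself.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether two IPv4
# addresses share a subnet under a netmask, the condition the caveat above
# requires before assigning two LAN addresses to one link aggregate port.

# Convert dotted-quad A.B.C.D to a 32-bit integer. Prints nothing and returns 1
# if the string is not four octets in 0..255 (leading zeros rejected, so "08"
# cannot be misread as octal). Runs in a subshell so the IFS change stays local.
ip_to_int() (
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    n=0
    for o in "$1" "$2" "$3" "$4"; do
        case $o in
            0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;;
            *) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
        n=$(( n * 256 + o ))
    done
    echo "$n"
)

# same_subnet IP1 IP2 NETMASK: exit 0 if both addresses share the network part
# under NETMASK, 1 if they do not, 2 if any argument is malformed.
same_subnet() {
    a=$(ip_to_int "$1") || return 2
    b=$(ip_to_int "$2") || return 2
    m=$(ip_to_int "$3") || return 2
    [ $(( a & m )) -eq $(( b & m )) ]
}

# Demo with constructed addresses.
same_subnet 192.168.1.10 192.168.1.200 255.255.255.0 \
    && echo "same subnet: both addresses may share the aggregate port"
same_subnet 192.168.1.10 10.0.0.20 255.255.255.0 \
    || echo "different subnets: do not put both on one aggregate port"
```

A return value of 2 means the input was not a valid address or mask at all, which is worth distinguishing from "different subnet" when the script is wired into a provisioning check.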

August 7th, 2005

Posted In: Mac OS X, Mac OS X Server


To quote Wikipedia:

The Information Technology Infrastructure Library (ITIL) is a set of concepts and policies for managing the Information Technology (IT) services (ITSM), developments and operations.

August 2nd, 2005

Posted In: Business, certifications

Is it me or are people here a little strange? On the outside they seem like loners that want to keep to themselves, but then there’s a strange dichotomy where they also seem likely to wear a crystal around their neck and build houses out of recycled tires. Cool town, if a bit desolate.

August 1st, 2005

Posted In: On the Road
