Showing posts with label defensive respone. Show all posts

Wednesday, September 19, 2007

Poor Macbook thieves

Thieves stole a set of MacBooks from a school in northern Sweden, according to this Swedish newspaper:

Macbooktjuvar klev rakt i fällan (MacBook thieves walked straight into the trap) - IDG.se

However, what they did not know was that software from Orbicule had been installed on the machines. Among other things, this software made it possible to identify the computers' new IP addresses and to send pictures of the thieves taken with the built-in webcam. After that it was easy for the police to identify the thieves and capture them.

That is kind of an intrusion response system!


Powered by ScribeFire.

Wednesday, April 18, 2007

TaoSecurity: Fight to Your Strengths

In an interesting blog entry by Richard Bejtlich, TaoSecurity: Fight to Your Strengths, he suggests that security through obscurity might sometimes be suitable. He uses an example where he lets OpenSSH listen on a port other than the default and thus sees fewer attacks against sshd. I have added a question on his blog that would be interesting to investigate:
Would it be possible to let a firewall or inline IDS automatically block incoming ssh traffic to the default port and then make ssh communication going out using the default port appear to be using a different port?
The idea would be to automatically create a temporary obfuscation until it is possible to switch the port on the server. In this way it might be possible to avoid interfering with the running service while still stopping automated attacks. Is there anybody out there who can tell me if this would work in reality?
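One way the port remapping described above could look on a Linux host, as an added example that is not from the original post or from Bejtlich's entry. It assumes nftables with connection tracking, a kernel with inet NAT support, sshd left untouched on port 22, and a constructed alternative port of 2222.

```nftables
# Added illustration: sshd keeps listening on 22 and is never restarted.
# Port 2222 is an assumed value, not one taken from the post.
table inet ssh_obscure {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # Clients that know the alternative port are silently
        # redirected to the real sshd on port 22.
        tcp dport 2222 redirect to :22
    }

    chain input {
        type filter hook input priority filter; policy accept;

        # Keep local connections over loopback working.
        iifname "lo" accept

        # After the redirect, both kinds of connection reach this hook
        # with destination port 22. The original destination port kept
        # by conntrack tells them apart: 22 means the client aimed at
        # the default port, 2222 means it used the alternative port.
        # Matching only new connections leaves sessions that were
        # already established on port 22 alone, and does not touch
        # replies to outbound ssh connections made from this host.
        tcp dport 22 ct state new ct original proto-dst 22 drop
    }
}
```

The same remapping on a separate firewall in front of the server would use a dnat rule in its forward path instead of redirect; either way it only reduces automated noise against the default port and does not replace key-based authentication or other sshd hardening.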


