Jun 26 2008, 09:01 PM | Post #1
Runner | Group: Members | Posts: 2,666 | Joined: 29-February 08 | From: Scotland | Member No.: 15,722
I was looking at the Agent clarifications in Unwired and this hack occurred to me.
Once you've successfully infiltrated a system the first thing you're going to do is mess with the Access Log and set up some backdoors, right? So, I was thinking, if you're in the Access Log already, why not pull up the Access IDs of the IC the system loaded the last time an alert was triggered? Now you can quietly load an Agent onto the node and Spoof it to have that Access ID. Now, if you glitch or get spotted the IC is locked out of the node until the Spider can crash your Agent. Keeps the Spider busy and the big nasty IC off your back long enough to make a clean get-away. Anybody else got any cool exploits they've spotted?

Jun 26 2008, 09:12 PM | Post #2
panda! | Group: Members | Posts: 10,331 | Joined: 8-March 02 | From: north of central europe | Member No.: 2,242
Do the logs actually show that?

Jun 26 2008, 09:43 PM | Post #3
Dumorimasoddaa | Group: Members | Posts: 2,687 | Joined: 30-March 08 | Member No.: 15,830
If they show the Access IDs of you and your agents and what programs are running, I don't see why they won't show you the Access ID of an IC running on the node.

Jun 26 2008, 09:54 PM | Post #4
panda! | Group: Members | Posts: 10,331 | Joined: 8-March 02 | From: north of central europe | Member No.: 2,242
Showing access IDs for external connections has some use, but showing that for internal stuff?

Jun 26 2008, 10:14 PM | Post #5
Runner | Group: Members | Posts: 2,666 | Joined: 29-February 08 | From: Scotland | Member No.: 15,722
> showing access id's for external connections have some use, but showing that for internal stuff?

Remember computers are real, real dumb at the basic level. How's it to know what is and is not internal? It's only got its own word for it and you're in its logs altering its own perception of reality. Trusting software that is stored locally doesn't seem the best policy really.

Additionally, Unwired has opened up the very attractive possibility of running IC remotely on another Node and just calling it in as you need it. I imagine a legal copy of decent IC for every node could get pretty expensive in a big hurry.

On a related note, if the system is using Access ID Accounts for IC, then spoofing its own IC's Access ID gives your Agent a free Admin Account to play about in.

Jun 26 2008, 10:21 PM | Post #6
Moving Target | Group: Members | Posts: 503 | Joined: 3-May 08 | Member No.: 15,949
Warning: In-Character post ahead.

I'm a security rigger. Everything that happens in my network is my responsibility. When an alert is triggered, I need to respond appropriately. Once the dust settles, I have to jack out at the end of my shift and have a debriefing with my boss. My boss wants to know what happened. I'm going to want a log to pull up so I can walk him through the incident. If your IC's activity isn't logged, you're not going to have a job soon.

OOC Addendum: I should hope that backing up and securing the logs of a security incident would be SOP for the very reason brought up in the OP. You don't want the next incident to include "Load FirstResponse 3.2 failed: duplicate ID", it's kind of embarrassing.