Full Disclosure mailing list archives
Re: Linux - Indicators of compromise
From: Григорий Братислава <musntlive () gmail com>
Date: Thu, 26 Jul 2012 09:07:33 -0400
On Wed, Jul 25, 2012 at 3:36 PM, Scott Solmonson <scosol () scosol org> wrote:
> I can't tell if I'm being trolled or not...
Inline is MusntLive's comments! MusntLive is now give you guys is some free training on is Incident Response and is Forensics and is CCD{A,P,E}. Is first MusntLive watch really good movie and is use quote from is movie: "Hello Scott. I want to play a game. So far what loosely could be called security, you have made your postings rambling nonsense which would make organizations like ISC2 and ISACA proud. Ramblings which will shall now be shredded to bit. I call you unworthy of responding to my posts. Of the chances you have been given, you have cherished none. The packets in these posts are filled with information. Information you do not seem to grasp. If you do not change your ways and heed the information given to you, organizations like ISC2 and ISACA will continue to pollute your brain. Your brain will close. Think of this information like a venus flytrap. What you are looking at right now is the information that can set you free. Do not heed this information and security nonsense will swallow you whole. Consuming your body into a herd of wandering security zombies. Each with a title: CISSP, CISM, CISA, CEH." --- MusntLive is play security Jigsaw
> Whatever layer-2 feats you've performed or will continue to perform, you're still very trackable and monitoring/blocking you at layer-3 is trivial.
Is so very trivial is how so many fester in networks globally undetected. Yes MusntLive understand you are karate kid.
> Remote-to-machine or remote-to-network? Ultimately I can just say it again: Whatever layer-2 feats you've performed or continue to perform, you're still very trackable and monitoring/blocking you at layer-3 is trivial.
Monitoring and tracking on is any layer is trivial? How many is enterprise networks is has you worked on.?
> You've figured it out- tap-port the entire switch's traffic, and then once you've got what you need, shut down every port. Once data integrity has been compromised, service downtime is almost always the lesser cost.
MusntLive is show you how you fail across many 'vertical' industries.

BANKING
-------------------
Sample Bank's {N,S}OC is running 10 42Us is filled with servers. Seven 42Us is filled with 1U servers. One 42U is Oracle M9000, one 42U is has QFX3000M fully populated (6,144 10GbE ports) one 42U is has take your pick, EX, Cat, BigIron. MusntLive is compromise a 1U somewhere on a 42U. All racks is run the bank's business. MusntLive broadcast to all on network. You call Gigamon and buy your G-TAP to watch me. Once you "got what you need, you shut down every port" is you say. Really? Shut all ports down? "Integrity is compromised, service downtime" (DR/BCP nonsense). Now what? You still is not find me. Because each 1U is kind of is new, you now need to figure out is what happened where. Each 1U is has half TB data. You now need image these 1Us for your investigation. Is remember is bank you need report to clients as is they have credit card transaction. Forget is fact your bank is will lose more money more you have downtime. Have you is done your homework. What is your estimated MTTR? (CCDP term for you is learn this afternoon). I think Scott you work on network where is has at max 5 Cat 2950s as is your statement not valid even is remotely in the banking industry.

HEALTHCARE
-------------------
Sample Hospitals {S,N}OC is has 1 42U. Is five racks has 48 port switch, 10 has 2U servers and is each server has 4 network ports. You has firewalls, SSL appliances, DB and is special server to link to room so is when patients ring emergency bell, nurses come running is like flock of seagull (and I ran, ran so far away). You will shut down all is switchport here now too also? MusntLive is not go further into your nonsense reply.

SCADA
-------------------
Sample hydroelectrical plant... Really? Shut down all ports?
Sample gas plant... Really? Shut down all ports?

MIL/GOV
-------------------
Sample USCYBERCOM Really? Shut down is Pentagon?
Sample IC.FBI.GOV Really? Shut down is entire racks? Because you will have backup/standby entire 42Us? MusntLive chuckle.

Is you has not even answer "how you will find me" is you really think pulling plug is save you. Lets make believe is your plan work. You pull plug on all ports (shut them down is what you say). Now comes fun stuff! You call up DigitalIntelligence. Even in is small hospital you is has to image 10 drives (small disks remember MusntLive is say half TB). 5TB to image because since is your rack is infected, you must image to retain forensically sound is evidence. After you call the company DigitalIntelligence, they have is fastest network based imaging system. 6.6Gb a minute. MusntLive make believe DigitalIntelligence make delivery in 1hr and you can is start imaging! How much downtime is passed before your imaging is done? Don't worry you can is tell patients, surgeons, ER room: "service downtime is almost always the lesser cost" but you make one big ISACA mistake where ISACA is say "life is most important".

MusntLive can make believe you know what you talk about but your post is show you work on network that can fit under MusntLive's desk. Make nice footrest for MusntLive's Nike Air Max! MusntLive is not talk about analyzing memory from 48Gb DB server. What is you think you will do this easy with Mandiant Memoryze? HBGary tool? EnCase? REMNux? MusntLive is also not talk about post compromise. Is you expect to Ghost an entire 42U? Scott, is was your response based on small SoHo 10 computer network? MusntLive is not play GeekSquad! MusntLive is serious security professional. Is too many people confused on my is posts! Is some too many think MusntLive is rookie! (MusntLive share secret (come closer): MusntLive is thirteen 37 is make fun of poser do not is tell anyone!)

Scott is you make MusntLive's afternoon. Is many people here is make my afternoon. MusntLive use FD as HR screening tool! Is just filter like--

sed '/poser/!p'||awk '!/CIS|MCS|/'||grep -v "certification"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
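The substantive point buried in the post above is an MTTR question: before a playbook says "shut every port and image every disk", someone should have computed how long the environment stays down while the imaging runs. The following is an editor's worked example, not code from the post or from anyone on the list, that turns the post's own figures (half-TB disks, 6.6 Gb per minute network imaging, a one-hour delivery of the imaging kit) into a downtime floor for the hospital and bank racks it describes. Decimal units (1 TB = 1000 GB, 8 Gbit per GB), the "each imaging station runs at full rate, one disk per station" parallelism model, and the two rack populations are constructed assumptions; analysis time after imaging is deliberately left out, so the result is a lower bound on MTTR rather than an estimate of it.

```python
"""Downtime floor for a "shut every port, image every disk" response plan.

Editor's worked example, not code from the post or the mailing list.
Unit conventions (decimal TB/GB, 8 Gbit per GB) and the parallelism model
(one disk per imaging station, stations run at full rate) are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

GB_PER_TB = 1000       # decimal units, as storage vendors quote capacity (assumption)
GBIT_PER_GB = 8
MINUTES_PER_HOUR = 60


@dataclass(frozen=True)
class Environment:
    """A population of disks that the plan says must all be imaged."""
    name: str
    drives: int        # number of disks to image
    drive_tb: float    # capacity of each disk, decimal TB

    @property
    def total_tb(self) -> float:
        return self.drives * self.drive_tb


def imaging_minutes(total_tb: float, gbit_per_minute: float,
                    imagers: int = 1, drives: Optional[int] = None) -> float:
    """Minutes to image `total_tb` with `imagers` stations at `gbit_per_minute` each.

    Effective parallelism is capped at the drive count: one disk is imaged by
    one station at a time (assumed; no striping of a single disk across stations).
    """
    if gbit_per_minute <= 0 or imagers <= 0:
        raise ValueError("throughput and imager count must be positive")
    effective = imagers if drives is None else min(imagers, drives)
    total_gbit = total_tb * GB_PER_TB * GBIT_PER_GB
    return total_gbit / gbit_per_minute / effective


def plan_downtime_hours(env: Environment, gbit_per_minute: float = 6.6,
                        imagers: int = 1, delivery_minutes: float = 60.0) -> float:
    """Hours from pulling the ports until imaging finishes, delivery included.

    Defaults mirror the post's figures: 6.6 Gb/min imaging, one-hour delivery.
    Analysis of the images is not included, so this is a floor on MTTR.
    """
    minutes = delivery_minutes + imaging_minutes(
        env.total_tb, gbit_per_minute, imagers, env.drives)
    return minutes / MINUTES_PER_HOUR


# Constructed scenarios built from the rack sizes the post describes.
HOSPITAL = Environment("hospital, one 42U", drives=10, drive_tb=0.5)
BANK = Environment("bank, seven 42Us of 1U servers", drives=7 * 42, drive_tb=0.5)


if __name__ == "__main__":
    for env in (HOSPITAL, BANK):
        for imagers in (1, 4):
            hours = plan_downtime_hours(env, imagers=imagers)
            print(f"{env.name}: {env.total_tb:g} TB, {imagers} imager(s) "
                  f"-> {hours:,.1f} h ({hours / 24:,.1f} days)")
```

With one station the hospital's 5 TB takes a little over four days and the bank's 147 TB about four months; adding stations divides the imaging term but never the delivery term, and the cap on parallelism means buying more imagers than disks buys nothing. A playbook that cannot state these numbers for its own racks has not answered the MTTR question the post is asking.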
Current thread:
- Re: Linux - Indicators of compromise, (continued)
- Re: Linux - Indicators of compromise Benji (Jul 16)
- Re: Linux - Indicators of compromise Giles Coochey (Jul 17)
- Re: Linux - Indicators of compromise Григорий Братислава (Jul 17)
- Re: Linux - Indicators of compromise Giles Coochey (Jul 19)
- Re: Linux - Indicators of compromise Григорий Братислава (Jul 18)
- Message not available
- Re: Linux - Indicators of compromise Григорий Братислава (Jul 18)
- Re: Linux - Indicators of compromise Leutnant Steiner (Jul 20)
- Re: Linux - Indicators of compromise Giles Coochey (Jul 25)
- Re: Linux - Indicators of compromise Григорий Братислава (Jul 25)
- Re: Linux - Indicators of compromise Scott Solmonson (Jul 26)
- Re: Linux - Indicators of compromise Григорий Братислава (Jul 26)
- Re: Linux - Indicators of compromise valdis . kletnieks (Jul 26)
- Re: Linux - Indicators of compromise Григорий Братислава (Jul 26)
- Re: Linux - Indicators of compromise Scott Solmonson (Jul 28)
- Re: Linux - Indicators of compromise Григорий Братислава (Jul 30)
- Re: Linux - Indicators of compromise jerry (Jul 28)
- Re: Linux - Indicators of compromise coderman (Jul 16)