Open Source and information security mailing list archives
Date: Mon Jan 16 05:07:23 2006
From: simon at snosoft.com (SNOsoft)
Subject: Worm?

David, 
	I'm tempted to flame you because of the email that you sent, but
instead, I'll be nice. My first word of advice to you is do not send emails
like this to public mailing lists. They advertise either your lack of
technical competence or lack of time to react to an incident.

Questions:

1-) Why didn't your IPS Vendor (assuming that it's a Managed Security
Services Provider) provide you with any payload information (Packet
Capture)? At the very least they should have told you what port this thing
was sending data to/from and what systems it was impacting. If they didn't
provide you with that, find a better MSSP.

2-) Why haven't you sniffed your network and collected any of this traffic
for analysis on your own? If you have then why didn't you provide this to
the list to analyze? 

3-) Last one... How did you not notice "large volumes of traffic" that are
abnormal? Don't you have any type of network traffic monitors in place?

You are after all the Corporate IT Security guy.... Hell... Doesn't this
very email violate your security policy? 

Just my two cents...

-simon



> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk 
> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf 
> Of TheGesus
> Sent: Sunday, January 15, 2006 10:38 PM
> To: Byrne, David
> Cc: full-disclosure@...ts.grok.org.uk
> Subject: Re: [Full-disclosure] Worm?
> 
> > Our IPS vendor is reporting a number of customers affected by large 
> > volumes of traffic generated by a worm. Anyone have details?
> >
> >
> > Thanks,
> >
> > David Byrne
> >
> 
> Same as it ever was... same as it ever was...
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 
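Added example, not part of the thread above or of anyone's actual tooling: Simon's points 1 and 3 are that the IPS vendor should at least have said which port the traffic was on and which systems were affected, and that "large volumes of traffic" should have been caught by a local monitor. The script below works that out from flow records (source, destination, destination port, byte count) of the kind a sniffer or NetFlow export produces. It compares each host's outbound volume in the observed window to its own baseline window, flags hosts far above baseline, and then profiles the flagged host by destination port and number of distinct targets, which is what a sweeping worm looks like. All addresses, ports and byte counts are constructed for the example; the 5x ratio is an arbitrary threshold, not a standard.

```python
"""Flow-record baseline check (added example; all data below is constructed)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    nbytes: int


# Baseline window: what each host normally sends per interval (constructed).
BASELINE = [
    Flow("10.0.0.5", "10.0.0.1", 53, 1200),
    Flow("10.0.0.5", "203.0.113.10", 443, 90000),
    Flow("10.0.0.6", "203.0.113.11", 443, 85000),
    Flow("10.0.0.7", "10.0.0.1", 53, 900),
    Flow("10.0.0.7", "203.0.113.12", 80, 60000),
    Flow("10.0.0.8", "203.0.113.13", 443, 70000),
]

# Observed window: one host sweeping the subnet on a single port (constructed).
OBSERVED = [
    Flow("10.0.0.5", "203.0.113.10", 443, 95000),
    Flow("10.0.0.6", "203.0.113.11", 443, 80000),
    Flow("10.0.0.7", "10.0.0.1", 53, 1000),
    Flow("10.0.0.8", "203.0.113.13", 443, 72000),
] + [Flow("10.0.0.7", f"10.0.0.{i}", 445, 50000) for i in range(20, 80)]


def bytes_per_src(flows):
    """Total outbound bytes per source address."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.src] += f.nbytes
    return dict(totals)


def anomalous_sources(baseline, observed, ratio=5.0):
    """Return {src: (baseline_bytes, observed_bytes)} for hosts whose outbound
    volume exceeds `ratio` times their own baseline. A host with no baseline
    of its own is compared against the median baseline of all hosts (assumed
    policy for this example)."""
    base = bytes_per_src(baseline)
    obs = bytes_per_src(observed)
    fallback = median(base.values()) if base else 0
    flagged = {}
    for src, total in obs.items():
        expected = base.get(src, fallback)
        if expected > 0 and total > ratio * expected:
            flagged[src] = (expected, total)
    return flagged


def profile_source(flows, src, top=3):
    """The detail the MSSP should have supplied: for one host, the destination
    ports it is sending to, ranked by bytes, with the number of distinct
    targets per port. Many targets on one port is the worm signature."""
    by_port = defaultdict(int)
    targets = defaultdict(set)
    for f in flows:
        if f.src == src:
            by_port[f.dst_port] += f.nbytes
            targets[f.dst_port].add(f.dst)
    ranked = sorted(by_port, key=by_port.get, reverse=True)[:top]
    return [(port, by_port[port], len(targets[port])) for port in ranked]


if __name__ == "__main__":
    for src, (expected, total) in anomalous_sources(BASELINE, OBSERVED).items():
        print(f"{src}: {total} bytes vs baseline {expected} (x{total / expected:.0f})")
        for port, volume, n_targets in profile_source(OBSERVED, src):
            print(f"  port {port}: {volume} bytes to {n_targets} distinct hosts")
```

Run against the constructed data it flags 10.0.0.7 alone, at roughly fifty times its baseline, and shows that the excess is port 445 traffic to sixty distinct hosts, which is the port and target list a useful IPS alert would have carried. A real deployment would feed it NetFlow or a pcap summarised with a tool that emits per-flow byte counts, and would use a per-host, per-hour baseline rather than one window.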
