Message-ID: <CADYtyvL+znY2eyCitSi=xtMdWTrHrFi+Scy--g1djNdv4-t7fA@mail.gmail.com>
Date: Wed, 18 Jul 2012 09:48:16 -0400
From: Григорий Братислава <musntlive@...il.com>
To: alex <fd@...oo.de>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Linux - Indicators of compromise
On Wed, Jul 18, 2012 at 8:30 AM, alex <fd@...oo.de> wrote:
> Source MAC faking would result in switchport shutdown in some environments.
> Further you cannot communicate with outside world using broadcasts.
> ICMP payloads is quite common and hard to detect.
>
> Me study CISSP, too. Already CCNA Security. CCNA not worth the money. Better get CISA/CISM.
>
>
You miss point. If I sent data to broadcast, original poster is say:
"I will know who you are via MAC address" to which I say: "You is need
to go back to Cisco bootcamp" Everyone is receive broadcast, no way
for him to detect who I am since I am is not alone in receiving the
broadcast. Needle in is haystack.
Second, ICMP tunneling, GRE tunneling is too much trouble. Advanced
Persistent Threats as defined by (is now give North Korean title to
him) Super Grand Master of the Internet Universe Richard Bejtlich as
advanced and is persistent. But is also stupid and lazy. Will not
waste time on this is vector. Will use SSL and HTTP to is stay under
radar.
Attacker >>> Own is your data >>> post data in $WEBDIR >>> visit
$WEBDIR using proxy [small packets]
Is how else can attacker download 867 terabytes of data
(http://www.eddupdate.com/2012/02/cyberthieves-stole-867-terabytes-in-2011.html)?
You believe attackers is using FTP, ICMP, GRE tunnels? No. Too noisy
is this. Better to visit website like everyone else use proxy of
another country, this is country take blame.
MusntLive >>> use is never use 213.24.76.77 address >>> use proxy
210.75.193.49 >>> download data \
Supreme Grand Master of Internet Universe >>> analyze >>> see proxy
>>> chant APT APT APT >>> See I told you is China \
Fox News >>> report on Chinese threat \
MusntLive >>> facepalm at report and go back is drink Stoli
CISA/CISM is have nothing on InfoSecInstitute!
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/