Date: Thu, 26 Jul 2012 09:07:33 -0400
From: Григорий Братислава <musntlive@...il.com>
To: Scott Solmonson <scosol@...sol.org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Linux - Indicators of compromise

On Wed, Jul 25, 2012 at 3:36 PM, Scott Solmonson <scosol@...sol.org> wrote:
> I can't tell if I'm being trolled or not...
>

Inline is MusntLive's comments! MusntLive is now give you guys is some
free training on is Incident Response and is Forensics and is
CCD{A,P,E}. Is first MusntLive watch really good movie and is use
quote from is movie:

"Hello Scott. I want to play a game. So far what loosely could be
called security, you have made your postings rambling nonsense which
would make organizations like ISC2 and ISACA proud. Ramblings which
will shall now be shredded to bit. I call you unworthy of responding
to my posts. Of the chances you have been given, you have cherished
none. The packets in these posts are filled with information.
Information you do not seem to grasp. If you do not change your ways
and heed the information given to you, organizations like ISC2 and
ISACA will continue to pollute your brain. Your brain will close.
Think of this information like a venus flytrap. What you are looking
at right now is the information that can set you free. Do not heed
this information and security nonsense will swallow you whole.
Consuming your body into a herd of wandering security zombies. Each
with a title: CISSP, CISM, CISA, CEH." --- MusntLive is play security
Jigsaw

> Whatever layer-2 feats you've performed or will continue to perform,
> you're still very trackable and monitoring/blocking you at layer-3 is
> trivial.

Is so very trivial is how so many fester in networks globally
undetected. Yes MusntLive understand you are karate kid.

> Remote-to-machine or remote-to-network? Ultimately I can just say it
> again: Whatever layer-2 feats you've performed or continue to perform,
> you're still very trackable and monitoring/blocking you at layer-3 is
> trivial.

Monitoring and tracking on is any layer is trivial? How many is
enterprise networks is has you worked on.?

> You've figured it out- tap-port the entire switch's traffic, and then
> once you've got what you need, shut down every port. Once data
> integrity has been compromised, service downtime is almost always the
> lesser cost.

MusntLive is show you how you fail across many 'vertical' industries.

BANKING
-------------------
Sample Bank's {N,S}OC is running 10 42Us is filled with servers. Seven
42Us is filled with 1U servers. One 42U is Oracle M9000, one 42U is
has QFX3000M fully populated (6,144 10GbE ports) one 42U is has take
your pick, EX, Cat, BigIron. MusntLive is compromise a 1U somewhere on
a 42U. All racks is run the bank's business. MusntLive broadcast to
all on network.

You call Gigamon and buy your G-TAP to watch me. Once you "got what
you need, you shut down every port" is you say. Really? Shut all ports
down? "Integrity is compromised, service downtime" (DR/BCP nonsense).
Now what? You still is not find me.

Because each 1U is kind of is new, you now need to figure out is what
happened where. Each 1U is has half TB data. You now need image these
1Us for your investigation. Is remember is bank you need report to
clients as is they have credit card transaction. Forget is fact your
bank is will lose more money more you have downtime. Have you is done
your homework. What is your estimated MTTR? (CCDP term for you is
learn this afternoon).

I think Scott you work on network where is has at max 5 Cat 2950s as
is your statement not valid even is remotely in the banking industry.

HEALTHCARE
-------------------
Sample Hospitals {S,N}OC is has 1 42U. Is five racks has 48 port
switch, 10 has 2U servers and is each server has 4 network ports. You
has firewalls, SSL appliances, DB and is special server to link to
room so is when patients ring emergency bell, nurses come running is
like flock of seagull (and I ran, ran so far away). You will shut down
all is switchport here now too also?

MusntLive is not go further into your nonsense reply.

SCADA
-------------------
Sample hydroelectrical plant...

Really? Shut down all ports?

Sample gas plant...

Really? Shut down all ports?


MIL/GOV
-------------------
Sample USCYBERCOM

Really? Shut down is Pentagon?

Sample IC.FBI.GOV

Really? Shut down is entire racks? Because you will have
backup/standby entire 42Us?


MusntLive chuckle. Is you has not even answer "how you will find me"
is you really think pulling plug is save you. Lets make believe is
your plan work. You pull plug on all ports (shut them down is what you
say). Now comes fun stuff!

You call up DigitalIntelligence. Even in is small hospital you is has
to image 10 drives (small disks remember MusntLive is say half TB).
5TB to image because since is your rack is infected, you must image to
retain forensically sound is evidence. After you call the company
DigitalIntelligence, they have is fastest network based imaging
system. 6.6Gb a minute.

MusntLive make believe DigitalIntelligence make delivery in 1hr and
you can is start imaging! How much downtime is passed before your
imaging is done? Don't worry you can is tell patients, surgeons, ER
room: "service downtime is almost always the lesser cost" but you make
one big ISACA mistake where ISACA is say "life is most important"

MusntLive can make believe you know what you talk about but your post
is show you work on network that can fit under MusntLive's
desk. Make nice footrest for MusntLive's Nike Air Max!

MusntLive is not talk about analyzing memory from 48Gb DB server. What
is you think you will do this easy with Mandiant Memoryze? HBGary
tool? EnCase? REMNux?

MusntLive is also not talk about post compromise. Is you expect to
Ghost an entire 42U?

Scott, is was your response based on small SoHo 10 computer network?
MusntLive is not play GeekSquad! MusntLive is serious security
professional. Is too many people confused on my is posts! Is some too
many think MusntLive is rookie! (MusntLive share secret (come closer):
MusntLive is thirteen 37 is make fun of poser do not is tell anyone!)

Scott is you make MusntLive's afternoon. Is many people here is make
my afternoon. MusntLive use FD as HR screening tool! Is just filter
like-- sed -n '/poser/!p' | awk '!/CIS|MCS/' | grep -v "certification"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
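The imaging arithmetic the post waves at (ten half-TB drives, a 6.6 Gb/min network imager, one hour for delivery, seven 42U racks of 1U servers in the bank case) worked through as an added planning example. This is editor-added code, not anything MusntLive or Scott posted; it assumes decimal terabytes, reads the post's "Gb" as gigabits, and the parallel-imager counts and MTTR targets are made up for illustration.

```python
"""Forensic acquisition time versus recovery target.

Added example (not from the post). The disk counts, the half-TB per
server, the 6.6 Gb/min network imaging rate and the one-hour delivery
delay are the post's figures; units (decimal TB, Gb = gigabits), the
number of parallel imagers and the MTTR targets are assumptions.
"""
from dataclasses import dataclass

TB = 10**12   # assumption: decimal terabyte in bytes
GBIT = 10**9  # assumption: "Gb" in the post read as gigabits


@dataclass(frozen=True)
class Scenario:
    name: str
    disks: int          # drives that must be imaged
    disk_bytes: int     # capacity per drive
    imagers: int = 1    # assumption: acquisition units running in parallel


def imaging_minutes(total_bytes: int, gbit_per_min: float, imagers: int = 1) -> float:
    """Wall-clock minutes to image total_bytes at gbit_per_min per imager.

    Drives are assumed to be spread evenly across imagers; a single
    oversized drive would be the real floor, which this ignores.
    """
    if gbit_per_min <= 0 or imagers <= 0:
        raise ValueError("throughput and imager count must be positive")
    return (total_bytes * 8) / (gbit_per_min * GBIT) / imagers


def plan(scenario: Scenario, gbit_per_min: float, mttr_hours: float,
         delivery_hours: float = 0.0) -> dict:
    """Compare full-disk acquisition time with the recovery-time objective.

    Returns the estimated downtime and whether a "shut every port and
    image everything" response can fit inside mttr_hours at all.
    """
    total = scenario.disks * scenario.disk_bytes
    hours = imaging_minutes(total, gbit_per_min, scenario.imagers) / 60
    downtime = delivery_hours + hours
    return {
        "name": scenario.name,
        "total_tb": total / TB,
        "imaging_hours": round(hours, 1),
        "downtime_hours": round(downtime, 1),
        "meets_mttr": downtime <= mttr_hours,
    }


# Constructed scenarios built from the post's numbers.
HOSPITAL = Scenario("hospital: 10 x 0.5 TB, one imager",
                    disks=10, disk_bytes=TB // 2)
BANK = Scenario("bank: seven 42U racks of 1U servers, 0.5 TB each, 8 imagers",
                disks=7 * 42, disk_bytes=TB // 2, imagers=8)

if __name__ == "__main__":
    for s, mttr in ((HOSPITAL, 24.0), (BANK, 72.0)):
        r = plan(s, gbit_per_min=6.6, mttr_hours=mttr, delivery_hours=1.0)
        verdict = "fits" if r["meets_mttr"] else "exceeds"
        print(f'{r["name"]}: {r["total_tb"]:.1f} TB, ~{r["imaging_hours"]} h imaging, '
              f'{r["downtime_hours"]} h downtime, {verdict} MTTR of {mttr} h')
```

Under these assumptions the hospital's 5 TB takes about 101 hours on one imager, so a response plan that depends on full imaging before anything is restored cannot meet a one-day MTTR; the useful output of the calculator is that gap, which is what drives a plan toward prioritised live triage of a few hosts rather than wholesale acquisition.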
