• Getting a baseline & seeing variations

    From warmfuzzy@700:100/0 to All on Wednesday, June 06, 2018 10:02:37
    Think back to the Edward Snowden leaks... could it have been prevented? Yes, and quite easily if they had the right fail-safes in place. How? Well, determining a baseline and monitoring variations. What does that mean? Well, if you monitored what a normal traffic pattern is on the file server and there is a massive spike in download activity you could shut down a leech of data before all of the crown jewels are exposed. If an agency as elite as the NSA doesn't use a baseline and leeching controls there is something very wrong in the intelligence community. If they do implement such controls but let it get through anyway there is still a problem in the IC. This is basic CEH (certified ethical hacking) type of practice to be implemented---it's not a hard thing to put into place.

    --- Mystic BBS v1.12 A39 2018/04/21 (Linux/64)
    * Origin: Sp00knet Master Hub [PHATstar] (700:100/0)
  • From m00p@700:100/26 to warmfuzzy on Wednesday, June 06, 2018 10:46:13
    > Think back to the Edward Snowden leaks... could it have been prevented? Yes, and quite easily if they had the right fail-safes in place. How? Well, determining a baseline and monitoring variations. What does that mean? Well, if you monitored what a normal traffic pattern is on the file server and there is a massive spike in download activity you could shut down a leech of data before all of the crown jewels are exposed. If an agency as elite as the NSA doesn't use a baseline and leeching controls there is something very wrong in the intelligence community. If they do implement such controls but let it get through anyway there is still a problem in the IC. This is basic CEH (certified ethical hacking) type of practice to be implemented---it's not a hard thing to put into place.

    Okay, I've been working as a penetration tester/exploit developer/security researcher for over 20 years. Also speaking at the largest IT-sec conferences in the world, being an advisor for some of the largest companies in the world discussing these things.

    CEH is a pile of sh*t to be honest, it doesn't teach you anything else than how to run Core Impact, Nessus, SQLmap, nmap, Metasploit and other "hacker tools".

    Regarding the Snowden leak: you are correct that some NETWORK based patterns can be identified, but imagine that they had this in place. A person like Snowden would know which security mechanisms they had, so he could find a good way of extracting this information.

    What about dumping the leaks onto a USB stick directly from the file server? This would defeat any network monitoring software.

    I am pretty sure that leaks on this scale can't be prevented. The Snowden case is completely different from some hacker gang compromising a machine with a SQL injection and dumping that data, or extracting mail spools etc. Snowden was a pure inside job, and I'm pretty sure that the ONLY way to prevent this is simply with ACLs (Access Control Lists), watermarking of documents and maybe a quota system. You are not even allowed to access that many files at the same time. Doesn't matter if you access them locally or over the network.

    But these Ethical Hacking classes are a pile of crap! I even have a t-shirt with the CEH logo written wrong, CUNT = Certified Unethical Network Tester :)

    Well, these are my personal thoughts, I'm not saying that you are wrong, I'm just saying that I don't agree with you :)

    --- Mystic BBS v1.12 A38 2018/01/01 (Windows/64)
    * Origin: SLiME CiTY BBS (700:100/26)
  • From warmfuzzy@700:100/0 to m00p on Friday, June 08, 2018 13:54:30
    > I am pretty sure that leaks on this scale can't be prevented. The Snowden case is completely different from some hacker gang compromising a machine with a SQL injection and dumping that data, or extracting mail spools etc. Snowden was a pure inside job, and I'm pretty sure that the ONLY way to prevent this is simply with ACLs (Access Control Lists), watermarking of documents and maybe a quota system. You are not even allowed to access that many files at the same time. Doesn't matter if you access them locally or over the network.

    I understand your point of view; however, there has to be some mechanism that can shut access down when a sucking sound comes upon the file server. The idea of a quota is a good start, but writing an algorithm that prevents sequential access (one file after the next alphabetically) or an excessively large number of file accesses should be able to mitigate the problem.

    --- Mystic BBS v1.12 A39 2018/04/21 (Linux/64)
    * Origin: Sp00knet Master Hub [PHATstar] (700:100/0)
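As an added illustration of the two heuristics warmfuzzy proposes in the last message (a per-user quota on file accesses and a check for alphabetical, one-after-the-next access), here is a Python toy detector run over constructed file-server access log lines; it is not code from any of the posters. The log format, user names and thresholds are assumptions; in practice the thresholds would be derived from the traffic baseline the first message talks about.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, "timestamp user path" (the format is an assumption).
LOG = """\
2018-06-06T10:00:01 alice /share/finance/q2-report.xlsx
2018-06-06T10:03:12 alice /share/hr/policy.pdf
2018-06-06T10:04:40 bob /share/projects/a.docx
2018-06-06T10:04:41 bob /share/projects/b.docx
2018-06-06T10:04:42 bob /share/projects/c.docx
2018-06-06T10:04:43 bob /share/projects/d.docx
2018-06-06T10:04:44 bob /share/projects/e.docx
2018-06-06T10:04:45 bob /share/projects/f.docx
"""

def parse(log):
    """Parse the constructed log into (timestamp, user, path) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, path = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), user, path))
    return events

def detect(events, window=timedelta(minutes=5), quota=5, sweep_len=4):
    """Return (user, reason) alerts. quota = max distinct files one user may
    touch inside a sliding time window; sweep_len = consecutive accesses in
    alphabetical order that count as a sweep. Both thresholds are assumptions."""
    alerts = []
    by_user = defaultdict(list)
    for ts, user, path in sorted(events):
        by_user[user].append((ts, path))
    for user, accesses in by_user.items():
        # Quota check: distinct files inside a sliding time window.
        start = 0
        for end in range(len(accesses)):
            while accesses[end][0] - accesses[start][0] > window:
                start += 1
            if len({p for _, p in accesses[start:end + 1]}) > quota:
                alerts.append((user, "quota"))
                break
        # Sweep check: run of accesses in strictly increasing path order.
        run = 1
        for i in range(1, len(accesses)):
            run = run + 1 if accesses[i][1] > accesses[i - 1][1] else 1
            if run >= sweep_len:
                alerts.append((user, "sequential"))
                break
    return alerts
```

On the constructed log, `detect(parse(LOG))` flags bob for both the quota and the sequential sweep and leaves alice alone; a real deployment would feed the same checks from the share's access audit log and tune the thresholds per user or group.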