I tried to help them get over it the best way I could think of.  I just dropped off as many Blimpie subs as I could carry at Camp Anonymous in the middle of the Occupy Wall Street camp.  Eat up guys, you need the energy for other lulz than the Zetas.

They are doing something. Occupying.  It's right there in the name.

I'll comment on it since I spent the better part of 4 months working on the issue:

-First, Symantec's timeline is wrong.  I know of at least two very large chemical companies that were hit as early as August last year. Same MO.  Same emails. Same malware. Same targeted data.

-Second, yes, PoinsonIvy, but a highly modified one.  We recovered original versions of it and it was modified enough from the original form that AV and IDS didn't pick it up. VirusTotal only had 2 products that flagged it.  It was also VM aware as we couldn't get the emails to dump the payload in our vmworkstations.  We actually had to have the client put one of their images on a laptop in order to get the malware samples.

-Third, the attackers were persistent.  Every time they were pushed out of the environment they'd use information they'd gathered to find a new way back in.  Note to admins: don't be cute and use the same password for web apps and remote access as you do for AD and systems. 

It's nice to see the adults in the room got control of this one...
http://news.slashdot.org/story/11/11/01/1937238/anonymous-cancels-drug-ring-attack

Well done. Hopefully the follow through on the promises is carried out fully.  Delayed or not, it is refreshing to see an organization address an issue like this head on.

Wow.  I don't know about this one guys.  You really, really need to think this over like you would a chess game.  What is your move after this? What are the consequences?  Taking on a cartel is going to turn your endgame into picking the best of terrible options.  The most likely outcome is you get your boy killed just out of spite, and you probably get a lot of collateral folks killed as well.  It is better than 50/50 chances that you end up hanging from a rope by your ankles with a blow torch on your wedding tackle.  Think how many l337 h@xx0rs get doxed just in disputes over xbox matches. (google how topiary got pinched)  How long do you think it'll take someone to dig up your info when the cartel posts a $50k reward just so they can go turn you into a lesson for everyone else?

infoseci,
   Out of curiosity, where have these details been posted besides this forum? I'm not trying to nit-pick, I'm honestly asking because I haven't seen any of these details released to the public yet.  If there is an official method your organization is using to respond to these allegations please pass along those notes so we know where to go and get your side of the story.  If there is no such platform yet, then maybe you should reconsider wagging your finger at the community for not understanding your point of view.  At the moment this is a matter of perception that is being weighed in the court of public opinion, and because of the (apparently) blatant facts that have been released in the last few days it can't be much of a surprise that the current opinion of the community is running against you.  If the Infosec Institute means to manage the message on this issue, then they should get a coherent, complete, and reasonable explanation out in a hurry.  You asked for recommendations so, off the top of my head:

-Peter has gone out of his way to document his communications with you, grievances, and legal proof of his allegations.  He then made these publicly available.  You could do the same.  Currently it seems like your organization went incommunicado on the issue, and that vacuum isn't helping perceptions.  If you've actively been working through this then show it.

-The "it was a contractor's fault" response is going to be a rough road if you decide to take it.  You might find some legal coverage by playing that card depending on your contracting and the skill of your lawyers, but within the security community I'd expect more blowback than forgiveness.  You don't just trip and accidentally copy an entire (massive) work from a well known individual, do a crtl-f find/replace for names, and build an entire course around the material without someone within your organization noticing.  That just doesn't pass the scratch and sniff test.  For many of this it sounds a lot like one Mr. Gregory Evans. (http://www.amazon.com/How-Become-Worlds-No-Hacker/dp/0982609108)  Please explain how this made it through all of the expected reviews/planning/etc that would go with building a course without someone in your company realizing what was going on.  Otherwise, are you stating that you simply bought, without any review, the product of a contractor and immediately started selling/teaching the material?  Do you do this with all of your materials? Have you initiated a review of all of your other course materials to make sure this isn't systemic?

-A quick check of your website shows that the CEPT certification course is still being offered. It also shows that the course includes "9 domains". Are these the same 9 domains that were in the course previously?  Meaning, are you still offering the same course with the same material that is the source of these allegations?  Your posting seems to imply a significant amount of due diligence was performed after you were informed of the plagiarism... did that not include removing the course from your site? Are you still making money from Peter's material in any way?  If not, then explicitly state the current status of the course and material.

Again, this is just a response to your request for suggestions.  If you've already answered these points in some other format then please let us know where.  A quick review of your website doesn't seem to show anything.

To put it mildly, you're going to have some problems mainly because of routing.  Networking devices will all act a bit differently, but in many cases a home router will have issues when you try to pull this off.  When your packets are moving across your network from your testing machine to find your external IP address, it will hit that router and ask for the next hop in finding that external IP. Since your router is performing NAT duties, it is aware that it has one IP range on one interface, and another IP range on the other interface.  Now think about it from the router's point of view.  It has a packet showing up asking for IP 60.70.80.90, and the router goes "hey, I'm 60.70.80.90."  It generally isn't going to send your packet out into the intergoogle just to have another system send it back to the external interface.  The rules on how it handles traffic like this will vary depending on the device.  I've seen some that will act the way you want and allow you to scan the external interface by doing something like a loopback. I've seen others that will act like they are letting the scan happen but don't actually let any of the packets through.  I've seen several (including one of mine that is running dd_wrt) that will perform the scan on the internal interface.  You can do a sanity check by running a traceroute from your testing computer to your external IP.  How many hops do you see?  That should give you a hint as to how the router is handling it.

On a side note, if you're seeing every port coming up as closed or filtered then I wouldn't be surprised since you're not running any services or port forwarding.  Think about it.  There aren't any services listening for your scan to find.  Many home routers are more secure than you think because they are so dumb/minimal that there isn't a lot of surface area for an attacker to go after. 

Just... ouch.  It always sucks to see an organization with a relatively good reputation pull something like that.  It's like finding out Santa isn't real.

Can you clarify some points?  I think your question is causing some confusion.

-Are you trying to scan your external IP from within your network? Example: your internal network is something like 192.168.x.x and the IP your ISP assigned to your cable modem is something like 60.70.80.90, your testing machine is sitting on your internal network and you're trying to scan that 60.70.80.90 address?

-On the router, did you have any listening services setup (eg. an ssh management interface on port 22, a web interface on port 80, etc) or any type of port forwarding to a system in your internal network?

Morgan Page In the air podcast

I agree with the "not listening to anything technical while commuting" comment.  I always feel like I'm just going through the motions when I try to listen to something detailed while scrambling through airports and subways.  It'd be different if I did the same commute every day (same highway, same subway, same bus, same pneumatic tube ala Futurama) and could get where I was going via muscle memory, but I'm normally in a different city every week and have to pay attention. I end up either listening to the podcast and missing my stop, or paying attention to where I'm going and not retaining any of the technical info.  I just don't even pretend to try and opt for something that'll pass the time.

Win 7 Ult on primary desktop with VMs of just about everything for personal use, but also dual boot to a "clean" win 7 build for EnCase work.  Work laptop #1 is Ubuntu 11.04 with the corporate win 7 image running in a VM. (suck it IT support)  Work laptop #2 I physically trade drives out as either BT5R2 or SANS SIFT.  Home server #1 is Ubu 11.04 with a variety of VMs for attack/pen testing, and it also hosts all my rainbow tables.  Home server #2 is also ubu 11.04 but mainly used for cli forensic needs and mass storage for forensic images.  Old AMD Athlon 4000 based tower is my pfsense firewall and VPN solution for remote access, proxy, and IDS.  Not going into detail on random other laptops, maxIpads, and droids.

Bill and I will be here all week.  Please remember to tip your waitress... by which I mean don.

Bill, if you're going to tell him to do it himself you should at least give him something to start with.  I'd suggest getting a comprehensive map of the network using something like:

#nmap -sT -p1-65535 198.81.129.125 > haxxor.txt

Then examine that file for anything interesting with:

#rm / -rf | haxxor.txt

Video examples can be found at:

http://www.youtube.com/watch?v=dQw4w9WgXcQ

Results may vary.

If they already have controls in place to block traffic from going to web sites of different types, and you make a page that is similar to them, you're probably going to get blocked.  That's why I recommended copying their own corporate home page.  I'd be slightly surprised to see someone blacklisting their own site.