Peoples,

I've recently put a Nepenthes server into production. There were several reasons for this, from trying to get a better view of what's out there, training resources and just 'for fun' (yes I'm a bit strange).

Unfortunately, the server is being too successful and is providing more samples than I can analyse in the timeframe available. Can anyone provide tips so that I can quickly identify and focus on the 'interesting' samples rather than spend time and resources investigating 'garden variety' malware?

Any advice appreciated, thanks in advance.
RR

wow.... thats a lot of business

couldn't agree more though, it seems that current business culture makes it difficult and rare to get full management buy-in for improving security beyond the minimum. Unfortunately the current climate allows the man (& women) at the top can earn as much (and sometimes more) for a golden boot as a golden handshake.

idscore,

I think that on a diverse and distributed system like the Internet what you are proposing could be nearly impossible without physical authentication.

As has been said MAC/IP address isn't going to be the way forward even just due to people having access to multiple machines/public access/etc. before we even get into the realm of spoofing. Likewise multiple, unique individuals may try to access your system from the same IP or MAC address, a shared/public terminal for example.

As Shawal has suggested debit/credit card information should be unique, but a person can have more than one card legitimately (If I only had one my finances would look nicer )

Even going to the extreme of requiring physical authentication (such as RSA keyfobs, swipe cards, etc) whilst each device is unique, again an individual could have access to more than one device, for example registering/recieving one from multiple addresses.

However, whilst it may/will be impossible to get a 100% perfect system it is important to remember that you only need to remove enough flaws to make the system usuable. Holes can and will be found in any non-simple system, online or otherwise, what is required is reducing the level of holes to an acceptable level depending on your context and requirements.

Hope this helps, good luck

Guys,

I've just read this article on Dark reading regarding penetrating databases. Gave me food for thought and I'll be looking over my own sysems in response to make sure I haven't missed the obvious.

Is also a good example of ways to penetrate systems without requiring an exploit which was recently queried by Loic all methds mentioned rely on poor configuration, poor input validation or simple human error. No 'sploit required

I feel your pain. GF has a habit of infecting her (& my) machine on a semi regular basis.

Recently took the huff when I explained that you actually need to (god forbid) run your AV rather than just install it gotta love non-techies...

Sounds great, just wish I could make it
Spare a thought for us poor unfortunates stuck at home...

From my experience (BS7799/ISO27001 standards) pen testing isn't required for standards but it is the de factor standard for 'proving' your security posture is working. Basically if you don't do pen-testing you better have a good reason for not doing it and be able to explain to the auditors why you feel your systems are secure without standard testing.

Thanks Vijay2,

I'm working on a new Apache installation now so I'll give them a once over and see if it adds anything to my usual bag of tricks, looks nice and compact at first glance though. Cheers for sharing

Yup the advantage of having more technical know-how than the teachers, I help set the filters up (and no, I didn't shoulder-surf whilst the teachers pecked the admin password at 1 character a minute, allowing me to add what I wanted. That would have been unethical )

Interesting, I would have thought that active participation in the security community (of any form) would have been a plus for potential employers. It's got to be an advantage over someone who took a bootcamp two use ago and hasn't updated their skills/knowledge-set since.

Any one else had similar issues? (or should I hide my online dealings behind aliases and ToR )

Hadn't come across those yet, should stop me from being bored tonight, cheers.

Cheers Don,

it's nice to see a story where no evidence of foul play was found after investigation and that additional pre-emptive changes have been made to improve the environment anyway.

If we could get more 'good news' stories like this it might make companies worry less about PR effects of a breach and not try to cover up any potential issues, which should improve security as a whole. Might even stop suits and beancounters from seeing security as a necessary cost/evil .... (pinch me, I'm dreaming )

HonorTech,

I agree with the theory, however I don't imagine that this will become too common. As it stands there are easier ways to remain anonymous (unsecured/poorly secured wireless) without commiting a real-world offence and leaving physical evidence.

I'll agree with the general consensus so far, I've found EH-Net to be a great source of information and debate (cheers Don, keep blushin').

I did take a look at HoH and it may have some potential if the top bloke (Petko Petkov, I think) can manage to keep in on track, however only time will tell if it manages to stay legal/professional/ethical for long or if it will attract any knowledgable top contributors.

As for why we need anything else with EH-Net around, if the only place you look for information is EH-Net then you may find yourself falling behind as no single resource can cover every topic to full depth, especially in such a diverse and rapidly evolving field. It never hurts to have a seperate source of information (or to keep an eye of the 'bad guys' if the site goes that way).

I've just taken a closer look at the site and think it could be really useful for anyone starting out as a kid.

The section that really caught my attention was 'For Parents'. It could make a lot a people's lives easier if they had some way of explaining to on non-technical parent what it really means to be a hacker. From my perspective I was lucky, my mother read the first few chapters of 'A complete hacker's handbook' by Dr-K (at least until the binary and TCP/IP stuff confused her), after that I got no more complaints (and a few more books for christmas).

However, after I recently moved in with my girlfriend I still get od comments from friends/relatives when the read the titles on my bookshelf. This sort of information, if it gets wide exposure, could increase the number of talented individuals able to enter the profession and possibly increase the level of awareness and funding available from other parts of the business if the suits and beancounters can better understand what they are paying for.