I am retiring this social media account. Find me as @hal_pomeranz@infosec.exchange

Orlando, FL
Joined November 2008
This was a fun and worthwhile project. Can’t believe it was 20 years ago!
20th Anniversary of the Center for Internet Security. So glad to have been a part of that with my buddies @hal_pomeranz @jaybeale cisecurity.wistia.com/medias… @SANSInstitute @CISecurity @educause
Replying to @bettersafetynet
Far too many Linux incidents I investigate would not have happened had the site been using SELinux in enforcing mode.
Replying to @bettersafetynet
Feign narcolepsy
Replying to @k8em0
“The Good Place” — trust me
Replying to @ElleArmageddon
More than agree with them, they are them in many cases.
Hal Pomeranz retweeted
Good morning infosec. Here's some free consulting advice. Remember that list of indicators CISA released for ransomware? Go through that list and detail what you have logs for and how far back you can search them. Document your capability gaps and share those with leaders. 1/2
The problem is that while you control the entire data store, you have to give access to small pieces of info. Those pieces will be aggregated outside of your control, just as they are today.
Which means your password was not stored as a hash on at least some systems.
Replying to @v3rtig0
istat is just returning inode data, nothing else AFAIK
Replying to @v3rtig0
Also not clear on the context for your request. You could track file access in excessive detail using auditd on Linux, but it would have to be configured beforehand. Won’t help if you’re investigating activity that has already happened.
Replying to @v3rtig0
See extundelete and ext4magic. The source code here is probably the best documentation you are going to find on this. There is no USN equivalent for Linux file systems.
Shamelessly stolen from imgur. Because relevant.
For the morning crowd...
Your most indispensable Windows app(s) and why? GO!
Replying to @jtsylve
Not that I'm seeing.
Replying to @mykill
Good idea, not the execution mechanism in this case
Replying to @jtsylve
Good thought, but I'm not finding any
Replying to @phillmoore
Yeah, that's basically what I'm down to at this point