Analyst Journal @ 03 Nov 2008 02:01 pm by ayoi
The talk that I presented during the Infosec.my technical forum this year is Network Security: 3 Key Elements, where the key elements are process, technology and human. I had the idea to give a presentation on that topic based on my observation and experience in this field (OK, not that long though). Most of our competitors emphasize how advanced their technology is when managing their clients' network security. Well, I am from the old school in this field, where I believe technology is only there to assist humans in performing their tasks. From the email that I received this morning, I know how right I am in this matter..
Category = Firewall
Severity = Medium
Events = Blocked event
Source IP = Local ISP
Destination IP = Web Server
Destination port = 22, 443
Impact = NetBIOS sharing and possible information disclosure and loss of data
Raw log :
Firewall: Firewall device_id=Firewall [No Name]system-notification-xxxx(traffic): start_time="today early in the morning" duration=0 policy_id=xx service=https proto=6 src zone=Untrust dst zone=DMZ action=Deny sent=0 rcvd=0 src=(Local ISP) dst=(Web Server) src_port=11866 dst_port=443 session_id=0
Firewall: Firewall device_id=Firewall [No Name]system-notification-xxxx(traffic): start_time="Few minutes after the first log" duration=0 policy_id=xx service=https proto=6 src zone=Untrust dst zone=DMZ action=Deny sent=0 rcvd=0 src=(Local ISP) dst=(Web Server) src_port=12243 dst_port=443 session_id=0
Can you spot the mistakes? Do you think this event should be escalated? Be my guest to comment.
===============================================================
Update: Thanks for all of your comments.
Actually, this event should not have reached the client. In other words, this event does not require any escalation. The firewall has done its job efficiently, and ports 22 (SSH) and 443 (HTTPS) have nothing to do with NetBIOS or any of its family. I guess the best comment is ZiaSay's (I know who you are hahaha)
———————————————————————————–
What are you guys rambling about.. the question asked one thing and you answer another… later I'll tell "Epul to take off the MASK" and then all of you will be shocked..
All your comments could make a lot of people "break their heads and WET wooo uiiii dont make me honi laaa weii" mehmehmeh..
OK, lemme Ella_b0rit's <– needs a bit of "aSS" in it
The host's quote:
"Can you spot the mistakes? Do you think this event should be escalated? Be my guest to comment"
ZiaSay's:
Category = Firewall <– Not a mistake, because it comes from the fw event
Severity = "Medium" <– A small mistake maybe, because this event carries no "impact" at all since it was already DENIED.. mehmehmeh it should have been "LOW".. anyway the "Severity" wording is in the template, right.
Events = Blocked event <– Not a mistake, because it comes from the fw rules
Source IP = Local ISP <– Not a mistake, because it comes from the fw rules
Destination IP = Web Server <– Not a mistake, because it comes from the fw rules
Destination port = 22 <– MISTAAAAAAAAAAAAAKE!!!!! BECAUSE.. WHO KNOWS WHERE THIS PORT CAME FROM!!!! HEYYYYYY WERE YOU ASLEEP!!! THAT'S "ssh" LAAAA, IS IT ANYWHERE IN THE RAW SYSLOG PAYLOAD, EH
AS FAR AS I CAN SEE THE PAYLOAD ONLY SHOWS "https-443".. TSKKK…TSKKK
port = 443 <– Not a mistake, because it comes from the fw rules
Impact = NetBIOS sharing and possible information disclosure and loss of data <– MISTAAAAAKEEEEEE.. HAHAHHAHAHAHAHA!!! WHAT THE HECK KIND OF WORK ARE YOU GUYS DOING HAAAAAAA!!!!
I'D LIKEN THE "PERSON" WHO DID THIS WORK TO:-
"JUST FINISHED EATING AND THEN HE ASKS HIMSELF, HEHHH DID I JUST HAVE LUNCH-UP OR DID I GO EAT EH???
NO WONDER THE GRILLED FISH AT ALI'S BICYCLE MOTORBIKE COMPUTERRR SHOP IS VERY CHEAP-UP LERR…"
SO GOOOOD!!! …HE SAYS"
HAHAHHAHAHAHA!!!! WHAT THE HECK does NetBIOS have to do with https & ssh, weiiii.. my "balls" hurt from laughing!!!!
MORAL OF THE STORY:
If you love using the mouse to copy & paste so much, and are too LAZY to re-read or re-confirm, or think "I'm already an expert", this is what happens, John@@@@@@..
The host's quote:
"Do you think this event should be escalated?"
ZiaSay's:
HAHAHHAHA.. in the first place I would say NO!!! and the one who should be escalated and executed and sent to the ISA detention center is the "dude" who did this anal_is_is and JOKE of the year!!! hoiii did you guys just wake up, or were you actually asleep while doing this mess..
oh dear, oh dearrr..
ZiaSay's.. I'm fed up..
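The re-read that the update and the quoted comment call for can be done mechanically before a notification goes out: every field the analyst typed should be traceable to the raw lines attached to it. The script below is an added example for this post, not code from the page or from the author's team. It parses the NetScreen-style key=value lines in the post and flags exactly the three problems discussed: a destination port (22) that appears in no log line, a NetBIOS impact statement with no NetBIOS/SMB port in evidence, and a Medium severity for connections that were denied with zero bytes in either direction. The log lines and the RFC 5737 addresses are constructed stand-ins for the post's redacted "(Local ISP)" and "(Web Server)".

```python
"""Cross-check a firewall event notification against the raw syslog lines it
quotes. Added example for this post, not code from the original page; the
notification fields and the log lines are constructed to mirror the post's
redacted email (RFC 5737 addresses stand in for the real ISP and web server)."""
import re
from typing import Dict, List, Set

# Constructed raw lines in the NetScreen-style key=value format shown in the post.
RAW_LOGS = [
    'Firewall: Firewall device_id=Firewall [No Name]system-notification-xxxx(traffic): '
    'start_time="2008-11-03 06:12:01" duration=0 policy_id=xx service=https proto=6 '
    'src zone=Untrust dst zone=DMZ action=Deny sent=0 rcvd=0 src=203.0.113.45 '
    'dst=192.0.2.10 src_port=11866 dst_port=443 session_id=0',
    'Firewall: Firewall device_id=Firewall [No Name]system-notification-xxxx(traffic): '
    'start_time="2008-11-03 06:18:44" duration=0 policy_id=xx service=https proto=6 '
    'src zone=Untrust dst zone=DMZ action=Deny sent=0 rcvd=0 src=203.0.113.45 '
    'dst=192.0.2.10 src_port=12243 dst_port=443 session_id=0',
]

# The notification as the analyst wrote it: ports and impact copied from the post.
NOTIFICATION = {
    "severity": "Medium",
    "dst_ports": {22, 443},
    "impact": "NetBIOS sharing and possible information disclosure and loss of data",
}

# Ports the NetBIOS/SMB family actually uses; a NetBIOS impact claim needs one of these.
NETBIOS_PORTS = {137, 138, 139, 445}

# key=value tokens; "src zone"/"dst zone" keep their two-word keys, quoted values keep spaces.
KV_RE = re.compile(r'((?:src |dst )?\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Split one syslog line into a dict of its key=value fields."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def _denied_idle(event: Dict[str, str]) -> bool:
    """True when the firewall dropped the session and no payload crossed in either direction."""
    return event.get("action") == "Deny" and event.get("sent") == "0" and event.get("rcvd") == "0"


def check_notification(notification: dict, raw_logs: List[str]) -> List[str]:
    """Return one finding per notification field that the raw logs do not support."""
    events = [parse_line(line) for line in raw_logs]
    findings: List[str] = []

    # 1. Every destination port in the notification must appear in at least one raw line.
    observed: Set[int] = {int(e["dst_port"]) for e in events if "dst_port" in e}
    for port in sorted(notification["dst_ports"] - observed):
        findings.append(f"destination port {port} appears in no raw log line (observed: {sorted(observed)})")

    # 2. A NetBIOS impact statement needs a NetBIOS/SMB port in the evidence.
    if "netbios" in notification["impact"].lower() and not (observed & NETBIOS_PORTS):
        findings.append("impact cites NetBIOS, but no NetBIOS/SMB port was observed")

    # 3. A session denied with nothing sent or received had no effect, so anything
    #    above Low overstates it (the point the quoted comment makes about severity).
    if all(_denied_idle(e) for e in events) and notification["severity"].lower() != "low":
        findings.append(f'severity "{notification["severity"]}" for denied, zero-byte events; Low fits better')
    return findings


def should_escalate(raw_logs: List[str]) -> bool:
    """Escalate only if some event was allowed or carried data; a clean deny is the firewall working."""
    return not all(_denied_idle(parse_line(line)) for line in raw_logs)


if __name__ == "__main__":
    for finding in check_notification(NOTIFICATION, RAW_LOGS):
        print("FINDING:", finding)
    print("escalate:", should_escalate(RAW_LOGS))
```

Run on the constructed input it reports three findings and `escalate: False`, which is the verdict the update gives. The check is deliberately dumb: it does not judge whether the traffic was hostile, only whether the words in the notification are backed by the lines pasted under it, which is the part a second pair of eyes is supposed to catch.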
You need a translator for this :)
Netbios?
HTTPS and it's blocked? I don't know, but it looks like legit HTTPS traffic and the scary firewall blocked it (correct me if I'm wrong, still learning here :).
Hmm, it shouldn't be, I think; the firewall has been wrongly configured… I think :)
22 and 443 for Netbios? C’mon…
->session_id=0, that’s why it got blocked
This one should not be escalated. The src comes from the untrust zone, so it should indeed be denied/blocked. Always bear in mind: whenever we notify a client about any security alert/incident, it must be associated with a solution/recommendation/eradication/remedy on the addressed matter. So, from the case above, if we decided to send a notification email, what would be the recommendation?
It's the human factor… maybe the person was very exhausted at that time.
Suggestion: have 2 or more people in the same team review the email before sending it.
It was blocked because of the state table (e.g. nmap -sA).. anything from the Internet can fall under the untrust zone; it's up to the admin which services to make accessible from the Internet..
Salam all,
What are you guys rambling about.. the question asked one thing and you answer another… later I'll tell "Epul to take off the MASK" and then all of you will be shocked..
All your comments could make a lot of people "break their heads and WET wooo uiiii dont make me honi laaa weii" mehmehmeh..
OK, lemme Ella_b0rit's <– needs a bit of "aSS" in it
The host's quote:
"Can you spot the mistakes? Do you think this event should be escalated? Be my guest to comment"
ZiaSay's:
Category = Firewall <– Not a mistake, because it comes from the fw event
Severity = "Medium" <– A small mistake maybe, because this event carries no "impact" at all since it was already DENIED.. mehmehmeh it should have been "LOW".. anyway the "Severity" wording is in the template, right.
Events = Blocked event <– Not a mistake, because it comes from the fw rules
Source IP = Local ISP <– Not a mistake, because it comes from the fw rules
Destination IP = Web Server <– Not a mistake, because it comes from the fw rules
Destination port = 22 <– MISTAAAAAAAAAAAAAKE!!!!! BECAUSE.. WHO KNOWS WHERE THIS PORT CAME FROM!!!! HEYYYYYY WERE YOU ASLEEP!!! THAT'S "ssh" LAAAA, IS IT ANYWHERE IN THE RAW SYSLOG PAYLOAD, EH
AS FAR AS I CAN SEE THE PAYLOAD ONLY SHOWS "https-443".. TSKKK…TSKKK
port = 443 <– Not a mistake, because it comes from the fw rules
Impact = NetBIOS sharing and possible information disclosure and loss of data <– MISTAAAAAKEEEEEE.. HAHAHHAHAHAHAHA!!! WHAT THE HECK KIND OF WORK ARE YOU GUYS DOING HAAAAAAA!!!!
I'D LIKEN THE "PERSON" WHO DID THIS WORK TO:-
"JUST FINISHED EATING AND THEN HE ASKS HIMSELF, HEHHH DID I JUST HAVE LUNCH-UP OR DID I GO EAT EH???
NO WONDER THE GRILLED FISH AT ALI'S BICYCLE MOTORBIKE COMPUTERRR SHOP IS VERY CHEAP-UP LERR…"
SO GOOOOD!!! …HE SAYS"
HAHAHHAHAHAHA!!!! WHAT THE HECK does NetBIOS have to do with https & ssh, weiiii.. my "balls" hurt from laughing!!!!
MORAL OF THE STORY:
If you love using the mouse to copy & paste so much, and are too LAZY to re-read or re-confirm, or think "I'm already an expert", this is what happens, John@@@@@@..
The host's quote:
"Do you think this event should be escalated?"
ZiaSay's:
HAHAHHAHA.. in the first place I would say NO!!! and the one who should be escalated and executed and sent to the ISA detention center is the "dude" who did this anal_is_is and JOKE of the year!!! hoiii did you guys just wake up, or were you actually asleep while doing this mess..
oh dear, oh dearrr..
ZiaSay's.. I'm fed up..
I thought NetBIOS was 139? Most probably this is a false alarm.
FALSE ALARM???
HELLOOOOOOOO… this is not about a false alarm, or the untrust zone, or session_id=0, or the fw being wrongly configured, or legitimate traffic and all that shit!!!!!
This is about NOT KNOWING HOW TO DO THE JOB!!! PERIOD! <– NOT BLOOD, you know..
This is the most SPECTACULAR MISTAKE in the world of anal_is_is, for those who take the career of Anal_Yst LIGHTLY.. that's all..
Why can't you guys SPOT the question and the OBVIOUS mistake!!
Anyway.. I feel you, ahmad_albab
ps: I want more mistakes!!! argggg GCefffA
Tsk tsk tsk… this is your world… I'm dizzy++
Don't understand at all..
Oops, wrong then.. never mind, I'm just a beginner.
Thanks bro Ayoi and bro ZiaSay..
Grandpa ZiaSays is fierce, I'm scared… Grandpa FFFiiiaaSays, this ANALyst must be sent to the Internal Sex Act (ISA). Grandpa FFFiiaaSays sure must be a kinky one.
hahaha… I don't deal with IDS/firewalls anymore, hence the guess… tried hard to dig deep down into my IDS brain… thanks for the lesson though
hoshhh!!
ahmad_sembab I [a]iiiickkkk U arr bebeh!!!! #whoami
anton is so stuck-up!! I'm fed up
say my name–say my name!! What’s my Name!!?
Hev phun g[a]uysssss!
Oh.. so it's you. I was wondering who that was. Who's stuck-up… when are we having mutton soup?