Another Overseas Assignment?

Posted by ayoi | work and IT | Monday 5 November 2007 1:47 pm

My immediate Boss told me last week that I might have to assist him on the company’s project in one of the Gulf countries. The duration? 3 freakin years. It is not definite yet but just like the news that I had to go to Jeddah last time, I think it’s 60% true. Anyway he added that I can bring my family along this time if these things are confirmed. (We do get the project, only the manpower is still undecided). I told wifey about this and she okay’ed it.

If I do have to go, then I do need to have my family along. 6 months I still can accept being away from my family but years? I’ll miss my twins’ growth from the moment they learn how to talk, sit, crawl and walk and there is no way I want to miss that.. Damned, even Iman produced a shocked sound when she saw me at the airport the moment I reached KL from Jeddah and I only left for two months. I can’t imagine if I am gone for years..

Out of boredom.

Posted by ayoi | work and IT | Wednesday 31 October 2007 4:00 pm

I am supposed to conduct a log analysis training for a group from The Client tomorrow. Based on the topic it seems that it is more on system log analysis which is part of HIDS or I think more on system forensics. I only conduct the last day of the training btw and the topics given to me are SSHD logs and analysis in detail (I just dun know how detailed they want) and Windows Event Log Analysis. While preparing the material for SSHD logs (actually I just want to show why ppl are using SSH connections compared to the old Telnet), I sniffed the telnet and ssh traffic for the sake of comparison and to show the information leakage.

While trying to reconstruct the TCP stream, I used Wireshark “Follow TCP Stream” and tcpflow. Both of these yield similar results; the only difference is that while Wireshark “Follow TCP Stream” doesn’t show the inputs from the source, tcpflow does.

[Screenshots: Wireshark “Follow TCP Stream” output and tcpflow output]

But alas, I’ve overlooked one thing.. Instead of seeing the stream content in ASCII form, the Hex Dump view will definitely show the entire conversation content. I can feel somebody is giving a good smack at my forehead ;)


Lesson learned. (Warning: I seldom use Wireshark to look at the traffic. Most of the time only plain ol tcpdump or Anwindump. I shud start getting my hands dirty with Wireshark)

Anyway, I got one good question posed by mr geek00l.

“When I’m doing ICMP ping, it connects to what port?”

It’s a tricky question (for those who don’t know). I think this will help you answer the question.
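On the ping question above, an added example (not from the original post): constructed IPv4 packets are parsed to show that TCP and UDP headers begin with port numbers, while an ICMP echo carries type, code, identifier and sequence instead. The addresses, ports and payload are made-up sample values.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed 20-byte IPv4 header (10.0.0.1 -> 10.0.0.2) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload

def echo_request(ident: int, seq: int, data: bytes) -> bytes:
    """ICMP echo request: type 8, code 0, checksum, identifier, sequence."""
    body = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def describe_l4(packet: bytes) -> dict:
    """Report which fields the layer-4 header offers for identifying a flow."""
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto, l4 = packet[9], packet[ihl:]   # byte 9 is the protocol number
    if proto in (6, 17):                  # TCP/UDP start with src and dst port
        sport, dport = struct.unpack("!HH", l4[:4])
        return {"proto": "tcp" if proto == 6 else "udp",
                "sport": sport, "dport": dport}
    if proto == 1:                        # ICMP has no port fields at all
        itype, code, _, ident, seq = struct.unpack("!BBHHH", l4[:8])
        return {"proto": "icmp", "type": itype, "code": code, "id": ident,
                "seq": seq, "checksum_ok": inet_checksum(l4) == 0}
    return {"proto": proto}

# Constructed samples: a ping, and a TCP SYN to the telnet port
# (the TCP checksum is left at zero because only the ports are read).
PING = ipv4(1, echo_request(0x1234, 1, b"abcdefgh"))
TELNET_SYN = ipv4(6, struct.pack("!HHIIBBHHH", 40000, 23, 0, 0,
                                 0x50, 0x02, 8192, 0, 0))

if __name__ == "__main__":
    print(describe_l4(PING))
    print(describe_l4(TELNET_SYN))
```

Echo replies are matched to requests by the identifier and sequence fields, which is why filters and IDS rules for ping key on ICMP type and code rather than on a port.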

Never Again

Posted by ayoi | work and IT | Wednesday 31 October 2007 1:15 pm

I will never ever again conduct any training whatsoever during my work. I dun mind conducting any training which I believe I have sufficient knowledge and ability to perform. Not some sort of ad hoc kinda training which I think and believe is not fair to me and of course to the participants who attend the training. No MORE!!

p/s: Btw it doesn’t matter how passionate I am with the thing/work that I do for a living but there is no way it can replace the needs of my family. Between work and family, I am more than happy to choose my family. Am I pissed off? Kinda.

Upgrade

Posted by ayoi | Personal | Monday 22 October 2007 12:35 pm

For the sake of my beloved ones:

 

[Photos]

 

I have to upgrade myself.. Err starting by getting a cert first ;)  

Bloody Monday

Posted by ayoi | General | Monday 22 October 2007 11:15 am

Literally. It started when I had this small lump (wifey insists that it is big) on my forehead just above my left eyebrow. The last few days it started spurting blood. Yesterday morning after taking a shower, I just came out from the toilet and went straight to our cupboard to get a shirt. Whut I missed was the strange look on wifey’s face the moment I walked out from the bathroom. Then when I took one shirt out, I noticed a few blood stains on it and asked wifey,

“whose blood on this shirt?”

And without hesitation wifey replied,

“oi, it’s your blood, go back into the bathroom and look at the mirror.”

As a good husband, I of course obeyed wifey’s instruction and to my horror, most of my left eye and cheek were covered with blood. After washing off the red liquid, I walked out and made some smart ass remark to wifey,

“I thought I didn’t dry myself properly.”

“Oi, the blood are still there. Wash properly laaaaaaaaaaa…”

Another 10 minutes and the bleeding stopped. It happened again this morning and to my horror it happened during a walk towards Masjid Jamek Putra LRT station. Because it was raining (not a downpour), I thought my face was covered with rain, until I noticed there were a few red spots on my spectacles; then I knew that something was wrong. Thank God I did bring wifey’s tissue and minyak gamat along.

I do wonder what those RapidKL guys were thinking when they saw one man happily texting using his handphone with most of his left cheek and forehead covered with blood while listening to some nice songs.

Festive Greeting

Posted by ayoi | General | Thursday 11 October 2007 11:04 am


On behalf of my family, I would like to wish Muslims all over the world, “Selamat Hari Raya Aidil Fitri“. May all of us (I mean ALL of you regardless of race, religion or nationality) live together happily and respect each other.

For Malaysians, be careful on the road for Balik Kampung. I will go back to my family’s home at Kuantan tonite and will be on leave starting tomorrow until 20th October 2007. So Happy Holiday guys and gals :)

Selamat Hari Raya Aidil Fitri, Maaf Zahir dan Batin.

Ayoi, Shahniza Ismail

Nisha Adrianna Amani, Nur Iman Nadhirah

Adam Danish and Ariff Danial

Sick and yesterday’s event

Posted by ayoi | work and IT | Wednesday 10 October 2007 1:25 pm

Yeah, I was sick yesterday. High fever and sore throat (but still can shout at my noisy daughters). However, I still have to fulfill the task of taking care of the twins (meaning the earliest time I can sleep is around 5 am in the morning), sore throat or not, as that is the decree of wifey and I dun have any guts (or voice) to argue.

It is not easy to get them from this state:

[photo]

to this

[photo]

Sometimes I do feel that they have this conspiracy to deprive me of my sleep

[Photo caption: Tee..He..He..]

And especially when Iman starts to smile like this

[photo]

However my Sec.Consultant did ring me to inform me that I was supposed to attend a meeting regarding the development of new detection tools. For the first session, our developers presented the proposed detection engine and I voiced my dissatisfaction with having snort output through syslog. I did mention that unless the rules are properly tuned and customized, it may not be an issue but for the Client sites that “require” all rules to be enabled, I found that it is not practical or suitable to have these alerts sent over in flat file format. Hey, even with the alerts armed with payloads (only) we have problems doing identification on those alerts. I did mention that from my view, in order to perform proper analysis, I do need sufficient information at my disposal. Meaning I want that information to be there. If not then it will turn out to be another guessing game and I pretty much hate that.

So I dun have any idea whatever happened or the result of that meeting but I’ve been informed that there will be another round of that meeting. This time I dun want to miss it. ;)
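The complaint in this post is that a Snort alert sent over syslog arrives as one flat line. Added example (not the author's or his company's tooling): it parses lines in the layout Snort 2.x's alert_syslog output is assumed to use and records what identification context such a line cannot carry. The log lines, SIDs, hostnames and addresses are constructed, and endpoints are assumed to be IPv4.

```python
import re

# Assumed line layout (constructed samples below follow it):
#   <syslog prefix> snort[pid]: [gid:sid:rev] msg [Classification: c]
#   [Priority: n] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"snort(?:\[\d+\])?:\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+(?:\[Classification:\s*(?P<classification>[^\]]+)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]:?\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)

# Context an analyst wants for identification that the flat line never holds.
NOT_IN_SYSLOG = ("payload", "packet_headers", "tcp_flags", "session_context")

def split_endpoint(endpoint):
    """'192.0.2.20:23' -> ('192.0.2.20', 23); no port (ICMP) -> (ip, None)."""
    host, sep, port = endpoint.rpartition(":")
    return (host, int(port)) if sep and port.isdigit() else (endpoint, None)

def parse_alert(line):
    """Return a dict of the alert's fields, or None for non-Snort lines."""
    m = ALERT_RE.search(line)
    if m is None:
        return None  # other daemons write to the same syslog file
    ev = m.groupdict()
    for key in ("gid", "sid", "rev", "priority"):
        ev[key] = int(ev[key])
    ev["src_ip"], ev["src_port"] = split_endpoint(ev.pop("src"))
    ev["dst_ip"], ev["dst_port"] = split_endpoint(ev.pop("dst"))
    ev["missing"] = NOT_IN_SYSLOG  # must be fetched from pcap or unified logs
    return ev

# Constructed sample lines (documentation addresses, local-rule SIDs).
SAMPLE_LOG = [
    "Nov  1 09:15:02 sensor1 snort[2211]: [1:1000001:1] LOCAL telnet login "
    "attempt [Classification: Attempted User Privilege Gain] [Priority: 1] "
    "{TCP} 192.0.2.10:40000 -> 192.0.2.20:23",
    "Nov  1 09:15:03 sensor1 snort[2211]: [1:1000002:1] LOCAL ICMP echo "
    "request [Classification: Misc activity] [Priority: 3] "
    "{ICMP} 192.0.2.10 -> 192.0.2.20",
    "Nov  1 09:15:05 sensor1 sshd[901]: Failed password for invalid user "
    "test from 192.0.2.10 port 40001 ssh2",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(parse_alert(entry))
```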

Security Analyst

Posted by ayoi | work and IT | Monday 8 October 2007 12:10 pm

My friend geek00l will conduct interviews for the post of Security Analyst at the company he worked for. I’d say good luck to all the candidates and prepare yourselves. My tips?

Search/google to find what the hell the Security Analyst tasks and responsibilities are, the knowledge and skills required, plus the right attitude for the job. It is a good thing to know the fundamentals, such as security itself (its process, practices etc), and I love to remind my SAs that they need to know networking fundamentals especially the protocols, attack phases (you need to know the appropriate response for different phases of attacks), security components, IDS (NIDS and HIDS concept) and some others which I am too lazy to put down here. Yeah, you need to have the passion for reading.

[Photo caption: I love reading]

You have to read everyday.. Trust me. If not you will feel that this job is damn boring. I can assure you that. Some of the SAs I’ve known did tell me that they think this job is so damn boring but once I ask them the questions on the tasks and responsibilities of SA, they just dun know the answer.

[Photo caption: TCP/IP? Intrusion? IDS? Threat Model?]

And yes, surprisingly I’ve even met Security Analysts who simply dun have any idea what connection-oriented and connectionless are all about. Never mind things such as the TCP handshake (this is my favourite question because I do believe it is fundamental. If you have an IT degree especially in Networking, this information shud be at your fingertips. In fact you are the one who shud teach me.) OK OK I in fact know one fella who claimed he has 9 years experience in the Security Industry but dun have any idea about port scanners (Nmap purposely mentioned) or does not know what the purpose of snort is. (Just quick google and you know the function of snort in IDS maaa)

Anyway, good luck again and welcome ;)

Just pics

Posted by ayoi | Personal | Friday 5 October 2007 2:40 pm

A few pics taken using my phone. I can’t afford to get one truly cybershot camera, but at least now I have a cybershot camera that can make phone calls :D

[Photo: Nisha Adrianna Amani]

[Photo: Nur Iman Nadhirah]

[Three more photos]

I have some minor problem with my picture gallery. Will upload the rest of the pictures when the problem is rectified.

p/s: Yeah, I have 4 kids now ;)

 

How do I feel now..

Posted by ayoi | Personal | Friday 5 October 2007 2:15 pm

[Photo caption: Psst..Papa is not feeling well..]

Demotivated, dumbstruck, disappointed, tired, bored, angry, sad. I just dunno why, maybe I need a kick at the backside to get me going or just need a change of scenery or environment.. Who knows rite ;)
