The exhibition starts today, with our PM performing the opening ceremony. Even though it’s a holiday today (Wesak Day), wifey has to man the IBM booth for the whole day, so I have to send her to the Kuala Lumpur Convention Center near the Kuala Lumpur City Center Twin Towers. Today the exhibition opens to the public only at 12 noon, and of course I do plan to take a tour of the exhibition, looking for new technology and solutions that might be useful to us and perhaps could be incorporated with our own solutions.

So if you don’t have anything to do from 19th May 2008 until 21st May 2008, perhaps you can drop by KLCC and take a look at the latest technology or solutions that might suit you or your organization. If you come today, perhaps you can listen to wifey “goreng” on IBM solutions, and if you plan to come on 21st May, then perhaps you can also visit me at my company’s booth, located at Exhibition Hall 2, Booth number 209, and listen to me “goreng” on our solution as well :) And maybe we can have a TT session after that? ;)

More on WCIT : http://www.wcit2008.org/Pages/default.aspx

Wifey at IBM’s booth

Btw, like I said, the exhibition will be held here

And not in here

Even though the former is near the latter :)

On this day, I would like to take this opportunity to wish my Idol, my inspiration, my role model, my motivator, my adviser, who is the greatest father I’ve been blessed with;

I really love you abah. . .

And oh.. Happy 32nd birthday to me as well :)

Finally, the end of the training days at ESSET. Yey.

This is the best class I ever had, as they were so responsive to the topics, and the questions posed to me were constructive, challenging, dynamic and also interesting. I wish I could have this kind of audience at every training session that I’ve conducted or will conduct in the future. Just a wish eh ;)

Well, it seems that I’ll be doing all the training in the world nowadays. OK, I am not, but I do feel like that. Anyway, from today until Thursday I will be occupied by training (no sore throat, hopefully), and I can start doing my own work on Friday.

Only this time, instead of conducting the training in the training room at the office as usual, I’ve been asked to run those sessions at one of the training facilities that is open to the public (you need to book and pay la). It is a nice place: good facilities, nice food, plenty of seminar and training rooms and even one large auditorium. Where is it? It is located in Bangi and the place is called ESSET. Yes, it belongs to EPF, but any organization can use all the facilities there (including the hostel, which is nice; instead of feeling like you are staying in a hostel, you will feel like you are staying in a hotel), and of course it comes with prices lor. Want to know more about it? Just browse its website here.

In the training room

Oh btw, even though this place is a lil bit “ulu bendul”, hey, for Maxis broadband access I managed to get a full HSDPA connection. Nice eh ;)

For the greatest mother in the world.. My mom. . .

You taught me everything
And everything you’ve given me
I always keep it inside
You’re the driving force in my life, yeah

There isn’t anything
Or anyone I can be
And it just wouldn’t feel right
If I didn’t have you by my side

You were there for me to love and care for me
When skies were grey
Whenever I was down
You were always there to comfort me
And no one else can be what you have been to me
You’ll always be you always will be the girl
In my life for all times

You’re always down for me
Have always been around for me even when I was bad
You showed me right from my wrong
Yes you did

And you took up for me
When everyone was downin’ me
You always did understand
You gave me strength to go on

There was so many times
Looking back when I was so afraid
And then you come to me
And say to me I can face anything
And no one else can do
What you have done for me
You’ll always be
You will always be the girl in my life

Mama, mama you know I love you
Oh you know I love you
Mama, mama you’re the queen of my heart
Your love is like
Tears from the stars
Mama, I just want you to know
Lovin’ you is like food to my soul

The pic sums up my feelings. I had to come to the office instead of following my doctor’s advice, because I needed to perform something which I believe I delegated last Monday, but to no avail. I had to do it myself, and I’ve made a mental note: for my unit, I’ll make sure that my team members will be able to perform the tasks given to them. Period. . .

Anyway, yesterday, while walking at the Pasar Malam near our house, there was one Maxis stall offering the Maxis Broadband service. For the time being, even though we have izzi as one of our ISPs, due to its coverage being unavailable we decided that Maxis broadband should be the alternative, especially for downloading email and of course for browsing (and blogging he he he). Well, for RM100 we got one USB modem, a SIM card and one gift. Of course the line will only be activated today (I’m uploading this post using Maxis broadband :) )

So far everything is OK; hopefully it stays like that. I can surf the net and download my emails, and for the time being no FTP transactions yet (I dun think I need one btw).

But I need to pay RM 138 per month for this service. :P

Yup, this week and next week will be my R&R – Rest and Recuperation – period after going through one minor surgery yesterday at Sunway Medical Center. Minor in the sense that I will not be warded but will be put under Day Care instead (at first it sounded like I was going to be placed in kindergarten :P ).

What is this surgery for? To remove my annoying “horn” above my left eyebrow. I’ve been carrying that “horn” for about 6 months plus now and am somehow a lil bit tired of explaining to literally everybody how I got this lil “horn”.

OK, based on the checklist that I received from the nurse on Saturday, it is recommended to bring magazines or books, as the surgery time depends on your queue number. As I was slotted in as a replacement for some guy who suddenly postponed his surgery, I could expect that my surgery would be done sometime in the evening. So the day before the D-Day, wifey and I wandered around IOI Mall Puchong to look for Nisha’s textbook and also my reading material while waiting for my surgery. So I bought this;

Nice for light reading. OK, to be honest, I was inspired to buy this book by the movie starring Tom Cruise and the shouting-all-the-time Dakota Fanning (BTW she’s richer than you and me eh).

So yesterday (Monday) wifey decided to take one day off to accompany me at the hospital (thanks wifey), and even though she never failed to tease me or give some “encouraging” words, I am still grateful for her willingness to be by my side. We registered at 8 am (early in the morning, as I needed to fulfill the insurance time-at-the-ward requirement), and for a guy who was about to go through his first surgery, wearing the hospital green robe without anything else is a lil bit awkward. Of course wifey never stopped laughing, as I looked like I was wearing a skirt.

And after my blood sample was taken, endless trips to the toilet, and sleeping (quite difficult to sleep in that cold condition – and not wearing anything underneath the robe did not help), finally the moment of truth arrived. So I was taken to the operating theater, and while the anesthetist performed his tasks, my mind started drifting away and I blacked out. It seemed like only a while before I could feel someone pulling some tubes out of my mouth, and my left eye had this stinging sensation which took a while for me to readjust my view.

My throat felt so sore that I couldn’t speak, but from the corner of my eye I could see wifey smiling. I managed to ask wifey how long I’d been gone and she said only one hour. ONLY one hour? Dang. But I am grateful that everything is fine and I am safe and sound. Perhaps I need some time to recover my strength (I can’t laugh or frown, to avoid my stitches coming undone – that’s my theory lor).

Nice stitches above my left eyebrow eh :D

I’ve been given one week of rest by the doctor and been advised against any “stressful” work for the time being. Well, having read all the emails (yeah, I did go to the office today to check the emails and sort some things out), it seems that during my “resting” period, perhaps I need to prepare or devise some plan for my new unit. Yes, I’ve been promoted to head a new unit that will deal with the practices and also with research and development. To my bosses, thanks for the trust given to me, and I’ll try my best to lead and perform.

But for the time being, perhaps I should get back to one of my hobbies… Sketching.

See you next week :)

I’ve been tagged by my former bedmate :D here

These are the rules :

1. Post YOUR photo wearing red, may it be red top, bottom, the least would be red accessories if u hate wearing red. If u can’t find one, u still have an option. Either post your significant other’s photo or your child’s photo, if u have one. Of course, they should be wearing red.

2. Let us know the reason why u were wearing that particular day. Was it ur birthday? Is red ur fave color or was it the shirt that u first saw in ur closet that day?

Red is one of my favourite colors. Alas, I just can’t find any pic of me wearing a Manchester United jersey, but as a substitute, I’ll let Adam take center stage :D

Red walker can also la eh? :D

OK, this is the second part of the previous post here.

For security monitoring, the most important factor is the HUMAN factor. Without a knowledgeable and skillful analyst who can properly dissect the output presented to them by the tools, the detection process will definitely fail at the Identification level. If they fail to provide any useful context for the output or indicator produced, then how can they produce an appropriate warning? It doesn’t matter how advanced the application is or how comprehensive the guidelines are, because at the end of the day these analysts have failed to understand what they are looking at, what actually happened and what reactions are needed.

According to one of NSM’s Principles;

“Indicators are collected and analyzed, where Products perform collection because people need assistance in interpreting the network traffic. People will perform analysis, as a product or tool will only provide outputs or conclusions about the traffic, but PEOPLE will provide context based on the situation and network environment.” Unless we have super intelligent tools that can replace human decision making and intuition, this statement remains true.

In the previous post, I provided a simple example using Wireshark. I will use that same example again here.

The KEY point here is simple: IF you know what you are looking for and where to look, and consequently understand what the tools are presenting to you (the outputs), then you will have few or no complaints about using that tool.

From the information presented by Wireshark, we know that a SYN flood attack occurred. From the general view, the attack appears to come from many hosts towards 192.168.2.127. We also know that the targeted port increases with each packet that comes from these hosts. Agree? But you might say that, given the destination port increasing by 1 each time, perhaps the source hosts are performing an Nmap -sS scan?

Well, the TCP control flags involved in those two types of traffic (SYN flood and Nmap -sS) might be the same (the SYN flag), but the objective is totally different. Scanning, or reconnaissance, is the act of information gathering, meaning that when you send a request, you want to know the reply. In the Nmap -sS case, when you send a SYN packet to a machine on a specific port, you want to know whether the service using that port is running or not, based on the response given by the targeted machine. A SYN+ACK response indicates that the service on the targeted port is available, while a RST+ACK shows otherwise.

As an example (this scan targets a closed https port):

ayoi# nmap -sS 192.168.2.126 -p 443

Starting Nmap 4.52 ( http://insecure.org ) at 2008-05-02 22:01 MYT
Interesting ports on 192.168.2.126:
PORT    STATE  SERVICE
443/tcp closed https

MAC Address: 00:1E:C9:BA:E0:8E (Dell)

And the packets look like this:

22:01:55.144824 IP 192.168.2.7.47264 > 192.168.2.126.443: S 3725734349:3725734349(0) win 3072 <mss 1460>
22:01:55.145338 IP 192.168.2.126.443 > 192.168.2.7.47264: R 0:0(0) ack 3725734350 win 0
22:01:55.246070 IP 192.168.2.7.47265 > 192.168.2.126.443: S 3725799884:3725799884(0) win 2048 <mss 1460>
22:01:55.246394 IP 192.168.2.126.443 > 192.168.2.7.47265: R 0:0(0) ack 3725799885 win 0

Note the replies from 192.168.2.126: the R flag with an ack, i.e. RST+ACK, for each SYN. Btw, how on earth does Nmap know that 192.168.2.126 is using a Dell NIC? Of course, based on the first 3 bytes of the MAC address. In a MAC address, the first 3 bytes (the OUI) belong to the manufacturer. :D

OK, on to the open-port scan result (the MSSQL port):

ayoi# nmap -sS 192.168.2.126 -p 1433

Starting Nmap 4.52 ( http://insecure.org ) at 2008-05-02 22:07 MYT
Interesting ports on 192.168.2.126:
PORT     STATE SERVICE
1433/tcp open  ms-sql-s

MAC Address: 00:1E:C9:BA:E0:8E (Dell)

Nmap done: 1 IP address (1 host up) scanned in 0.818 seconds

Let’s see the packets generated by this activity:

22:07:26.614121 IP 192.168.2.7.39401 > 192.168.2.126.1433: S 2210806291:2210806291(0) win 4096 <mss 1460>
22:07:26.614298 IP 192.168.2.126.1433 > 192.168.2.7.39401: S 1072455176:1072455176(0) ack 2210806292 win 16384 <mss 1460>
22:07:26.614312 IP 192.168.2.7.39401 > 192.168.2.126.1433: R 2210806292:2210806292(0) win 0

So from this kind of response you know which ports or services are available and which are not.

As for SYN flood attacks, the sender definitely does not want any response from the targeted machine. The purpose is to bring down the machine or any services running on it. So the usual way is to send many SYN-flagged packets to the targeted machine with spoofed IPs as the sender, meaning the targeted machine will reply to non-existent hosts. Agree?

Back to the packet capture shown in Wireshark: from the Layer 2 information we can also identify that those spoofed IPs are coming from one source. Take note of the MAC address: each packet has a different source IP but the same source MAC address.

OK, the packets shown below were not taken from Wireshark exactly; I used WinDump (too lazy to do a screen capture and Photoshop editing).

12:31:05.298444 00:0c:29:f3:a6:39 > 00:16:d3:06:6f:0e, ethertype IPv4 (0x0800), length 54: 138.248.102.217.2898 > 192.168.2.127.4: S 1224680571:1224680571(0) win 512
0x0000:  0016 d306 6f0e 000c 29f3 a639 0800 4500
0x0010:  0028 4688 0000 4006 7f4f 8af8 66d9 c0a8
0x0020:  027f 0b52 0004 48ff 247b 66b4 2cad 5002
0x0030:  0200 ecb7 0000
12:31:06.299688 00:0c:29:f3:a6:39 > 00:16:d3:06:6f:0e, ethertype IPv4 (0x0800), length 54: 75.4.79.22.2899 > 192.168.2.127.5: S 937274104:937274104(0) win 512
0x0000:  0016 d306 6f0e 000c 29f3 a639 0800 4500
0x0010:  0028 592a 0000 4006 c464 4b04 4f16 c0a8
0x0020:  027f 0b53 0005 37dd aaf8 3a03 9c6f 5002
0x0030:  0200 8c00 0000
12:31:07.301244 00:0c:29:f3:a6:39 > 00:16:d3:06:6f:0e, ethertype IPv4 (0x0800), length 54: 222.140.18.61.2900 > 192.168.2.127.6: S 725808845:725808845(0) win 512
0x0000:  0016 d306 6f0e 000c 29f3 a639 0800 4500
0x0010:  0028 8fb7 0000 4006 3728 de8c 123d c0a8
0x0020:  027f 0b54 0006 2b42 f6cd 3959 22eb 5002
0x0030:  0200 7043 0000
12:31:08.302673 00:0c:29:f3:a6:39 > 00:16:d3:06:6f:0e, ethertype IPv4 (0x0800), length 54: 107.230.246.46.2901 > 192.168.2.127.7: S 382745863:382745863(0) win 512
0x0000:  0016 d306 6f0e 000c 29f3 a639 0800 4500
0x0010:  0028 3fdf 0000 4006 15b5 6be6 f62e c0a8
0x0020:  027f 0b55 0007 16d0 3d07 4156 a244 5002
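As an added example (my own code, not from the original post), here is a small Python classifier that applies the two tells above to tcpdump/WinDump-style lines: a SYN that gets a SYN+ACK or RST+ACK back is reconnaissance, while a run of unanswered SYNs from many source IPs that all share one source MAC is a spoofed flood from a single box. The sample lines are constructed in the format of the captures above, and the function names and the line regex are assumptions.

```python
import re

# Constructed sample in the tcpdump/WinDump style of the captures above (not the post's own packets)
SAMPLE = """\
22:01:55.144824 IP 192.168.2.7.47264 > 192.168.2.126.443: S 3725734349:3725734349(0) win 3072 <mss 1460>
22:01:55.145338 IP 192.168.2.126.443 > 192.168.2.7.47264: R 0:0(0) ack 3725734350 win 0
22:07:26.614121 IP 192.168.2.7.39401 > 192.168.2.126.1433: S 2210806291:2210806291(0) win 4096 <mss 1460>
22:07:26.614298 IP 192.168.2.126.1433 > 192.168.2.7.39401: S 1072455176:1072455176(0) ack 2210806292 win 16384 <mss 1460>
12:31:05.298444 00:0c:29:f3:a6:39 > 00:16:d3:06:6f:0e, ethertype IPv4 (0x0800), length 54: 138.248.102.217.2898 > 192.168.2.127.4: S 1224680571:1224680571(0) win 512
12:31:06.299688 00:0c:29:f3:a6:39 > 00:16:d3:06:6f:0e, ethertype IPv4 (0x0800), length 54: 75.4.79.22.2899 > 192.168.2.127.5: S 937274104:937274104(0) win 512
12:31:07.301244 00:0c:29:f3:a6:39 > 00:16:d3:06:6f:0e, ethertype IPv4 (0x0800), length 54: 222.140.18.61.2900 > 192.168.2.127.6: S 725808845:725808845(0) win 512
"""

LINE = re.compile(  # old-style tcpdump line, with or without the "-e" Ethernet prefix (assumed format)
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?:(?P<smac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > (?:[0-9a-f]{2}:){5}[0-9a-f]{2}, "
    r"ethertype IPv4 \(0x0800\), length \d+: |IP )"
    r"(?P<sip>[\d.]+)\.(?P<sport>\d+) > (?P<dip>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SRFP.]+) (?P<rest>.*)$")

def parse(text):  # one dict per packet line; hex-dump lines (0x0000: ...) do not match and are skipped
    pkts = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        p = m.groupdict()
        p["ack"] = " ack " in p.pop("rest")            # SYN/ACK or RST/ACK reply carries an ack
        p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
        pkts.append(p)
    return pkts

def classify(pkts):  # per target host: answered probes = scan; many IPs behind one MAC = spoofed flood
    verdicts = {}
    syns = [p for p in pkts if "S" in p["flags"] and not p["ack"]]
    for dip in sorted({p["dip"] for p in syns}):
        probes = [p for p in syns if p["dip"] == dip]
        states = {}
        for q in probes:                               # did the target answer this SYN?
            for r in pkts:
                if r["ack"] and (r["sip"], r["sport"], r["dip"], r["dport"]) == (
                        dip, q["dport"], q["sip"], q["sport"]):
                    states[q["dport"]] = "open" if "S" in r["flags"] else "closed"
        srcs = {p["sip"] for p in probes}
        macs = {p["smac"] for p in probes if p["smac"]}
        ports = [p["dport"] for p in probes]
        if states:                                     # replies were wanted: reconnaissance
            verdicts[dip] = {"kind": "syn_scan", "ports": states}
        elif len(srcs) > 1 and len(macs) == 1:         # spoofed IPs, one NIC behind them all
            verdicts[dip] = {"kind": "syn_flood_spoofed", "src_mac": macs.pop(), "src_ips": len(srcs),
                             "ports_sequential": ports == list(range(ports[0], ports[0] + len(ports)))}
        else:
            verdicts[dip] = {"kind": "unanswered_syns", "src_ips": len(srcs)}
    return verdicts
```

Running `classify(parse(SAMPLE))` reports 192.168.2.126 as a SYN scan with 443 closed and 1433 open, and 192.168.2.127 as a spoofed flood from MAC 00:0c:29:f3:a6:39 with sequential target ports.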

SO again, it doesn’t matter what kind of tools or applications you are using; the most important thing is that you understand and know how to properly dissect the information presented. Once you know what, when, how and why, and which information is relevant to a proper analysis, then you can start demanding, or perhaps insisting, on having the right tools to give you the right information for performing your tasks. Not just mere guidelines.

…For My Brother;

And for My Brother and his wifey;

And lastly to all of you;
