Busy

Posted by ayoi | work and IT | Thursday 6 December 2007 6:38 pm


pic source : www.gapingvoid.com

Gonna be busy like hell from now on.

Happy Computer Security Day

Posted by ayoi | work and IT | Sunday 2 December 2007 9:56 pm


I didn’t know there was a Computer Security Day until I read one of Akram’s posts here. So I’m just wishing you guys a Happy Computer Security Day (even though I’m 2 days late); it was last 30th November.

My advice, “Educate the management about security, not the users ;) ” 

Condolence

Posted by ayoi | Personal | Friday 30 November 2007 12:00 pm

My maid’s father passed away a few days ago (before she managed to return home). The news affected our family as well (including my parents, as they are the ones who brought her here). From the first day she started working at our house, when we had to teach her countless times how to do the house chores (credit to wifey, who provided the “training”), and when I had a thousand doubts about her taking care of Iman (she’s just 1 year old ++), until now, when both of my daughters treat her like their own sister and both of my twin boys are getting along well with her. Mistakes still happen now and then, here and there, but she’s getting better and better.

My family and I can only hope that she will be strong enough to accept that her father is no longer with her, and hopefully she realizes that somehow he lives on in her memory.

Al-Fatihah.

Hands full

Posted by ayoi | Personal | Wednesday 28 November 2007 5:59 pm

With my maid going back to her hometown for two weeks’ leave, wifey and I will have our hands full with these two boys..


Thankfully my parents willingly took both Nisha and Iman back to Kuantan. Help from any source is highly appreciated ;)

Infosec Technical Forum – conclusion

Posted by ayoi | work and IT | Tuesday 27 November 2007 8:11 pm


A security consultant from our department and I managed to arrive at PWTC around 1:40pm (she parked suspiciously in a no-parking zone. I told her to expect her car to have vanished by the time the forum concluded, but thankfully it didn’t happen).

One thing for sure, it’s damn hard to find the place. I mean the exact location where the forum was held. Asking directions from the people there created more confusion for us. Ahh, we managed to wander around like bloody tourists to find the exact hall. At least we managed to reach the Pan Pacific Hotel based on the directions given by one of the guards there. Btw, met geek00l and mel, who happened to be looking for the hall as well. (p/s: At least IMHO we got the hall name right compared to those two, but heck, they managed to reach that hall earlier than us.)

Needed to line up at registration to get our door gift, which is a laptop backpack (neat eh, and geek00l told me to blog about it hehehe) with brochures and magazines inside the backpack. So in the end my consultant and I ended up sitting beside mel and geek00l. Unfortunately I didn’t bring my lappy along, so I ended up taking notes in my book.

So, the 1st presentation was titled Internet Banking: Issues and Best Practice by Mr Adli from CyberSecurity Malaysia. Generally it was about the main issues faced by banks that offer online banking to their customers: phishing, spamming, identity theft and so on. I managed to jot down a few things (and some of it I can’t read.. Duh! hahaha). The discovery of the incidents based on the reported cases, coupled with statistics and other neat graphs. Anyway, a good presentation. Gets a good mark from me ;) . On other notes, yeah, the super flux method will definitely cause problems for us, especially in the security industry.

For the 2nd presentation, the title was Bluetooth Vulnerabilities and Exploits by Mr Ruhama, also from CyberSecurity. A good topic to discuss, but after a good presentation from Mr Adli this one was a little bit of a letdown. More reading the slides than elaborating on them, and IMO the slides were a little bit congested. A brief on Bluetooth history, the technology, the architecture, the stack (should elaborate more on this), and most of the tools can be found on the BackTrack CD. Anyway, a little bit of a letdown when performing the live demo, as first it needs a handphone with a vulnerable Bluetooth version (I guess), as in his example, a Sony Ericsson T610. Well, he managed to scan all the Bluetooth devices in the hall but couldn’t exploit them. IMO, for handphones, most people will always buy the new one or have a handphone with no Bluetooth capability at all (e.g. mel’s ;) ). Anyway, again it’s a good topic and I’d love to learn more about it.

After a good and damned nice tea + cigarette break, the session continued with a presentation from Mr Suresh Kumar of Maxis on Network Threats and Intrusions: Security Perspective from the ISP. Another good presentation, about IDS and the way the ISP handles all the attacks by implementing a sinkhole. Well, I read about this sinkhole implementation in Richard Bejtlich’s Extrusion Detection. One thing I noticed is that Mr Suresh, in one of his explanations, defined IDS from the network perspective only. Maybe he should include the existence of HIDS as well. Anyway, a good and clear presentation. Good mark from me.

And the last presentation was from Mr Mohamed F. Haron from Intel on the Web Intrusion Life Cycle. Basically it was a good presentation, but a little bit dull, perhaps because his VMware crashed before his presentation and that app failed on him again and again, so no live demo either. Anyway, the content of his presentation was structured and methodical, which is nice for a beginner (including me as well). My consultant managed to ask him to send his presentation slides to her for later use ;) .

Overall it’s good to have this kind of knowledge-sharing forum, but perhaps what we lack is good speakers. I mean a speaker who can draw the crowd into his speech and presentation. And at least I got a lappy backpack (OK, but I won’t use it as mine is better) and of course the mysterious gift (a few mouse pads) for us.

Maybe I will participate in another technical forum in the future if I get the chance.

Fun Job

Posted by ayoi | work and IT | Tuesday 27 November 2007 11:28 am

Who said you can’t have fun while doing your Security Analyst job? This is what my colleague sent me early in the morning.

my_colleague: PRIVMSG #fakap :aktiviti harian pepagi… berak!!! #my chat payload (Malay: “daily early-morning activity… taking a dump!!!”)
my_colleague: hahahahah
my_colleague: :-) )
me: hahaha #what else can I do besides laughing? Damned, sometimes I do hate being a security analyst. :) )

p/s: Now what I have to do is disable these chat-related rules on our sensors ;)

update: Ok, I do feel a little bit strange about why my chat traffic at webchat.org triggers the alerts while the one at freenode.org didn’t. I asked my colleague to tell me the alert message and here it is:

BLEEDING-EDGE ATTACK RESPONSE IRC – Private message on non-std port

Ahh okay, now let’s see what triggers this alert.

alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"BLEEDING-EDGE ATTACK RESPONSE IRC - Private message on non-std port"; flow:to_server,established; dsize:<128; content:"PRIVMSG "; nocase; offset:0; depth:8; tag:session,300,seconds; classtype:trojan-activity; sid:2000347; rev:5;)

Ok, let me describe this rule. (OK, I won’t dwell on RTN - Rule Tree Node and OTN - Option Tree Node. Just a simple description.)

The Rule Header 

alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668

any TCP traffic from HOME_NET (any source port) towards the external network (the internet la) on any destination port except 6661 to 6668. It does not trigger the alert by itself yet, as this is only the rule header; now let’s see the rule options:

The Rule Option 

(msg:"BLEEDING-EDGE ATTACK RESPONSE IRC - Private message on non-std port"; flow:to_server,established; dsize:<128; content:"PRIVMSG "; nocase; offset:0; depth:8; tag:session,300,seconds; classtype:trojan-activity; sid:2000347; rev:5;)

msg:"BLEEDING-EDGE ATTACK RESPONSE IRC - Private message on non-std port" <– this is the alert message

flow: to_server,established <– obvious. Only packets travelling from the client towards the server, on a TCP connection whose handshake has already completed (so a stray SYN or a spoofed single packet won’t match).

dsize: <128 <– the packet payload must be smaller than 128 bytes (strictly less).

content:"PRIVMSG "; nocase <— the payload content that triggers the alert, matched case-insensitively. Note the trailing space is part of the pattern, so it is 8 bytes long.

offset: 0 <– snort starts looking at the first byte of the payload.

depth: 8 <– snort only looks at 8 bytes of the payload from that offset. Since the content is itself 8 bytes, the payload effectively has to begin with PRIVMSG.

tag: session,300,seconds <– tag (log) the rest of the session that triggered the alert for 300 seconds, so the analyst gets the follow-on packets, not just the one that matched.

Meaning an alert for this rule is triggered when PRIVMSG (in any case) is found within the first 8 bytes of a TCP payload smaller than 128 bytes, sent on an established connection from any host and port in HOME_NET to the internet on any destination port besides 6661 to 6668. And the rest of that session will be logged for 300 seconds.

And when I ran netstat on my lappy,

TCP    Slackers:2208          anthony.freenode.net:6667                 ESTABLISHED
TCP    Slackers:2218          pool.webmaster.webchat.org:7000  ESTABLISHED

That’s why my chat traffic at webchat (port 7000, outside the excluded range) always triggers the alert but not my freenode traffic (port 6667, inside it).
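As an added example (not code from the original post, from Snort or from the Bleeding Edge rule set), here is a small Python re-implementation of just the options this rule uses: the !6661:6668 destination-port exclusion, dsize, and content with nocase/offset/depth. It runs over constructed client-to-server payloads modelled on the two netstat connections above; the chat text and packet names are made up, flow state is reduced to a flag on each packet, and the tag option is not modelled.

```python
"""Matching logic of Bleeding Edge sid:2000347 (IRC PRIVMSG on a non-std port),
re-implemented as an added example. Not Snort, not the Bleeding Edge rule set."""
from dataclasses import dataclass
from typing import List, Tuple

# --- Rule header: alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 ---
EXCLUDED_DST_PORTS = range(6661, 6669)   # !6661:6668 is inclusive on both ends

# --- Rule options (sid:2000347; rev:5) ---
MAX_DSIZE = 128           # dsize:<128  -> payload must be strictly smaller
CONTENT = b"PRIVMSG "     # content:"PRIVMSG " -> 8 bytes, trailing space included
OFFSET = 0                # offset:0    -> start the search at the first byte
DEPTH = 8                 # depth:8     -> search only 8 bytes from the offset


@dataclass
class Packet:
    """A constructed TCP segment from a HOME_NET client to an EXTERNAL_NET server."""
    name: str
    dst_port: int
    payload: bytes
    to_server: bool = True   # stands in for "flow:to_server,established"


def content_match(payload: bytes, content: bytes, offset: int, depth: int,
                  nocase: bool = False) -> bool:
    """Snort-style content test: look for 'content' inside the window of
    'depth' bytes that starts 'offset' bytes into the payload."""
    window = payload[offset:offset + depth]
    if nocase:
        return content.lower() in window.lower()
    return content in window


def sid_2000347_matches(pkt: Packet) -> bool:
    """True when this packet would fire the rule."""
    if not pkt.to_server:
        return False                          # flow:to_server
    if pkt.dst_port in EXCLUDED_DST_PORTS:
        return False                          # standard IRC ports are ignored
    if len(pkt.payload) >= MAX_DSIZE:
        return False                          # dsize:<128
    return content_match(pkt.payload, CONTENT, OFFSET, DEPTH, nocase=True)


# Constructed sample traffic modelled on the two netstat connections in the
# post (freenode on 6667, webchat.org on 7000); the chat text is made up.
SAMPLE_PACKETS = [
    Packet("freenode 6667, PRIVMSG", 6667, b"PRIVMSG #fakap :morning\r\n"),
    Packet("webchat 7000, PRIVMSG", 7000, b"PRIVMSG #fakap :morning\r\n"),
    Packet("webchat 7000, lowercase privmsg", 7000, b"privmsg #fakap :morning\r\n"),
    Packet("webchat 7000, JOIN", 7000, b"JOIN #fakap\r\n"),
    Packet("webchat 7000, oversized PRIVMSG", 7000,
           b"PRIVMSG #fakap :" + b"A" * 184 + b"\r\n"),     # 202 bytes, fails dsize
    Packet("webchat 7000, prefixed PRIVMSG", 7000,
           b":me!u@h PRIVMSG #fakap :hi\r\n"),              # PRIVMSG past depth 8
    Packet("webchat 7000, server->client", 7000,
           b"PRIVMSG #fakap :hi\r\n", to_server=False),     # wrong flow direction
]


def evaluate(packets: List[Packet]) -> List[Tuple[str, bool]]:
    """Run the rule over every packet and report (name, fired)."""
    return [(p.name, sid_2000347_matches(p)) for p in packets]


if __name__ == "__main__":
    for name, fired in evaluate(SAMPLE_PACKETS):
        print(("ALERT " if fired else "      ") + name)
```

Only the second and third packets fire: the freenode line is dropped by the port exclusion, and the oversized, prefixed and server-to-client variants each fail exactly one option. A narrower fix than disabling the chat rules on the sensors would be a suppress entry for sid 2000347 keyed on the webchat server address, which keeps the detection for every other non-standard IRC destination.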

Infosec.my Technical Forum

Posted by ayoi | work and IT | Tuesday 27 November 2007 10:11 am


I will be attending the Infosec.my technical forum today (27th November 2007), which will be held at PWTC (Putra World Trade Centre). Actually this event will only take half of my day (from 2 pm till 5.30pm) and my bosses have already given their blessings (authorization) for me to attend this technical forum. Thanks to geek00l who informed me about this forum, and after looking at the topics that are going to be presented, I think 3 out of 4 really catch my attention. Perhaps I can post a summary of the presentations here later. Also hopefully I can see familiar faces there as well (including one of my former colleagues who joined CyberSecurity - formerly known as NISER).

You can read more about the technical forum and the organization that organized this event as well at their website.

See you there.. ;)

shop.hazrulnz.net

Posted by ayoi | General,Personal,work and IT | Monday 26 November 2007 3:53 pm

I received an SMS from wifey today.

“Promote your shop la! I’ve already uploaded the items.. (and the rest about the need for template enhancements)”

So, as a good, supportive husband, I always try my best to fulfill wifey’s needs and passions with patience ;)

So guys and gals, if you are looking for goodies like handbags (not brand new ones, perhaps in the future), as wifey has lots of ’em and she really took care of them, clothes for babies and kids (especially for girls), and baby-related items (like baby cots or cribs), you can always go to http://shop.hazrulnz.net.

Current items? A Guess handbag. Selling price is RM 35.00 (including delivery, which I assume means within KL).

Also homemade cake, which is RM20 each (weighs 1.5kg++).

Why shop.hazrulnz.net? Because I can add unlimited subdomains for free.. That’s why ;P

p/s: This is a self-paid advertisement

And so it begins

Posted by ayoi | work and IT | Monday 26 November 2007 12:43 pm

My new tasks, of course. And yeah, of course there will be no fanfare, no signing-off ceremony etc (what did you expect?). To be exact, there’s no change at all haha, besides all the things in my head. For a start, I left my company ID card in the car (hanging from the rear-view mirror), which wifey either intentionally or honestly overlooked when I got out of the car at the office this morning. Thankfully there’s some sort of training on my floor, so they will leave the door open.

Anyway, I was given a task by my boss to complete an A-Z standard operating procedure for using our SIEM. This definitely reminds me of my days at The Client Site. This SOP will show how to log on (damned, including the URLs as well) and, to be honest, it is some sort of Using SIEM for Dummies. Only short of doing an SOP on how to perform the analysis. Oops, I’ve forgotten that The Client used to ask me to do that SOP as well. Sometimes I do wonder if these people think they can perform those analysis tasks just by reading a book or manual. If I managed to write an SOP/Manual/Handbook on how to perform security analysis, I might as well sell it and make some money..

Ahh, btw, last Thursday I attended the MyOSS meetup held at OUM. Interesting presentation from geek00l on Hex development, and he managed to show some demos of Hex usage. Lol, I could hear some people yawning, as the demos basically showed the capability of Hex in assisting analysts in performing their tasks. The neat part is the rawpacket team managed to combine the tools (instead of running them separately, which saves precious time) and of course the ability to visualize the data. But sometimes I do prefer the blacks and whites instead of the colors (I did say sometimes, right). A light TT after the presentation at Pelita, which I managed to have for only a few minutes as wifey was waiting to fetch me home :P

And on Friday, a presentation from a master’s student with the topic “HYBRID MODEL FOR INTRUSION DETECTION USING LIGHT-WEIGHT INVESTIGATIVE MOBILE AGENTS”. Of course I can’t reveal the content of the presentation here, but what I can conclude is;

a). He is an academician, and he introduces a good platform for the future (I guess), but it lacks a proper real-world implementation.

b). Concentrates on the ability of this Mobile Agent to perform investigation when it receives alerts. Meaning this Mobile Agent has artificial intelligence to perform analysis or investigation on the attacked or compromised machine. And I think the platform is Java. (If I am not mistaken laaa… He did show a bunch of Java code for his MA.) I do think in the end it won’t be lightweight anymore.

c). I think the deployment or his architecture is similar to the one we have currently, including the correlation engine as well. Anyway, I think a few of the terms he used are not suitable. He argued that our NIDS deployment/architecture is not a DIDS (distributed IDS), but when I looked into the definition and searched through Google, ours is a DIDS. And he uses the term enhancing the IDS but concentrates on his MA’s abilities, which of course drew arguments from my consultants :) )

Many more, as I think this presentation is more about how his model performs THEORETICALLY, so my mind was drifting off a little bit :) ). To be honest, IMHO, the presenter was a little bit agitated when the audience questioned his theory.

Enough ranting, better finish off my SOP and the report requested by my colleague in Jeddah. And to geek00l, I will complete my write-up.. hopefully ;)

New task

Posted by ayoi | work and IT | Friday 23 November 2007 2:10 pm

Again, yesterday I was given a new task by my immediate boss. Why did he give me that task? I think I shouldn’t disclose the events that led my boss to make that decision. Anyway, as far as I was informed as of yesterday, I will no longer work in shifts, and my main tasks will be preparing all the SOPs and internal training materials and conducting them, besides identifying the areas that need improvement in order to perform our tasks. And I will only be based in KL, no more overseas travelling. UNLESS my CSO says otherwise.

Like wifey said yesterday when I told her the news,

“You told me many times that you want a settled-down job. Don’t have to go anywhere and just do your job. Now you get your wish la..”

I don’t know what to say, but sometimes we have to think before wishing for something ;)
