A good sign eh?

Posted by ayoi | work and IT | Friday 18 July 2008 5:07 pm

Well, my itchy fingers have been playing around with the courses offered by SANS and GIAC. Then, out of curiosity, I accessed the demo of SANS OnDemand for the course 517: Cutting Edge Hacking Techniques. It is just a demo, but I can see a glimpse of what the course will cover over 2 days. Basically I think it is an extension of the course that I’ve taken, Hacker Techniques, Exploits and Incident Handling, where if I pass the exam I will be a GIAC (Global Information Assurance Certification) Certified Incident Handler - GCIH.

So this on-demand course demo let me access 2 sets of slides that cover 2 topics, and the assessment is done on the second topic. To be honest, the questions are not that difficult, but you might fail the assessment if you DO NOT look carefully. :)

Oh yeah, you need an account at the SANS Portal to access the demo, btw.

So hopefully I will get the real certification later on :)

Interviews, Analyst and other stuff..

Posted by ayoi | work and IT | Friday 11 July 2008 1:13 pm

I dun have an appropriate post topic actually, but let me sum up whatever I have in my head.

For yesterday’s interview, like I mentioned in my previous post, I didn’t expect too much, and boy, it helped. On the happy note, most of the candidates showed a lot of passion and it seems that they have the right attitude to be in this industry, but perhaps that is because whenever you are in an interview, you will try your best to project that you ARE the suitable candidate and you DO HAVE the right attitude, right? But as I am a good person, I just gave good recommendations for higher management to decide. Sad note? I think it is better for me to keep it to myself.

On the other hand, I think I am getting a more and more macro view of the overall picture of my current work. It seems that I (think I) managed to pull all the strings together: use other information to relate to my current work and somehow manage to see the bigger picture. Even though I have to admit that I do miss doing some full-blown tasks like research and learning new things fully (not on an ad hoc basis) and reading properly (like my assembly thingy), somehow I think I can live with that for now. I’ve downloaded all the packets listed on openpacket.org, but for now that’s all. Hope I can play with those later on; still not yet finished with the brute force thingy.

Hopefully I can finally manage to do all the stuff that I love to do, but for now, I think I am doing just fine.

Ahh.. I’ve noticed that my poyo (silly) interview questions attract some interest here. Unfortunately the replies are not that accurate, so let me elaborate or just give the answers here.

Q1: If I ping from host A to host B using ICMP Type 8 Code 0, which port does this ICMP packet go to?

A1: No port. The ICMP protocol structure doesn’t have any port field in it. The message, i.e. the type and code, will be processed by the receiving machine’s IP stack and the appropriate response will be given.
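To make A1 concrete, here is an added example (my code, not from the original post) that builds and parses an ICMP echo request in pure Python using the RFC 792 header layout and the RFC 1071 checksum. The dict keys returned by parse_icmp are my own naming; the point it shows is that the only fields a reply echoes back, and therefore the only things the sending host can match a reply on, are the identifier and sequence number, because there is no port field to match on.

```python
import struct

# ICMP header layout (RFC 792): type (1 byte), code (1), checksum (2), then for
# echo request/reply: identifier (2) and sequence number (2). There is no port
# field anywhere; the sender's stack pairs a reply with its request by the
# identifier and sequence number, which the reply echoes back unchanged.
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
ECHO_HEADER = struct.Struct("!BBHHH")


def icmp_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum over 16-bit big-endian words, complemented."""
    if len(data) % 2:
        data += b"\x00"  # odd length: pad with a zero byte to complete the last word
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold the carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Serialise an echo request (type 8) or reply (type 0), code 0, with a valid checksum."""
    header = ECHO_HEADER.pack(icmp_type, 0, 0, ident, seq)  # checksum field zeroed first
    csum = icmp_checksum(header + payload)
    return ECHO_HEADER.pack(icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(data: bytes) -> dict:
    """Decode the fixed 8-byte ICMP echo header. Note the absence of any port field."""
    if len(data) < ECHO_HEADER.size:
        raise ValueError("ICMP message shorter than 8 bytes")
    icmp_type, code, _csum, ident, seq = ECHO_HEADER.unpack(data[:ECHO_HEADER.size])
    return {
        "type": icmp_type,
        "code": code,
        # Summing a correctly checksummed message, checksum field included, yields 0.
        "checksum_ok": icmp_checksum(data) == 0,
        "identifier": ident,
        "sequence": seq,
        "payload": data[ECHO_HEADER.size:],
    }


def echo_reply_for(request: bytes) -> bytes:
    """What host B sends back for host A's echo request: same ident, seq and payload, type 0."""
    req = parse_icmp(request)
    if req["type"] != ICMP_ECHO_REQUEST or req["code"] != 0:
        raise ValueError("not an echo request")
    return build_echo(ICMP_ECHO_REPLY, req["identifier"], req["sequence"], req["payload"])


def reply_matches(request: bytes, reply: bytes) -> bool:
    """How host A pairs a reply with its request: identifier and sequence number, not ports."""
    a, b = parse_icmp(request), parse_icmp(reply)
    return (b["type"] == ICMP_ECHO_REPLY and b["checksum_ok"]
            and a["identifier"] == b["identifier"] and a["sequence"] == b["sequence"])


if __name__ == "__main__":
    req = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"hello")
    print(parse_icmp(req))
    print(reply_matches(req, echo_reply_for(req)))
```

On a real host the identifier is usually the pinging process ID (or a kernel-chosen value for unprivileged ICMP sockets), which is exactly how several concurrent pings to the same destination are kept apart without any port number.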

Q2: Based on this information (handshake2.txt), point out the handshake packets.

A2: Packet 7, packet 9 and packet 10. Take note of the TCP control flags AND the sequence numbers.

Q3: What kind of event can you derive from this trace file: trace1.pdf

A3: Port scanning using the SYN flag, i.e. nmap -sS.

Q4: And what kind of event can you derive from this trace file? : trace2.pdf

A4: SYN FLOOD. I used hping2 to create these packets. So what’s the difference from trace1? Scanning is a form of information gathering, meaning you need to know and receive the response from the targeted machine, while when flooding a system, you DO NOT WANT its responses. :)
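As an added example for A2 through A4 (my code, not from the original post; the handshake2.txt, trace1.pdf and trace2.pdf files are not reproduced here), the following Python first finds three-way handshakes the way A2 says to, by flags AND sequence numbers, and then counts whether the initiator ever acts on the target’s SYN/ACKs, which is the scan-versus-flood distinction in A4. The packet dict layout, the three constructed traces and the thresholds in classify() are my assumptions, not the author’s captures.

```python
from typing import Dict, List, Tuple

# TCP control flag bits (low byte of the flags field).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
Packet = Dict[str, object]


def pkt(no, src, sport, dst, dport, flags, seq, ack=0) -> Packet:
    """One decoded TCP segment: frame number, 4-tuple, flags, sequence and ack numbers."""
    return {"no": no, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": flags, "seq": seq, "ack": ack}

def _same_dir(p: Packet, q: Packet) -> bool:
    return (q["src"], q["sport"], q["dst"], q["dport"]) == (p["src"], p["sport"], p["dst"], p["dport"])

def _reverse_of(p: Packet, q: Packet) -> bool:
    return (q["src"], q["sport"], q["dst"], q["dport"]) == (p["dst"], p["dport"], p["src"], p["sport"])

def find_handshakes(packets: List[Packet]) -> List[Tuple[int, int, int]]:
    """Frame numbers (SYN, SYN/ACK, ACK) of each completed handshake. Flags alone are not
    enough: the SYN/ACK must ack client ISN+1 and the ACK must carry seq ISN+1, ack server ISN+1."""
    found = []
    for s in packets:
        if s["flags"] != SYN:
            continue
        sa = next((q for q in packets if q["no"] > s["no"] and q["flags"] == SYN | ACK
                   and _reverse_of(s, q) and q["ack"] == s["seq"] + 1), None)
        if sa is None:
            continue
        a = next((q for q in packets if q["no"] > sa["no"] and q["flags"] & ACK
                  and not q["flags"] & (SYN | RST) and _same_dir(s, q)
                  and q["seq"] == s["seq"] + 1 and q["ack"] == sa["seq"] + 1), None)
        if a is not None:
            found.append((s["no"], sa["no"], a["no"]))
    return found

def summarize_syn_activity(packets: List[Packet]) -> Dict[str, int]:
    """Counts that separate a half-open scan from a flood: does the initiator act on replies?"""
    syns = [p for p in packets if p["flags"] == SYN]
    synacks = [p for p in packets if p["flags"] == SYN | ACK]

    def initiator_reacted(sa: Packet) -> bool:
        # A real client ACKs the SYN/ACK and nmap -sS tears it down with RST;
        # a flood source (often spoofed) does neither, so the reply is simply wasted.
        return any(q["no"] > sa["no"] and _reverse_of(sa, q)
                   and q["flags"] & (ACK | RST) and not q["flags"] & SYN for q in packets)

    return {
        "syn_count": len(syns),
        "sources": len({p["src"] for p in syns}),
        "target_ports": len({(p["dst"], p["dport"]) for p in syns}),
        "synacks": len(synacks),
        "synacks_answered": sum(1 for sa in synacks if initiator_reacted(sa)),
        "handshakes": len(find_handshakes(packets)),
    }

def classify(packets: List[Packet]) -> str:
    """Heuristic verdict; the thresholds (5 ports, 10 SYNs) are assumptions sized for toy traces."""
    s = summarize_syn_activity(packets)
    if s["syn_count"] == 0:
        return "no SYN activity"
    if (s["sources"] == 1 and s["target_ports"] >= 5 and s["synacks"]
            and s["synacks_answered"] == s["synacks"]):
        return "SYN scan: one source probes many ports and acts on every reply"
    if s["syn_count"] >= 10 and s["target_ports"] <= 2 and s["synacks_answered"] == 0:
        return "SYN flood: the target's replies are never consumed"
    return "normal"

def make_handshake_trace() -> List[Packet]:
    """Constructed trace: two segments of an older session, then one fresh SSH connection."""
    return [
        pkt(1, "10.0.0.5", 40000, "10.0.0.1", 80, ACK, 55000, 66000),
        pkt(2, "10.0.0.1", 80, "10.0.0.5", 40000, PSH | ACK, 66000, 55001),
        pkt(3, "10.0.0.5", 40001, "10.0.0.1", 22, SYN, 1000),
        pkt(4, "10.0.0.1", 22, "10.0.0.5", 40001, SYN | ACK, 5000, 1001),
        pkt(5, "10.0.0.5", 40001, "10.0.0.1", 22, ACK, 1001, 5001),
    ]

def make_syn_scan() -> List[Packet]:
    """Constructed nmap -sS style trace: one source, seven ports, bare RST after every SYN/ACK."""
    pkts: List[Packet] = []
    for i, port in enumerate([21, 22, 23, 25, 80, 443, 8080]):
        pkts.append(pkt(len(pkts) + 1, "10.0.0.9", 54321, "10.0.0.1", port, SYN, 100 + i))
        if port in (22, 80):  # open: SYN/ACK, which the scanner tears down without completing
            pkts.append(pkt(len(pkts) + 1, "10.0.0.1", port, "10.0.0.9", 54321, SYN | ACK, 7000 + i, 101 + i))
            pkts.append(pkt(len(pkts) + 1, "10.0.0.9", 54321, "10.0.0.1", port, RST, 101 + i))
        else:  # closed: RST/ACK from the target
            pkts.append(pkt(len(pkts) + 1, "10.0.0.1", port, "10.0.0.9", 54321, RST | ACK, 0, 101 + i))
    return pkts

def make_syn_flood() -> List[Packet]:
    """Constructed hping2 --flood style trace: 20 spoofed sources, one port, no follow-up."""
    pkts: List[Packet] = []
    for i in range(20):
        src = "192.0.2.%d" % (i + 1)  # spoofed addresses drawn from the TEST-NET range
        pkts.append(pkt(len(pkts) + 1, src, 1024 + i, "10.0.0.1", 80, SYN, 0xABC0 + i))
        pkts.append(pkt(len(pkts) + 1, "10.0.0.1", 80, src, 1024 + i, SYN | ACK, 9000 + i, 0xABC1 + i))
    return pkts
```

Calling find_handshakes() on the constructed handshake trace returns [(3, 4, 5)], and classify() labels the three traces normal, SYN scan and SYN flood respectively. In a real capture you would feed it the decoded fields from tcpdump or tshark. The -sS signature is the bare RST the scanner sends to each SYN/ACK; under a flood the SYN/ACKs just go unanswered. One caveat: if a spoofed source address belongs to a live host, that host will answer the unexpected SYN/ACK with a RST of its own, which this toy classifier counts as a reaction, so a production rule would combine these counts with rate and source-diversity thresholds rather than rely on a single zero.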

Q5: Based on this alert information (alerts.pdf), can you identify any possible irregular behaviour in the traffic? (traffic_a.pdf)

A5: Possibly the 443 port was used for other means. HTTPS is an encrypted channel and there’s no way an IDS (without any SSL terminator/SSL proxy/SSL accelerator in place) can observe its traffic and subsequently produce alerts. And yes, when you can see uid=0 and gid=0 in a supposedly encrypted channel, you need to investigate further.
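An added example (my code, not from the original post) of the check behind A5: given the first bytes each side of a port-443 flow sent, decide whether the payload is actually a TLS record and, if it is not, whether the server side looks like the output of id run as root. The flow records and sample bytes below are constructed for this illustration, and the regex is just the classic IDS attack-response pattern, not a rule taken from the author’s alerts.pdf.

```python
import re
from typing import Dict, List

# TLS record header (RFC 5246): content type (1 byte), version (2 bytes), length (2 bytes).
TLS_CONTENT_TYPES = {20, 21, 22, 23}        # change_cipher_spec, alert, handshake, application_data
TLS_VERSIONS = {(3, 0), (3, 1), (3, 2), (3, 3), (3, 4)}  # SSL 3.0 through TLS 1.3 record versions
MAX_RECORD = 16384 + 2048                   # plaintext limit plus allowed cipher expansion
# The classic IDS "id check returned root" pattern, matched on server-to-client data.
ID_ROOT = re.compile(rb"uid=0\(root\)|uid=0\b.*\bgid=0\b")


def looks_like_tls(payload: bytes) -> bool:
    """True if the first bytes of a flow form a plausible TLS record header."""
    if len(payload) >= 5:
        ctype, vmaj, vmin = payload[0], payload[1], payload[2]
        rlen = int.from_bytes(payload[3:5], "big")
        if ctype in TLS_CONTENT_TYPES and (vmaj, vmin) in TLS_VERSIONS and rlen <= MAX_RECORD:
            return True
    # SSLv2-compatible ClientHello: 2-byte length with the high bit set, then message type 1.
    return len(payload) >= 3 and bool(payload[0] & 0x80) and payload[2] == 0x01


def find_cleartext_on_tls_ports(flows: List[Dict], tls_ports=(443,)) -> List[Dict]:
    """Flag flows to a TLS port whose first bytes in either direction are not TLS."""
    findings = []
    for f in flows:
        if f["dport"] not in tls_ports:
            continue
        for side in ("client_bytes", "server_bytes"):
            data = f[side]
            if not data or looks_like_tls(data):
                continue
            reason = "cleartext on a TLS port"
            if side == "server_bytes" and ID_ROOT.search(data):
                reason += "; server output looks like `id` run as root"
            findings.append({"id": f["id"], "src": f["src"], "dst": f["dst"],
                             "side": side, "reason": reason})
    return findings


# Constructed sample flows (not from the author's capture): the first bytes each side sent.
SAMPLE_FLOWS = [
    {"id": 1, "src": "10.1.1.20", "dst": "203.0.113.10", "dport": 443,   # genuine TLS session
     "client_bytes": bytes.fromhex("160301002f0100002b0303") + b"\x00" * 32,
     "server_bytes": bytes.fromhex("160303004a020000460303") + b"\x00" * 32},
    {"id": 2, "src": "10.1.1.21", "dst": "203.0.113.10", "dport": 80,    # plain HTTP, out of scope
     "client_bytes": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
     "server_bytes": b"HTTP/1.1 200 OK\r\n\r\n"},
    {"id": 3, "src": "198.51.100.7", "dst": "10.1.1.50", "dport": 443,   # shell bound to 443
     "client_bytes": b"id\n",
     "server_bytes": b"uid=0(root) gid=0(root) groups=0(root)\n"},
    {"id": 4, "src": "10.1.1.22", "dst": "203.0.113.11", "dport": 443,   # SSLv2-compat ClientHello
     "client_bytes": bytes.fromhex("8046010300") + b"\x00" * 10,
     "server_bytes": bytes.fromhex("160300004a02") + b"\x00" * 10},
]

if __name__ == "__main__":
    for hit in find_cleartext_on_tls_ports(SAMPLE_FLOWS):
        print(hit)
```

Only flow 3 is reported, once per direction. The check looks at the first record only and a legitimate non-TLS service that someone deliberately bound to 443 trips it as well, so treat it as a triage aid for an alert like the one in Q5; the definitive answer is still to pull the full session and look.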

Q6: With the existence of IPS, what do you think of the relevance of IDS?

A6: This is merely an opinion question, so IMHO, the IDS is still relevant. In the sense of deployment, an IPS is an inline device which needs to have super correct detection/prevention rules, i.e. zero false positive rules. From this perspective, most of the time only confirmed, selective rules will be implemented. An IDS, on the other hand, is a passive device which never interrupts the network flow. So when an attack comes along that the IPS rules don’t recognize or filter (due to the false positive risk), the IDS becomes the safety net (in the sense of alerting for investigation). I’ve posted many times on this matter so I won’t elaborate more.

So that’s it. :P

Good to be back

Posted by ayoi | work and IT | Monday 7 July 2008 12:20 pm

Yeah, it is always delightful to be back home after leaving the family for some time. This time I only left my adorable twins and my daughters for a week because of attending a training, but still it is hard to leave them behind.

It was raining cats and dogs before departure and yeah, I was nervous. (Damn that NGC Plane Crash Investigation series.)

Up up and away… Where’s my house?

This is Singapore I guess

So far the journey to and from Singapore was fine (only 45 minutes, and we only got this little drink in flight). Initially we thought of buying some cigarettes in flight but alas, of course because of the short flight, there weren’t any. And thankful for that, as Singapore never allows any cigarettes to be brought into the country (besides the ones that you have on you), and of course chewing gum is a big NO NO in Singapore as well.

Despite a few SNAFUs when we tried to check in to our hotel, everything was just fine. Like wifey said, the customer service is tip top here, and it seems that Singaporeans generally are very polite, helpful and talkative. No doubt about that (to some extent I do feel that in this sense they are better than us Malaysians). Even though this country is not smoker friendly (and a pack of cigarettes will cost you around 11.60 Singapore Dollars, about 27 or 28 Ringgit Malaysia based on a 2.4 exchange rate). Yeah, damn expensive.. But it does nothing to deter our smoking habits tho.. He he he.

A view from the smoking area.

A view at night time. Spot the difference. You see any? Yeah, nothing different besides now I am smoking the expensive cigarette.

Anyway even with that, the hotel does provide a smoking area for us smokers to enjoy our bad habit (this phrase was uttered by one of the tourists from Cyprus), and I don’t think it is by accident that they allocated the smoking space very near the lounge and pubs next to the hotel. So while enjoying our bad habit, we also enjoyed some “panoramic” views of miniskirts (yeah, very very short mini skirts).

For my class, GCIH, there were not so many participants from Malaysia, especially Malays (in fact I was the only Malaysian Malay), and I only had some brief chats with the person who sat right beside me in the class. Btw I think I spent most of my time during the exercises and the Capture the Flag exercise helping here and there to get things done and prepared. Well, you can call me a very helpful guy (like my colleague always says, Malaysians are indeed well-mannered). Surprisingly most of the new friends that I made during the training period were from the GCFA class, either from Brunei, Malaysia, or even the Netherlands. (Of course business card exchanges occurred :D )

Anyway, for my class, most of the topics and tools used are common and some of them are quite old, but like my instructor said, even though some of the tools are old, the methodology and the techniques are recyclable, meaning the methods and the approach of the tools used will be innovated on by new ones. Like BO2k? The granddaddy of all the bots nowadays? And yeah, our instructor, Mr John Strand, is very knowledgeable in all the subjects covered in the GCIH class. New knowledge like the weak LANMAN implementation (now I know why), why UNIX-based systems implement a ‘salt’ in their password hashing, and other things. Btw he is one of the professors at Denver University, and you can’t be a professor if you know nothing.

p/s: Yeah, I removed my antivirus and disabled my firewall (or some of the tools will not work as they are supposed to, especially the evergreen netcat). And yes, during the last day, I even saw some of the guys probing my machine :P naughty naughty..

I have to admit, GCIA is more suitable for me, but hey, even though I spend most of my time in the Blue Team, it is very beneficial for me to know the techniques and methodology that the Red Team uses, for a change. Btw, how can you defend when you don’t know the attack methodology? True?

What is next? I will definitely try to implement and make use of all the knowledge that I gained during the course. And perhaps I might pursue the 560 course (penetration testing) in the future.

For the time being, it is better for me to complete my Assembly reading. It will make Buffer Overflow much more fun. ;)

Tough time (kinda)

Posted by ayoi | work and IT | Wednesday 18 June 2008 11:59 am

I’m having less and less time to update my blog. Perhaps now I am beginning to assume the new post, which automatically requires me to pay attention to a few key areas that need to be addressed by the unit (and now I really do need assistance, which indirectly requires me to update my unit plan and indirectly update the staff requirements and whatnot). For the time being it would be good to have another clone of me doing other tasks as well, but alas that’s not possible because I dun want wifey to get confused later on. Another pair of hands? It’ll be weird and I’d feel like a spider (and I DO NOT like spiders). So? Just do whatever I can one at a time, or perhaps everything at the same time (I wish).

Another thing is I can forget about thinking of continuing my office tasks at home, as I’ve tried many times (even during the weekends) but the twins are too naughty right now and wifey needs as much help as possible from me.

What makes me so busy?

a). I need to complete the unit plan, by hook or by crook. At least it will be the master plan or the high-level guidelines for the unit.

b). My immediate task now is to provide analysis guidelines for the SA. (I know I’ve posted about the guideline thingy before, but then the SA always has these excuses: “We did not have any proper instruction/flow/guidelines”. So cannot blame them also.)

c). Currently, to fill in my time while travelling on the LRT to and from the office, I’ve been reading this book. It is Assembly Language Step-by-Step by Jeff Duntemann. It is a nice book with good explanations, examples and analogies as well. The style is similar to my favourite author, Richard Bejtlich, and thankfully not as complex as my other favourite author, Tom Clancy. The purpose? Just to assist me in understanding this language, and perhaps I can pursue the malicious code analysis thingy later on. And no, I dun have any intention of writing exploits; not my strength btw. And I dun want to be another sk (he’s too good tho) ;)

d). Currently I am just playing around with the SSH brute force packets and perhaps trying to implement any possible detection mechanism or rules for this type of attack. I’ve discovered a few key indicators when the brute force is launched from tools, like window size etc., but still need more packets and more analysis.

e). Preparing myself for the SANS GIAC Certified Incident Handler training and certification. Why GCIH and not GCIA? Because I will participate in the event held by sansasia where they only offer GCIH and GCFA (GIAC Certified Forensic Analyst). So I chose GCIH and let my colleague take GCFA. ;) It will be held at the Furama Riverfront Hotel, Singapore from 30th June until 5th July.

p/s: Thanks to wifey in advance for her sacrifice in taking care of our double-whammy naughty twins while I’m not around to assist her.

So that’s all. Hopefully everything goes well and according to plan. Wish me luck eh?
