Headache

Posted by ayoi | General | Friday 12 September 2008 2:11 pm


Yeah.. one of the reasons why I didn’t manage to go to the office today. To be honest there are other factors but those factors can be KIV’ed but this one is beyond any KIVs or suppressions.


Job Vacancy…

Posted by ayoi | General | Wednesday 10 September 2008 10:53 am

Not at my current company, but at General Electric in the United States. The position? Incident Handler with Reverse Engineering/Malicious code analysis skills (intermediate to advanced). IF I had the skills of Mr. Bejtlich and Mr. Ed Skoudis, I would definitely apply for that post. For the time being it is better for me to continue my Football Manager campaign and complete the reading and studies on the topics that I’ve started before. Btw, I have yet to sit for the GCIH exam.

Anyway, if you have what it takes for that post (it will be based in Cincinnati), please read the GE Director of Incident Response’s blog here ;)

Lazy with intention

Posted by ayoi | work and IT | Tuesday 2 September 2008 3:38 pm

I DO Believe that I am as cute as that kitten ;)

It’s not because we are in Ramadhan. Nothing different, actually. The only thing that makes me so lazy (with the intention of being lazy) is the current condition of my work and status. Hmm, not that bad eh, doing nothing (actually I read SANS whitepapers produced by GCIA and GCIH graduates).

Untangling myself

Posted by ayoi | work and IT | Thursday 7 August 2008 3:33 pm

I am easily distracted from my work. My Big Boss requested an evaluation of an application that I would call one of the Unified Threat Management Systems available in the market. Plus, this network gateway security application won the 2008 Best Gateway Security for Open Source in InfoWorld’s BOSSIES awards. The name of this app is Untangle. Like other UTMs, Untangle offers 3 types of services: under Productivity there are Spam Blocker, Web Filter and Protocol Control, while under Security it has Virus Blocking, IPS and others. Other functions like Remote Access, Reporting and Networking are also offered by Untangle. And yes, Untangle was built on Debian via Knoppix ;) (Discovered when the message appeared during Untangle’s shutdown procedure ;)


No Talk this year…

Posted by ayoi | work and IT | Friday 25 July 2008 4:24 pm

First of all, the picture that I published in the previous post.. It was taken back in 1994, when I was still young and a lil bit naive. Just 18 years old ma.. Hehehe..

Anyway, a few months ago I was invited to give a talk at UiTM’s i-Hack 2008 event this coming August. I have a few topics in mind and, as the majority of the audience will be students, I decided to pick either Cyber Attack Phases: Why You Need to Know or Fundamental Security Requirement: The Policies. I worked on the presentation slides for both topics and then something came up.


Not that hard and not THAT easy..

Posted by ayoi | work and IT | Thursday 24 July 2008 4:43 pm

Spent most of my after-lunch time doing the SANS GCIH practice exam. It has 150 objective-type questions and must be completed within 4 hours. Initially I wanted to go through the practice exam in October or November, but then, what the heck, I just want to get used to the type of questions, exam format etc. so I can make appropriate notes on the subject.


Do your systems have Warning Banners?

Posted by ayoi | work and IT | Tuesday 22 July 2008 4:14 pm

I think this is one of the most overlooked items when putting machines/systems/applications on the wire. Perhaps when we build, as an example, a machine that will host web applications offered to the public via the Internet, to our business partners via an extranet, or for internal purposes only via the Intranet, we might concentrate on auditing the source code to eliminate any possible flaws, open ports, the services required to run on the machine, platform hardening and many others.


A good sign eh?

Posted by ayoi | work and IT | Friday 18 July 2008 5:07 pm

Well, my itchy fingers were playing around the courses offered by SANS and GIAC. And then out of curiosity I just accessed the demo of SANS OnDemand for course 517: Cutting Edge Hacking Techniques. It is just a demo and I can see a glimpse of what the course will cover over 2 days. Basically I think it is an extension of the course that I’ve taken, Hacker Techniques, Exploits and Incident Handling, where IF I pass the exam, I will be a GIAC (Global Information Assurance Certification) Certified Incident Handler - GCIH.

So this on-demand course demo let me access 2 sets of slides that cover 2 topics, and the assessment is done on the second topic. To be honest, the questions are not that difficult, but you might fail the assessment if you DID NOT look carefully. :)

Oh yeah, you need an account at SANS Portal to access the demo btw.

So hopefully I will get the real certification later on :)

Interviews, Analyst and other stuff..

Posted by ayoi | work and IT | Friday 11 July 2008 1:13 pm

I dun have any appropriate post topic actually, but let me sum up whatever I have in my head.

For yesterday’s interview, like I mentioned in my previous post, I didn’t expect too much and boy, it helped. On the happy note, most of the candidates showed a lot of passion and it seems that they have the right attitude to be in this industry, but perhaps that is because whenever you are in an interview you will try your best to project that you ARE the suitable candidate and you DO HAVE the right attitude, rite? But as I am a good person, I just gave good recommendations for the higher management to decide. Sad note? I think it is better for me to keep it to myself.

On the other hand, I think I am getting a more and more macro view of the overall picture of my current work. It seems that I (think I) managed to pull all the strings together, use other information to relate to my current work and somehow see the bigger picture. Even though I have to admit that I do miss doing some full-blown tasks like research and learning new things fully (not on an ad hoc basis), and reading properly (like my assembly thingy), somehow I think I can live with that for now. I’ve downloaded all the packets listed on openpacket.org, but for now that’s all. Hope I can play with those later on, and I am still not finished with that brute force thingy.

Hopefully I can finally manage to do all the stuff that I love to do, but for now I think I am doing just fine.

Ahh.. I’ve noticed that my poyo interview questions attracted some interest here. Unfortunately the reply is not that accurate. So let me elaborate, or just give the answers here.

Q1: If I ping from host A to host B using ICMP Type 8 Code 0, which port does this ICMP packet go to?

A1: No port. The ICMP protocol structure doesn’t have any port field in it. The message, or the type and code, will be processed by the receiving machine and an appropriate response will be given.

Q2: Based on this information (handshake2.txt), point out the handshake packets.

A2: Packet 7, packet 9 and packet 10. Take note of the TCP Control Flags AND the Sequence Numbers.

Q3: What kind of event can you derive from this trace file: trace1.pdf

A3: Port scanning using the SYN flag, or nmap -sS.

Q4: And what kind of event can you derive from this trace file: trace2.pdf

A4: SYN FLOOD. I used hping2 to create these packets. SO what’s the difference from trace1? Scanning is a form of information gathering, meaning you need to know and receive the response from the targeted machine, while when flooding a system you DO NOT WANT its responses. :)

Q5: Based on this alert information (alerts.pdf), can you identify any possible irregular behaviour in the traffic? (traffic_a.pdf)

A5: Possibly the 443 port was used for other means. An HTTPS channel is an encrypted channel and there’s no way an IDS (without any SSL terminator/SSL proxy/SSL accelerator) can observe its traffic and subsequently produce alerts. And yes, when you can see uid=0 and guid=0 in a supposedly encrypted channel, you need to investigate further.

Q6: With the existence of IPS, what do you think of the relevance of IDS?

A6: This is merely an opinion question, so IMHO the IDS is still relevant. In terms of deployment, an IPS is an inline device which needs to have super correct detection/prevention rules, or zero false positive rules. From this perspective, most of the time only confirmed, selective rules will be implemented. An IDS, on the other hand, is a passive device which never interrupts the network flow. So when an attack comes along which the IPS rules didn’t recognize or filter (due to the false positive risk), the IDS becomes the safety net (in the sense of alerting for investigation). I’ve posted many times on this matter so I won’t elaborate more.

So that’s it. :P

Good to be back

Posted by ayoi | work and IT | Monday 7 July 2008 12:20 pm

Yeah, it is always delightful to be back home after leaving the family for some time. This time I only left my adorable twin and my daughters for a week to attend a training, but still it is hard to leave them behind.

It was raining cats and dogs before departure and yeah, I was nervous. (Damn that NGC’s Plane Crash Investigation series)

Up up and away… Where’s my house?

This is Singapore I guess

So far the journey to and from Singapore was fine (only 45 minutes, and we only had this lil drink in flight). Initially we thought of buying some cigarettes in flight but alas, of course because of the short flight there weren’t any. And I am thankful for that, as Singapore never allows any cigarettes to be brought into the country (besides the ones that U have on you), and of course chewing gum is a big NO NO in Singapore as well.

Despite a few SNAFUs when we tried to check in to our hotel, everything was just fine. Like wifey said, the customer service is tip top here and it seems that Singaporeans generally are very polite, helpful and talkative. No doubt about that (to some extent I do feel that in this sense they are better than us Malaysians). Even though this country is not smoker friendly (and a pack of cigarettes will cost you around 11.60 Singapore Dollars, about 27 or 28 Ringgit Malaysia based on a 2.4 exchange rate). Yeah, damn expensive.. But it does nothing to deter our smoking habits tho.. He he he.

A view from the smoking area.

A view at night time. Spot the difference. You see any? Yeah, nothing different besides now I am smoking the expensive cigarettes.

Anyway, even with that, the hotel does provide some smoking areas for us smokers to enjoy our bad habits (this phrase was uttered by one of the tourists from Cyprus) and I don’t think it is incidental that they allocated the smoking space very near the lounge and pubs nearby the hotel. So while enjoying our bad habit, we also enjoyed some “panoramic” views of miniskirts (yeah, very very short mini skirts).

For my class, GCIH, there were not so many participants from Malaysia, especially Malays (in fact I am the only Malaysian Malay), and I only had some brief chats with the person who sat right beside me in the class. Btw I think I spent most of my time during the exercises and the Capture the Flag exercise helping here to get things done and prepared. Well, you can call me a very helpful guy (like my colleague always said, Malaysians are indeed well mannered). Surprisingly, most of the new friends that I made during the training period are from the GCFA class, either from Brunei, Malaysia, or even the Netherlands. (Of course business card exchanges occurred :D )

Anyway, for my class, most of the topics and tools used are common and some of them are quite old, but like my instructor said, even though some of the tools are old, the methodology and the techniques are recyclable, meaning the methods and the approach of the tools used will be innovated by new ones. Like BO2k? The granddaddy of all the bots nowadays? And yeah, our instructor, Mr John Strand, is very knowledgeable in all the subjects covered in the GCIH class. New knowledge like LANMAN’s weak implementation (now I know why), why UNIX based systems implement ‘salt’ in their password hashing, and other things. Btw he is one of the professors at Denver University and you can’t be a professor if you know nothing.

p/s: Yeah, I removed my antivirus and disabled my fw (or some of the tools will not work as they are supposed to, especially the evergreen netcat). And yes, during the last day I even saw some of the guys probing my machine :P notty notty..

I have to admit, GCIA is more suitable for me, but hey, even though I spend most of my time in the Blue Team, it is very beneficial for me to know the techniques and methodology that the Red Team uses, for a change. Btw how can you defend when you don’t know the attack methodology. True?

What is next? I will definitely try to implement and make use of all the knowledge that I gained during the course. And perhaps I might sometime pursue the 560 course (penetration testing) in the future.

For time being, it is better for me to complete my Assembly reading. It will make Buffer Overflow much more fun. ;)
