Packet Boy Perseus (msf exploit(ms10_002_aurora) >), a blog by Ron. Post of 2012-01-29: What I learned from Simon Sinek: To inspire is greater than gaining Alpha status<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5XdCrtVcdWSlX3Tb2dhmPDVLtSrOzH1oD2nxF_hNyJ5bF24_mc70BvbT3wVlYak9OfupEGbdFkXXC9sMsQGY81zNFy_UB7Kgy8_mU2JszokM65bhWUpwT7PcTDNAK6TRlCDpm9KTnIog/s1600/SimonSinek_speakingevent.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="245" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5XdCrtVcdWSlX3Tb2dhmPDVLtSrOzH1oD2nxF_hNyJ5bF24_mc70BvbT3wVlYak9OfupEGbdFkXXC9sMsQGY81zNFy_UB7Kgy8_mU2JszokM65bhWUpwT7PcTDNAK6TRlCDpm9KTnIog/s320/SimonSinek_speakingevent.png" width="320" /></a></div>
<br />
<div class="MsoNormal">
</div>
<div class="MsoNormal" style="line-height: 200%;">
<b><span style="font-family: Arial, sans-serif;">What I learned from Simon
Sinek: To inspire is greater than gaining Alpha status<o:p></o:p></span></b></div>
<div class="MsoNormal" style="line-height: 200%;">
<b><span style="font-family: Arial, sans-serif;"><br /></span></b></div>
<div class="MsoNormal" style="line-height: 200%;">
<span style="font-family: Arial, sans-serif;">Most
people believe that when it comes to leadership and how you can be an
influencer at the workplace, you need to be an “Alpha
Male”, an “Alpha Geek” or some other type of Alpha so others will follow
you. <o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 200%;">
<span style="font-family: Arial, sans-serif;">We
need to change this mindset. Being the
leader of the pack does not necessarily require gaining Alpha status. Let’s put
this concept in a geek’s perspective. <o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 200%;">
<span style="font-family: Arial, sans-serif;">If
you are behind the service desk, specifically in the technical support department,
others look up to you if you are the Alpha Geek: the person who knows almost
every technical detail about the product or service your company is
offering. You are the go-to guy because
you can troubleshoot complex issues in a breeze. You can be the Subject Matter Expert (SME) in
your organization. An SME is someone who
has expert-level knowledge on a specific subject; it may be industry laws and
regulations, Service Level Agreements, database optimization, or other
technical stuff. You own this domain;
you live and breathe this stuff. You
can also be the guy or girl who gets things done because you know how to push
and “boss” people around. These Alphas lead
because of authority; others are forced to follow them or face their
wrath. These bossy Alphas are the ones
who can go and speak directly to C-level executives because they simply have
the balls to speak with them. </span><span style="font-family: Arial, sans-serif; line-height: 200%;"><o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 200%;">
<span style="font-family: Arial, sans-serif;">You
can be any of these types of Alphas and be the leader of your pack. You are the leader because you possess
something others don’t have: a skill, power and/or authority. However, there is
a different route to leadership. We can
still be leaders even though we are at the bottom of the organizational
hierarchy or at the bottom of the food chain,
if we have the natural ability,
or at least make it our purpose, to inspire others to do better at what
they do. <o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 200%;">
<span style="font-family: Arial, sans-serif;">Here
are some simple things that you can do to inspire people you work with at the
workplace:<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in;">
<b><span style="font-family: Arial, sans-serif;"><br /></span></b></div>
<div class="MsoNormal" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in;">
<b><span style="font-family: Arial, sans-serif;">If
you know a success story, share it.</span></b><span style="font-family: Arial, sans-serif;"> <o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 200%;">
<span style="font-family: Arial, sans-serif;">Focus
on how the hero was able to accomplish the goal and overcome adversity. Everyone loves a monomyth: the story of a
hero’s journey, leaving the comfort of home to answer the call of
adventure, and coming back home victorious.
This bullet works best when dealing with a project gone astray and a
deadline that was yesterday.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in;">
<b><span style="font-family: Arial, sans-serif;"><br /></span></b></div>
<div class="MsoNormal" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in;">
<b><span style="font-family: Arial, sans-serif;">Know
the first names and last names of the people you work with.</span></b><span style="font-family: Arial, sans-serif;"> <o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 200%;">
<span style="font-family: Arial, sans-serif;">This
sounds obvious, but in big companies most only know each other by last name and
by their position at work. Often,
the names of those in key positions are the ones most remembered by
other employees. <o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in;">
<b><span style="font-family: Arial, sans-serif;"><br /></span></b></div>
<div class="MsoNormal" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in;">
<b><span style="font-family: Arial, sans-serif;">Make
it a habit to always ask “How is the family doing?” before you ask for a
work-related favor or task.<o:p></o:p></span></b></div>
<div class="MsoNormal" style="line-height: 200%;">
<span style="font-family: Arial, sans-serif;">Show
compassion towards the people you work with and be vocal that you always want
them to do well in life.<b><o:p></o:p></b></span></div>
<div class="MsoNormal" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in;">
<b><span style="font-family: Arial, sans-serif;"><br /></span></b></div>
<div class="MsoNormal" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in;">
<b><span style="font-family: Arial, sans-serif;">Let
the person stuck in the cubicle right next to you know that you are his or her friend
first and co-worker second. <o:p></o:p></span></b></div>
<div class="MsoNormal" style="line-height: 200%;">
<span style="font-family: Arial, sans-serif;">Share
stories, check on each other, and spend lunch and coffee breaks together. Developing a bond with the people you work with
makes problem-solving fun.<b><o:p></o:p></b></span></div>
<div class="MsoNormal" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in;">
<b><span style="font-family: Arial, sans-serif;"><br /></span></b></div>
<div class="MsoNormal" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in;">
<b><span style="font-family: Arial, sans-serif;">Show
the people you work with that you trust their experience over technology.</span></b><span style="font-family: Arial, sans-serif;"> <o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 200%;">
<span style="font-family: Arial, sans-serif;">Always
prioritize listening to what your co-worker has to say on a
specific issue over what the software says about that
issue or task. In the absence of data,
we rely on people with enough experience of an issue to make an intelligent
decision on what to do next. Wisdom will
never be a trait of computer software.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in;">
<b><span style="font-family: Arial, sans-serif;"><br /></span></b></div>
<div class="MsoNormal" style="line-height: 200%; margin-bottom: .0001pt; margin-bottom: 0in;">
<b><span style="font-family: Arial, sans-serif;">Approach
people you work with at their desk and engage them about a work-related task or
issue</span></b><span style="font-family: Arial, sans-serif;">. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, sans-serif;"><span style="line-height: 200%;">Avoid
wasting bandwidth through endless e-mail exchanges. Nothing beats face-to-face communication when
trying to clarify something. A lot of
issues get escalated merely because of “lost in translation”: the e-mail
thread has gone on so long that the root cause of the issue is now buried under hearsay.<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, sans-serif;"><span style="line-height: 200%;"><br /></span></span></div>
<span style="font-family: Arial, sans-serif; line-height: 115%;">There you go. Thank
you for reading my blog, and I hope this works for you while you climb the
corporate ladder. Just don’t forget to
help the people you work with in climbing their own ladders :-)</span>
Post of 2011-10-17, by Ron: Yes, this blog is still alive, expect new posts by next month<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeJk7ZZ2ue1Na9YkLYIg1WWm8aEEv8ZTmSKKM8qMxmjL-TKTPhs8xbOZLGcJnK0KuIMWfU5nmQc_SD59nEG82uJNPDdNZr0awBA4fqDb9-rLbe93pfOmBwgglxN3v8l2hGhHtyuVopMYI/s1600/Armitage_Sticker_Ron.jpg"><img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 239px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeJk7ZZ2ue1Na9YkLYIg1WWm8aEEv8ZTmSKKM8qMxmjL-TKTPhs8xbOZLGcJnK0KuIMWfU5nmQc_SD59nEG82uJNPDdNZr0awBA4fqDb9-rLbe93pfOmBwgglxN3v8l2hGhHtyuVopMYI/s320/Armitage_Sticker_Ron.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5664606534210822322" /></a><br /><span class="Apple-style-span">Yes, this blog is still alive, and I plan to start posting new material next month. Topics will range from Armitage for Metasploit, Artillery for Linux, Cloud Computing Security, QualysGuard Scanner, Nessus Scanner, ITIL and ISO27K, and of course, our favorite playground, the Metasploit Open Source Framework. 
HD is the man!</span><div><span class="Apple-style-span"><br /></span></div><div><span class="Apple-style-span">I feel blessed about the past 10 months despite my inactivity from blogging.</span></div><div><span class="Apple-style-span"><br /></span></div><div><span class="Apple-style-span">I met an awesome mentor who paved the way for me to meet excellent minds in InfoSec (Thanks <a href="http://www.sans.org/security-training/instructors/Eugene-Schultz">Gene Schultz</a>, we miss you already, R.I.P.). </span></div><div><span class="Apple-style-span"><br /></span></div><div><span class="Apple-style-span">Through grit and passion I was able to get the position I wanted with my current company, without the hassle of starting new relationships with another company. How did I get the job?</span></div><div><span class="Apple-style-span"><br /></span></div><div><span class="Apple-style-span">I pen tested my way to it :-)</span></div><div><span class="Apple-style-span"><br /></span></div><div><span class="Apple-style-span">I have some major milestones up ahead before the year ends. Hopefully I clear the following tasks so that by 2012 I am back to blogging:</span></div><div><span class="Apple-style-span"><br /></span></div><div><span class="Apple-style-span">1. IAM Level III Certification Exam</span></div><div><span class="Apple-style-span">2. Industry Compliance Initiatives with my current company</span></div><div><span class="Apple-style-span"><br /></span></div><div><span class="Apple-style-span">"Stay hungry. 
Stay foolish" - Steve Jobs 1955-2011</span></div><div><span class="Apple-style-span"><br /></span></div><div><span class="Apple-style-span">Ron</span></div><div><span class="Apple-style-span">@guerilla7 on Twitter</span></div>
Post of 2011-01-29, by Ron: Confessions of a script kiddie and a l337 wannabe<div><div>Dear interviewer,</div><div><br />I do not know how to code. I only know a limited amount of Python and Ruby scripting. I can't figure out assembly language and C++. Shellcode scares me. Socket programming, yeah, a little bit.</div><div><br />But there are a couple of tricks that I do know. I know what packets are made of and how they behave. The OSI layers and the TCP-IP 3-way handshake are something close to my heart. I know how to leverage the MSF3 Framework for a goal-oriented penetration testing engagement. I know how to evade firewalls and overall detection using NMAP. I know how to craft my own packets using NPING. I know what a reflective DLL injection is. I know how to migrate an existing exploit from one running process to another. 
I know the difference between a compromised Windows XP and a clean one by just looking at a running Wireshark capture. I know how to maintain my connection. I know how to clean my tracks.</div><div><br /></div><div>I know how to go over a list of check boxes, namely SAS70 Type2 Audit (now called Service Organization Control Reports), the legendary PCI-DSS, HIPAA, or ISO27001. I love the GAPP document by AICPA/CICA. Pretty straightforward. </div><div><br /></div><div>Yes, I am a script kiddie. I do not breathe and live code. All I need to do is read and follow how to exploit a specific vulnerability. The l337 coders already wrote the code, the payloads, and the guide on how to attack. The difficult part is done and all I need to do is follow the guide from step 1. And yes, I hate the command line. Thank you, Raphael, for creating Armitage; it makes MSF3 child's play. Hail Mary, see you tonight!</div><div><br />Thank you for hearing me vent by reading this blog. 
I am just frustrated because everyone is looking for "paper-certified" security researchers when I go over Dice.com, Monster.com and other job hunting websites.</div><div><br />Goodnight.</div></div>
Post of 2010-12-15, by Ron: Meet Evan Kohlmann: The Terrorist Search Engine<span class="Apple-style-span"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEil3pIh0M7nc2k6-rU4WzJZvHkzY8nc92A6Zcg_BOiXNFI38EuuHbvcEp5JgOCThugqbwFrQPhs9Xvfeu3Fus6QoS4ADdF7LgSbpSTt_rSkurJxuR3hYhFyqRyReWvzsUSCRHV05mIv6S0/s1600/kohlmann101213_1_250.jpg"><img style="cursor:pointer; cursor:hand;width: 133px; height: 200px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEil3pIh0M7nc2k6-rU4WzJZvHkzY8nc92A6Zcg_BOiXNFI38EuuHbvcEp5JgOCThugqbwFrQPhs9Xvfeu3Fus6QoS4ADdF7LgSbpSTt_rSkurJxuR3hYhFyqRyReWvzsUSCRHV05mIv6S0/s200/kohlmann101213_1_250.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5550950930560976610" /></a><br /></span><div><span class="Apple-style-span"><p class="MsoNormal" style="margin-bottom: 0.0001pt; line-height: normal; display: inline !important; ">Meet Evan Kohlmann, "The Terrorist Search Engine"</p></span></div><div><span class="Apple-style-span"> <p class="MsoNormal" style="margin-bottom: 0.0001pt; line-height: normal; "><a href="http://nymag.com/news/features/69920/">http://nymag.com/news/features/69920/</a><o:p></o:p></p> <p class="MsoNormal" style="margin-bottom: 0.0001pt; line-height: normal; ">However, despite having an unprecedented success rate in court as an "Expert Witness" in putting bad guys in jail, a lot of IT Security Experts are 
questioning his research and investigation methods.</p><p class="MsoNormal" style="margin-bottom: 0.0001pt; line-height: normal; display: inline !important; ">One good question from a fellow IT Security Professional posted at Schneier on Security: </p><p class="MsoNormal" style="margin-bottom: 0.0001pt; line-height: normal; display: inline !important; "><a href="http://www.schneier.com/blog/archives/2010/12/open_source_dig.html#comments">http://www.schneier.com/blog/archives/2010/12/open_source_dig.html#comments</a></p><blockquote><p class="MsoNormal" style="margin-bottom: 0.0001pt; line-height: normal; display: inline !important; "><i>@Clive "court recognized Expert Witnesses"</i></p><p class="MsoNormal" style="margin-bottom: 0.0001pt; line-height: normal; display: inline !important; "><i>This is related to the profile on Kohlmann. There was the comment on "if his method is sound". Well, what's an expert? Someone who knows what they are talking about. How can you tell they are an expert? They know more than me.</i></p><p class="MsoNormal" style="margin-bottom: 0.0001pt; line-height: normal; "><i>Kohlmann should be challenged by the opposition lawyers as to his qualifications and knowledge. But what can a lawyer really know about any expert’s area? They usually just get the CV and "has testified in many trials of this nature" kinds of anecdotal assurance. 
While the opposition can try to challenge an expert's testimony, they really can't try to impeach an expert, can they?</i></p><p class="MsoNormal" style="margin-bottom: 0.0001pt; line-height: normal; display: inline !important; "><i>They are limited to putting their experts up to testify, to rebut the other side’s expert. So the jury has two sets of conflicting expert opinion. What's needed is an expert cross-examining the witnessing expert to reveal those misstatements, lies, distortions, and 'reduction in detail' that technical people use to make complex ideas understandable by executives, lawyers, judges, and their juries.</i></p></blockquote><p class="MsoNormal" style="margin-bottom: 0.0001pt; line-height: normal; display: inline !important; ">In my opinion, every research and investigative methodology, framework, etc. used by an expert for Computer Forensics purposes and presented in court should be heavily scrutinized, no matter how effective and successful it is when it comes to putting bad guys in jail. Of course we value the credibility and integrity of the expert based on his track record, but as technology progresses, things are getting easier to manipulate digitally or, even worse, to "hack".</p></span></div><div>But Evan Kohlmann, I think this guy is legitimate. His obsession with tracking terrorists on the Internet for years is what made him an expert in this field of investigative IT research slash counter-terrorism. 
I think you can compare him to an 18-year-old teenager obsessed with browsing Facebook, looking for new and old friends.</div>
Post of 2010-10-10, by Ron: Defenders of the Cloud: Certificate of Cloud Security Knowledge (CCSK)<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSGfydr8vTSnnn2mJScBsqo7E-s5QtGySnSXwCiyjrimT6q7C74wUOag1eBUNIOGWrhKCDee1LJ7ctoblSXMD-KcyGl5MVSvWM8wKI71e-O8cLiKwzpgLnlZvL5YoFWjNCKoJ8HHIbRrs/s1600/Defenders_of_the_Cloud.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 261px; height: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSGfydr8vTSnnn2mJScBsqo7E-s5QtGySnSXwCiyjrimT6q7C74wUOag1eBUNIOGWrhKCDee1LJ7ctoblSXMD-KcyGl5MVSvWM8wKI71e-O8cLiKwzpgLnlZvL5YoFWjNCKoJ8HHIbRrs/s320/Defenders_of_the_Cloud.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5526540648431262482" /></a><div>As <a href="http://www.gartner.com/technology/research/cloud-computing/index.jsp"><span class="Apple-style-span" >Cloud Computing adoption rises</span></a>, more and more experienced IT Security Professionals are suiting up for the challenge, upgrading their existing arsenal with new concepts and best practices for securing the various layers and components that make up Cloud Computing. </div><div><br /></div><div>Since I am in the IT Security and Cloud Computing industry, I am starting to notice the certification initials "CCSK" alongside CISSP, CISA, CEH, Security+, PMP, ITIL and other noteworthy titles. 
This is a strong indication that IT Security Professionals do recognize the new challenges that Cloud Computing brings to the table.</div><div><br /></div><div>The <a href="http://cloudsecurityalliance.org/certifyme.html"><span class="Apple-style-span" >Certificate for Cloud Security Knowledge (CCSK</span>)</a> is pioneered by the <a href="http://cloudsecurityalliance.org/"><span class="Apple-style-span" >Cloud Security Alliance (CSA)</span></a>. So far, industry support for the first ever certificate in cloud security knowledge is showing accelerated growth, <a href="http://cloudsecurityalliance.org/Membership.html"><span class="Apple-style-span" >garnering support and participation even from major companies</span></a>. </div><div><br /></div><div>As one of the <a href="http://cloudsecurityalliance.org/ccsk_experts.html#ce_r"><span class="Apple-style-span" >early adopters of the certification</span></a>, the main reason I want to be part of the initiative is to show my dedication and passion for the new technology and to play my part in generating a positive public perception of how individuals, small businesses and large enterprises can harness the power of the cloud without taking on too many risks. </div><div><br /></div><div>There is a big gap between traditional Information Technology security concepts and Cloud Computing security concepts. The co-mingling of data from various customers on a centralized or shared server is one of the major characteristics of Cloud Computing as defined by the<a href="http://csrc.nist.gov/groups/SNS/cloud-computing/"> <span class="Apple-style-span" >National Institute of Standards and Technology (NIST</span></a><span class="Apple-style-span" >)</span>. This gap is what the Cloud Security Alliance aims to fill, by providing industry-standard best practices on how to adopt and implement Cloud Computing securely. 
Cloud Computing adoption is all about losing control in a gracious manner.</div><div><br /></div><div>Learn more about the Cloud Security Alliance Certificate in Cloud Security Knowledge (CSA-CCSK) here:</div><div><b>Cloud Security Alliance</b></div><div><a href="http://cloudsecurityalliance.org/"><span class="Apple-style-span" >http://cloudsecurityalliance.org/</span></a></div><div><br /></div><div>Other noteworthy links:</div><div><b>CloudAudit</b></div><div><a href="http://cloudaudit.org/"><span class="Apple-style-span" >http://cloudaudit.org/</span></a></div><div><b>NIST Cloud Computing Group</b></div><div><a href="http://csrc.nist.gov/groups/SNS/cloud-computing/"><span class="Apple-style-span" >http://csrc.nist.gov/groups/SNS/cloud-computing/</span></a></div>
Post of 2010-07-29, by Ron: RTP Packet inspection without hurting the quality of the voice<br />Nice, I would like to try this solution: deep packet inspection on RTP streams coming into (and out of) your enterprise network without degrading the quality of the voice.<br /><br />Overview:<br /><br />Attackers can spoof the firewall and SBC into determining that the RTP stream is safe to relay. Passing the attacks through the RTP stream is called Vunneling. The alternative is to inspect the RTP packets, which can slow down the transmission and distort the voice.<br /><br />The Salare solution, vPurity software, relies on a number of techniques to solve the Vunneling problem. Network Behavior Analysis (NBA) is employed by Salare. The passive NBA technique is well known for producing many false positive and false negative alerts. Salare's Active NBA virtually eliminates false positives. 
This is accomplished by introducing stimulus events and observing the reaction or non-reaction. This provides accurate and precise recognition of the traffic types passing through the network. <br /><br />The Salare technique inserts distortion in the packet that destroys embedded data and executable transmissions; this distortion is not perceptible to the listener. The insertion does not impact the quality of the voice conversation. <br /><br />Complete article and links here:<br /><a href="http://tinyurl.com/2gxrwv6">http://tinyurl.com/2gxrwv6</a>
Post of 2010-04-07, by Ron: Making the Cloud Trustworthy<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhieMDLnQccRryxFDvyAPf9gSDl0cbzJgXPIe-eNOJzxCRldYEGqtLDa5P7KMLJ6lE-jlksNw0iXs6_JuYacoobNvg80DIj5maml6uB6dvBwmscKJ8SBL7I2Kbvzd526Z4MqEsivMthtgY/s1600/Making+the+cloud+trustworthy.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 138px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhieMDLnQccRryxFDvyAPf9gSDl0cbzJgXPIe-eNOJzxCRldYEGqtLDa5P7KMLJ6lE-jlksNw0iXs6_JuYacoobNvg80DIj5maml6uB6dvBwmscKJ8SBL7I2Kbvzd526Z4MqEsivMthtgY/s400/Making+the+cloud+trustworthy.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5525822467439265506" /></a><br /><div style="text-align: center;">Yet another Cloud Security initiative, <a href="http://www.trusted-cloud.com/">http://www.trusted-cloud.com/</a>, is an initiative by pioneer computer networking company <a href="http://www.novell.com/home/">Novell</a>.</div><br /><span style="font-style: italic;">"Mission Statement: To Promote Education, Research and Certification of Secure and Interoperable Identity in the Cloud</span> <p style="font-style: italic;">The Trusted Cloud Initiative will help cloud providers develop industry-recommended, secure and interoperable identity, access and compliance management configurations, and practices. We will develop reference models, education, certification criteria and a cloud provider self-certification toolset in 2010. This will be developed in a vendor-neutral manner, inclusive of all CSA members and affiliates who wish to participate." </p>Trusted Cloud focuses on the notion that eventually it will be us users, and the industry itself, that will make the Cloud more secure and trustworthy. We need to start trusting the Cloud; we need to start educating users on what to and what not to expect when they join the bandwagon of Cloud Computing; we need to reiterate to users that the Cloud is not the solution for the recession; and finally, we need to let them know that Cloud Computing services, be it Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) or Infrastructure-as-a-Service (IaaS), are now a mature and capable platform that promotes the alignment of business and IT objectives. Trusting the Cloud is a win-win situation, but of course with a few caveats.<br /><br />We just don't have the solid security framework yet to manage and implement effective IT controls, which is what the guys at <a href="http://www.cloudaudit.org/">http://www.cloudaudit.org/</a> and <a href="http://cloudsecurityalliance.org/">http://cloudsecurityalliance.org/</a> are working on. 
It might be early, but I would like to thank these guys for driving the Cloud Computing community down the right path of security with common sense in mind, and not completely reliant on well-known IT controls and "best practices" which do not really scale and apply well to Cloud Computing.<br /><br />Onwards,<br />Ron
Post of 2010-04-04, by Ron: Jolicloud OS for pen tests works, at least for me<div style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHvwqasMGSF_UYyECr9m0D5ryw9UUMCaeD6CdSANVYxcR4m_gDzx71QIdbnNHBeE2uAuEWRGKFpK2x2RBW2x_dy12byyG2cQTt-cEQQk2MYiawsjWCJkh0COZQGJymt8jfyBqDPLC4MRo/s1600/Screenshot-M.png"><img style="cursor:pointer; cursor:hand;width: 400px; height: 234px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHvwqasMGSF_UYyECr9m0D5ryw9UUMCaeD6CdSANVYxcR4m_gDzx71QIdbnNHBeE2uAuEWRGKFpK2x2RBW2x_dy12byyG2cQTt-cEQQk2MYiawsjWCJkh0COZQGJymt8jfyBqDPLC4MRo/s400/Screenshot-M.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5456481279029720978" /></a></div><div style="text-align: center;"><br /></div><div style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgT8visXNQcV7GuM4amXcJvoq2ofvD7ipPRAhf3vwEVg0dTjecPkDnCwWzJc82bxp-7KhCQbobEtVwF84pz9Y_gAiotkzWhvUZN40FF6RkGwDST3jnPdxIDCM6MkJYeUdA9DfI-2RLKde0/s1600/Screenshot.png"><img style="cursor:pointer; cursor:hand;width: 400px; height: 234px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgT8visXNQcV7GuM4amXcJvoq2ofvD7ipPRAhf3vwEVg0dTjecPkDnCwWzJc82bxp-7KhCQbobEtVwF84pz9Y_gAiotkzWhvUZN40FF6RkGwDST3jnPdxIDCM6MkJYeUdA9DfI-2RLKde0/s400/Screenshot.png" border="0" alt="" 
id="BLOGGER_PHOTO_ID_5456478518430926434" /></a></div>Yet another lightweight, built-for-the-web OS, <a href="http://www.jolicloud.com/">Jolicloud OS</a> works well with my pen testing ways, at least for me. Why does it work for me, you ask?<div><br /></div><div>It detects my netbook's native Wi-Fi card out of the box, and I love that feature alone.</div><div><br /></div><div>After playing around with the standard apps that come with it, the next logical step is for me to install my security apps, and since it is a Gnome-based Linux distro, this is super easy to accomplish. </div><div><br /></div><div>Fire up the Terminal app located in the Accessories menu and apt-get install away:</div><div><br /></div><div><i>sudo apt-get install wireshark</i></div><div><i>sudo apt-get install zenmap</i></div><div><br /></div><div>To install <a href="http://www.metasploit.com/redmine/projects/framework/wiki/Install_Ubuntu">Metasploit</a>, there are a couple of things you need to do, which are beautifully covered step by step by this guide:</div><div><a href="http://www.metasploit.com/redmine/projects/framework/wiki/Install_Ubuntu">http://www.metasploit.com/redmine/projects/framework/wiki/Install_Ubuntu</a></div><div><br /></div><div>Why not use BT4 instead? Installing a persistent <a href="http://www.backtrack-linux.org/">BT4</a> is a little bit cumbersome for script kiddies like me. BT4 is awesome, everything is in there, but most of the time I will only use a couple of the tools in it. For a sniffer learning the hacker ways like me, those will be <a href="http://www.wireshark.org/">Wireshark</a>, <a href="http://nmap.org/">NMAP</a> and <a href="http://www.metasploit.com/">Metasploit</a>. And I would like to thank Carlos "<a href="http://www.darkoperator.com/">dark0perator</a>" Perez for this excellent piece of advice he gave on a previous episode of the multi-award-winning podcast Pauldotcom.com Security Weekly: if you want to learn the craft, don't use an all-in-one distro. 
Download and install Ubuntu, and work your way there. This has been my mantra for the past two years.</div><div><br /></div><div>If I were to market the hacker ways to the public, I would pre-package these tools on a social-networking-centric, lightweight OS like Jolicloud. My security app icons sit right next to my Facebook, Gmail and Pidgin IM apps, and that adds a little bit of a cool factor and makes a political statement that we are indeed in the age of point-and-click hacking.</div><div><div><br /></div><div>Play safe kidz.</div><div><br /></div></div>Ronhttp://www.blogger.com/profile/17182153958235614709noreply@blogger.com0tag:blogger.com,1999:blog-3736242421676235123.post-50990995804297841362010-02-15T10:05:00.001-08:002010-02-15T10:09:57.663-08:00Asterisk Dialstring InjectionsIt's like an SQL Injection attack; trying this one now on my VoIPSec lab. Time to fix those Asterisk cookbooks, guys! - Ron<div><br /></div><div><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif; font-size: 14px; color: rgb(41, 48, 59); font-style: italic; line-height: 22px; "><blockquote><pre style="font-size: 1em; font-style: italic; width: 450px; overflow-x: auto; overflow-y: auto; ">[from_sip]</pre><pre style="font-size: 1em; font-style: italic; width: 450px; overflow-x: auto; overflow-y: auto; ">exten => _X.,1,Dial(SIP/${EXTEN}@testsip)</pre><pre style="font-size: 1em; font-style: italic; width: 450px; overflow-x: auto; overflow-y: auto; "><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif; font-style: normal; line-height: 21px; white-space: normal; "><span class="Apple-style-span" style="font-size: medium; ">He writes: “<em>And if ${EXTEN} = “<strong>000@testsip&SIP/333</strong>” what turns out to happen</em><em> then is similar to SQL injection <img 
src="http://www.voip-forum.com/wp-includes/images/smilies/icon_sad.gif" alt=":-(" class="wp-smiley" style="border-top-width: 5px; border-right-width: 5px; border-bottom-width: 5px; border-left-width: 5px; border-style: initial !important; border-color: initial !important; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: rgb(255, 255, 255); border-right-color: rgb(255, 255, 255); border-bottom-color: rgb(255, 255, 255); border-left-color: rgb(255, 255, 255); max-width: 470px; " /> </em></span><em> ”</em>He is exactly right. Many VoIP protocols, including IAX2 and SIP, have a very large allowed character set in the dialed extension, a character set that allows characters that are used as separators to the dial() and the queue() applications, as well as within the dialstring that these applications send to the channel drivers in Asterisk. A user can change the dial options and dial something they should not be able to dial in your system. 
This article describes the issue in more detail and gives you some help on how to avoid this causing trouble in your Asterisk server.</span></pre></blockquote><pre style="font-size: 1em; font-style: italic; width: 450px; overflow-x: auto; overflow-y: auto; "><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif; font-style: normal; line-height: 21px; white-space: normal; ">Complete technical details here: <a href="http://www.voip-forum.com/?p=241&preview=true">http://www.voip-forum.com/?p=241&preview=true</a></span></pre></span></div>Ronhttp://www.blogger.com/profile/17182153958235614709noreply@blogger.com0tag:blogger.com,1999:blog-3736242421676235123.post-52947158243595865532010-02-14T21:26:00.000-08:002010-02-14T21:35:40.539-08:00CloudAudit A6 - The Audit, Assertion, Assessment, and Assurance API<span class="Apple-style-span" style=" color: rgb(102, 102, 102); line-height: 17px; font-family:Helvetica, Arial, sans-serif;font-size:12px;"><strong>CloudAudit and the Automated Audit, Assertion, Assessment, and Assurance API (A6)<br /><br /></strong>The goal of CloudAudit (codename: A6) is to provide a common interface that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments and allow authorized consumers of their services to do likewise via an open, extensible and secure interface and methodology.<br /><br />CloudAudit is a volunteer cross-industry effort from the best minds and talent in Cloud, networking, security, audit, assurance and architecture backgrounds.<br /><br />The CloudAudit/A6 Working group was officially launched in January 2010 and has the 
participation of many of the largest cloud computing providers, integrators and consultants. You can find out more about CloudAudit by visiting the Forums.</span><div><span class="Apple-style-span" style=" color: rgb(102, 102, 102); line-height: 17px; font-family:Helvetica, Arial, sans-serif;font-size:12px;"><br /></span></div><div><span class="Apple-style-span" style=" color: rgb(102, 102, 102); line-height: 17px; font-family:Helvetica, Arial, sans-serif;font-size:12px;">For someone involved in the Cloud Computing industry, information assurance and compliance, this is freakin' awesome! I would like to congratulate everyone involved, especially security guru and fellow grappler Chris Hoff (Cisco) of rationalsurvivability.com.</span></div><div><span class="Apple-style-span" style=" color: rgb(102, 102, 102); line-height: 17px; font-family:Helvetica, Arial, sans-serif;font-size:12px;"><br /></span></div><div><span class="Apple-style-span" style=" color: rgb(102, 102, 102); line-height: 17px; font-family:Helvetica, Arial, sans-serif;font-size:12px;">Find out more about the A6 initiative at <span class="Apple-style-span" style="color: rgb(0, 0, 0); line-height: normal; font-family:Georgia, serif;font-size:16px;"><a href="http://www.cloudaudit.org/">http://www.cloudaudit.org/</a> <span class="Apple-style-span" style=" color: rgb(102, 102, 102); line-height: 17px; font-family:Helvetica, Arial, sans-serif;font-size:12px;">and please spread the word!</span></span></span></div><div><span class="Apple-style-span" style=" color: rgb(102, 102, 102); line-height: 17px; font-family:Helvetica, Arial, sans-serif;font-size:12px;"><br /></span></div><div><span class="Apple-style-span" style=" color: rgb(102, 102, 102); line-height: 17px; font-family:Helvetica, Arial, sans-serif;font-size:12px;">Thanks,</span></div><div><span class="Apple-style-span" style=" color: rgb(102, 102, 102); line-height: 17px; font-family:Helvetica, Arial, 
sans-serif;font-size:12px;">Ron</span></div>Ronhttp://www.blogger.com/profile/17182153958235614709noreply@blogger.com0tag:blogger.com,1999:blog-3736242421676235123.post-45179390075359570652009-11-21T08:46:00.001-08:002009-11-21T10:11:24.206-08:00"New Moon" Movie Now Playing on Torrent Sites<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHhFmR9C-VvhrY4rnDagc0EFSFDP9UUkwkkyIM-EXmsbEWpm2UZc5dpbCEYMBfqK7fprGf9CaALkNYZqNa4-1FOphqU2sYCFI7Ec2Y_ul8cwJHtwKQTCPOxpeEKBfUF4sPDlMrsnXFdkM/s1600/New_Moon_Now_Playing_on_Torrents!.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 353px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHhFmR9C-VvhrY4rnDagc0EFSFDP9UUkwkkyIM-EXmsbEWpm2UZc5dpbCEYMBfqK7fprGf9CaALkNYZqNa4-1FOphqU2sYCFI7Ec2Y_ul8cwJHtwKQTCPOxpeEKBfUF4sPDlMrsnXFdkM/s400/New_Moon_Now_Playing_on_Torrents!.jpg" alt="" id="BLOGGER_PHOTO_ID_5406607248837471106" border="0" /></a><span style="font-size:180%;"><span style="font-weight: bold;">C</span></span>apitalizing on the Team Edward versus Team Jacob fever, a couple of New Moon .avi movie files are now appearing on well-known torrent sites. Of course it's not the real thing: opening the .avi file redirects you to a cleverly crafted website, www.microsoftmedicenter.com. 
Yes kids, look closely before you click:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFTmE_ppdPyex8lRhjS6brrD0c5FFfrREKofZPISVyRnD7T5t63aC32Vre1TNDUtc4Bps5OmCZ6mUsel-RteRy66_xWXuf176TXs45afvxtrUonCaNOEIj9-UOCWZIv1o-duVUqGqiaLQ/s1600/microsoftmedicenter_website.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 88px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFTmE_ppdPyex8lRhjS6brrD0c5FFfrREKofZPISVyRnD7T5t63aC32Vre1TNDUtc4Bps5OmCZ6mUsel-RteRy66_xWXuf176TXs45afvxtrUonCaNOEIj9-UOCWZIv1o-duVUqGqiaLQ/s400/microsoftmedicenter_website.jpg" alt="" id="BLOGGER_PHOTO_ID_5406605528037727234" border="0" /></a><br />It's "mediacenter" minus the letter "a". Good job guys, but it's an old trick; it only works on kids and those who do not practice safe Internet use in the first place.<br /><br />I found out about this from a friend who IM'ed me that I needed to fix his laptop again because he had caught a nasty virus or something for the Nth time this month. He told me the last thing he did was simply open an .avi movie file that redirected him to Microsoft's website, and that's when things started to act funky.<br /><br />The problem is that this guy never listens. He downloads a lot. He refuses to pay for music and movies. Downloading illegal copies of media is hurting the industry. And nothing is free in this world: download a free new movie, get a free evil payload (viruses, adware, scareware, etc.).<br /><br />So I inspected his laptop and immediately browsed to the New Moon movie folder. 
Everything looks legit; you can even do a quick scan of the .avi file with Microsoft Security Essentials and no alerts come up.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhegHQ93P36kGJwV_O_g1Ia44pLUsHvNf40IEUR-OOQEuP-qQW8wMWU8jXfyFOOqsa-O08xhQmtZPyGxc-TCRlT4UQlxoDR_NblJ9nXBmtGRj2EuV2tPU268T89GWHrtrkyM5-fFdkd-Rw/s1600/New_Moon_Evil_Payload.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 110px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhegHQ93P36kGJwV_O_g1Ia44pLUsHvNf40IEUR-OOQEuP-qQW8wMWU8jXfyFOOqsa-O08xhQmtZPyGxc-TCRlT4UQlxoDR_NblJ9nXBmtGRj2EuV2tPU268T89GWHrtrkyM5-fFdkd-Rw/s400/New_Moon_Evil_Payload.jpg" alt="" id="BLOGGER_PHOTO_ID_5406605784479811714" border="0" /></a>So off I went: I opened the movie and, as expected, my browser popped open and was directed to www.microsoftmedicenter.com.<br /><br />However, what I got was a Bandwidth Exceeded error. Hopefully someone DDoS'ed his website for good, or it has already been taken down, or this guy is indeed maxing out the allotted bandwidth for his website because his clever trick is working.<br /><br /><span style=";font-family:courier new;font-size:100%;" >Bandwidth Limit Exceeded</span><span style="font-family:courier new;"> </span><span style=";font-family:courier new;font-size:100%;" > The server is temporarily unable to service your request due to the site owner reaching his/her bandwidth limit. Please try again later. 
</span><hr style="height: 3px;font-family:courier new;"> <address style="font-family:courier new;"><span style="font-size:100%;">Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 mod_python/3.3.1 Python/2.4.3 mod_bwlimited/1.4 PHP/5.2.6 Server at microsoftmedicenter.com Port 80</span></address><address><br /></address>So I did my part as a good Netizen of this world and decided to explore and learn more about this poorly spelled website. First stop is a back trace to see where this guy is hosted:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEighGMbrMPuKJSTT20geoaXkGaS5RkDlAk4-QK8hxEfMkHedW7QRX5XmJpWK4rYJaX6EL85Cy3ktdQaBccCX4rP5RjfM1zCVy5uBqhVXlu9SkSObxnhDMq67hv9PZsMHow5m83voGgmlks/s1600/Backtrace_to_microsoftmedi.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 343px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEighGMbrMPuKJSTT20geoaXkGaS5RkDlAk4-QK8hxEfMkHedW7QRX5XmJpWK4rYJaX6EL85Cy3ktdQaBccCX4rP5RjfM1zCVy5uBqhVXlu9SkSObxnhDMq67hv9PZsMHow5m83voGgmlks/s400/Backtrace_to_microsoftmedi.jpg" alt="" id="BLOGGER_PHOTO_ID_5406610974619790898" border="0" /></a>Wow, Amsterdam, land of the free. If it is indeed hosted in that country. 
Let's try a whois lookup:<br /><br /><span style="font-size:85%;"><a href="http://whois.domaintools.com/microsoftmedicenter.com">http://whois.domaintools.com/microsoftmedicenter.com</a><br /><br />Here's what we know about microsoftmedicenter.com:<br /><br />* "James Gonzaga" owns about 13 other domains View these domains ><br />* is a contact on the whois record of 3 domains<br />* 1 registrar has maintained records for this domain since 2009-05-14<br />* This domain has changed name servers 3 times over 0 year.<br />* Hosted on 4 IP addresses over 0 years.<br />* View 49 ownership records archived since 2009-05-16 .<br />* Wiki article on Microsoftmedicenter.com<br />* 193 other web sites are hosted on this server.<br /><br />DomainTools for Windows®<br /><br />Now you can access domain ownership records anytime, anywhere... right from your own desktop! Find out more ><br />Registrant:<br />James Gonzaga<br />Roxas Boulevard<br />Manila, NCR 2000<br />Philippines<br /><br />Domain Name: MICROSOFTMEDICENTER.COM<br /> Created on: 14-May-09<br /> Expires on: 14-May-10<br /> Last Updated on: 27-Oct-09<br /><br />Administrative Contact:<br /> Gonzaga, James<br /> Roxas Boulevard<br /> Manila, NCR 2000<br /> Philippines<br /> +63.9194341212 Fax --<br /><br />Technical Contact:<br /> Gonzaga, James<br /> Roxas Boulevard<br /> Manila, NCR 2000<br /> Philippines<br /> +63.9194341212 Fax --<br /><br />Domain servers in listed order:<br /> NS1.WATCHUNDERGRADS.COM<br /> NS2.WATCHUNDERGRADS.COM</span><br /><br />And the plot thickens! The domain name was registered to a fellow Filipino residing in Manila? Who knows. Unless domain name registration requires a high level of authentication and presentation of credentials, I doubt there is even a James Gonzaga along Roxas Boulevard in Manila. 
I am going to try that listed Philippine number some other time; who knows, maybe there is a real James Gonzaga prowling the streets of Manila.<br /><br />If someone picks up, I will ask "Is this James? Can I pay in $$$ and distribute some of my stuff on your website and be part of my worldwide BOT NET operation?"<br /><br />Evil grin. That's how easily bad guys do transactions with smart kids from developing countries. All they need to do is mention the words US Dollars.<br /><br />Next stop: let's NMAP this baby. I don't care if he backtracks my trace; I make sure I cover my tracks:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgirJgx9rDaGFyhtCd60ha0fS8flF01FvTHRtVq1RMktYS_alfZAIXGbTch0_QsttEGIhso5QwTEAULjkpDFc4CwK64l1yaji6Lyx8ocHGxUzguU4g1sMROtJ-8IHD79iVkGCTCSGfpTPE/s1600/microsoftmedicenter_nmap_results.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 181px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgirJgx9rDaGFyhtCd60ha0fS8flF01FvTHRtVq1RMktYS_alfZAIXGbTch0_QsttEGIhso5QwTEAULjkpDFc4CwK64l1yaji6Lyx8ocHGxUzguU4g1sMROtJ-8IHD79iVkGCTCSGfpTPE/s400/microsoftmedicenter_nmap_results.jpg" alt="" id="BLOGGER_PHOTO_ID_5406613696339271138" border="0" /></a>Hmm, a couple of filtered interesting ports. 
Maybe next time.<br /><br />Stay tuned.Ronhttp://www.blogger.com/profile/17182153958235614709noreply@blogger.com2tag:blogger.com,1999:blog-3736242421676235123.post-60755430532274368232009-10-16T08:58:00.001-07:002009-10-16T09:11:40.892-07:00Thawte dumps free personal E-mail Certificates<span class="Apple-style-span" style="font-family:Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 18px;"><b><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; font-weight: normal; line-height: normal; "><table width="598" border="0" cellspacing="0" cellpadding="0"><tbody><tr><td width="379" valign="top" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font-family: arial, sans-serif; padding-top: 12px; padding-right: 12px; padding-bottom: 0px; padding-left: 20px; "><table width="566" border="0" cellspacing="0" cellpadding="0"><tbody><tr><td width="660" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font-family: arial, sans-serif; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "><span style="font-size: 16px; line-height: 18px; font-family:Arial, Helvetica, sans-serif;color:#000000;"><strong><span style="color:#9b0033;">Important Thawte&reg; Personal E-mail Certificate Holder Notice</span><br /><span><br />Thawte Personal E-mail Certificates and Web of Trust are being discontinued</span></strong></span></td><td width="166" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font-family: arial, sans-serif; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "></td></tr></tbody></table><table width="566" border="0" align="center" cellpadding="0" cellspacing="0"><tbody><tr><td style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font-family: arial, sans-serif; padding-top: 12px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "><span 
style="font-size: 12px; line-height: 14px; font-family:Arial, Helvetica, sans-serif;color:#000000;"><br />Dear (My Complete Full Name - PacketBoy),</span></td></tr></tbody></table><table width="566" border="0" align="center" cellpadding="0" cellspacing="0"><tbody><tr><td style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font-family: arial, sans-serif; padding-top: 12px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "><span style="font-size: 12px; line-height: 17px; font-family:Arial, Helvetica, sans-serif;color:#000000;">Over the past several years, security compliance requirements have become more restrictive, while the technology infrastructure necessary to meet these requirements has expanded greatly. Despite our strong desire to continue providing the <b>Thawte Personal E-mail Certificate</b> and <b>Web of Trust</b> services, the ever-expanding standards and technology requirements will outpace our ability to maintain these services at the high level of quality we require. As a result, <b>Thawte Personal E-Mail Certificates</b> and the <b>Web of Trust</b> will be discontinued on <b>November 16, 2009</b> and will no longer be available after that date.<br /><br />Deciding to conclude these services was a difficult decision for us to bear, specifically because of the community that has been built around these products over the years.<br /><br />To express our gratitude and sincere appreciation for being a part of our <b>Thawte</b> community, we would like to offer you up to $100.00 off the purchase price of our SSL and/or code signing certificates.<br /><br />If you would like to take advantage of our offer, please forward this email to our sales department. Their contact details are listed at the foot of this message. Please note that this offer expires on November 16, 2009.<br /><br />We have also made a special arrangement with VeriSign regarding replacing your personal email certificate. 
VeriSign's exclusive offer to you is for a FREE 1-year replacement personal email certificate - a $19.95 value. This offer will be open for 2 months after the service is discontinued and will no longer be available after January 16, 2010. Simply follow the appropriate link below to request your certificate:<br /><br />MS Internet Explorer:<br /><a href="https://digitalid.verisign.com/client/class1MSToken.htm" target="_blank" style="color: rgb(0, 101, 204); ">https://digitalid.verisign.com/client/class1MSToken.htm</a><br /><br />For Mozilla, Firefox, Netscape, or Apple Safari:<br /><a href="https://digitalid.verisign.com/client/class1NetscapeToken.htm" target="_blank" style="color: rgb(0, 101, 204); ">https://digitalid.verisign.com/client/class1NetscapeToken.htm</a><br /><br />You may replace each of your active certificates with a VeriSign® Digital ID for Secure Email using the following token(s):<br /><br /><table width="179" border="0" cellpadding="0" cellspacing="0"><tbody><tr><td style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font-family: arial, sans-serif; "><span style="font-size: 12px; line-height: 14px; font-family:Arial, Helvetica, sans-serif;color:#000000;">A3067904AD83FDD2B34E76631A09A178</span></td></tr></tbody></table></span></td></tr></tbody></table><br />Click here to receive answers to questions you may have with regard to enrolment for and installation of your free VeriSign Digital ID class 1:<a href="https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO12704" target="_blank" 
style="color: rgb(0, 101, 204); ">https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO12704</a><br /><br />For answers to further questions you may have about the discontinuation of this service and the impact to your existing certificates please refer to the following FAQ:<a href="https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO12658" target="_blank" style="color: rgb(0, 101, 204); ">https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO12658</a><br />(we will keep this FAQ updated with responses to common questions)<br /><br />We hope we can keep you in the <b>Thawte</b> family as customers of our SSL and code signing products. Thank you for your support of <b>Thawte Personal E-mail Certificates</b> and <b>Web of Trust</b> over the years.</td></tr></tbody></table><table width="566" border="0" align="center" cellpadding="0" cellspacing="0"><tbody><tr><td width="566" colspan="2" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font-family: arial, sans-serif; padding-top: 12px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "><span style="font-size: 12px; line-height: 14px; font-family:Arial, Helvetica, sans-serif;color:#000000;"><br />Kind regards,<br /><br /><b>Thawte Technical Support</b><br />E-Mail: <a href="mailto:personalcert@thawte.com" target="_blank" style="color: rgb(0, 101, 204); ">personalcert@thawte.com</a><br />FAQ: <a href="https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO12658" target="_blank" style="color: rgb(0, 101, 204); ">Click here for FAQ</a></span></td></tr><tr><td 
width="566" colspan="2" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font-family: arial, sans-serif; padding-top: 12px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "><span style="font-size: 12px; line-height: 14px; font-family:Arial, Helvetica, sans-serif;color:#000000;"><br />If you would like to take advantage of our free SSL and code signing offer, please forward this email to our sales department using the details listed below:</span></td></tr><tr><td width="206" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font-family: arial, sans-serif; padding-top: 12px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "><span style="font-size: 12px; line-height: 14px; font-family:Arial, Helvetica, sans-serif;color:#000000;"><b>North American Sales</b><br />Tel: +1 888 484 2983<br />E-Mail: <a href="mailto:us-sales@thawte.com?subject=Thawte+Personal+Cert+EOL+Message+Discount" target="_blank" style="color: rgb(0, 101, 204); "></a><a href="mailto:us-sales@thawte.com" target="_blank" style="color: rgb(0, 101, 204); ">us-sales@thawte.com</a><br /><br />Online Chat: <a href="https://www.thawte.com/chat/chat_retail_new.html" target="_blank" style="color: rgb(0, 101, 204); ">Click Here to Chat</a></span></td><td width="360" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font-family: arial, sans-serif; padding-top: 12px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "><span style="font-size: 12px; line-height: 14px; font-family:Arial, Helvetica, sans-serif;color:#000000;"><b>International Sales</b><br />Tel: +27 21 937 8902<br />E-Mail: <a href="mailto:int-sales@thawte.com?subject=Thawte+Personal+Cert+EOL+Message+Discount" target="_blank" style="color: rgb(0, 101, 204); "></a><a href="mailto:int-sales@thawte.com" target="_blank" style="color: rgb(0, 101, 204); ">int-sales@thawte.com</a><br /><br />Online Chat: <a 
href="https://www.thawte.com/chat/chat_retail_new.html" target="_blank" style="color: rgb(0, 101, 204); ">Click Here to Chat</a><br /><br /></span></td></tr></tbody></table></span></b></span></span>Ronhttp://www.blogger.com/profile/17182153958235614709noreply@blogger.com0tag:blogger.com,1999:blog-3736242421676235123.post-46754748514397300062009-10-13T21:38:00.000-07:002009-10-14T09:32:42.255-07:00October 13, 12 Updates for my Vista box, 1 Goal: Security<span style="font-size:100%;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://img.photobucket.com/albums/v246/guerilla7/MyWindowsVistaUltimateSP210-13-09Av.jpg"><img style="cursor: pointer; width: 799px; height: 465px;" src="http://img.photobucket.com/albums/v246/guerilla7/MyWindowsVistaUltimateSP210-13-09Av.jpg" alt="" border="0" /></a><br /><br /></span><span style="font-size:100%;">I would like to thank the <a href="http://www.ddo.com/index.php">Dungeons & Dragons Online</a> MMORPG for giving me a reason to play around with my Lenovo SL300 again and, at the same time, discover the multiple security updates for Vista released today by Microsoft.<br /><br />This laptop has been sitting around gathering dust for a while, simply because I hated the bundled Windows Vista Ultimate SP2 OS. I would consider it a moderate gaming laptop, with a dedicated Nvidia 128 MB graphics chip. 
I rarely open this laptop, save for occasions where I need to do cross-Windows-platform compatibility and <a href="http://en.wikipedia.org/wiki/Acceptance_testing">User Acceptance Testing (UAT)</a> of our proprietary VoIP application.<br /><br />Another reason I boot it up is just to keep the <a href="http://www.free-av.com/">Avira Free Anti-Virus</a> and <a href="http://www.safer-networking.org/index2.html">Spybot S&D</a> definitions updated, and of course checking for Windows Updates is critical and has always been a routine for me every time I boot up my Windows systems, or any Windows system I play around with, regardless of whether it is set to acquire Automatic Updates.<br /><br />Today, October 13, after getting tired of completing Rank 2 Quests for my female Monk character (yes, shame on me, my account in DDO is VIP), I decided to log out of my alternate universe, head back to the real world and work on my Security+ reviewers and <a href="http://www.sans.org/reading_room/last.php">SANS Institute Reading Room materials</a>.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhG7fBtQzqzlsrZCQMOE7hKibNbmtP8DhxV5d8KizamAdrd9WRd2SMX2uM1OR7_hQgJJsMOTTu1iIjJR4fpUA4CFWdA4kgPXuZ5Id5FgaWy4rxMDFNPkTd-v3NAU18hFH7XsmJd3TT5zrU/s1600-h/Phoebe_DDO_Avatar.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 134px; height: 200px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhG7fBtQzqzlsrZCQMOE7hKibNbmtP8DhxV5d8KizamAdrd9WRd2SMX2uM1OR7_hQgJJsMOTTu1iIjJR4fpUA4CFWdA4kgPXuZ5Id5FgaWy4rxMDFNPkTd-v3NAU18hFH7XsmJd3TT5zrU/s200/Phoebe_DDO_Avatar.jpg" alt="" id="BLOGGER_PHOTO_ID_5392325999175161634" border="0" /></a></span><span style="font-size:100%;">Jumping from one security website to another is a good alternative method of reviewing. 
Sometimes staring at and reading a 1000-page book will bore you one way or another, and you will want something more interactive. </span><div><span class="Apple-style-span" style="font-size: medium;"><br /></span></div><div><span style="font-size:100%;">One of the websites I frequently visit is <a href="http://threatpost.com/">Threatpost.com</a>, a relatively new site which I find very enjoyable to read. Not 2600'ish, but the articles and pictures are very enticing. The white page background and colorful graphics on this website make the hardcore articles look like easy reading, hence the enticing factor.<br /><br />Threatpost also scales well on my Blackberry 8330's screen, as does this humble blog of yours truly. Please go and try it. I find it very convenient to just pop out my smartphone and read along every time I ride the BART to work. It keeps me updated on the current IT security news. It's like Slashdot but only with security-related topics.<br /><br />Back to my Vista Ultimate SP2 box and its merry 12 updates from Microsoft on a single day; here's a screen shot of the list (click on the thumbnail to enlarge the screen shot):<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV7TbfLhAO_-scmLFUb6R5x05JhOKHt7sWerA1mAGSC-Z7gOXf4Fo3-9-Xn1WVzG92I6ZQpO_s3aARXbu18Ui-KTrZ0zAuV7Ptn1Os_EO6DvPlhbaGxGXMF2Vvdh_sWINA9g09lJ6DEpY/s1600-h/12+Security+Updates.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 200px; height: 136px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV7TbfLhAO_-scmLFUb6R5x05JhOKHt7sWerA1mAGSC-Z7gOXf4Fo3-9-Xn1WVzG92I6ZQpO_s3aARXbu18Ui-KTrZ0zAuV7Ptn1Os_EO6DvPlhbaGxGXMF2Vvdh_sWINA9g09lJ6DEpY/s200/12+Security+Updates.jpg" alt="" id="BLOGGER_PHOTO_ID_5392340514030382114" border="0" /></a></span><span style="font-size:100%;"><br /></span><span style="font-size:100%;">Just by looking at 
these KB numbers I am already having headaches :-) Head to Microsoft's Security Bulletin website to find out what each Knowledge Base (KB) article is all about:<br /><a href="http://www.microsoft.com/technet/security/current.aspx">http://www.microsoft.com/technet/security/current.aspx</a><br /><br />You may want to try and use <a href="http://support.microsoft.com/kb/320454">Microsoft's Baseline Security Analyzer</a> on a couple of your Vista boxes, just to make sure your Vista boxes, your brother's, your sister's, even your friend's friends' Vista boxes are updated and safe.<br /><br />Vista is past the <a href="http://www.microsoft.com/technet/security/bulletin/ms09-050.mspx">SMBv2 exploit (MS09-050)</a> nowadays; it has become a haven of choice for wannabe hackers and script kiddies.</span></div><div><span class="Apple-style-span" style="font-size: medium;"><br /></span></div><div><span style="font-size:100%;">I wonder what's going to happen to Vista with Windows 7 coming out in a few days. Will it be the new Windows ME in memory?<br /><br />Play safe, kids.<br />Ron</span></div>Ronhttp://www.blogger.com/profile/17182153958235614709noreply@blogger.com0tag:blogger.com,1999:blog-3736242421676235123.post-45485244963456159072009-10-07T20:14:00.000-07:002009-10-07T22:59:29.259-07:00Poor City Planning and your Disaster Recovery Plans<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrK5nUe3WdIJTEzDX-IHCStzerrUmrosotpPuhOrGEKnAjx3QRTsryXK5dYuxxwrVuzIE3mTXksIQMMIr8uDiGuYRC_5Th78yb3RD7nUU0Nm0V4JwNqHm4lTB34RFTB-8HrCAFAD6NjPw/s1600-h/Typhoon-Ondoy_Flood.jpg"><img style="cursor:pointer; cursor:hand;width: 200px; height: 135px;" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrK5nUe3WdIJTEzDX-IHCStzerrUmrosotpPuhOrGEKnAjx3QRTsryXK5dYuxxwrVuzIE3mTXksIQMMIr8uDiGuYRC_5Th78yb3RD7nUU0Nm0V4JwNqHm4lTB34RFTB-8HrCAFAD6NjPw/s200/Typhoon-Ondoy_Flood.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5390084353603445266" /></a><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgn4HqylsrbaAc4SrvXQ_z-NMRzMssPLveXc_hn10k2889s7jkpOt0JJIRxrSfO0UiEVcIr4qNMAn3dx-oOxwi_lrdTDp6dXbAMyyKlLbvrdLvyi_311IAm5senUh6lPjLZgd9LQLJWDnk/s200/687px-Datacenter-telecom_rectilinear_r10deg_120x105deg.jpg" style="cursor:pointer; cursor:hand;width: 200px; height: 174px;" border="0" alt="" id="BLOGGER_PHOTO_ID_5390084468754023938" /><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjiSgI-ABjaW5fYimsLkR1iWblwJauBOyVDXefeHlEXa3AKykeG4-6o6byI1CdUBn1jO8pOc9kHfhNa77QRtTWdvx25R4VgkN7XDIC_FjIHE4MHmahkCP19TzzTC8cS3Heej6uzDumIeOc/s200/datacenter_disaster.jpg" style="cursor:pointer; cursor:hand;width: 200px; height: 150px;" border="0" alt="" id="BLOGGER_PHOTO_ID_5390084610097542962" /><br /><b><span class="Apple-style-span" style="font-size:x-large;"><div><br /></div>T</span><span class="Apple-style-span" style=" font-weight: normal;"><span class="Apple-style-span" style="font-size: medium;">he Philippine Government finally admitted that</span><a href="http://news.ph.msn.com/regional/article.aspx?cp-documentid=3626055"><span class="Apple-style-span" style="font-size: medium;"> poor city planning was the root cause of the recent massive flooding claiming the lives of nearly 300 people</span></a><span class="Apple-style-span" style="font-size: medium;"> near and around the City of Manila.</span></span></b><div><span class="Apple-style-span" style="font-size: medium;"><br /></span></div><div><span class="Apple-style-span" style="font-size: medium;">Growing up in the Philippines, it doesn't take a genius to figure this out. 
Nobody needs to show us statistics or blueprints of how the city was designed to scale for us to understand this.</span></div><div><span class="Apple-style-span" style="font-size: medium;"><br /></span></div><div><span class="Apple-style-span" style="font-size: medium;">You see it and you smell it. </span></div><div><span class="Apple-style-span" style="font-size: medium;"><br /></span></div><div><span class="Apple-style-span" style="font-size: medium;">I hate to say the "smell" thing because it's very unlikely to come from a patriotic Filipino guy like me, but it is the truth, at least in my experience and opinion. Some parts of Metro Manila are so congested that you do not need to open your eyes to know that the area is overpopulated. </span></div><div><span class="Apple-style-span" style="font-size: medium;"><br /></span></div><div><span class="Apple-style-span" style="font-size: medium;">You can't blame those people. Healthy conditions are the least priority of people who rarely eat even twice a day and need shelter at night. Celebrities and politicians residing in tall buildings were not spared by the flood either. There was even a story circulating of a "dashing" rescue, worthy of a movie, wherein a famous actor rescued an actress in distress from her tall residential building using a speedboat. 
And not helping the less-privileged neighbors.</span></div><div><span class="Apple-style-span" style="font-size: medium;"><br /></span></div><div><span class="Apple-style-span" style="font-size: medium;">In the corporate IT world, I can almost imagine the feeling of helplessness of the people in charge of the Disaster Recovery and Business Continuity Plans (DRP & BCP) for their respective organizations.</span></div><div><span class="Apple-style-span" style="font-size: medium;"><br /></span></div><div><span class="Apple-style-span" style="font-size: medium;">These guys, mostly the Senior Network Administrators and Chief Security Officers of the corporate world, spent hundreds of man-hours designing, testing, and implementing plans to</span></div><div><span class="Apple-style-span"><span class="Apple-style-span" style="font-size: medium;">disaster-proof their business, regardless of whether it's a natural or man-made disaster. The basic and ultimate goal is to survive such events and still continue to do business. </span></span></div><div><span class="Apple-style-span" style="font-size: medium;"><br /></span></div><div><span class="Apple-style-span"><span class="Apple-style-span" style="font-size: medium;">The problem is the actual city where your network infrastructure and organization are physically located. If the city was not designed with security, room for growth, and disaster recovery in mind, your plans get tossed out of the window.</span></span></div><div><span class="Apple-style-span" style="font-size: medium;"><br /></span></div><div><span class="Apple-style-span" style="font-size: medium;">Major city planners of the world should take a page out of the secure software developers' book: design with security in mind. 
And spend less time mitigating risks.</span></div><div><span class="Apple-style-span" style="font-size: medium;"><br /></span></div><div><span class="Apple-style-span" style="font-size: medium;">If your city gets flooded to the point that major streets and thoroughfares look like a wild, gushing river, your well-laid plans will most likely take a detour. This detour is where your plans will actually be tested, because you do not know what's going to happen next.</span></div><div><span class="Apple-style-span" style="font-size: medium;"><br /></span></div><div><span class="Apple-style-span" style="font-size: medium;">However, on major events like this, disaster recovery and business continuity plans should be tossed out of the window for the time being, and self-preservation and helping other lives should be the number one priority.</span></div><div><span class="Apple-style-span" style="font-size: medium;"><br /></span></div><div><span class="Apple-style-span" style="font-size: medium;">After securing the lives of the people working for your organization, go out and help. Events like this happen for a reason, and they make organizations and cities plan and prepare better for the future.</span></div><div><span class="Apple-style-span" style="font-size: medium;"><br /></span></div><div><span class="Apple-style-span" style="font-size: medium;">Lessons learned are always the last phase of such events. 
Take detailed notes, recall how the event escalated, and learn from your mistakes.</span></div><div><br /></div>Ronhttp://www.blogger.com/profile/17182153958235614709noreply@blogger.com1tag:blogger.com,1999:blog-3736242421676235123.post-80385297753428270952009-09-21T09:40:00.000-07:002009-09-26T20:37:39.973-07:00PDF Reader Risk Mitigation and Herd Mentality in IT Security Best Practice<span style="font-weight: bold;font-size:180%;" >T</span><span style="font-size:100%;">he prevailing trend among security-conscious system administrators and IT personnel nowadays, regarding the risks that Adobe Acrobat PDF Reader presents on the network, is to dump the entire PDF reader application in favor of another.<br /><br />This trend is an attempt to accomplish Risk Avoidance. Risk Avoidance is a Risk Management method wherein you terminate the activity that is introducing the risk. In short, there is no need to implement and keep track of your Risk Mitigation process, since there is nothing to keep track of in the first place. No Adobe PDF Reader, no risk. And why worry about Adobe PDF Reader zero-day exploits when you can use another PDF reader that is not affected by such vulnerabilities? OK, that sounds logical and you may have a point, Mr. IT Admin Sir, but please listen.<br /><br />Enter Foxit PDF Reader, the leading candidate and alternative to Adobe's dominant PDF Reader. However, converting your entire company to Foxit PDF Reader does not guarantee 100% Risk Avoidance. The top 2 misconceptions about Foxit PDF Reader are the following:<br /><br />1. Foxit PDF Reader does not have JavaScript (who needs JavaScript in a document reader anyway?!)<br /><br />>False. Foxit PDF Reader (the most recent version at the time of this writing is 3.1.1.0901) also has JavaScript, and as a matter of fact it is enabled by default on a fresh installation. So go ahead and disable that damn JavaScript by going to Tools>Preferences>Javascript and removing the check mark.<br /><br />2. 
Foxit PDF Reader doesn't have exploits and vulnerabilities like Adobe PDF Reader.<br /><br />>False. Although Adobe PDF Reader leads in scoring when it comes to exploits and vulnerabilities (say, 10 exploits for Adobe PDF Reader versus 2 for Foxit PDF Reader), Foxit has its own share of bad apples. From buffer overflow exploits to remote denial-of-service exploits, yes, Foxit is also prone to PDF-related exploits and vulnerabilities.<br /><br /></span><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgs9WnCXi12OeErT_vbNqLl9PtRBhpHlHFfog4zpZlFS_SSfQRiRucwa9nYM9hXIZox9lYKZQDEghPXianVihyqqZuuYIXNPiBsKkzrjElSbfVfgyxdZCzh69K4DC8cPXbs2vLKD83DjRk/s1600-h/replace+Adobe+PDF+reader+with+Foxit+PDF+reader.jpg"><img style="cursor: pointer; width: 545px; height: 84px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgs9WnCXi12OeErT_vbNqLl9PtRBhpHlHFfog4zpZlFS_SSfQRiRucwa9nYM9hXIZox9lYKZQDEghPXianVihyqqZuuYIXNPiBsKkzrjElSbfVfgyxdZCzh69K4DC8cPXbs2vLKD83DjRk/s400/replace+Adobe+PDF+reader+with+Foxit+PDF+reader.jpg" alt="" id="BLOGGER_PHOTO_ID_5384168198904849042" border="0" /></a><br /><br /><span style="font-size:100%;">It won't take long for malware authors and security researchers to create new exploits targeting alternative PDF readers such as Foxit PDF Reader. The same rule applies when dumping Adobe PDF Reader in favor of another: patch your applications and systems on a regular basis, and keep tabs on zero-day exploits. Enforce your company's or organization's Policies, Standards, Baselines, Guidelines and Procedures to the full extent, but not to the point that you lose your sanity in the process and your co-workers start tagging you as a control freak.<br /><br />I find random, on-the-spot, casual-conversation Security Awareness Training the best tactic one can employ inside the workplace. 
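Both misconceptions above come down to the same thing: the script engine travels with the document, not with the reader you picked. As an added example (not code from the original post), here is a small Python scanner that flags PDFs carrying JavaScript or auto-run actions, including names hidden behind #xx escapes or inside Flate-compressed streams; the sample PDFs inside it are constructed for the demo and are not real files from the page.

```python
"""Flag PDF files that carry JavaScript or auto-run actions.

Added example, not code from the original post. The scanner looks for the
PDF name objects that let a document run script or launch a program when
opened (/JavaScript, /JS, /OpenAction, /AA, /Launch), resolves the #xx
escapes a file can use to hide those names (/J#61vaScript), and also looks
inside Flate-compressed streams. Every sample PDF below is constructed.
"""
import re
import zlib

# Names that give a document the ability to run code when it is opened.
SUSPICIOUS_NAMES = {"JavaScript", "JS", "OpenAction", "AA", "Launch"}

# A PDF name token: '/' then regular characters, where #xx encodes any byte.
NAME_RE = re.compile(rb"/((?:[^\s/<>\[\]()%#]|#[0-9A-Fa-f]{2})+)")
# A stream body (non-greedy); bytes after the zlib data are tolerated below.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def decode_name(raw: bytes) -> str:
    """Resolve #xx escapes in a name token, e.g. b'J#61vaScript' -> 'JavaScript'."""
    unescaped = re.sub(rb"#([0-9A-Fa-f]{2})",
                       lambda m: bytes([int(m.group(1), 16)]), raw)
    return unescaped.decode("latin-1")


def inflate_streams(data: bytes):
    """Yield the decompressed body of every stream that zlib can inflate."""
    for m in STREAM_RE.finditer(data):
        inflater = zlib.decompressobj()  # ignores bytes after the zlib data
        try:
            body = inflater.decompress(m.group(1))
        except zlib.error:
            continue  # not Flate-encoded (or not compressed at all)
        if body:
            yield body


def scan_pdf_bytes(data: bytes) -> dict:
    """Count suspicious names in the raw file and in its inflated streams."""
    found = {}
    for blob in (data, *inflate_streams(data)):
        for m in NAME_RE.finditer(blob):
            name = decode_name(m.group(1))
            if name in SUSPICIOUS_NAMES:
                found[name] = found.get(name, 0) + 1
    return found


def classify(data: bytes) -> str:
    """Return 'clean', 'javascript', 'javascript-on-open' or 'launch-action'."""
    found = scan_pdf_bytes(data)
    if "Launch" in found:
        return "launch-action"
    if "JavaScript" in found or "JS" in found:
        # /OpenAction or /AA means the script fires without any user click.
        if "OpenAction" in found or "AA" in found:
            return "javascript-on-open"
        return "javascript"
    return "clean"


# --- constructed samples (minimal, not fully valid PDFs) --------------------
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

JS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"4 0 obj << /S /JavaScript /JS (app.alert('constructed sample')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Same document with the action names hidden behind #xx escapes.
OBFUSCATED_PDF = (JS_PDF.replace(b"/JavaScript", b"/J#61vaScript")
                        .replace(b"/JS ", b"/#4AS "))

# Same action, but the dictionary lives inside a Flate-compressed stream.
_inner = b"<< /S /JavaScript /JS (app.alert('constructed sample')) >>"
_body = zlib.compress(_inner)
COMPRESSED_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"4 0 obj << /Length " + str(len(_body)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + _body + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, pdf in [("benign", BENIGN_PDF), ("plain", JS_PDF),
                       ("obfuscated", OBFUSCATED_PDF), ("compressed", COMPRESSED_PDF)]:
        print(f"{label:>10}: {classify(pdf):18} {scan_pdf_bytes(pdf)}")
```

A hit from this scanner is a reason to look closer, not a verdict: /OpenAction alone is routinely used to set the initial page, which is why only the combination with a script name is rated "javascript-on-open".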
So every morning, while lining up for coffee in the pantry room, go ahead and break some "cool" and "leet" IT security news to your fellow workers; they will enjoy it as long as you tell the story the way movies tell them. Avoid jargon and acronyms please, and make it exciting. Think Quentin Tarantino directing a hacker movie.<br /><br />Bruce Schneier made an excellent point in his talk "The Future of the Security Industry: IT is Rapidly Becoming a Commodity" at a recent OWASP meeting. Bruce mentioned that the trend nowadays in IT security is slowly turning into something of a herd mentality: they are doing it, so let's do it, that kind of thing. Even the current Best Practices recommended by the community are suffering from this herd-mentality syndrome. I tend to agree with this notion, since everywhere I go and every material I read describes a Best Practice guide that doesn't always apply to everyone.<br /><br />We need to treat each system, no matter how closely it resembles other systems, as a unique system with a different set of variables and behavior. So please, stop treating those Best Practice Guides as your bible and study how your network behaves.<br /><br />Cheers!<br />Ron</span><br /><br /><span style="font-size:85%;">Sources:<br />1. "Handling Risk", page 107, Chapter 3: Information Security and Risk Management, All-in-One CISSP Exam Guide, 4th Edition, by Shon Harris, CISSP, MCSE<br />2. Bruce Schneier: The Future of the Security Industry: IT is Rapidly Becoming a Commodity, <a href="http://vimeo.com/groups/owaspmsp/videos/6495257">http://vimeo.com/groups/owaspmsp/videos/6495257</a><br />3. Open Web Application Security Project (OWASP), <a href="http://www.owasp.org/index.php/Main_Page">http://www.owasp.org/index.php/Main_Page</a><br />4. 
<a href="http://www.schneier.com/">http://www.schneier.com/</a><br /></span>Ronhttp://www.blogger.com/profile/17182153958235614709noreply@blogger.com0tag:blogger.com,1999:blog-3736242421676235123.post-39087339174420133622009-09-13T12:16:00.001-07:002009-09-13T13:02:38.900-07:00Steganography meets VoIP in hacker world<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOT9XFFQU7mROX5xUBfethLnpWVfQi1EzgDPbB24Tsl2F-nJiRHJW2cKa61g-bL_0r4CxFbdZ-e83TOYskCF_OllpJ1syL9nV1WdyHpmHkUdTWHmUp2K7SPXecQIQw33JwoyAkYN-Vc94/s1600-h/UA+SIP+Restart.jpg"><img style="cursor: pointer; width: 320px; height: 154px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOT9XFFQU7mROX5xUBfethLnpWVfQi1EzgDPbB24Tsl2F-nJiRHJW2cKa61g-bL_0r4CxFbdZ-e83TOYskCF_OllpJ1syL9nV1WdyHpmHkUdTWHmUp2K7SPXecQIQw33JwoyAkYN-Vc94/s320/UA+SIP+Restart.jpg" alt="" id="BLOGGER_PHOTO_ID_5381044854996532946" border="0" /></a><br /><br /><span style="font-weight: bold;font-size:180%;" >A</span>n excellent way to hide messages or malicious payloads: make use of the unused bits in the RTP-over-UDP packets of a voice stream. I bet I can see the malformed or modified part of the RTP stream in Wireshark! Back to the lab for some tests!<br /><br />Complete details at the link below.<br /><br /><a href="http://shar.es/1Hsbo">Steganography meets VoIP in hacker world</a><br />Posted using <a href="http://sharethis.com/">ShareThis</a><br /><br />Have fun inserting stuff into those unused bits!<br />RonRonhttp://www.blogger.com/profile/17182153958235614709noreply@blogger.com0tag:blogger.com,1999:blog-3736242421676235123.post-24447958549993721582009-09-09T00:26:00.001-07:002009-09-12T23:54:17.461-07:00"Daemon" by Daniel Suarez.<span style="font-weight: bold;font-size:180%;" >A</span> must-read for everyone interested in the future of AI, automation and technology in general.<br /><br />This novel is awesome. 
All the enumeration, sniffing and penetration methods and tools used in the story are real and up-to-date. A computer game software genius dies and leaves behind the best AI ever created and a kick-ass "daemon" process to automate things. How do you fight evil packets? Go figure out how the rest of the story unfolds.<br /><br />So for a change, get out of your chair, away from your computer monitor, and pick up the book from the nearest bookstore. I am currently enjoying the audiobook version for my second reading of the book, and drooling over having my hardcover copy signed by the author.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://thedaemon.com/images/DuttonCoverIsometric01.jpg"><img style="cursor: pointer; width: 224px; height: 281px;" src="http://thedaemon.com/images/DuttonCoverIsometric01.jpg" alt="" border="0" /></a><br /><a href="http://thedaemon.com/">http://thedaemon.com/</a><br /><br />Below is a brief e-mail exchange with the genius behind the book, Daniel Suarez:<span style="color: rgb(0, 0, 0);"><br /><br /></span><br /><span style="font-size:85%;"><blockquote><span style="color: rgb(0, 0, 0);">Excellent novel Daniel, looking forward to Freedom (TM).</span><br /><br /><span style="color: rgb(0, 0, 0);">One question though, regarding this line from the novel:</span><br /><br /><span style="color: rgb(0, 0, 0);">"So far, Gragg had a cache of nearly two thousand high-</span><br /><span style="color: rgb(0, 0, 0);">net-worth identities to sell on the global market, and the Brazilians and Filipinos</span><br /><span style="color: rgb(0, 0, 0);">were snapping up everything he offered."</span><br /><br /><span style="color: rgb(0, 0, 0);">Does this mean that based on your research (and statistics), most of these bad guys lurking around IRC channels are either from Brazil or the Philippines?</span><br /><br /><span style="color: rgb(0, 0, 0);">I am a Filipino residing here in the Bay Area and I am into VoIP 
Security, and overall IP-based Systems Security as well.</span><br /><br /><span style="color: rgb(0, 0, 0);">All the best,</span><br /><span style="color: rgb(0, 0, 0);">Ron</span><br /><br /><span style="color: rgb(0, 0, 153);">+++<br /><br />Hi Ronald,</span><br /><span style="color: rgb(0, 0, 153);"></span><br /><span style="color: rgb(0, 0, 153);">Thanks for the kind note. I'm glad you enjoyed Daemon.</span><br /><span style="color: rgb(0, 0, 153);"></span><br /><span style="color: rgb(0, 0, 153);">When I wrote Daemon back in 2004, Brazil and the Philippines were big</span><br /><span style="color: rgb(0, 0, 153);">centers for identity theft; however, much of that has since moved to other </span><span style="color: rgb(0, 0, 153);">countries. With the rise of botnets, though, it's</span><span style="color: rgb(0, 0, 153);"> increasingly difficult to tell where exploits and penetrations originate</span><span style="color: rgb(0, 0, 153);"> (with zombies serving as proxies...).</span><br /><span style="color: rgb(0, 0, 153);"></span><br /><span style="color: rgb(0, 0, 153);"></span><br /><span style="color: rgb(0, 0, 153);">Best,</span><span style="color: rgb(0, 0, 153);"></span><br /><span style="color: rgb(0, 0, 153);">D.S.<br /><br /><span style="color: rgb(0, 0, 0);">+++<br /><br />Daniel,</span><br /><span style="color: rgb(0, 0, 0);"></span><br /><span style="color: rgb(0, 0, 0);">Agreed, 2004, those were the days. Now the Philippines is into hosting Call Centers<br />(and exploiting them) and Brazil is into US-Satellite tapping, lol.</span><span style="color: rgb(0, 0, 0);"><br /><br /></span><span style="color: rgb(0, 0, 0);">Do you mind if I post your reply to my blog? (http://packetboyperseus.blogspot.com) I am planning to put up a simple personal review so my network of friends can see it and eventually pick it up from the nearest bookstore. 
I am sure they will love it as well.</span><br /><span style="color: rgb(0, 0, 0);"></span><br /><span style="color: rgb(0, 0, 0);">All the best,</span><span style="color: rgb(0, 0, 0);"><br />Ron</span><br /><br />Hi Ronald,<br /><br />My main point is that the future of cyber warfare is going to be driven by botnets and<br />distributed attacks originating from small groups of individuals (not<br />nations).<br /><br />I don't want to sound like I'm 'blaming' that on Russians,<br />Brazilians, or Filipinos. The root cause of our IT security problem is<br />the inherently open architecture of global networks and the monoculture<br />that is modern software.<br /><br />There are now cyber criminals and cyber warfare<br />units all around the world, and solving the infrastructural issues is<br />more important than playing international whack-a-mole with would-be<br />perpetrators--no matter what country they hail from.<br /><br />Best,<br />D.S.<br /><br />+++<br /></span></blockquote><span style="color: rgb(0, 0, 153);"><br /></span></span>Ronhttp://www.blogger.com/profile/17182153958235614709noreply@blogger.com0tag:blogger.com,1999:blog-3736242421676235123.post-45916056251707847172009-09-05T01:52:00.000-07:002009-09-09T00:22:08.381-07:00Tracing packet drops in Florida and sniffing traffic from 35K feet<span style="font-size:180%;"><span style="font-weight: bold;">I</span></span> recently traveled to Hollywood, Florida for on-site network troubleshooting at a customer. We usually do things over the phone and remote access if needed, but this customer insisted that it's our VoIP application acting up, and not their network. 
So the next day I went to their facilities, met with one of their IT staff and immediately started mapping out their wired network (for fun and profit).<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDM6zO1YWs0TzaVy7rsn0i6ajfopSxnpBNxN233fdKJK1kwlN1z6_RNiBGUOpG3gmSUeX7KK7YS7rMa4kxWwgOnBAnuna84SR_VxkSHRnsU6YhzGSnxvb4ipPAGk3-BN2QNXQeeWXIfPM/s1600-h/Ron+%40+Fort+Lauderdale+Beach.jpg"><img style="cursor: pointer; width: 320px; height: 240px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDM6zO1YWs0TzaVy7rsn0i6ajfopSxnpBNxN233fdKJK1kwlN1z6_RNiBGUOpG3gmSUeX7KK7YS7rMa4kxWwgOnBAnuna84SR_VxkSHRnsU6YhzGSnxvb4ipPAGk3-BN2QNXQeeWXIfPM/s320/Ron+%40+Fort+Lauderdale+Beach.jpg" alt="" id="BLOGGER_PHOTO_ID_5379342451918677650" border="0" /></a><br /><br />After a couple of minutes of tracing unlabeled RJ45 cables and network devices in general, I was able to trace the root cause. The bottleneck originates from a commercial firewall installed on their network. I am not going to identify the brand and model, but it's one of those firewalls not meant to handle a tremendous amount of traffic. In short, it's a small office/home office firewall/router. Their facility generates around 12 to 20 Mbps of outbound traffic on a daily basis. <br /><br />This firewall goes gaga when hit by too much traffic; it simply drops all concurrent connections and resets, as is evident in the firewall and router logs. Good thing their Network Admin made the right choice and decided to get hold of a Cisco ASA 5505 Security Appliance and replace their current firewall. 
The problem is that this guy does not know how to configure the ASA and needs to outsource the configuration and installation, so the ASA has to wait while the problem persists on their converged network.<br /><br />To rub salt in the wound, they are using old-school workstations running Celeron 2.0 GHz processors with a measly 256 MB of SDRAM. Understand that these workstations handle a softphone-based VoIP client, a web-based CRM, an Instant Messaging client, and Agent productivity apps. I say good luck with that. As suspected, Agents usually encounter the white screen of death where everything halts and freezes; hitting the Reset button is their usual routine.<br /><br />Add the workstation hardware issues to the misconfiguration on the network and you get a very painful and regretful VoIP experience.<br /><br />Knowing how painful this experience is for their Agents, what I did was strip down Windows XP Pro to the bare minimum to free additional memory and overall system resources. What I mean by a stripped-down version is disabling all local services that are not needed, adjusting the workstation for Best Performance, disabling tons of startup and running applications via msconfig, and finally locking down the Agent login to Limited Rights so they can't install those nasty shopping IE add-on toolbars, lol. 
Things you must do when no Domain Controller is present on a large network.<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7EZtekYBUmmaAMT7txN43QtuSk63UL_dqxoPnPjZzfbdMJJYuP6vnavGa6W3Hui_p2M3YM4JwDMuQ-BMEbLvDuKp5L83N_MXi1k31dDwP0ut1A4v93dGTk-ebfkvPkNCuWv0NycpB88s/s1600-h/Gogo,+Wireshark+and+Intel+WiFi.jpg"><img style="cursor: pointer; width: 406px; height: 140px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7EZtekYBUmmaAMT7txN43QtuSk63UL_dqxoPnPjZzfbdMJJYuP6vnavGa6W3Hui_p2M3YM4JwDMuQ-BMEbLvDuKp5L83N_MXi1k31dDwP0ut1A4v93dGTk-ebfkvPkNCuWv0NycpB88s/s320/Gogo,+Wireshark+and+Intel+WiFi.jpg" alt="" id="BLOGGER_PHOTO_ID_5379240191133996242" border="0" /></a><span style="font-size:180%;"><span style="font-weight: bold;"><br />O</span></span>n my way back home to the Bay Area, I had some fun in-flight thanks to Gogo In-flight Internet, without actually signing up for their service.<br /><br />Thanks to Wireshark, the Zenmap GUI, and my laptop's Intel(R) Wireless WiFi Link 5100 card, I was able to take a glimpse of the WiFi activity on board the plane.<br /><br />Intense scan plus UDP output from Nmap:<br /><blockquote style="font-family:courier new;"><span style="font-size:85%;"><i>nmap -sS -sU -T4 -A -v -PE -PA21,23,80,3389 172.19.131.2</i><br /></span><span style="font-size:85%;"><br />Starting Nmap 5.00 ( http://nmap.org ) at 2009-09-03 16:40 Pacific Daylight Time<br />NSE: Loaded 30 scripts for scanning.<br />Initiating ARP Ping Scan at 16:40<br />Scanning 172.19.131.2 [1 port]<br />Completed ARP Ping Scan at 16:40, 0.22s elapsed (1 total hosts)<br />Initiating Parallel DNS resolution of 1 host. at 16:40<br />Completed Parallel DNS resolution of 1 host. 
at 16:40, 11.39s elapsed<br />Initiating SYN Stealth Scan at 16:40<br />Scanning 172.19.131.2 [1000 ports]<br />Discovered open port 80/tcp on 172.19.131.2<br />Completed SYN Stealth Scan at 16:40, 5.05s elapsed (1000 total ports)<br />Initiating UDP Scan at 16:40<br />Scanning 172.19.131.2 [1000 ports]<br />Completed UDP Scan at 16:40, 4.26s elapsed (1000 total ports)<br />Initiating Service scan at 16:40<br />Scanning 1001 services on 172.19.131.2<br />Service scan Timing: About 0.40% done<br />Service scan Timing: About 1.50% done; ETC: 18:43 (2:00:31 remaining)<br />Service scan Timing: About 3.00% done; ETC: 18:13 (1:29:33 remaining)<br />Service scan Timing: About 4.50% done; ETC: 18:02 (1:18:15 remaining)<br />Service scan Timing: About 5.99% done; ETC: 17:57 (1:12:09 remaining)<br />Service scan Timing: About 7.49% done; ETC: 17:54 (1:08:07 remaining)<br />Service scan Timing: About 10.39% done; ETC: 17:43 (0:56:12 remaining)<br />Service scan Timing: About 10.49% done; ETC: 17:50 (1:02:43 remaining)<br />Service scan Timing: About 13.39% done; ETC: 17:43 (0:54:02 remaining)<br />Service scan Timing: About 13.49% done; ETC: 17:48 (0:58:55 remaining)<br />Service scan Timing: About 16.38% done; ETC: 17:43 (0:52:03 remaining)<br />Service scan Timing: About 16.48% done; ETC: 17:47 (0:55:49 remaining)<br />Service scan Timing: About 19.38% done; ETC: 17:42 (0:50:03 remaining)<br />Service scan Timing: About 19.48% done; ETC: 17:46 (0:53:11 remaining)<br />Service scan Timing: About 22.38% done; ETC: 17:42 (0:48:06 remaining)<br />Service scan Timing: About 28.37% done; ETC: 17:42 (0:44:16 remaining)<br />Service scan Timing: About 34.37% done; ETC: 17:42 (0:40:29 remaining)<br />Service scan Timing: About 40.36% done; ETC: 17:42 (0:36:45 remaining)<br />Service scan Timing: About 46.35% done; ETC: 17:42 (0:33:01 remaining)<br />Service scan Timing: About 52.35% done; ETC: 17:42 (0:29:19 remaining)<br />Service scan Timing: About 58.34% done; ETC: 17:42 
(0:25:37 remaining)<br />Service scan Timing: About 64.34% done; ETC: 17:42 (0:21:55 remaining)<br />Service scan Timing: About 70.33% done; ETC: 17:42 (0:18:13 remaining)<br />Service scan Timing: About 76.32% done; ETC: 17:42 (0:14:32 remaining)<br />Service scan Timing: About 82.32% done; ETC: 17:42 (0:10:51 remaining)<br />Service scan Timing: About 88.31% done; ETC: 17:42 (0:07:10 remaining)<br />Service scan Timing: About 94.31% done; ETC: 17:42 (0:03:30 remaining)<br />Service scan Timing: About 98.90% done; ETC: 17:43 (0:00:41 remaining)<br />Completed Service scan at 17:42, 3688.53s elapsed (1001 services on 1 host)<br />Initiating OS detection (try #1) against 172.19.131.2<br />NSE: Script scanning 172.19.131.2.<br />NSE: Starting runlevel 1 scan<br />Initiating NSE at 17:42<br />Completed NSE at 17:43, 36.19s elapsed<br />NSE: Starting runlevel 2 scan<br />Initiating NSE at 17:43<br />Completed NSE at 17:43, 5.02s elapsed<br />NSE: Script Scanning completed.<br />Host 172.19.131.2 is up (0.0014s latency).<br />Interesting ports on 172.19.131.2:<br />Not shown: 1000 open|filtered ports, 999 filtered ports<br />PORT STATE SERVICE VERSION<br />80/tcp open http?<br />| html-title: Site doesn't have a title.<br />|_ Did not follow redirect to http://airborne.gogoinflight.com/abp/page/abpDefault.do?REP=127.0.0.1&AUTH=127.0.0.1&CLI=172.19.131.153&PORT=54273&RPORT=54272&acpu_redirect=true<br />MAC Address: 00:E0:4B:22:96:D9 (Jump Industrielle Computertechnik Gmbh)<br />Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port<br />Device type: general purpose<br />Running: Linux 2.6.X<br />OS details: Linux 2.6.18 - 2.6.27, Linux 2.6.26<br />Uptime guess: 0.405 days (since Thu Sep 03 07:59:45 2009)<br />Network Distance: 1 hop<br />TCP Sequence Prediction: Difficulty=197 (Good luck!)<br />IP ID Sequence Generation: All zeros<br /><br />Host script results:<br />|_ nbstat: ERROR: Name query failed: TIMEOUT<br /><br 
/>Read data files from: C:\Program Files\Nmap<br />OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .<br />Nmap done: 1 IP address (1 host up) scanned in 3757.66 seconds<br /> Raw packets sent: 4045 (148.498KB) | Rcvd: 31 (1502B)</span></blockquote>Wireshark capture screenshot:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIhCjM1WBBDVkvC8wKy5_ViQt3i08s8jcGtOBCWgnuEGKH4zGO3LBH5QKLBZDADddjR2RcOlVlGU31BQAo-A0Lf9BewEqKsjd01WcuQNtMDsQ2kpwnHmvIyjNj_-pmxVukZ-tpZW8UU6g/s1600-h/Wireshark+capture.gif"><img style="cursor: pointer; width: 320px; height: 174px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIhCjM1WBBDVkvC8wKy5_ViQt3i08s8jcGtOBCWgnuEGKH4zGO3LBH5QKLBZDADddjR2RcOlVlGU31BQAo-A0Lf9BewEqKsjd01WcuQNtMDsQ2kpwnHmvIyjNj_-pmxVukZ-tpZW8UU6g/s320/Wireshark+capture.gif" alt="" id="BLOGGER_PHOTO_ID_5379357699360176370" border="0" /></a><br /><br />Noteworthy protocols and services discovered in the Wireshark .pcap capture:<br /><br />- Cisco IP-SLA<br />- TACACS and XTACACS<br />- BOOTP<br />- TFTP<br />- CLDAP (Connectionless Lightweight Directory Access Protocol)<br />- Cisco Wireless LAN Context Control Protocol<br />- Mobile IP Protocol (RFC 3344)<br />- RIP (Routing Information Protocol)<br />- OpenVPN<br />- OCSP (Online Certificate Status Protocol)<br />- Slimp3 Communication Protocol (Device ID: 101) (Firmware Revision: 6:12 (0x6c))<br />- Base Station Subsystem GPRS Protocol (BSSGP)<br />- CFLOW (Cisco NetFlow/IPFIX)<br />- CUPS (Common Unix Printing System)<br />- GPRS Tunneling Protocol (GTP)<br />- H.225.0 RAS<br /><br />Discovered network device signatures / MAC OUIs:<br /><br />- JUMP INDUSTRIELLE COMPUTERTECHNIK GmbH (00:e0:4b)<br />- Hon Hai Precision Ind. Co., Ltd. 
(00:22:69)<br /><br />You can easily Google those two identified manufacturers and you will have an idea what type of devices they produce.<br /><br />As always, hit me up by e-mail if you want a copy of the complete .pcap capture and I will be glad to send you a copy, for research and analysis of course. Let me know if you guys need additional information as well about my recent packet-sniffing adventure at 35K feet.<br /><br />On my next flight, I am bringing an external USB antenna with packet-injection capability :-) attached to my future 1000HE netbook.<br /><br />Happy packet-sniffing everyone and try not to break any laws in the process!<br />RonRonhttp://www.blogger.com/profile/17182153958235614709noreply@blogger.com0tag:blogger.com,1999:blog-3736242421676235123.post-77185224658036225902009-08-28T10:21:00.000-07:002009-08-28T10:41:03.161-07:00Source Codes for a Skype Eavesdropper Trojan Released for Public Viewing<div class="posttitle"><h2><a href="http://www.megapanzer.com/2009/08/25/skype-trojan-sourcecode-available-for-download/" rel="bookmark" title="Permanent Link to Skype trojan sourcecode available for download.">Skype trojan sourcecode available for download.</a></h2> <p class="post-info">Aug 25th, 2009 by <a href="http://www.megapanzer.com/author/carrumba/" title="Posts by carrumba">carrumba</a> </p> </div> <p><img src="http://www.megapanzer.com/wp-content/uploads/trojan_horse.jpeg" alt="trojanhorse" title="trojanhorse" class="alignright size-full wp-image-2132" width="50" height="48" />As announced some weeks ago, the <strong>Skype trojan sourcecode</strong> will be available for download. You find the source packages in the <a href="http://www.megapanzer.com/source-code/#skypetrojan">Tools & sources</a> section if you are the impatient type.</p> <p>The code is simple and straightforward. 
You have to know <a class="glossaryLink" href="http://www.megapanzer.com/?page_id=1210" onclick="" title="Glossary: Malware" target="_blank">malware</a> development is no rocket science and if you expect big magic you are at the wrong place. The <a class="glossaryLink" href="http://www.megapanzer.com/?page_id=1301" onclick="" title="Glossary: Backdoor" target="_blank">backdoor</a> receives instructions from the <a class="glossaryLink" href="http://www.megapanzer.com/?page_id=1272" onclick="" title="Glossary: Dropzone" target="_blank">dropzone</a> and transfers audio files. The Skype-Tap intercepts the Skype function calls, extracts and dumps audio data to files, converts it to the mp3 format and encrypts it. </p> <p>The code is not 100% complete. I removed the plugin system in the backdoor and also the firewall bypassing system is not there anymore. I will publish both of them in separate tools later. If you don’t like this … well, I can’t help you. That’s how it is. Take it or leave it. </p> As always I am open for your opinions and criticism.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtllLxCdja5h0FyyvvGL2H-D1qX8tf0opphlG_DX4h8Ryj9msqa5pRAdkAHCaOcQPPDyhjf5ygQ29qsLDTlD4-EQ36oi3E6hTTmoe-YUkn9K7DyHJk95hmt_6SiiLKF3VK9Qa_ukrz3Pc/s1600-h/SkypeTap_overview.png"><img style="cursor: pointer; width: 320px; height: 258px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtllLxCdja5h0FyyvvGL2H-D1qX8tf0opphlG_DX4h8Ryj9msqa5pRAdkAHCaOcQPPDyhjf5ygQ29qsLDTlD4-EQ36oi3E6hTTmoe-YUkn9K7DyHJk95hmt_6SiiLKF3VK9Qa_ukrz3Pc/s320/SkypeTap_overview.png" alt="" id="BLOGGER_PHOTO_ID_5375070727311015650" border="0" /></a><br /><br />Complete article and technical details from Megapanzer's website:<br /><h2 face="trebuchet ms" style="font-weight: normal;"><a href="http://www.megapanzer.com/"><span><span style="font-size:100%;">From 
http://www.megapanzer.com/</span></span></a></h2>Ronhttp://www.blogger.com/profile/17182153958235614709noreply@blogger.com0tag:blogger.com,1999:blog-3736242421676235123.post-88537529443062660102009-08-24T15:42:00.001-07:002009-08-24T16:58:16.110-07:00The day my box almost got 0wn3d by Chinese boxes<p class="MsoNormal"><b><span style="font-size:13pt;">L</span></b><span style="font-size:13pt;">ast month, I moved to a new apartment and decided to hook up high-speed cable Internet from Comcast (as openly documented on this very same blog) as my primary connection to the world wide weird. This was July 15 and I was working at home that day.</span><br /><span style="font-size:13pt;"><br />With no router or switch at hand yet, my Sony Vaio VGN-BZ560 laptop was connected directly to Comcast's modem, getting a dynamic public IP address from time to time. Something exciting happened right in front of my eyes as my Symantec Endpoint Protection software started displaying notification windows, reporting a couple of Intrusion Prevention log entries. 
I immediately accessed the Client Management Logs - Security Log feature of Symantec's Endpoint Protection and here's what I found:</span></p> <p class="MsoNormal"><span style="font-family:Courier;font-size:13pt;">[SID: 20081] MS SQL Stack BO detected.<br />Traffic has been blocked from this application: C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe</span></p> <p class="MsoNormal"><span style="font-family:Courier;font-size:13pt;">Traffic from IP address 58.51.89.122 is blocked from 7/15/2009 1:33:12 PM to 7/15/2009 1:43:12 PM.</span></p> <p class="MsoNormal"><span style="font-family:Courier;font-size:13pt;">Active Response that started at 07/15/2009 13:33:12 is disengaged. 
The traffic from IP address 58.51.89.122 was blocked for 600 second(s).</span></p> <p class="MsoNormal"><span style="font-size:13pt;">I immediately launched Wireshark to capture on the network interface, then went into Symantec Endpoint Protection's Client Management - Security Logs, and it turns out the attack had been going on since 5 AM PST that morning!</span></p> <p class="MsoNormal"><span style="font-size:13pt;">Here are the logs of the first attempt:</span></p> <p class="MsoNormal"><span style="font-family:Courier;font-size:13pt;">[SID: 20081] MS SQL Stack BO detected.<br />Traffic has been blocked from this application: C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe</span></p> <p class="MsoNormal"><span style="font-family:Courier;font-size:13pt;">Traffic from IP address 218.23.37.51 is blocked from 7/15/2009 5:48:38 AM to 7/15/2009 5:58:38 AM.</span></p> <p class="MsoNormal"><span style="font-size:13pt;">The logical thing for me to do was to trace where these IP addresses were coming from. So I made a few back traces using my VisualRoute tool and surprise! Surprise! 
Yes, the IP addresses are all from China.</span></p> <p class="MsoNormal"><span style="font-size:13pt;">The source IPs are all from China, if the back trace is reporting it correctly and these attackers are not using some mechanism to hide their real location; or they are probably just a bunch of compromised boxes or botnets serving their master somewhere here in the States. But my gut keeps telling me that these are really coming from China.</span></p> <p class="MsoNormal"><span style="font-size:13pt;color:black;">My Sony Vaio laptop is running Windows XP SP3. Installed on it is Microsoft Office 2007, with Microsoft SQL Server 2005 pre-installed, which, based on the Symantec Endpoint Protection Security Logs, is the entry point for this attack.</span></p> <p class="MsoNormal"><span style="font-size:13pt;">I was sure that my MS SQL Server 2005 service was not running in the background as a Service on my laptop; it turns out that our new customer network connectivity troubleshooting tool, PathView by Apparent Networks, is using a local SQL Server service on my laptop as well. 
By virtue of logic, I believe this application opened another way in for this MS SQL based vulnerability.</span></p> <p class="MsoNormal"><span style="font-size:13pt;">Below are actual screenshots taken while the attack was occurring:</span></p><p class="MsoNormal">(Click on the images to enlarge them)</p> <p class="MsoNormal"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8sjrFgT_YFbgqfn_GWUtcZ1JXg7B3fJHIM7khjpJg9DP79lBk349xQgEeG1nB6Hej0bQLb0NhW9mhyZLzmmKxMeH9-m7Ph4ABsg6JAApKe3vegOAVNMrS2hyphenhyphenX9qFFmLAxSv3XMuEZolk/s1600-h/Ron+Client+Management+Security+Log+Screenshot.jpg"><img style="cursor: pointer; width: 400px; height: 336px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8sjrFgT_YFbgqfn_GWUtcZ1JXg7B3fJHIM7khjpJg9DP79lBk349xQgEeG1nB6Hej0bQLb0NhW9mhyZLzmmKxMeH9-m7Ph4ABsg6JAApKe3vegOAVNMrS2hyphenhyphenX9qFFmLAxSv3XMuEZolk/s400/Ron+Client+Management+Security+Log+Screenshot.jpg" alt="" id="BLOGGER_PHOTO_ID_5373680459111436786" border="0" /></a></p><p class="MsoNormal">Symantec Endpoint Protection Client Management Logs - Security Logs</p><p class="MsoNormal"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiFr2zs2MqHJUOnMP0Oa7hf2iwsAsCABO7Tpj_iQNMKldfw6JDI8MF6Sorc3sDYD7JG0STK2fp-s1CErI2syxTvWvQMy127s3Xao152_sn6YqwtI-lhC2HgHsZB0vI4nl-I4krrKTfO1o/s1600-h/SQL+Server+PathView+Windows+Local+Service.jpg"><img style="cursor: pointer; width: 320px; height: 89px;" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiFr2zs2MqHJUOnMP0Oa7hf2iwsAsCABO7Tpj_iQNMKldfw6JDI8MF6Sorc3sDYD7JG0STK2fp-s1CErI2syxTvWvQMy127s3Xao152_sn6YqwtI-lhC2HgHsZB0vI4nl-I4krrKTfO1o/s320/SQL+Server+PathView+Windows+Local+Service.jpg" alt="" id="BLOGGER_PHOTO_ID_5373680936943944290" border="0" /></a></p><p class="MsoNormal">PathView SQL Server running as a Local Service</p><p class="MsoNormal"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinYky0PMd0dcD_W-ql1AWr0i-Y0noQwV0Iz9sQD_zl7SMLPRASwr66Q6EvpPVO1ZtkyNgSzgu4uwc9_AuuNdYPJvR1aOmkoNTQljKW4Xd-brqsGEm9vfN3QrBQKKhyX32pUEp-bBtZ7BQ/s1600-h/Actual+Wireshark+Capture+during+the+attack.jpg"><img style="cursor: pointer; width: 320px; height: 173px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinYky0PMd0dcD_W-ql1AWr0i-Y0noQwV0Iz9sQD_zl7SMLPRASwr66Q6EvpPVO1ZtkyNgSzgu4uwc9_AuuNdYPJvR1aOmkoNTQljKW4Xd-brqsGEm9vfN3QrBQKKhyX32pUEp-bBtZ7BQ/s320/Actual+Wireshark+Capture+during+the+attack.jpg" alt="" id="BLOGGER_PHOTO_ID_5373681494668725090" border="0" /></a></p><p class="MsoNormal">Wireshark capture while the attack was happening<br /></p><p class="MsoNormal"><span style="font-size:13pt;">Let me know if you guys need a copy of the actual Wireshark capture (.pcap file) for analysis; I have no problem sending it out.</span></p><p class="MsoNormal"><span style="font-size:13pt;">So what have I learned from this? Always double-check what applications are pre-installed on a new machine, and ensure that unnecessary services are not running in the background. 
This happened to me because I got lazy when the new Sony Vaio was handed over to me from work and I did not bother hacking into it like I usually do with my personal machines.</span></p><p class="MsoNormal"><span style="font-size:13pt;">Peace out and spread the word.<br /></span></p>Ronhttp://www.blogger.com/profile/17182153958235614709noreply@blogger.com0tag:blogger.com,1999:blog-3736242421676235123.post-71728649259755836822009-07-13T23:13:00.000-07:002009-07-13T23:33:25.961-07:00The madness stopped on the 4th day: My Comcast Hell<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://tbn0.google.com/images?q=tbn:ZXAQWTH1gvPHLM:http://blogs.abc.net.au/queensland/images/2009/05/20/handyman.gif"><img style="margin: 0pt 10px 10px 
0pt; float: left; cursor: pointer; width: 113px; height: 115px;" src="http://tbn0.google.com/images?q=tbn:ZXAQWTH1gvPHLM:http://blogs.abc.net.au/queensland/images/2009/05/20/handyman.gif" alt="" border="0" /></a><br /><span style="font-size:180%;"><span style="font-weight: bold;">I</span></span>t took them 4 days in total to resolve a simple physical connection problem. Turns out that my actual cable was disconnected. The apartment on the 2nd floor got disconnected from their Comcast service, so someone from Comcast Provisioning went and disconnected them. They did not even check that the connection was coming off a splitter: one feed goes to the apartment above me, one goes to my apartment. They disconnected the entire cable feed. Another epic provisioning-to-on-site-tech coordination FAIL.<br /><br />My savior on my 4th day in the fire and brimstone of zero Internet was a good-natured on-site tech guy named Tom. Tom was a classic good ol' American gentleman. He reminded me of those 1950s to 60s handymen portrayed on television. He has a cool utility belt with all the tools he needs, he has a cool mustache and beard, and sports an old-school baseball cap. He was a little bit odd with his seemingly nonsensical gibbering while tracing the coax cables from my living room all the way outside to the veranda, but one thing is for sure, he knows his craft. He knows how to pacify someone who has been deprived of their connection for days by virtue of hard work and results. Comcast Tech Support people should take a page out of Tom's book of work ethics.<br /><br />All work, less talk. No promises.Ronhttp://www.blogger.com/profile/17182153958235614709noreply@blogger.com0tag:blogger.com,1999:blog-3736242421676235123.post-38768054022621846442009-07-06T19:59:00.000-07:002009-07-06T20:12:39.869-07:00My Comcast Hell Continues....<span style="font-size:180%;"><span style="font-weight: bold;">I</span></span>t has been 3 days now and my Comcast Cable Internet is still down. 
I guess that gives me the right (and pleasure) to say that Comcast Technical Support sucks, as does the way they coordinate with their local dispatch units that handle installation and on-site troubleshooting. <br /><br />The thing is, Comcast call centers are distributed across North America and most of their on-site technicians are contractors, or even better, sub-contractors. lol. Earth to Comcast, please stop hiring and giving out contracts to clueless companies to render service to your poor customers.<br /><br />And one more thing: in case you call the Comcast Technical Support hotline, ask them to transfer you to their call center based in Tucson, Arizona, because the guys there will help you. The rest are plain stupid, newbies, too old to do technical support jobs, or just completely clueless.<br /><br />I was in a hurry to go home today so I could meet the Comcast tech guy at 6PM PST, as promised over the phone yesterday by another clueless supervisor. So around 5:45PM PST they called me and I told them to wait just 5 minutes, 8 minutes tops, because I was already on my way to my apartment, walking from the BART station.<br /><br />You know what the reply was from the guy who called me representing Comcast?<br /><br />"Sorry, but we cannot wait because we have other job orders pending today." And that was it.<br /><br />OMFG. I have been patiently waiting for the past 3 days for them to restore my Internet service, and the freakin' on-site tech guys couldn't even wait just 10 minutes for a customer who has been down for 3 days?!<br /><br />How I wish Comcast managers could read my post. 
You guys gave me a new definition of ultimate customer service FAIL.<br /><br />Have a good night, Comcast people.Ronhttp://www.blogger.com/profile/17182153958235614709noreply@blogger.com2tag:blogger.com,1999:blog-3736242421676235123.post-85297967354657887422009-07-04T15:27:00.000-07:002009-07-04T16:10:56.338-07:00Sorry Comcast, but first impression lasts!<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://middlegeek.files.wordpress.com/2007/11/evil-comcast-logo.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 452px; height: 193px;" src="http://middlegeek.files.wordpress.com/2007/11/evil-comcast-logo.jpg" alt="" border="0" /></a><br /><br /><br />So I just moved to a new apartment. The place is totally empty; I have no furniture yet except for my laptop, HD LCD and game console. That's it. My clothes are still inside my traveling bags even, and yes, I am sleeping on the carpeted floor, which reminds me of my college years.<br /><br />So what's the very first thing I worked on on my first day at the new spot? Yes, you got it, Internet. I am nothing without Internet; the rest of the bare necessities can wait.<br /><br />In reading the apartment lease form, I saw a big Comcast Cable Service Ready smack at the bottom of the document. Turns out Comcast has first dibs on the apartment complex; AT&T can't touch the area for some reason. So I immediately called the courteous guys at Comcast and in a couple of minutes a technician was already installing the Cable Internet. He brought a used modem with a big Comcast logo on it. I said fuck it, I don't mind if it's used, as long as it's working right. 
So after a few minutes, the coax cable from the wall to the back of the modem was installed, the Ethernet cable plugged in, and I politely asked the tech guy if I could hook it up to the back of my laptop already so we could test it. He said "Ok but it's not up yet, I need to call to get it provisioned, but yeah you can hook it up because I need to check on it as well."<br /><br />After hooking up the modem I immediately launched the terminal console on my Macbook to check what IP the gray box was giving me. The box was on the default gateway IP address 192.168.0.1; I immediately opened my Firefox 3.5 and headed straight to it. The modem has web-based configuration access but there was nothing we could do at that point because it still needed to be provisioned. The tech guy said "Hmm, so you know how to do this huh?" I said, yeah, only a little. This guy definitely needed to look around my empty living room, because right next to us were scattered Cisco and CISSP books, lol.<br /><br />The tech guy made a few calls on his NexTel phone, and after like 10 to 15 minutes, the modem was up and operational, the signal was good, and the firmware updated. I saw this with my own eyes. The tech guy told me to do some speed tests, so he directed me to speedtest.net. 
The site testing gave me remarkable results: 15mbps download, 3mbps upload. Destination San Jose, from my place in Union City. Perfect. He told me that's Powerboost baby, but since you are not signed up for it, you may only get something like around 8mbps down and 2mbps up. So I said, ok, it's cool, still more than sufficient for my needs. Signed the papers that service was installed and working properly, a little chit-chat, tech guy left.<br /><br />Everything was going well till the next day, when the freakin' Cable Internet went out on me. Multiple calls to their 24x7 Support Department weren't fruitful; they could not even tell remotely from their Support Contact Center if there was a problem with the line or the modem. The first tech support guy that I spoke with told me I needed to pick up a replacement modem, for free of course, but it turns out I would need to drive all the way to their office in Fremont or Hayward. Fuck that, it's freaking far. So I told them I'd rather go to Radio Shack because it's right next to my place; all I need to do is walk.<br /><br />So I asked the guys at their Technical Support Department, supervisors included, what is my assurance that once I go out and spend like 40 to 60 bucks on a cable modem and swap it, that it will fix the problem?! Their answer? NONE. If it's not a modem issue, I'm negative 60 bucks; if it's a line issue, they can only send in an on-site tech guy on Monday, because of the long weekend. WTF. 
Another epic FAIL in customer service.<br /><br />So I made a call again to their Support Department the next day, the 2nd day of my outage, made a plea of my case, and finally, they told me they will send a tech guy on-site to check on the modem. The tech guy will bring a modem so he can swap it out. So I said yes, finally progress, and a sign of true customer service. But turns out there was a catch to it. If it turns out to be a line problem, cable problem, etc., or anything aside from the modem being the source of the problem, they will charge me $46.00+ for the on-site service. Wow. The rabbit hole gets deeper. But the courteous tech support lady told me I can avoid the service charge if I sign up for the 99 cents monthly service fee to cover such similar issues. Wow, another can of crap opened right in front of me. I politely replied to the support lady that I will not sign up, just send someone out for heaven's sake, I just signed up for your service, and it's already out the next day. Do me a favor please.<br /><br />So here I am, typing this blog, spilling my guts out in disgust at their service, at Starbucks so I can be online; it's $3.99 plus tax for 2 hours by the way. They told me to wait for the call somewhere between 1PM to 5PM PST. They will call me on my mobile phone before they drop by. So I said, fuck it, I'll give them another chance, or not.<br /><br />It's almost 4:15PM PST; assuming they come and fix the problem today, what I am going to do is call first thing on Monday and cancel the service. I am switching to AT&T's DSL and telephone line service instead.<br /><br />Ah, revenge, so sweet I can almost taste it. 
Sorry Comcast, but first impression lasts!Ronhttp://www.blogger.com/profile/17182153958235614709noreply@blogger.com0tag:blogger.com,1999:blog-3736242421676235123.post-23339151129498881392009-06-18T23:33:00.000-07:002009-06-19T11:38:58.070-07:00Upgrade yourself @ 30 years old<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://farm4.static.flickr.com/3412/3556332444_793777d98a.jpg?v=0"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 500px; height: 333px;" src="http://farm4.static.flickr.com/3412/3556332444_793777d98a.jpg?v=0" alt="" border="0" /></a><br /><br /><span class="Apple-style-span" style="font-size:x-large;"><b>I</b></span> am 30 years old and honestly I feel more fit than I was like 5 to 6 years ago. I think I am in the best shape of my life, both physically and mentally. <div><br /></div><div>I grapple, I wrestle, I box, I jog, I ride skateboards, I read a lot of networking, programming, and quantum physics books, all in a span of 7 days. Could it be possible that my physical and mental being has improved despite aging? I could never do all this 5 to 6 years ago; I got tired easily, and my patience for reading and digesting complex concepts was absolutely horrible. Now, I can read a book for the first time and absorb its content without going back to it and reading it again. I never even imagined I could learn to write code! Now, I am creating my own Cisco IOS simulator using Python and thinking of porting it as a Java Applet.</div><div><br /></div><div>Whatever it is I'm doing, I am sticking to it. I think it's my positive outlook on all things in life that is helping me a lot. 
</div><div><br /></div><div>Dreaming while awake, of things I want to accomplish and acquire, is also helping me push harder to achieve them. A man without a dream will never reach his potential. </div><div><br /></div><div>Good thing it's Friday, I can now work on my Fakie 180 Ollies; hell, there's even a 4-set of stairs in a park nearby that I am trying to ollie. The young kids, around 15 to 18 years old, who skate at that park can easily ollie and kickflip that 4-set of stairs without breaking a sweat. If they can do it, I can do it. I will even do it better, in style; style comes with age :-)</div>Ronhttp://www.blogger.com/profile/17182153958235614709noreply@blogger.com0tag:blogger.com,1999:blog-3736242421676235123.post-13295305491815199162009-06-14T02:19:00.000-07:002009-06-14T03:19:50.020-07:00Multi-Factor Authentication FTW!<b><span class="Apple-style-span" style="font-size:x-large;">T</span></b>wo-factor authentication is old-school now; it has served its purpose in the past. Banking institutions that offer on-line banking to their customers should think beyond two factors: why not make it multi-factor authentication? <div><br /></div><div>The current safeguards, standards, policies and other techniques to mitigate on-line banking fraud cannot keep up with the meteoric rise of tools to commit fraud. A simple kid struck by the hacking curiosity phenomenon (thanks to Hollywood of course) can easily just search Google for the keywords "hacking tools download" and voila, links upon links to where to download them and how to use them. 
In the past, one needed to understand how to write code and navigate the command line interface; today, it's the age of point-and-click cracking. Thank goodness for that rich, easy-to-use graphical user interface.</div><div><br /></div><div>As security expert Bruce Schneier recommended, banking institutions should focus on authenticating the transaction itself and not the identity of the individual. Identity information theft is so easy to accomplish nowadays. Crackers owe MySpace, Friendster, FaceBook and LinkedIn a lot. No need to do some serious underground data mining work; almost all personal and private information is tucked inside social networking website user profiles. You will be amazed at the high number of people setting their profile to public, exposing all their family pictures and personal information to the world wide weird.</div><div><br /></div><div>Focusing on authenticating the actual on-line bank transaction is indeed a better way of controlling fraud. </div><div><br /></div><div>Below is a sample multi-factor authentication process that banking institutions can utilize:</div><div><br /></div><div>1. Bank provides a secure login page for customer username, account number and password input.</div><div>2. 
The bank server records the source public IP address and the computer OS and/or MAC address of the transaction (which I am calling the "on-line transaction signature"), logs the transaction attempt, and checks it against that account owner's database of logins to see whether this IP address and the rest of the transaction signature have been used in the past.</div><div>3. If the public IP address is not listed, or the computer OS signature and/or MAC address does not match or is not in the database for that account owner, this triggers an alert to the Bank Customer Support Anti-Fraud Agents, who call the customer on his listed telephone numbers for transaction verification.</div><div>4. If the customer cannot be reached, the transaction is denied by default. </div><div>5. If the bank agent is able to contact the customer, the Bank Customer Support Anti-Fraud Agent asks the customer a series of challenge questions to verify the customer's identity.</div><div>6. As the customer answers the challenge questions, voice recognition software runs in the background of the bank agent's telephone and analyzes the voice signature of the customer. The voice signature software is the safeguard against impersonation attempts.</div><div>7. If the customer provides correct answers to the challenge questions and passes the voice signature match, the customer is authenticated and authorized and the transaction is allowed.</div><div>8. All transaction logs, denied or authenticated, are stored on a secure server and mirrored on a hot-site server.</div><div><br /></div><div>Although possible, it will be very difficult even for the smartest social engineer to get through this multi-step authentication. 
It will make them think twice because of the tedious process. I know many of you will react that this makes on-line banking tedious, which basically defeats the purpose of on-line banking, but I'd rather spend a couple of extra minutes doing secure on-line banking than opt for the fast method that opens the process to a lot of back doors for evil-doers to come in.</div><div><br /></div><div>Bank institutions should go above and beyond in protecting the investments of their depositors. They should invest serious money in research and development of the latest technology in transport layer security, cryptography and other safeguard mechanisms, as well as in improving standard policies and procedures. They should be liable for every on-line transaction fraud that involves one of their accounts, not the depositors, because they should have complete control of any transaction that involves their network. All money matters should be taken seriously, no matter how small the amount. This multi-factor authentication is one serious approach to curb the rise of on-line bank transaction fraud.</div><div><br /></div>Ronhttp://www.blogger.com/profile/17182153958235614709noreply@blogger.com0
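<div>The server-side part of the process above (the "transaction signature" check of steps 2 and 3, the default-deny of step 4, the allow-only-on-full-verification of step 7, and the audit log of step 8) as an added Python example that is not the post's own code. It assumes an in-memory store, and that the server can only observe the client's public IP and an OS hint such as the User-Agent string, since a MAC address never crosses the Internet; the function names and sample IPs are constructed for the example.</div>

```python
# Risk-based login check modelled on the post's steps 2-4, 7 and 8 (added example,
# not the post's own code). Assumption: a server only sees the client's public IP
# and an OS hint (e.g. User-Agent); the MAC address never crosses the Internet.
from dataclasses import dataclass, field

ALLOW, DENY, VERIFY_OUT_OF_BAND = "ALLOW", "DENY", "VERIFY_OUT_OF_BAND"


@dataclass(frozen=True)          # frozen => hashable, so it can live in a set
class Signature:
    ip: str                      # source public IP address (step 2)
    os_fingerprint: str          # OS string the server observed (step 2)


@dataclass
class AccountHistory:
    known: set = field(default_factory=set)        # signatures verified before
    audit_log: list = field(default_factory=list)  # step 8: every attempt


def check_signature(history: AccountHistory, sig: Signature) -> str:
    """Steps 2-3: a known signature proceeds; an unseen one needs a callback."""
    decision = ALLOW if sig in history.known else VERIFY_OUT_OF_BAND
    history.audit_log.append((sig, decision))
    return decision


def resolve_callback(history, sig, reached, answers_ok, voice_match) -> str:
    """Steps 4-7: deny by default; allow only when every out-of-band check
    passes, and only then enroll the signature as known for future logins."""
    if reached and answers_ok and voice_match:
        history.known.add(sig)
        decision = ALLOW
    else:
        decision = DENY  # unreachable, wrong answers, or voice mismatch
    history.audit_log.append((sig, decision))
    return decision


def run_demo() -> tuple:
    """Constructed sample data, not real customer records."""
    hist = AccountHistory(known={Signature("203.0.113.10", "Windows NT 6.0")})
    home = Signature("203.0.113.10", "Windows NT 6.0")
    cafe = Signature("198.51.100.7", "Mac OS X 10.5")
    out = [check_signature(hist, home)]                     # ALLOW: seen before
    out.append(check_signature(hist, cafe))                 # VERIFY: new IP and OS
    out.append(resolve_callback(hist, cafe, False, False, False))  # DENY: unreachable
    out.append(resolve_callback(hist, cafe, True, True, True))     # ALLOW + enrolled
    out.append(check_signature(hist, cafe))                 # ALLOW: now known
    return out, len(hist.audit_log)
```

<div>Note that a signature only becomes "known" after the callback succeeds, so a fraudster who knows the victim's password still lands in the callback path every time from an unrecognized machine.</div>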
