Friday, March 30, 2007

Goodbye IT World !

Today I am leaving the IT world and entering another field.

Many great things have come to me in the IT world, and I have also enjoyed great relationships with many friends during my days in it. But things change, and I am going to pursue other things outside the IT world.

I will be entering "silent" mode in blogging. You may not see new blog entries from me. I will try my best to write an entry whenever I can.

I wish you all the best of luck and have a great life.

Wednesday, March 28, 2007

When You Believe

Many nights we've prayed
With no proof anyone could hear
In our hearts a hopeful song
We barely understood

Now we are not afraid
Although we know there's much to fear
We were moving mountains long
Before we knew we could

There can be miracles, when you believe
Though hope is frail, it's hard to kill
Who knows what miracles you can achieve
When you believe, somehow you will
You will when you believe

In this time of fear
When prayers so often prove in vain
Hope seems like the summer birds
So swiftly flown away

Yet now I'm standing here
My heart's so full I can't explain
Seeking faith and speaking words
I never thought I'd say

There can be miracles, when you believe
Though hope is frail, it's hard to kill
Who knows what miracles you can achieve
When you believe, somehow you will
You will when you believe

They don't always happen when you ask
(Oh)
And it's easy to give in to your fears
(Oh...Ohhhh)
But when you're blinded by your pain
Can't see your way straight through the rain
Small but still, resilient voice
Says love is very near
(Ohhh)

There can be miracles
(Miracles)
When you believe
(Lord, when you believe)
Though hope is frail
(Though hope is frail)
It's hard to kill
(Hard to kill, Ohhh)
Who knows what miracles you can achieve
When you believe, somehow you will (somehow, somehow)
somehow you will
You will when you believe

You will when you believe
You will when you believe
Just believe...just believe
You will when you believe

Source : When You Believe - Mariah Carey & Whitney Houston

I Will Win, I Will Lose

In the dreams I dreamed as a child
I lived my life as a king
My days were filled with sunshine
And there was never any pain

I will win, I will lose
I will live my life
I will have to make my way on my own
I will win, I will lose
I will create my own path
I will play the game of life

I've had brief moments of joy
Endless moments of boredom
I've had days full of sunshine
I know what pain is...

I will win, I will lose
I will live my life
I will know how to continue on my own
I will win, I will lose
Now I know my path
But I'll play the game of life on my own

A king, I will certainly not be
And yet, I'll live...

I will win, I will lose
I will have light and shadow
But alone I'll have to go on
I will win, I will lose
My life will be
like a long journey to make

I will win, I will lose
I will live my life
I will have to make my way on my own
I will win, I will lose
Now I know my path...
I will win, I will lose
I will play the game...
I will win, I will lose
But alone...

from :
MARIO FRANGOULIS
Vincerò, Perderò
Lyrics: Luisa Zappa Branduardi
Music: Steve Wood

Monday, March 26, 2007

Upgrading TrueCrypt

On March 19, 2007, TrueCrypt version 4.3 was released. There are many new features, improvements and bug fixes in this release, so I think it is time to upgrade my installation.

I downloaded the TrueCrypt package, but they only provide one for the OpenSUSE 10.2 system. Last time I used the RPM version it complained about a kernel mismatch, but this time it didn't complain.

Unfortunately, I already have TrueCrypt installed from the source package, so I need to remove that first before installing the newer version. To make matters worse, the TrueCrypt package doesn't come with an uninstaller, so I had to read the installer script and reverse the installation process to create an uninstallation script. This uninstallation script is very simple : it removes the three files that the installation script installed.

Without further talk, you can download the uninstaller script here.

To remove a previous TrueCrypt that you compiled yourself, just type the following command :

# ./remove-truecrypt.sh

And you're done.

Computer Virtualization in Java

Researchers at Oxford have built an x86 emulator that runs purely on Java, making it ideal for security researchers who want to analyze and archive viruses, host honeypots and defend themselves against buggy or malicious software without hosing their machines. The JPC also emulates a host of other environments, giving technophiles the ability to play Asteroids and other software that's sat on shelves for years collecting dust.

Here are several key features of JPC :
  • Cross-Platform
JPC is completely implemented in Java, so it works seamlessly across all major computing platforms, including Windows, Linux and MacOS. JPC even works on non-x86 based hardware like ARM and SPARC.
  • Secure
JPC comes with the assured security of being run entirely within the Java sandbox. This means that the emulated hardware is completely isolated from the underlying hardware and cannot damage or interfere with it in any way.
  • Flexible
With JPC, you have complete configuration control with virtual peripherals and software libraries. And if you mess up, you only mess up your virtual PC. Just delete your disk images and start again.

Tuesday, March 20, 2007

Was President SBY's Website "Hacked"?

I learned about the "hacking" of President SBY's website from a private television station on Saturday, March 17, 2007. I got the information from the running newsline, titled "Situs Presiden SBY di-hack" (President SBY's website hacked). Detik has also run this story under the headline "Situs Presiden SBY Dibobol" (President SBY's Website Hacked).

I then asked several colleagues whether this report was true, and they confirmed it, but they also explained that what was broken into was not the server hosting President SBY's website; rather, the attacker managed to get into the server management system and change the IP address information for President SBY's website, so that when we access the site we are redirected to another site.

For example, suppose the IP address of President SBY's website (www.presidensby.info) should be 111.222.111.222, but the attacker redirected it to 222.111.222.111. Then when we access the site using the address www.presidensby.info, we are directed to 222.111.222.111 instead of 111.222.111.222.

This was also confirmed by the coordinator of the President's website team, Anjar Ari Nugroho, in the Detik story "Situs SBY Bobol Bukan Karena Masalah di Server" (SBY's Site Hacked Not Because of a Server Problem).

Here are several conclusions I can draw (they may be wrong, since I know neither the security architecture of President SBY's website nor the full story of this incident) :
  • the web server hosting President SBY's website was NOT COMPROMISED
  • the DNS server handling www.presidensby.info was also NOT COMPROMISED
  • the perpetrator changed the IP address information for www.presidensby.info so that it pointed to another address he had set up beforehand.
In my opinion the perpetrator seems to have had good knowledge, which allowed him to find the weak point of the site.

This incident reminds me of a slogan in the IT security world : security is as strong as the weakest link; the security of a system is only as strong as its weakest chain link.
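As an added example (not from the original post), here is a small client-side monitor that re-resolves the site's name and flags an answer that differs from the expected address; it uses the two constructed addresses from the post, and the resolver is passed in as a parameter so the check can be exercised offline:

```python
"""Client-side check that a hostname still resolves to its expected address.

Added example, not part of the original post. The hostname and the two
addresses are the constructed sample values used in the post; a resolver
callable is injected so the check can run offline against fixed answers.
"""
import socket
from typing import Callable, Dict, Set, Tuple

Resolver = Callable[[str], Set[str]]

# Expected A records per monitored hostname (constructed sample from the post).
EXPECTED: Dict[str, Set[str]] = {
    "www.presidensby.info": {"111.222.111.222"},
}


def resolve_ipv4(hostname: str) -> Set[str]:
    """Ask the system resolver for every IPv4 address of hostname."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return {sockaddr[0] for _, _, _, _, sockaddr in infos}


def check_host(hostname: str, expected: Set[str],
               resolver: Resolver = resolve_ipv4) -> Tuple[str, Set[str]]:
    """Compare the live answer with the expected address set.

    Returns (status, addresses) where status is:
      "ok"      - every returned address is expected
      "changed" - at least one returned address is not expected
                  (addresses = the unexpected ones)
      "error"   - resolution failed (addresses = {error text})
    A changed answer is what a visitor sees whether the record was altered
    on the DNS server itself or through a hosting/registrar management panel,
    so this check does not depend on knowing which link was the weak one.
    """
    try:
        observed = resolver(hostname)
    except OSError as exc:            # socket.gaierror is a subclass of OSError
        return "error", {str(exc)}
    unexpected = observed - expected
    if unexpected:
        return "changed", unexpected
    return "ok", set()


def check_all(expected: Dict[str, Set[str]],
              resolver: Resolver = resolve_ipv4) -> Dict[str, Tuple[str, Set[str]]]:
    """Run check_host over every monitored name; suitable for a periodic job."""
    return {name: check_host(name, ips, resolver) for name, ips in expected.items()}


if __name__ == "__main__":
    for name, (status, addrs) in check_all(EXPECTED).items():
        print(f"{name}: {status} {sorted(addrs)}")
```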

Intrusion Detection RFCs

There are now three RFCs regarding Intrusion Detection :

Thursday, March 15, 2007

Upgrading to PHP 5.2.x

I had been planning to upgrade my PHP to version 5.2.1 for several weeks, but I couldn't find the spare time to do it until last night.

I upgraded the following packages (libedit is a new install) :

# rpm -Uvh php5-5.2.1-15.1.i586.rpm apache2-mod_php5-5.2.1-15.1.i586.rpm php5-gd-5.2.1-15.1.i586.rpm php5-mysql-5.2.1-15.1.i586.rpm php5-zlib-5.2.1-15.1.i586.rpm php5-pdo-5.2.1-15.2.i586.rpm php5-fastcgi-5.2.1-15.2.i586.rpm libedit-2.10.snap20061228-6.1.i586.rpm

After successfully upgrading those packages, I started my Apache web server :
# rcapache2 start


Then I launched my browser and accessed the test file (index.php). It contains only a phpinfo() call.

Unfortunately, I could only see a blank page.

I checked the error log and the access log, but I couldn't find any error messages.

Next I checked the PHP configuration (/etc/php5/apache/php.ini).

After looking through about 11% of the configuration file, I found the cause of this error. It looks like the new configuration turns off short_open_tag.


There are two things that I can do to fix this :

- I can turn on the short_open_tag config by setting :

short_open_tag = On

or

- I can change my PHP code to use the recommended open tag ("<?php") instead of the short one ("<?").
After editing my PHP code, I restarted the Apache server :

# rcapache2 restart

And now here is my PHP test page :


BTW, I just learned that this version comes with Suhosin. Yihaaa.
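As an added example (not part of the original post), here is a scanner that finds the short tags that stop working when short_open_tag is Off, rewrites them to the full <?php form, and reads the directive's value from php.ini text; the sample source and ini fragment are constructed:

```python
"""Find and rewrite PHP short open tags that break when short_open_tag=Off.

Added example, not part of the original post. Scans PHP source text for
"<?" and "<?=" (the tags PHP 5.2 only honours with short_open_tag=On),
reports them, and rewrites them to the full "<?php" form. The sample
source and php.ini fragment used in the tests are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# "<?" not followed by "php" or "xml"; group 1 captures the "=" of "<?=".
SHORT_TAG = re.compile(r"<\?(?!php\b)(?!xml\b)(=?)", re.IGNORECASE)


@dataclass(frozen=True)
class ShortTag:
    line: int   # 1-based line number
    col: int    # 1-based column
    tag: str    # "<?" or "<?="


def find_short_tags(source: str) -> List[ShortTag]:
    """List every short open tag; plain text scan, strings/comments are not parsed."""
    hits = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for m in SHORT_TAG.finditer(text):
            hits.append(ShortTag(lineno, m.start() + 1, "<?" + m.group(1)))
    return hits


def _full_tag(m: re.Match) -> str:
    """Replacement callback: keep existing whitespace, add one space if missing."""
    nxt = m.string[m.end():m.end() + 1]
    pad = "" if nxt.isspace() else " "
    return ("<?php echo" if m.group(1) else "<?php") + pad


def rewrite_short_tags(source: str) -> str:
    """Rewrite "<? code" to "<?php code" and "<?= expr" to "<?php echo expr"."""
    return SHORT_TAG.sub(_full_tag, source)


def short_open_tag_enabled(ini_text: str) -> Optional[bool]:
    """Read short_open_tag from php.ini text; None if the directive is absent."""
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts an ini comment
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() == "short_open_tag":
            return value.strip('"').lower() in ("on", "1", "true", "yes")
    return None


if __name__ == "__main__":
    sample = "<? phpinfo(); ?>\n<?= $title ?>\n<?php echo 'ok'; ?>\n"
    for hit in find_short_tags(sample):
        print(f"line {hit.line} col {hit.col}: {hit.tag}")
    print(rewrite_short_tags(sample))
```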

Paper : Case of Mistaken Identity

University of Washington researchers Kris Erickson and Philip Howard have an interesting new paper out, "A Case of Mistaken Identity? News Accounts of Hacker and Organizational Responsibility for Compromised Digital Records, 1980–2006." This is a great survey of the dramatic explosion in reports of breaches. A couple of great quotes:
One important outcome of the legislation is improved information about the types of security breaches. Many of the news stories between 1984 and 2004 report paltry details, with sources being off the record and vague estimates of the severity of the security breach. Since mandatory reporting legislation in many states, most news coverage provides more substantive details. In 2006, only 10 of the 257 news stories were unable to make some attribution of responsibility for a security breach. (Emphasis added.)

Tuesday, March 13, 2007

Running A Linux System on A Windows Machine

If you want to run a Linux system on the Windows platform but don't want to deal with partitioning and formatting the hard disk, fortunately you can do so with QEMU.


Here is the official information about QEMU :

QEMU is a generic and open source machine emulator and virtualizer.

When used as a machine emulator, QEMU can run OSes and programs made for one machine (e.g. an ARM board) on a different machine (e.g. your own PC). By using dynamic translation, it achieves very good performances.

When used as a virtualizer, QEMU achieves near native performances by executing the guest code directly on the host CPU. A host driver called the QEMU accelerator (also known as KQEMU) is needed in this case. The virtualizer mode requires that both the host and guest machine use x86 compatible processors.

Interested ?

If yes, just download the QEMU package for Windows. As of today, the latest version is 0.9.0.

After successfully downloading the package, just extract it to a drive (C, D, or whatever you like) and it will create a folder automatically.

Next you need a Linux system in ISO format. The above package already includes a small Linux system. To test it, just run qemu-win.bat from the command line. I leave the procedure for this as an exercise for the reader. :D

In this post, I am going to use the Network Security Toolkit ISO image in QEMU. You can use another Linux system if you want.

Here are the steps to boot the NST ISO from QEMU :
  • Store the Linux image file in the same folder as QEMU. This is only for ease of use. :D
  • Edit the qemu-win.bat file to the following :
  • Run the qemu-win.bat file by typing :
qemu-win
  • It will then display the following :

We've managed to run a Linux system on Windows.

Happy QEMU-ing.

BlackHat DC 2007 Presentations

Friday, March 09, 2007

Pictures from Information Security Awareness Day 2007

I've uploaded several pictures taken by Pak Marsel during the Information Security Awareness Day (March 7, 2007) at BPPT building.

You can view the pictures here.

Enjoy the view.

Hardware-based rootkit detection proven unreliable

From ZDNet :

For years, we've been convinced by companies like Komoku and BBN Technologies that hardware-based RAM acquisition is the most reliable and secure way to sniff out the presence of a sophisticated rootkit on a compromised machine.

Joanna Rutkowska, a security researcher at COSEINC Malware Labs, an elite hacker who specializes in offensive rootkit research, has found several ways to manipulate the results given to hardware-based solutions (PCI cards or FireWire bus).

At this year's Black Hat DC conference, Rutkowska demonstrated three different attacks against AMD64 based systems, showing how the image of volatile memory (RAM) can be made different from the real contents of the physical memory as seen by the CPU.
You can find out more about this in Rutkowska's presentation slides.

Thursday, March 08, 2007

Experiment Computer Networking using Netkit

Yesterday, a friend of mine who goes by the name "Olyx" informed me about a cool networking tool called Netkit. At that time he didn't give much information about it; he just told me about Netkit.

After arriving home from a meeting, I read the Netkit introduction document. Finally, I figured out that Netkit is a tool for creating computer networking environments. Netkit uses User Mode Linux.

With Netkit we can set up and experiment with routers, switches, computers, etc. We can create a computer networking lab at low cost and with little effort. There is no longer any reason you can't learn computer networking because of the price.

If you are interested in Netkit, just download the following :
- Introduction slide
- Tutorial slide
- Netkit packages :
- Basic Topics slides (single host, two hosts, static routing)
- Application Level Topics slides (DNS and Email)

Tuesday, March 06, 2007

Vista Research Papers

Symantec has released the first three of six technical research papers evaluating Windows Vista security components.

The research papers cover a range of Vista security mechanisms in-depth, from its Address Space Layout Randomization (ASLR) technology designed to thwart heap overflows and certain malware attack methods, to buffer overflow protection in Vista's Visual Studio C++ compiler and an evaluation of how well legacy malware works on Vista's OS.

The first paper is designed for technical managers and other IT professionals who want to understand the effectiveness of Windows Vista’s new security technologies. This paper will be valuable to decision makers who need to get a practical understanding of Windows Vista’s true security posture.

Threats from Within

From DarkReading :

Enterprises are leaking an increasing amount of data from the inside, and they aren't sure what to do about it.

Those are the conclusions of two new studies -- one from the Ponemon Institute and one from Enterprise Strategy Group -- being published today. Both of the reports suggest that enterprises should be shifting their security attention from the outside to the inside.

The new Enterprise Strategy Group report found that one third of the enterprises surveyed had experienced a loss of sensitive data in the last 12 months, while another 11 percent were unsure whether a breach occurred.

According to the new Ponemon study, nearly 60 percent of U.S.-based businesses and government agencies believe they are unable to effectively assess or quantify insider threat risks within their organizations, leaving them open to privacy breaches, failed audits, and potential fraud or misuse of data.

Ferret : A Data Seepage Tool

David Maynor from Errata Security has just released a tool called Ferret for data seepage at BlackHat DC 2007.

According to Ferret's page, data seepage is bits of benign data that people willingly broadcast to the world (as opposed to "leakage", which is data people want to hide from the world).

An example of data seepage is what happens when you power on your computer. It broadcasts to the world the list of WiFi access points you've got cached on your computer, the previous IP address you used (requested by DHCP), your NetBIOS name, your login ID, and a list of servers (via NetBIOS requests) you want connections to.

You can get Ferret here.

Friday, March 02, 2007

MOPB Has Begun

Starting from March 1, 2007, the Month of PHP Bugs has begun. Here is an excerpt about this project :
This initiative is an effort to improve the security of PHP. However we will not concentrate on problems in the PHP language that might result in insecure PHP applications, but on security vulnerabilities in the PHP core. During March 2007 old and new security vulnerabilities in the Zend Engine, the PHP core and the PHP extensions will be disclosed on a day by day basis. We will also point out necessary changes in the current vulnerability managment process used by the PHP Security Response Team.
As of today, they have released five bugs :
In PHP 4 userland code is able to overflow the internal 16bit zval reference counter by creating many references to a variable. This leads to an exploitable double dtor condition.
A deep recursion of PHP userland code will exhaust all available stack which leads to a sometimes remotely triggerable crash.
The destruction of deeply nested PHP arrays will exhaust all available stack which leads to remotely triggerable crashes.
During unserialisation of user supplied data that contains a lot of references to a variable the internal 16bit zval reference counter can overflow. This leads to an exploitable double dtor condition.
Deserialisation of malformed PHP arrays from within unserialize() might result in a tight endless loop exhausting CPU resources on 64bit systems.

Kind readers, please fasten your seatbelt during this month, especially if you are using PHP.

Thursday, March 01, 2007

Learning Security using DamnVulnerableLinux

If you want to learn security by doing the actual "hacking", there is good news for you.

Thorsten Schneider of the International Institute for Training, Assessment, and Certification (IITAC) and Secure Software Engineering (S²e) in cooperation with Kryshaam from the French Reverse Engineering Team has released Damn Vulnerable Linux (DVL).

Here is the description about DVL :

Damn Vulnerable Linux (DVL) is everything a good Linux distribution isn't. Its developers have spent hours stuffing it with broken, ill-configured, outdated, and exploitable software that makes it vulnerable to attacks. DVL isn't built to run on your desktop -- it's a learning tool for security students.

DVL is a live CD available as a 150MB ISO. It's based on the popular mini-Linux distribution Damn Small Linux (DSL), not only for its minimal size, but also for the fact that DSL uses a 2.4 kernel, which makes it easier to offer vulnerable elements that might not work under the 2.6 kernel. It contains older, easily breakable versions of Apache, MySQL, PHP, and FTP and SSH daemons, as well as several tools available to help you compile, debug, and break applications running on these services, including GCC, GDB, NASM, strace, ELF Shell, DDD, LDasm, LIDa, and more.
You will also get video tutorials on the DVL overview and the first lesson on buffer overflows, but you have to download them separately because they don't come with the distro.

At this moment the site can't be accessed; it seems that their system is experiencing technical problems.

I am looking forward to their next releases, which will include many wonderful tools such as Metasploit, and of course more tutorials would be great.

Tool to Steal Browser History

pdp has designed a new tool to steal browser history, called Noscript HScan. The interesting thing about this tool is that it doesn't need JavaScript to be turned on.

Up until now we thought that by disabling JavaScript we'd be safe. But apparently that's no longer sufficient; now we need to disable CSS too. :D

Wednesday, February 28, 2007

Open Source Web App Security

I read a blog posting by Ed Finkler "Do Open Source Devs Get Web App Security? Does Anybody?".

In it he describes disturbing statements found in the documentation of one open source content management system :

A colleague of mine who is dealing with Plone, a CMS system built atop Zope, pointed me to some rather disturbing documents in the Plone Documentation system, ones that I feel are indicative of a much larger problem in the web app dev community.

The first describes a hole (subsequently patched) in Plone that allowed users to upload arbitrary Javascript. Apparently no input or output filtering was being done. Certainly anyone familiar with XSS attacks can see the potential for stealing cookie data, but the article seems to think this is simply a spam issue.

In closing, Ed Finkler makes a blunt statement :

A web developer is not qualified to do the job if he or she does not have a good understanding of web application security concepts and techniques. Leaders of development teams must stop allowing developers who are weak on security techniques to contribute to their products, and managers need to stop hiring candidates who do not demonstrate a solid secure programming background. If they continue to do so, they demonstrate a lack of concern for the safety of their customers.

Friday, February 23, 2007

The OWASP Testing Guide v2 is now published

I just found out that OWASP has released "The OWASP Testing Guide v2" on February 10, 2007.

You can read the guide online at Testing Guide v2 Wiki or you can download it in PDF format.

Nessus 3.2 beta available for testing

Tenable has released Nessus 3.1.2 for Linux, FreeBSD and Solaris which is a beta version of the upcoming Nessus 3.2.

Nessus 3.2 contains the following new features :

- Experimental IPv6 support
- Improved bandwidth throttling
- Extended nessusd.rules to add support for ports and plugins
- New command 'nessuscmd' which lets you do a quick command-line scan
- Improved NASL engine
- Easy-update : Nessus can now update its own engine by doing /opt/nessus/sbin/nessus-update

Tenable explains more about these new features in its blog entry.

Thursday, February 22, 2007

NIST Publication on IDS and IPS technology

NIST has released a new publication (SP800-94) that covers just about everything you can think of when it comes to IDS and IPS. The report is titled "Guide to Intrusion Detection and Prevention Systems (IDPS)".

Why blurring sensitive information is a bad idea

Dheera Venkatraman has published an article describing how blurring, when used to conceal information in an image, can be undone.

In the article, he writes :

Undoubtedly you have all seen photographs of people on TV and online who have been blurred to hide faces.

For the most part this is all fine with peoples' faces as there isn't a convenient way to reverse the blur back into a photo so detailed that you can recognise the photo. So that's good if that is what you intended. However, many people also resort to blurring sensitive numbers and text. I'll illustrate why that is a BAD idea.

His suggestion for concealing information in images is simply to paint a solid color over it.

Malicious JS Could Alter DNS Settings on Routers

I just found out the following news :

Malicious JavaScript placed on web sites could be used to change DNS settings on home routers that are still using default passwords. Once the change has been made, the next time the router is rebooted, the user would be redirected to spoofed, possibly malicious web sites. Research indicates that about half of router owners have not changed the password from the default.
You can find the technical details at Symantec's site.

NIST Releases New Information Security Documents

The National Institute of Standards and Technology (NIST) has released two new information security documents.

  • NISTIR 7359, "Information Security Guide for Government Executives," is designed to "assist senior leaders in understanding how to oversee and support the development and implementation of information security programs."
  • NISTIR 7358, "Program Review for Information Security Management Assistance (PRISMA)" describes "a methodology developed by NIST for reviewing complex requirements and posture of a federal information security program."

Tuesday, February 20, 2007

Vulnerability in Snort DCE/RPC Preprocessor

I just found out about the vulnerability in Snort DCE/RPC Preprocessor. This preprocessor is vulnerable to a stack-based buffer overflow that could potentially allow attackers to execute code with the same privileges as the Snort binary.

It affects the following versions :

  • Snort 2.6.1, 2.6.1.1, and 2.6.1.2
  • Snort 2.7.0 beta 1
Recommended Actions:
  • Open-source Snort 2.6.1.x users are advised to upgrade to Snort 2.6.1.3 (or later) immediately.
  • Open-source Snort 2.7 beta users are advised to mitigate this issue by disabling the DCE/RPC preprocessor in snort.conf file. This issue will be resolved in Snort 2.7 beta 2.

Thursday, February 15, 2007

Using Snort as a simple IDS

In my previous post (Testing Snort 2.7.0 Beta 1), I described my endeavour to install Snort 2.7.0 Beta 1. After successfully installing Snort, I wanted to create a simple IDS rule and use Snort as a simple IDS.

To test Snort as an IDS, first I created a simple rule like the following :


Then I started Snort using the following command :



I opened up another Konsole and pinged localhost :


In the Snort window, I pressed Ctrl-C. Snort appears not to respond to Ctrl-C, but in fact it is waiting for the first packet.

In the other Konsole, I pinged localhost again :


In the Snort window, the display looks like the following :


You can see that Snort actually responds to our Ctrl-C press after it has received the first packet matching its rules.

From the figure above, we can see that Snort received 10 packets and it analyzed 2 (two) ICMP packets. Those packets generated 5 alerts and 5 log entries.

In the tests/ directory we can see that Snort has created two files :


And here is the alert file contents :


Our Snort has analyzed the ICMP packets according to the rule we created.
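Since the rule and the alert file in this post only survive as screenshots, here is an added example (not from the original post): an assumed local ICMP rule of the kind described, constructed Snort alert_fast output for it (one line per alert), and a parser that summarizes the alerts by protocol, SID and address pair.

```python
"""Parse Snort 2.x alert_fast lines and summarize them.

Added example, not part of the original post. EXAMPLE_RULE is an assumed
local rule of the kind the post describes; SAMPLE_ALERTS is constructed
alert_fast output matching it (five ICMP alerts from pinging localhost),
plus one TCP line to show the host:port form.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed local rule (sids from 1000000 up are reserved for local rules).
EXAMPLE_RULE = 'alert icmp any any -> any any (msg:"ICMP test"; sid:1000001; rev:1;)'

# Constructed alert_fast output.
SAMPLE_ALERTS = """\
03/15-22:41:03.104211  [**] [1:1000001:1] ICMP test [**] [Priority: 0] {ICMP} 127.0.0.1 -> 127.0.0.1
03/15-22:41:03.104250  [**] [1:1000001:1] ICMP test [**] [Priority: 0] {ICMP} 127.0.0.1 -> 127.0.0.1
03/15-22:41:04.105301  [**] [1:1000001:1] ICMP test [**] [Priority: 0] {ICMP} 127.0.0.1 -> 127.0.0.1
03/15-22:41:04.105340  [**] [1:1000001:1] ICMP test [**] [Priority: 0] {ICMP} 127.0.0.1 -> 127.0.0.1
03/15-22:41:05.106402  [**] [1:1000001:1] ICMP test [**] [Priority: 0] {ICMP} 127.0.0.1 -> 127.0.0.1
03/15-22:42:10.000001  [**] [1:1000002:1] TCP test [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:40312 -> 10.0.0.1:22
"""

# alert_fast layout: timestamp [**] [gid:sid:rev] msg [**] [Classification: ..]? [Priority: n] {PROTO} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]   # None when the rule has no classtype
    priority: int                   # 1 is most severe; 0 when unclassified
    proto: str
    src: str                        # "ip" or "ip:port" depending on protocol
    dst: str


def parse_alert_line(line: str) -> Optional[Alert]:
    """Parse one alert_fast line; None if the line is not in that format."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return Alert(
        timestamp=m["ts"], gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"], classification=m["cls"], priority=int(m["prio"]),
        proto=m["proto"], src=m["src"], dst=m["dst"],
    )


def parse_alerts(text: str) -> List[Alert]:
    """Parse every well-formed line of an alert_fast file, skipping the rest."""
    alerts = []
    for line in text.splitlines():
        alert = parse_alert_line(line)
        if alert is not None:
            alerts.append(alert)
    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, object]:
    """Counts by protocol, by rule sid and by src/dst pair: a quick triage view."""
    return {
        "total": len(alerts),
        "by_proto": dict(Counter(a.proto for a in alerts)),
        "by_sid": dict(Counter(a.sid for a in alerts)),
        "by_pair": dict(Counter((a.src, a.dst) for a in alerts)),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{key}: {value}")
```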

Monday, February 12, 2007

Secunia Releases Software Inspector

Feature Overview :

  • Detects insecure versions of applications installed
  • Verifies that all Microsoft patches are applied
  • Assists you in updating your system and applications
  • Runs through your browser. No installation or download is required.

The Secunia Software Inspector covers the most common/popular end user applications:

  • Internet browsers
  • Internet browser plugins
  • Instant messaging clients
  • Email clients
  • Media players
  • Operating systems
You can find it here.

Back from A Disaster

Several days ago, I experienced a flood disaster that lasted for days. It ruined my schedule. But thank God I am still alive and kicking.

Now I try to recover from the disaster.

Here are several things I learned from this disaster :

  • You need to be prepared for the unexpected
  • Do not depend too much on the government
  • Develop your disaster recovery plan suitable for your needs

Thursday, February 01, 2007

Information Security Awareness Day

Information Security Awareness Day will be declared on:

Date: March 07, 2007
Time: 18h30 - 21h30
Venue: Ruang Komisi Utama, Gedung II BPPT, 3rd Floor
Jl. MH. Thamrin no.8, Jakarta

Programme
18.30 – 19.00 Registration
19.00 – 19.10 Welcome address from BPPT
19.10 – 19.20 Welcome address from DepKomInfo
19.20 – 19.30 Welcome address from DeTIKNas
19.30 – 19.40 Welcome address from Lemsaneg
19.40 – 19.50 Welcome address from Polri
19.50 – 20.10 Reading and signing of the Declaration
20.20 – 20.30 Press conference
20.30 – 21.30 Dinner and closing

For further information contact Dimas at 98929053 or send an email to awarenessday@security-1st.net

Get NAT'ed IP Address Using JS in Firefox

I just read Jeremiah's posting about how to get a NAT'ed IP address using JavaScript in Firefox versions 1.5-2.0.

It works because in Firefox, JavaScript can access Java classes directly (java.net.Socket). You can try it here (copied from Jeremiah's posting) :



When I think about it and how this can be used by the bad guys, I feel very scared. One solution for this is to block JavaScript from a website. In Firefox, you can use NoScript.

Friday, January 26, 2007

Testing Snort 2.7.0 Beta 1

After reading the news on the Snort website, I grabbed the latest beta version, Snort 2.7.0 beta1.

Then I built the RPM packages from it using the following command :

$ rpmbuild --with mysql -ta snort-2.7.0.beta1.tar.gz

Next, I installed it on my system :

# rpm -Fvh rpms/RPMS/i586/snort-2.7.0.beta1-1.i586.rpm \
rpms/RPMS/i586/snort-mysql-2.7.0.beta1-1.i586.rpm

Preparing... ########################################### [100%]
1:snort warning: /etc/snort/sid-msg.map created as /etc/snort/sid-msg.map.rpmnew
warning: /etc/snort/snort.conf created as /etc/snort/snort.conf.rpmnew
########################################### [ 50%]
2:snort-mysql ########################################### [100%]

I renamed the existing conf file and the new one :

# cd /etc/snort/
# mv snort.conf snort.conf.old
# mv snort.conf.rpmnew snort.conf

I ran a self-test of the new Snort :

# snort -T -c /etc/snort/snort.conf
Running in Test mode with config file: /etc/snort/snort.conf
Running in IDS mode

--== Initializing Snort ==--
Initializing Output Plugins!
Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'lo_ADDRESS' defined, value len = 19 chars, value = 127.0.0.0/255.0.0.0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf

...

--== Initialization Complete ==--

,,_ -*> Snort! <*-
o" )~ Version 2.7.0.beta1 (Build 7) i386
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2006 Sourcefire Inc., et al.

Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.6
Preprocessor Object: SF_SSH Version 1.0
Preprocessor Object: SF_SMTP Version 1.0
Preprocessor Object: SF_DNS Version 1.0
Preprocessor Object: SF_FTPTELNET Version 1.0
Preprocessor Object: SF_DCERPC Version 1.0

Snort sucessfully loaded all rules and checked all rule chains!
Frag3 statistics:
Total Fragments: 0
Frags Reassembled: 0
Discards: 0
Memory Faults: 0
Timeouts: 0
Overlaps: 0
Anomalies: 0
Alerts: 0
FragTrackers Added: 0
FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
Frag Nodes Inserted: 0
Frag Nodes Deleted: 0
===============================================================================
Final Flow Statistics
,----[ FLOWCACHE STATS ]----------
Memcap: 10485760 Overhead Bytes 16400 used(%0.156403)/blocks (16400/1)
Overhead blocks: 1 Could Hold: (0)
IPV4 count: 0 frees: 0
low_time: 0, high_time: 0, diff: 0h:00:00s
finds: 0 reversed: 0(%0.000000)
find_success: 0 find_fail: 0
percent_success: (%0.000000) new_flows: 0
Snort exiting

I hope I have spare time to test the new preprocessors.

Testing Snort 2.6.x

I downloaded the latest Snort tarball, then created the Snort RPMs :

$ rpmbuild -tb snort-2.6.x.tar.gz --with mysql
...
Wrote: /home/tedi/rpms/RPMS/i586/snort-2.6.x-1.i586.rpm
Wrote: /home/tedi/rpms/RPMS/i586/snort-mysql-2.6.x-1.i586.rpm
...

Next, I registered to Snort community to be able to download Snort rules.

Then I extracted the rules and moved all of the files in the rules/ directory to the /etc/snort/rules directory :

# mv rules/* /etc/snort/rules/

# mv /etc/snort/rules/sid-msg.map /etc/snort/

I found out that there are two snort.conf files : the first one from the RPM package and the other one from the rules file. I wanted to check the differences between them :

$ diff /etc/snort/snort.conf /etc/snort/rules/snort.conf

2c2
< # http://www.snort.org Snort 2.6.0 config file --- > # http://www.snort.org Snort current Ruleset
5c5
< # $Id$ --- > # $Id: snort.conf,v 1.167 2006/06/09 15:14:08 mwatchinski Exp $
111c111
<> var RULE_PATH ../rules
182c182
<> dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
192c192
<> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
852c852
<> # include $RULE_PATH/virus.rules
855a856
> # include $RULE_PATH/spyware-put.rules

Most of the differences are path related (RULE_PATH, the dynamic preprocessor directory and the dynamic engine library), so whichever file you keep, check that those paths match where the RPM actually installed things. The last difference is the interesting one: the ruleset's snort.conf only references virus.rules and spyware-put.rules from commented-out include lines, so neither file is loaded unless you uncomment them.

Then I tested my Snort configuration:

# snort -T -c /etc/snort/snort.conf
Running in Test mode with config file: /etc/snort/snort.conf
Running in IDS mode

--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf

...

--== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.6.0 (Build 59) i386
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2006 Sourcefire Inc., et al.
           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.5
Preprocessor Object: SF_SMTP Version 1.0
Preprocessor Object: SF_FTPTELNET Version 1.0

Snort successfully loaded all rules and checked all rule chains!
Frag3 statistics:
Total Fragments: 0
Frags Reassembled: 0
Discards: 0
Memory Faults: 0
Timeouts: 0
Overlaps: 0
Anomalies: 0
Alerts: 0
FragTrackers Added: 0
FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
Frag Nodes Inserted: 0
Frag Nodes Deleted: 0
===============================================================================
Final Flow Statistics
,----[ FLOWCACHE STATS ]----------
Memcap: 10485760 Overhead Bytes 16400 used(%0.156403)/blocks (16400/1)
Overhead blocks: 1 Could Hold: (0)
IPV4 count: 0 frees: 0
low_time: 0, high_time: 0, diff: 0h:00:00s
finds: 0 reversed: 0(%0.000000)
find_success: 0 find_fail: 0
percent_success: (%0.000000) new_flows: 0
Snort exiting
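As an added example (my own code, not from the post and not part of Snort), here is a small checker for the bookkeeping the diff above hints at. It expands the `var` definitions in a snort.conf, then reports two things `snort -T` does not: `include` lines that point at rule files missing from disk, and rule files that are present on disk but only referenced from a commented-out include, which is exactly how virus.rules and spyware-put.rules end up silently unloaded. The sample configuration, directory layout and file names below are constructed for the demo; real installs should point `base_dir` at the directory Snort is started from, because relative includes resolve against it.

```python
"""Check which rule files a snort.conf really loads (added example, not Snort code)."""
import os
import re
import tempfile

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)")
# Optional leading '#' captures includes that are present but disabled.
INCLUDE_RE = re.compile(r"^\s*(#\s*)?include\s+(\S+)")

# Constructed sample: two live rule files, two that are only commented out.
SAMPLE_CONF = """\
var HOME_NET any
var RULE_PATH /etc/snort/rules
include classification.config
include $RULE_PATH/local.rules
include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/virus.rules
# include $RULE_PATH/spyware-put.rules
"""


def expand_vars(value, variables):
    """Replace $NAME references with the var definitions seen so far."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), value)


def parse_snort_conf(text):
    """Return (variables, active_includes, commented_includes) in file order."""
    variables, active, commented = {}, [], []
    for line in text.splitlines():
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = expand_vars(m.group(2), variables)
            continue
        m = INCLUDE_RE.match(line)
        if not m:
            continue
        target = expand_vars(m.group(2), variables)
        if m.group(1):
            # Skip prose comments such as "# include the file below".
            if "." in target:
                commented.append(target)
        else:
            active.append(target)
    return variables, active, commented


def check_includes(text, base_dir=".", exists=os.path.exists):
    """Return (missing_active, present_but_commented) as resolved paths."""
    _, active, commented = parse_snort_conf(text)

    def resolve(path):
        return path if os.path.isabs(path) else os.path.join(base_dir, path)

    missing = [resolve(p) for p in active if not exists(resolve(p))]
    dormant = [resolve(p) for p in commented if exists(resolve(p))]
    return missing, dormant


def demo():
    """Build a throwaway tree mirroring /etc/snort and run the check on it."""
    tmp = tempfile.mkdtemp()
    rules = os.path.join(tmp, "rules")
    os.mkdir(rules)
    for name in ("local.rules", "virus.rules"):  # web-attacks.rules deliberately absent
        open(os.path.join(rules, name), "w").close()
    open(os.path.join(tmp, "classification.config"), "w").close()
    conf = SAMPLE_CONF.replace("/etc/snort/rules", rules)
    return check_includes(conf, base_dir=tmp)


if __name__ == "__main__":
    missing, dormant = demo()
    print("included but missing on disk:", missing)
    print("on disk but only commented out:", dormant)
```

A missing file is the loud failure (`snort -T` aborts on it); the dormant list is the quiet one, a rule file sitting in /etc/snort/rules that Snort never reads, which is what the virus.rules and spyware-put.rules lines in the diff amount to.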

Monday, January 22, 2007

SQL in Chocolate Cover

I got the following picture from Jeremiah Grossman's blog.


I highlighted the SQL code for easy reading. :D

Link : Beyond The CPU: Cheating Hardware Based RAM Forensics

Joanna Rutkowska posted a blog entry titled "Beyond The CPU: Cheating Hardware Based RAM Forensics".

Here is the main point of the blog :

The whole idea behind hardware based RAM acquisition is that the process of reading the memory is using Direct Memory Access (DMA) to read the physical memory. DMA, as the name suggests, does not involve CPU in the process of accessing memory. So, it seems to be a very reliable way for reading the physical memory…

But it is not! At least in some cases...
I look forward to reading her presentation about this after the BlackHat DC conference.

Blog's Template Updated

Finally, after a long and heated discussion with my friend (Ai_Zeus), I got the blog layout I wanted. Now the archives show how many posts are available.

Getting this layout is very easy: just update your blog template to the latest version. Last time I forgot to update it when I updated my blog site. :D

Enjoy the new template and please don't hesitate to give me suggestions.

PS :
I still need to figure out how to put other features on the new layout. (done)

Friday, January 19, 2007

Nessus 3.0.5

Tenable Network Security has released Nessus version 3.0.5. It fixes several "features" of the 3.0.4 version. The fixes include:

  • Faster startup time, especially on laptops
  • Improved the performance of the SYN port scanner
  • Fixed a memory leak in the Mac OS X client
  • Vista compatibility improved
  • Various minor bugs fixed in the NASL engine
  • Better chasing of zombie processes
You can read more information about this in Tenable Blog.

0trace : A Tool to Trace Behind The Firewall

Michal Zalewski has just released a new security tool called 0trace. Here is a brief description of it:

This tool enables the user to perform hop enumeration ("traceroute") within an established TCP connection, such as a HTTP or SMTP session.

This is opposed to sending stray packets, as traceroute-type tools usually do.

The benefit of the mechanism 0trace uses, in the announcement's words: "such traffic is happily allowed through by many stateful firewalls and other defenses without further inspection (since it is related to an entry in the connection table)". A classic traceroute sends fresh UDP or ICMP packets that no connection-table entry matches, so a stateful firewall drops them at the perimeter and you never see the hops behind it.

But it also has limitations. According to the announcement, the tool will not produce interesting results in the following situations:

  • Target's firewall drops all outgoing ICMP messages,
  • Target's firewall does TTL or full-packet rewriting,
  • There's an application layer proxy / load balancer in the way (Akamai, in-house LBs, etc),
  • There's no notable layer 3 infrastructure behind the firewall.
You can get more information about this from the LWN article.
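To make the mechanism concrete, here is an added example (my own code, not 0trace's) that builds the probes such a tool sends. It assumes an already established TCP connection whose 4-tuple and current sequence/acknowledgement numbers are known (0trace learns them by watching the session; here they are constructed values), and that each probe is a bare ACK segment for that connection differing only in its IP TTL. Router N decrements the TTL to zero and answers with ICMP Time Exceeded, which names the hop; the firewall passes the probe because it matches an existing connection-table entry. The code only builds the raw bytes, with valid IP and TCP checksums, so it runs offline; actually sending them needs a raw socket and root, and matching the ICMP replies back to probes (via the IP ID, set equal to the TTL here) is not shown. Addresses, ports and sequence numbers are constructed for the demo.

```python
"""Build in-session TCP probes with increasing TTL (added example, not 0trace code)."""
import socket
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_probe(src, dst, sport, dport, seq, ack, ttl, ip_id=0):
    """One IPv4+TCP ACK-only segment belonging to the given connection, with the given TTL.

    seq must be our next send sequence number and ack the peer's next expected
    byte, so the peer treats the segment as an ordinary in-window ACK (no
    RST, no retransmission), while the intermediate routers only see the TTL.
    """
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    flags = 0x10  # ACK only, no payload
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0, ttl,
                     socket.IPPROTO_TCP, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def probe_series(src, dst, sport, dport, seq, ack, max_ttl=30):
    """Probes for TTL 1..max_ttl. IP ID = TTL lets an ICMP Time Exceeded reply,
    which quotes the original IP header, be mapped back to the hop number."""
    return [build_probe(src, dst, sport, dport, seq, ack, ttl, ip_id=ttl)
            for ttl in range(1, max_ttl + 1)]


def ttl_of(packet: bytes) -> int:
    return packet[8]


def ip_checksum_ok(packet: bytes) -> bool:
    return checksum(packet[:20]) == 0


def tcp_checksum_ok(packet: bytes) -> bool:
    tcp = packet[20:]
    pseudo = packet[12:20] + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    return checksum(pseudo + tcp) == 0


if __name__ == "__main__":
    # Constructed connection parameters; a real run would sniff these.
    probes = probe_series("192.0.2.10", "198.51.100.5", 40000, 80,
                          seq=0x11223344, ack=0x55667788, max_ttl=8)
    for p in probes:
        print("ttl=%d len=%d ip_ok=%s tcp_ok=%s" % (
            ttl_of(p), len(p), ip_checksum_ok(p), tcp_checksum_ok(p)))
```

The limitations in the announcement map directly onto this design: if the target's firewall drops outgoing ICMP you never get the Time Exceeded replies, if it rewrites TTL every probe survives to the end host, and if a proxy or load balancer terminates the TCP session the probes belong to a connection that ends at the proxy, not at the real server.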

Monday, January 15, 2007

Disable Preferences Menu in Ampache 3.3.2.1

A friend of mine (you know who you are :D) asked me how to disable the preferences menu in Ampache 3.3.2.1. I thought this should be easy: there should be a config option to turn this item on or off. Unfortunately, I was wrong. There is no configuration for that.

Then I downloaded the Ampache tarball and looked through it. I was eager to solve this problem because it would also refresh my rusty PHP programming skills. On the first pass, I couldn't find where Ampache builds the preferences menu. The programming style is quite hard to follow, maybe because I haven't done any PHP programming for years. :D

Next, I used "grep" to search for "preferences.php" across the whole Ampache package:

grep -r "preferences.php" *

I checked the results one by one. One of them turned the light on: templates/sidebar.inc.php.

I opened that file (sidebar.inc.php) and read the code. It is the right one.

My first plan was to disable every reference to "preferences.php", which was very easy to do.

But then I thought it would be better to disable "preferences" only for ordinary users and leave it available to admins.

So I created this simple patch.

To apply it, put the patch in the ampache/templates directory. Here is the layout on my system (in ampache/templates):

...
$ ll sidebar.*
-rw-r--r-- 1 tedi users 1010 2007-01-15 23:14 sidebar.inc.patch
-rw-r--r-- 1 tedi users 8800 2007-01-15 23:11 sidebar.inc.php
..

Then type the following command (make sure you are in the templates directory):

$ patch -p0 < sidebar.inc.patch
patching file sidebar.inc.php

Here are some screenshots taken after applying the patch, logged in as "user" and as "admin". You should see the difference. :D

Friday, January 12, 2007

Compile Atheros Driver in OpenSUSE 10.x

I just bought an Atheros-based card, a NetGear WPN511. For this card I can use madwifi as the driver.

The madwifi site also provides RPMs for OpenSUSE, but I sometimes like to compile software myself so I can adjust it to my needs.

Without further ado, here are the steps to compile the driver:

- extract the tarball:

$ tar xvjpf madwifi-0.9.2.1.tar.bz2

- build the driver:

$ cd madwifi-0.9.2.1/
$ make
Checking requirements... ok.
Checking kernel configuration... ok.
make -C /lib/modules/2.6.16.13-4-default/build SUBDIRS=/home/tedi/madwifi-0.9.2.1 modules
make[1]: Entering directory `/usr/src/linux-2.6.16.13-4-obj/i386/default'
make -C ../../../linux-2.6.16.13-4 O=../linux-2.6.16.13-4-obj/i386/default modules
CC [M] /home/tedi/madwifi-0.9.2.1/ath/ah_osdep.o
HOSTCC /home/tedi/madwifi-0.9.2.1/ath/uudecode
UUDECODE /home/tedi/madwifi-0.9.2.1/ath/i386-elf.hal.o
CC [M] /home/tedi/madwifi-0.9.2.1/ath/if_ath.o
CC [M] /home/tedi/madwifi-0.9.2.1/ath/if_ath_pci.o
LD [M] /home/tedi/madwifi-0.9.2.1/ath/ath_pci.o
LD [M] /home/tedi/madwifi-0.9.2.1/ath/ath_hal.o
CC [M] /home/tedi/madwifi-0.9.2.1/ath_rate/sample/sample.o
LD [M] /home/tedi/madwifi-0.9.2.1/ath_rate/sample/ath_rate_sample.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/if_media.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211_beacon.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211_crypto.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211_crypto_none.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211_input.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211_node.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211_output.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211_power.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211_proto.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211_scan.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211_wireless.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211_linux.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211_monitor.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211_acl.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211_crypto_ccmp.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211_scan_ap.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211_scan_sta.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211_crypto_tkip.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211_crypto_wep.o
CC [M] /home/tedi/madwifi-0.9.2.1/net80211/ieee80211_xauth.o
LD [M] /home/tedi/madwifi-0.9.2.1/net80211/wlan.o
LD [M] /home/tedi/madwifi-0.9.2.1/net80211/wlan_wep.o
LD [M] /home/tedi/madwifi-0.9.2.1/net80211/wlan_tkip.o
LD [M] /home/tedi/madwifi-0.9.2.1/net80211/wlan_ccmp.o
LD [M] /home/tedi/madwifi-0.9.2.1/net80211/wlan_acl.o
LD [M] /home/tedi/madwifi-0.9.2.1/net80211/wlan_xauth.o
LD [M] /home/tedi/madwifi-0.9.2.1/net80211/wlan_scan_sta.o
LD [M] /home/tedi/madwifi-0.9.2.1/net80211/wlan_scan_ap.o
Building modules, stage 2.
MODPOST
CC /home/tedi/madwifi-0.9.2.1/ath/ath_hal.mod.o
LD [M] /home/tedi/madwifi-0.9.2.1/ath/ath_hal.ko
CC /home/tedi/madwifi-0.9.2.1/ath/ath_pci.mod.o
LD [M] /home/tedi/madwifi-0.9.2.1/ath/ath_pci.ko
CC /home/tedi/madwifi-0.9.2.1/ath_rate/sample/ath_rate_sample.mod.o
LD [M] /home/tedi/madwifi-0.9.2.1/ath_rate/sample/ath_rate_sample.ko
CC /home/tedi/madwifi-0.9.2.1/net80211/wlan.mod.o
LD [M] /home/tedi/madwifi-0.9.2.1/net80211/wlan.ko
CC /home/tedi/madwifi-0.9.2.1/net80211/wlan_acl.mod.o
LD [M] /home/tedi/madwifi-0.9.2.1/net80211/wlan_acl.ko
CC /home/tedi/madwifi-0.9.2.1/net80211/wlan_ccmp.mod.o
LD [M] /home/tedi/madwifi-0.9.2.1/net80211/wlan_ccmp.ko
CC /home/tedi/madwifi-0.9.2.1/net80211/wlan_scan_ap.mod.o
LD [M] /home/tedi/madwifi-0.9.2.1/net80211/wlan_scan_ap.ko
CC /home/tedi/madwifi-0.9.2.1/net80211/wlan_scan_sta.mod.o
LD [M] /home/tedi/madwifi-0.9.2.1/net80211/wlan_scan_sta.ko
CC /home/tedi/madwifi-0.9.2.1/net80211/wlan_tkip.mod.o
LD [M] /home/tedi/madwifi-0.9.2.1/net80211/wlan_tkip.ko
CC /home/tedi/madwifi-0.9.2.1/net80211/wlan_wep.mod.o
LD [M] /home/tedi/madwifi-0.9.2.1/net80211/wlan_wep.ko
CC /home/tedi/madwifi-0.9.2.1/net80211/wlan_xauth.mod.o
LD [M] /home/tedi/madwifi-0.9.2.1/net80211/wlan_xauth.ko
make[1]: Leaving directory `/usr/src/linux-2.6.16.13-4-obj/i386/default'
make -C ./tools all || exit 1
make[1]: Entering directory `/home/tedi/madwifi-0.9.2.1/tools'
gcc -o athstats -g -O2 -Wall -include ../include/compat.h -I. -I../hal -I.. -I../ath athstats.c
gcc -o 80211stats -g -O2 -Wall -include ../include/compat.h -I. -I../hal -I.. 80211stats.c
gcc -o athkey -g -O2 -Wall -include ../include/compat.h -I. -I../hal -I.. athkey.c
gcc -o athchans -g -O2 -Wall -include ../include/compat.h -I. -I../hal -I.. athchans.c
gcc -o athctrl -g -O2 -Wall -include ../include/compat.h -I. -I../hal -I.. athctrl.c
gcc -o athdebug -g -O2 -Wall -include ../include/compat.h -I. -I../hal -I.. athdebug.c
gcc -o 80211debug -g -O2 -Wall -include ../include/compat.h -I. -I../hal -I.. 80211debug.c
gcc -o wlanconfig -g -O2 -Wall -include ../include/compat.h -I. -I../hal -I.. wlanconfig.c
make[1]: Leaving directory `/home/tedi/madwifi-0.9.2.1/tools'

After that I installed the driver into the system with "make install".

Then I put the card in the PCMCIA slot and ran "dmesg":

ath_hal: module not supported by Novell, setting U taint flag.
ath_hal: 0.9.17.2 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413)
wlan: module not supported by Novell, setting U taint flag.
wlan: 0.8.4.2 (0.9.2.1)
ath_rate_sample: module not supported by Novell, setting U taint flag.
ath_rate_sample: 1.2 (0.9.2.1)
ath_pci: module not supported by Novell, setting U taint flag.
ath_pci: 0.9.4.5 (0.9.2.1)
PCI: Enabling device 0000:03:00.0 (0000 -> 0002)
ACPI: PCI Interrupt 0000:03:00.0[A] -> Link [C0C4] -> GSI 10 (level, low) -> IRQ 10
wifi0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps
wifi0: 11g rates: 1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
wifi0: turboG rates: 6Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
wifi0: H/W encryption support: WEP AES AES_CCM TKIP
wifi0: mac 7.9 phy 4.5 radio 5.6
wifi0: Use hw queue 1 for WME_AC_BE traffic
wifi0: Use hw queue 0 for WME_AC_BK traffic
wifi0: Use hw queue 2 for WME_AC_VI traffic
wifi0: Use hw queue 3 for WME_AC_VO traffic
wifi0: Use hw queue 8 for CAB traffic
wifi0: Use hw queue 9 for beacons
wlan_scan_sta: module not supported by Novell, setting U taint flag.
wifi0: Atheros 5212: mem=0x38000000, irq=10


From the output above, I know that my wifi card is detected and the driver is working. The "module not supported by Novell, setting U taint flag" lines are not errors: SUSE marks any out-of-tree module as unsupported, which only means the kernel is tainted for support purposes.

In the next post, I will describe some simple wireless activities.

Thursday, January 11, 2007

Running IE on Linux

If you have time to spare, you may want to look at the IEs4Linux site.

You may ask what IEs4Linux is. Here is the answer, taken from its webpage:

IEs4Linux is the simpler way to have Microsoft Internet Explorer running on Linux (or any OS running Wine).

No clicks needed. No boring setup processes. No Wine complications. Just one easy script and you'll get three IE versions to test your Sites. And it's free and open source.

The stable version only supports IE 5, 5.5, and 6. If you want to try IE 7, you may want to take a look at the WebExpose article "Internet Explore 7 On Linux" first. IE7 is only supported in the IEs4Linux beta version, so beware.

If you have tried it, please let me know, because I don't think I will be running IE on Linux in the near future. I'd better stick with other browsers. :D

Friday, January 05, 2007

UXSS in Adobe Acrobat Reader Plugin

At the beginning of the new year, I was surprised by the disclosure of multiple vulnerabilities in the Adobe Acrobat Reader browser plugin.

These vulnerabilities allow the following:

  • Universal CSRF / session riding (tested on Mozilla Firefox, Internet Explorer, Opera + Acrobat Reader plugin)
  • UXSS in #FDF, #XML and #XFDF (tested on Mozilla Firefox + Acrobat Reader plugin)
  • Possible Remote Code Execution (tested on Mozilla Firefox + Acrobat Reader plugin)
  • Denial of Service (tested on Internet Explorer + Acrobat Reader plugin)
To stay ahead of scary things, I use FoxitReader to read PDFs, and I also installed the PDFDownload plugin for Firefox so that PDFs are downloaded instead of being rendered by the browser plugin.
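The client-side fix above protects one browser. For the sites you operate there is a server-side counterpart, shown here as an added example (my own code, not from the post and not from Adobe). The hostile part of these URLs is the fragment after "#", which the browser never sends to the server, so nothing can be filtered or logged on the server side; the one thing a site can do is stop its hosted PDFs from being rendered inside the browser plugin at all, by serving them with Content-Disposition: attachment, so the file is handed to the standalone reader instead of the plugin running in the site's origin. The WSGI middleware below does that for any response carrying a PDF/FDF/XFDF content type or extension; the wrapped application, paths and request are constructed for the demo.

```python
"""Force PDF/FDF/XFDF responses to download instead of rendering in the plugin
(added example, not the post's code)."""
from wsgiref.util import setup_testing_defaults

PDF_TYPES = {
    "application/pdf",
    "application/x-pdf",
    "application/vnd.fdf",
    "application/vnd.adobe.xfdf",
}
PDF_EXTENSIONS = (".pdf", ".fdf", ".xfdf")


def _header(headers, name):
    for key, value in headers:
        if key.lower() == name.lower():
            return value
    return None


def force_pdf_download(app):
    """WSGI middleware: add Content-Disposition: attachment to PDF-like responses."""

    def wrapper(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            ctype = (_header(headers, "Content-Type") or "").split(";")[0].strip().lower()
            path = environ.get("PATH_INFO", "")
            if ctype in PDF_TYPES or path.lower().endswith(PDF_EXTENSIONS):
                # Drop any existing disposition so an 'inline' from the app cannot win.
                headers = [(k, v) for k, v in headers if k.lower() != "content-disposition"]
                # Basename only, and no quote characters in the attachment name.
                filename = (path.rsplit("/", 1)[-1] or "document.pdf").replace('"', "_")
                headers.append(("Content-Disposition", 'attachment; filename="%s"' % filename))
            return start_response(status, headers, exc_info)

        return app(environ, patched_start_response)

    return wrapper


def sample_app(environ, start_response):
    """Constructed origin application: one fake PDF and one HTML page."""
    path = environ.get("PATH_INFO", "")
    if path.endswith(".pdf"):
        start_response("200 OK", [("Content-Type", "application/pdf")])
        return [b"%PDF-1.4\n% constructed sample, not a real document\n"]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html><body>hello</body></html>"]


hardened_app = force_pdf_download(sample_app)


def run_request(app, path):
    """Drive a WSGI app with a synthetic request; returns (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for path in ("/docs/report.pdf", "/index.html"):
        status, headers, body = run_request(hardened_app, path)
        print(path, status, headers)
```

Note the asymmetry this example makes visible: because the fragment stays in the browser, a web server log will show a perfectly innocent request for /docs/report.pdf even when the link carried a #FDF=javascript: payload, so there is no detection angle on the server, only the hardening above.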

Here are several resources if you want to know more about this:

Thursday, January 04, 2007

Happy New Year 2007

I just want to say "Happy New Year 2007" to you, my kind readers.

Let's hope this new year bring us more happiness, more joys and more health.

Have a wonderful new year.

PS :
I will be blogging again after I have solved several problems. :D