Digit Oktavianto Web Log

Digit's Junk Notes

How to Fix Missing Skype Tray Icon in Ubuntu 14.04


I just installed a fresh Ubuntu 14.04 LTS. Skype is my favorite app, so I installed it first. But something happened after I logged in to my Skype account. Usually, when I close the application, the Skype tray icon stays active. But in this new Ubuntu version, there is no Skype tray icon. When I open another Skype window from the Launcher, a warning tells me the Skype application is already running. What the? Okay, I did a quick Google search and found this article:

http://www.webupd8.org/2014/04/10-things-to-do-after-installing-ubuntu.html

To fix the missing Skype tray icon in your Ubuntu (I am using Ubuntu 14.04 64-bit), you have to install the Skype tray / appindicator support manually, because it is not installed automatically. Open your terminal and type this command:

$ sudo apt-get install sni-qt:i386

Voilà, wait a second and your Skype tray icon will show up immediately.

The Skype tray icon might disappear right after you log in, but it should show up again after a few seconds.


Happy Hacking

Capture the Flag Hacking Competition With an iPhone 5 Prize


PT Noosc Global is a company operating in the information security field in Indonesia. PT Noosc Global is holding a Capture The Flag hacking competition with a PEMILU (general election) theme.

The goal of this election-themed Capture the Flag (CTF) competition is to build interest, awareness and skill among Indonesian IT practitioners in the field of information security. In this competition, participants are given a number of missions (challenges) that must be solved one by one, in stages. The winner is the first participant to complete the highest-level mission by the time the competition ends, and will receive an Apple iPhone 5 as the prize.

The competition is completely free of charge. While the competition is running, the latest official information about registration and other requirements can be found on the page

http://www.noosc.co.id/events/

or on the Facebook page:

https://www.facebook.com/noosc.global

Participants can go straight to solving the challenges, which will be made available in stages on the web page

http://www.noosc.co.id/ctf/

If you want to take part in this competition, you can join right away. Four challenges have been released so far. The challenges in this competition consist of several problems. The challenges released so far are:

  1. Weak Password
  2. Credential in HTML
  3. Directory Indexing
  4. Packet Analysis

More challenges will follow soon. A total of 8 challenges will be released in this competition.

Good luck!!

Happy Hacking :D

Splunk + Prelert : Anomaly Detection With Machine Learning Analytics


Last week, I updated the old Splunk on my laptop. The last version I had was 4.x.x. I got an email from Prelert about their new feature. For those who don't know about Prelert: Prelert is a layer of highly advanced predictive analytics software that easily integrates with and turbocharges your existing management tools. It enables truly proactive management by automatically learning the normal behaviour of your application and supporting environment and alerting you to potential problems as they develop. Prelert is a Splunk app that extends Splunk with anomaly detection through machine learning.

Anomaly Detective's self-learning predictive analytics, with machine intelligence assistance, recognize both normal and abnormal machine behavior. Using highly advanced pattern recognition algorithms, Anomaly Detective identifies developing issues and provides detailed diagnostic data, enabling IT experts to avoid problems or diagnose them as much as 90 percent faster than previously possible.

The Prelert dashboard features include:

  • QuickMode - quickly converts your existing timechart searches to on-going, proactive anomaly searches
  • Real-Time - detect developing anomalies using continuous background anomaly searches
  • Compare - use to compare two searches at different times
  • AutoDetect - extend an ad-hoc Splunk search with on-the-fly anomaly detection
  • Categorize - automatically categorizes raw text fields based on similarity of text strings

Since the new version of Prelert (3.1.8) needs the latest Splunk version, I had to update my Splunk first.

This is just a quick post introducing Splunk, Splunk apps, and Prelert. Maybe my next post will give a step-by-step technical explanation of how to set up Splunk and set up Prelert in Splunk.

Below are some screenshots of my Splunk dashboard, examples of some Splunk apps, and the dashboard for Prelert Anomaly Detective:

This is my screenshot of the new Prelert Anomaly Detective feature "Quick Mode":

I got a cool T-shirt from Mr. Kevin Conklin for showing off my Quick Mode feature.

If you want to try Prelert Anomaly Detective, it is very simple, just visit this link:

https://prelert.com/reg/anomaly-detective-trial.html

Register for a trial account, download the Prelert Splunk app, deploy Prelert on your Splunk machine, take a screenshot, and get your cool T-shirt.


Happy Hacking

Slide Presentation : Cyber Security Attack and Trend


Last week I gave a short talk about cyber security trends. The talk gave a brief explanation of recent trends and recent attacks, both globally and in Indonesia. The audience was very excited, because most of them were university and high school students. They are young and talented. Hopefully this short talk gave them an overview of security and how to deal with security matters.

If you are interested in my slides, you can access my Slideshare account: http://www.slideshare.net/digitoktavianto/cyber-security-attack-and-trend-stt-kebumen-30502741


Happy Hacking

Free University Short Courses in IT Security


Hi Fellas,

This is just a quick post from me. I just signed up for a great and free course in IT security. If you are interested in the free Network Security Administrator short course, you can register here: http://www.itmasters.edu.au/free-short-course-network-security-administrator-certification/

Network Security Administrator is a free short course offered by Charles Sturt University. This short course is designed to partially prepare you for certification as an EC-Council Network Security Administrator (ENSA). The ENSA certification program looks at network security from a defensive point of view. It is designed to provide the fundamental skills needed to analyze the internal and external security threats against a network, and to develop security policies that will protect an organization's information.

This short course is an online course. You can register and get access to their e-learning portal (based on the Moodle CMS). You get the materials, links to recorded webinars, references, etc. You can attend the webinar every week (the webinar uses the GoToMeeting app). At the end of the course they give you a test, and after passing the final test you get a certificate of attendance. Please note that this is not an EC-Council ENSA certificate.

Charles Sturt University also offers some other great courses, like a CISSP short course, CCNA, Windows Server, etc. You can get the details of the short courses here: http://www.itmasters.edu.au/about-it-masters/free-short-courses/

I hope you enjoy the e-learning course from Charles Sturt University!


Happy Hacking

An Overview for Research Projects in 2014


This is the last day of 2013. 2013 was amazing. I got my first SANS training and also my first GIAC certification. Thank God for everything in 2013. I have many plans already listed in my notes. I don't know if I can reach all the goals or not. Hopefully 2014 will be good for me.

This post is a reminder for me of some of those plans.

  1. Research on virtualization, especially VMware. I have a high-spec machine that has not been used until now. And I have a VMware license (thanks to the Honeynet Project and Mr. Brian Hay :) ). So this is the best time for me to continue my research on VMware.

  2. Splunk released a new version, and this version will be great. Combine Splunk and Prelert to detect unknown threats based on machine learning.

  3. Learning reverse engineering. This is very important for me, since my plan to take the GREM certification is waiting. If I want to get deep knowledge in the malware analysis area, this one should be the top priority in 2014.

  4. Playing in the networking area. I signed up as a premium member of the new GNS3 crowdfunding. This is an awesome project. They will release a new tool and include a pack of training and tutorials from basic to high level in networking (especially in the security area: CCNA, Juniper, etc.). It is a great opportunity for me to learn networking using the new GNS3. Hopefully.

That's all from my checklist for 2014. There are a lot of things not written there. Happy New Year :)


Happy Hacking

Drupal Security Best Practice


This is just a quick post from me. I made summary notes for the Drupal Security Best Practice and Drupal Hardening Guide. Yesterday, I found some interesting links on /r/netsec about Drupal Security Best Practice. You can download the PDF from here:

http://openconcept.ca/sites/openconcept/files/DrupalSecurityBestPracticesforGovernment-0.92.pdf

I have added other links and resources about Drupal security:

http://www.slideshare.net/kirkstenvon/drupal-security-hardening

http://www.madirish.net/242

http://security-24-7.com/hardening-guide-for-drupal-7-7/

http://montenasoft.com/files/Securing_Your_Drupal_Site.pdf

Enjoy!


Happy Hacking

About Indicator of Compromise


Indicator of Compromise is something we often hear these days. I think it is a buzzword, like the cloud computing terminology in the IT industry. In the incident response area, IOC was already introduced in 2007. According to Lenny Zeltser's blog http://blog.zeltser.com/post/44795789779/indicators-of-compromise-entering-the-mainstream, IOC was first introduced by Mandiant. Kris Kendall's paper http://www.blackhat.com/presentations/bh-dc-07/Kendall_McMillan/Paper/bh-dc-07-Kendall_McMillan-WP.pdf mentions IOC as part of his malware reversing paper. Now, the IOC terminology is well known in the IT security area, especially in DFIR (Digital Forensics and Incident Response).

An easy way to understand IOC is this: you know there is an incident, you know the behavior, how they act and what changes were made, and then you write a simple standard to detect their presence. As simple as that. In technical terms, an IOC is a forensic artifact from an intrusion that can be identified on a host or a network. The attributes that can be used in an IOC document are: IP address / domain name, URL, hash, file mutex, HTTP User-Agent, X-Mailer, etc.

In this APT era (I know this is bullshit), threat intelligence sharing has become a serious thing that should be implemented in every environment / organization. IOC is one important component of threat intelligence sharing. Why do we care about threat intelligence sharing? Because it is a faster and easier way to detect and immediately respond to an intrusion in our organization. It is also important for every individual or organization to build a trust relationship.

Unfortunately, there is no standard format to describe IOC attributes. Several organizations / companies have created their own IOC standards. It is naive that, in this threat intelligence sharing era, we don't even have a clear standard. And how do we share our IOCs if there is no clear standard data format?

The most common standard used in large organizations is OpenIOC http://openioc.org/. OpenIOC is a framework for describing IOCs that was developed by Mandiant. OpenIOC is written in XML (Extensible Markup Language). XML provides a well-recognized standard format for encoding data in a machine-readable form that is used in many different standardized methods of communicating data. The use of XML provides several benefits for consumers of OpenIOC.
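As an added example (not code from the original post or from Mandiant's tooling), here is a small Python evaluator for an OpenIOC-style XML document that uses the indicator attributes mentioned earlier (file hash, mutex, HTTP User-Agent) and shows how nested AND/OR indicators combine. The document, hash, mutex name and User-Agent string are constructed samples in the OpenIOC 1.0 layout; the search terms such as FileItem/Md5sum are assumed to follow that schema's naming.

```python
# Added example (not from the original post or from Mandiant's tooling): evaluate a
# minimal OpenIOC-style XML document against artifacts observed on a host.  The IOC
# below is a constructed sample in the OpenIOC 1.0 layout; hash, mutex and UA are made up.
import xml.etree.ElementTree as ET
NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Logic of the sample: match if the dropper's MD5 is present, OR if the mutex
# AND the beacon User-Agent are both present (either of those alone is not enough).
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="constructed-0001">
 <definition>
  <Indicator operator="OR">
   <IndicatorItem condition="is">
    <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
    <Content type="md5">0123456789abcdef0123456789abcdef</Content>
   </IndicatorItem>
   <Indicator operator="AND">
    <IndicatorItem condition="is">
     <Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Name" type="mir"/>
     <Content type="string">Global\\ExampleDropperMutex</Content>
    </IndicatorItem>
    <IndicatorItem condition="contains">
     <Context document="Network" search="Network/UserAgent" type="mir"/>
     <Content type="string">ExampleBeacon/1.0</Content>
    </IndicatorItem>
   </Indicator>
  </Indicator>
 </definition>
</ioc>"""

def item_matches(item, observed):
    """One IndicatorItem: apply its condition to the observed values under its search term."""
    search = item.find("ioc:Context", NS).get("search")
    wanted = item.find("ioc:Content", NS).text.strip().lower()
    values = [v.lower() for v in observed.get(search, [])]
    cond = item.get("condition")
    if cond == "is":
        return wanted in values
    if cond == "contains":
        return any(wanted in v for v in values)
    raise ValueError(f"unsupported condition {cond!r}")

def indicator_matches(node, observed):
    """Recursively evaluate an Indicator: AND/OR over nested Indicators and items."""
    results = []
    for child in node:
        tag = child.tag.rsplit("}", 1)[-1]  # drop the namespace prefix
        if tag == "IndicatorItem":
            results.append(item_matches(child, observed))
        elif tag == "Indicator":
            results.append(indicator_matches(child, observed))
    return any(results) if node.get("operator", "AND").upper() == "OR" else all(results)

def evaluate_ioc(xml_text, observed):
    """True when the top-level Indicator of the IOC matches the observed artifacts."""
    root = ET.fromstring(xml_text)
    return indicator_matches(root.find("ioc:definition/ioc:Indicator", NS), observed)

# Constructed artifact sets for two hosts, keyed by OpenIOC search term (not real data).
HOST_MUTEX_ONLY = {
    "FileItem/Md5sum": ["d41d8cd98f00b204e9800998ecf8427e"],
    "ProcessItem/HandleList/Handle/Name": ["Global\\ExampleDropperMutex"],
    "Network/UserAgent": ["Mozilla/5.0 (X11; Linux x86_64)"],
}
HOST_MUTEX_AND_BEACON = {**HOST_MUTEX_ONLY, "Network/UserAgent": ["ExampleBeacon/1.0 (Windows NT 6.1)"]}
```

The mutex alone does not trip the IOC because its parent Indicator is an AND; the second host, which also shows the beacon User-Agent, does.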

The second IOC standard comes from MITRE. They developed an IOC standard called CybOX http://cybox.mitre.org/. From the website: CybOX is a standardized schema for the specification, capture, characterization, and communication of events or stateful properties that are observable in the operational domain. A wide variety of high-level cyber security use cases rely on such information, including: event management/logging, malware characterization, intrusion detection, incident response/management, attack pattern characterization, etc. CybOX provides a common mechanism (structure and content) for addressing cyber observables across and among this full range of use cases, improving consistency, efficiency, interoperability, and overall situational awareness. CybOX allows the incident responder to use this standard in the following areas:

  • Threat assessment and characterization (detailed attack patterns)
  • Malware characterization
  • Operational event management / logging
  • Cyber situational awareness
  • Incident response
  • Forensics
  • etc.

In my opinion, CybOX cannot stand alone. CybOX needs help from the other MITRE standards (STIX, TAXII, CAPEC, MAEC) to describe a security threat assessment when identifying an incident or intrusion. It looks like there is some overlap of attributes among the MITRE standards. It is difficult for me to determine whether a given attribute belongs to CybOX, STIX, TAXII, CAPEC or MAEC.

Another IOC standard format is IODEF, https://www.ietf.org/rfc/rfc5070.txt. IODEF is a standing IETF RFC (RFC 5070) designed to address and define a data representation that provides a framework for sharing information commonly exchanged by Computer Security Incident Response Teams (CSIRTs) about computer security incidents. The basic premise is that organizations need help from third parties to mitigate malicious or nefarious activity targeting their hosts and networks. The Incident Object Description Exchange Format (IODEF) is a format that offers users a means to represent computer security information as described above. It is communicated via an XML schema that conveys incident information across administrative domains amongst parties that have an operational responsibility for both remediation and notification of their user population.

The conclusion about Indicator of Compromise: there are several standards that may be applied in your organization. You can choose wisely which one is best to implement. In my personal opinion, it is difficult to apply threat intelligence sharing if everyone has a different standard. OpenIOC, CybOX, and IODEF are just the big three standard formats for IOC. When you talk about a specific vendor, they may use their own IOC standard. Maybe the law of the jungle will prevail: whichever is the most widely used will be the winner.

PS: If you want to compare the pros and cons of the big three IOC standards (OpenIOC, CybOX, and IODEF) one by one, you can read the details in this RSA Conference slide deck: http://www.rsaconference.com/writable/presentations/file_upload/dsp-w25a.pdf

Edit:

If you want to create a sample IoC, here is the recommended reading list for you:

http://www.darkreading.com/attacks-breaches/top-15-indicators-of-compromise/240162469

Sources:

https://blogs.rsa.com/understanding-indicators-of-compromise-ioc-part-i/

https://blogs.rsa.com/understanding-indicators-of-compromise-ioc-part-ii/

https://blogs.rsa.com/understanding-indicators-of-compromise-ioc-part-iii/

Verizon Data Breach Investigation Report 2013


Verizon Enterprise, through one of the communities it founded, VERIS (Vocabulary for Event Recording and Incident Sharing), is one of the communities that plays an active role in incident response. VERIS plays a sizable role in information sharing around IT security and incident reporting. If you are familiar with the terms threat intelligence, indicator of compromise, and collective security intelligence, then VERIS is one of the communities taking part in that threat intelligence sharing.

I just got word on Twitter about the Data Breach Investigation Report released by Verizon Enterprise, the company behind the VERIS Community. This data breach report covers the incidents that occurred during 2013. Those incidents include threats from hacking activity, malware, phishing, and many other threat factors. Verizon Enterprise has kindly shared this data with you as a field reference on the incidents that occurred during 2013.

Verizon Enterprise worked with 19 other companies and organizations in compiling this Data Breach Investigation Report, among them Deloitte, CyberSecurity Malaysia, CERT, Homeland Security, and many other organizations.

To download the report, just visit this site: http://www.verizonenterprise.com/DBIR/2013/

To see the Executive Summary of the report, you can download it here: http://www.verizonenterprise.com/resources/reports/es_data-breach-investigations-report-2013_en_xg.pdf

If you want to look further at the products and contributions of the VERIS Community, you can visit its website here: http://www.veriscommunity.net/

In the next post, I will discuss one of the VERIS products related to threat intelligence sharing, namely the Verizon Enterprise Risk and Incident Sharing Framework, commonly called VZ-RISK. VZ-RISK aims to collect information, map it, and report on the incidents that occur, for non-commercial purposes. For those of you who work in or are interested in the DFIR (Digital Forensics and Incident Response) world, this will certainly be very interesting.

To see the VZ-RISK dashboard, you can view it at: http://public.tableausoftware.com/views/vcdb/Overview

For a further review of VCDB and VZ-RISK, you can read the following link: http://www.verizonenterprise.com/security/blog/index.xml?postid=4642


Happy Hacking

Log Message Classification


A log, or what is usually called a log file, is a collection of recorded information about the activities and events on a system. Log types differ depending on the device and operating system used. The information contained in log data varies in content. Fundamentally, the content of that log data can be classified into the categories below:

  1. Informational
    This log message contains information about activity occurring on the device. For example, information about a user logging in or out of your machine. Log messages carrying this kind of information are usually general (normal) events on your device.

  2. Debug
    Debug log messages are usually generated by an application or by the operating system. Debug messages are usually logs produced during troubleshooting. On operating systems such as Linux, kernel debugging logs usually appear when kernel debugging is performed.

  3. Warning
    A warning message in a log marks something that needs attention and further analysis. Although ignoring a warning message usually does not disrupt the running of the system much, warning messages still deserve attention. It is better if the warning message is followed up.

  4. Error
    An error message in a log indicates there is a fault in the system. To learn more about an error occurring on the system, a deeper investigation of its cause is needed so that the error message can be handled properly. As an example, I attach a sample error log from my Linux machine.

      root@digit-laptop:~# cat /var/log/syslog | grep error
      Aug  8 09:52:00 digit-laptop NetworkManager: *<WARN>*  nm_device_wifi_set_mode(): error setting card wlan0 to mode 2: Device or resource busy
      Aug  8 09:52:00 digit-laptop nm-dispatcher.action: Script '/etc/NetworkManager/dispatcher.d/01ifupdown' exited with error status 1.
    

    In simple terms, it can be concluded that the error log above occurred because of a problem in Network Manager, in this case particularly with my networking hardware. But to learn more, a deeper analysis of the error is needed.

  5. Alert
    An alert message indicates something odd or something interesting happening on the system / application. An alert message can also signal an anomaly occurring on the system.

Note: In addition, if you want to play around or try to trigger log messages on a Linux / Unix based OS, you can use the logger utility. Logger is used to trigger log messages so that you can see the logs that are there.
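As an added example that is not part of the original post: a Python classifier that buckets syslog lines into the five classes above, taking severity from an explicit tag before falling back to keywords. The first two sample lines are the ones quoted above; the other four are constructed.

```python
# Added example (not from the original post): bucket syslog lines into the five
# classes above.  Severity comes from an explicit tag when the message has one,
# and only then from keywords: a plain `grep error` also catches the
# NetworkManager *<WARN>* line quoted above, which is a warning, not an error.
import re

# Explicit severity tags, checked first; the most severe match wins.
SEVERITY_TAGS = [
    ("alert",   r"<alert>|\[ALERT\]|\bALERT:"),
    ("error",   r"<err(or)?>|\[ERROR\]|\bERROR:"),
    ("warning", r"<warn(ing)?>|\[WARN(ING)?\]|\bWARNING:"),
    ("debug",   r"<debug>|\[DEBUG\]|\bDEBUG:"),
    ("info",    r"<info>|\[INFO\]|\bINFO:"),
]
# Fallback keywords for untagged messages, most severe first.
KEYWORDS = [
    ("alert",   r"\banomal|\bunexpected\b|\bintrusion\b"),
    ("error",   r"\berror\b|\bfailed\b|\bfailure\b"),
    ("warning", r"\bwarn|\bdeprecated\b|\bretry"),
    ("debug",   r"\bdebug\b|\btrace\b"),
]
# Classic BSD syslog line: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:\s]+): ?(?P<msg>.*)$")

def classify(line):
    """Return (level, program, message) for one syslog line."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    msg = m.group("msg")
    for table in (SEVERITY_TAGS, KEYWORDS):
        for level, pattern in table:
            if re.search(pattern, msg, re.IGNORECASE):
                return level, m.group("prog"), msg
    return "info", m.group("prog"), msg  # untagged, no keyword: a normal event

def bucket(lines):
    """Group lines by class, which a keyword grep alone cannot do reliably."""
    out = {level: [] for level in ("info", "debug", "warning", "error", "alert")}
    for line in lines:
        level, prog, msg = classify(line)
        out[level].append(f"{prog}: {msg}")
    return out

def naive_error_grep(lines):
    """What `grep error` does: substring match, regardless of the line's real severity."""
    return [line for line in lines if "error" in line.lower()]

# First two lines are the ones quoted in the post; the rest are constructed samples.
SAMPLE_LINES = [
    "Aug  8 09:52:00 digit-laptop NetworkManager: *<WARN>*  nm_device_wifi_set_mode(): error setting card wlan0 to mode 2: Device or resource busy",
    "Aug  8 09:52:00 digit-laptop nm-dispatcher.action: Script '/etc/NetworkManager/dispatcher.d/01ifupdown' exited with error status 1.",
    "Aug  8 09:53:12 digit-laptop sshd[2211]: Accepted publickey for digit from 192.0.2.10 port 51514 ssh2",
    "Aug  8 09:53:40 digit-laptop kernel: [ 1203.551] usb 1-1: new high-speed USB device number 4 using ehci_pci",
    "Aug  8 09:54:02 digit-laptop cron[2310]: [DEBUG] loading crontab for user digit",
    "Aug  8 09:55:17 digit-laptop sshd[2390]: ALERT: unexpected root login from 198.51.100.7 outside maintenance window",
]
```

Note that the priority `logger -p` assigns travels in the syslog header, not in the message text, so a text-based classifier like this one only sees the tags a program writes into its own messages.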

That is a brief discussion of log message classification by category.


Happy Hacking