Thursday, February 14, 2008

HeX 1.0.3 Release

HeX System 1.0.3 is finally released. We call it the CNY (Chinese New Year) release, although in fact it is Valentine's Day now. Here's the list of changes -

- pkg_info works after installation
- ping works without sudo
- procfs is correctly mounted on /proc at boot

1. NSM Console 0.6-DEVEL
- 'dump' command added, you can now dump packet payloads into a binary file for later analysis
- Significant speedups in the harimau module and 'checkip' command if wget is installed
- tcpxtract configuration file changed to extract more types of files
- Added foremost module
- Added clamscan module (Thanks JohnQPublic)
- Argus and tcptrace have reverse DNS turned off by default now; it was causing the module to hang on extremely large pcap files. It can be switched on by changing the module options
- rot13 encoding and decoding added :)
- alias command
- urlescape (en|de)coding
- file existence check
- many other things
- All the other enhancements, bugfixes and additions since the 0.2 release (there have been many!)

New Application Packages:
- xplot
- uni2ascii
- vnc
- vsftpd
- samplicator
- sflowtool
- pmacct
- ming
- ploticus
- tcpick
- bvi
- elinks
- feh
- tftpgrab
- arpwatch

- New wallpapers with different color schemes

Thanks to the whole HeX development team for their continuous effort to make HeX possible! Download it while it's hot! The download mirror and liveUSB will be up soon.

- liveCD ISO
- MD5 sum
- SHA256 sum

With the release of FreeBSD 7.0 RC2, we expect the FreeBSD 7.0 release soon, so we are now moving completely to HeX 2.0 development.

Enjoy (;])

Wednesday, February 06, 2008

Happy Chinese New Year 2008

To everyone in da world, Happy Chinese New Year or Happy Holidays!

Wishing you all great performance in everything in the Year of the Rat!

Enjoy <^(, ,) ~

ISSA Journal Toolsmith: HeX System

Thanks to our friend Russ McRee, who has featured HeX System in the February ISSA Journal under the Toolsmith section. You can grab a copy of that particular section at -

I don't want to talk much about the article as Spoonfork has covered the outline here.

If you want to know more about HeX, the easiest way is to download it and try it out! Again, if you have any questions, feel free to ask on the mailing list or come join us in the #rawpacket channel on Freenode IRC. By the way, HeX 1.0.3 is almost released.

Cheers ;]

Friday, February 01, 2008

The Harimau Watchlist

The other day Spoonfork and I had a discussion about the Global Watchlist, and we think it can assist network security analysts in certain ways. Therefore Spoonfork started to work it out, and here's the first alpha version of the Global Watchlist -

So what's the function of this watchlist anyway? Basically, we pull lists of suspected malicious IPs and net ranges from different sources such as SANS DShield, Arbor ATLAS and so forth, then put all of them in one place. This can assist security analysts during their operations, especially when they need to determine what a certain suspected IP is doing: they can just query the IP at the watchlist link, see if it matches, and identify it quickly.

The reason we put them together is not to eliminate the usefulness of the original sites but to make use of them efficiently (I don't think you will want to go to each original site and query the IP one by one), so it's best to have a global watchlist that pulls everything together, which eases the job of the security analyst. In fact, all the credit goes to the original parties, as usual.

A lot of virus/malware researchers rely on VirusTotal, and we think we should have something similar for network security analysts; in fact, dakrone will create a module for you to query the IP from NSM Console.

For the moment, you can also query the IP from the command line -

shell>curl | grep '',,botcc,2008-01-31 17:15:55
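As an added example (not code from the HeX project or this post), here is a small Python lookup over a constructed watchlist in the comma-separated shape the grep output above suggests (entry, source, category, timestamp; the field names are my assumption). Unlike a plain grep for the address string, it also matches an IP that falls inside a listed net range.

```python
import ipaddress
from datetime import datetime

# Constructed sample lines in the assumed format: entry,source,category,timestamp.
# Addresses are documentation ranges; sources/categories are made up for the example.
SAMPLE_WATCHLIST = """\
192.0.2.10,,botcc,2008-01-31 17:15:55
198.51.100.0/24,dshield,scanner,2008-01-30 09:00:00
203.0.113.7,atlas,phishing,2008-01-29 12:30:00
not-an-ip,,junk,2008-01-01 00:00:00
"""


def parse_watchlist(text):
    """Parse watchlist lines into (network, source, category, seen) tuples.

    Single IPs become /32 (or /128) networks so lookups treat both kinds alike.
    Malformed lines are skipped instead of aborting the whole lookup.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",", 3)
        if len(parts) != 4:
            continue
        entry, source, category, seen = parts
        try:
            net = ipaddress.ip_network(entry, strict=False)
            ts = datetime.strptime(seen, "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        entries.append((net, source, category, ts))
    return entries


def lookup(text, ip):
    """Return every watchlist entry whose IP or net range covers `ip`."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for net, source, category, ts in parse_watchlist(text):
        if addr in net:  # address family mismatch simply yields no match
            hits.append({"entry": str(net), "source": source,
                         "category": category, "seen": ts.isoformat(sep=" ")})
    return hits


if __name__ == "__main__":
    print(lookup(SAMPLE_WATCHLIST, "198.51.100.77"))
```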

You may notice that we named our global watchlist The Harimau Watchlist. If you don't know what Harimau is, it means Tiger in the Malay language; thanks to Spoonfork for such a creative name ;P

Enjoy ;]

Mumbling about Scope Detection Process

Putting aside firewall, IPS and H/N IDS technology, or better, forgetting about it entirely, there's one question in mind: what's your answer to the detection process?

Mr. Hacko: No, I don't need all those crappy technologies; what I need is my 1337 skill to hunt for the bugs and fix "all of them" if they introduce serious security flaws. With that I don't need detection no more.

As we are living in a world of dynamic dimensions, security is not as simple as 1+1. There are many things we need to take into account aside from identifying vulnerabilities in software: even a single misconfigured router or application can introduce a hole in the network. On the other hand, people who work in large-scale environments should know that deploying anything in critical networks requires a set of procedures and effort. As we all know, there are certain issues that can't be solved by technical means.

For my part, I advocate Network Security Monitoring (NSM) as it appreciates the value of data in the detection process, and I believe in perimeter security. Forget about how effective your firewall, IPS or IDS is, such as how well it can detect and block malicious traffic, but think of what they can do to assist you in the detection process; the answer is pretty simple - scoping. Scoping reduces the network traffic you need to examine, and it might as well give you a lead on what you need to look at. It's better than finding a needle in the haystack without a clue. On the other hand, vulnerability assessment and code auditing are important too because they eliminate security holes in the application layer, but not all of them.

If you follow the security scene, you may realize that most successful intrusions/extrusions use known attack techniques and are usually driven by script kiddies. A targeted attack is a totally different case: it mostly happens with the co-operation of insiders and careful planning, and the malicious party will choose not to leave a footprint (you can't do this without an insider). They can use 0-days, known vulnerabilities or even valid accounts in your network to hit you; since they have full knowledge of how things work in your network (remember the role of the insider), it doesn't matter.

Attack techniques are getting complex and dynamic today and evolve over time; we can't rely on a single defensive technology to cover our ass anymore. Therefore, if you think you don't need a firewall, IPS or IDS in place, you might as well throw away vulnerability assessment and code auditing, because no matter what you have done, you will still be compromised. For better security, I still believe it requires a combination of different components to make it harder for the threats but easier for our detection process.

I know there are people who think firewalls, IPS or IDS are useless because they can be bypassed, but have you asked how many companies have gone through vulnerability assessment and security code audit processes and are still being compromised? I'm really curious about this.

Play your own role!

Peace ;]