HITBSecConf08 Malaysia

HITBSecConf2008 - Malaysia *VENUE CHANGE!*

August 23rd, 2008 | No Comments | Posted in HITB

The venue for this year’s Hack in The Box Security Conference has been changed to CROWNE PLAZA MUTIARA KUALA LUMPUR. The reason for this change is due to unreasonable conditions placed upon us by The Westin which makes it impossible for us to proceed with having the conference there. Trust that we did try everything possible and greatly regret any inconvenience this change may cause.

Location Maps:
Google Earth View

For full details on the Crowne Plaza Mutiara, please click here

Cheers :)
– aphesz


insert random title here

August 18th, 2008 | 3 Comments | Posted in li.fe, mi.sc

# The draft conference agenda for HITBSecConf2008 Malaysia is now online. Do note that there might be some slight changes in the schedule as we run up towards the conference. The speaker list has been updated and version 2.0 of the PDF conference kit is also available for download. Be advised that come 25th October 2008, conference entrance fee would be MYR1099. Therefore, you are strongly advised to register your seats latest by 24th October 2008 to avoid paying extra.

# I’m still thinking out loud =\

# A wise man once said, “Do not attempt to do anything that involves data wiping if you’re sleepy”. Too bad I found out about that saying a bit too late. I lost about 100GB worth of data which includes trip pictures, installers, web templates, source code etc etc when I sheepishly clicked the “Format” button on TrueCrypt w/o realizing I chose the wrong device to encrypt format. Attempts at data recovery are futile since it was an encrypted format with 3 layers of encryption. Lesson well learnt. *Book tickets to re-snap those lost pictures LOL =S*

# It is so frustrating watching someone close to you decide to start doing stupid things, to the extent of slowly destroying their life without them realising it. Even more disappointing when I know they wouldn’t listen to what you’d say regardless of how much you care about them. *sigh*

# I recently learnt that amazing sweet ladies have the highest tendencies to pick good looking jerks to become their partners, regret it, and repeat the cycle all over again. I wonder why… :P

# iPhone 2.0.1 firmware update works like a charm on my 2G iPhone. Cydia’s repositories are slow as hell and Installer 2.0 is still in beta stage. =(

# qsd remains MIA.

# I really need to take care of that flight reservations to CGK for this Nov. Probably would drop by Bellua one of those days since I’ll be in Jakarta during the same period of time anyways.

# IonBytes is now in her second week of making-sure-everything-runs-smoothly period. A couple of our existing clients residing on various servers are being moved to IonBytes bit by bit. Currently hosting: d1-10rc.com / princeofdrift.com / neoownersclub.com / ariffthani.com and also this particular blog that you’re currently reading ;))

Cheers :D
– aphesz

Coming Soon.. :D

August 6th, 2008 | 2 Comments | Posted in li.fe

Coming soon to your nearest internet exchange! :D

Intel Core2Quad 2.5GHz
8GB DDR2 RAM
750GB SATA HDD w/ 160GB SATA HDD as backup
cPanel 11 w/ Installatron
100Mbps International Uplink

Savvy much? *giggles*

Cheers :)
– aphesz

Thinking out Loud…

July 28th, 2008 | 6 Comments | Posted in li.fe

- Wonders when will those monkeys up there gonna stop playing ‘Pass the Banana’ =\ Soon we might just end up like Monkey Kong Jr. No monkeys killed, all buildings destroyed. If you know what I mean ;)

- Islam teaches its followers to show their utmost respect to other living beings. But why do I see certain students in colleges that join the Usrah Society acting up as if they’re fucking better than everyone else?

- Why do people in The United States of America’s administration offices think they’re *actually* supposed to administrate the whole planet and blatantly ignore local governing power in any other countries not aligned to their current interest or point of view?

- Why do people still prefer to hire people with certificates even though they CAN’T do shit?

- Why the fuck isn’t MY’s minister of technology and etc etc do something or anything about the current average speed and quality of our broadband network? 1Mbps shouldn’t even be categorized as broadband =\. If Streamyx couldn’t even maintain the quality of service for their 1Mbps package and guarantee stability & constant rate, how do they expect others to believe that they can afford to provide 4Mbps ? “Best effort” reasons are BULLSHIT. Jaring’s best effort is 100% better than you guys.

- Why are people tripping about fuel prices going up? It’s a global phenomenon for fuck’s sake! It’s unavoidable since we import oil instead of using our own for local usage (which is half dumb, half smart given the fact that our oils are grade A oils).

- Wonder who’s the smart aleck that came out with a plan to help reduce the people’s burden by giving away MYR625 rebates to everyone that owns a vehicle under 2.0 liter engine capacity, when the gov could’ve just taken the total amount given away and put it into the fuel subsidy tab so the people wouldn’t suffer paying MYR2.70 per liter for fuel.

- Why do the people working in HR or Finance departments remain ignorant of how important IT Security Awareness really is and hope that their in-house technicians know what to do in case of a digital security breach? Reality check people, you may get back your papers if it’s a physical breach but digital breach (read: hack) means expect your private & confidential data to end up on the internet for everyone to see, read, copy, redistribute, etc etc.

- Wonders why do I prefer to keep a distance and see her happy rather than make myself happy. *bangs head on the wall* … Oh well.. :D

Cheers :)
– aphesz

OSSEC HIDS Phishing detection rule

June 24th, 2008 | Comments Off | Posted in how.to, ossec

Web hosting admins have always had problems with phishing attacks / attempts and usually just sit around waiting for an email from the phishing victims’ representatives / datacentre / ISP. For some reason I can’t accept up to this day, a certain datacentre in KL, Malaysia, straight away pulls the plug on their client’s server whenever they receive a phishing email notice, and tells their clients to “delete the phishing sites before we plug it back in”. I’ve faced this problem more than twice this year alone and I’d say it’s stupid. I googled around for phishing detection scripts or similar tools of the trade, but I couldn’t find any. All that is available on the net are tools for end-users / consumers / businesses. So I decided to mingle around with OSSEC HIDS rules, and created a rule that’ll detect phishing sites whenever they are accessed via port 80.

The beauty of this being an IDS rule instead of some bash script running on crontab is that the IDS itself will automatically deny the detected IP from accessing the box again. ALL phishers would definitely try to access their own newly uploaded phishing site at least once, so when that happens, OSSEC IDS will pick it up and deny the IP, thus blocking the phishers from doing any more damage. All you need to do is add this new rule to web_rules.xml, at the end of the file but before the closing </group> tag.

<!-- Consecutive <url> elements are concatenated, so the trailing |
     on the first line joins the two keyword lists into one. -->
<rule id="31190" level="12">
  <if_sid>31100</if_sid>
  <url>paypal.co|hsbc.co|citibank.co|ebay.co|barclays|amazon.co|</url>
  <url>verizon.net|lloyds.com|maybank2u|maybank|e-gold.com</url>
  <description>Phishing sites detected. System check advisable.</description>
  <group>attack,</group>
</rule>

Now restart OSSEC and it should be picking up sites according to the <url></url> keywords set. Keep in mind that the keywords above are just among the few popular sites that are usually being targeted. You’re free to add/remove those keywords as per your needs. Also, if you set OSSEC to email alerts to your mailbox, you’ll be getting these whenever it detects a phishing site:

OSSEC HIDS Notification.
2008 Jun 24 01:34:22

Received From: culprits->/var/log/apache2/evil-access.log
Rule: 31190 fired (level 12) -> "Phishing?"
Portion of the log(s):

xx.xx.xx.xx - - [24/Jun/2008:01:34:20 -0400] "GET /paypal.com/ HTTP/1.1" 200 7 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0"

--END OF NOTIFICATION

OSSEC HIDS: www.ossec.net
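
Before relying on the rule to block IPs, it helps to see what the keyword list would match in an existing access log. The script below is an added example, not part of the original post and not OSSEC's own matcher: it assumes each keyword is treated as a case-insensitive substring of the requested URL, and the log lines and IP addresses are constructed samples.

```python
import re

# Keywords copied from the two <url> elements of rule 31190 on this page.
URL_KEYWORDS = ("paypal.co|hsbc.co|citibank.co|ebay.co|barclays|amazon.co|"
                "verizon.net|lloyds.com|maybank2u|maybank|e-gold.com")

# Client IP, requested URL and status code from an Apache access log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3}) ')

# Constructed sample lines (documentation-range IPs), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Jun/2008:01:34:20 -0400] "GET /paypal.com/ HTTP/1.1" 200 7 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Jun/2008:01:35:02 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Jun/2008:01:35:09 -0400] "GET /out.php?u=http://www.amazon.com/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Jun/2008:01:36:40 -0400] "GET /~user/Maybank2u/login.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [24/Jun/2008:01:37:11 -0400] "GET /shop/cart.php HTTP/1.1" 200 900 "http://www.paypal.com/" "Mozilla/5.0"',
]

def keywords(pattern=URL_KEYWORDS):
    """Split the '|'-separated list, dropping empty entries."""
    return [k.lower() for k in pattern.split("|") if k]

def scan(lines, pattern=URL_KEYWORDS):
    """Return (client, url, status, matched_keywords) for every line that
    would match; keywords are assumed to be case-insensitive substrings."""
    kws, hits = keywords(pattern), []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not an access-log request line
        client, url, status = m.groups()
        matched = [k for k in kws if k in url.lower()]
        if matched:
            hits.append((client, url, int(status), matched))
    return hits

def redundant(pattern=URL_KEYWORDS):
    """Keywords already covered by a shorter keyword in the same list."""
    kws = keywords(pattern)
    return sorted(k for k in kws if any(o != k and o in k for o in kws))

if __name__ == "__main__":
    for client, url, status, matched in scan(SAMPLE_LOG):
        print(f"{client} {status} {url} -> {', '.join(matched)}")
    print("redundant keywords:", redundant())
```

On the sample data the outbound-link request to `/out.php?u=http://www.amazon.com/` matches as well, so under this assumption an ordinary visitor could be the one denied, and the `Maybank2u` hit returned 404, meaning nothing was actually served. The request with `paypal.com` only in the Referer is not reported because only the URL field is checked.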

Cheers :)
– aphesz
