But now it’s time to move on, new challenge, new industry…

I’ve now joined Mimecast as a Technical Operations Engineer.

Mimecast provides email management as a single service in the cloud that helps you slash on-premise email storage requirements, ensure complete email availability, email security and email compliance, while providing services to help you get more from your email. We call it “Unified Email Management”.

Here’s a video that explains how mimecast service works.

I’m really excited about this new role and the new challenge where I’ll be working with core grid team to maintain, design and build core infrastructure, network and security.

I was keeping my eye on the price of D90 in UK at Camera Price Buster (very useful site indeed!). When I was ready to buy it from Currys (it was £709.00 at that time), just decided to do a last minute check on Amazon (I prefer buying from Amazon because never had any problems in the past) and to my surprise Nikon D90 Digital SLR Camera, 18-105 VR Kit was there for just £649.99 by a seller called “rodneyjwillis”. Almost £60 cheaper, Excellent – I thought. Checked the sellers profile/review – it had 100% positive feedback from the buyers, nice comments and seller was with Amazon for almost a year. So, ordered it from Amazon marketplace. I didn’t see anything phisy at that time and anyway I was aware that paying via Amazon will guarantee my purchase with their A-to-z guarantee scheme.

When all other stuff I ordered together with D90 arrived (camera bag, sd card and d90 book), but there was no sign of my D90 being dispatched, let alone delivered. I sensed something was wrong. Went back and checked the seller’s profile – there was one new feedback saying

“BEWARE! This account is being used in a scam – items don’t arrive!”

That got me worried. Sent seller an email and alerted Amazon that this might be a scam. The storefront of the seller was immediately taken off (I guess by Amazon)

Contacted the seller for the status of my delivery – got an email next day saying, the item was dispatched (without any details):

I then replied asking when was it dispatched, if he was sending it from UK and if he could give me the tracking number. In reply I received another copy of exactly the same email. Called Amazon several times and sent several emails. By now I had no doubt in my mind that it was a scam and I wanted my money back, but amazon was sticking to it’s policy of waiting for the 3 days to pass after the seller’s advertised delivery date, which was 11 to 23 June ( I actually placed the order in 5th June). That meant I could only file a-to-z claim after 26th June (which is 3 weeks after my order), and would have to wait for amazon’s investigation (one to two weeks), then when they transfer the money back, it can take up to another 10 days to end up in your account. Almost 2 months before you get your money back in worst case scenario.

I think it’s totally unacceptable for a clear fraud case like this!

When I sent a last email to the seller (June 16) – got this auto-reply saying his amazon account was closed.

After a week of persistent complaining Amazon finally filed the a-to-z claim on my behalf. All in all it was a very dreadful experience. What a waste of time! I’ve spent most of my last week just checking the sellers profile, reading other victims comments, contacting Amazon and worrying…

Here’s the link to scammer’s amazon profile, at the time of this writing more than 70 people have fallen victim to this scam.

I’m sure everyone who paid via amazon will get their money back but Amazon has failed here in a big way. Looks like the seller has duped Amazon more than the buyers. At the end of the day buyers will get their money back. Amazon is the real loser here – the lost customer confidence is more costly for them than the refund they’ll have to make. Amazon should have been more proactive to refund the money to customers since it was a clear fraud case, which happened due to weaknesses in their Marketplace system, but they kept on dragging.

Every amazon’s email had this signature:

“We’re Building Earth’s Most Customer-Centric Company”

But I wasn’t convinced. You couldn’t reply to any emails they sent you because the emails were sent from addresses that cannot accept incoming emails. There might be a valid security reason for doing that but as a customer it was quite difficult to track my email conversation with them (the online contact form didn’t keep any record of my previous emails to them either). I found Amazon’s telephone support to be better than their email.

This just shows that it’s not all safe and well on online purchases. The scammers can trick not only innocent users but successfully dupe big companies like Amazon.

Finally the money refunded by Amazon has appeared in my account. I’m off to local Argos store to get my D90.

First briefly about the company – Sourcerfire was founded by the author of Snort (an open source network intrusion prevention and detection system). Snort is the most popular and widely deployed IDS/IPS and has become the de facto standard for the industry.

So, why do we need Sourcefire (very expensive) if Snort is the best and free?

Right, Snort is the best and free out there but it’s implementation, management and maintenance is not a piece of cake for everyone; that’s where sourcefire comes into play. Sourcefire uses snort at it’s heart to utilize it’s powerful IDS/IPS techonology, with added benefit of plug-n-protect simplicity (the purpose-built appliance is easy to install, maintain and manage), and it comes with tons of extra features that make it very powerful. Sourcefire adds an Adaptive IPS and Enterprise Threat Management (ETM) on top of the Snort IPS. It is managed via user-friendly and intuitive web interface, of course you can always do your advanced config from the shell because it’s a snort installed in a linux box anyway.

Components of Sourcefire 3D System

Sourcefire 3D System is comprised of two appliances (Sourcefire Defense Center and Sourcefire 3D Sensor).

Sourcefire Defense Center (DC) is a centralized management console to manage the sensors, centralized event aggregation and sensor policy administration.

Sourcefire 3D Sensors are purpose-built network security appliances that passively aggregate network and user intelligence while defending the network against internal and external threats.

3D Sensor Modules

Each Sourcefire 3D Sensor is capable of running any combination of the following four software components (you need to buy them separately):

Sourcefire IPS (Intrusion Prevention System) it’s the mighty snort running in background, where you can use rules-based detection engine and utilize the acclaimed Vulnerability Research Team (VRT) to protect your network. The IPS component is included in the base system.

Sourcefire RNA (Real-time Network Awareness) passively monitors real-time network traffic and gathers network intelligence, it can detect operating systems, services, applications, protocols, and potential vulnerabilities that exist on your network. This is a very useful component of Sourcefire but you’ll need to buy the RNA license separately.

Sourcefire RUA (Real-time User Awareness) helps to identify the user identity and contact information, it pairs Active Directory and LDAP usernames with host IP addresses involved in security and compliance events. You’ll need to buy the RUA license separately.

Sourcefire NetFlow Analysis is an optional component of Sourcefire’s Network Behavior Analysis (NBA) solution. It gives additional insight to network threats by aggregating and analyzing NetFlow from routers and switches.

Sourcefire 3D System deployment with Master Defense Center

OK that was about sourcefire. Here’s how you go about getting certified.

Training Course

Sourcefire offers several instructor-led classroom training for Sourcfire 3D systems, out of which SF3D 360 Bundle is the one I took.

Sourcefire 3D™ 360 Bundle Includes:

• Instructor-led Training Sourcefire 3D™ (4 days)
• Sourcefire Certified Professional (SFCP) Certification Exam
• Sourcefire Guarantees
• CPE Credits 32 (for CISSPs)

Course Outline

• Sourcefire 3D System Sensor Deployment and Communications Architecture
• Sourcefire 3D System Overview & Product Installation
• Interface Navigation and Dashboard views
• Sensor Configuration and Management with the Defense Center
• Configuring Interface Sets and Detection Engines
• Administration, Maintenance and System Policy
• System Health Monitoring and Alerting
• Real-time User Awareness
• Adaptive Profiles
• User Account Management
• IPS & RNA Detection Policy Configuration
• Compliance Policy, White Lists and Host Attributes
• Event Analysis and Reporting
• End-Point Intelligence
• Flow Data Analysis and Network Profiling
• Nmap and Nessus Scanning
• Basic Rule Structure and Syntax
• IPS Features and Configuration
• Trouble Shooting and Behind-The-GUI Navigation and Architecture

Certification Exam

The following products and skill areas are assessed through this process:

• Intrusion Management System
• Intrusion Sensors
• Defense Center
• RNA Sensor
• Installation and Deployment
• Administration and Management
• Policy Configuration and Management
• Policy Non-compliance and Remediation
• User Administration and Management
• Reporting Creation and Management
• Effective and Performance Oriented Rule Writing

The certification exam itself consists of 200 multiple choice questions, which you’ll have to complete within 4 hours. Passing score is 75%, you’ll immediately know whether you pass or fail and if you pass the exam certificates are available online for you to print.

I found the instructor-led course very helpful. I have worked with snort before but this was my first introduction to Sourcerfire. After the 4 day course, you’ll have 60 days to prepare and take the exam. Every student is given a second attempt if a passing grade of 75% or better is not achieved on the first attempt.

To prepare for the exam, I went through the training material (page by page) one more time. I also had an access to sourcefire boxes installed in our office lab so, it was very useful. It’s an open book exam, you’ll have slightly more than a minute to answer each question, so you won’t have enough time to go through your materials during the exams. You’ll need to know your stuff to pass it, but having an access to sourcefire box at the time of exam will be very handy (for the user interface questions).

I’ve to say that I’ve been quite reluctant to install third-party apps and post family photos due to privacy concerns, but this new terms of service makes it worse. Now anything you post or upload can be used by facebook even after you close your account. In previous terms of service, facebook’s rights on your content would expire after you closed your account, but not any more.

via: Consumerist

Update (17Feb09): facebook ceo, Zuckerberg has written a blog post about the issue, trying to explain why they need this TOS.

Our philosophy that people own their information and control who they share it with has remained constant. A lot of the language in our terms is overly formal and protective of the rights we need to provide this service to you. Over time we will continue to clarify our positions and make the terms simpler.

Update (18Feb09): After a global complain facebook has returned to previous terms of service (until they find a new language to clarify their position). Zuckerberg explains it in his Update on Terms

We concluded that returning to our previous terms was the right thing for now. As I said yesterday, we think that a lot of the language in our terms is overly formal and protective so we don’t plan to leave it there for long.

Update (27Feb09): Finally, democracy has come to facebook, it’s allowing users to review comment and vote over it’s future policies. That the way to go, well done facebook!

Delivering customer-focused managed network and application delivery solutions that leverage a global network with unrivalled reach, depth and breadth to multinational, service provider and global carrier clients. Over 1400 enterprise customers and 200 carriers depend upon Reliance Globalcom to manage business-critical network solutions and address complex requirements for their businesses and partners throughout the world

Vanco is now Reliance Globalcom, Anil Dihrubhai Ambani group, which is also well known because of it’s chairman Anil Ambani, currently 6th on The World’s Billionaires List.

I feel myself privileged and honored to have this opportunity. At Vanco my role will be exclusively focusing on security, I’m really excited about it. This is a perfect opportunity for me to bring forward my previous network/security expertise as well as learn and grow at this truly global organization.

I’ve installed and tested it in my WinXP SP2 running on my MacBook Pro Vmware Fusion, and this is what I found.

Installation and usage
The installation is easy and straightforward. You just need to follow the on screen instruction. You’ll require: a domain administrator account, a smtp server address to send alerts via email and have to choose either Microsoft Access or MS SQL Server for the back-end database.

Scanning, Reporting and Patching
The user interface is intuitive and easy to use. After the scanning is completed, it gives a nice report of the scan (you can choose to scan a single computer, group or the whole network). In the first scan it let me know that my Office and Windows need some critical patches. If you expand each vulnerabilities then it’ll give the Microsoft ID, download link and the patch release date. You can apply the patch or choose to ignore it by right clicking on it. There’s a handy feature to mass deploy the Microsoft updates on selected computers or all computers in the network. Other notable features in patch deployment are:

- Custom Software deployment
- Uninstallation of Microsoft updates
- Detailed Patch Deployment log

Besides the vulnerabilities the scan reports on open tcp/udp ports, open shares, installed applications, password policies, groups and users (with their privilege, last logon and password age).

You can buy an extra ReportPack to create vulnerabilities scanning reports and system information reports for your managers and bosses. I think it would have been great to have this reporting built in to NSS.

Useful Tools
GFI LANguard NSS comes with very handy tools that a network/security admin uses every day

Conclusion
I’ve tried the GFI LANguard N.S.S 8 for few days and think that it is a very useful tool for network and security administrators. I liked the fact that it has all three useful tools i.e. network vulnerability scanning, patch management and auditing integrated into one. It’s also easy to use and manage. The lack of built-in ReportPack is the only down side of it. Here, I’ve just scratched few features of the product, if you’re interested you can try it for free with 30 days evaluation version before buying it.

Update: GFI have now included the ReportPack for free with GFI LANguard N.S.S. and all other ReportPack-powered software titles on top of the 45% price cut.

Basically you’ve two choice — go for the hardware solutions (expensive with many nice features) or software solutions (possibly free but with limited features). If you want a free and open source solution then Pound is the choice.

Pound is a Free Open Source reverse-proxy, load balancer, SSL wrapper, http/https sanitizer, fail over server and a request redirector:

1. a reverse-proxy: it passes requests from client browsers to one or more back-end servers.
2. a load balancer: it will distribute the requests from the client browsers among several back-end servers, while keeping session information.
3. an SSL wrapper: Pound will decrypt HTTPS requests from client browsers and pass them as plain HTTP to the back-end servers.
4. an HTTP/HTTPS sanitizer: Pound will verify requests for correctness and accept only well-formed ones.
5. a fail over-server: should a back-end server fail, Pound will take note of the fact and stop passing requests to it until it recovers.
6. a request redirector: requests may be distributed among servers according to the requested URL.

Pound is built with security in mind, it can run as setuid/setgid and/or in a chroot jail. It’s a very small, robust and efficient program.

It’s very easy to install and configure.

Installation

pound can be installed from the source or the binary depending on your os distribution.

Configuration

Here’s an example of simple configuration to share the loading between two web servers behind the Pound load balancer

ListenHTTP
Address <real ip address>
Port 80
End
ListenHTTPS
Address <real ip address>
Port 443
Cert “/etc/pound/ssl-cert.pem”
End

Service
BackEnd
Address 192.168.1.2
Port 80
End
BackEnd
Address 192.168.1.3
Port 80
End
End

Pound can keep track of sessions between a client and a back-end server by client address, Basic authentication, URL parameter, cookie or header value. Here’s how we keep the session by cookies

Session
Type Cookie
ID “sess”
TTL 300
End

Pound is straight forward to configure and understand. It’s a perfect choice for free and open source load balancer.

* User enters pass-phrase to begin using the system. Browser retains the pass-phrase as a global variable.
* User requests a list of all data belonging to him.
* For each record, the system stores the associated user ID in plain-text, the record ID in plain form, and the record content only in encrypted form. (The message content is one or more database columns, each encrypted.) Thus, system is able to return a list of record IDs for this user.
* User selects one of the record IDs.
* System checks that this user ID is associated with the record ID, and returns the corresponding message content.
* Browser uses stored pass-phrase to decrypt the contents.

Ok, with that background if you’re ready to store your sensitive information online, here are few choices for you.

Halfnote
Halfnote is a very simple and secure notepad. Easy to register — provide your email address, choose a password, and you’re done. A simple blank notepad is presented, where you can write your secret passwords or documents. It’s very fast and the information is auto-saved as you type. The information you send is encrypted with your pass-phrase but it lacks SSL protection, which could have provided extra security by encrypting the session information.

Passlet
Passlet is a typical online password manager, currently in beta. It has an easy to input entry from where you can input: Title, Username, Password, and Notes. It encrypts the data by deriving 128-bit AES key from your master password. The key derivation is completely performed within the browser. In addition to secure data, Passlet uses SSL for session encryption, we can be sure of connecting to Passlet server by viewing the SSL Certificate.

eSecureKey
eSecureKey is another online password manager, currently in beta. It has a Portlet, which can be accessed with a Secure Key. This Secure Key is different from your login password, and is never transmitted to the server. This is the key used to encode and decode data. The portlet lists the existing entries and allows to add new information with tags for easy listing and searching. eSecureKey sends encrypted data to the server but lacks SSL for the session encryption.

PassPack
PassPack is currently in beta. It uses Packing Key to pack/unpack (encrypt/decrypt) data, which is all done in client side, inside the browser, no keys are sent to the server. It uses AES encryption and special security techniques, like disposable logins, which can be created in advance. Disposable logins are good for one time login only. This is useful when you access your data using a public computer. PassPack has taken the fight against phishing to a new level by allowing users to setup their custom Greeting Message after login, and ip address restriction, where users can choose to allow only certain ip address to have login access. PassPack uses SSL to encrypt session data as well. Other useful features in PassPack are import/export from/to a csv file. You can make an encrypted backup of your secret data using the packing key, and the restoration from the backup file is very easy too.

Clipperz
Clipperz uses local encryption within the browser so, your data is safe like all other online password managers. But Clipperz has some useful features that other online password managers lack. For example, it has a cool feature called direct login, which allows to quickly create a “direct login” link: just one click to authenticate and access the online service without typing any username and password. Another good feature is offline copy, which allows users to dump their encrypted data from Clipperz servers to a local hard disk or USB drive and create a read-only version of Clipperz to be used when there’s no internet connection available. Clipperz is currently available in English, Japanese and Chinese. It stores the passwords and other confidential data in predefined templates called cards. Clipperz has several predefined templates for storing websites, banking, credit card, address book and custom card. There’re some new features coming soon, among them Import and Sharing should be very useful.

Conclusion
I think online password managers are handy and secure enough to store the username/passwords of many websites that we visit on daily basis like, digg, delicious, flicker, etc …. but for myself, I wouldn’t store critical secrets and financial data online yet! If you’re a system admin you might want to check KeePass that works across all platforms. Having said that, if you’re ready to take a plunge into online password managers then technology is ready and there’re excellent choices available. So, if you love simplicity, Halfnote is for you, if you want cool features like direct login or multiple language support, then go for Clipprez, if you want extra security like disposable logins and phishing protection go for PassPack.

1. Passwords

Cryptographic methods, biometrics, and two-factor authentication are becoming popular these days, but in reality we still have to deal with passwords most of the time. So, proper management of password is absolutely critical to the security. It doesn’t have to be complicated. Here are few simple things I recommend to do with the passwords:

Use password manager
Manually keeping up with 100s of login ids and passwords is very difficult, impractical and sometimes impossible. So, use some kind of password management tool. With a proper password manager you don’t have to worry about generating secure passwords, you’ll stop writing passwords in paper, and you don’t have to remember any of them. The password manager will help you with all of these tasks. I use KeePass to manage the passwords. It’s an excellent multi-platform password manager available for Windows, Linux, Mac OS X and Windows Mobile.

Change passwords regularly
Never use same password for two servers or devices, and change them regularly, at least once every 3 months. By using an unique passwords per system you’ll reduce the damage in case a single password is compromised, and by changing the passwords regularly you’ll make the guessing and attacking for the bad guys much harder.

Never send naked passwords
What I mean is, never send a clear-text password over the network. The packets can be easily captured with many freely available tools and packet sniffers. Always use some form of protection when you need to transmit the passwords, e.g. SSL, SSH or VPN connection. You should never use HTTP or Telnet to manage anything over the network. Replace them with HTTPS (SSL) and SSH.

2. Security Updates

Keeping your systems up-to-date is very important, there’re new security patches released by most of the vendors all the time. Sometimes the security updates negatively affect production environment, so it’s recommended to first test the fixes and then only apply to production environment. Anyway, patching the known security holes is critical to stay secure. The longer you take to patch a known security hole the more you’re exposed to attacks.

3. Changes

There’s a nice saying about the change — “Change is the only constant”. I think that’s true for life, and for systems, and networks. We make changes all the time, change firewall rules, add users, delete users, install security patches and so on. The system and network environment keeps changing. It is very important to keep a backup of the last known working configuration of everything, and maintain a change document. So, if suddenly after changing a firewall rule everyone in the network complains about not being able to access a server in DMZ, we should be able to fall back to the previous rule-set easily. If you’ve made some manual changes to a config file to improve the performance of a linux server, you should note it down because after few months you won’t remember the exact changes you’ve made. Knowing what changes you’ve made and being able to fall back keeps you and your environment productive and secure.

4. Stop unnecessary services
Most of the Operating Systems and security devices come with a lot of services installed and running by default. The more services that are running, the more your system is exposed to attack. So, you need to identify all the services running in the system and stop the unnecessary ones. If it’s a firewall, explicitly deny everything first, and start allowing the necessary connection and services. If it’s an operating system, find and stop all the unnecessary services.

By following these 4 simple measures you’ll be able to keep your system and network secure and stable. I’m not saying that just these measures would be enough in all environments, but they’re the basic foundation. I think not only admins but normal users should be following these 4 measures to keep themselves secure in todays wild internet.

Any other simple measures that you take to keep your system and network secure? Comments and emails are welcome.

Snort captures enormous amount of data from the network and generates alert based on the rules and signatures. There’re currently 3 excellent and relatively user friendly ways to manage and analyze the snort data:

1. ACID (Analysis Console for Intrusion Databases)

The Analysis Console for Intrusion Databases (ACID) is a PHP-based analysis engine to search and process a database of security events generated by various IDSes, firewalls, and network monitoring tools.

ACID: Installation and Configuration

2. BASE (Basic Analysis and Security Engine).

It is based on the code from the Analysis Console for Intrusion Databases (ACID) project. This application provides a web front-end to query and analyze the alerts coming from a SNORT IDS system.

Snort, Apache, SSL, PHP, MySQL, and BASE Install on CentOS 4, RHEL 4 or Fedora Core (pdf)

3. Sguil (Snort GUI for LamerZ)

Sguil (pronounced sgweel) is built by network security analysts for network security analysts. Sguil’s main component is an intuitive GUI that provides access to realtime events, session data, and raw packet captures.

Sguil on RedHat HOWTO

If you’re asking what’s the difference between them, then here’s five reasons why Sguil is different from ACID, BASE, and similar products.

Currently I’m trying Sguil to see how good it is. I’ve installed Sguil Server and Sensor in CentOS 4.x and Sguil-Client in my Mac OS X. The server installation was not that easy but once installed, it runs smoothly. I must say that there are many good features in Sguil, among them I like: alerts in near real-time, escalation and accountability features, collection of session data using SANCP and summaries of conversations.