Sunday, December 12, 2010

Educating the public ... but don't tell them the wrong info

The Belgian media is covering the Wikileaks story like in every other country. One of the things on our national television news website that caught my attention was the spectacular title "IT Security Expert: Cyber war is actually very simple".

You can't hear the question to the IT security specialist but what he basically explains is a DDoS attack. What he explains is correct but I am quite disappointed in the journalist. I personally think that it is a good thing to make the public aware of what is happening in the world and how attacks are carried out but choosing this title was over the top.

Saturday, October 23, 2010

Fun with SSL

I am working on a project where mutual authentication with SSL has to be done between a Apache mod_proxy and some proxy server at a third party.

I personally did not designed or built the system and after doing an upgrade of httpd one of the instances did not restart when I told it to. It went down and said SSL is already loaded ... fail.

The idea of this server is to listen to tcp/443 and based on the URI redirect to a virtual host running on a specific port. These virtual hosts do some mod_rewrite magic and inject the SSL certificate and then connect to the third party. According to the project manager this can only be done with mod_proxy and no other proxy would allow you to do this.

I tried to restart the other virtual hosts and they went down and up without any problems. So it was just the httpd listening on port 443 that was not coming up.

Since Google is your friend when you got an error message that basically just tells you "sorry, SSL is already in use". I looked at a couple of forum posts and it was pretty clear immediately that it had something to do with the http.conf file.

In the httpd.conf file there was an include directive to load all .conf files from a conf.d directory. So analyzing them one by one I figured out that one of them contained the instructions to load the and of course there was the mod_ssl configuration file which loads as well.

Once I commented out the lines in the other file everything was back up and running.

The RedHat Network

This week I was asked to upgrade RedHat Enterprise server for a customer. I personally use Ubuntu, and not being part of my company's linux group, it was totally new to me. The reason I blog about this is not because it was technically challenging but it took me quite some effort to figure out how it worked.

When you order a license at RedHat, you need to provide an e-mail address. In my case this was the one of the CIO of my customer. The next thing that happens is that the reseller (my company) receives an e-mail with the confirmation of the purchase and the customer receives an email with a link.

It is very important that the customer clicks this link and fills out the form. During this registration he must choose a customer name and password. Once the account is created you have to run the rhn_register command as root.

This takes you through a script where your server connects to the RHN asks for your customer name and password and gathers information about your system. Once your system is registered you can use the yum package manager to actually upgrade the system.

Wednesday, October 6, 2010


Today I discovered the existance of bleachbit. Bleachbit is a nifty little tool that helps you clean up personal info in linux.

Tuesday, September 28, 2010


This weekend it was BruCon again :) and just like last year it was a very nice con.

The first talk I went to see was the keynote "Memoirs of a Data Security Street Fighter" by Mikko Hypponen. I saw Mikko presenting at OWASP this year and I was not so happy about that presentation but this one was much better.

Next talk I went to see was "You Spent All That Money And You Still Got Owned..." by Joseph McCray. I went to see this talk before and it was worth watching it for a second time. Joe explains the things in a very comprehensive way. The talk was a little different and I personally liked it, not that it was better, but it was just a slightly different angle to explain it. But bottom line is still to quote him "fix your shit".

I went to a workshop by Didier Stevens. It was of course about pdf and he took us at a very nice tempo through a bunch of pdf's he prepared on a BackTrack4 VM. Bit by bit we learned to analyze them with the tools (pdfid and pdf-parser) he wrote. If you like to read about this, after BruCon he published a document about this on his blog.

In the afternoon I went to see Cyber[Crime|War] by Ian Amit. It was not a technical talk but it made you think, and I liked it.

Then it was Paul Asadoorian aka Paul from Pauldotcom his turn. I was eager to see his talk about Embedded System Hacking and his plot to take over the world. I've been listening to the Pauldotcom podcast from the very beginning and even in his presentation the world famous 'Bob' stories where present :). The content of the presentation was not that new if you listen to the podcast but still it was cool. Besides giving this presentation Paul also gave a nice presentation during the powerpoint karaoke (a game where you present a random deck of slides you have never seen before in you life).

There was a second workshop I took and that was Damn Vulnerable Web App by Ryan Dewhurst and ethicalhack3r. A nice way to get you in touch with all security problems of a web app. Personally, I think that it should become part of any school training where you make a website.

The last talk I went to see is Chris Nickerson's "top 5 ways to steal the company". I knew Chris from the Pauldotcom podcast. Chris is absolutely correct that companies don't care about how you can own their boxes. Management doesn't understand our technical mumbo-jambo and unless we are not changing our ways of presenting them what it means they will never listen to you.

The best lightning talk I saw was the one by Wicked Clown. Not only just for his cool leather jacket (with the image of a wicked clown on it), but also the RDP vulnerability he demonstrated.

Chris John Riley's totally pimped up his presentation about a tool he wrote in Python called UA-tester. Although his 5 minutes where up, it was amazing to see the difference in results switching between user agents. Something to definitely play around with.

Thanks to everybody involved, it was great.

Monday, August 9, 2010

Google Safebrowsing Webtest

Ever wondered how to check if a website has a record for being infected? Well Google can help you. When they scan the Internet for websites they scan also for malware. When you type in your browser:

You will get a page back with how many pages where scanned and how much malware it found.

For I got these results:
Of the 131,557 pages we have in the past 90 days on the site have been tested, have 31 page (s) without user consent malicious software downloaded and installed. The last time Google visited this site was on 08/08/2010. The last time suspicious content was found on this site was on 08/08/2010. Malicious software includes 132 scripting exploit (s), 3 trojan (s), 2 exploit (s)

It also mentions a bunch of domains like,,,,,, and a bunch of URLs like,, and

I personally think it might be a good idea to have a look at which domains your users are going to, look it up and use this information to filter out the bad stuff.

Friday, July 30, 2010 url - show the real deal

This week I've found out through a post in one of my RSS feeds how to figure out what url is behind a url. You've probably seen them, short urls going You can figure it out by just adding a + after the hash.

When you do this you get a an overview of the number of clicks, when they where clicked, who tweeted about it, wan where the people are from who clicked on it.

We all know that this service has been abused for spreading malware, but I see this info come in handy for a social engineering purpose.

Wednesday, July 14, 2010

Welcome to big hotel

I recently had to visit the office of a customer just outside of Brussels. I knew approximatly where it was. Since I didn't get any GPS signal, I had to ask for directions and I stopped at a hotel near by my destination just to ask for final directions.

The hotel where I stopped is part of a big international chain. I walked up to the front desk where a lovely young lady called Marielle (Dutch accent, the ring on her left hand on the ring finger indicated that she is most probably married) according to her name tag greeted me. I explained my problem. She didn't knew where my customer was located so I social engineered her by simply asking if she had Internet access on her computer and if she had access to a website like Google maps. While she was typing I noticed that on every screen in the left corner there was a post-it with the magic words user: username, password: password.

Suddenly my mind started working in a different way and just for fun I asked if I could come behind the desk to have a look at the Google map and by looking at the screen I noticed that it was an Internet Explorer.

So lets have a look at what we got:
- a name for name dropping
- a target who is susceptible to social engineering
- a browser, which has a good track record of being vulnerable
- a user name and password for something which will be most probably the application for managing the rooms

To say it with the words of Louis Armstrong ... What a wonderful world.

Wednesday, June 30, 2010

From Russia with love - asprox

Tonight i found in my RSS reader that a large amount of websites (some very popular ones in Belgium) are infected with ru/js.js.

It appears that this would come from a trojan call asprox. Originally it was spreading through spam via the Pushdo botnet but the attack vector seemed to have changed.

The new attack vector was possible thanks to SQL Injection. Rondel Mendez wrote an excellent piece about it for M86 security. It explains what de malware does.

The syscolumns xtypes it abuses are, 35 which is text, 99 which is ntext, 167 which is varchar, and 231 which is sysname. As you can see all of which can contain a string which in this case is a url to the botnet.

How to solve this? Simple fix your code, never trust user input, normalize it and check it if the values are acceptable.

Career change


I will you no longer bore you to death with SQL. I have made a career change and since this week I am working in our IT security department (Still the same company).


Friday, June 18, 2010

SQLCMD and the tempdb adventure

I had a call today from a colleague to help her out with an issue. Some customer had moved their tempdb and now she had to fix it because the SQL server instance did not come up. Since I handled such a case in the past she asked me to tell her how I've fixed it. I write this blog post because I had already forgotten a couple of things.

1. Make sure the SQL instance is stopped.
2. Activate the named pipes protocol.
3. Start the SQL instance with the -m option
4. Open a sqlcmd connection with the -e option. Sqlcmd is case sensitive so lookout when you type in the instance name (server\instance).

Thursday, June 17, 2010

Meet Joe McCray

Yesterday there was a last minute OWASP chapter meeting and 2 presentations by Joe McCray of The intro was great: Joe loves hacking, swearing and drinking rum and coke (a.k.a Cuba Libre).

The first presentation was about SQL Injection. Most things Joe talked about where things I already knew but it is always interesting to hear somebody explain how he or she does it, and yes, I've learned new things. I have been to presentations where they had prepared a VM with a vulnerable webapp but not Joe. He did his demo on a live website and enumerated all databases on the webserver. He explained in great detail what kind of injections there are and the conclusion was "Fix your shit". He demonstrated how IDS can help you but is not a silver bullet.

The most important thing I took home from this presentation is that he experienced that not everybody terminates SSL connections, normalized the input and then feeds it to the IDS ... and of course "Fix your shit" :). At the end of the evening we discussed what is the easiest way to get the stuff fixed and his experience was to get vulnerabilities classified as bug by the Quality Assurance people. I think this is a trick I will apply in the future :)

The second presentation was about Web Application Firewalls. I have no experience with application firewalls. I saw some presentations in the past and Joe confirmed what I was thinking about it. It is something to give you some time to "fix your shit" but not the solution.

Joe is coming to BruCon in September 2010 to give a session titled "You Spent All That Money And You Still Got Owned".

Tuesday, June 8, 2010

Wait a second in batch - the ping hack

If you have to wait a couple of seconds in a batch script you can use the following trick:

PING -n 11 >NULL

This will make 11 pings and by chance this takes approximately 11 seconds. If you have a better system let me know.

Monday, May 24, 2010

Lock picking basics

Recently the lock of my mailbox fell into my hands (yes, it is junk but the mailbox is temporary). Now to your regular Joe out there this is usually an inconvenience but I was happy about it because now I could study the lock and try to understand what the good people of Toool where demonstrating at HAR2009.

First we have a look at the lock how it fell into my hands.
If we take out the pins, we see the little, tiny, springs that give the resistance when you put your key into the lock.
This is a detail of a pin. The key goes through the little hole.
If we have a look at the key we notice the pointy and flat parts.
If we put the key into the lock we see that the pins move into their positions. The pins move up and down when the key goes trough it.
If you have a good look you will recognise the flat parts of the key. They are exactly positioned where the pins are.

The picking is done with fine picks you slide into the lock and put gentle pressure on the pins so that they line up. It is easier said than done but it is fun to see a lock pop open without a key and not damaging it ... do you have a mailbox?

Wednesday, May 12, 2010

Even a 10 year old would guess it

Recently I was somewhere in a data center in Belgium where the local administrator password was written down on a post-it and was next to the screen of the console. I don't say I would approve but I could understand if you put it there and the password was complex. This was absolutely not the case, it was the company name.

Some people wonder how those evil hackers can get into their systems even if they have the latest antivirus updates and a firewall ... there is no patch for HumanOS.

My first SQL 2008 cluster on vSphere

Recently I had to install a SQL 2008 cluster on Windows 2008 cluster which was virtualized. I learned some valuable lessons I want to share with you.

First of all there is this new feature in the VM Tools called shared folders. Make sure it is off. It causes an error message and the description has nothing to do with the cause.

The second thing is if you want to install service pack 1 for SQL Server, slipstream it. There is a bug that crashes your installation and you can't actually remove it. The term slipstream is a not really the correct term but it works.

First you unpack the service pack with the /x option and then you need to run /x64/setup/1033/sqlsupport.msi and run it. The next step is to start the SQL Server setup and start it from the command line with the parameter /PCUSource=

More info on slipstream can be fount at

Thursday, March 4, 2010

Kind of grep in your dos-prompt

Do you recognise the situation where you wish that you are on a windows box and grep would be handy to go logs and other text files. There is something called findstr, and it can handle regular expressions.

Saturday, February 13, 2010

password or pa$$w0rd?

This week I had 2 cases where I had the "what!? You 're kidding me, right?" feeling. Both were password related.

I had to give some remote support on a CRM system and the password for the administrator account was pa$$w0rd. I guess the people administrating this systems don't have a clue about what it would mean to loose this asset.

Since I am a MSSQL DBA people automatically assume that I have no clue about linux systems. The other day I got agitated in a meeting because somebody said that linux was not important. I apparently reacted in a way which got the attention of some people because suddenly I got a request to look at a postfix server. When I connected over SSH to the server I had to use an account called administrator and I'll let you get the password ... yep, it was password. I needed root to access some files but my contact was not absolutely sure about the password so I tried my luck and yes, it was password.

Security is not something simple, but some basics like a good password policy and auditing for weak passwords are simple. There are no excuses for these mistakes.

Monday, February 8, 2010


On the first of February I went to a talk by Yuli Stremosky about GreenSQL at OWASP. Yuli gave a very nice talk. He started explaining that shared hosting is not an option for the security aspect since you can be hacked through another website. He quickly explained SQL injections and SQL tautologies.

GreenSQL is a firewall that has to protect you from SQL injection. Basically it works on a reverse proxy-principle. Your application/webserver connects to the GreenSQL Proxy which verifies the query and gets the data from the database.

There are 4 modes to run GreenSQL in:
The IDS mode uses a risk matrix engine that scores the incoming queries and blocks the suspicious queries. The IPS mode uses an heuristics engine to find suspicious queries. If a query is considered illegal, it is checked against a white list. An illegal query results in an empty result set.

GreenSQL uses a pattern matching engine to analyse the SQL queries. The following queries automatically are considered illegal:
  • database administrative commands
  • commands that change a database structure
  • commands that access the file system
I had contact before this talk with the GreenSQL people to see what there plans are for commercial databases like Oracle, DB2 an MS SQL. I got an answer and they are working on it.

Phishers steal CO2-emission certificates

When I was looking through my RSS feeds this morning I came across an article from WebWereld where they talked about the fact that phishing is also used for stealing CO2-emmision certificates.

These certificates are issued for free by the EU and companies trade them between each other, just to be able to pollute more. The day price at the moment they where stolen was 2,5 EUR a piece.

It makes makes no sense to me at all. If I understood the article correctly the certificate does not impose CO2-emission limitations to companies. So basically it is normal that the EU would ask nothing for this certificate, because it does not give you any privileges.

Isn't it kind of weird then that a company is ready to pay 2,5 EUR for something that actually doesn't do anything for your company? The funny part is then that people start stealing these things. It kind of remind me when I was at school and saw kids fight over little plastic disks called flippo's.

Saturday, January 16, 2010

OpenVPN workshop

Today there was an OpenVPN workshop at the Hackerspace Brussels. The workshop was given by Christophe Vandeplas. The first part of the workshop was the theoretical part. The nice thing about the setup was that you did not need any knowledge about networking or VPN.

Christophe took us all through the basics, starting with "how 2 systems talk over a switch" over "how to machines talk over a router" and then going to firewalls, NAT and of course VPN and everything that goes with it.

The second part of the workshop was actually setting up an OpenVPN system. It was really a step by step walktrough.

It was was a great afternoon where I learned a lot. The presentation can be found here. Christophe has also a how-to about the Belgian eID and OpenVPN.