<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-4908217061576309761</id><updated>2012-01-26T12:59:21.461+01:00</updated><category term='exploit db'/><category term='media'/><category term='High Availability'/><category term='DDoS'/><category term='SQL 2008'/><category term='Risk Management'/><category term='cyberwar'/><category term='adito vpn'/><category term='XFS'/><category term='HSB'/><category term='SQL 2005'/><category term='GreenSQL'/><category term='Security'/><category term='SQL injection'/><category term='Brussels'/><category term='OpenVPN'/><category term='Shell'/><category term='RedHat'/><category term='yum'/><category term='OWASP'/><category term='Backup'/><category term='python'/><category term='Logs'/><category term='SEPM database'/><category term='Privacy'/><category term='lockpicking'/><category term='Bruce Schneier'/><category term='HAR2009'/><category term='Windows 2008'/><category term='Toool'/><category term='Hackerspace'/><category term='Cluster'/><category term='blogs'/><category term='ISSA-BE'/><category term='x64'/><category term='cryptograhy'/><category term='SQL Memory'/><category term='apache'/><category term='IPv6'/><category term='LAMP'/><category term='VMWare'/><category term='RHN'/><category term='social engineering'/><category term='personal'/><category term='airport security'/><category term='Security media'/><category term='talk'/><category term='programming'/><category term='FOSS'/><category term='error404'/><category term='pushdo'/><category term='Andy Davidson'/><category term='Registry'/><category term='Google'/><category term='pdf'/><category term='USB'/><category term='Mirroring'/><category 
term='BruCon'/><category term='Public transport'/><category term='mod_ssl'/><category term='Suspect Mode'/><category term='phishing'/><category term='Malware'/><category term='asprox'/><category term='tricks and tools'/><category term='Joomla'/><category term='oizo gallery2'/><category term='database mail'/><category term='Bugs'/><category term='Rondel Mendez'/><category term='Conficker'/><category term='Nitro'/><category term='Symantec'/><category term='Linux'/><category term='rhn_register'/><category term='Tools'/><category term='BNC2012'/><category term='DBA'/><category term='Ripe501'/><category term='password'/><category term='WiFi'/><title type='text'>erik vanderhasselt</title><subtitle type='html'>def makenoteandposttoblog(stuff):</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>85</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-4973712358920984783</id><published>2012-01-25T21:40:00.001+01:00</published><updated>2012-01-25T22:27:45.375+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Nitro'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Symantec'/><title type='text'>Nitro</title><content type='html'>It has been more than 2 months at the CERT. My first task was making a report about what Symantec called the Nitro case.&lt;br /&gt;&lt;br /&gt;Usually I will not blog about this but I learned a couple of valuable lessons.&lt;br /&gt;&lt;br /&gt;The first thing about this case was that social engineering was used and this is real-life proof that it is used out there. Awareness training is a hard but necessary thing. I admit I have no easy solution but I guess that starting with explaining to people what it is might be a good thing. I listen to the SE podcast and one of the items they had on the show is actually ITsec setting up a fake website and sending out email with a link and seeing how many people can be tricked. It is something worth considering I think.&lt;br /&gt;&lt;br /&gt;The next thing I learned is that the modus operandi was that all data was gathered and staged on internal servers. It made me think of a DBA problem. A lot of the customers were not monitoring their servers and network. When you know your hard disk space changed over a couple of nights from x% to z% when you were expecting y% a series of bells should go off. The same thing on the network, the traffic on systems should be predictable. 
Although we have this technology it is not easy to implement and it will not stop the attack; you will only discover it.&lt;br /&gt;&lt;br /&gt;Finally I think the most important lesson is that it can happen to everyone.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-4973712358920984783?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/4973712358920984783/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=4973712358920984783' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/4973712358920984783'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/4973712358920984783'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2012/01/nitro.html' title='Nitro'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-296166763145998532</id><published>2011-12-07T18:11:00.001+01:00</published><updated>2011-12-07T18:24:03.551+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Public transport'/><category scheme='http://www.blogger.com/atom/ns#' term='Brussels'/><title type='text'>Kids vs Adults 1-0</title><content type='html'>For a while now we have had these subway access gates. 
The main idea is that everybody would pay for their ride. Pretty soon you saw people piggy backing with people that did pay.&lt;br /&gt;&lt;br /&gt;Not so long ago I saw a couple of 8 year olds outsmart the adults :). Instead of all, one by one, forcing themselves through the little gate only one did it. He went to the exit gate that opens without any verification. The kid let his friends in and off they were to discover the world.&lt;br /&gt;&lt;br /&gt;I personally think it is wrong not to pay for public transport but I must say that I liked the fact that adults got outsmarted by 8 year olds.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-296166763145998532?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/296166763145998532/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=296166763145998532' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/296166763145998532'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/296166763145998532'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2011/12/kids-vs-adults-1-0.html' title='Kids vs Adults 1-0'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' 
src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-7250349604088372634</id><published>2011-11-26T10:12:00.001+01:00</published><updated>2011-12-07T18:11:17.026+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Andy Davidson'/><category scheme='http://www.blogger.com/atom/ns#' term='Ripe501'/><category scheme='http://www.blogger.com/atom/ns#' term='IPv6'/><category scheme='http://www.blogger.com/atom/ns#' term='BNC2012'/><title type='text'>IPv6 talk at BNC 2011</title><content type='html'>A couple of weeks ago I was at the Belnet Network Conference 2011 and there were a couple of interesting talks but I want to write in particular about some advice that was given during the talk of Andy Davidson about implementing IPv6.&lt;br /&gt;&lt;br /&gt;This was his advice:&lt;br /&gt;&lt;br /&gt;1. Buy only IPv6 enabled hardware and software. Since quite a number of people had to do this a kind of template called the Ripe501 template http://www.ripe.net/ripe/docs/ripe-501&lt;br /&gt;came into existence.&lt;br /&gt;&lt;br /&gt;I personally think that the remark of paying attention to software too is quite correct. Thinking about hardware is very normal, but one has to take into account that you have to manage the hardware.&lt;br /&gt;&lt;br /&gt;2. Make sure you have connectivity.&lt;br /&gt;This is pretty obvious, if you want to have a connection to the Internet, you need connectivity.&lt;br /&gt;&lt;br /&gt;3. Make sure you train your staff.&lt;br /&gt;It seems normal to the outside world that IT people have knowledge about IT stuff so you have to train them.&lt;br /&gt;&lt;br /&gt;4. Do trials&lt;br /&gt;Ok, it seems dumb to put a car on the market before doing crash tests but the same thing applies to your IT infrastructure. 
If you don't make sure you have done your tests you will regret it.&lt;br /&gt;&lt;br /&gt;5. Take it to the users&lt;br /&gt;Once you've done your tests, take it to your users. Some trouble might come up but it should be minimal.&lt;br /&gt;&lt;br /&gt;6. Dual stack some of your services.&lt;br /&gt;&lt;br /&gt;7. Dual stack all of your services.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-7250349604088372634?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/7250349604088372634/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=7250349604088372634' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/7250349604088372634'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/7250349604088372634'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2011/11/ipv6-talk-at-bnc-2011.html' title='IPv6 talk at BNC 2011'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-2988681417500701285</id><published>2011-05-17T22:51:00.007+02:00</published><updated>2011-05-17T23:31:59.495+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='adito vpn'/><title type='text'>Fun with Adito VPN</title><content 
type='html'>I once saw a demo of &lt;a href="http://sourceforge.net/projects/openvpn-als/"&gt;Adito VPN&lt;/a&gt; on &lt;a href="http://hak5.org/"&gt;Hak5&lt;/a&gt; and I was pretty impressed by it. Recently I had to install one and although it didn't go as smoothly as in the video the install was still easy.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The first step was preparing the OS. In my case it was Ubuntu. I needed to adapt my /etc/apt/sources.list so I could install partner repository software.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Our first part in preparing the OS is installing &lt;a href="http://www.oracle.com/technetwork/java/index.html"&gt;Sun Java&lt;/a&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;$ sudo apt-get update&lt;/div&gt;&lt;div&gt;$ sudo apt-get install sun-java6-bin sun-java6-jdk&lt;/div&gt;&lt;div&gt;$ export JAVA_HOME=/usr/lib/jvm/java-6-sun&lt;/div&gt;&lt;div&gt;$ export PATH=$PATH:$JAVA_HOME/bin&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;To test if java works correctly:&lt;/div&gt;&lt;div&gt;$ java -version&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The second step in preparing the OS is installing &lt;a href="http://ant.apache.org/"&gt;ant&lt;/a&gt;.&lt;/div&gt;&lt;div&gt;$ sudo apt-get install ant&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Now we come to the phase where we can install Adito.&lt;/div&gt;&lt;div&gt;$ cd /opt&lt;/div&gt;&lt;div&gt;$ wget http://downloads.sourceforge.net/project/openvpn-als/adito/adito-0.9.1/adito-0.9.1-bin.tar.gz (note: at time of writing this was the latest version.)&lt;/div&gt;&lt;div&gt;$ sudo tar zxvf *.gz&lt;/div&gt;&lt;div&gt;$ cd adito-0.9.1/&lt;/div&gt;&lt;div&gt;$ sudo ant install&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;At a certain point in the installation you'll get the request to open a browser and open a session to http://server:28080/&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;This web-based 
wizard helps you configure Adito. First I had to create a new certificate and choose a nice passphrase for it. The next page was for the details of the certificate. After creating the certificate I created the administrative user and configured on which port the server has to listen for which interfaces. If you use a proxy, you can also configure this.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The last step was less easy to figure out. The normal procedure is:&lt;/div&gt;&lt;div&gt;$ ant install-service&lt;/div&gt;&lt;div&gt;$ ant start&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The output to screen said that the start dynamically created a wrapper but eventually I got the following message back:&lt;/div&gt;&lt;div&gt;  [exec] exec: 370: install/platforms/linux/x86/wrapper: not found&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The solution to this problem was to have a look at /etc/init.d/adito in an editor.&lt;/div&gt;&lt;div&gt;The new script looks like this:&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: 'Lucida Grande', 'Lucida Sans Unicode', Calibri, Arial, Helvetica, Sans, FreeSans, Jamrul, Garuda, Kalimati; font-size: 13px; line-height: 16px; "&gt;#!/bin/bash&lt;br /&gt;#&lt;br /&gt;export WRAPPER_CONF="/opt/adito-0.9.1/conf/wrapper.conf"&lt;br /&gt;#exec /opt/adito-0.9.1/install/platforms/linux/adito $*&lt;br /&gt;cd /opt/adito-0.9.1&lt;br /&gt;ant start-using-java &amp;amp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: 'Lucida Grande', 'Lucida Sans Unicode', Calibri, Arial, Helvetica, Sans, FreeSans, Jamrul, Garuda, Kalimati; font-size: 13px; line-height: 16px; "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: 'Lucida Grande', 'Lucida Sans Unicode', Calibri, Arial, Helvetica, Sans, FreeSans, Jamrul, Garuda, Kalimati; font-size: 13px; line-height: 16px; "&gt;To start Adito 
VPN:&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: 'Lucida Grande', 'Lucida Sans Unicode', Calibri, Arial, Helvetica, Sans, FreeSans, Jamrul, Garuda, Kalimati; font-size: 13px; line-height: 16px; "&gt;$ sudo /etc/init.d/adito start&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: 'Lucida Grande', 'Lucida Sans Unicode', Calibri, Arial, Helvetica, Sans, FreeSans, Jamrul, Garuda, Kalimati; font-size: 13px; line-height: 16px; "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: 'Lucida Grande', 'Lucida Sans Unicode', Calibri, Arial, Helvetica, Sans, FreeSans, Jamrul, Garuda, Kalimati; font-size: 13px; line-height: 16px; "&gt;A nice resource for more information is &lt;/span&gt;&lt;a href="http://www.8layer8.com/"&gt;http://www.8layer8.com&lt;/a&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-2988681417500701285?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/2988681417500701285/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=2988681417500701285' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/2988681417500701285'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/2988681417500701285'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2011/05/fun-with-adito-vpn.html' title='Fun with Adito VPN'/><author><name>Erik 
Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-1846875954935038748</id><published>2011-03-22T21:46:00.002+01:00</published><updated>2011-03-22T22:16:41.553+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Privacy'/><category scheme='http://www.blogger.com/atom/ns#' term='ISSA-BE'/><title type='text'>Privacy is not an option</title><content type='html'>Yesterday there was an &lt;a href="http://www.issa-be.org/"&gt;ISSA-BE&lt;/a&gt; event about IT and privacy. &lt;a href="http://www.linkedin.com/in/marcvael"&gt;Marc Vael&lt;/a&gt; gave a very good presentation on what privacy is and what laws do apply. &lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The first thing to know is that the European directive, &lt;a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML"&gt;1995/46/EC&lt;/a&gt;, is according to Marc one of the better ones on this planet. Each European  country made it part of its law but some countries like Germany and Italy are more severe than others. Another interesting fact is that the directive applies to the &lt;a href="http://ec.europa.eu/world/agreements/prepareCreateTreatiesWorkspace/treatiesGeneralData.do?step=0&amp;amp;redirect=true&amp;amp;treatyId=1"&gt;EEA&lt;/a&gt;, the European Economic Area.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I asked Marc the question how to handle these differences as an organization. The best way to handle this is creating a baseline valid for all members of the EEA and make sure that you add the specific requirements for the more severe states. 
&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;An interesting fact is that if you for instance visit a website in South-Africa, it is the South-African law that applies to the personal data. The reasoning is that the law applies where the company owning the website is located. This creates very interesting situations, &lt;a href="http://www.google.com/intl/en/about.html"&gt;Google &lt;/a&gt;is a global company with sites all over the EEA but if you log in over their web servers in the USA, it would be the American law that applies.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;One of the nice remarks that the presenter made was that personal information and sensitive data are not the same thing.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Since we were talking about dealing with international privacy we discussed the &lt;a href="http://www.export.gov/safeharbor/"&gt;US safe harbor frameworks&lt;/a&gt;. &lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-1846875954935038748?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/1846875954935038748/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=1846875954935038748' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/1846875954935038748'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/1846875954935038748'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2011/03/privacy-is-not-option.html' title='Privacy is not an option'/><author><name>Erik 
Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-7209062551825017661</id><published>2011-02-23T09:55:00.003+01:00</published><updated>2011-02-23T10:28:18.278+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='XFS'/><title type='text'>Mounting XFS</title><content type='html'>Somebody I know recently had trouble with his NAS and needed to turn in the NAS device but wanted to recover his data. According to the information he was able to gather it was an XFS file system.&lt;br /&gt;&lt;br /&gt;He had little to no Linux knowledge but to recover he made an Ubuntu machine and asked for my help to mount his drive. I didn't have any previous experience with XFS so here is how we did it:&lt;br /&gt;&lt;br /&gt;The device showed up in the system as sdb3.&lt;br /&gt;&lt;br /&gt;1. sudo mkdir /media/nadisk&lt;br /&gt;2. 
sudo mount -o inode64 -t xfs /dev/sdb3 /media/nadisk&lt;br /&gt;&lt;br /&gt;After this he was able to get his data back and bring his NAS device back to the store :)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-7209062551825017661?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/7209062551825017661/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=7209062551825017661' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/7209062551825017661'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/7209062551825017661'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2011/02/mounting-xfs.html' title='Mounting XFS'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-1414775770743331917</id><published>2011-02-14T14:29:00.004+01:00</published><updated>2011-02-23T11:03:22.883+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SEPM database'/><title type='text'>Symantec Endpoint Protection 11.0.6 MR2 and the internal database</title><content type='html'>I had the case where I did an implementation of SEP 11.0.6 MR2 and the internal database grew too big. 
Thanks to my previous life as a DBA I was able to interpret the logs and discovered a couple of problems:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;1. The cache size for the database was set to 65536K for both the lower and the upper limit.&lt;br /&gt;&lt;br /&gt;The cache size for a database varies with its size, but there is no direct parameter with which you can influence this.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;2. No unique index or primary key for table "a_table_in_the_database" in database "sem5".&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;3. Performance warning: Database file "...\Program Files\Symantec\Symantec Endpoint Protection Manager\db\sem5.db" consists of 9468 disk fragments.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Just for info, the internal database of Symantec is a Sybase database, so it is very similar to MS SQL 2000.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;I opened a case at Symantec Support and after the classic "gather the logs" round we finally concentrated on the database.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Step zero was of course to run dbvalidator.cmd ("...\Program Files\Symantec\Symantec Endpoint Protection Manager\Tools") and this showed that the database was still ok to use.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The first step was making a backup with the "Backup and Restore" tool that comes with the installation. The next step was to open "services.msc" and stop the Symantec Endpoint Protection Manager services and stop/start the Symantec database service. The database backup was written as a zip file to "...\Program Files\Symantec\Symantec Endpoint Protection Manager\data\backup\"&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;To shrink the database I needed to execute the following command:&lt;br /&gt;&lt;br /&gt;'...\Program Files\Symantec\Symantec Endpoint Protection Manager\ASA\Win32\dbunload -c "uid=dba;pwd=your_install_db_pwd" -ar '. 
The -c specifies the connection parameters and the -ar means rebuild and replace.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;I asked the engineer whether the shrink tool can be used on the MS SQL database but according to the engineer this was not the case.&lt;br /&gt;&lt;br /&gt;The database was back to a normal size and the server disk was happy again.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-1414775770743331917?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/1414775770743331917/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=1414775770743331917' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/1414775770743331917'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/1414775770743331917'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2011/02/symantec-endpoint-protection-1106-mr2.html' title='Symantec Endpoint Protection 11.0.6 MR2 and the internal database'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-5067671936289766664</id><published>2011-01-12T22:33:00.005+01:00</published><updated>2011-01-12T23:09:13.767+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='error404'/><category 
scheme='http://www.blogger.com/atom/ns#' term='exploit db'/><category scheme='http://www.blogger.com/atom/ns#' term='Joomla'/><category scheme='http://www.blogger.com/atom/ns#' term='oizo gallery2'/><title type='text'>Error 404 ... we are watching you.</title><content type='html'>The other day I helped out with the coding of a php page for error 404 handling in a Joomla framework. The idea was that when a 404 is generated the event would be logged for analysis.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The results were pretty boring, &lt;a href="http://en.wikipedia.org/wiki/Googlebot"&gt;GoogleBot&lt;/a&gt; who scanned the website for pages that didn't exist anymore ... so nothing special to report until I got this one:&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; "&gt;Page:/[a path on the server]/index.php&lt;br /&gt;Browser:Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; de;rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 Request Method: GET Request&lt;br /&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; "&gt;Request URI: /en/components/com_&lt;wbr&gt;oziogallery2/imagin/scripts_&lt;wbr&gt;ralcr/filesystem/writeToFile.&lt;wbr&gt;php&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span" style="border-collapse: collapse;"&gt;The remote IP addresses were &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small; -webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; "&gt;188.61.137.55&lt;/span&gt;&lt;span class="Apple-style-span" 
style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; "&gt; and &lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; "&gt;&lt;span class="Apple-style-span" style="border-collapse: separate; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small; -webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; "&gt;195.191.54.46&lt;/span&gt;. A lookup on &lt;a href="http://www.maxmind.com/app/lookup_city"&gt;MaxMind Geoip&lt;/a&gt; shows us that  &lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small; -webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; "&gt;188.61.137.55 is an IP address in &lt;a href="http://www.aarau.ch/"&gt;Aarau&lt;/a&gt;, Switzerland (ISP: &lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small; -webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; "&gt;&lt;a href="http://www.bluewin.ch/"&gt;Bluewin&lt;/a&gt;) and &lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small; -webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; "&gt;195.191.54.46 is an IP in &lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small; -webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; "&gt;&lt;a href="http://en.wikipedia.org/wiki/Latvia"&gt;Latvia&lt;/a&gt; (ISP:Sia Venditore&lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small; -webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; "&gt;).&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, 
Arial, Helvetica, sans-serif; font-size: small; -webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small; -webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; "&gt;It was clear that this scan was part of some scanner but why the website on which my code is running is targeted is still unclear to me. The &lt;a href="http://extensions.joomla.org/extensions/photos-a-images/photo-gallery/4883"&gt;ozio gallery2&lt;/a&gt; was never installed on this Joomla installation.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small; -webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small; -webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; "&gt;A Google search for the websites with a URL containing the string "&lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; "&gt;/en/components/com_&lt;wbr&gt;oziogallery2&lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small; -webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; "&gt;" gave me a list of 13.500 possibly exploitable sites. 
A look at &lt;a href="http://www.exploit-db.com/exploits/10979/"&gt;exploit db&lt;/a&gt; immediately gave us an insight into what the attacker was up to.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small; -webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small; -webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; "&gt;So my lessons learned from this are:&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small; -webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; "&gt;1. Modify the error 404 page in any framework so you can find interesting data.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small; -webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; "&gt;2. I have proof that any website is scanned and there does not have to be any particular reason. 
This was an eye opener to the person who asked me to code the page.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-5067671936289766664?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/5067671936289766664/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=5067671936289766664' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/5067671936289766664'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/5067671936289766664'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2011/01/error-404-we-are-watching-you.html' title='Error 404 ... 
we are watching you.'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-6772714116963093656</id><published>2010-12-12T20:30:00.003+01:00</published><updated>2010-12-12T21:45:21.073+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='DDoS'/><category scheme='http://www.blogger.com/atom/ns#' term='cyberwar'/><category scheme='http://www.blogger.com/atom/ns#' term='media'/><title type='text'>Educating the public ... but don't tell them the wrong info</title><content type='html'>The Belgian media is covering the &lt;a href="http://wikileaks.info/"&gt;Wikileaks&lt;/a&gt; story like in every other country. One of the things on our &lt;a href="http://www.deredactie.be"&gt;national television news website&lt;/a&gt; that caught my attention was the spectacular title "&lt;a href="http://www.deredactie.be/permalink/1.922515"&gt;IT Security Expert: Cyber war is actually very simple&lt;/a&gt;".&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;You can't hear the question to the &lt;a href="http://be.linkedin.com/in/janguldentops"&gt;IT security specialist&lt;/a&gt; but what he basically explains is a DDoS attack. What he explains is correct but I am quite disappointed in the journalist. 
I personally think that it is a good thing to make the public aware of what is happening in the world and how attacks are carried out but choosing this title was over the top.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-6772714116963093656?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/6772714116963093656/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=6772714116963093656' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/6772714116963093656'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/6772714116963093656'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2010/12/education-public-but-dont-tell-them.html' title='Educating the public ... 
but don&apos;t tell them the wrong info'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-8810150495681052321</id><published>2010-10-23T11:05:00.004+02:00</published><updated>2010-10-23T11:27:08.015+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='mod_ssl'/><category scheme='http://www.blogger.com/atom/ns#' term='apache'/><title type='text'>Fun with SSL</title><content type='html'>I am working on a project where mutual authentication with SSL has to be done between an Apache mod_proxy and some proxy server at a third party.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I personally did not design or build the system and after doing an upgrade of httpd one of the instances did not restart when I told it to. It went down and said SSL is already loaded ... fail.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The idea of this server is to listen to tcp/443 and based on the URI redirect to a virtual host running on a specific port. These virtual hosts do some mod_rewrite magic and inject the SSL certificate and then connect to the third party. According to the project manager this can only be done with mod_proxy and no other proxy would allow you to do this.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I tried to restart the other virtual hosts and they went down and up without any problems. So it was just the httpd listening on port 443 that was not coming up. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Since Google is your friend when you get an error message that basically just tells you "sorry, SSL is already in use", 
I looked at a couple of forum posts and it was pretty clear immediately that it had something to do with the httpd.conf file.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;In the httpd.conf file there was an include directive to load all .conf files from a conf.d directory. So analyzing them one by one I figured out that one of them contained the instructions to load the mod_ssl.so and of course there was the mod_ssl configuration file which loads mod_ssl.so as well.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Once I commented out the lines in the other file everything was back up and running.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-8810150495681052321?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/8810150495681052321/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=8810150495681052321' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/8810150495681052321'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/8810150495681052321'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2010/10/fun-with-ssl.html' title='Fun with SSL'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' 
src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-6738556750294305242</id><published>2010-10-23T10:50:00.003+02:00</published><updated>2010-10-23T11:04:57.735+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='RHN'/><category scheme='http://www.blogger.com/atom/ns#' term='Linux'/><category scheme='http://www.blogger.com/atom/ns#' term='RedHat'/><category scheme='http://www.blogger.com/atom/ns#' term='yum'/><category scheme='http://www.blogger.com/atom/ns#' term='rhn_register'/><title type='text'>The RedHat Network</title><content type='html'>This week I was asked to upgrade a RedHat Enterprise server for a customer. I personally use Ubuntu, and not being part of my company's Linux group, it was totally new to me. The reason I blog about this is not because it was technically challenging but it took me quite some effort to figure out how it worked.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;When you order a license at RedHat, you need to provide an e-mail address. In my case this was the one of the CIO of my customer. The next thing that happens is that the reseller (my company) receives an e-mail with the confirmation of the purchase and the customer receives an email with a link.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;It is very important that the customer clicks this link and fills out the form. During this registration he must choose a customer name and password. Once the account is created you have to run the rhn_register command as root.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;This takes you through a script where your server connects to the RHN, asks for your customer name and password and gathers information about your system. 
Once your system is registered you can use the yum package manager to actually upgrade the system.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-6738556750294305242?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/6738556750294305242/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=6738556750294305242' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/6738556750294305242'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/6738556750294305242'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2010/10/redhat-network.html' title='The RedHat Network'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-4938661196506847877</id><published>2010-10-06T20:52:00.002+02:00</published><updated>2010-10-06T20:55:58.062+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Tools'/><title type='text'>Bleachbit</title><content type='html'>Today I discovered the existence of &lt;a href="http://bleachbit.sourceforge.net/"&gt;bleachbit&lt;/a&gt;. 
Bleachbit is a nifty little tool that helps you clean up personal info in linux.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-4938661196506847877?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/4938661196506847877/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=4938661196506847877' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/4938661196506847877'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/4938661196506847877'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2010/10/bleachbit.html' title='Bleachbit'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-7843926911531374954</id><published>2010-09-28T21:16:00.006+02:00</published><updated>2010-09-28T22:38:56.702+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='BruCon'/><category scheme='http://www.blogger.com/atom/ns#' term='OWASP'/><category scheme='http://www.blogger.com/atom/ns#' term='Malware'/><category scheme='http://www.blogger.com/atom/ns#' term='python'/><category scheme='http://www.blogger.com/atom/ns#' term='pdf'/><title 
type='text'>BruCon2010</title><content type='html'>This weekend it was &lt;a href="http://2010.brucon.org/"&gt;BruCon&lt;/a&gt; again :) and just like last year it was a very nice con.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The first talk I went to see was the keynote "Memoirs of a Data Security Street Fighter" by &lt;a href="http://mikko.hypponen.com/"&gt;Mikko Hypponen&lt;/a&gt;. I saw Mikko presenting at &lt;a href="http://www.owasp.org/"&gt;OWASP&lt;/a&gt; this year and I was not so happy about that presentation but this one was much better.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Next talk I went to see was "You Spent All That Money And You Still Got Owned..." by &lt;a href="http://www.twitter.com/j0emccray"&gt;Joseph McCray&lt;/a&gt;. I went to see this talk before and it was worth watching it for a second time. Joe explains the things in a very comprehensive way. The talk was a little different and I personally liked it, not that it was better, but it was just a slightly different angle to explain it. But bottom line is still to quote him "fix your shit".&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I went to a workshop by &lt;a href="http://blog.didierstevens.com/"&gt;Didier Stevens&lt;/a&gt;. It was of course about pdf and he took us at a very nice tempo through a bunch of pdf's he prepared on a &lt;a href="http://www.backtrack-linux.org/"&gt;BackTrack4&lt;/a&gt; VM. Bit by bit we learned to analyze them with the tools (pdfid and pdf-parser) he wrote. If you like to read about this, after BruCon he published a &lt;a href="http://blog.didierstevens.com/2010/09/26/free-malicious-pdf-analysis-e-book/"&gt;document&lt;/a&gt; about this on his blog.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;In the afternoon I went to see Cyber[Crime|War] by &lt;a href="http://www.iamit.org/blog"&gt;Ian Amit&lt;/a&gt;. 
It was not a technical talk but it made you think, and I liked it.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Then it was the turn of Paul Asadoorian aka Paul from &lt;a href="http://pauldotcom.com/"&gt;Pauldotcom&lt;/a&gt;. I was eager to see his talk about Embedded System Hacking and his plot to take over the world. I've been listening to the Pauldotcom podcast from the very beginning and even in his presentation the world famous 'Bob' stories were present :). The content of the presentation was not that new if you listen to the podcast but still it was cool. Besides giving this presentation Paul also gave a nice presentation during the powerpoint karaoke (a game where you present a random deck of slides you have never seen before in your life).&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;There was a second workshop I took and that was &lt;a href="http://www.dvwa.co.uk/"&gt;Damn Vulnerable Web App&lt;/a&gt; by Ryan Dewhurst and &lt;a href="http://www.ethicalhack3r.co.uk/"&gt;ethicalhack3r&lt;/a&gt;. A nice way to get you in touch with all security problems of a web app. Personally, I think that it should become part of any school training where you make a website.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The last talk I went to see is Chris Nickerson's "top 5 ways to steal the company". I knew Chris from the &lt;a href="http://pauldotcom.com/"&gt;Pauldotcom&lt;/a&gt; podcast. Chris is absolutely correct that companies don't care about how you can own their boxes. Management doesn't understand our technical mumbo-jumbo and unless we change our ways of presenting to them what it means they will never listen to you.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The &lt;a href="http://www.tombstone-bbs.co.uk/v1d30z/rdp-hack2.swf"&gt;best lightning talk&lt;/a&gt; I saw was the one by &lt;a href="http://www.tombstone-bbs.co.uk/"&gt;Wicked Clown&lt;/a&gt;. 
Not just for his cool leather jacket (with the image of a wicked clown on it), but also for the RDP vulnerability he demonstrated.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;a href="http://blog.c22.cc/"&gt;Chris John Riley&lt;/a&gt; totally pimped up his presentation about a tool he wrote in Python called &lt;a href="http://blog.c22.cc/2010/09/25/ua-tester-1-0-released-now-with-38-more-pimp/"&gt;UA-tester&lt;/a&gt;. Although his 5 minutes were up, it was amazing to see the difference in results switching between user agents. Something to definitely play around with.&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: 15.6px; "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: 15.6px; "&gt;Thanks to everybody involved, it was great. &lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-7843926911531374954?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/7843926911531374954/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=7843926911531374954' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/7843926911531374954'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/7843926911531374954'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2010/09/brucon2010.html' title='BruCon2010'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' 
width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-7302450430342038562</id><published>2010-08-09T09:56:00.003+02:00</published><updated>2010-08-09T10:17:29.254+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Google'/><title type='text'>Google Safebrowsing Webtest</title><content type='html'>Ever wondered how to check if a website has a record for being infected? Well, Google can help you. When they scan the Internet for websites they also scan for malware. When you type in your browser:&lt;div&gt;&lt;br /&gt;&lt;div&gt;http://google.com/safebrowsing/diagnostic?site=&lt;your_website&gt;/&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;You will get a page back with how many pages were scanned and how much malware it found.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;For facebook.com I got these results:&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:Arial, sans-serif;"&gt;&lt;span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 15.6px; line-height: 22px; "&gt;&lt;span title=""&gt;Of the 131,557 pages we have in the past 90 days on the site have been tested, have 31 page (s) without user consent malicious software downloaded and installed. &lt;/span&gt;&lt;span title="" style="background-color: rgb(255, 255, 255); "&gt;The last time Google visited this site was on 08/08/2010. &lt;/span&gt;&lt;span title="" style="background-color: rgb(255, 255, 255); "&gt;The last time suspicious content was found on this site was on 08/08/2010. 
&lt;/span&gt;&lt;span title="" style="background-color: rgb(255, 255, 255); "&gt;Malicious software includes 132 scripting exploit (s), 3 trojan (s), 2 exploit (s)&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:Arial, sans-serif;"&gt;&lt;span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 15.6px; line-height: 22px; "&gt;&lt;span title="" style="background-color: rgb(255, 255, 255); "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:Arial, sans-serif;"&gt;&lt;span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 15.6px; line-height: 22px; "&gt;&lt;span title="" style="background-color: rgb(255, 255, 255); "&gt;It also mentions a bunch of domains like abeermahmoud.jeeran.com, albetaqa.jeeran.com, imageshack.us, rmooosh.net, textstream.co.za, freedesignlogo.com, and a bunch of URLs like facebook.com/dogswxeunck, facebook.com/pages/samra-iraq/imam-medhi-/85996831974/, and pdashmedia.com&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:Arial, sans-serif;"&gt;&lt;span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 15.6px; line-height: 22px; "&gt;&lt;span title="" style="background-color: rgb(255, 255, 255); "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:Arial, sans-serif;"&gt;&lt;span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 15.6px; line-height: 22px; "&gt;&lt;span title="" style="background-color: rgb(255, 255, 255); "&gt;I personally think it might be a good idea to have a look at which domains your users are going to, look it up and use this information to filter out the bad stuff.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span 
class="Apple-style-span"    style="font-family:'Lucida Grande', 'Lucida Sans Unicode', Verdana, Arial, sans-serif;font-size:85%;color:#3D3D3D;"&gt;&lt;span class="Apple-style-span" style="font-size: 10px;"&gt;&lt;span class="Apple-style-span" style="color: rgb(0, 0, 0); font-family: Georgia, serif; font-size: 15.6px; "&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:Arial, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"    style="font-family:'Lucida Grande', 'Lucida Sans Unicode', Verdana, Arial, sans-serif;font-size:130%;color:#3D3D3D;"&gt;&lt;span class="Apple-style-span" style="font-size: 14px;"&gt;&lt;span class="Apple-style-span" style="color: rgb(0, 0, 0); font-family: Arial, sans-serif; font-size: 15.6px; "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-7302450430342038562?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/7302450430342038562/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=7302450430342038562' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/7302450430342038562'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/7302450430342038562'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2010/08/google-safebrowsing-webtest.html' title='Google Safebrowsing Webtest'/><author><name>Erik 
Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-2809051703695684680</id><published>2010-08-04T23:50:00.001+02:00</published><updated>2010-08-04T23:51:29.448+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='tricks and tools'/><title type='text'>Get a website as a pdf</title><content type='html'>&lt;a href="http://pdfmyurl.com/"&gt;http://pdfmyurl.com/&lt;/a&gt; turns your url into a pdf.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-2809051703695684680?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/2809051703695684680/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=2809051703695684680' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/2809051703695684680'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/2809051703695684680'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2010/08/get-website-as-pdf.html' title='Get a website as a pdf'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' 
src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-584780309441853890</id><published>2010-07-30T21:51:00.002+02:00</published><updated>2010-07-30T22:21:49.695+02:00</updated><title type='text'>Bit.ly url - show the real deal</title><content type='html'>This week I've found out through a post in one of my &lt;a href="http://en.wikipedia.org/wiki/Rss"&gt;RSS&lt;/a&gt; feeds how to figure out what url is behind a &lt;a href="http://bit.ly"&gt;bit.ly&lt;/a&gt; url. You've probably seen them, short urls going bit.ly/somehash. You can figure it out by just adding a + after the hash.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;When you do this you get an overview of the number of clicks, when they were clicked, who tweeted about it, and where the people are from who clicked on it.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;We all know that this service has been abused for spreading malware, but I see this info come in handy for a social engineering purpose.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-584780309441853890?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/584780309441853890/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=584780309441853890' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/584780309441853890'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/584780309441853890'/><link rel='alternate' type='text/html' 
href='http://erikvanderhasselt.blogspot.com/2010/07/bitly-url-show-real-deal.html' title='Bit.ly url - show the real deal'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-3421140998583923565</id><published>2010-07-14T15:55:00.003+02:00</published><updated>2010-07-14T16:19:52.198+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='social engineering'/><category scheme='http://www.blogger.com/atom/ns#' term='password'/><title type='text'>Welcome to big hotel</title><content type='html'>I recently had to visit the office of a customer just outside of Brussels. I knew approximately where it was. Since I didn't get any GPS signal, I had to ask for directions, so I stopped at a hotel near my destination to ask for final directions.&lt;br /&gt;&lt;br /&gt;The hotel where I stopped is part of a big international chain. I walked up to the front desk, where a lovely young lady called Marielle according to her name tag (Dutch accent; the ring on her left ring finger indicated that she is most probably married) greeted me. I explained my problem. She didn't know where my customer was located, so I social engineered her by simply asking if she had Internet access on her computer and if she had access to a website like &lt;a href="http://maps.google.com/"&gt;Google maps&lt;/a&gt;. 
While she was typing I noticed that on every screen in the left corner there was a post-it with the magic words user: username, password: password.&lt;br /&gt;&lt;br /&gt;Suddenly my mind started working in a different way and just for fun I asked if I could come behind the desk to have a look at the &lt;a href="http://maps.google.com/"&gt;Google map&lt;/a&gt; and by looking at the screen I noticed that it was Internet Explorer.&lt;br /&gt;&lt;br /&gt;So let's have a look at what we got:&lt;br /&gt;- a name for &lt;a href="http://en.wikipedia.org/wiki/Name-dropping"&gt;name dropping&lt;/a&gt;&lt;br /&gt;- a target who is susceptible to &lt;a href="http://en.wikipedia.org/wiki/Social_engineering_(security)"&gt;social engineering&lt;/a&gt;&lt;br /&gt;- a browser, which has a good track record of being vulnerable&lt;br /&gt;- a user name and password for something which will most probably be the application for managing the rooms&lt;br /&gt;&lt;br /&gt;To say it with the words of &lt;a href="http://en.wikipedia.org/wiki/Louis_Armstrong"&gt;Louis Armstrong&lt;/a&gt; ... 
&lt;a href="http://en.wikipedia.org/wiki/What_a_Wonderful_World"&gt;What a wonderful world&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-3421140998583923565?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/3421140998583923565/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=3421140998583923565' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/3421140998583923565'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/3421140998583923565'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2010/07/welcome-to-big-hotel.html' title='Welcome to big hotel'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-6810744835999684928</id><published>2010-06-30T20:07:00.006+02:00</published><updated>2010-06-30T21:34:11.190+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SQL injection'/><category scheme='http://www.blogger.com/atom/ns#' term='asprox'/><category scheme='http://www.blogger.com/atom/ns#' term='Rondel Mendez'/><category scheme='http://www.blogger.com/atom/ns#' term='pushdo'/><title type='text'>From Russia with love - asprox</title><content type='html'>Tonight I found in my RSS reader that a 
large number of websites (some very popular ones in Belgium) are infected with ru/js.js. &lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;It appears that this comes from a trojan called asprox. Originally it was spreading through spam via the Pushdo botnet but the attack vector seems to have changed. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The new attack vector was possible thanks to SQL Injection. Rondel Mendez wrote an excellent &lt;a href="http://www.m86security.com/labs/i/Another-round-of-Asprox-SQL-injection-attacks,trace.1366~.asp"&gt;piece&lt;/a&gt; about it for M86 Security. It explains what the malware does.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The syscolumns xtypes it abuses are 35 (text), 99 (ntext), 167 (varchar) and 231 (sysname). As you can see, all of these can contain a string, which in this case is a URL to the botnet.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;How to solve this? Simple: fix your code. Never trust user input; normalize it and check whether the values are acceptable.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-6810744835999684928?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/6810744835999684928/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=6810744835999684928' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/6810744835999684928'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/6810744835999684928'/><link rel='alternate' type='text/html' 
href='http://erikvanderhasselt.blogspot.com/2010/06/from-russia-with-love-asprox.html' title='From Russia with love - asprox'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-3673647934671915361</id><published>2010-06-30T20:04:00.002+02:00</published><updated>2010-06-30T20:07:27.187+02:00</updated><title type='text'>Career change</title><content type='html'>Howdy,&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I will no longer bore you to death with SQL. I have made a career change and since this week I am working in our IT security department (still the same company).&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Cheers,&lt;/div&gt;&lt;div&gt;Erik  &lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-3673647934671915361?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/3673647934671915361/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=3673647934671915361' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/3673647934671915361'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/3673647934671915361'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2010/06/career-change.html' title='Career 
change'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-4995109415937859821</id><published>2010-06-18T17:00:00.003+02:00</published><updated>2010-06-18T17:11:56.484+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SQL 2005'/><title type='text'>SQLCMD and the tempdb adventure</title><content type='html'>I had a call today from a colleague to help her out with an issue. A customer had moved their tempdb and now she had to fix it because the SQL Server instance did not come up.  Since I handled such a case in the past she asked me to tell her how I fixed it. &lt;span class="Apple-style-span" style="font-size: 15.6px; "&gt;I write this blog post because I had already forgotten a couple of things.&lt;/span&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: 15.6px; "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;1. Make sure the SQL instance is stopped.&lt;/div&gt;&lt;div&gt;2. Activate the named pipes protocol.&lt;/div&gt;&lt;div&gt;3. Start the SQL instance with the -m option.&lt;/div&gt;&lt;div&gt;4. Open a sqlcmd connection with the -e option. Sqlcmd is case sensitive, so look out when you type in the instance name (server\instance).&lt;/div&gt;&lt;div&gt;5. 
&lt;a href="http://msdn.microsoft.com/en-us/library/aa275464(SQL.80).aspx"&gt;alter the file location&lt;/a&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-4995109415937859821?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/4995109415937859821/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=4995109415937859821' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/4995109415937859821'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/4995109415937859821'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2010/06/sqlcmd-and-tempdb-adventure.html' title='SQLCMD and the tempdb adventure'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-5074906799987076305</id><published>2010-06-17T16:35:00.003+02:00</published><updated>2010-06-17T16:45:42.925+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SQL injection'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='BruCon'/><category scheme='http://www.blogger.com/atom/ns#' term='talk'/><title 
type='text'>Meet Joe McCray</title><content type='html'>&lt;div&gt;Yesterday there was a last minute &lt;a href="http://www.owasp.org/index.php/Belgium"&gt;OWASP chapter&lt;/a&gt; meeting and 2 presentations by &lt;a href="http://www.linkedin.com/in/joemccray"&gt;Joe McCray&lt;/a&gt; of &lt;a href="http://www.learnsecurityonline.com/"&gt;learnsecurityonline.com&lt;/a&gt;. The intro was great: Joe loves hacking, swearing and drinking rum and coke (a.k.a. &lt;a href="http://en.wikipedia.org/wiki/Cuba_Libre"&gt;Cuba Libre&lt;/a&gt;).&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The first presentation was about &lt;a href="http://en.wikipedia.org/wiki/SQL_injection"&gt;SQL Injection&lt;/a&gt;. Most things Joe talked about were things I already knew but it is always interesting to hear somebody explain how he or she does it, and yes, I've learned new things. I have been to presentations where they had prepared a VM with a vulnerable webapp but not Joe. He did his demo on a live website and enumerated all databases on the webserver. He explained in great detail what kind of injections there are and the conclusion was "Fix your shit". He demonstrated how &lt;a href="http://en.wikipedia.org/wiki/Intrusion_detection_system"&gt;IDS&lt;/a&gt; can help you but is not a silver bullet. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The most important thing I took home from this presentation is that he experienced that not everybody terminates SSL connections, normalizes the input and then feeds it to the IDS ... and of course "Fix your shit" :). At the end of the evening we discussed what the easiest way is to get the stuff fixed and his experience was to get vulnerabilities classified as bugs by the Quality Assurance people. 
I think this is a trick I will apply in the future :)&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The second presentation was about &lt;a href="http://www.owasp.org/index.php/Web_Application_Firewall"&gt;Web Application Firewalls&lt;/a&gt;. I have no experience with application firewalls. I saw some presentations in the past and Joe confirmed what I was thinking about it. It is something to give you some time to "fix your shit" but not the solution.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Joe is coming to &lt;a href="http://www.brucon.org"&gt;BruCon&lt;/a&gt; in September 2010 to give a session titled "&lt;a href="http://2010.brucon.org/index.php/Presentations#You_Spent_All_That_Money_And_You_Still_Got_Owned..."&gt;You Spent All That Money And You Still Got Owned&lt;/a&gt;".&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-5074906799987076305?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/5074906799987076305/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=5074906799987076305' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/5074906799987076305'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/5074906799987076305'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2010/06/meet-joe-mccray.html' title='Meet Joe McCray'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-200349341238743061</id><published>2010-06-08T16:24:00.001+02:00</published><updated>2010-06-08T16:24:46.367+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='tricks and tools'/><title type='text'>Wait a second in batch - the ping hack</title><content type='html'>&lt;div&gt;If you have to wait a couple of seconds in a batch script you can use the following trick:&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;PING -n 11 127.0.0.1 &gt;NUL&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;This will make 11 pings and by chance this takes approximately 11 seconds. If you have a better system let me know.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-200349341238743061?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/200349341238743061/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=200349341238743061' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/200349341238743061'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/200349341238743061'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2010/06/wait-second-in-batch-ping-hack.html' title='Wait a second in batch - the ping hack'/><author><name>Erik 
Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-7719835324476446667</id><published>2010-05-24T20:15:00.022+02:00</published><updated>2010-05-25T20:54:44.098+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Toool'/><category scheme='http://www.blogger.com/atom/ns#' term='lockpicking'/><category scheme='http://www.blogger.com/atom/ns#' term='HAR2009'/><title type='text'>Lock picking basics</title><content type='html'>&lt;div&gt;&lt;br /&gt;Recently the lock of my mailbox fell into my hands (yes, it is junk but the mailbox is temporary). Now to your regular Joe out there this is usually an inconvenience but I was happy about it because now I could study the lock and try to understand what the good people of &lt;a href="http://toool.nl/"&gt;Toool&lt;/a&gt; were demonstrating at &lt;a href="https://wiki.har2009.org/page/Main_Page"&gt;HAR2009&lt;/a&gt;.&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;table border="0"&gt;&lt;tbody&gt;&lt;/tbody&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/__3h6Z21M2sE/S_waHtLHFXI/AAAAAAAAACc/nYsuURSRw9U/s1600/lock1.png"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 200px; height: 136px;" src="http://4.bp.blogspot.com/__3h6Z21M2sE/S_waHtLHFXI/AAAAAAAAACc/nYsuURSRw9U/s200/lock1.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5475279966663284082" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;First we have a look at the lock as it fell into my hands.&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="http://3.bp.blogspot.com/__3h6Z21M2sE/S_wasMEo0_I/AAAAAAAAACk/MRSeCc5lJTA/s1600/lock2.png"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 200px; height: 112px;" src="http://3.bp.blogspot.com/__3h6Z21M2sE/S_wasMEo0_I/AAAAAAAAACk/MRSeCc5lJTA/s200/lock2.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5475280593432925170" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;If we take out the pins, we see the little, tiny, springs that give the resistance when you put your key into the lock.&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/__3h6Z21M2sE/S_wbERKbwTI/AAAAAAAAACs/3KjOM8Ieg38/s1600/lock3.png"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 200px; height: 144px;" src="http://3.bp.blogspot.com/__3h6Z21M2sE/S_wbERKbwTI/AAAAAAAAACs/3KjOM8Ieg38/s200/lock3.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5475281007116271922" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;This is a detail of a pin. 
The key goes through the little hole.&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/__3h6Z21M2sE/S_wbq-M6q_I/AAAAAAAAAC0/BdsgCzcJhwc/s1600/lock4.png"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 200px; height: 150px;" src="http://4.bp.blogspot.com/__3h6Z21M2sE/S_wbq-M6q_I/AAAAAAAAAC0/BdsgCzcJhwc/s200/lock4.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5475281672041311218" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;If we have a look at the key we notice the pointy and flat parts.&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/__3h6Z21M2sE/S_wcWm3FOHI/AAAAAAAAAC8/Z_1BJanfCAA/s1600/lock5.png"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 200px; height: 87px;" src="http://2.bp.blogspot.com/__3h6Z21M2sE/S_wcWm3FOHI/AAAAAAAAAC8/Z_1BJanfCAA/s200/lock5.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5475282421689956466" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;If we put the key into the lock we see that the pins move into their positions. The pins move up and down when the key goes through it.&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/__3h6Z21M2sE/S_wctNvOGTI/AAAAAAAAADE/im_NBOv9Ils/s1600/lock6.png"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 200px; height: 121px;" src="http://1.bp.blogspot.com/__3h6Z21M2sE/S_wctNvOGTI/AAAAAAAAADE/im_NBOv9Ils/s200/lock6.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5475282810083088690" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;If you have a good look you will recognise the flat parts of the key. 
They are exactly positioned where the pins are.&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;tbody&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;The picking is done with fine picks you slide into the lock and put gentle pressure on the pins so that they line up. It is easier said than done but it is fun to see a lock pop open without a key and not damaging it ... do you have a mailbox?&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-7719835324476446667?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/7719835324476446667/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=7719835324476446667' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/7719835324476446667'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/7719835324476446667'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2010/05/lock-picking-basics.html' title='Lock picking basics'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/__3h6Z21M2sE/S_waHtLHFXI/AAAAAAAAACc/nYsuURSRw9U/s72-c/lock1.png' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-6883852157507175382</id><published>2010-05-12T22:27:00.003+02:00</published><updated>2010-05-12T22:45:16.338+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='password'/><title type='text'>Even a 10 year old would guess it</title><content type='html'>Recently I was somewhere in a data center in Belgium where the local administrator password was written down on a post-it and was next to the screen of the console. I don't say I would approve but I could understand if you put it there and the password was complex. This was absolutely not the case, it was the company name.&lt;br /&gt;&lt;br /&gt;Some people wonder how those evil hackers can get into their systems even if they have the latest antivirus updates and a firewall ... there is no patch for HumanOS.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-6883852157507175382?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/6883852157507175382/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=6883852157507175382' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/6883852157507175382'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/6883852157507175382'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2010/05/even-10-year-old-would-guess-it.html' title='Even a 10 year old would guess it'/><author><name>Erik 
Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-3833593001643545648</id><published>2010-05-12T22:09:00.006+02:00</published><updated>2010-05-12T22:46:27.347+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='High Availability'/><category scheme='http://www.blogger.com/atom/ns#' term='Windows 2008'/><category scheme='http://www.blogger.com/atom/ns#' term='VMWare'/><category scheme='http://www.blogger.com/atom/ns#' term='Cluster'/><category scheme='http://www.blogger.com/atom/ns#' term='SQL 2008'/><category scheme='http://www.blogger.com/atom/ns#' term='Bugs'/><title type='text'>My first SQL 2008 cluster on vSphere</title><content type='html'>Recently I had to install a SQL 2008 cluster on a Windows 2008 cluster which was virtualized. I learned some valuable lessons I want to share with you.&lt;br /&gt;&lt;br /&gt;First of all there is this new feature in the VM Tools called shared folders. Make sure it is off. It causes an error message and the description has nothing to do with the cause.&lt;br /&gt;&lt;br /&gt;The second thing is if you want to install service pack 1 for SQL Server, slipstream it. There is a bug that crashes your installation and you can't actually remove it. The term slipstream is not really the correct term but it works.&lt;br /&gt;&lt;br /&gt;First you unpack the service pack with the /x option and then you need to run /x64/setup/1033/sqlsupport.msi. 
The next step is to start the SQL Server setup from the command line with the parameter /PCUSource=&amp;lt;the_directory_where_you_unpacked_sp1&amp;gt;&lt;br /&gt;&lt;br /&gt;More info on slipstream can be found at &lt;a href="http://support.microsoft.com/kb/955392"&gt;http://support.microsoft.com/kb/955392&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-3833593001643545648?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/3833593001643545648/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=3833593001643545648' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/3833593001643545648'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/3833593001643545648'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2010/05/my-first-sql-2008-cluster-on-vsphere.html' title='My first SQL 2008 cluster on vSphere'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-5422722308866059879</id><published>2010-03-04T16:04:00.004+01:00</published><updated>2010-03-08T11:24:40.071+01:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='tricks and tools'/><title type='text'>Kind of grep in your dos-prompt</title><content type='html'>Do you recognise the situation where you are on a Windows box and wish you had grep to go through logs and other text files? There is something called &lt;a href="http://technet.microsoft.com/en-us/library/bb490907.aspx"&gt;findstr&lt;/a&gt;, and it can handle regular expressions.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-5422722308866059879?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/5422722308866059879/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=5422722308866059879' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/5422722308866059879'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/5422722308866059879'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2010/03/kind-of-grep-in-your-dos-prompt.html' title='Kind of grep in your dos-prompt'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-4801377220890973370</id><published>2010-02-13T11:42:00.006+01:00</published><updated>2010-02-13T12:41:15.620+01:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='password'/><title type='text'>password or pa$$w0rd?</title><content type='html'>This week I had 2 cases where I had the "what!? You're kidding me, right?" feeling. Both were password related. &lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I had to give some remote support on a CRM system and the password for the administrator account was pa$$w0rd. I guess the people administrating these systems don't have a clue about what it would mean to lose this asset.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Since I am an MSSQL DBA, people automatically assume that I have no clue about Linux systems. The other day I got agitated in a meeting because somebody said that Linux was not important. I apparently reacted in a way which got the attention of some people because suddenly I got a request to look at a postfix server. When I connected over SSH to the server I had to use an account called administrator and I'll let you guess the password ... yep, it was password. I needed root to access some files but my contact was not absolutely sure about the password so I tried my luck and yes, it was password.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Security is not something simple, but some basics like a good password policy and auditing for weak passwords are simple. 
There are no excuses for these mistakes.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-4801377220890973370?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/4801377220890973370/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=4801377220890973370' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/4801377220890973370'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/4801377220890973370'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2010/02/password-or-paw0rd.html' title='password or pa$$w0rd?'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-1660430570650904077</id><published>2010-02-08T13:06:00.006+01:00</published><updated>2010-02-08T14:17:39.088+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='OWASP'/><category scheme='http://www.blogger.com/atom/ns#' term='GreenSQL'/><category scheme='http://www.blogger.com/atom/ns#' term='talk'/><title type='text'>GreenSQL</title><content type='html'>On the first of February I went to a talk by &lt;a href="http://www.greensql.net/blog/yuli"&gt;Yuli Stremosky&lt;/a&gt; about &lt;a href="http://www.greensql.net/"&gt;GreenSQL&lt;/a&gt; at 
&lt;a href="http://www.owasp.org/index.php/Belgium"&gt;OWASP&lt;/a&gt;. Yuli gave a very nice talk. He started by explaining that shared hosting is not an option from a security point of view, since you can be hacked through another website. He quickly explained &lt;a href="http://en.wikipedia.org/wiki/SQL_injection"&gt;SQL injections&lt;/a&gt; and &lt;a href="http://www.owasp.org/index.php/SQL_Injection_Cookbook_-_Oracle#SQL_Tautologies"&gt;SQL tautologies&lt;/a&gt;.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;GreenSQL is a firewall that has to protect you from SQL injection. Basically it works on the reverse-proxy principle. Your application/webserver connects to the GreenSQL Proxy which verifies the query and gets the data from the database.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt; There are 4 modes to run GreenSQL in:&lt;/div&gt;&lt;div&gt;&lt;ul&gt;&lt;li&gt;database IDS (&lt;a href="http://en.wikipedia.org/wiki/Intrusion_detection_system"&gt;intrusion detection system&lt;/a&gt;)&lt;/li&gt;&lt;li&gt;database IPS (&lt;a href="http://en.wikipedia.org/wiki/Intrusion_prevention_system"&gt;intrusion prevention system&lt;/a&gt;)&lt;/li&gt;&lt;li&gt;Learning mode&lt;/li&gt;&lt;li&gt;database firewall&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;The IDS mode uses a risk matrix engine that scores the incoming queries and blocks the suspicious queries. The IPS mode uses a heuristics engine to find suspicious queries. If a query is considered illegal, it is checked against a white list. An illegal query results in an empty result set.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;GreenSQL uses a pattern matching engine to analyse the SQL queries.  
The following queries are automatically considered illegal:&lt;/div&gt;&lt;div&gt;&lt;ul&gt;&lt;li&gt;database administrative commands&lt;/li&gt;&lt;li&gt;commands that change a database structure&lt;/li&gt;&lt;li&gt;commands that access the file system&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;I had contact before this talk with the GreenSQL people to see what their plans are for commercial databases like Oracle, DB2 and MS SQL. I got an answer and they are working on it.&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-1660430570650904077?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/1660430570650904077/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=1660430570650904077' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/1660430570650904077'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/1660430570650904077'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2010/02/greensql.html' title='GreenSQL'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-7295057259987532925</id><published>2010-02-08T10:30:00.003+01:00</published><updated>2010-02-08T10:54:24.126+01:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='phishing'/><title type='text'>Phishers steal CO2-emission certificates</title><content type='html'>When I was looking through my RSS feeds this morning I came across an &lt;a href="http://webwereld.nl/nieuws/65070/phishers-stelen-3-miljoen-aan-co2-emissierechten.html?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed:+Webwereld+(Webwereld)"&gt;article&lt;/a&gt; from &lt;a href="http://webwereld.nl/"&gt;WebWereld&lt;/a&gt; where they talked about the fact that phishing is also used for stealing CO2-emission certificates.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;These certificates are issued for free by the EU and companies trade them between each other, just to be able to pollute more. The day price at the moment they were stolen was 2,5 EUR a piece. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;It makes no sense to me at all. If I understood the article correctly the certificate does not impose CO2-emission limitations on companies. So basically it is normal that the EU would ask nothing for this certificate, because it does not give you any privileges. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Isn't it kind of weird then that a company is ready to pay 2,5 EUR for something that actually doesn't do anything for your company? The funny part is then that people start stealing these things. It kind of reminds me of when I was at school and saw kids fight over little plastic disks called &lt;a href="http://nl.wikipedia.org/wiki/Flippo"&gt;flippo's&lt;/a&gt;. 
&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-7295057259987532925?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/7295057259987532925/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=7295057259987532925' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/7295057259987532925'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/7295057259987532925'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2010/02/phishers-steal-co2-emission.html' title='Phishers steal CO2-emission certificates'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-1173576315107985183</id><published>2010-01-16T19:37:00.006+01:00</published><updated>2010-01-16T20:11:19.889+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='OpenVPN'/><category scheme='http://www.blogger.com/atom/ns#' term='Hackerspace'/><category scheme='http://www.blogger.com/atom/ns#' term='HSB'/><title type='text'>OpenVPN workshop</title><content type='html'>Today there was an &lt;a href="http://openvpn.net"&gt;OpenVPN&lt;/a&gt; workshop at the &lt;a href="http://hackerspace.be"&gt;Hackerspace Brussels&lt;/a&gt;. 
The workshop was given by &lt;a href="http://christophe.vandeplas.com/"&gt;Christophe Vandeplas&lt;/a&gt;. The first part of the workshop was the theoretical part. The nice thing about the setup was that you did not need any knowledge about networking or VPN.&lt;br /&gt;&lt;br /&gt;Christophe took us all through the basics, starting with "how 2 systems talk over a switch" over "how 2 machines talk over a router" and then going to firewalls, NAT and of course VPN and everything that goes with it.&lt;br /&gt;&lt;br /&gt;The second part of the workshop was actually setting up an OpenVPN system. It was really a step by step walkthrough.&lt;br /&gt;&lt;br /&gt;It was a great afternoon where I learned a lot. The presentation can be found &lt;a href="http://docs.google.com/present/view?id=dfm4r95r_15gm5jkdkc"&gt;here&lt;/a&gt;. Christophe also has a how-to about the &lt;a href="http://christophe.vandeplas.com/2008/02/03/openvpn-belgian-eid"&gt;Belgian eID and OpenVPN&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-1173576315107985183?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/1173576315107985183/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=1173576315107985183' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/1173576315107985183'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/1173576315107985183'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2010/01/openvpn-workshop.html' title='OpenVPN workshop'/><author><name>Erik 
Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-1103842007170594957</id><published>2009-12-26T20:54:00.004+01:00</published><updated>2009-12-26T21:25:52.850+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='airport security'/><title type='text'>Airport security, you are kidding, right?</title><content type='html'>I have not posted anything in a while because I was sometimes not inspired to write anything, sometimes too busy or sometimes just on holiday. My latest holidays were in &lt;a href="http://en.wikipedia.org/wiki/Spain"&gt;Spain&lt;/a&gt; and while going through airport security here in &lt;a href="http://www.charleroi-airport.com/"&gt;Charleroi Airport&lt;/a&gt; (a.k.a Brussels South) I set off the metal detector alarm. I was absolutely sure that I had removed any of the non-permitted objects and had no clue what set off the alarm.&lt;br /&gt;&lt;br /&gt;The classic procedure then started ... please step through Sir. The security staff member asked me if I had anything on me that could have triggered the alarm. I replied no and then I assumed the position for a check. The guy did it reasonably correctly but he forgot to check the lower part of the abdomen. I know most people would not be comfortable about this.&lt;br /&gt;&lt;br /&gt;Since the procedure had no result, a hand detector was the next procedure. Funny because the only things it found were the metal parts that every pair of jeans has, so by that logic everybody wearing jeans would have triggered the alarm. 
This was not the case so in my mind that was not what triggered it but I was cleared and off to catch my flight.&lt;br /&gt;&lt;br /&gt;When I had my flight home I was dressed exactly the same way but I made sure that my clothes did absolutely not have any metal parts. You guessed it ... I triggered the alarm again :). Yes I was very happy because I was consistent.&lt;br /&gt;&lt;br /&gt;The guy started his search, he didn't find anything so I had to put each foot in some kind of sniffer machine (too bad I forgot to look at the brand). When I got cleared it suddenly became clear to me that the only thing I had on me that was made of metal was the frame of my glasses.&lt;br /&gt;&lt;br /&gt;If I was really up to no good I would not have made such a 'mistake' but it is clear to me that those security people have no procedure in place for the cases that don't fit the procedure and actually I personally think that is scary.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-1103842007170594957?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/1103842007170594957/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=1103842007170594957' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/1103842007170594957'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/1103842007170594957'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2009/12/airport-security-you-are-kidding-right.html' title='Airport security, you are kidding, right?'/><author><name>Erik 
Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-2098824488040714248</id><published>2009-10-22T22:13:00.004+02:00</published><updated>2009-10-22T23:26:06.708+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><title type='text'>Belgian national infrastructure client</title><content type='html'>The last couple of days I was on site at a customer that is one of the big players in the Belgian national infrastructure. I am just there to help roll out some systems, not as a DBA or a security guy but ... I had my little fun.&lt;br /&gt;&lt;br /&gt;The first thing I noticed when I got in was that with just a name drop and saying that I am an IT guy the friendly guy at the front desk opened the doors. No calling to verify my story, I just walked on the site to the other buildings. Always be polite and ask for directions smiling :).&lt;br /&gt;&lt;br /&gt;Then I got to the building of the IT department and the first thing I noticed were all the printouts on the walls; one of them was a procedure with a password on it ... sweeeet.&lt;br /&gt;&lt;br /&gt;Later that day I got an email with my login credentials. Yes my dear reader, plain text passwords emailed over the dhcp network. I was asking my new colleagues if I was the only one thinking that it shouldn't be that way but apparently they did not understand the problem.&lt;br /&gt;&lt;br /&gt;Now I have access badges and can come in through the employee entrance. At the entry point there is a security guard to open the gate for the cars and verify the people walking in. 
The only problem is, the guy is about 6 meters from you when you show your badge. The badge is a classic (white) RFID card with the company logo and your name printed on it. Just out of curiosity I showed the guy a membership card of something else that is red and blue and got in smiling.&lt;br /&gt;&lt;br /&gt;But the customer is security-aware ... they are doing an audit of their email system at the moment, they have firewalls, anti-virus and VPNs.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-2098824488040714248?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/2098824488040714248/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=2098824488040714248' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/2098824488040714248'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/2098824488040714248'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2009/10/belgian-national-infrastructure-client.html' title='Belgian national infrastructure client'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-8872070483492560398</id><published>2009-09-27T09:06:00.005+02:00</published><updated>2009-09-27T09:34:18.880+02:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='Hackerspace'/><category scheme='http://www.blogger.com/atom/ns#' term='python'/><category scheme='http://www.blogger.com/atom/ns#' term='programming'/><category scheme='http://www.blogger.com/atom/ns#' term='HSB'/><title type='text'>Python workshop at HSB</title><content type='html'>Yesterday I went to a Python workshop organized at the &lt;a href="http://hackerspaces.org"&gt;hackerspace&lt;/a&gt; &lt;a href="http://hackerspace.be/"&gt;Brussels&lt;/a&gt;. We gathered at the &lt;a href="http://hackerspace.be/Location"&gt;void*pointer&lt;/a&gt; around 14:00. &lt;a href="http://meinblag.blogspot.com/"&gt;fs111&lt;/a&gt; gave us a very nice introduction to Python.&lt;br /&gt;&lt;br /&gt;There were programmers and people who had not programmed in ages but it was ok. You could ask any question you had and there were some exercises, classics like the number guessing games, to get you up and programming.&lt;br /&gt;&lt;br /&gt;We have a homework assignment, writing a very simple port scanner :). Have a look at the &lt;a href="http://hackerspace.be/"&gt;hackerspace website&lt;/a&gt; if you want to join for the follow up.&lt;br /&gt;&lt;br /&gt;My conclusion is simple: Python is a very powerful language, easy to learn (that is the credit of the instructor) and it is worth sitting down for an afternoon to learn it. 
It will certainly become a weapon of choice for handling some of my day-to-day admin problems.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-8872070483492560398?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/8872070483492560398/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=8872070483492560398' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/8872070483492560398'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/8872070483492560398'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2009/09/python-workshop-at-hsb.html' title='Python workshop at HSB'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-1606322973875239839</id><published>2009-09-06T17:37:00.007+02:00</published><updated>2009-09-07T09:18:15.126+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='tricks and tools'/><title type='text'>BiLE - finding out relationships</title><content type='html'>&lt;a href="http://www.sensepost.com/research_misc.html"&gt;BiLE&lt;/a&gt; is a Bi-directional Link Extractor, a tool suite of Perl scripts created by &lt;a 
href="http://www.sensepost.com/"&gt;Sensepost&lt;/a&gt;. It uses &lt;a href="http://www.httrack.com/"&gt;HTTrack&lt;/a&gt; and &lt;a href="http://www.google.com/"&gt;Google&lt;/a&gt; to give you a view of which websites have a strong relationship with the website of your target.&lt;br /&gt;&lt;br /&gt;The first interesting script is called BiLE.pl. When you run it against a target website, it starts HTTrack to get the target website and all websites to which it can find hyperlinks. BiLE will also query Google using the "link:" directive. Using this Google hack it can find all websites linking to the target website.&lt;br /&gt;&lt;br /&gt;BiLE.pl produces 2 output files. The first one is a .mine file, the other one is a .walrus file. If you have a look at the .mine file you'll see that the output is of the form source:destination.&lt;br /&gt;&lt;br /&gt;Here is a sample of the output when I tested it:&lt;br /&gt;www.target.org:jaxb.dev.java.net&lt;br /&gt;www.target.org:jbind.sourceforge.net&lt;br /&gt;www.target.org:jigsaw.w3.org&lt;br /&gt;www.target.org:lists.w3.org&lt;br /&gt;www.target.org:lists.xml.org&lt;br /&gt;www.target.org:lucas.ucs.ed.ac.uk&lt;br /&gt;&lt;br /&gt;This file only tells you that there is a link from your target website to a destination website. So there is a relationship between target and destination but you can't tell how important it is. This is why you have the script BiLE-weigh.pl.&lt;br /&gt;&lt;br /&gt;BiLE-weigh.pl uses the output file of BiLE.pl and uses a weighing algorithm to determine the importance of the relationships between the target and the destinations. 
The readme has a short description of how it works.&lt;br /&gt;&lt;br /&gt;To get BiLE-weigh.pl up and running I had to alter the code since I got the error "BiLE-weigh.pl gives sort: open failed: +1: No such file or directory – error".&lt;br /&gt;&lt;br /&gt;Change this line from:&lt;br /&gt;`cat temp | sort -r -t ":" +1 -n &gt; @ARGV[1].sorted`;&lt;br /&gt;to:&lt;br /&gt;`cat temp | sort -r -t ":" -k 1 -n &gt; @ARGV[1].sorted`;&lt;br /&gt;&lt;br /&gt;I found the solution on the &lt;a href="http://princ3.wordpress.com/2007/05/27/bile-weighpl-gives-sort-open-failed-1-no-such-file-or-directory-error/"&gt;minimalistic transparent x-desktop&lt;/a&gt; blog.&lt;br /&gt;&lt;br /&gt;The output of BiLE-weigh.pl is something like this:&lt;br /&gt;www.somesite.com:6.6&lt;br /&gt;www.anothersite.com:4.02439024390244&lt;br /&gt;subdomain.yetanothersite.com:75&lt;br /&gt;&lt;br /&gt;The value at the end is the weight. It is a meaningless value, we are only interested in the rate of decay. To get this done in a reasonably easy way, you copy the content of the .sorted file (this is the output file of BiLE-weigh) and paste it into a spreadsheet. In OpenOffice Calc a wizard pops up and asks you how it should handle the data. Your delimiter is a colon (:). 
Once you have the data in your spreadsheet the last action is to sort it by the weight descending.&lt;br /&gt;&lt;br /&gt;Now you have a nice little list that tells you which relationships exist between your target website and other websites.&lt;br /&gt;&lt;br /&gt;My output was:&lt;br /&gt;www.target.com: 298.62&lt;br /&gt;sub1.target.com: 165&lt;br /&gt;target.wordpress.com: 165&lt;br /&gt;tools.emailgarage.com: 75&lt;br /&gt;www.mapsonline.be: 75&lt;br /&gt;&lt;br /&gt;The next website has a weight of 6.6, so it drops dramatically and therefore you can assume that the interesting part stops here.&lt;br /&gt;&lt;br /&gt;So these 5 lines of output will allow you to assume that the target organization has real life relations with wordpress.com, emailgarage.com and mapsonline.be.&lt;br /&gt;&lt;br /&gt;Don't toss away the offline copies you now have of your target's website and the websites which have a relationship with it, because source code analysis can maybe tell us more about their systems.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-1606322973875239839?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/1606322973875239839/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=1606322973875239839' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/1606322973875239839'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/1606322973875239839'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2009/09/bile-finding-out-relationships.html' title='BiLE - finding out 
relationships'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-5789994552302945909</id><published>2009-08-31T09:13:00.004+02:00</published><updated>2009-08-31T09:17:28.405+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><title type='text'>Getting to know your target: find a job</title><content type='html'>&lt;span style="font-weight: bold;"&gt;Introduction&lt;/span&gt;&lt;br /&gt;There are 2 ways of gathering information. You can go for passive reconnaissance or active reconnaissance. Recon can be done online but there is no reason that it can't be done offline.&lt;br /&gt;&lt;br /&gt;During passive recon you go after the information that is out there. It is either out there intentionally or leaked. You do not engage in any contact with the other party. You try to discover information about the organization, the employees, the third parties, the systems, naming conventions, ... anything that you can lay your hands on.&lt;br /&gt;&lt;br /&gt;The active form of information gathering is the part where you engage in a limited form of contact. Nothing intrusive but just enough to get a better view on the other party.&lt;br /&gt;&lt;br /&gt;I don't know who you are and if the knowledge in this article can get you in trouble with the law but I suggest you only try these techniques on your own infrastructure or one for which you have the necessary (written) permissions.&lt;br /&gt;&lt;br /&gt;The idea behind this article is to get feedback, so give me your side of the story. 
If you think I am wrong, tell me and if you agree or want to add something let me know too.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Relations&lt;/span&gt;&lt;br /&gt;Organizations do not exist on their own. In the real world you have suppliers, customers, users, ... you get the idea. One of the ways to reveal this is to just visit the website of your target and look for company info.&lt;br /&gt;&lt;br /&gt;To look for an example I went to the website of one of the large ISPs in Belgium and found this out:&lt;br /&gt;- The members of the different boards: names and functions&lt;br /&gt;- They have a subsidiary that is a hosting company&lt;br /&gt;- Locations of different company locations&lt;br /&gt;- Their logos and for what they are used&lt;br /&gt;- Customer service, communication department info&lt;br /&gt;- Phone numbers&lt;br /&gt;- The use of webeventservices.com for communication&lt;br /&gt;- The email address of the VP Corporate Counsel is firstname.lastname@staff.companyname.be&lt;br /&gt;- The list of the different analysts in all major financial institutions that follow the company and conveniently their email addresses&lt;br /&gt;- subdomains&lt;br /&gt;- department names&lt;br /&gt;- Jobs and these contain information about the systems they use&lt;br /&gt;&lt;br /&gt;They use:&lt;br /&gt;Cognos (7, Series 8, Powerplay, BCM), BO, SPSS, SAS, MS Outlook, MS Office, Salesforce.com (CRM), IBM Ascential Datastage, Oracle databases, Java, J2EE, MS Sharepoint 2007, Windows 2000 Server &amp;amp; Advanced Server, Windows 2000 Professional, Windows 2003 Server, Windows Vista, VMWare, Juniper &amp;amp; Alcatel backbone routers, Linux, Solaris, AIX, DNS, DHCP, POP3, SMTP, http, LDAP, IBM &amp;amp; Sun application servers (java), ...&lt;br /&gt;&lt;br /&gt;This information was gathered just by looking around on their website, but the next step I use is looking at job sites to see if I can find anything on that company. 
For this example I used one of the most popular job sites in Belgium called &lt;a href="http://www.vacature.com"&gt;vacature.com&lt;/a&gt; and it returned 12 job openings. On another job site called &lt;a href="http://www.monster.be"&gt;monster.be&lt;/a&gt; I found other information, such as which interim offices they use.&lt;br /&gt;&lt;br /&gt;To manage all the information I gather I use mind-mapping software. Since I like open source I looked for a good open source one and personally I like &lt;a href="http://freemind.sourceforge.net/"&gt;Freemind&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Next post will be about &lt;a href="http://www.sensepost.com/research_misc.html"&gt;BiLE&lt;/a&gt; from &lt;a href="http://www.sensepost.com/"&gt;Sensepost&lt;/a&gt;. A nice tool suite to get more info about relations between websites.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-5789994552302945909?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/5789994552302945909/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=5789994552302945909' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/5789994552302945909'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/5789994552302945909'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2009/08/getting-to-know-your-target-find-job_31.html' title='Getting to know your target: find a job'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-3412681380998510486</id><published>2009-08-17T20:38:00.003+02:00</published><updated>2009-08-17T20:48:00.829+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='BruCon'/><category scheme='http://www.blogger.com/atom/ns#' term='Hackerspace'/><category scheme='http://www.blogger.com/atom/ns#' term='HAR2009'/><title type='text'>HAR2009</title><content type='html'>I've been to &lt;a href="https://har2009.org"&gt;HAR2009&lt;/a&gt; and it was the first security conference I've ever been to. It was great, it was on a camping site and there were 2000 tickets sold. I met a lot of interesting people and went to quite some cool presentations. Not all topics were technical infosec topics, but that was okay. Next conference will be &lt;a href="http://www.brucon.org"&gt;BruCon&lt;/a&gt; and I'm looking forward to it.&lt;br /&gt;&lt;br /&gt;If you're in the neighborhood of Brussels and want to meet nice people at a &lt;a href="http://hackerspaces.org"&gt;hackerspace&lt;/a&gt; make sure to drop by the &lt;a href="http://hackerspace.be"&gt;Hackerspace Brussels&lt;/a&gt; (HSB). For those who don't know what a hackerspace is, just come. 
The people you'll meet are not the ones who'll break into your bank.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-3412681380998510486?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/3412681380998510486/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=3412681380998510486' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/3412681380998510486'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/3412681380998510486'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2009/08/har2009.html' title='HAR2009'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-5743322578115611213</id><published>2009-05-10T21:58:00.010+02:00</published><updated>2009-05-10T22:48:49.201+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='VMWare'/><category scheme='http://www.blogger.com/atom/ns#' term='Bugs'/><title type='text'>My struggle with VMWare server</title><content type='html'>Like so many of my fellow IT colleagues I run VMWare server on my laptop to do tests. 
I had my laptop scratched by our internal IT a couple of days ago and when I installed the latest VMWare Server (2.0.1) it worked fine and suddenly I got this.&lt;br /&gt;&lt;br /&gt;The first thing I got was this error message:&lt;br /&gt;Failed to Connect&lt;br /&gt;The connection was refused when attempting to contact &amp;lt;computername&amp;gt;:8333.&lt;br /&gt;Though the site seems valid, the browser was unable to establish a connection.&lt;br /&gt;*  Could the site be temporarily unavailable? Try again later.&lt;br /&gt;*  Are you unable to browse other sites?  Check the computer's network connection.&lt;br /&gt;*  Is your computer or network protected by a firewall or proxy? Incorrect settings&lt;br /&gt;    can interfere with Web browsing.&lt;br /&gt;&lt;br /&gt;When I had a look at the services I noticed that the VMWare Host Agent service was down.&lt;br /&gt;I tried to start it but no luck. It stayed down. The Windows System Event log mentioned&lt;br /&gt;"The VMware Host Agent service terminated with service-specific error 4294967295 (0xFFFFFFFF)."  I googled it and found in the VM communities that my datastores.xml file was corrupted.&lt;br /&gt;&lt;br /&gt;The way to repair this is to go to "C:\Documents and Settings\All Users\Application Data\VMware\VMware Server\hostd" and rename the old datastores.xml and make a copy of the datastores.xml.default and rename that copy to datastores.xml. I started the service and the service started without any problem.&lt;br /&gt;&lt;br /&gt;But I was still not at the end of the tunnel. The error message in my browser was still the same. Next thing I tried was to replace the computername with localhost. I got a message to tell me the SSL certificate was not installed. So I installed it and it loaded the login interface :).&lt;br /&gt;&lt;br /&gt;The situation is now that I can open it through localhost but not via computername nor through the IP-address. 
Interestingly enough I tried the loopback IP address 127.0.0.1 and got the message again that the certificate was not installed. I added my hostname to the hosts file with no success. So I wonder how the name resolution is done, I thought the first place where Windows looks to resolve a name is in the hosts file. I talked to a VMWare specialist at my job and although he is only familiar with ESX he thinks that I should look at the implementation of the tomcat. If anybody has a clue about this, please contact me.&lt;br /&gt;&lt;br /&gt;On my linux box at home I run the same VMWare server and there I did not have the same problem since I made the shortcut in my browser myself and pointed it to localhost :).  I guess there are just some bugs in it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-5743322578115611213?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/5743322578115611213/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=5743322578115611213' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/5743322578115611213'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/5743322578115611213'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2009/05/my-struggle-with-vmware-server.html' title='My struggle with VMWare server'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' 
src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-8102034196178149372</id><published>2009-05-05T08:12:00.001+02:00</published><updated>2009-05-05T08:14:23.072+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='tricks and tools'/><title type='text'>Quick format or regular format?</title><content type='html'>Yesterday I worked side by side with a colleague specialized in storage (SAN) and when he presented the disks to the Windows Operating System I mounted the drives and told Windows to start formatting.&lt;br /&gt;&lt;br /&gt;After a while my colleague asked me how far the formatting was and when I said X %, he told me I should have taken quick format to go quicker. Always willing to learn something I asked him what the actual difference is. The guy said that when you do a quick format, you actually don't do a format but the formatting will be done when you need the space. Quick format only defines the beginning and the end of the partition. Whereas the full format does a real format and goes through every sector on the partition. By doing this you will gain I/O performance my storage specialist said. 
This is interesting since one of the classic bottlenecks is the disk I/O.&lt;br /&gt;&lt;br /&gt;So, OK it takes time to format 300GB but if I gain some I/O performance and in the best of cases I can do it at night while sleeping I think it is worth considering.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-8102034196178149372?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/8102034196178149372/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=8102034196178149372' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/8102034196178149372'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/8102034196178149372'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2009/05/quick-format-or-regular-format.html' title='Quick format or regular format?'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-8435432709564936737</id><published>2009-04-23T07:45:00.002+02:00</published><updated>2009-04-23T07:53:44.938+02:00</updated><title type='text'>Big Brother</title><content type='html'>OK, it has happened. I was taught I live in a democracy and now the Belgian State has given the ISPs the order to block a certain website. 
I don't care about the content on that website. I know people can have their own opinion about it but the fact that my government limits my freedom on the internet looks to me like the so-called democracy is evolving into a totalitarian system. What will be next? Blocking google because you can find "bad" things as well on the internet or editing Wikipedia because there are some dark pages in the history of Belgium.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-8435432709564936737?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/8435432709564936737/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=8435432709564936737' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/8435432709564936737'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/8435432709564936737'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2009/04/big-brother.html' title='Big Brother'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-555283336616242605</id><published>2009-04-16T11:50:00.004+02:00</published><updated>2009-04-23T08:00:46.549+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Conficker'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Malware'/><title type='text'>Conficker</title><content type='html'>This &lt;a href="http://four.cs.uni-bonn.de/wg/cs/applications/containing-conficker/"&gt;website&lt;/a&gt; is very nice. The information about Conficker is research from the University of Bonn.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-555283336616242605?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/555283336616242605/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=555283336616242605' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/555283336616242605'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/555283336616242605'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2009/04/conficker.html' title='Conficker'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-4503756942407429445</id><published>2009-04-08T14:23:00.001+02:00</published><updated>2009-04-23T08:00:27.386+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Tools'/><title type='text'>The Dude</title><content type='html'>&lt;a href="http://www.mikrotik.com/thedude.php"&gt;The Dude&lt;/a&gt; is a nice little tool 
from MikroTik that I love to use if I need to see what boxes are on a subnet and I want to see it graphically. It is nothing spectacular and I know there are other tools out there but I simply like it.&lt;br /&gt;&lt;br /&gt;According to MikroTik you can run it under Wine but I tried a couple of times following their instructions and it failed each time.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-4503756942407429445?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/4503756942407429445/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=4503756942407429445' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/4503756942407429445'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/4503756942407429445'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2009/04/dude.html' title='The Dude'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-7188326055517461496</id><published>2009-04-01T14:15:00.001+02:00</published><updated>2009-04-23T07:56:06.755+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Risk Management'/><title type='text'>Common Weakness Enumeration</title><content type='html'>At Mitre you can 
find &lt;a href="http://cwe.mitre.org/data/definitions/699.html"&gt;these&lt;/a&gt; nice definitions on common weaknesses in software. I think this is handy if you are trying to do risk management.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-7188326055517461496?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/7188326055517461496/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=7188326055517461496' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/7188326055517461496'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/7188326055517461496'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2009/04/common-weakness-enumeration.html' title='Common Weakness Enumeration'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-7513998636434794440</id><published>2009-03-24T21:34:00.010+01:00</published><updated>2009-03-28T14:02:44.588+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Bruce Schneier'/><category scheme='http://www.blogger.com/atom/ns#' term='cryptograhy'/><category scheme='http://www.blogger.com/atom/ns#' term='ISSA-BE'/><category scheme='http://www.blogger.com/atom/ns#' term='talk'/><title 
type='text'>The great cryptographic demolition derby</title><content type='html'>Tonight &lt;a href="http://www.issa-be.org/"&gt;ISSA-BE&lt;/a&gt; was hosting a talk by &lt;a href="http://www.schneier.com/"&gt;Bruce Schneier&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The talk was in two parts. The first part was about cryptography and actually about a thing called the great cryptographic demolition derby. &lt;a href="http://www.nist.gov/"&gt;NIST&lt;/a&gt; has organised a first crypto contest and the winner was &lt;a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard"&gt;AES&lt;/a&gt;. Bruce was a participant with the &lt;a href="http://www.schneier.com/blowfish.html"&gt;blowfish&lt;/a&gt; algorithm.&lt;br /&gt;&lt;br /&gt;Currently there is another &lt;a href="http://en.wikipedia.org/wiki/NIST_hash_function_competition"&gt;contest&lt;/a&gt; for hash algorithms to replace &lt;a href="http://en.wikipedia.org/wiki/SHA1#SHA-2_family"&gt;SHA2&lt;/a&gt;. At the start there were 64 algorithms and this summer 16 will go through to the next round. Next year the top 5 will be announced and in 2011 the winner will be announced and be called SHA3.&lt;br /&gt;&lt;br /&gt;The big advantage of such contests is that the top minds in the industry participate and everybody in the world can enter and try to crack algorithms.&lt;br /&gt;&lt;br /&gt;One thing that I thought was interesting is that according to Bruce most cryptographic research happens in Europe and in some Asian countries. He thinks that the reason why the US is not so overwhelmingly represented is that the funding in the US is dependent on the &lt;a href="http://www.defenselink.mil/"&gt;DoD&lt;/a&gt; and the &lt;a href="http://www.nsf.gov/"&gt;National Science Foundation&lt;/a&gt; and they're not so happy that we could make things the government is not able to read.&lt;br /&gt;&lt;br /&gt;The second part of the talk was about security in general. Security is a trade off. The trade off is not always about money. 
It can be time, ease of use, ...&lt;br /&gt;&lt;br /&gt;A very clear example to illustrate this was about a bulletproof vest. They are very efficient in stopping bullets and there are many bullets in this world but nobody at the talk wore a bulletproof vest. Why? Simply because the risk of being shot at the talk was acceptable to those who attended it.&lt;br /&gt;&lt;br /&gt;Security is always a trade off between benefits and costs and that is the only economic perspective according to Schneier. To illustrate this he gave an example of the way we pick out a restaurant. If you are in a town and don't know any good restaurant you pick one based on unclear biased criteria that make sense to you. The same goes for security, we make decisions based on what we know but actually there is no way for us to prove that the decision is correct.&lt;br /&gt;&lt;br /&gt;All we want is adequate security at a reasonable cost. It seems that somewhere in security the trade off is more difficult than in real life (see the restaurant example)&lt;br /&gt;&lt;br /&gt;There is a theoretical 'right' answer to the question "what is adequate security and a reasonable cost?" but things like cultural differences, regulatory environment and the amount of data we have about the risk influence the right answer and so it will be different each time.&lt;br /&gt;&lt;br /&gt;Bruce also talked about the mandatory breach disclosure law in some US states. I think this would be a good idea to have this all over the world. At least we would know what happens. I am aware of the fact that this could do serious image damage to a company but coming clean is to me the first step in repairing the damage the company caused. 
I asked if there is a list on which we could check which companies suffered from which attacks, but Bruce wasn't aware of an existing list.&lt;br /&gt;&lt;br /&gt;Another point that came up was the &lt;a href="http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm?refer=true&amp;amp;theme=purple"&gt;European data protection act&lt;/a&gt;. One of the illusions we have is that we own our private data but if you actually think about it your data is owned by your government and companies. In Europe we have some protection due to this act but in most places on this planet this is not the case.&lt;br /&gt;&lt;br /&gt;The reason why we have e-crime is simply because there is money to be made. Actually it is simple, if you can make a profitable business model for something people will do it. The same idea goes for e-crime and so it is clear that we haven't seen the end of it. One thing is very clear, there is no specific law that can protect you since the Internet has no national boundaries and laws are bound to territorial boundaries.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-7513998636434794440?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/7513998636434794440/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=7513998636434794440' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/7513998636434794440'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/7513998636434794440'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2009/03/great-cryptographic-demolition-derby.html' 
title='The great cryptographic demolition derby'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-8191434341998536909</id><published>2009-03-22T13:45:00.002+01:00</published><updated>2009-03-22T15:58:46.890+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Tools'/><title type='text'>!exploitable</title><content type='html'>&lt;a href="http://www.microsoft.com/security/msec/default.mspx"&gt;Microsoft&lt;/a&gt; has announced at &lt;a href="http://cansecwest.com/"&gt;CanSecWest&lt;/a&gt; the release of &lt;a href="http://download.microsoft.com/download/7/2/8/728FE40F-93B6-47BD-B67D-78D04B63E27D/Automated%20Security%20Crash%20Dump%20Analysis.pptx"&gt;!exploitable&lt;/a&gt; (pronounced as bang exploitable). This tool is still in beta phase but a RC is &lt;a href="http://www.codeplex.com/msecdbg"&gt;publicly available&lt;/a&gt;.  
!exploitable is an extension on &lt;a href="http://www.microsoft.com/whdc/DevTools/Debugging/default.mspx"&gt;Windbg&lt;/a&gt;, the well known Windows Debugger.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-8191434341998536909?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/8191434341998536909/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=8191434341998536909' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/8191434341998536909'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/8191434341998536909'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2009/03/exploitable.html' title='!exploitable'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-7666965428580221647</id><published>2009-03-16T09:24:00.003+01:00</published><updated>2009-03-19T12:27:19.661+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Bugs'/><title type='text'>Foxit Reader &amp; JBIG2</title><content type='html'>I made a &lt;a href="http://erikvanderhasselt.blogspot.com/2009/03/didier-stevens-did-it-again.html"&gt;post&lt;/a&gt; about Didier Stevens a while ago who found vulnerabilities in Adobe pdf. 
But not only Adobe made mistakes. In the &lt;a href="http://www.sans.org/newsletters/risk/display.php?v=8&amp;amp;i=11&amp;amp;rss=Y#widely2"&gt;SANS newsbite newsletter&lt;/a&gt; is an article that the popular alternative Foxit Reader has vulnerabilities in the JBig2. (&lt;a href="http://en.wikipedia.org/wiki/JBIG2"&gt;JBig2&lt;/a&gt; is an image compression standard.)&lt;br /&gt;&lt;br /&gt;I am not a programmer but I know from the little programming experience at school I have that every code has bugs and the main goal of a programmer is to make things work. Therefore it is important that professional programmers get &lt;a href="http://www.google.be/search?q=secure+programming"&gt;educated&lt;/a&gt; about common problems and mistakes. Once the code is written I think the code has to go through a peer revision system. I know there are things called deadlines but still &lt;a href="http://en.wikipedia.org/wiki/Quality_assurance"&gt;QA&lt;/a&gt; of code is not something that can be skipped because the impact (Foxit has a user base of 50 million users) can be enormous.&lt;br /&gt;&lt;br /&gt;Even if you are somebody that likes to write code on your own make sure you have a kind of&lt;br /&gt;QA and practice secure programming.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-7666965428580221647?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/7666965428580221647/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=7666965428580221647' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/7666965428580221647'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/4908217061576309761/posts/default/7666965428580221647'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2009/03/foxit-reader-jbig2.html' title='Foxit Reader &amp; JBIG2'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-7611003247758905887</id><published>2009-03-12T22:47:00.003+01:00</published><updated>2009-03-12T22:51:18.583+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Tools'/><title type='text'>Nice website</title><content type='html'>Today I want to share &lt;a href="http://www.ss64.com/nt/"&gt;http://www.ss64.com/nt/&lt;/a&gt; with you. It is a simple website. 
You have a list of commands, next to it is written what it does and if you click on the command you get more details about the syntax.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-7611003247758905887?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/7611003247758905887/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=7611003247758905887' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/7611003247758905887'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/7611003247758905887'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2009/03/nice-website.html' title='Nice website'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-290609349250764880</id><published>2009-03-11T19:53:00.005+01:00</published><updated>2009-03-12T22:47:26.246+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Tools'/><title type='text'>Bastille</title><content type='html'>I was just configuring a box and used for the first time &lt;a href="http://bastille-linux.sourceforge.net/"&gt;bastille linux&lt;/a&gt; (a project from &lt;a href="http://bastille-linux.sourceforge.net/jay/"&gt;Jay Beale&lt;/a&gt;) and I have to say it is a 
nice tool. It helps you configure a linux box in a safe and easy way. It asks you a bunch of questions and explains the impact of the choices.&lt;br /&gt;&lt;br /&gt;Some people might think their box is 100% secure after running this but it isn't the case. You still have to do some additional steps (use hardening guides to help you) but it is a nice and simple start :).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-290609349250764880?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/290609349250764880/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=290609349250764880' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/290609349250764880'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/290609349250764880'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2009/03/bastille.html' title='Bastille'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-8134797831335513813</id><published>2009-03-11T19:34:00.005+01:00</published><updated>2009-03-11T19:52:30.896+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Tools'/><title type='text'>Keeping documentation</title><content type='html'>Yesterday I was 
talking with &lt;a href="http://christophe.vandeplas.com/"&gt;Christophe&lt;/a&gt; and he saw that I have a wiki on my system just to keep track of all the info I gather about almost any subject. For those interested it is a simple &lt;a href="http://www.wampserver.com/en/"&gt;wampserver&lt;/a&gt; and a simple &lt;a href="http://www.mediawiki.org/"&gt;mediawiki&lt;/a&gt;. Wampserver has this cool feature that gives me the option to set the access and I restricted it to localhost.&lt;br /&gt;&lt;br /&gt;Another tool I use was pointed out to me by the main programmer of &lt;a href="http://www.phpcompta.eu/"&gt;phpcompta&lt;/a&gt;. He showed me that there were wikis that were file based and I personally use &lt;a href="http://stickwiki.sourceforge.net/"&gt;wiki on a stick&lt;/a&gt; to document my own systems at home. I keep track of what is installed, how I installed it, configuration, etc. Most people think this might be overhead but it is a way for me to keep track of things because sometimes my memory gets corrupted ;-)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-8134797831335513813?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/8134797831335513813/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=8134797831335513813' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/8134797831335513813'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/8134797831335513813'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2009/03/keeping-documentation.html' title='Keeping 
documentation'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-1220591511915620583</id><published>2009-03-05T13:35:00.003+01:00</published><updated>2009-03-11T19:34:33.693+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><title type='text'>Didier Stevens did it again</title><content type='html'>Didier Stevens did it again :). He found some nice vulnerabilities related to pdf documents. To make things clear he created a nice video to demonstrate his findings.&lt;br /&gt;&lt;a href="http://blog.didierstevens.com/2009/03/04/quickpost-jbig2decode-trigger-trio/"&gt;http://blog.didierstevens.com/2009/03/04/quickpost-jbig2decode-trigger-trio/&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-1220591511915620583?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/1220591511915620583/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=1220591511915620583' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/1220591511915620583'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/1220591511915620583'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2009/03/didier-stevens-did-it-again.html' 
title='Didier Stevens did it again'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-6674586051345812969</id><published>2009-03-05T08:28:00.002+01:00</published><updated>2009-03-05T08:33:36.933+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Tools'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><title type='text'>L0phtcrack is back</title><content type='html'>Howdy,&lt;br /&gt;&lt;br /&gt;Going through my RSS feeds I got some great news. L0phtcrack the world famous Windows password auditing tool will be back.&lt;br /&gt;&lt;br /&gt;On &lt;a href="http://l0phtcrack.com/"&gt;l0phtcrack.com&lt;/a&gt; is an announcement that version 6 will be released on the &lt;a href="http://www.sourceconference.com/"&gt;Source conference&lt;/a&gt; in Boston.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-6674586051345812969?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/6674586051345812969/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=6674586051345812969' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/6674586051345812969'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/6674586051345812969'/><link rel='alternate' 
type='text/html' href='http://erikvanderhasselt.blogspot.com/2009/03/l0phtcrack-is-back.html' title='L0phtcrack is back'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-1755323516386222207</id><published>2009-02-25T22:59:00.004+01:00</published><updated>2009-02-25T23:27:26.228+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Privacy'/><category scheme='http://www.blogger.com/atom/ns#' term='Logs'/><title type='text'>How long do I need to keep logs?</title><content type='html'>Today I talked to a guy at an ISP where I do the SQL maintenance and I asked him what they keep in their logs about what people do with their services (telephony and Internet access for companies and private persons).&lt;br /&gt;&lt;br /&gt;For the telephony part, the law in Belgium asks them to keep which number called which number and matching them with the contracts of the customers of the telephony providers the law officers can trace your calls. I asked him if this is still the case if you use something like Skype out and according to him there is no way to trace this for the telephony provider, the cops have to have an agreement with Skype (who are based in Luxembourg).&lt;br /&gt;&lt;br /&gt;For the internet behavior he told me that they just keep the IP address leases for the dynamic IP customers and they don't care to what websites you go or what chatrooms you frequent. 
The only thing that the law requires them to do is to give the name and address of who owned that IP at that particular point in time.&lt;br /&gt;&lt;br /&gt;I asked him what the most common case for requesting the user's identity is and he said that it is usually a case of copyright violation.&lt;br /&gt;&lt;br /&gt;He wasn't aware of the TOR network and when I explained to him how it works, he said that it becomes a very difficult task for the cops to trace your particular visit to a website back to you.&lt;br /&gt;&lt;br /&gt;One particularity he told me is that the public (companies and private persons) are responsible for keeping their own router logs and should be able to show them to the men of law in case of an investigation. For how long you have to keep them if you're not an ISP he couldn't tell me.&lt;br /&gt;&lt;br /&gt;If anybody can tell me more about this subject please post a reaction. I think that it is important for the public to know this.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-1755323516386222207?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/1755323516386222207/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=1755323516386222207' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/1755323516386222207'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/1755323516386222207'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2009/02/how-log-do-i-need-to-keep-logs.html' title='How long do I need to keep logs?'/><author><name>Erik 
Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-3241457794043112286</id><published>2009-02-23T18:37:00.005+01:00</published><updated>2009-02-23T19:20:47.665+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='FOSS'/><title type='text'>Fosdem 2009</title><content type='html'>Hello,&lt;br /&gt;&lt;br /&gt;A couple of weekends ago I went to &lt;a href="http://www.fodem.org/"&gt;Fosdem 2009&lt;/a&gt;. This is my report of the talks I went to. I chose to go to the security track and to go to the mysql developer room.&lt;br /&gt;&lt;br /&gt;The first talk I went to was &lt;a href="http://www.owasp.org/index.php/Category:OWASP_Testing_Project"&gt;OWASP Testing guide v3&lt;/a&gt; given by Matteo Meucci. The OWASP testing guide is basically a must read for everybody these days. Back in the good old days when the internet used to be static it was easy to make a website and then things suddenly got more complicated which added nice features that have led up to web 2.0. As most of us know, everything has a price. As websites get more "layers" of complexity, there are more layers you have to look into to secure them. The OWASP Testing guide v3 does this. It is a nice example of structured knowledge about what there is to know about making a secure web app.&lt;br /&gt;&lt;br /&gt;The other security talk I went to was &lt;a href="http://fusil.hachoir.org/trac"&gt;Fusil&lt;/a&gt; by Victor Stinner. I just know what a fuzzer is but never played with one and learned a lot from it :). I asked Victor why he coded Fusil since he clearly states that there are other fuzzers out there. 
He answered me by telling me he is a hacker and wanted to write a fuzzer. You just got to love such an answer :)&lt;br /&gt;&lt;br /&gt;The rest of my day I sat down in the dev room of MySQL. I am not a developer myself (although I write my own code occasionally when I need something). It was very interesting. The first talk that I went to was about mysql clustering. Geert Vanderkelen introduced us to the basics of database clustering and I learned a lot. The following MySQL-talk wasn't actually a talk. It was Kaj Arnö, who asked us what we liked, disliked and how we would like things to be. It is nice to know that MySQL still is listening to its non-commercial user base.&lt;br /&gt;&lt;br /&gt;I've seen some strange partitioning at customers in Microsoft SQL and was curious about Giuseppe Maxia's talk. He gave the best explanation about partitioning there is and I will use his example to explain the advantage to those customers who need it and those who implemented it in that 'not so efficient' manner. He showed us the map of Brussels and tore it apart and showed us visually that it was far more efficient to find something on only a part of the map than on the big map. He got an applause for this.&lt;br /&gt;&lt;br /&gt;The last talk I went to was about database sharding. I never heard the word before and it was Jurriaan Persyn who gave that presentation. It is still not clear to me how it works but it seems to me that it is not the easiest thing to accomplish. 
There were some guys in the room who were asking a lot of questions and their questions were not actually about sharding but about availability issues and at a certain point it became annoying that Jurriaan wasn't talking anymore about his subject.&lt;br /&gt;&lt;br /&gt;It was a long but very interesting day and I look forward to doing stuff with all the new knowledge I gained and was happy to meet so many interesting people.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-3241457794043112286?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/3241457794043112286/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=3241457794043112286' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/3241457794043112286'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/3241457794043112286'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2009/02/fosdem-2009.html' title='Fosdem 2009'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-2495922345780233826</id><published>2009-02-09T14:15:00.000+01:00</published><updated>2009-02-09T14:16:44.711+01:00</updated><title type='text'>There is a new samourai in town</title><content type='html'>The 
Samurai Web Testing Framework is a LiveCD focused on web application testing.&lt;br /&gt;&lt;a href="http://sourceforge.net/project/showfiles.php?group_id=235785"&gt;http://sourceforge.net/project/showfiles.php?group_id=235785&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-2495922345780233826?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/2495922345780233826/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=2495922345780233826' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/2495922345780233826'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/2495922345780233826'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2009/02/there-is-new-samourai-in-town.html' title='There is a new samourai in town'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-2222311905196132535</id><published>2009-02-05T15:37:00.001+01:00</published><updated>2009-02-23T10:11:38.035+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security media'/><title type='text'>hackerscenter.com</title><content type='html'>&lt;div&gt;Howdy readers,&lt;br /&gt;&lt;br /&gt;I found this nice website &lt;a 
href="http://www.hackerscenter.com/"&gt;http://www.hackerscenter.com&lt;/a&gt; .&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-2222311905196132535?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/2222311905196132535/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=2222311905196132535' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/2222311905196132535'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/2222311905196132535'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2009/02/hackerscentercom.html' title='hackerscenter.com'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-5376174295356686124</id><published>2009-02-05T10:27:00.004+01:00</published><updated>2009-02-05T10:38:53.134+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security media'/><title type='text'>Security Media</title><content type='html'>Everybody knows youtube. The other day I stumbled upon &lt;a href="http://www.securritytube.net/"&gt;securitytube&lt;/a&gt;. A site with currently more than 165 videos about security and related items. Yes, I like video as a format. 
I enjoy reading but if a video is as it should be you can learn a lot. I learned quite a lot from &lt;a href="http://www.irongeek.com/"&gt;Irongeek&lt;/a&gt;'s website too. And of course on &lt;a href="http://www.youtube.com/"&gt;youtube&lt;/a&gt; you can find some interesting stuff. If you like to watch a nice tech-show check out &lt;a href="http://www.hak5.org/"&gt;Hak5&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;I like to listen to podcasts as well, one of my favorite security podcasts is &lt;a href="http://www.pauldotcom.com/"&gt;PaulDotCom&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;If you have interesting websites, podcasts, RSS feeds, ... share them with me :)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-5376174295356686124?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/5376174295356686124/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=5376174295356686124' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/5376174295356686124'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/5376174295356686124'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2009/02/securitytube.html' title='Security Media'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' 
src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-7227785840615422812</id><published>2009-02-02T22:45:00.002+01:00</published><updated>2009-02-02T23:01:16.041+01:00</updated><title type='text'>Securing a LAMP Server ... follow up</title><content type='html'>Recently I've been working on a &lt;a href="http://erikvanderhasselt.blogspot.com/2009/01/securing-lamp-server-intro.html"&gt;LAMP Server&lt;/a&gt;. I learned a lot and got an interesting pointer from &lt;a href="http://christophe.vandeplas.com/"&gt;Christophe Vandeplas&lt;/a&gt;. The Center for Internet Security has a collection of nice &lt;a href="http://www.cisecurity.org/benchmarks.html"&gt;scoring tools/benchmarks&lt;/a&gt; to verify if a system is correctly implemented.&lt;br /&gt;&lt;br /&gt;I recommend this exercise to everybody. You make a &lt;a href="http://www.vmware.com"&gt;VMWare server&lt;/a&gt; on a machine (or use a &lt;a href="http://www.virtualbox.org"&gt;virtual box&lt;/a&gt; if you like open source). Set a box up and do the homework :).&lt;br /&gt;&lt;br /&gt;Next &lt;a href="http://www.owasp.org/index.php/Belgium#Next_Meeting_.28Feb-4-2009.29_in_Brussels"&gt;Wednesday&lt;/a&gt; I'll be joining our &lt;a href="http://www.owasp.org/index.php/Belgium#OWASP_Belgium_Local_Chapter"&gt;Belgian OWASP chapter&lt;/a&gt;. On the agenda:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Best Practices Guide Web Application Firewalls&lt;/li&gt;&lt;li&gt;Research on Belgian bank trojan attacks&lt;/li&gt;&lt;/ul&gt;I hope to meet you there. 
If you can't be there I'll make a post with my impressions.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-7227785840615422812?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/7227785840615422812/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=7227785840615422812' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/7227785840615422812'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/7227785840615422812'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2009/02/securing-lamp-server-follow-up.html' title='Securing a LAMP Server ... follow up'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-8397486468557978784</id><published>2009-01-28T13:54:00.010+01:00</published><updated>2009-02-01T13:49:24.798+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Suspect Mode'/><category scheme='http://www.blogger.com/atom/ns#' term='Backup'/><title type='text'>No backup and the database in suspect mode</title><content type='html'>This week, I got a call to help out with a database in suspect mode. I tried the usual MS SQL arsenal of tricks to get the CRM-database of that customer back. 
After more than 20 hours of repair commands (those included a night of sleep) I had to give a negative answer to the customer.&lt;br /&gt;&lt;br /&gt;In the afternoon I had another call to ask if we could try to extract the data and dump it into another database or flat file. I had no clue how we could do this since everything in the last 20 hours failed. My colleague &lt;a href="http://trycatch.be/blogs/gert/"&gt;Gert Lievens&lt;/a&gt; found a technique on the Internet that we never tried before but that worked :). We got everything back except for a primary key on 1 table and 1 index on that same table.&lt;br /&gt;&lt;br /&gt;This is how it works:&lt;br /&gt;First you change the database from suspect mode to emergency mode. Next you make sure you're the only one using it by forcing it in single user mode (with no wait of course). Then you make a DTS package where you use the copy database component. We configured the package to work in small steps (tables, views, functions, ....) and finally we found that the error was on the primary key and index for that table. So we told the DTS package to make a copy of that specific table but leave the primary key and indexes out. At the end of the day we had an identical copy of the database and a happy customer.&lt;br /&gt;&lt;br /&gt;There are some lessons to be learned here:&lt;br /&gt;1. Make sure your backups are ok if you manage a database.&lt;br /&gt;2. 
There is another technique to get data back that I learned about.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-8397486468557978784?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/8397486468557978784/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=8397486468557978784' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/8397486468557978784'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/8397486468557978784'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2009/01/no-backup-and-database-in-suspect-mode.html' title='No backup and the database in suspect mode'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-2526000722779068470</id><published>2009-01-20T12:33:00.002+01:00</published><updated>2009-01-20T12:38:04.278+01:00</updated><title type='text'>Enter at own risk (follow up story)</title><content type='html'>In the month of November 2008 I had a bad restaurant experience (&lt;br /&gt;&lt;a href="http://erikvanderhasselt.blogspot.com/2008/11/enter-at-own-risk-dont-go-eat-there.html"&gt;http://erikvanderhasselt.blogspot.com/2008/11/enter-at-own-risk-dont-go-eat-there.html&lt;/a&gt;) and filed a complaint at our 
federal agency for food safety.&lt;br /&gt;&lt;br /&gt;I got an e-mail today from the agency telling me that their inquiry has finished and that my complaint was well founded and the necessary measures will be taken. What that means isn't in the text but I am happy with the result.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-2526000722779068470?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/2526000722779068470/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=2526000722779068470' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/2526000722779068470'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/2526000722779068470'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2009/01/enter-at-own-risk-follow-up-story.html' title='Enter at own risk (follow up story)'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-1855942011427706408</id><published>2009-01-07T20:20:00.004+01:00</published><updated>2009-01-07T20:29:19.994+01:00</updated><title type='text'>Undelete Plus : data recovery tool</title><content type='html'>We all know that situation: you get a call from a friend to tell you the data on his USB stick or hard disk has 
gone. I have some recovery software but recently &lt;a href="http://christophe.vandeplas.com"&gt;Christophe Vandeplas&lt;/a&gt; has told me about &lt;a href="http://undelete-plus.com"&gt;UndeletePlus&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;It is a free little tool, I've played around with it and I hope it will help me when I get that call again.&lt;br /&gt;&lt;br /&gt;&lt;cite&gt;&lt;/cite&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-1855942011427706408?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/1855942011427706408/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=1855942011427706408' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/1855942011427706408'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/1855942011427706408'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2009/01/undelete-plus-data-recovery-tool.html' title='Undelete Plus : data recovery tool'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-8959547637131663321</id><published>2009-01-07T20:00:00.006+01:00</published><updated>2009-01-07T20:20:11.933+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='LAMP'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Linux'/><title type='text'>Securing an LAMP server ... intro</title><content type='html'>I've been given the opportunity to secure a LAMP server. I've never done this before but there is a first time for everything.&lt;br /&gt;&lt;br /&gt;This is the layout of the system:&lt;br /&gt;First of course there is OS hardening. I mention it since I've noticed that it isn't done by everyone. It is an Ubuntu server and Google was my friend :). There is tons of info out there.&lt;br /&gt;&lt;br /&gt;All ports except port 80 will be closed towards the Internet and port 80 will be connected to the web server by using NAT. On the web server the only ports open are HTTPS and SSH.&lt;br /&gt;&lt;br /&gt;The server has a firewall and 3 rules:&lt;br /&gt;1. Close every port&lt;br /&gt;2. Allow the HTTPS traffic from the internal network and the Internet&lt;br /&gt;3. Allow SSH traffic from the internal network and the Internet.&lt;br /&gt;&lt;br /&gt;I am not happy with the last one, I will change it so that only the admin has access from his laptop but right now it is not my primary concern.&lt;br /&gt;&lt;br /&gt;In my next post about securing a LAMP server, I'll be talking about the Apache web server. 
Meanwhile if you have any suggestions or questions just give me a reaction.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-8959547637131663321?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/8959547637131663321/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=8959547637131663321' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/8959547637131663321'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/8959547637131663321'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2009/01/securing-lamp-server-intro.html' title='Securing an LAMP server ... intro'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-4369129323761829202</id><published>2008-12-31T15:02:00.002+01:00</published><updated>2008-12-31T15:14:21.845+01:00</updated><title type='text'>Happy New Year ! ... hang on a second</title><content type='html'>Hello,&lt;br /&gt;&lt;br /&gt;It is only a matter of a couple of hours here in Brussels. 
Yesterday they said on the Belgian news that worldwide the atomic clocks will be stopped for one second at midnight since the earth is slowing down.&lt;br /&gt;&lt;br /&gt;So before you jump up and shout Happy New Year take a second for yourself. You've deserved it :).&lt;br /&gt;&lt;br /&gt;Happy New Year folks!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-4369129323761829202?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/4369129323761829202/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=4369129323761829202' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/4369129323761829202'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/4369129323761829202'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2008/12/happy-new-year-hang-on-second.html' title='Happy New Year ! ... 
hang on a second'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-7935563047100909900</id><published>2008-12-09T20:40:00.004+01:00</published><updated>2008-12-17T13:28:02.702+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='WiFi'/><title type='text'>Netstumbling WiFi APs</title><content type='html'>A couple of evenings ago I had to drive through a nicely populated area just outside Brussels. I wanted to see for myself what my built-in WiFi could find. I used netstumbler to see what was in the air.&lt;br /&gt;&lt;br /&gt;I've found 1228 WiFi connections of which 349 were wide open with no form of protection. I looked at netstumbler and it picked up more signals each time I approached the center of a town. It is probably correct to say that there are more chances to find concentrations of networks in town centers but I have to tell you as well that you drive slower so the laptop had more time to pick up signals.&lt;br /&gt;&lt;br /&gt;In the 1228 WiFi connections there were 8 peer-to-peer connections of which only 1 had a form of protection. There were 2 hpsetup; this is usually an SSID for an HP printer. One other peer-to-peer was also a printer according to the SSID.&lt;br /&gt;&lt;br /&gt;The majority of connections were either 11 Mbps or 54 Mbps. (The maximum my card does is 54 Mbps). 
The brands I encountered were 3Com, Apple, bbox2 (Belgacom), Belkin, D-link, Hercules, Philips, Linksys, Mobistar, Netgear, Sagem, Thomson, Sweex, Topcom, US Robotics, ZyXel, Nokia.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-7935563047100909900?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/7935563047100909900/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=7935563047100909900' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/7935563047100909900'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/7935563047100909900'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2008/12/netstumbling-wifi-aps.html' title='Netstumbling WiFi APs'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-2557456085145156987</id><published>2008-12-03T17:55:00.024+01:00</published><updated>2008-12-03T19:17:43.158+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='x64'/><category scheme='http://www.blogger.com/atom/ns#' term='High Availability'/><category scheme='http://www.blogger.com/atom/ns#' term='Windows 2008'/><category scheme='http://www.blogger.com/atom/ns#' term='database mail'/><category 
scheme='http://www.blogger.com/atom/ns#' term='SQL 2005'/><category scheme='http://www.blogger.com/atom/ns#' term='Cluster'/><title type='text'>Lessons learned ... clustering SQL 2005 on a Windows 2008 (x64) cluster</title><content type='html'>The last couple of days have been very stressful. I've just finished a clustered install of SQL2005 on a Win2008. I'll be talking in this post about the issues I had.&lt;br /&gt;&lt;br /&gt;The first problem I had was getting to know Win2008. I know according to Microsoft that everything has improved but the challenge for us professionals is to keep up with the fact that some things don't have the same name or are in a completely different location. So I lost quite some valuable time on calling around asking a Windows system engineer the questions "where can I find ..." and "How do I do ...". Yes, I felt like a complete idiot.&lt;br /&gt;&lt;br /&gt;First I had to set up the MSDTC cluster resource; in Win2008 there is a wizard for that. I used it and it worked fine.&lt;br /&gt;&lt;br /&gt;Then I had to add my clustered disks ... formatting took like an eternity. No, I'm kidding, but it took a while and I was very impatient to go on.&lt;br /&gt;&lt;br /&gt;Once all that was done I organised the cluster resources and started the SQL Server install. It went as planned. 
I ticked the box to say it was a cluster install and continued on my quest.&lt;br /&gt;&lt;br /&gt;The first error message I got was this one:&lt;br /&gt;&lt;br /&gt;&lt;a style="" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/__3h6Z21M2sE/STa-MDoTs7I/AAAAAAAAAAU/vFwzsViOakw/s1600-h/errorFTSearchdown.png"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 400px; height: 84px;" src="http://4.bp.blogspot.com/__3h6Z21M2sE/STa-MDoTs7I/AAAAAAAAAAU/vFwzsViOakw/s400/errorFTSearchdown.png" alt="" id="BLOGGER_PHOTO_ID_5275613127853192114" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;It is actually the full-text search service that is down and it is simply solved by installing &lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=d07219b2-1e23-49c8-8f0c-63fa18f26d3a&amp;amp;displaylang=en"&gt;SQL 2005 SP2&lt;/a&gt;. After clicking OK I ran into the next error.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/__3h6Z21M2sE/STa_G8NHDxI/AAAAAAAAAAc/ihtTZP2tSdA/s1600-h/errorVS.png"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 400px; height: 182px;" src="http://3.bp.blogspot.com/__3h6Z21M2sE/STa_G8NHDxI/AAAAAAAAAAc/ihtTZP2tSdA/s400/errorVS.png" alt="" id="BLOGGER_PHOTO_ID_5275614139472350994" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;It is stupid but I needed to install &lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=BB4A75AB-E2D4-4C96-B39D-37BAF6B5B1DC&amp;amp;displaylang=en"&gt;Visual Studio 2005 SP1&lt;/a&gt; (I only found x86) to solve this one. I think this happens because the SQL Server Management Studio is written in 32-bit and I was working on x64. 
I know in Windows 2003 this is no issue but apparently on Windows 2008 it becomes one.&lt;br /&gt;&lt;br /&gt;After fixing this I installed SQL 2005 SP2 and that has a problem of its own. I noticed that I was not able to make maintenance plans. I got these nice screenshots:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/__3h6Z21M2sE/STbBuiTzX_I/AAAAAAAAAAk/WJPQkYBu5Lg/s1600-h/errorSP2_1.png"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 400px; height: 127px;" src="http://2.bp.blogspot.com/__3h6Z21M2sE/STbBuiTzX_I/AAAAAAAAAAk/WJPQkYBu5Lg/s400/errorSP2_1.png" alt="" id="BLOGGER_PHOTO_ID_5275617018739122162" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/__3h6Z21M2sE/STbB6XiyQ4I/AAAAAAAAAAs/EGJmNXoIdTQ/s1600-h/errorSP2_2.png"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 400px; height: 118px;" src="http://4.bp.blogspot.com/__3h6Z21M2sE/STbB6XiyQ4I/AAAAAAAAAAs/EGJmNXoIdTQ/s400/errorSP2_2.png" alt="" id="BLOGGER_PHOTO_ID_5275617222007604098" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/__3h6Z21M2sE/STbCDnupWHI/AAAAAAAAAA0/2VejZ9lXVvU/s1600-h/errorSP2_3.png"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 400px; height: 137px;" src="http://4.bp.blogspot.com/__3h6Z21M2sE/STbCDnupWHI/AAAAAAAAAA0/2VejZ9lXVvU/s400/errorSP2_3.png" alt="" id="BLOGGER_PHOTO_ID_5275617380971141234" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;This is what happened: for 
some reason (don't ask me why) it seems that the &lt;a href="http://technet.microsoft.com/en-us/library/ms190940.aspx"&gt;resource database&lt;/a&gt; had trouble updating in SP2. SP2 apparently changed some things ...&lt;br /&gt;&lt;br /&gt;If you run into this, you can verify the version of your resource database with this query:&lt;br /&gt;&lt;br /&gt;&lt;div id="couche22" style="border: 1px dotted rgb(192, 192, 192); padding: 4pt; overflow: auto; width: 430px; height: 24px;"&gt;&lt;span style="font-family:courier new;"&gt;SELECT SERVERPROPERTY('ResourceVersion');&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;When I ran that query it answered 9.00.1399, which is the RTM version (RTM is how it is shipped the first day your version is sold). Okay, that was useful info but how to solve this was a mystery to me. I cruised around on the information highway and found out that all it took was to manually run the queries that are located in the "sysdbupg" script. This script can be found in "C:\Program Files\Microsoft SQL Server\&lt;instance-installation&gt;MSSQL\Install". I ran it and got the maintenance plans back.&lt;br /&gt;&lt;br /&gt;The last issue I had was an issue with database mail. Luckily for me there are nice people who blog and at &lt;a href="http://paradisj.blogspot.com/2008/08/sql-server-2005-database-mail-in.html"&gt;Jean-Pierre Paradis' Blog&lt;/a&gt; I found what I was looking for. I got an activation failure.&lt;br /&gt;&lt;br /&gt;I just copied Jean-Pierre's solution and it worked. I repeat it here in case for some reason you are not able to get to his blog.&lt;br /&gt;&lt;br /&gt;First create the text file DataBaseMail90.exe.config in the \MSSQL\Binn folder of your SQL Instance (ex: \Program Files\Microsoft SQL Server\MSSQL.1\MSSQLSERVER\MSSQL\Binn) 
with the following content :&lt;br /&gt;&lt;br /&gt;&lt;/instance-installation&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/__3h6Z21M2sE/STbM0bjlShI/AAAAAAAAAA8/9anFTzLUSHw/s1600-h/codeDBMail90.png"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 395px; height: 152px;" src="http://3.bp.blogspot.com/__3h6Z21M2sE/STbM0bjlShI/AAAAAAAAAA8/9anFTzLUSHw/s400/codeDBMail90.png" alt="" id="BLOGGER_PHOTO_ID_5275629214633380370" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;instance-installation&gt;Next thing to do is to load this in SSMS:&lt;br /&gt;&lt;br /&gt;&lt;/instance-installation&gt;&lt;div id="couche4" style="border: 1px dotted rgb(192, 192, 192); padding: 4pt; overflow: auto; width: 430px; height: 300px;"&gt;&lt;span style="font-family:Courier New;"&gt;&lt;span style="font-family:Courier New;"&gt;USE msdb;&lt;br /&gt;GO&lt;br /&gt;INSERT INTO [msdb].[dbo].[sysmail_configuration]&lt;br /&gt;(&lt;br /&gt;[paramname]&lt;br /&gt;,[paramvalue]&lt;br /&gt;,[description]&lt;br /&gt;)&lt;br /&gt;VALUES&lt;br /&gt;(&lt;br /&gt;N'ReadFromConfigurationFile'&lt;br /&gt;,N'1'&lt;br /&gt;,N'Send mail from mail server in configuration file'&lt;br /&gt;);&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;span style="font-family:Courier New;"&gt;&lt;br /&gt;Then I replaced this stored procedure:&lt;br /&gt;&lt;br /&gt;&lt;div id="couche4" style="border: 1px dotted rgb(192, 192, 192); padding: 4pt; overflow: auto; width: 430px; height: 300px;"&gt;USE [msdb]&lt;br /&gt;GO&lt;br /&gt;/****** Object:  StoredProcedure [dbo].[sp_sysmail_activate]    Script Date: 12/01/2008 15:41:40 ******/&lt;br /&gt;SET ANSI_NULLS ON&lt;br /&gt;GO&lt;br /&gt;SET QUOTED_IDENTIFIER OFF&lt;br /&gt;GO&lt;br /&gt;-- sp_sysmail_activate : Starts the DatabaseMail process if it isn't already running&lt;br /&gt;--&lt;br /&gt;ALTER 
PROCEDURE [dbo].[sp_sysmail_activate]&lt;br /&gt;AS&lt;br /&gt;BEGIN&lt;br /&gt;DECLARE @mailDbName sysname&lt;br /&gt;DECLARE @mailDbId INT&lt;br /&gt;DECLARE @mailEngineLifeMin INT&lt;br /&gt;DECLARE @loggingLevel nvarchar(256)&lt;br /&gt;DECLARE @loggingLevelInt int&lt;br /&gt;DECLARE @parameter_value nvarchar(256)&lt;br /&gt;DECLARE @localmessage nvarchar(max)&lt;br /&gt;DECLARE @rc INT&lt;br /&gt;&lt;br /&gt;EXEC @rc = msdb.dbo.sysmail_help_configure_value_sp @parameter_name = N'DatabaseMailExeMinimumLifeTime',&lt;br /&gt;                                               @parameter_value = @parameter_value OUTPUT&lt;br /&gt;IF(@rc &lt;&gt; 0)&lt;br /&gt;RETURN (1)&lt;br /&gt;&lt;br /&gt;--ConvertToInt will return the default if @parameter_value is null or config value can't be converted&lt;br /&gt;--Setting max exe lifetime is 1 week (604800 secs). Can't see a reason for it to ever run longer that this&lt;br /&gt;SET @mailEngineLifeMin = dbo.ConvertToInt(@parameter_value, 604800, 600)&lt;br /&gt;&lt;br /&gt;--Try and get the optional logging level for the DatabaseMail process&lt;br /&gt;EXEC msdb.dbo.sysmail_help_configure_value_sp @parameter_name = N'LoggingLevel',&lt;br /&gt;                                         @parameter_value = @loggingLevel OUTPUT&lt;br /&gt;&lt;br /&gt;--Convert logging level into string value for passing into XP&lt;br /&gt;SET @loggingLevelInt = dbo.ConvertToInt(@loggingLevel, 3, 2)&lt;br /&gt;IF @loggingLevelInt = 1&lt;br /&gt;SET @loggingLevel = 'Normal'&lt;br /&gt;ELSE IF @loggingLevelInt = 3&lt;br /&gt;SET @loggingLevel = 'Verbose'&lt;br /&gt;ELSE -- default&lt;br /&gt;SET @loggingLevel = 'Extended'&lt;br /&gt;&lt;br /&gt;SET @mailDbName = DB_NAME()&lt;br /&gt;SET @mailDbId   = DB_ID()&lt;br /&gt;&lt;br /&gt;EXEC @rc = master..xp_sysmail_activate @mailDbId, @mailDbName, @mailEngineLifeMin, @loggingLevel&lt;br /&gt;IF(@rc &lt;&gt; 0)&lt;br /&gt;BEGIN&lt;br /&gt;SET @localmessage = FORMATMESSAGE(14637)&lt;br /&gt;exec 
msdb.dbo.sysmail_logmailevent_sp @event_type=3, @description=@localmessage&lt;br /&gt;END&lt;br /&gt;ELSE&lt;br /&gt;BEGIN&lt;br /&gt;SET @localmessage = FORMATMESSAGE(14638)&lt;br /&gt;exec msdb.dbo.sysmail_logmailevent_sp @event_type=0, @description=@localmessage&lt;br /&gt;END&lt;br /&gt;&lt;br /&gt;RETURN @rc&lt;br /&gt;END&lt;/div&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;with this one&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;div id="couche4" style="border: 1px dotted rgb(192, 192, 192); padding: 4pt; overflow: auto; width: 430px; height: 300px;"&gt; &lt;p&gt;&lt;span style="font-family:Courier New;"&gt;USE [msdb]&lt;br /&gt;GO&lt;br /&gt;/****** Object:  StoredProcedure [dbo].[sp_sysmail_activate]    Script Date: 08/13/2008 11:59:49 ******/&lt;br /&gt;SET ANSI_NULLS ON&lt;br /&gt;GO&lt;br /&gt;SET QUOTED_IDENTIFIER ON&lt;br /&gt;GO&lt;br /&gt;-- sp_sysmail_activate : Starts the DatabaseMail process if it isn't already running&lt;br /&gt;--&lt;br /&gt;ALTER PROCEDURE [dbo].[sp_sysmail_activate] &lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-family:Courier New;"&gt;AS&lt;br /&gt;BEGIN&lt;br /&gt;DECLARE @mailDbName sysname&lt;br /&gt;DECLARE @mailDbId INT&lt;br /&gt;DECLARE @mailEngineLifeMin INT&lt;br /&gt;DECLARE @loggingLevel nvarchar(256)&lt;br /&gt;DECLARE @loggingLevelInt int&lt;br /&gt;DECLARE @parameter_value nvarchar(256)&lt;br /&gt;DECLARE @localmessage nvarchar(max)&lt;br /&gt;DECLARE @readFromConfigFile INT&lt;br /&gt;DECLARE @rc INT &lt;/span&gt; &lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Courier New;"&gt;    SET NOCOUNT ON&lt;br /&gt;EXEC sp_executesql @statement = N'RECEIVE TOP(0) * FROM msdb.dbo.ExternalMailQueue' &lt;/span&gt; &lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Courier New;"&gt;    EXEC @rc = msdb.dbo.sysmail_help_configure_value_sp @parameter_name = N'DatabaseMailExeMinimumLifeTime',&lt;br /&gt;                                               @parameter_value = @parameter_value OUTPUT&lt;br /&gt;IF(@rc 
&lt;&gt; 0)&lt;br /&gt;RETURN (1) &lt;/span&gt; &lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Courier New;"&gt;    --ConvertToInt will return the default if @parameter_value is null or config value can't be converted&lt;br /&gt;--Setting max exe lifetime is 1 week (604800 secs). Can't see a reason for it to ever run longer that this&lt;br /&gt;SET @mailEngineLifeMin = dbo.ConvertToInt(@parameter_value, 604800, 600) &lt;/span&gt; &lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Courier New;"&gt;    EXEC msdb.dbo.sysmail_help_configure_value_sp @parameter_name = N'ReadFromConfigurationFile',&lt;br /&gt;                                         @parameter_value = @parameter_value OUTPUT&lt;br /&gt;--Try to read the optional read from configuration file:&lt;br /&gt;SET @readFromConfigFile = dbo.ConvertToInt(@parameter_value, 1, 0) &lt;/span&gt; &lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Courier New;"&gt;    --Try and get the optional logging level for the DatabaseMail process&lt;br /&gt;EXEC msdb.dbo.sysmail_help_configure_value_sp @parameter_name = N'LoggingLevel',&lt;br /&gt;                                         @parameter_value = @loggingLevel OUTPUT &lt;/span&gt; &lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Courier New;"&gt;    --Convert logging level into string value for passing into XP&lt;br /&gt;SET @loggingLevelInt = dbo.ConvertToInt(@loggingLevel, 3, 2)&lt;br /&gt;IF @loggingLevelInt = 1&lt;br /&gt;SET @loggingLevel = 'Normal'&lt;br /&gt;ELSE IF @loggingLevelInt = 3&lt;br /&gt;SET @loggingLevel = 'Verbose'&lt;br /&gt;ELSE -- default&lt;br /&gt;SET @loggingLevel = 'Extended' &lt;/span&gt; &lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Courier New;"&gt;    SET @mailDbName = DB_NAME()&lt;br /&gt;SET @mailDbId   = DB_ID() &lt;/span&gt; &lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Courier New;"&gt;    EXEC @rc = master..xp_sysmail_activate @mailDbId, @mailDbName, @readFromConfigFile,&lt;br /&gt;@mailEngineLifeMin, @loggingLevel&lt;br /&gt;IF(@rc &lt;&gt; 
0)&lt;br /&gt;BEGIN&lt;br /&gt;SET @localmessage = FORMATMESSAGE(14637)&lt;br /&gt;exec msdb.dbo.sysmail_logmailevent_sp @event_type=3, @description=@localmessage&lt;br /&gt;END&lt;br /&gt;ELSE&lt;br /&gt;BEGIN&lt;br /&gt;SET @localmessage = FORMATMESSAGE(14638)&lt;br /&gt;exec msdb.dbo.sysmail_logmailevent_sp @event_type=0, @description=@localmessage&lt;br /&gt;END &lt;/span&gt; &lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Courier New;"&gt;    RETURN @rc&lt;br /&gt;END&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;Start the procedure with the following SQL command:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;div id="couche22" style="border: 1px dotted rgb(192, 192, 192); padding: 4pt; overflow: auto; width: 430px; height: 24px;"&gt;&lt;span style="font-family:Courier New;"&gt;EXEC msdb.dbo.sysmail_start_sp;&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;Finally, that was the last issue I had. Thanks to everybody who helped me; as always in our business it is a matter of looking at a problem with as many people as possible.&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-2557456085145156987?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/2557456085145156987/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=2557456085145156987' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/2557456085145156987'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/2557456085145156987'/><link rel='alternate' 
type='text/html' href='http://erikvanderhasselt.blogspot.com/2008/12/lessons-learned-clustering-sql-2005-on.html' title='Lessons learned ... clustering SQL 2005 on a Windows 2008 (x64) cluster'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/__3h6Z21M2sE/STa-MDoTs7I/AAAAAAAAAAU/vFwzsViOakw/s72-c/errorFTSearchdown.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-4985210971010821939</id><published>2008-11-29T16:51:00.002+01:00</published><updated>2008-11-29T17:06:28.200+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Linux'/><category scheme='http://www.blogger.com/atom/ns#' term='USB'/><category scheme='http://www.blogger.com/atom/ns#' term='Shell'/><title type='text'>Mounting usb-drives with a NTFS lock on it.</title><content type='html'>Everybody has come across it: you're in a hurry and unplug the USB drive before Windows releases the disk. This is how to solve it when you have a Linux machine (or a bootable Linux CD).&lt;br /&gt;&lt;br /&gt;First you make a directory on which you will mount the disk. 
For people new to Linux this is just a simple directory to which you will attach the disk.&lt;br /&gt;&lt;br /&gt;Open yourself a shell prompt and type the following:&lt;br /&gt;&lt;span style="font-family: courier new;"&gt;mkdir ~/mydisk&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;This will make the &lt;/span&gt;directory in your home directory.&lt;br /&gt;&lt;br /&gt;Then type the following:&lt;br /&gt;mount -t ntfs-3g /dev/sdg1 ~/mydisk -o force&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;This will mount the disk presented at the device /dev/sdg1 and attach it to the folder ~/&lt;/span&gt;mydisk. For people new to Linux I recommend doing some further reading about devices.&lt;br /&gt;&lt;br /&gt;My system answers me with:&lt;br /&gt;$LogFile indicates unclean shutdown (0, 0)&lt;br /&gt;WARNING: Forced mount, reset $LogFile.&lt;br /&gt;&lt;br /&gt;And I find the disk mounted under ~/mydisk&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-4985210971010821939?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/4985210971010821939/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=4985210971010821939' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/4985210971010821939'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/4985210971010821939'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2008/11/mounting-usb-drives-with-ntfs-lock-on.html' title='Mounting usb-drives with a NTFS lock on 
it.'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-627794074785045127</id><published>2008-11-29T10:38:00.004+01:00</published><updated>2008-11-29T10:57:42.442+01:00</updated><title type='text'>FOSDEM 2009 and HAR2009</title><content type='html'>I want to tell you about 2 upcoming events: fosdem and HAR2009.&lt;br /&gt;&lt;br /&gt;Fosdem is according to their website a free and non-commercial event organized by the community, for the community. Its goal is to provide Free and Open Source developers a place to meet. (&lt;a href="http://www.fosdem.org/2009/"&gt;http://www.fosdem.org/2009/&lt;/a&gt;). Fosdem will take place the 7th and 8th of February 2009 in Brussels. Every year people come from all over the world. One of the things I like is the open idea. If you want to talk to somebody and exchange ideas, you just walk up to that person and start a conversation. If you go back to the previous years you'll see that they managed to get some important speakers in the open source community.&lt;br /&gt;&lt;br /&gt;HAR is totally something else. HAR's website is &lt;a href="http://har2009.org/"&gt;http://har2009.org/&lt;/a&gt;. It is an international technology &amp;amp; security conference. It will take place in August 2009 from the 13th till 16th near Vierhouten, NL. 
It is something like &lt;a href="http://www.rockwerchter.be"&gt;Rock Werchter&lt;/a&gt; but for people who are into technology and security.&lt;br /&gt;&lt;br /&gt;I plan to go to fosdem for a couple of talks and I would like to go to HAR if it is possible.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-627794074785045127?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/627794074785045127/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=627794074785045127' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/627794074785045127'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/627794074785045127'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2008/11/fosdem-2009-and-har2009.html' title='FOSDEM 2009 and HAR2009'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-8985571115278916341</id><published>2008-11-29T10:16:00.003+01:00</published><updated>2008-11-29T10:38:34.278+01:00</updated><title type='text'>Enter at own risk ... don't go eat there!</title><content type='html'>This week I went to a customer with my colleague and we went out for lunch. 
Since we were in the Matongé area (a part of Brussels where a lot of African people live) we went to an exotic restaurant.&lt;br /&gt;&lt;br /&gt;The name of the place is KAZI Surprise and it is located at the Chaussée de Wavre 46 in 1050 Brussels. We asked what the day special was: it was goat with saka-saka or tilapia (fish) with fried bananas. We ordered the fish.&lt;br /&gt;&lt;br /&gt;The fish had an odd taste; clearly it was not fresh. Everybody knows that all fresh fish has a taste that is distinguishable from the not so fresh one.&lt;br /&gt;&lt;br /&gt;Luckily, in the hours that followed the experience my colleague and I didn't get the signs of food poisoning (although our stomachs were making some noises). I spoke to a doctor that evening and he told me that you would see the effect of food poisoning within 4 hours.&lt;br /&gt;&lt;br /&gt;I filed a complaint at the Federal Agency for Food Safety.&lt;br /&gt;&lt;br /&gt;So my dear blog readers, don't go out to eat there.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-8985571115278916341?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/8985571115278916341/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=8985571115278916341' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/8985571115278916341'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/8985571115278916341'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2008/11/enter-at-own-risk-dont-go-eat-there.html' title='Enter at own risk ... 
don&apos;t go eat there!'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-7386345854483518183</id><published>2008-11-29T09:52:00.002+01:00</published><updated>2008-11-29T10:16:06.672+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='High Availability'/><category scheme='http://www.blogger.com/atom/ns#' term='Mirroring'/><title type='text'>Database mirroring on SQL 2005 SP2</title><content type='html'>Howdy folks,&lt;br /&gt;&lt;br /&gt;This week I went together with a colleague to a customer where there were some troubles with the database mirroring on SQL 2005. It is a highly available mirror and the problem was that it didn't work 100% of the time. Sometimes something like a split brain occurs. The database is recovering on the mirror as well as on the principal.&lt;br /&gt;&lt;br /&gt;The thing we noticed in the mirroring monitor was that the server which had the principal role didn't have a successful connection to the witness server.&lt;br /&gt;&lt;br /&gt;First thing we checked was the network. The situation goes as follows. The servers are in workgroup mode and there is a dedicated Gigabit connection between those servers to send the transactions to both servers. All servers were also defined in the host file so even when the DNS goes down it should work.&lt;br /&gt;&lt;br /&gt;After cruising the Internet I found a post in a forum of somebody with the same problem. The problem was solved for this guy by rebooting the system. So we restarted the SQL service of the witness server and it worked.&lt;br /&gt;&lt;br /&gt;So that needed some further investigation. 
We created a new database, made it mirror and the same scenario ... no witness on the principal, only for that database. We restarted the SQL service on the witness and it worked :-)&lt;br /&gt;&lt;br /&gt;Then we did the ultimate test: we stopped the endpoint on the server that was mirror for the databases in production and principal for our test database. (So there was no impact for production). First time we tested it, everything went fine and the test database failed over (and we wrote a record in it). The second time we tried it, it failed and a split brain like situation occurred. Okay, there was no problem to bring the test database online and since it is in sync mode no transaction could have been written to one side and not to the other.&lt;br /&gt;&lt;br /&gt;The odd thing is that the production server had to be turned off that evening and the automatic fail over worked without any problems.&lt;br /&gt;&lt;br /&gt;So some further investigations will be required. Currently we are thinking in the direction of cumulative updates. 
When we find it I'll make a post about it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-7386345854483518183?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/7386345854483518183/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=7386345854483518183' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/7386345854483518183'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/7386345854483518183'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2008/11/database-mirroring-on-sql-2005-sp2.html' title='Database mirroring on SQL 2005 SP2'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-7830172158587300696</id><published>2008-11-24T16:11:00.003+01:00</published><updated>2008-12-03T18:54:13.841+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='tricks and tools'/><title type='text'>Converting a disk from FAT32 to NTFS</title><content type='html'>&lt;div&gt;Today I had to convert my external disk from FAT32 to NTFS. 
I was confronted with the problem that an ISO file was 9GB and FAT32 couldn't handle that.&lt;/div&gt;&lt;br /&gt;&lt;div&gt; &lt;/div&gt;&lt;br /&gt;&lt;div&gt;Convert is a tool that is part of your Windows OS.&lt;/div&gt;&lt;br /&gt;&lt;div&gt; &lt;/div&gt;&lt;br /&gt;&lt;div&gt;Here is the syntax to convert the disk:&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;span style="font-family:courier new;"&gt;&gt;convert diskletter: /fs:NTFS [enter]&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;span style="font-family:Courier New;"&gt;&lt;/span&gt; &lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;span style="font-family:georgia;"&gt;After starting the convert tool you'll have to enter the disk label and the conversion starts. First it checks the disk for errors and then the actual conversion starts.&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-7830172158587300696?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/7830172158587300696/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=7830172158587300696' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/7830172158587300696'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/7830172158587300696'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2008/11/converting-disk-from-fat32-to-ntfs.html' title='Converting a disk from FAT32 to NTFS'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-9027478066615919787</id><published>2008-10-31T14:23:00.004+01:00</published><updated>2008-10-31T14:27:04.758+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='tricks and tools'/><title type='text'>A usefull trick used at our customers</title><content type='html'>Everybody in IT knows it CLI is your friend :)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;A little trick used at our customers to get a CLI with sufficient rights is:&lt;br /&gt;&lt;br /&gt;runas /user:username@domain /netonly cmd&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;This gives you your little box executed with the rights of that user in that domain.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-9027478066615919787?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/9027478066615919787/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=9027478066615919787' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/9027478066615919787'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/9027478066615919787'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2008/10/usefull-trick-used-at-our-customers.html' title='A usefull trick used at our customers'/><author><name>Erik 
Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-8509449100732003814</id><published>2008-10-24T09:30:00.004+02:00</published><updated>2008-11-23T10:25:08.762+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='OWASP'/><title type='text'>OWASP</title><content type='html'>&lt;div&gt;The 23rd of October I went to an &lt;a href="http://www.owasp.org/"&gt;OWASP&lt;/a&gt; meeting. If you're thinking about going to one, don't hesitate, it is worth your time.&lt;/div&gt;&lt;br /&gt;&lt;div&gt; &lt;/div&gt;&lt;br /&gt;&lt;div&gt;The first talk was "Building a tool for Security consultants: A story of a customized source code scanner" by Dinis Cruz. Even when you are not immediately going to audit code, it is worth going to listen to Dinis. Although I just program for me, I still like to do it securely and the ideas I picked up are surely going to help me do so.&lt;/div&gt;&lt;br /&gt;&lt;div&gt; &lt;/div&gt;&lt;br /&gt;&lt;div&gt;The second talk was "Logging: not just a good idea" by Eddy Vanlerberghe. I didn't know what to expect from this talk and it wasn't the greatest presentation ever but it was ok. The fact is that we have to think about our logs, the way we store them and do the exercise to correlate logs of different systems to present as proof in a court of law. 
It is not so easy since you have to prove that your logs are genuine before you can use them and then there is the correlation.&lt;/div&gt;&lt;br /&gt;&lt;div&gt; &lt;/div&gt;&lt;br /&gt;&lt;div&gt;If you're interested in OWASP presentations you can go to the website &lt;a href="http://www.owasp.tv/"&gt;www.owasp.tv&lt;/a&gt;, where you can find up to 40 hours of presentations.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-8509449100732003814?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/8509449100732003814/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=8509449100732003814' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/8509449100732003814'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/8509449100732003814'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2008/10/owasp.html' title='OWASP'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-3244187306371307313</id><published>2008-10-22T14:03:00.004+02:00</published><updated>2008-10-24T09:30:44.565+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SQL injection'/><title type='text'>Doing some research</title><content 
type='html'>Howdy,&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;It has been a while since my last post but I have been busy. I've found a SQL injection vulnerability in a product and I am researching it. It is quite a major problem: when you inject, it returns login, password, server.&lt;br /&gt;&lt;br /&gt;I will post more details later but now I have to contact the vendor.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-3244187306371307313?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/3244187306371307313/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=3244187306371307313' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/3244187306371307313'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/3244187306371307313'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2008/10/doing-some-research.html' title='Doing some research'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-1218736404693608479</id><published>2008-09-09T22:47:00.003+02:00</published><updated>2008-09-09T22:52:25.218+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' 
term='DBA'/><title type='text'>2nd Tuesday of the month @ microsoft</title><content type='html'>Howdy,&lt;br /&gt;&lt;br /&gt;It is the second Tuesday of the month so a new series of patches has been released. I guess I'll be testing this one tomorrow:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.microsoft.com/technet/security/bulletin/ms08-052.mspx"&gt;http://www.microsoft.com/technet/security/bulletin/ms08-052.mspx&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Since the rating is critical I guess we'll see some nice exploits for it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-1218736404693608479?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/1218736404693608479/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=1218736404693608479' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/1218736404693608479'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/1218736404693608479'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2008/09/2nd-tuesday-of-month-microsoft.html' title='2nd Tuesday of the month @ microsoft'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' 
src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-294510134751531107</id><published>2008-09-09T22:17:00.006+02:00</published><updated>2008-09-09T22:44:38.556+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><title type='text'>An interesting phone call</title><content type='html'>Yesterday was an interesting day: I had a teleconference with two gentlemen who gave me a rather interesting insight into the inner workings of a big ISP which is hosting the website of one of our customers that I'll be auditing in the near future.&lt;br /&gt;&lt;br /&gt;These two men wanted to talk to me about what my colleague and I will be testing for our customer. Since my colleague is on holiday I answered what I'll be doing on the servers and for the network part I answered that I was not the person to speak to.&lt;br /&gt;&lt;br /&gt;They apparently have an issue with the fact that we would log in as administrator on the network appliances to check the configuration. Since it is not my call to make we agreed that they would send us some printouts and it is up to my colleague to decide if it is possible to do audit work on this. I personally think it is not acceptable since we are an independent party and have to obtain the information by ourselves.&lt;br /&gt;&lt;br /&gt;There is a second problem with this. The ISP is prepared to send me, a stranger they have never met, information about their firewalls and such by e-mail. Yes, this is something that will be in the end report to our customer, it is my due diligence.&lt;br /&gt;&lt;br /&gt;Just to see how far they go in the management of our customer's environment I asked if they kept logs for each time they tested the clustered load balancers. Apparently they only tested their cluster once before it was put into production. 
They monitor it and have a spare ready in case one goes down. I asked them if they didn't test it on a regular basis to see if it functions correctly but this was not necessary according to them since it is monitored in case it goes down.&lt;br /&gt;&lt;br /&gt;It is for me the same problem as the guy who makes his backups but never does a test on a regular basis to see if they are any good.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-294510134751531107?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/294510134751531107/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=294510134751531107' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/294510134751531107'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/294510134751531107'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2008/09/interesting-phone-call.html' title='An interesting phone call'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-730284884823709558</id><published>2008-08-26T18:44:00.002+02:00</published><updated>2008-08-26T18:50:55.297+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='blogs'/><title type='text'>It is a small world 
(no not the Disney kind)</title><content type='html'>&lt;a href="http://www.dolmen.be"&gt;Dolmen&lt;/a&gt; is a large company and today &lt;a href="http://christophe.vandeplas.com/"&gt;christophe vandeplas&lt;/a&gt; because we will be working on a project together. Check out his blog, it has some fine reading material on it :).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-730284884823709558?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/730284884823709558/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=730284884823709558' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/730284884823709558'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/730284884823709558'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2008/08/it-is-small-world-no-not-disney-kind.html' title='It is a small world (no not the Disney kind)'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-2462247257165366837</id><published>2008-08-26T18:25:00.003+02:00</published><updated>2008-08-26T18:44:44.197+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SQL Memory'/><title type='text'>Interesting case - part 2</title><content 
type='html'>In my previous post I told you about the medical institute having problems. Yesterday their server crashed again. One could wonder why some of us consider this a good thing; well, a problem that repeats itself has a better chance to be solved than one that occurs only once.&lt;br /&gt;&lt;br /&gt;I was out of office so my colleague got the dump file and the output was exactly the same. Then we compared the cause and the configuration (sorry to stay vague but I think it is bad practice to name customers and their configuration on my blog) and it seems that Windows has only 2 GB and everything else was dedicated to SQL.&lt;br /&gt;&lt;br /&gt;It is fine to dedicate a whole lot of memory to your database server process but the OS has got to breathe too.&lt;br /&gt;&lt;br /&gt;One of the other problems is that they have only one server and every database in the institute is on it and they expect it to be highly available. I proposed that they contact their sales contact and he would come by with a specialized sales since databases that are highly available and the rest is strictly useless.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-2462247257165366837?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/2462247257165366837/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=2462247257165366837' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/2462247257165366837'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/2462247257165366837'/><link rel='alternate' type='text/html' 
href='http://erikvanderhasselt.blogspot.com/2008/08/interesting-case-part-2.html' title='Interesting case - part 2'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-3741228047062480498</id><published>2008-08-19T20:39:00.005+02:00</published><updated>2008-08-26T18:32:18.837+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SQL Memory'/><title type='text'>Interesting case</title><content type='html'>Today I had to be in a medical institute where there had been a server crash a week ago and now I had to look at the server.&lt;br /&gt;&lt;br /&gt;The SQL server has produced a minidump so a post about the SQL minidump will be in the near future on this blog :).&lt;br /&gt;&lt;br /&gt;There is a huge amount of errors, I'll have to analyse them and will write something about them as well.&lt;br /&gt;&lt;br /&gt;The third topic I'll have to do some research on is Windows 2003 (64-bit) paging, since their crash there is a huge amount of paging.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-3741228047062480498?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/3741228047062480498/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=3741228047062480498' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/4908217061576309761/posts/default/3741228047062480498'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/3741228047062480498'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2008/08/interesting-case.html' title='Interesting case'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-8967890221689140712</id><published>2008-08-07T22:32:00.004+02:00</published><updated>2008-08-19T20:39:12.493+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='High Availability'/><category scheme='http://www.blogger.com/atom/ns#' term='Mirroring'/><title type='text'>A night at an ISP</title><content type='html'>Recently I've spent the night at one of Belgium's bigger Internet service providers. The ISP had had some trouble with their databases last December and I had to implement database mirroring.&lt;br /&gt;&lt;br /&gt;In the beginning of July I had created a test database for their IT people so they could play with it. 
And now, the time had come to implement it for all their databases as a test to adapt their programming and make it fail-over aware.&lt;br /&gt;&lt;br /&gt;There were some specifics as the mirror had to be synchronous and encrypted and it had to be the same port on each server.&lt;br /&gt;&lt;br /&gt;So here are my findings:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Use 2005 SP2, it figures but I prefer to mention it ;)&lt;/li&gt;&lt;li&gt;You need the database to be in full recovery mode&lt;/li&gt;&lt;li&gt;Watch out for the auto close option, it ruins the fun&lt;/li&gt;&lt;li&gt;You need a full backup and a transaction log backup&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;It actually went pretty smoothly since everything (mirror endpoints, encryption and witness) was already there from the previous month.&lt;br /&gt;&lt;br /&gt;The mirror wizard doesn't use the fully qualified network name for the principal server, so at the end it proposes to start mirroring but it fails because you have to manually adapt the principal server.&lt;br /&gt;&lt;br /&gt;The only thing that was a real problem was 1 database. For some reason it failed time after time and the error message was that it was unable to connect to the witness or mirror server.&lt;br /&gt;&lt;br /&gt;The cause was one app that writes constantly in the database, and since it took about 15 minutes to move the backup and restore it with no recovery on the witness it was not possible to create the mirror.&lt;br /&gt;&lt;br /&gt;To work around this I made the full backup, restored it with no recovery and then I made the transactional backup. I had permission to take the database offline once the transaction log backup had finished, and restored it on the mirror. Once I had put the database back online the mirroring was no problem at all.&lt;br /&gt;&lt;br /&gt;We ran some tests and everything went fine. 
The only thing my customer still has to do is create maintenance plans on the mirror (for some weird reason you can't mirror those) and alter his apps.&lt;br /&gt;&lt;br /&gt;At the break of rush hour we all went home for some sleep :).&lt;br /&gt;&lt;br /&gt;An update: 10 days later and something went wrong, for some reason one database went suspect on the principal.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-8967890221689140712?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/8967890221689140712/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=8967890221689140712' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/8967890221689140712'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/8967890221689140712'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2008/08/night-at-isp.html' title='A night at an ISP'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-6335354630236096800</id><published>2008-08-03T13:16:00.002+02:00</published><updated>2008-08-19T20:37:10.310+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Registry'/><title type='text'>Disable 8.3 short-name generation</title><content 
type='html'>One of the things that is still a remnant of the past is the 8.3 short-name. You know it can be a pain to access some things in Program Files. Well, you can solve this by editing the registry.&lt;br /&gt;&lt;br /&gt;Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem&lt;br /&gt;add the dword value NtfsDisable8dot3NameCreation and set the value to 1.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-6335354630236096800?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/6335354630236096800/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=6335354630236096800' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/6335354630236096800'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/6335354630236096800'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2008/08/disable-83-short-name-generation.html' title='Disable 8.3 short-name generation'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-3532357515411388949</id><published>2008-08-03T13:11:00.003+02:00</published><updated>2008-08-15T11:12:23.364+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Registry'/><title 
type='text'>Disable updating last access update</title><content type='html'>If for some reason you don't need the NTFS file system to keep track of when a file was last accessed you can disable this with a registry key.&lt;br /&gt;&lt;br /&gt;HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem&lt;br /&gt;&lt;br /&gt;Add dword value NtfsDisableLastAccessUpdate and set the value to 1. This takes effect once you have rebooted your system.&lt;br /&gt;&lt;br /&gt;From a security standpoint it might be a bad idea to do this since it will make it impossible to tell whether someone did or did not access a file.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-3532357515411388949?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/3532357515411388949/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=3532357515411388949' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/3532357515411388949'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/3532357515411388949'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2008/08/disable-updating-last-access-update.html' title='Disable updating last access update'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' 
src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-9037247273909718230</id><published>2008-08-03T12:43:00.002+02:00</published><updated>2008-08-03T13:10:25.789+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><title type='text'>Where is that procedure?</title><content type='html'>Last week after the power outage at the medical facility where I was doing a project I noticed that one phrase came back often: "Where is that procedure?".&lt;br /&gt;&lt;br /&gt;Apparently there were 2 problems: all procedures were Word documents saved on a file server but the network was down, and after the network was back it seemed quite a struggle to find the correct procedure.&lt;br /&gt;&lt;br /&gt;In a previous job I organized a 24/7 IT-standby team to give support. I started out just like this customer but realized quite fast that managing a document library wasn't going to do the trick. I tried to identify what I wanted and what the problems were with the document library.&lt;br /&gt;&lt;br /&gt;I wanted a system that was easy to maintain and where everybody on the IT team (15 people) could add the necessary info, since gathering the information was dull and the information was usually nearly outdated when a document was "ready". One of the concerns was of course that the system should be accessible only to the IT department and that even when the network and servers in the server room failed the data was accessible.&lt;br /&gt;&lt;br /&gt;The solution was simple: I took 1 ordinary desktop and put a &lt;a href="http://www.wampserver.com"&gt;wamp server&lt;/a&gt; on it with a &lt;a href="http://www.mediawiki.org"&gt;mediawiki&lt;/a&gt;. 
The wiki access was restricted and if the system went down, you just had to go and sit at that particular computer.&lt;br /&gt;&lt;br /&gt;It was not the best system and it would probably have been better to use a &lt;a href="stickwiki.sourceforge.net"&gt;wiki on a stick&lt;/a&gt; or a &lt;a href="http://www.apachefriends.org/en/xampp.html"&gt;xampp&lt;/a&gt; since these can be used on a USB dongle but I wasn't aware of those solutions at the time.&lt;br /&gt;&lt;br /&gt;The point is that people should give thought to the documentation and not just ask for documentation for the sake of having a document. Another thing is to test that documentation, because you can have a procedure and a company who does it for you but in the end you are responsible for your systems.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-9037247273909718230?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/9037247273909718230/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=9037247273909718230' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/9037247273909718230'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/9037247273909718230'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2008/08/where-is-that-procedure.html' title='Where is that procedure?'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' 
src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-828720710894711185</id><published>2008-08-03T12:17:00.003+02:00</published><updated>2008-08-03T12:41:59.438+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><title type='text'>Business and procedures</title><content type='html'>Last week I was working in a public medical facility and there was a power outage at 11:20 AM. This gave some interesting insights. There was no recovery plan so it was stressful for the IT department of the hospital.&lt;br /&gt;&lt;br /&gt;Some backup power system powered the computers but the network was down. The server room should have had 2 backup systems (the emergency room's and the hospital's) according to one of their IT guys but once the network was back I saw that all VMs were restarting and the ESX cluster had been down during the outage because the network connections were down.&lt;br /&gt;&lt;br /&gt;They were lucky and lost no data but it is frightening that something like this causes panic since it is quite obvious that these things will happen even in 2008 in Belgium.&lt;br /&gt;&lt;br /&gt;I have written some technical procedures, like backup and restore, for their SQL Server but when it all comes down to it the basic needs are not fulfilled and I know by experience that this is the case in many companies.&lt;br /&gt;&lt;br /&gt;Maybe some questions should be asked like "What are business critical systems?" 
and do the proper risk management for each asset in the organisation.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-828720710894711185?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/828720710894711185/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=828720710894711185' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/828720710894711185'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/828720710894711185'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2008/08/business-and-procedures.html' title='Business and procedures'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-2277398017759426035</id><published>2008-08-03T12:04:00.003+02:00</published><updated>2008-08-03T12:42:38.075+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='DBA'/><title type='text'>Historic data</title><content type='html'>One of the things I notice over and over again is that many applications clutter databases with historic data. It is actually not that hard for a programmer to make a maintenance plan as a part of his application.&lt;br /&gt;&lt;br /&gt;Let's consider a real-life situation. 
Most organizations have accountants and they generate quite some data year after year. Today we're in 2008 and honestly, I still haven't figured out why the data of 2005 should be on the system. It is valuable to the organization and law demands to keep it but why keep it on a production system?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-2277398017759426035?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/2277398017759426035/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=2277398017759426035' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/2277398017759426035'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/2277398017759426035'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2008/08/historic-data.html' title='Historic data'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-2946892128648222660</id><published>2008-07-20T22:13:00.005+02:00</published><updated>2008-07-20T22:34:51.411+02:00</updated><title type='text'>To consolidate something ... not the same thing in every language</title><content type='html'>My native tongue is Dutch and I am fluent in French too. Lately I noticed something funny. 
Some people make a quite odd translation to Dutch of the verb consolidate.&lt;br /&gt;&lt;br /&gt;The first time I heard it I thought that I was mistaken but it was repeated a couple of times during the conversation. Just to be sure I looked on &lt;a href="http://en.wikipedia.org/wiki/Consolidation_%28business%29"&gt;Wikipedia&lt;/a&gt; where it is explained as the act of merging many things into one. So in the context of virtualization this would make sense.&lt;br /&gt;&lt;br /&gt;If we have a look at the explanation that the Dutch dictionary &lt;a href="http://www.vandale.nl/vandale/opzoeken/woordenboek/?zoekwoord=consolideren"&gt;VanDale&lt;/a&gt; gives we see as result "&lt;span class="ge g1u"&gt;&lt;a href="http://www.vandale.nl/vandale/opzoeken/woordenboek/?zoekwoord=bestendigen"&gt;bestendigen&lt;/a&gt;" which means to continue, to remain in force.&lt;br /&gt;&lt;br /&gt;So, as you can tell, not quite the same thing. I did some more research and noticed that Google Translate makes the same mistake.&lt;span style="text-decoration: underline;"&gt;&lt;span style="font-weight: bold;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-2946892128648222660?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/2946892128648222660/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=2946892128648222660' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/2946892128648222660'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/2946892128648222660'/><link rel='alternate' 
type='text/html' href='http://erikvanderhasselt.blogspot.com/2008/07/to-consolidate-something-not-same-thing.html' title='To consolidate something ... not the same thing in every language'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-8101244422313024926</id><published>2008-07-12T22:49:00.006+02:00</published><updated>2008-07-12T23:36:05.035+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Bugs'/><title type='text'>cp- i and mv -i are not so interactive</title><content type='html'>I've built a DHCP-server today on a VM using Ubuntu 8.04 just to play around with. As part of the exercise is hardening the system, I found some odd behaviour.&lt;br /&gt;&lt;br /&gt;To protect me from my own mistakes I thought it would be nice to alias the commands rm, mv, and cp and each time ask for interaction. This is when I noticed that the commands mv -i and cp -i actually ignore the -i. I've tested it with --interactive but the same here. 
There is no problem for rm.&lt;br /&gt;&lt;br /&gt;I've reported the bug at &lt;a href="https://bugs.launchpad.net/bugs/247973"&gt;launchpad&lt;/a&gt; and it is now known as            Bug 247973.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-8101244422313024926?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/8101244422313024926/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=8101244422313024926' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/8101244422313024926'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/8101244422313024926'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2008/07/cp-i-and-mv-i-are-not-so-interactive.html' title='cp- i and mv -i are not so interactive'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4908217061576309761.post-6590699964788295102</id><published>2008-07-11T23:42:00.006+02:00</published><updated>2008-07-12T00:24:47.757+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='personal'/><title type='text'>First post</title><content type='html'>Hello and let me welcome you to my blog. 
Here you'll find a little intro about me.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Who is Erik Vanderhasselt?&lt;/span&gt;&lt;br /&gt;I am a Belgian IT guy, born in 1981, and my fascination with computers really started to take off when I got my first one and broke it in 48 hours ... the good old days :).&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;What do I do and where?&lt;/span&gt;&lt;br /&gt;Currently I work for a Belgian IT company called Dolmen Computer Applications where I work as a system engineer DBA on MS SQL. My job consists of either doing projects or solving problems at our customers.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;What can you find on this blog?&lt;/span&gt;&lt;br /&gt;I'd like to talk about pretty much anything that comes to mind. Mostly IT related; I am into more things than just MS SQL, as you'll find out. Other interests are martial arts, cooking and so much more.&lt;br /&gt;&lt;br /&gt;Most people ask me 1 question, and that is why I like open source, work on Ubuntu machines and work with MS SQL server for a living. Let me answer that for you. I enjoy working with open source and a database is just a database. The basic idea is just the same on Oracle, MS SQL, MySQL ... you want to store data and how it is done is fascinating on each platform. It just happens that this job opportunity presented itself when I was looking for a new job.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Who is my targeted public?&lt;/span&gt;&lt;br /&gt;Well I know that there are hundreds of blogs out there specialised in some topic and this is something I want to avoid. 
So my public are people who are into technology and like to exchange ideas.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4908217061576309761-6590699964788295102?l=erikvanderhasselt.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erikvanderhasselt.blogspot.com/feeds/6590699964788295102/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4908217061576309761&amp;postID=6590699964788295102' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/6590699964788295102'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4908217061576309761/posts/default/6590699964788295102'/><link rel='alternate' type='text/html' href='http://erikvanderhasselt.blogspot.com/2008/07/first-post.html' title='First post'/><author><name>Erik Vanderhasselt</name><uri>http://www.blogger.com/profile/10549114952132526633</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='25' height='32' src='http://1.bp.blogspot.com/__3h6Z21M2sE/SppP3wvNqoI/AAAAAAAAABo/tMbaQeiswIs/S220/Yellow.jpg'/></author><thr:total>0</thr:total></entry></feed>
