
Inscrutable Skype

Enterprise networks are already blocking messenger applications, actively monitoring P2P traffic and tweaking application firewalls to capture valid patterns of disruptive, noisy freeware applications such as Skype. I know some companies that use Skype as an alternative medium for internal communication, and some believe Skype traffic brings misery to their networks. Many people have done numerous tests to understand the mysterious behavior of Skype traffic. Its encryption is indecipherable because it is closed source and not shared with the public; many argue this makes it vulnerable to Man-In-the-Middle (MITM) attacks, although no one knows how the keys are exchanged. Skype traffic characteristics change dynamically, and it works through almost any NAT-based firewall. The UDP and TCP ports it uses differ randomly; even the packet length and voice sample sizes vary each time.

Some argue that neither Skype VoIP nor Skype IM poses any readily exploitable security threat; none of the black hat websites or hacker forums has so far mentioned a single incident of Skype being exploited for sinister security attacks. Bandwidth is also not a huge concern (unless you become a SuperNode – explained later). A Skype voice session uses 32 to 46 kbps of traffic in each direction, which is not huge, but a few dozen internal users concurrently on Skype calls could fill up a T-1 worth of pipe.

Skype calls are routed through the Skype network via other systems running Skype; these are called SuperNodes. Any PC running Skype risks becoming a SuperNode. Why? Let’s say you have a fast internet connection (cable / ADSL2+) and a high-end system with plenty of CPU and memory and a direct IP connection to the internet; then my Skype calls may end up being routed through your PC! A SuperNode can generate considerable noise by opening a large number of concurrent connections for other systems, and it doesn’t matter if you stop using Skype on your PC, it will still route calls. In order to stop this behavior you literally need to bounce your computer.

The irony is that before you install Skype you literally have to agree to being a SuperNode.
Quote from the EULA:
4.1 Permission to utilize Your computer. In order to receive the benefits provided by the Skype Software, you hereby grant permission for the Skype Software to utilize the processor and bandwidth of Your computer for the limited purpose of facilitating the communication between You and other Skype Software users.

In places like the EU, US and Australia there are very restrictive traffic caps; for a 6GB monthly download, residential ADSL customers in Australia would pay around $50 per month. Excess traffic costs far more. So the cost of being a SuperNode is an expensive proposition! In an enterprise network it will be hugely disruptive and cause far too much noise, disrupting legitimate applications.

So far there is no pragmatic way of blocking this undetectable, untraceable Skype traffic, but very soon IPS vendors will work a way out. At this juncture there is no commercial or open source solution that stops Skype calls permanently.

A Mighty Heart

A couple of weeks ago I finished reading Mariane Pearl’s Mighty Heart, the poignant true story behind the Wall Street Journal reporter Daniel Pearl’s kidnapping and murder by Pakistani fundamentalists in 2002. The author, Daniel’s widow Mariane, introduces `Danny` as he was alive while also providing a heart-breaking first-person account of his eventful disappearance and death. The book is well written, with plenty of endearing details about Danny: his insistence on moving his favorite chair with him around the world, his love of playing the mandolin, his private conversations with his unborn son, the detailed events of the kidnapping, captivity and brutal murder – but the more remarkable portrait that emerges is one of extraordinary bravery. Danny placed himself in post-9/11 Pakistan, knowing well the high risks inherent in those regions, because of his gutsy commitment to getting the truth out about terrorist activities.

When Danny’s kidnappers e-mailed pictures of his captivity along with their demands, his very pregnant wife, the author, was left to try to manage the search effort along with the Pakistani police and US intelligence. She lets events unfold as they happened, complete with their frustrating dead ends and dealings with Karachi’s bureaucracy. From the date of the kidnapping to the receipt of a videotape containing undeniable confirmation that Danny had been killed, she reveals unflinchingly every emotional detail, with a candor that makes the book heart-wrenching.

Michael Winterbottom directed the movie “A Mighty Heart”, based on these true events, which has just been released in the US. Angelina Jolie gives a remarkable, restrained performance as Mariane Pearl.



Anarchy on the rise

The Government of Sri Lanka (GoSL) faces a severe security threat, which it has a legitimate right to mitigate. However, its controversial policies are doing little to enhance security and are fuelling animosity among moderate Tamils and other minorities towards the state. Politically motivated anti-government propaganda machines, including the opposition party and their allies, are working really hard to convince the international community that the Sri Lankan government has failed to respect basic human rights. The latest report from the International Crisis Group examines abuses committed by both the GoSL and the Liberation Tigers of Tamil Eelam (LTTE) since they resumed their undeclared war in 2006. While the LTTE has continued its deliberately provocative attacks on the military and Sinhalese civilians, as well as its violent repression of Tamil dissenters and forced recruitment of adults and children, the government is allegedly involved in rights abuses as part of a counter-insurgency campaign. I find their report is an excuse to legitimize the violence of non-state actors in democratic societies.

I have received a copy of the latest Economic and Market analysis done by Citigroup; according to the report, Sri Lanka’s economy remains resilient. Its economic growth is likely to remain around 6% in 2007 despite the ongoing spending on war, political issues and the devastating tsunami of 2004. Moreover, Sri Lanka is the first South Asian economy with a per-capita income of over US$1000; besides, the country has the highest inflation and fiscal deficit in the sub-continent (see the below graph). The Rupee has been allowed to float since early 2001, following the removal of administrative controls; under the present exchange rate system, the forces of demand and supply in the market determine the rate. The Central Bank only intervenes to prevent excessive volatility and maintain a comfortable level of reserves. Anyone can weigh these statistics and come to their own conclusions; people living in the country have better judgment than those living abroad. Arguably, the country’s development is moving forward at more than an acceptable level, even with a huge military expenditure. On the other hand, corruption and criminal influence on the political system have increased, and some argue the government is attacking moderates who are critical of its approach and has given room to nationalist extremists, who incite further communal strife.



In reality the LTTE is struggling to survive both militarily and politically, yet most of the media remain far from realism, primarily after the censorship. After supply routes were cut off, the eastern administration was toppled, the EU and Canada banned the terrorist outfit and the Diaspora was disheartened, the Tigers are working hard with their propaganda machinery to regain their lost face. The politically bankrupt Tigers are in a tenuous situation to come forward for negotiation. After the death of their chief strategist they have been pushed into a corner with no other choice; since the `80s the LTTE has never come to the negotiation table from a weak position, and they never will. The million dollar question is: will the Tigers ever compromise under Prabakaran’s leadership? Will he ever agree to second best? But the government’s APRC is pushing for a political solution with power devolution; anyhow, even with a majority-agreed solution, will there be trust and goodwill between these two groups for the LTTE to drop their arms, join the democratic mainstream and get elected by the people? Highly unlikely in the current climate, especially after the GoSL vowed to defeat the LTTE militarily within 2-3 years. The majority of the country may support that because it is the fastest route to end this ongoing bloodshed. However, moderates are worried about the impact on the economy, international isolation, rising inflation etc. As a developing country, can Sri Lanka cope with this war for another couple of years without international support? I would say YES, only if we unite as Sri Lankans; synergistic power is a vital tool at this crucial juncture, but in reality the power-hungry opposition and other rebellious parties and their allies are trying to fish in troubled waters.

My new Pearl

I have the delight (rather, no choice) of having to be in contact with the office 24 hours a day, 7 days a week, to ensure that any InfoSec aspects are dealt with in a timely manner and that, in the event of a telecom meltdown, I can start the spin process immediately so that any downtime that impacts customer SLAs is avoided, any potential risk is minimized to an acceptable level or, in the best possible scenario, any possible noise is muted. I find my newest, sexy and sleek Smartphone, quite possibly the smallest yet most functional multimedia device I’ve laid my hands on to date, extremely handy. Thanks to eBay, I got a very good deal.

The Blackberry Pearl is no different from the standard Blackberry range but has some interesting software and hardware additions, whilst at the same time being radically reduced in size. After the initial charge, I attached the Pearl via the USB cable provided and then made a number of selections to synchronize the phone’s e-mail inbox with that of my laptop. Once the Pearl and the PC have been synchronized, every change to my e-mail inbox, contacts list and diary made on the Pearl or PC will be reflected on the other device and ready to go.

After installation, when I held the Pearl in my palm I realized how incredibly small, slim and lightweight it is in comparison to even some of the newer Blackberry devices. It is clearly aimed at attracting more users from the ever-growing mobile phone market rather than appealing only to business users. Blackberry wasn’t a household name until now; they have done a strategic U-turn similar to CISCO’s. Has anybody wondered why CISCO invested $800M in re-branding? Simply because John Chambers wants his new gadgets to end up in your living room. By the way, with the battery the Pearl weighs only 89.5g, and size-wise it is only 10.7cm (H) x 5cm (W) x 1.4cm (D). Call quality on the Pearl is exceptional. The Instant Messenger feature enables you to sign into Yahoo Messenger or Google Talk and exchange instant messages, and browsing is also exciting with the bigger screen.

The first Blackberry phone with a camera is much better than older models. Using the trackball it is very easy to grip and move around, selecting icons from the menu with a gentle press. My view is further reinforced by the fact that the keys used to type have been placed together in the same way as on a mobile phone, so that each number also represents 3 letters of the alphabet, unlike older Blackberry models that had a full QWERTY keyboard.

I love the Pearl (so far), but it is too sleek for my hands and might easily slip off; in fact I’m the worst when it comes to usage.


House hunting….

We started house hunting last August. It’s been a while now. We started from Sydney’s North West side because we’re pretty much used to the west side of inner NSW. Ever-growing Sydney house prices are now on par with London and NY, yet affordability isn’t the same; the rise and fall of Sydney house prices over the past decade has inflicted lopsided damage on the most vulnerable parts of the city, in Sydney’s west and south-west. With the rising rental market, the smartest would think it is worth paying a manageable mortgage rather than higher rent.

When comparing options we tried to find the location that best suits our lifestyle. The most important factors for me are distance from work and being located close to specific amenities. We looked through the following list and prioritized accordingly: workplace close by, access to public transport, family/friends nearby, shopping facilities, medical facilities, childcare, pre-school, primary school, parks, sporting facilities (e.g. sports grounds, gyms, tennis courts, pools, etc.), libraries, entertainment, appealing streetscape, low-noise area (away from traffic, plane paths and industry) and clean air, to name just a few. We knew that we wouldn’t find all of these aligned in one property, yet we were prepared for a reasonable compromise.

When developers offer a home packaged with the land it is to be built on, this is often termed a ‘house and land’ package. To purchase a house and land package, it is vital to research the location and developer, select a display home, decide upon the type of package you’ll purchase, and understand the building process. It is a never-ending process.

According to the reports, housing demand remains solid. Sustained growth in household incomes and employment, combined with increased immigration, is expected to support new dwelling investment growth in 2007-08.

BadWare and SpyBye

The number of websites spreading badware (spyware, malware, and deceptive adware) is rising at an alarming rate; in many cases the websites are themselves victims of malicious hacking. Badware is a malicious application that tracks your online behavior and pumps that information back to insincere marketing groups so that they can assail you with targeted ads. stopbadware.org is an education nonprofit backed by Google, Lenovo and Sun Microsystems – a “neighborhood watch” campaign aimed at fighting badware while providing reliable yet objective information about downloadable applications, to help web users make better choices about what they download onto their computers.

On the other hand, spybye.org is a low-interaction client honeypot developed by Niels Provos that determines whether a web site is malicious through a set of heuristics and by scanning content against the ClamAV engine. This tool comes in very handy for web masters to determine if their web pages are carrying browser exploits that can infect visiting users with malware. It functions as an HTTP proxy server and intercepts all browser requests. SpyBye uses a few simple rules to determine if embedded links on your web page are harmless, unknown or maybe even dangerous.

SpyBye operates as a proxy server and gets to see all the web fetches that your browser makes. It applies very simple rules to each URL that is fetched as a result of loading a web page. These rules allow it to classify a URL into three categories: harmless, unknown or dangerous. To try SpyBye, configure your browser to use www.spybye.org:8080 as the proxy server and then visit http://spybye.org/. If you see that a URL is being fetched that you would not expect, it’s a good indication you have been compromised.
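The three-way classification described above, written out as an added example (not SpyBye’s own code): every URL in a proxy log recorded while loading one page is labelled harmless, unknown or dangerous from same-site checks and constructed host lists; the host names, the log and the executable-download heuristic are assumptions for illustration, and SpyBye’s ClamAV content scan is not reproduced.

```python
from urllib.parse import urlparse

# Constructed host lists for this example only; SpyBye keeps its own rule
# sets and additionally scans fetched content with ClamAV (not shown here).
KNOWN_GOOD_HOSTS = {"cdn.trusted-partner.test"}
KNOWN_BAD_HOSTS = {"drive-by.example", "exploit-kit.example"}
# Assumed heuristic: a third-party fetch of an executable is dangerous on sight.
RISKY_SUFFIXES = (".exe", ".scr", ".jar")


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def site_of(host):
    """Crude 'site' of a host: strip a leading 'www.'.
    A real tool would consult the public suffix list instead."""
    return host[4:] if host.startswith("www.") else host


def same_site(host, page_host):
    """First-party if the host is the page's site or a subdomain of it."""
    site = site_of(page_host)
    return host == site or host.endswith("." + site)


def classify(page_url, fetched_url):
    """Label one fetched URL 'harmless', 'unknown' or 'dangerous'."""
    host = host_of(fetched_url)
    path = urlparse(fetched_url).path.lower()
    if host in KNOWN_BAD_HOSTS:
        return "dangerous"
    if same_site(host, host_of(page_url)) or host in KNOWN_GOOD_HOSTS:
        return "harmless"
    if path.endswith(RISKY_SUFFIXES):
        return "dangerous"
    return "unknown"  # a third-party fetch nobody has vouched for


def audit(page_url, proxy_log):
    """Group every URL in a proxy log (one URL per line) by its label."""
    report = {"harmless": [], "unknown": [], "dangerous": []}
    for line in proxy_log.splitlines():
        url = line.strip()
        if url:
            report[classify(page_url, url)].append(url)
    return report


# Constructed proxy log of the fetches made while loading one page.
PAGE = "http://www.example-shop.test/index.html"
SAMPLE_LOG = """
http://www.example-shop.test/index.html
http://static.example-shop.test/style.css
http://cdn.trusted-partner.test/jquery.js
http://counter.third-party.test/hit.gif
http://drive-by.example/payload.js
http://cdn.unrelated.test/setup.exe
"""

if __name__ == "__main__":
    # Anything not harmless is a fetch the page owner should be able to explain.
    for label, urls in audit(PAGE, SAMPLE_LOG).items():
        for url in urls:
            print(f"{label:9s} {url}")
```

Running this over a log from your own local proxy keeps the check offline, whereas the public demo routes your browsing through a third-party proxy.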

Sometimes in April

“In the end, we will remember not the words of our enemies, but the silence of our friends.” — Martin Luther King, Jr.

Sometimes in April – one of the most emotional yet disquieting movies I have ever watched; based on the true events of the gruesome Rwandan genocide, it complements Terry George’s Hotel Rwanda (nominated for 3 Oscars – another 12 wins & 26 nominations).
It happened in April 1994; arguably what happened within 100 days from April is one of the most heinous genocides in world history, and it began in the African nation of Rwanda. Over the course of 3 months, close to 900,000 to one million people were slaughtered in a terrifying cleansing by the Hutu majority against the Tutsi minority.

After watching both movies I was compelled to dig more into the facts regarding the unfortunate event.

After the arrival of Belgian colonists in 1916, they separated Hutus and Tutsis into distinct entities, and even produced identity cards classifying people according to their ethnicity. The Belgians considered the Tutsis superior to the Hutus and empowered them, giving them more jobs and educational opportunities than the Hutus. Resentment started among the majority, culminating in a series of riots in 1959 – more than 20,000 Tutsis were killed, and many more fled to neighboring countries. Three years later Belgium relinquished power and granted independence, and the Hutus took their place.

From that point the Tutsis were portrayed as the scapegoat for every disaster. Tutsis who fled to Uganda as refugees – supported by moderate Hutus – formed the Rwandan Patriotic Front (RPF) to overthrow the Hutu president `Habyarimana` and to secure their place in the homeland. After the collapse of a scattered peace accord, things continued in disarray.

In April 1994, President Habyarimana’s plane was shot down by a rocket, resulting in complete unrest; the consequence was both instant and catastrophic. Within hours of the president’s death, the presidential guard mobilized a militia group backed by radio propaganda, and 8,000 Tutsis, including moderate Hutus, were slaughtered. By early July nearly one million had been butchered. Rwandans were largely left alone by the international community after the murder of 10 UN soldiers. In the movie, the militia leader, talking to the UN head about international community intervention, said “In Rwanda we don’t have Oil nor Diamonds, why do you have to come down and get involved?” Arguably, in most places US-UN intervention is backed by huge political interest. The classic example is Iraq; would the US search for weapons of mass destruction in Iraq if it were just another developing country with a lower GNP? Norwegians intervened to mediate the Sri Lankan conflict after inhaling oil from the un-cleared Mannar Sea. Why do they find it difficult to differentiate freedom fighters vs. terrorists? Isn’t it amusing that there is no internationally recognized definition of terrorism?

I will leave it for another post… Anyway, after the 100-day massacre (from April to July), the RPF captured Kigali (the capital of Rwanda) and declared a ceasefire. As soon as it became clear that the RPF was victorious, an estimated 2 million Hutus fled to the Republic of Congo (then Zaire). In Rwanda, UN troops and iNGOs arrived to restore normalcy. On July 19, a new multi-ethnic government was formed and the majority of cabinet posts were assigned to RPF members.
The long and arduous search for justice went on and on; about 500 people have been sentenced to death and more than 100,000 are still in prison, but some of the ringleaders managed to escape. Still today, many who lost their loved ones are waiting for justice.


My favorite bootable Linux live systems are KNOPPIX and BackTrack; both are pretty handy and I would recommend them to any security aficionado. Both are primarily designed to be used as a live CD, but running them from a hard disk or a flash disk is quite a messy task. But not until now…

I really want to carry a secure OS that I can whack into any public computer and run all my SecTools. It is always handy whenever you travel without your laptop; imagine you could carry your operating system, files, e-mail, personal settings, and favorites in your pocket – all you need to do is whack the USB into a Windows PC and run your favorite Linux in a window!

Let’s roll up the sleeves; it’s pretty straightforward. All you need to do is download Qemu and a copy of your favorite Linux CD (ISO) image. Qemu is a generic and open source machine emulator and virtualizer. You can find all supported CPUs here. Extract the downloaded .zip file to a folder on your flash drive and copy your favorite Linux ISO image to the same folder. Typically an ISO image is as big as 700MB, so you may need a minimum 1GB flash drive. But don’t be disheartened if you’ve got a 128MB one: try Damn Small Linux – everything is in a 50MB ISO. Once you have the ISO image it’s only a mouse click away: run the StartLinux.bat file – you will be surprised.

I found the boot-up process a bit slow, and I also found a driver that allows Qemu to run x86 code in a virtual machine. It’s called Qemu Accelerator. That’s a bonus and will surely speed up your Linux-on-XP experience. Extract all the files in the tar.gz file into your Qemu folder, right-click on the kqemu.ini file and select Install. Once you have installed the accelerator as a Windows service, make sure you start it with `net start kqemu` prior to running StartLinux.bat.

Have fun!


It’s a Boy

I received an SMS from Duminda around 5ish in the morning saying “Thanuja gave birth to a baby boy.” I jumped off the bed with excitement and called my friend to pass on my good wishes. During the last week I had called him twice to confirm the expected date of confinement; when I rang I seldom felt any excitement, just ordinary as usual. That’s him! He told me that both Thanuja and the newborn are doing well. I was so touched when he told me that I was the first person to know the great news! I was overwhelmed and went speechless for a moment… I deeply wanted to be there with him.

I first met him as a vendor in late `99 while I was working at Dialog; since then he has become a trusted and close friend of mine. Duminda is a smart yet successful, witty IT/Telco salesman with very good self-esteem and a warm heart. He was always just a phone call away whenever I needed him…

We have already decided to spend lots of time in SL on our December trip, so I will be meeting all my (few) friends… the first time after being away from loved ones for 2 years.
