Monday, April 13, 2015

IP - Hostname Converter - Getting IP Address or Hostnames from A List

When I check the statistics of my blog, I see that the most popular post is the one about getting hostnames from a given IP address list. I published the "Getting hostname from an IP address list with PowerShell" post in April 2012, and it has drawn hundreds of visitors since then. So I want to share an application that I created some time ago.

IP - Hostname Converter is a very tiny application. Just paste a hostname list into the "Hostname" text box and press the ">>>" button to resolve the IP addresses, or paste an IP address list into the "IP Address" text box and press the "<<<" button to resolve the hostnames.
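The same two-way conversion in PowerShell, as an added example that is my own illustration and not the converter's code; the function name and the input file names are assumptions:

```powershell
# Added example, not the converter's code: resolve a pasted list in either direction
# with the .NET DNS resolver, which is what the ">>>" and "<<<" buttons do.
function Convert-HostList {
    param(
        [Parameter(Mandatory)][string[]]$InputList,  # hostnames or IP addresses, one per element
        [switch]$ToHostname                          # set this when the list holds IP addresses
    )
    foreach ($entry in $InputList) {
        $item = $entry.Trim()
        if (-not $item) { continue }                 # skip blank lines that come with a paste
        try {
            if ($ToHostname) {
                # Reverse lookup (PTR): Parse() rejects anything that is not an IP address
                $ip = [System.Net.IPAddress]::Parse($item)
                $result = [System.Net.Dns]::GetHostEntry($ip).HostName
            } else {
                # Forward lookup (A records); a host with several addresses gets them comma-separated
                $result = ([System.Net.Dns]::GetHostAddresses($item) |
                    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                    ForEach-Object { $_.IPAddressToString }) -join ', '
            }
        } catch {
            # Keep the row on failure so the output stays line-aligned with the pasted input
            $result = "NOT RESOLVED: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Input = $item; Result = $result }
    }
}

# Usage (file names are assumptions): one column in, two columns out
Convert-HostList -InputList (Get-Content .\hostnames.txt)
Convert-HostList -InputList (Get-Content .\ip_addresses.txt) -ToHostname
```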

It is available for download:

Tuesday, November 4, 2014

Creating Scheduled Backup in CheckPoint Smart Center on Windows

If your Check Point Smart Center environment is not highly available, you should make sure that you have a working backup of the Smart Center server. I think it is still important even if you have a highly available setup.

It is very easy to schedule a daily backup on Check Point SPLAT, and it can easily send the backup to an ftp server for safekeeping. The Windows Smart Center environment, however, does not have this backup scheduling option, and the backup command does not work on Windows either. So you have to keep using upgrade_export.exe to take a backup. On Windows Smart Center, upgrade_export.exe is located in the Check Point installation folder. You can start this exe manually and create the backup file, but here I explain how to schedule the upgrade_export tool and how to send the backup file to an ftp server.

The script I share below starts by deleting the existing *.tgz files in the "E:\daily_backup" directory. I delete these files at the beginning because, as you can see in the code, the created backup file is a .tgz file named with the day it was created on, and the code sends all .tgz files to the ftp server after creating it. If we did not delete the existing files, the same files would be sent to the ftp server again and again.

del "E:\daily_backup\*.tgz"
rem %date% contains slashes and spaces in most locales; make it filename-safe
set "dd=%date:/=-%"
set "dd=%dd: =_%"
E:\FW1\R70\fw1\bin\upgrade_tools\upgrade_export.exe E:\daily_backup\fw_backup%dd%.tgz <E:\daily_backup\line.txt
rem run ftp from the backup folder so ftp.txt and *.tgz are found
cd /d E:\daily_backup
ftp -i -s:ftp.txt <ftp_server_IP_address>

The ftp.txt file holds the login information for the ftp server (the username and password answers that the ftp client prompts for) followed by the commands to run; keep its NTFS permissions restricted, since the password is stored in clear text. Because the -i switch turns off per-file prompting, mput uploads every archive in one go, and the script ends with quit so the batch file does not hang at the ftp prompt. Fill in the placeholders:

<ftp_username>
<ftp_password>
binary
mput *.tgz
quit

The last thing to do here is to create a scheduled task for this batch file.
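One way to create that scheduled task, as an added example that is not part of the original post: it assumes the ScheduledTasks module (Windows Server 2012 / PowerShell 3 or later), that the batch file above is saved as E:\daily_backup\backup.bat, and a task name and run time of my choosing.

```powershell
# Added example, not from the original post: register the daily backup batch file as a
# scheduled task and run it once to confirm it works. Paths, task name and time are assumptions.
$taskName = 'CheckPoint Daily Backup'
$batch    = 'E:\daily_backup\backup.bat'

# WorkingDirectory matters: the batch file reads ftp.txt and uploads *.tgz relative to it
$action    = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "/c `"$batch`"" -WorkingDirectory 'E:\daily_backup'
$trigger   = New-ScheduledTaskTrigger -Daily -At '02:00'
# SYSTEM has no password that can expire, and upgrade_export.exe needs an elevated context
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 2) -StartWhenAvailable

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Run it by hand once and check the result before trusting the schedule
Start-ScheduledTask -TaskName $taskName
do { Start-Sleep -Seconds 10 } while ((Get-ScheduledTask -TaskName $taskName).State -eq 'Running')
$info = Get-ScheduledTaskInfo -TaskName $taskName
'Last run: {0}, result code: 0x{1:X}' -f $info.LastRunTime, $info.LastTaskResult
# A fresh archive in the backup folder confirms upgrade_export.exe produced something
Get-ChildItem 'E:\daily_backup\*.tgz' | Select-Object Name, Length, LastWriteTime
```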

Tuesday, March 11, 2014

Phishing Technique and Its Success

Phishing is a social engineering technique that manipulates people into performing the actions the attacker wants. The attacker prepares an e-mail as if it were sent from a known individual or organization and leads the victim to click on a link that takes the user to a malicious website or downloads a malicious file, or to a fraudulent website that appears legitimate, so that the victim enters his username and password or other personal information.
Phishing is a very successful technique because people do not visit websites carefully, or they do not have the time to be more careful and to investigate the website or e-mail. One reason may be that they have not been a victim before, or perhaps they do not even know that they were. People easily trust brands, logos and persuasive text. There is a lack of information assurance knowledge.

How Phishing Works

Phishing Examples
As I explained before, phishing is a very successful attack technique. The following cases prove this assertion.
In 2011, RSA, one of the biggest security firms, was hacked. It was an attack against RSA's SecurID two-factor authentication product. In this case, the attackers sent phishing e-mails with the subject "2011 Recruitment Plan", and after an employee opened the attached Excel file, they used a zero-day exploit for Adobe Flash.
As a more recent story, just a few days ago Forbes Magazine was hacked by the Syrian Electronic Army with a phishing mail. You can read the whole story minute by minute directly from Forbes;
Another story is from Turkey. Attackers sent an e-mail with an attachment posing as an electronic bill from a telco company. When the victim opens the attached file, the malicious code encrypts all usable files on the PC and pops up a warning that he has to pay money to decrypt the files. This malicious software is called FatMal.
The most effective defense against phishing is creating user awareness. I will not go into how users can watch out for phishing here, but all companies should improve awareness. RSA and Forbes are very good examples of that. A single employee whose awareness you did not improve can get you hacked.
“You are as strong as the weakest link in your defense system” Sun Tzu
As a security admin, there are also some precautions you can take. A proxy with a dynamic scanning feature decreases the chance of being compromised through phishing: even if the user opens the link in the e-mail, the proxy will not let him reach the website.
Even though it is not enough on its own, ensure that all employees' PCs and antivirus agents are up to date. It is not enough because in the Turkish case I described above, the antivirus vendors did not have a signature for the malicious software; Trend Micro released one two days later and Symantec five days later.

Tuesday, January 28, 2014

"Additional forensics data is not available" error in Websense DLP

Sometimes, while DLP is otherwise working fine, you can encounter the "Additional forensics data is not available" error in the "Forensics" tab of an incident. This means you cannot see the details of the incident.

It has a very simple solution:

1- Stop the DSSManager service and rename the following folders:
  1. %DSS_HOME%\tomcat\work > work.old
  2. %DSS_HOME%\tomcat\logs > logs.old
  3. %DSS_HOME%\tomcat\temp > temp.old
2- Create a new %DSS_HOME%\tomcat\temp folder and restart the DSSManager service.
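The two steps as one script, as an added example that is not part of the original post; it assumes the DSS_HOME environment variable is set on the DLP server (the %DSS_HOME% used above) and waits for the service to actually stop before touching the folders:

```powershell
# Added example, not from the original post: the fix above as one script, with waits so
# the folders are not renamed while DSSManager still holds them open.
# Assumes DSS_HOME is set in the environment, as %DSS_HOME% in the steps above.
if (-not $env:DSS_HOME) { throw 'DSS_HOME is not set; run this on the Websense DLP server' }
$tomcat  = Join-Path $env:DSS_HOME 'tomcat'
$service = 'DSSManager'

# Step 1: stop the service and wait until it is really stopped
Stop-Service -Name $service -Force
(Get-Service -Name $service).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5))

foreach ($name in 'work', 'logs', 'temp') {
    $dir = Join-Path $tomcat $name
    if (-not (Test-Path $dir)) { continue }
    $old = "$name.old"
    # If the fix was applied before, keep the earlier copy instead of failing on the rename
    if (Test-Path (Join-Path $tomcat $old)) { $old = "$name.old.$(Get-Date -Format 'yyyyMMddHHmmss')" }
    Rename-Item -Path $dir -NewName $old
}

# Step 2: only temp is recreated, then the service is started again
New-Item -ItemType Directory -Path (Join-Path $tomcat 'temp') | Out-Null
Start-Service -Name $service
(Get-Service -Name $service).WaitForStatus('Running', [TimeSpan]::FromMinutes(5))
Get-Service -Name $service | Select-Object Name, Status
```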

Websense says that you should not lose any incidents in this scenario, and having tried it a few times, I really did not lose any.

Monday, January 27, 2014

Advantages and Disadvantages of Reputation-Based Anti-Spam Services

One of the most efficient anti-spam techniques is IP reputation filtering. It is also the least costly technique for the anti-spam gateway, and it can block around 80% (or more) of spam before it reaches your server. First, I want to explain what a "reputation service" is for those who don't know, and then its positive and negative effects.

IP reputation services are based on gathering information about IP addresses. When someone tries to send you an e-mail, the reputation service installed on your e-mail security server checks blacklists around the world during the first connection and gathers information about the sender's IP address. If the sender's IP address is on a blacklist, meaning "this IP address mostly sends spam", it blocks the message directly. So the message is blocked before it reaches your server, which reduces the load on that server.

In most situations, an IP reputation service can block around 80% of spam, as I explained before. This means that if you do not use an IP reputation service, 80% more messages reach your server and consume CPU and memory. By that calculation, you may need twice as many servers to process all these e-mails. Additionally, tests show that when an IP reputation service is used properly, the number of false positives is very small compared to typical content filtering.

Although an IP reputation service provides the advantages explained above, it can also have negative effects on messaging in a company. Assume that you have contacts who usually e-mail hundreds of their customers, or who use their ISP's SMTP service to send e-mail. It is quite normal for the IP address they use to be flagged as a spammer and end up on a blacklist. In this situation, you can do nothing to receive e-mail from this contact. You cannot add it to a whitelist, because the filtering happens during the first connection, when the reputation service does not yet know the sender's domain; it only knows the IP address. Adding its IP address to the whitelist will not work either, because the message is blocked before it reaches your content filtering rules. The only option is for the sender to get its domain or IP address removed from the blacklists. You may think this is not your problem: if they cannot send e-mail to you, they cannot send it to anyone else either. That is true, but in business it sometimes does not work that way. At this point, activating the IP reputation service becomes a very critical decision.
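A lookup of the kind a reputation service performs at connection time, as an added example that is my own code and not any vendor's implementation: the only input is the sender IP, which is exactly why a domain whitelist cannot be consulted at that stage. The DNSBL zone name and the -Resolver scriptblock are assumptions, and the demo at the bottom uses a constructed fake resolver so it runs offline.

```powershell
# Added example, not from the original post: query a DNS-based blacklist (DNSBL) for a sender IP.
# The query name is the reversed IPv4 octets under the list zone (4.3.2.1.<zone> for 1.2.3.4);
# a listing comes back as an address in 127.0.0.0/8, an NXDOMAIN means "not listed".
function Test-SenderReputation {
    param(
        [Parameter(Mandatory)][string]$SenderIp,
        [string]$Zone = 'zen.spamhaus.org',   # assumption: whichever DNSBL zone your gateway uses
        [scriptblock]$Resolver = { param($name) (Resolve-DnsName -Name $name -Type A -ErrorAction Stop).IPAddress }
    )
    $octets = $SenderIp.Split('.')
    if ($octets.Length -ne 4) { throw "IPv4 address expected: $SenderIp" }
    [array]::Reverse($octets)
    $query = ($octets -join '.') + '.' + $Zone
    try {
        $answers = @(& $Resolver $query)
    } catch {
        $answers = @()                        # NXDOMAIN or resolver failure: treat as not listed
    }
    # Only 127.x.x.x answers are real listings; anything else points at a broken or hijacked zone
    $listed = @($answers | Where-Object { $_ -like '127.*' })
    if ($listed.Count -gt 0) {
        $action = 'REJECT at connection (content rules and whitelists never run)'
    } else {
        $action = 'ACCEPT connection, continue to content filtering'
    }
    [pscustomobject]@{ SenderIp = $SenderIp; Query = $query; Listed = ($listed.Count -gt 0); Codes = ($listed -join ','); Action = $action }
}

# Constructed offline demo: a fake resolver standing in for real DNS answers
$fakeDns = @{ '4.3.2.1.zen.spamhaus.org' = '127.0.0.2' }
$demo = { param($name) if ($fakeDns.ContainsKey($name)) { $fakeDns[$name] } else { throw 'NXDOMAIN' } }.GetNewClosure()
'1.2.3.4', '10.0.0.7' | ForEach-Object { Test-SenderReputation -SenderIp $_ -Resolver $demo }
```

Pointing -Resolver at the default Resolve-DnsName scriptblock turns the same function into the check you can run for a contact who claims to be blocked, before telling them which list to get delisted from.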

As a result, it is very important to try the critical business processes during the PoC. As I stated before, if a critical business process has to receive e-mail messages even when the sender is on a blacklist, you have to test it before you buy or enable the service.