Wednesday, August 19, 2015

Import and Export Data (ldif file) to IBM Tivoli Directory Server

It is recommended to export and import groups and users separately. To do this:

On Source:

     A: Exporting groups

          idsdb2ldif -o groups.ldif -k CryptoSeed -t CryptoSalt -s cn=groups,dc=...,dc=com

          The export should finish with a message like "62 entries have been successfully exported from the directory."

     B: Exporting users

          idsdb2ldif -o users.ldif -k CryptoSeed -t CryptoSalt -s cn=users,dc=...,dc=com

          The export should finish with a message like "35304 entries have been successfully exported from the directory." (The number of entries will vary.)

After creating them, transfer the groups.ldif and users.ldif files to the target directory server.

On Target:
     1- Stop ldap server: 
          idsslapd -k

     2- Import groups:
          idsldif2db -i groups.ldif

     3- Import users:
          idsldif2db -i users.ldif

          The import should finish with a message like "35304 entries have been successfully added out of 35304 attempted."

     4- Start back ldap server:

* It is a good idea to check the ibmslapd.log file at this point to see whether the LDAP server reported any errors, and to check the replication status.
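
A pre-import check for the transferred files, added here as an example and not part of the original post: it counts the entries in an LDIF file, to compare with the number idsdb2ldif reported on the source, and counts entries that fall outside the expected subtree. The function names and the dc=example,dc=com sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks on an LDIF export before idsldif2db imports it.

# Print each entry's DN line, rejoining folded lines (continuations start with a space).
ldif_dns() {
    awk '
        /^ / { if (keep) buf = buf substr($0, 2); next }
             { if (keep) print buf; keep = 0 }
        tolower($0) ~ /^dn:/ { buf = $0; keep = 1 }
        END  { if (keep) print buf }
    ' "$1"
}

# Entry count, to compare with the number idsdb2ldif reported on the source.
ldif_entry_count() { ldif_dns "$1" | wc -l | tr -d ' '; }

# Count entries not at or below subtree $2 (literal, case-insensitive match).
# Base64 DNs ("dn::") are counted as well so that they get a manual look.
ldif_outside_subtree() {
    ldif_dns "$1" | awk -v sfx="$2" '
        BEGIN { sfx = tolower(sfx); bad = 0 }
        /^[^:]*::/ { bad++; next }
        {
            dn = tolower($0); sub(/^dn:[ ]*/, "", dn)
            n = length(dn) - length(sfx)
            if (dn != sfx && (n < 1 || substr(dn, n) != ("," sfx))) bad++
        }
        END { print bad }
    '
}

# Constructed sample, not data from the post: 3 entries, one folded DN,
# one entry that belongs to cn=users rather than cn=groups.
write_sample_ldif() {
    cat > "$1" <<'EOF'
dn: cn=groups,dc=example,dc=com
objectclass: container

dn: cn=a-long-group-name,cn=groups,
 dc=example,dc=com
objectclass: groupOfNames
member: cn=alice,cn=users,dc=example,dc=com

dn: cn=alice,cn=users,dc=example,dc=com
objectclass: person
EOF
}

if [ -n "${1:-}" ]; then echo "$1: $(ldif_entry_count "$1") entries"; fi
```

A count that differs from the export message, or a non-zero result from ldif_outside_subtree, is a reason to re-transfer or inspect the file before stopping the server for the import.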

Monday, April 13, 2015

IP - Hostname Converter - Getting IP Address or Hostnames from A List

When I check the statistics of my blog, I see that the most popular post is about getting hostnames from a given IP address list. I published the "Getting hostname from an IP address list with PowerShell" post in April 2012, and it has received hundreds of visitors since then. So I want to share an application that I created earlier.

IP - Hostname Converter is a very small application. Paste a hostname list into the "Hostname" text box and press the ">>>" button to resolve the IP addresses, or paste an IP address list into the "IP Address" text box and press the "<<<" button to resolve the hostnames.

It is available for download:

Tuesday, November 4, 2014

Creating Scheduled Backup in CheckPoint Smart Center on Windows

If your CheckPoint Smart Center environment is not highly available, you must be sure that you have a working backup of the Smart Center server. Meanwhile, I think it is still important even if you have a highly available setup.

 It is very easy to schedule a daily backup in Check Point Splat, and it can easily send the backup to an FTP server for safekeeping. However, the Windows Smart Center environment does not have this backup scheduling option. The backup command also does not work on Windows installations, so you have to use upgrade_export.exe to take a backup. In Windows Smart Center, upgrade_export.exe is placed in the installation folder of Check Point. You can start this executable manually and create the backup file, but here I explain how to schedule the upgrade_export tool and how to send the backup file to an FTP server.

 The script I share below starts by deleting the existing *.tgz files in the "E:/daily_backup" directory. I delete these files at the beginning because, as you can see in the code, the backup file that is created is a .tgz file named after the day it was created on, and the script sends all .tgz files to the FTP server after creating it. If we did not delete the existing files, the same files would be sent to the FTP server again and again.

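rem Delete earlier backups so they are not uploaded again
del "E:\daily_backup\*.tgz"
rem Date stamp for the file name; "/" and spaces (locale-dependent) are replaced
set dd=%date:/=-%
set dd=%dd: =_%
E:\FW1\R70\fw1\bin\upgrade_tools\upgrade_export.exe E:\daily_backup\fw_backup%dd%.tgz <E:\daily_backup\line.txt
rem Upload every .tgz using the commands in ftp.txt
ftp -i -s:ftp.txt <ftp_server_IP_address>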

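The ftp.txt file holds the authentication information for the FTP server, followed by the transfer command. Because the credentials are stored in it in clear text, restrict read access to this file to the account that runs the scheduled task.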

mput *.tgz

The last thing to do here is to create a scheduled task for this batch file.

Tuesday, March 11, 2014

Phishing Technique and Its Success

Phishing is a social engineering technique that manipulates people into performing actions the attacker wants. The attacker prepares an e-mail as if it was sent from a known individual or organization, and leads the victim to click on a link that will take the user to a malicious website or download a malicious file, or to a fraudulent website that appears legitimate so that the victim enters his username and password or other personal information.
Phishing is a very successful technique because people do not look at websites carefully, or they do not have the time to be more careful and investigate the website or e-mail. One of the reasons may be that they have not been a victim before, or maybe they do not know it even if they have. People easily trust brands, logos and persuasive text. There is a lack of information assurance knowledge.

How Phishing Works

Phishing Examples
As I explained before, phishing is a very successful attack technique. The following cases support this assertion.
In 2011, RSA, one of the biggest security firms, was hacked. It was an attack against SecurID, the two-factor authentication product of RSA. In this case, the attackers sent phishing e-mails with the subject “2011 Recruitment Plan”, and after an employee opened the attached Excel file, they used a zero-day exploit in Adobe Flash.
As a more recent story, just a few days ago, Forbes Magazine was hacked by the Syrian Electronic Army with a phishing mail. You can read the whole story, minute by minute, directly from Forbes;
Another story is from Turkey. Attackers send an e-mail with an electronic bill from a telco company attached. When the victim opens the attached file, the malicious code encrypts all usable files on the PC and pops up a warning that he has to pay money to decrypt the files. This malicious software is called FatMal.
The most effective defense against phishing is creating user awareness. I will not go into how users can guard against phishing here, but all companies should improve awareness. RSA and Forbes are very good examples of that. A single employee whose awareness you have not improved can cause you to be hacked.
“You are as strong as the weakest link in your defense system” Sun Tzu
As a security admin, there are also some precautions that you can take. A proxy that has a dynamic scanning feature can decrease the possibility of being hacked through phishing. Even if the user opens the link in the e-mail, the proxy would not let him enter the website.
Even though it is not enough for your security on its own, ensure that all employees' PCs and antivirus agents are up to date. It is not enough because, in the case from Turkey described above, antivirus vendors did not have a signature for the malicious software; Trend Micro released the signature two days later and Symantec five days later.

Tuesday, January 28, 2014

"Additional forensics data is not available" error in Websense DLP

Sometimes, while DLP is working fine, you can encounter the "Additional forensics data is not available" error in the "Forensics" tab of an incident. This means you cannot see the details of the incident.

It has a very simple solution:

1-  Stop the DSSManager service and rename the following folders:
  1. %DSS_HOME%\tomcat\work > work.old
  2. %DSS_HOME%\tomcat\logs > logs.old
  3. %DSS_HOME%\tomcat\temp > temp.old
2- Create a new %DSS_HOME%\tomcat\temp folder and restart the DSSManager service.

Websense says that you should not lose any incidents in this scenario; I have tried it a few times, and I really did not lose any incidents.