Cybersecurity Event Mauritius: Firewalls: back, now, then

Have you missed one of the most important cybersecurity event which recently took place in Mauritius ? I wrote a blog post to announce the event. Well, in case you miss it, you might be interested in this article to catch up with the event. It was publicly announced on the Facebook group as well on Twitter account. It was held on the 10th of September 2017 at Voila hotel conference room at Bagatelle, Mauritius. Several students from University of Mauritius, professionals and members of MOSS – Mauritius Open Source Society were also present on that day.

Philipp Buehler During his presentation.
Philipp Buehler During his presentation.

The team which is the first group of Linux and BSD developers in Mauritius invited Philipp Buehler, an international cybersecurity expert. He spoke about his experience in cybersecurity and gave recommendations for people interested by the the field or just want to learn new skills in that area. He also emphasised heavily on Network and Security infrastructure, Firewalls, IPS, IDS and several other components. You can view the slide here :

Mru2017 Talk by P.B of OpenBSD for event by Anonymous olxMjXje4 on Scribd

It was an open talk. Several topics such as Fragmentations and Protocol issues were tossed from the audience. One of the interesting topic was on IPS – Intrusion Prevent System. Philipp explain how most of the time if wrongly configured the system does not prevent any attack but instead legitimate packets. Typically, since it is an automated system and usually we have Crons which run at night and based upon some patterns by the IPS, same is interpreted as an attack and finally several IPs are banned and finally we land in a debug session. He pointed out about putting it back to an IDS – Intrusion Detection System. Support of IPV6 to several IDS were proposed as one example for University projects. It was amazing how Philipp re-drew the OSI diagram in a practical way and mentioned the “8th layer”. Another interesting diagram explaining how the Kernel interacts with the CPU, Memory and Disk to illustrate the Userland, the Kernel and the hardwares.

In case you are looking forward for more security events in Mauritius, please keep in touch on our Twitter Page and Facebook group. The also credits the PHP User Group of Mauritius for its kind sponsorship of the event and credits to Akasha Lilith for the nice pictures taken during the event  🙂


Pervasive Monitoring and Security in Africa

If you think about the number of attacks on the rise in the world, statistics and figures would proved you all. For example, if you think about preventing attacks such as, Man-in-the-Middle attacks, guidance in implementing the right TLS Protocol, formerly called SSL is important. TLS is the security protocol that underlies the web. Passive attacks such as tapping – Monitoring of unencrypted communications, Encryption – Intercepting encrypted information flows, Scanning – Scanning ports connected on the Internet and Traffic analysis – building  and processing of information from data analysis are surely on the rise. The RFC 7258 as described emphasised on pervasive monitoring mitigations where possible. Pervasive monitoring is also described as an attack and therefore it is an offence.

In 2017, we had so many cybersecurity disasters – Active attacks such as the Shadow Brokers which claimed to have breached the spy tools of the elite NSA-linked operation known as the Equation Group. We had also the WannaCry which netted almost 52 bitcoins, or about $130,000. The Wikileaks CIA Vault 7 which contains alleged spying operations and hacking tools. The team, clearly reacted on this issue under the Operation Crypto Redemption and submitted several patches and encouraged many Open Source organisations to patch up those vulnerabilities. According to Africa News, only South Africa seem to be impacted. It can clearly be seen that the attackers know which country they are aiming during mass phishing. 

AFRICA least hit by WANNACRY - Photo credits

AFRICA least hit by WANNACRY – Photo credits

But hey! If you give a thought about it. Did the attackers really aimed Africa? Why Africa was not really impacted? I highly doubt that there was a pervasive monitoring prior to the attack. It may also not be the case due to phishing as it depends who got trapped with the malware. Still phishing on large scale can be behind the intelligence of Pervasive monitoring! On the other hand, Checkpoint demonstrated how the risk is high in Africa with a map below displays the risk index globally (green – low risk, red- high risk risker, white – insufficient data), demonstrating the main risk areas around the world.

Photo Credits:
Photo Credits:

Several countries were listed as white due to insufficient data which could account to reliable data about the risk index in the African continent. Of course, it describe active attacks risks in the African continent. Attacks over countries are now evolving. What I mean is that there could be first a pervasive monitoring system which help attackers to move further towards their target for example: When to perform a mass phishing to get more money!

The fundamental of pervasive monitoring remain mostly about building profiles of a person. It is clear that many are vulnerable to these type of attacks due to presence on social media and social networks. A nation can be a target! Staffs from a particular company can be a target! But what is most sensible is when the data from pervasive monitoring has already been processed into meaningful information, attackers can sell those information which cost millions and may be billions of dollars.

Over the past decade, the billion people who live in Africa have experienced the fastest growth the continent has ever seen, and many of its countries (Nigeria, Ethiopia, Mozambique, Guinea) are among the fastest growing in the world. A growing body of evidence backs our view that as Africa’s population doubles to two billion over the next several decades, its GDP will increase from $2 trillion today to $29 trillion in today’s money by 2050.  What has changed? Many governments have learnt from their mistakes and seen the positive reform examples not just in Asia, but more importantly in Africa itself, from Mauritius to Botswana and Cape Verde, and now Ghana to Rwanda. In most countries there has been no single reform miracle, like China’s in 1978 or India’s in 1991, but rather a series of small steps which taken together have been just as powerful. –

Photo Credits:
Photo Credits:

Since Africa is on the edge of a rich economy boom, passive attacks will be on the rise probably from many other countries which will want to invest heavily. But where to invest? How much to invest? The information will be on sale probably from a cheap pervasive monitoring instead of an expensive survey!

We all knew that it is difficult to detect pervasive monitoring. However, I believe that data which had been processed from pervasive monitoring can still be analysed again to understand how it was used. For example: Pervasive data gathered during a previous election campaign comparison with a new election campaign. The dark web is not just being used by individuals. According to Corregedor, private organisations and governments are increasingly using it as a source of threat intelligence.With the threat of cybercrime comes the threat of cyberwarfare, and state-sponsored attacks on multinational corporations or other countries. South Africa, as with any other country, is equally at risk from this kind of threat, Corredegor says, because it is difficult to monitor the dark web for national threat intelligence. –

As first defence, it would be better to adopt TLS to prevent eavesdropping. The use of DNSSEC, SMTP Strict Transport Security and various other security protocols should be taken into consideration. Bear in mind that DNS tells all about you, from where you shop, what you shop online, what web pages you looked out and what you purchased! ISPs should enforced security protocols such as PKIs (Public Key Infrastructure), DANE (DNS Authentication of Named Entities) and DKIM (Domain Keys Infrastructure Mails). Improving internet infrastructure must progress before it is too late. Emails that are not digitally signed are also a good source of data to be processed anew. A simple example of dead.letters can be a source of getting gathering data on the internet.

According to The New York Times, the NSA is monitoring approximately 100,000 computers worldwide with spy software named Quantum. Quantum enables the NSA to conduct surveillance on those computers on the one hand, and can also create a digital highway for launching cyberattacks. A Proof of Concept explained by NetreseC how to detect “Quantum Insert” in the network environment.



One of the various reasons we don’t have much privacy in the online world is that people simply don’t realised the amount of information they leak daily. Worst is when companies leak information of staffs. To resolve such scenarios, since computer today are fast enough, norms to ensure that companies are implementing the use of tcpcrypt can be made mandatory.




Cybersecurity Event in Mauritius

International cybersecurity expert Philipp Buehler is coming to Mauritius. He will be speaking about his experience in security and what recommendations he has for people who wants to get into the field or just wants to learn new skills in that area.

It is a cybersecurity event, with an international speaker that is organising on the 10th of September 2017 at 15:00 hrs at Bagatelle Conference room. Several topics will be discussed! If you have any questions to ask, this will be the right time for you guys to do it. E.g, what skills do I need to learn or ideas which can potentially lead to my final year project ? 

Feel free to join the Facebook event page  or scan the event QR code in case you are attending the event.

Photo Credits: pfSense
Photo Credits: pfSense

Getting acquainted with PfSense

One of the topic that will be discussed will be on pfSense. For educational and testing purpose, pfSense can be installed on a Virtual Box.

Bio: Philipp Buehler, Co-founder and consultant at Sysfive has designed and implemented firewall technology which is used by many products such as Apple Macbook Pro, smart phones and firewalls which protect many large enterprises around the world.

VMware vSphere High Availability Basics

VMware vSphere HA is one of the core feature in a cluster. So let’s bring some more precision about it. High Availability – HA enables a cluster of ESXi hosts to work together so that they can provide high levels of High Availability for virtual machines rather than just an ESXi host by itself. In brief, the High Availability feature is provided by pooling virtual machines and the ESXi hosts in the cluster for protection. Some examples could be host failures, host isolations and application crashes. The requirements for HA is a minimum of two hosts, vCenter Server and Shared Storage.

Photo Credits:
Photo Credits:

One ESXi goes down

By default, HA uses management network (Service Console/Management Network VMkernel connections). Let’s take a scenario where there are three ESXi hosts in a cluster. In the event where a physical server (ESXi hosts) goes down, the VM machines will be restarted on the other ESXi hosts. We can also set up applications to be started on the other physical server. From the three physical servers in the cluster one is going to be elected as master. The master server is going to keep track of other ESXi hosts through the heartbeat of other servers. This is done at the management network level. The master server will always expect to have heartbeat responses from other ESXi hosts.

Only the management network went down

If at any moment, the master server detects that a host is down, it will report that to the vCenter server and all servers will be powered on the other ESXi hosts. What is more interesting is that if only the management network goes down, and other network such the datastore network is still working, that would be referred as an Isolation incident. In that case, the vSphere will communicate to the master server and will claim that the ESXi host is still active is through the datastore heartbeat. In that case, the VMs will not be powered onto other ESXi host because it is an Isolation incident.

Only the Datastore network went down

Now, what if only the Datastore network went down and not the Management network? The master server will still receive heartbeat messages from other ESXi hosts, but no data communication is being sent to the datastore. Another element that is included in HA is VMCP – VM Component Protection which is a component that detects that if a VM is having access to the datastore. In the event of failure messages from the datastore heartbeat, the VMs will be powered onto other ESXi hosts where the datastore is sending alive heartbeat messages.

In all three scenarios, HA implies downtime as servers will be restarted in other ESXi hosts, but same is usually done within minutes. Another point to keep in mind is that HA applies only to physical host. For example, if a particular VM encounter a BSOD or Kernel Panic, HA will not know about it because the Physical server (ESXi host) is still communicating with the master server.

How the election process takes place to become the master?

When HA gets activated in the vSphere, the election process takes around 10-15 seconds. In that process (Enabling HA) an agent gets installed to activate HA which is called FDM – Fault Domain manager. Logs can be checked at /var/log/fdm.log. The election process is defined by an algorithm with two rules. For the first, the host with access to the greatest number of datastores wins.

Now, what if all ESXi hosts see the same number of datastores ? There will be a clash. This is where the second rule kicks in i.e; the host with the lexically-highest Managed Object ID (MOID) is chosen. Note that in vCenter Server each object will have a MOID. For example, objects are ESXI servers, folders, VMs etc.. So the lexical analyzer is a first component where it takes a character stream as input, outputs a token which goes into a syntax analyzer and the lexical analysis is performed. Care must be taken when attempting to rig this election because lexically here means, for example, that host-99 is in fact higher than host-100.

What IF …. ?


So what if vCenter Server goes down after setting up HA? 

The answer is HA will still work as it now the capacity to power on the vCenter Server. FDMs are self sufficient to carry on the election process as well as to start the vCenter Server. FDMs are inside the VMs but not inside the vCenter Server.

Enable and Configure vSphere HA
I will be using the free labs provided by VMware to set up HA.
1.The first action is to choose the Cluster then click on ‘Actions‘  then ‘Settings‘.
Photo Credits:
Photo Credits:

2. Choose ‘vSphere Availability‘ on the left -> then click on ‘Edit‘.

Photo Credits:
Photo Credits:

3. Click on ‘Turn ON vSphere HA’.

Photo Credits:
Photo Credits:

4. Choose ‘Failures and Responses‘ option and click on -> and enable ‘VM and Application monitoring‘.

Photo Credits:
Photo Credits:

5. On the ‘Admission control‘ -> check the ‘Cluster resource percentage‘ option.

Photo Credits:
Photo Credits:

6. Click on ‘Heartbeat Datastores’ and select ‘Automatically select datastores accessible form the host‘.

Photo Credits:
Photo Credits:
7. From the ‘Summary’ tab click on ‘vSphere Availability‘, it should mentioned vSphere HA: Protected.
Photo Credits:
Photo Credits:
1.VMware Tech Plus:
2.VMware White paper:
3.VMware Labs:
4.Other Links:

ESXi installation on my Dell Laptop and hands on VMware Labs

If you are thinking why i should install a bare metal hypervisor on a laptop, i assure you its just for educational and testing purpose only. I noticed that it was quite difficult for me to get this done. However, after some research it looks that my Dell Inspiron n5110 motherboard will not authorised me to install ESXi 6.x. Probably, it looks like there are some drivers missing or the motherboard does not support it.

Here is what my processors looks like from the configuration menu on VMware vSphere Center

Anyway, i have been able to inject some network drivers – VIB files into the ESXi5.0 which allowed me to install the ESXi 5.0 on the laptop. You can follow the instructions at the link how to make your unsupported NIC work with ESXi. Once installed, VMware will provide you with a two months free trial before you purchase the license.

Another way of messing around VMware Vsphere is to deploy a lab from That’s so easy to deploy labs and access the VMware vSphere web client. All credentials will be available on the readme.txt file found on the desktop. Also a lab manual will be shown alongside whilst working on the environement labs.

I am sure this would help anyone to get into hands on lab quickly and it would be a nice start for beginners.