Paul Stewart, CCIE 26009 (Security)

Author Archives: Paul Stewart, CCIE 26009 (Security)

Spearphishing Attacks Against Hostmonster Customers

I tend to see a lot of phishing emails. The message I received this morning caught my eye. It was fairly well crafted and obviously targeted. After searching the Internet, I found that some GoDaddy customers have received something similar. This seems to be making its way around the internet to website administrators. The most curious thing to me is how someone associated the email address with a Hostmonster account.

Phishing Email Message

Screen Shot 2015-11-18 at 6.58.02 AM

As can be seen above, the message read–

Your account contains more than 4035 directories and may pose a potential performance risk to the server. Please reduce the number of directories for your account to prevent possible account deactivation.

In order to prevent your account from being locked out we recommend that you create special temp directory.

The link goes to kct67<dot>ru.

Message headers also suggest a Russian origin–

Received: by 10.140.27.139 with SMTP id 11csp1084546qgx;
        Tue, 17 Nov 2015 20:25:39 -0800 (PST)
X-Received: by 10.25.161.211 with SMTP id k202mr1408853lfe.161.1447820739327;
        Tue, 17 Nov 2015 20:25:39 -0800 (PST)
Return-Path: <[email protected]>
Received: from bmx1.z8.ru (bmx1.z8.ru. [80.93.62.39])
        by mx.google.com with ESMTPS  Continue reading

Merchant Processes and CID/CVV2

I recently received a letter from the company that monitors my home alarm. It basically stated that to avoid a $3US surcharge that I must opt out of receiving bill in the mail (which is fine) and that I must set up automatic transactions.  I also found this form attached.

Merchant Form

This is not the first time that I have seen a payment option that includes a requirement for the CVV2  or CID value from my credit card. However with a little knowledge of PCI, I have to ask myself the following question, “What exactly are they going to do with this information?” According to PCI-DSS, this information must not be stored (even in an encrypted format) after authorization.

That raises the following questions for the merchant requiring this information–

  1. Is this truly only for the first transaction authorization and the physical form will be securely destroyed?
  2. In this particular case, this is for a monthly transaction. So their relationship with their provider is such that CID/CVV is optional (and not used) for secondary transactions?
  3. Or is this information being stored, electronically or physically, allowing for the possibility of later transactions?

In this Continue reading

OSX, Outlook 2011 and Evernote

If you are using Outlook and Evernote on the Mac, check out the article below. It outlines an AppleScript that allows the user to press Command+E to add an email, or selected portion of an email to Evernote.

As I implemented this, I did run into a couple of caveats. My suggestion is to make sure to read the comments in the script and to relaunch Outlook between changes. Thanks to Justin Lancy for a great tip.

I’d love to hear from you, so share your thoughts by commenting below.

Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may does not reflect the position of past, present or future employers.

No related content found.

The post OSX, Outlook 2011 and Evernote appeared first on PacketU.

VLAN Bridging with FirePOWER

Although not immediately obvious, the FirePOWER Series 3 devices can do a form of IPS on a stick. This means that the capability described here should be available to the current appliance versions of the FirePOWER managed devices. The premise involves connecting broadcast domains (VLANs) to bring the managed device inline between the initiator and responder of a flow. Configuration is fairly straightforward but does have some caveats.

Caveats

  • Even though only a single port is required, a virtual switch must be configured (this cannot just be an inline pair)
  • BPDUs being bridged between VLANs are detected and will render the switchport(s) in an inconsistent state
  • The FirePOWER physical interface will not activate until it is also bound to a Virtual Switch

FirePOWER Bridge VLANsThe diagram shows two devices in the same VLAN (we will assume /24 for the configuration). The device on the top is in VLAN 100. The FirePOWER managed device bridges VLAN 100 to VLAN 101 and allows the two devices to communicate directly with one another. The connection to the FirePOWER device is a single 802.1q trunk.

Frames arriving on VLAN 100 will be processed and egress with a VLAN tag of 101. This configuration is similar to a Continue reading

Are You an ACKer?

There are lots of differences in the way that individuals communicate and interact. One difference I often notice is whether a given individual does or does not respond. Using myself as an example, I will typically respond to a text message or email even if no question is posed. Often I will either Thank the sender or provide some unnecessary comment.

My wife on the other hand almost never responds to an information only message. If nothing is being requested, don’t expect a response. I find that lots of people exhibit this behavior and there’s nothing wrong with it. The lack of a response doesn’t necessarily mean the information isn’t appreciated. It is important to realize that just because you do something a certain way, don’t expect others to do the same.

I’d love to hear from you, so share your thoughts by commenting below.

Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may does not reflect the position of past, present or future employers.

No related content found.

The post Are You an ACKer? appeared first on PacketU.

Citizens of Tech 001 – Knuckle Cracking Felt Animals

I have a new podcast recommendation to share. The title is Citizens of Tech and is a product of our good friend Ethan Banks and Eric Suthphen. Although it is part of the PacketPushers ecosystem, it is a very different type of podcast. As opposed to typical network-centric topics, this show seems to include all things tech (and things that tech people are interested in).

Check out the first episode here–

Readers of this article may also enjoy:

  1. Everyone’s Favorite Topic–Bring Your Own Device

The post Citizens of Tech 001 – Knuckle Cracking Felt Animals appeared first on PacketU.

CLN 2015 Designated VIPs

I wanted to take a moment and give a well-deserved congratulations to the 2015 Cisco Learning Network Designated VIPs. These fine folks spend a ton of time giving back to the community by helping others in their learning process.

New VIPs for 2015

  • Aref Alsouqi
  • Darren Starr
  • Joshua Johnson
  • Milan Rai

Returning from Previous Year(s)

  • Alain Cadet
  • Chandan Singh Takuli
  • Daniel Dib
  • DelVonte Deary
  • Elvin Arias
  • Erick
  • Jared Hainline
  • Jon K. Johnson (Jay)
  • Riikka Sihvonen

Again, a very warm welcome and congratulations to this group. Your contribution to the community is much appreciated.

Bios and more information for the 2015 VIPs can be found here–

 

Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may does not reflect the position of past, present or future employers.

Readers of this article may also enjoy:

  1. Learning Network VIPs for 2013
  2. Cisco VIRL – The Virtual Internet Routing Lab
  3. Cisco Announces 2014 VIPs for CLN and CSC
  4. Using Cisco’s DevNet “All-in-One VM” as a Free Router Lab
  5. Congrats to Chandan Singh Takuli, CCIE Voice

The post CLN 2015 Designated VIPs appeared first on PacketU.

Discard Routing for RFC1918 Addresses

While working with firewalls for the last few years, I’ve seen many logs polluted with scanning traffic. Obviously this is the type of thing that I want to see when someone is legitimately scanning, or attempting to scan, through the firewall. However, there are a few cases that seeing this traffic is simply an indication of some other issue in the network.

An example I have seen on several occasions is someone configuring a network management station to discover 192.168.0.0/16, 172.16.0.0/12 or 10.0.0.0/8. If not properly handled in the routed network architecture, the associated traffic could make its way to the firewall or even to the ISP. An ASA might block the traffic due to policy, reroute it back toward the internal network, drop it due to the intra-interface hairpin configuration, or forward it onward. In most cases, this traffic will cause a lot of “noise” in the syslogs produced by the firewall.

To fully understand the problem, the diagram below can be used for discussion–

DiscardRouting

In this example, R1 has a static default route that points to the IP address of FW1. R1 advertises this via EIGRP to its internal neighbors. If a networked host attempts to reach Continue reading

The Longest Match Rule

One of the the concepts that comes up occasionally is that of precedence. For example, one might consider the following routing table entries.

ip route 0.0.0.0 0.0.0.0 1.1.1.1              //default route
ip route 192.168.0.0 255.255.0.0 1.1.1.2      //supernet/cidr route
ip route 192.168.1.0 255.255.255.0 1.1.1.3    //network route
ip route 192.168.1.0 255.255.255.128 1.1.1.4  //subnet route
ip route 192.168.1.20 255.255.255.255 1.1.1.5 //host route

Questions often arise around which path a packet would take when it matches more than one entry. For example, a packet may have a destination address of 192.168.1.20. In this case it matches every single route entry.

The logic is actually simple, even straightforward. A packet will follow the most specific route entry that it matches. So a packet destined to 192.168.1.20 would be routed to a router at 1.1.1.5. If the destination happened to be 192.168.1.21, it would be routed over to 1.1.1.4.

Continue reading

IRS Banner Fail

So I go to the IRS Page that allows taxpayers to check status of a refund. This is under the number “3” at the following URL–

http://www.irs.gov/Refunds

The following banner pops up prior to setting a browser cookie.

IRSBanner

I’m not a lawyer, so I have some questions regarding how to interpret this–

  1. Should this be read as–
    1. Use of this system constitutes consent to monitoring, interception, recording, reading, copying or capturing by authorized personnel of all activities. (or)
    2. Use of this system constitutes consent to monitoring, interception, recording, reading, copying or capturing by authorized personnel of all activities.
  2. And what does authorized personnel of all activities mean. If I use the system, I have to be authorized, or I’m breaking the law (as identified two sentences later–Unauthorized use is prohibited).
  3. So based on #2 above (authorized user). When I use that definition of authorized user in #1, the IRS isn’t accepting responsibility if I somehow happened to perform the following on another user’s information –  monitoring, interception, recording, reading, copying or capturing. (doesn’t exclude my accountability, but it certainly alleviates the IRS accountability)
  4. There is no right to privacy in this system“?
    1. Continue reading

Native TFTP and FTP Server in OSX

As a System Engineer, I do occasionally have to do real field work. When that happens, having access to a TFTP and FTP server is sometimes required. Although the [lack of] UI makes the use counterintuitive, these tools are available in OSX. This post includes the commands required to enable, confirm, and disable both TFTP and FTP in the native Mac environment.

TFTP Server

//load the TFTP daemon (typically starts automatically)
sudo launchctl load -F /System/Library/LaunchDaemons/tftp.plist

//confirm that TFTP is listening (netstat)
netstat -atp UDP | grep tftp
--output--
udp6       0      0  *.tftp                 *.*   //IPv6 Listening                         
udp4       0      0  *.tftp                 *.*   //IPv4 Listening     

//unload the TFTP daemon
sudo launchctl unload -F /System/Library/LaunchDaemons/tftp.plist

//confirm that TFTP is no longer listening (netstat)
netstat -atp UDP | grep tftp
--no output--

TFTP Caveats

  • Default Directory is /private/tftpboot
  • Copying a file from a device to the TFTP server requires it be “pre” created (Hint: sudo touch /private/tftpboot/<filename>)
  • File permissions typically need to be modified (Hint: sudo chmod 766 /private/tftpboot/*)
  • I just use my TFTP directory for transient file transfers

FTP Server

//load the FTP daemon (typically starts automatically)
sudo launchctl load -w /System/Library/LaunchDaemons/ftp.plist

//confirm that FTP is listening (netstat)
netstat  Continue reading

Forming a Local User Group

I just read a short post by Lindsay Hill titled Doing Community Programs Right. I think the points made are accurate and well-founded. Prior to working for Cisco, I was part of the “CLN Designated VIP Program”. I had the opportunity to connect with others in and around the industry. I think these online communities are great and there is a wealth of knowledge sharing that happens. During key conferences many of our paths cross and even more interesting conversations happen.

I’d personally like to bring some of those concepts into the local communities I work in. I think many of the same tenants would be important. I wouldn’t want a local group to be about any single vendor (even Cisco) or partner. It would be really interesting to just get a bunch of people together that wanted to share their technology challenges and how they are addressing them.

If you have started such a group, I’d love to hear what worked and what didn’t. Were you able to get attendance even in smaller or rural communities? Maybe you are located in Central Kentucky or East Tennessee and would like to work together in such an effort? If so, reach out to Continue reading

Verdict’s In, Size Does Matter…

I just wanted to take a moment and make a new podcast recommendation. This recommendation is the handiwork of several of our industry friends. The premise is around the unique use of technologies by small and medium business. This podcast should server as a good listen for everyone interested in SMB tech!

No related content found.

The post Verdict’s In, Size Does Matter… appeared first on PacketU.

Securing Your Connection Anywhere You Go

We all know that there are a lot of incomplete security models. Firesheep made this fact painfully obvious to those who regularly work from public hotspots. Although this issue extends beyond insecure wireless deployments, unencrypted hotspots are an easy target. When network traffic isn’t secured in the application layers AND that same traffic is not secured in the network or datalink layers, bad things can and do happen.

TLDR–This article solves this problem by utilizing a Meraki MX60 and the VPN client Native on OSX. To skip to the good stuff, click here.

One approach that some people decide to employ is utilizing a VPN connection for their Internet traffic when connected to untrusted networks. For years, enterprises have utilized these controls to allow secure access to corporate resources. A common trend to day includes utilizing “the cloud” for sensitive enterprise and personal data. While these systems *should* be appropriate resilient, we know that is not always the case. In addition to that, federated authentication schemes and password reuse can also pose additional risk to broken systems and less security conscious users.

Having easy access to some gear, I have been using a Meraki MX60 for a few months. This device makes the configuration Continue reading

Validation Testing Matters

A couple of weeks ago, a CLN Member Posted a question with the heading Does ASA drop active session.

The specific question was as follows–

I have a time based ACL configured on a Cisco ASA. I need to know if the active sessions are dropped by the ASA when the time limit is over.

For example, users are allowed to connect between 12 and 1 PM. If there are any active connections just before 1 PM then will they be dropped at 1 PM?

Many network and security administrators would blindly assume that a time-based ACL would block or allow traffic based on the time-range attached to the individual ACE. Having quite a lot of experience with the ASA, I was skeptical and assumed that any ongoing connections would continue to allow the flow of traffic. I decided to do a little testing and here is what I found.

  1. Viewing the ACL, the time based ACE (line in the ACL) switched from active to inactive about 60-70 seconds after I expected it to
  2. When testing with sessionized ICMP (fixup protocol icmp–to enable ICMP inspection), ICMP Echoes were blocked as soon as the ACE switched to inactive
  3. Testing with TCP, a connection through Continue reading

Risky Business #349

There’s nothing like taking a 12 hour road trip to help get caught up on podcasts. Even though I have a few more to go, I am feeling pretty accomplished with my progress.

One podcast episode jumped out at me as particularly interesting. This was the Risky Business 2014 [year] in review episode. This episode has the most interesting excerpts and commentary for breaches throughout this year. Have a listen by following the link below.

Risky Business #349 — 2014 in review | Risky Business

Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may not reflect the position of past, present or future employers.

Readers of this article may also enjoy:

  1. My Podcasts
  2. Cisco VIRL – The Virtual Internet Routing Lab
  3. Google and Cloudflare: Encrypting the WWW
  4. #WhoIS – My Newest Technical Podcast Recommendation
  5. Vulnerable OMA-DM Implementations and Over the Air Hacks

The post Risky Business #349 <– Wow, a LOT Happened in 2014 appeared first on PacketU.

Don’t Let Wireshark’s Assumptions Mislead Your Troubleshooting

In an effort to educate myself on the inner workings of WebEx, I recently looked at a session with Wireshark. Knowing that WebEx audio has the ability to use UDP or TCP, I wanted to isolate the protocol being employed in my configuration. I watched for a new stream of traffic as I enabled the audio portion of a meeting. I found that the audio was using UDP port 9000.

I next applied a filter to see only this traffic. What immediately jumped out at me was what appeared to be malformed and fragmented packets. I also noticed a lot of strange IP addresses like 1.0.0.0, 1.0.0.1, 0.0.0.30, 0.0.0.31 and so on.

WebExUDP9000Knowing that the audio was working perfectly, I could have easily concluded that my eyes were deceiving me. When I looked closer, I quickly realized that Wireshark was recognizing and decoding this as if the packets were Lawful Intercept.

Changing the Decode TypeDecodeAs

This is a common scenario and the solution is straightforward. In Wireshark, right-click any of the packets and choose Decode As…

TransportAt this point, a new window will appear. Make sure the Transport tab is selected then choose Do Continue reading

Merry Christmas to the PacketU Community

I wanted to take a moment to wish all PacketU readers a Merry Christmas and a Happy New Year. With that, I leave you with a short video clip of my son playing Silent Night at a church program last week. Longtime friends know that we had a pretty serious health scare with him 5 years ago and we count ourselves very blessed to have him in our lives.

No related content found.

The post Merry Christmas to the PacketU Community appeared first on PacketU.

My Podcasts

Since taking a new role at Cisco, my drive time is less consistent. As a result, finding opportunities to listen to podcasts is more of a challenge. Earlier this week, a road trip I took provided some time to start getting caught up on my listening. Using iCatcher allows me to easily tweet what I’m listening too. As a result of sharing what I listened to, I received some requests regarding the podcasts I listen to. I wanted to share this ever changing list with the PacketU community.

Technology Podcasts

  • Cisco Champion Radio
  • Cisco TAC Security Podcast Series
  • No Strings Attached Show
  • Packet Pushers Podcast
  • Risky Business
  • Software Gone Wild by ipSpace.net
  • The Class-C Block
  • The IPv6 Show
  • The Southern Fried Security Podcast
  • VUPaaS – Virtualization as a Service

Business and Leadership

  • Freakonomics Radio
  • Home Work
  • The EntreLeadership Podcast

Also beyond the technology focus of this audience, I often listen to Cold Case Christianity–a Christian Apologetics podcast and Focus on the Family–a faith based podcast focused on strengthening families.

I’m always looking for new sources for good information. If you have podcasts that you enjoy listening to, please share them by sending them to @packetu or commenting below.

Disclaimer: This Continue reading

Forming a Thought Process for Troubleshooting

Periodically, I get a message from someone asking for troubleshooting help. The most recent of these went something like the following (paraphrasing)–

I have the following routers, R1 through R5, and I cannot ping R5 from R1. Please tell me what the problem is.

In these cases, I could review the configuration or import them into my lab. Inevitably, that might solve the problem for the individual. However, it doesn’t really help the individual solve problems in the future. I prefer to try to help others think through the problem and reach the solution on their own.

R1throughR5

 

Given the symptom of R1 not being able to ping R5, what could that mean? My initial thoughts are–

  1. R1 isn’t producing packets destined to R5
  2. R5 isn’t producing packets destined to R1
  3. One of the routers between R1 and R5 doesn’t know how to reach R5
  4. One of the routers between R5 and R1 doesn’t know how to reach R1
  5. Traffic is being filtered somewhere along the way

The first step in troubleshooting this is to understand that there should be two flows being produced. The first flow is a series of echo requests from R1 to R5 and the other flow is a Continue reading

1 5 6 7 8 9