Friday, December 28, 2012

18.330 Introduction to Numerical Analysis (MIT)

On its, the MIT has published the new version of the undergraduate course 18.330 Introduction to Numerical Analysis, dated Spring 2012.

A good grasp of calculus, differential equations and linear algebra is required to fully enjoy it.

The topics covered are:
  • Series expansions: from calculus to computation
  • Integrals as sums and derivatives as differences
  • Interpolation, splines, and a second look at numerical calculus
  • Numerical methods for ODE, initial-value problems
  • Root finding, Newton's method, boundary-value problems
  • Fourier transform, Fourier series, Shannon sampling theory
  • Bandlimited interpolation, spectral methods
  • Least-squares approximation
  • Principal component analysis

Numerical Analysis is the underpinning of modeling and simulation, at the heart of modern physics and engineering fields.

Wednesday, December 26, 2012

Blogger's death stirs political hornet's nest in Iran

In Iran, like in any non-democratic country, criticizing the party in place can lead to serious troubles. However, reporters and citizens continue to bravely write about the lies and fallacies of officials. The result is often a tragic end, tortured and killed.

Sattar Beheshti is not different: he started a personal blog, which became more and more critical of Ayatollah Ali Khamenei, the controversial "supreme leader" of Iran. The idea of having a religious figure leading the country is already unsettling for me, and in many non-corrupt countries his past actions would make him a wanted criminal and a terrorist.

The apex was the criticism of a public speech given by the ayatollah (Persian version). Soon after, he was arrested and tortured, and his body was given back to his family. Iranian officials, prompted by the international community, investigated the death, fired a few people - probably for not being discreet enough - and concluded that the "intent" of his "treatment" was not to kill him.

I hope that the international community will, this time, react with all the needed severity, and flag all the members of the Iranian government as what they really are: murderers.

Monday, December 24, 2012

Cisco Security Part II - Security at the port level

2. Security at the port level

A switch is used to interconnect different devices: desktops, laptops, servers, printers, other switches and so forth. By granting access to a network, an administrator increases the likelihood of a security breach as well as the vulnerability landscape. Here are three actions that can be performed:

  • Connecting a non-approved device. Particularly nowadays with BYOD being the buzzword, the proliferation of personal devices that can be connected to the network has exploded.
  • Abuse of the port, for example by creating a trunk that allows a device to have access to networks not supposed to be accessed directly.
  • Injection of control frames into the network, for example modification of the spanning-tree topology.
Of course, there are many, many more possible attacks. However, the purpose of this document is not to enumerate everything known to mankind, as by the time this document hits the web, there will already be things to be added.

2.1 Trunk/access

When interconnecting two switches, the need to transmit frames that belong to different virtual LAN (VLAN) may arise. In order to do so, network device vendors came up with different solutions, such as ISL from Cisco. Later, the protocol to transmit multiple VLAN over a single physical connection was standardized by the IEEE as 802.1Q.

Trunking is also used in IP Telephony: the usual setup is to have the PC piggy-back on the phone, which acts as a small switch. The “normal” data traffic is sent and received as-is and the voice traffic is encapsulated within 802.1Q. This gives the ability to separate both traffics and to use additional fields in the 802.1Q header to prioritize the voice traffic over other forms of traffic.

However, if not restricted, this ability can also be a recipe for disaster. For example, if all the ports carry all the VLANs or have the ability to create a trunk, an attacker could leverage that to gain access to other networks by sending tagged frames back to the switch.

In Cisco terminology, a trunk is called a “trunk” port (obvious, isn’t it?) and a non-trunk port is called an “access” port. An access port won’t send any 802.1Q encapsulated frame to the connected device. In the receive direction, such a frame will be dropped.

In order to configure a port as an access or a trunk, the command "switchport" needs to be used within the interface:

interface GigabitEthernet 0/10
 switchport mode access

This will instruct the switch to treat the port Gi0/10 as an access port.

Once a port's mode has been set, further configuration is possible. For instance, if the port is an access port, the VLAN on which that port resides can be set with:

switchport access vlan 20

Likewise, a trunk port with native VLAN (defined later) 10 and with tagged VLAN 20 and 30 is configured with:

interface GigabitEthernet0/11
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30

The native VLAN on a trunk is the VLAN in which all the untagged frames received will be placed, and whose frames will be sent untagged. Numerous documents refer to the danger of the native VLAN in regard to VLAN hopping or the abuse of Q-in-Q. A good practice is to make sure the native VLAN of all your inter-switch trunks is not assigned to any user VLAN.

2.2 Negotiation of a trunk (DTP)

Cisco switches allow a trunk to be dynamically formed. This means that if you don't force the mode, the connected device can announce itself as a switch and negotiate a trunk. The protocol responsible for this is Dynamic Trunking Protocol or DTP.

With the mode forced to access, the negotiation is automatically stopped. If set to a trunk and if the negotiation is left on, the switch will use DTP to inform its peer it can form a trunk.

To disable the trunk negotiation, the command is

switchport nonegotiate

2.3 Spanning-tree

Spanning Tree is the protocol responsible for negotiating a loop-free topology, even if the physical infrastructure has loops, for example for redundancy. It works by electing a root switch, which will then send specific frames called BPDU (Bridge Protocol Data Unit) that all switches in the topology have to forward following certain rules.

Based on the BPDU and the port it was received on, each switch designates a port leading to the root, possibly through other switches, a set of ports that can be used by other connected switches to reach the root, and a set of blocked ports. The latter are ports the switch could use to reach the root, but with a higher cost.

These BPDUs have multiple roles: they can announce a better path to the root, they are used to hold the root election and they can influence the whole topology.

From what precedes, an attacker can abuse this protocol to either perform a DoS against the network, or forward all the traffic to a specific machine.

When designing a network, it is important to minimize the role of spanning-tree by using other techniques, such as bonding multiple interfaces into a single logical interface called a port-channel or an etherchannel.

When a port comes up, the default behavior is to wait for a certain amount of time, that depends on the version of spanning-tree used, to determine what the status of the port should be (root, designated, blocked). Cisco invented a mechanism to permit the port to start forwarding before that time, called "portfast".

With that came the risk of creating short network loops, until the port gets the first BPDU and adopts the relevant state.

2.3.1 bpduguard

Cisco developed a security feature to force a port to go immediately down if a BPDU is received. The BPDU will be dropped as well.

If a port is connected to a phone or a computer, there is no valid reason why a BPDU should be received. On the other hand, if a BPDU is received from a port connected to a user device, this could indicate:

  • an attempt to inject BPDUs into the network, regardless of the reason;
  • a temporary loop in the network due to incorrect network settings on a computer or a connectivity issue;
  • a replay of a previous network capture;
  • and possibly other reasons.
In such an event, a reasonable thing to do is to drop the port to the down state, to prevent further incidents. This is configured on a device interface with:

interface GigabitEthernet 0/12
 spanning-tree bpduguard enable

Upon reception of a BPDU on the port, the state will be err-disable. To correct this, the port needs to be reset (shutdown/no shutdown) or the error recovery mechanism needs to be activated. The latter is not recommended as it will put the port back in service, possibly allowing the activity to resume.

It is also worth noting that the default for this command has changed between IOS and NX-OS: a show configuration all will display these values.

2.3.2 bpdufilter

In situations where bpduguard is not welcome, for instance on uplinks to a provider, another mechanism exists: bpdufilter. Instead of shutting the port down, bpdufilter drops all BPDUs, incoming and outgoing. This has the side effect of splitting the spanning-tree domain in two.

In my past, I had to help an ISP configure it: his switch connected to his clients frequently had issues. It was found that on some occasions, the spanning-tree root role changed from his internal network to a client's.

However, it needs to be understood that, as spanning-tree is no longer working, topology loops in this situation have to be manually addressed, for instance in the form of a manual activation, or by using techniques that negate the need for spanning-tree, such as etherchannel, or unique VLANs with a L3 redundancy solution.

The configuration looks like bpduguard's:

interface GigabitEthernet0/12
 spanning-tree bpdufilter enable

2.3.3 portfast / port type edge

The spanning-tree protocol mandates that a port goes through various states before being able to forward traffic. During these states, no traffic is received or emitted besides BPDUs.

A way to speed that process is to declare the port as "portfast" or "type edge". It means that spanning-tree will take a shortcut in the states and be able to forward quickly after being turned on.

However, this has to be gauged: on the one hand, this means that a user device will have access to the network sooner, but on the other hand, it permits the creation of temporary loops - until the next BPDU is seen, the link will be up. As soon as a BPDU arrives on the port, the normal spanning-tree decision concerning the port role (root, designated etc) is taken and one end of the loop will be blocked.

An attacker could leverage this fact to create temporary, short-lived loops to disrupt the switch operations. If successful, this can create either a switch-wide or a topology-wide outage.

Other ways of dealing with the timers are possible: one could use rapid spanning-tree and shorten the timers from 2 seconds to 1 for the <Hello> BPDU - as more BPDUs are sent, the expected life of a loop is cut down, limiting the risk or the possibility of perpetrating such an attack. This, however, has to be evaluated as a shorter timer may also increase the risk of instabilities on the network: a transient frame drop on a link can result in flapping between that link and a backup link, possibly amplifying the problem.

2.4 Mac address learning on a port

The role of a switch is to build a table of what mac address resides on what port, and forward frames accordingly. This allows for point-to-point communications between two devices within the same VLAN, without impacting the other connected devices. A way of describing this is to state that the collision domain is limited to the port and the device connected to it.

Because the switch has to consult this table, which binds a MAC address to a port, for every frame, it is held in dedicated memory called CAM (Content Addressable Memory), a special type of memory which is in limited quantity in any device.

An attack of the "old days" was to generate many frames with random source MAC addresses. This caused the switch to learn these in its CAM, filling it to the point that no new entry could be created. Any new MAC would not be learned, and the switch would forward frames destined to these legitimate but unknown addresses by broadcasting them to all ports, transforming the switch into a hub and allowing an attacker to sniff the corresponding traffic.

2.4.1 Number of permitted mac addresses

The first line of defense offered by a switch is to limit the number of MAC addresses permitted on a given port - past that number, the switch will either drop the frame or even shut the port down. MAC address counting works with the VLAN ID included in the learning: the same address seen on the same port but on two different VLANs counts as two entries, one per VLAN. This is important to understand when using devices such as IP phones that may start in a VLAN and jump to a different VLAN afterwards.

The question now is: what about forgetting the known addresses? Should the switch keep them forever? Or forget these entries after a certain time?

2.4.2 Sticky Learning

In a static world, a machine is always connected to the same port, and thus the MAC address will always be seen on the same port. In that case, a sticky learning is possible, meaning that the switch will permanently - even across reboots - remember the association.

A nice - or annoying, it depends what your goals are - feature of this memorization is that if a MAC address known on a given port is seen somewhere else as source, the frame will be dropped and a security violation logged.

2.4.3 Aging considerations

However, the world is not static: laptops move from offices to meeting rooms, workstations are installed and reused and so forth. So the concept of sticky learning doesn't work well, or one needs an army of network administrators to prune the entries as machines are being moved.
Another possibility is to enforce a certain time after which the entry will be forgotten. This time is either an idle time (no frame exchanged for a certain period) or absolute (the address is removed even if traffic is seen, leading to a renewal of the learning if need be). 

2.4.4 Actions for violations

As said, the action can be the simple drop of the frame, the drop of the frame plus logging or even to shut the port completely down.

Deciding which one is a matter of policy and of the will to surface issues - if the only thing happening is the frame being dropped, the event may go unnoticed until a user complains about a problem. On the other hand, if the port is shut down, a visible trace of the event exists that can be investigated and acted upon.
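The behaviour described in 2.4.1 to 2.4.4, as an added example (a toy model written for this page, not Cisco code): entries are counted per (VLAN, MAC) pair, forgotten after an absolute or an idle time, and a violation is handled in one of three ways. The class, the function names and the addresses are made up; "protect" and "shutdown" are the IOS keywords for the silent drop and the port shutdown, next to the "restrict" used in the configurations of this article.

```python
class SecurePort:
    """Toy model of one switch port with port-security enabled."""

    def __init__(self, maximum=1, violation="restrict",
                 aging_minutes=None, aging_type="absolute"):
        self.maximum = maximum
        self.violation = violation          # "protect", "restrict" or "shutdown"
        self.aging_minutes = aging_minutes  # None: entries are never forgotten
        self.aging_type = aging_type        # "absolute" or "inactivity" (idle time)
        self.table = {}                     # (vlan, mac) -> [learned_at, last_seen]
        self.violations = 0
        self.log = []
        self.err_disabled = False

    def _age_out(self, now):
        if self.aging_minutes is None:
            return
        stamp = 1 if self.aging_type == "inactivity" else 0
        limit = self.aging_minutes * 60
        for key in [k for k, t in self.table.items() if now - t[stamp] >= limit]:
            del self.table[key]

    def receive(self, now, vlan, mac):
        """Handle the source address of one frame at time `now` (seconds).

        Returns True if the frame is forwarded, False if it is dropped.
        """
        if self.err_disabled:
            return False
        self._age_out(now)
        key = (vlan, mac.lower())           # the VLAN is part of the entry
        if key in self.table:
            self.table[key][1] = now
            return True
        if len(self.table) < self.maximum:
            self.table[key] = [now, now]
            return True
        if self.violation == "protect":     # drop, nothing recorded
            return False
        self.violations += 1                # restrict and shutdown leave a trace
        self.log.append(f"t={now}s violation: {mac} on vlan {vlan}")
        if self.violation == "shutdown":
            self.err_disabled = True
        return False


def phone_and_pc():
    """A phone seen in the data VLAN (10), then in the voice VLAN (50), plus a PC."""
    port = SecurePort(maximum=3)
    phone, pc = "00:00:5e:00:53:01", "00:00:5e:00:53:02"   # constructed addresses
    results = [port.receive(0, 10, phone), port.receive(5, 50, phone),
               port.receive(9, 10, pc)]
    results.append(port.receive(20, 10, "00:00:5e:00:53:03"))  # a fourth entry
    return results, len(port.table), port.violations


def many_sources(mode, count=1000):
    """`count` constructed source addresses arriving on a maximum-3 port."""
    port = SecurePort(maximum=3, violation=mode)
    forwarded = sum(
        port.receive(i, 10, f"02:00:00:00:{(i >> 8):02x}:{(i & 0xff):02x}")
        for i in range(count))
    return forwarded, len(port.table), port.violations, port.err_disabled


def aging(aging_type):
    """Machine A talks at 0 s, 200 s and 290 s; machine B shows up at 300 s."""
    port = SecurePort(maximum=1, aging_minutes=5, aging_type=aging_type)
    for t in (0, 200, 290):
        port.receive(t, 10, "00:00:5e:00:53:0a")
    return port.receive(300, 10, "00:00:5e:00:53:0b")


if __name__ == "__main__":
    print("phone + pc :", phone_and_pc())
    for mode in ("protect", "restrict", "shutdown"):
        print(f"{mode:9}  :", many_sources(mode))
    print("absolute   :", aging("absolute"), " inactivity:", aging("inactivity"))
```

The phone alone uses two of the three entries, and with "protect" the thousand unknown sources leave no counter or log entry at all.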

2.4.5 Putting it together 

Now, time to show some configurations. Basic port security, 3 MAC addresses, no sticky learning, drop-and-log upon violation, portfast and bpduguard, mac address forgotten after 5 minutes. 

This configuration is almost a "this is your average mileage": it will work okay in many situations.

interface gigabitEthernet 0/12
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging time 5
 spanning-tree portfast
 spanning-tree bpduguard enable
 [rest of the configuration]

Sticky learning, 2 MAC addresses, drop-and-log upon violation, portfast and bpduguard.

This could be used for a server. The first two mac addresses seen on the port are learnt.

interface gigabitEthernet 0/12
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 [rest of the configuration]

2.5 Recommended configurations

2.5.1 Workstation

We consider this machine to be installed at a desk, never to be moved, with no phone attached.

interface gigabitEthernet 0/12
 switchport mode access
 switchport access vlan XX
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport nonegotiate

2.5.2 Laptop/meeting room

That machine may be moved between ports.

interface gigabitEthernet 0/12
 switchport mode access
 switchport access vlan XX
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security aging time 5
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport nonegotiate

2.5.3 Phone with computer attached

The phone starts in a VLAN and moves to the new one (voice), workstation attached

Note: the phone negotiates its voice vlan using either CDP or LLDP, but this will not be discussed in this document.

interface gigabitEthernet 0/12
 switchport mode access
 switchport access vlan XX
 switchport voice vlan YY
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport nonegotiate

2.5.4 Server / router

This assumes that there is no virtual or cluster IP.

interface gigabitEthernet 0/12
 switchport mode access
 switchport access vlan XX
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport nonegotiate

2.5.5 Network provider / external party

interface gigabitEthernet 0/12
 switchport mode access
 switchport access vlan XX
 switchport port-security
 spanning-tree portfast
 spanning-tree bpdufilter enable
 switchport nonegotiate
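
One way to check a saved configuration against the recommendations of 2.1 to 2.5, as an added example (not part of the original article and not a Cisco tool): it parses the interface blocks and reports which of the recommended lines are missing. The sample configuration is constructed, the function names are made up, every interface in the input is assumed to be a layer-2 switch port, and "user VLAN" is taken to mean any VLAN used as an access or voice VLAN in the same file.

```python
import re

# Lines section 2.5 puts on every access port, and the finding reported when
# one is missing (section numbers refer to this article).
ACCESS_REQUIRED = {
    "switchport mode access": "mode not forced to access (2.1)",
    "switchport nonegotiate": "DTP negotiation not disabled (2.2)",
    "switchport port-security": "port-security not enabled (2.4)",
}
BPDU_PROTECTION = {"spanning-tree bpduguard enable",
                   "spanning-tree bpdufilter enable"}

# Constructed sample, not taken from a real device.
SAMPLE_CONFIG = """
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport access vlan 20
 spanning-tree portfast
!
interface GigabitEthernet0/3
 switchport mode trunk
 switchport trunk native vlan 20
!
interface gigabitEthernet 0/4
 switchport mode access
 switchport access vlan 30
 switchport port-security
 spanning-tree portfast
 spanning-tree bpdufilter enable
 switchport nonegotiate
"""


def parse_interfaces(config_text):
    """Return {interface name: [normalized sub-commands]}."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = " ".join(raw.split()).lower()
        if raw[:1] != " " and line.startswith("interface "):
            current = line[len("interface "):].replace(" ", "")
            interfaces[current] = []
        elif raw[:1] == " " and line and current is not None:
            interfaces[current].append(line)
        elif line:                      # "!" or any other top-level line
            current = None
    return interfaces


def user_vlans(interfaces):
    """VLAN IDs used as access or voice VLAN anywhere in the configuration."""
    vlans = set()
    for cmds in interfaces.values():
        for cmd in cmds:
            m = re.fullmatch(r"switchport (?:access|voice) vlan (\d+)", cmd)
            if m:
                vlans.add(int(m.group(1)))
    return vlans


def audit_interface(cmds, user_vlan_ids):
    findings = []
    if "switchport mode trunk" in cmds:
        if "switchport nonegotiate" not in cmds:
            findings.append("DTP negotiation not disabled (2.2)")
        if not any(c.startswith("switchport trunk allowed vlan ") for c in cmds):
            findings.append("trunk carries all VLANs (2.1)")
        native = 1                      # native VLAN when none is configured
        for cmd in cmds:
            m = re.fullmatch(r"switchport trunk native vlan (\d+)", cmd)
            if m:
                native = int(m.group(1))
        if native in user_vlan_ids:
            findings.append(f"native VLAN {native} is also a user VLAN (2.1)")
        return findings
    for line, finding in ACCESS_REQUIRED.items():
        if line not in cmds:
            findings.append(finding)
    if not BPDU_PROTECTION & set(cmds):
        findings.append("neither bpduguard nor bpdufilter enabled (2.3)")
    return findings


def audit_config(config_text):
    interfaces = parse_interfaces(config_text)
    vlans = user_vlans(interfaces)
    return {name: audit_interface(cmds, vlans)
            for name, cmds in interfaces.items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "->", "; ".join(findings) if findings else "OK")
```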

Friday, December 21, 2012

Data breach: Beware of the side channels

Let's start with the news that prompted this entry: "Swiss spy agency warns U.S., Britain about huge data leak" on Reuters.

A side-channel is a way of transferring data that is "out of the usual path". In today's world of e-mail, Google Drive, Dropbox and Microsoft SkyDrive, a USB thumb drive looks like yesterday's jam. A modern hard drive can store 3TB, enough to store approximately 125,000 A4 pages scanned in high resolution. That's quite a lot of secrets ...

This is not, however, the only way of taking data off of a secret network: what about printouts? Or screen hardcopies? Taking a picture of the screen? Even memorizing documents?

Controlling side channels is not easy: it would be impractical to ask each and every employee to strip down and change clothes before entering the data sensitive areas, and even so: there are possible ways out. (No pun intended)

That's where data sensitive agencies need to put statistical controls in place: is it normal that employee A accessed around 1 million documents ranging from 2000 to 2012? Or that employee B has accessed a certain document 20 times during the last week, but is not supposed to be working on that case?

Behavioral statistics can also indicate a change in a person: arrival and departure times, repetition of late lunches and so forth can help track someone whose habits have changed either abruptly or over time.

Wednesday, December 19, 2012

Data Breach Avoided By Encryption

Once in a while, there is a piece of news that doesn't make me feel like IT Security is hopeless.

Rossendale's Rising Bridge Business and Enterprise Village was the victim of a burglary: as yet unidentified thieves entered the newly built premises and stole computer equipment, including several laptops, containing data about vulnerable children.

However, and to the credit of the staff, these were encrypted and the data is most likely not accessible: the community is down for its money, but won't have to explain to anxious parents why their children are now at risk of being abducted or falling victim to identity theft.

Again: kudos to the staff for implementing disk encryption.

Even for a personal laptop, disk encryption is important: everything done is stored and there could be information about various accounts (think "Google", "Facebook", "Amazon") that can be leveraged to steal hard money.

Monday, December 17, 2012

Microbial life at -13C

Was Arthur C. Clarke right in his 2010: Odyssey 2? Biologists have found a life form that thrives in a cold sealed lake that would be toxic for us.

Friday, December 14, 2012

They Cracked This 250-Year-Old Code, and Found a Secret Society Inside

This is a really cool article - a linguistic tool was used to decipher a 250-year-old code from a secret society.

The tool, actually a translation tool, works by considering that the input is a "code" to be broken - it makes hypotheses on the meaning of input symbols and checks whether the deciphering looks legit in the destination language, based on rules such as grammar, word frequency or word sequences. For some fun with the latter, visit Google Ngram Viewer. People interested in the underlying theory will find a good approach in chapter 22 of Russell & Norvig's "Artificial Intelligence: A Modern Approach".

Wednesday, December 12, 2012

Forensic report on SCDOR breach

Mandiant helped the South Carolina Department of Revenue with an incident response. The executive summary can be found here.

While this is not the first government network to be breached, nor the last one, this is worth reading. I hope the longer, more detailed report will be posted as there are some open questions I have regarding the phishing attack, the types of traffic seen and the general sophistication of the overall attack.

The SCDoR was informed by an unnamed agency of the potential breach, at which point Mandiant was engaged.

A few interesting and salient points:
August 13, 2012: A malicious (phishing) email was sent to multiple Department of Revenue employees. At least one Department of Revenue user clicked on the embedded link, unwittingly executed malware, and became compromised. The malware likely stole the user’s username and password. This theory is based on other facts discovered during the investigation; however, Mandiant was unable to conclusively determine if this is how the user’s credentials were obtained by the attacker.
The original intrusion was done through a phishing e-mail. From my personal observation, some campaigns are currently being executed, with a level of sophistication that's quite impressive: I helped with a case recently in which the initial e-mail presented a lot of characteristics of a company's internal communications.

August 27, 2012: The attacker logged into the remote access service (Citrix) using legitimate Department of Revenue user credentials. The credentials used belonged to one of the users who had received and opened the malicious email on August 13, 2012. The attacker used the Citrix portal to log into the user’s workstation and then leveraged the user’s access rights to access other Department of Revenue systems and databases with the user’s credentials.
The remote access was defeated by the lack of one-time password authentication.

September 1, 2012: The attacker executed a utility to obtain user account passwords for all Windows user accounts. The attacker also installed malicious software (“backdoor”) on one server.
This usually requires administrator privileges. Unfortunately, the exec report doesn't mention whether the attacker got these from the user he hacked into or if he ran an exploit to elevate his privileges.

The attacker compressed the database backup files into fourteen (of the fifteen total) encrypted 7-zip archives. The attacker then moved the 7-zip archives from the database server to another server and sent the data to a system on the Internet. The attacker then deleted the backup files and 7-zip archives.
A database or backup server containing valuable information - at least valuable enough to be dumped and sent outside - was leapfrogged onto. It also had access back to other systems.

Overall, it took a bit more than 2 months to detect the attack and start the incident response process. No less than 514 server interactions were counted from the report. Some good practices were apparently not followed:

  • Outside systems should not use the internal authentication to allow access - So if you are using Active Directory, use something else to authenticate your remote access/VPN/Citrix, such as RSA Authentication Manager or One-Time Password;
  • Database and Backup servers need to be strictly isolated and not reachable BUT from a few selected networks, on a few, selected ports/applications;
  • In Windows Domains, all static passwords with elevated privileges _have to be_ strictly longer than 14 characters: even in the latest incarnations of the Microsoft Operating Systems, NT-LM is still in use [see below].
To the SCDoR's credit, part of the information was encrypted and is most likely to be useless to the attacker.

Microsoft Windows OS still stores passwords in two forms:
  • The weak NT LanMan (NTLM), which is limited to a maximum of 14 characters, and splits them into two strings of 7 bytes;
  • The relatively stronger MD4, which encrypts passwords of all lengths.

It is important to realize that none of these use salts, making the use of Rainbow Tables very efficient.

Cracking the NTLM, even for a password of 14 characters is a matter of a few hours. If your administrative users have passwords of length 14 or shorter, your whole network can be compromised in less than a few days.

Monday, December 10, 2012

Fedora 17, Google Chrome and Citrix

Until recently, I have been using Firefox when I had to connect to a Citrix Desktop presented through HTTPS (CAG or other). Not anymore. I can now use my favorite Google Chrome.

In your home directory, go to .local/share/applications. Add a file - I will call it ica.desktop - containing:

[Desktop Entry]
Name=Citrix ICA Viewer
GenericName=Citrix ICA Viewer
Comment=Access to Citrix Desktop

The Exec line should reflect where your binary is installed. Now, modify mimeapps.list and add the line


Under [Added Associations].

Voila! Next time you will connect to a Citrix server through HTTP/HTTPS, it will automatically open the Citrix Viewer on your machine.


Friday, December 7, 2012

Mathematical proof reveals magic of Ramanujan's genius

A cool article on the Indian mathematical genius Srinivasa Ramanujan. It seems some of his contributions could lead to a better understanding of black holes, a celestial body not even known during his time.

Wednesday, December 5, 2012

CSO: 4 factors for avoiding cyber espionage attacks

A few pointers (nothing that will blow your mind though) on how to prevent a cyber espionage attack.

Monday, December 3, 2012

Dr Coole's scary stories

An interesting article from Dr. Eric Coole, three cases that will curdle your blood. The first one is about an APT attack, the last two about full disk encryption failure.

Enjoy the reading!

Friday, November 30, 2012

Solving Sudoku with Python

Probably not the most exciting thing for the common people, but I love to solve Sudokus. And after going through a few books, I asked how I would solve them using a python script.

First, I had to learn Python. Approaching the language is really easy, but I suspect that mastering it is a different story. Anyways, after a few hours of practice, I was able to run a few things.

Now solving the sudokus. I basically took a number of different grids and started looking not at the resolution, but at the process behind the resolution. I found I use four techniques.

  1. Pruning - that's the basic: if a value is known, remove that from the possibilities for each cell on the same row, column and square.
  2. Only occurrence finding - in a line, it may occur that a single cell can contain a given digit. For example, if in a line you need a 2, a 4 and a 5, and the first cell allows [2,4], the second [2,4,5] and the third [2,4], 5 goes into the second.
  3. Values in a row (or column) - in a square, it may happen that 1 or more values are on a single row (resp. column), which means that that or these values can be removed from the same line (resp. column) on the square-line (resp. square column).
  4. Pair pruning - if two cells contain a pair of values that appear only in these two cells plus additional values that also appear on other cells, the other values can be removed. 

So far, I was able to solve all the grids I could lay my hands on. If you have a grid (okay, let's specify a grid that can be solved!) that defeats my script, feel free to send it.

How to use it?

There is nothing fancy: it's a CLI script (as of now). Download the two files from my repository, and in the same folder, type at the prompt "python", then:

import sudoku as s
A=['...1...6.', '5.9.....7', '.....3..5', '...58.7..', '13..7..54', '..7.42...', '6..8.....', '9.....6.2', '.8...9...']
s.solvesudoku(A)

solvesudoku() takes a list containing 9 strings each of 9 characters. Each non digit or null digit character is treated as an unknown cell in the grid.

It will solve the following grid:

|       | 1     |   6   |
| 5   9 |       |     7 |
|       |     3 |     5 |
|       | 5 8   | 7     |
| 1 3   |   7   |   5 4 |
|     7 |   4 2 |       |
| 6     | 8     |       |
| 9     |       | 6   2 |
|   8   |     9 |       |
And it will return the solution:

| 3 2 4 | 1 5 7 | 9 6 8 |
| 5 1 9 | 2 6 8 | 3 4 7 |
| 7 6 8 | 4 9 3 | 2 1 5 |
| 4 9 6 | 5 8 1 | 7 2 3 |
| 1 3 2 | 9 7 6 | 8 5 4 |
| 8 5 7 | 3 4 2 | 1 9 6 |
| 6 7 1 | 8 2 4 | 5 3 9 |
| 9 4 3 | 7 1 5 | 6 8 2 |
| 2 8 5 | 6 3 9 | 4 7 1 |
The function solvesudoku() returns True if the grid has been solved and False otherwise: cannot solve, not enough lines or characters and so forth.

Have fun!
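
Techniques 1 and 2 from the list above, written out as an added example (this is not the script from the repository mentioned in the post, and all function names are made up here). It goes slightly beyond the text by applying the only-occurrence rule to rows, columns and squares alike, and it returns the remaining candidates for every cell rather than a solved/unsolved flag, since these two techniques alone are not guaranteed to finish a grid.

```python
ROWS = [[(r, c) for c in range(9)] for r in range(9)]
COLS = [[(r, c) for r in range(9)] for c in range(9)]
BOXES = [[(r, c) for r in range(br, br + 3) for c in range(bc, bc + 3)]
         for br in (0, 3, 6) for bc in (0, 3, 6)]
UNITS = ROWS + COLS + BOXES

# The grid given in the post.
PAGE_GRID = ['...1...6.', '5.9.....7', '.....3..5', '...58.7..', '13..7..54',
             '..7.42...', '6..8.....', '9.....6.2', '.8...9...']


def parse(grid):
    """9 strings of 9 characters -> {cell: set of candidate digits}."""
    if len(grid) != 9 or any(len(row) != 9 for row in grid):
        raise ValueError("expected 9 strings of 9 characters")
    cands = {}
    for r, row in enumerate(grid):
        for c, ch in enumerate(row):
            # Anything that is not 1-9 (including 0) is an unknown cell.
            cands[(r, c)] = {int(ch)} if ch in "123456789" else set(range(1, 10))
    return cands


def prune(cands, units=UNITS):
    """Technique 1: a known value is removed from every other cell of its units."""
    changed = False
    for unit in units:
        for cell in unit:
            if len(cands[cell]) == 1:
                (value,) = cands[cell]
                for other in unit:
                    if other != cell and value in cands[other]:
                        cands[other].discard(value)
                        changed = True
    return changed


def only_occurrence(cands, units=UNITS):
    """Technique 2: a digit that fits in a single cell of a unit goes there."""
    changed = False
    for unit in units:
        for digit in range(1, 10):
            homes = [cell for cell in unit if digit in cands[cell]]
            if len(homes) == 1 and len(cands[homes[0]]) > 1:
                cands[homes[0]] = {digit}
                changed = True
    return changed


def propagate(grid):
    """Apply both techniques until neither removes a candidate."""
    cands = parse(grid)
    while prune(cands) or only_occurrence(cands):
        pass
    return cands


def solved_cells(cands):
    return sum(1 for values in cands.values() if len(values) == 1)


if __name__ == "__main__":
    result = propagate(PAGE_GRID)
    print(f"{solved_cells(result)} of 81 cells fixed by techniques 1 and 2")
```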

Wednesday, November 28, 2012

NASA to encrypt its data after last laptop loss

It is about time! NASA decided to encrypt the hard drive of its laptops containing sensitive information such as the "international sale or transport of weapons, nuclear equipment or other materials that fall under the US's export administration regulations", "information about NASA's human resources" or "other sensitive but unclassified data".

Given that any laptop contains a lot of private information, I would suggest that ALL laptops have their hard drive encrypted: the technology is present - usually for free - in most of the modern operating systems. This will prevent a laptop loss becoming a security nightmare: even if there is no actual sensitive document on the laptop, the browser cache, page file, e-mail store and cached credentials can provide a lot to an attacker.

I even suggest that everybody's laptop and mobile device be encrypted: better regret the loss of your precious tablet than regret the loss of your precious tablet AND of all your money on your bank account.

Under Windows 7, that's BitLocker, Mac OS X has FileVault and Linux offers ecryptfs. You may also look into Bruce Schneier's TrueCrypt. And if it's not enough, some vendors have commercial offerings.

But beware: encrypting your disk is only part of the solution. In no way is it a silver bullet that will solve all your security problems.

Monday, November 26, 2012

Steelie Neelie admits laptop hack during IGF

Okay, so what was Neelie Kroes thinking? I think it is common sense that if you are catalogued as an activist or at least as advocating freedom of speech and you go to a country with a record of violation of that fundamental right, things are going to happen.

Chinese agents were known to get into foreigners' hotel rooms to hack into computers, but in no way is this limited to that country. It seems Azerbaijan is now on the list too. However, Mrs. Kroes should have been smarter and suggested that her advisers not take work or personal laptops, but "one-use" laptops that would contain no other data or software than what was needed for the forum and that would have been forensically analyzed after the trip back.

That kind of problem is not new and will get worse in the future.

My favorite part from the article is the Azerbaijani reply of "open a complaint with us and we will investigate." No comment on that one.

Friday, November 23, 2012

Swarm Robots Cooperate with AR Drone

This is really top cool! The principle behind the election is simple but elegant. And I can see a ton of applications in SAR missions, with a drone that has a global view of the terrain, while rescuer bots can evolve and negotiate obstacles.


Wednesday, November 21, 2012

Australia's biggest Telco sold Routers with hardcoded Password

Talking of an epic fail ... this article on Slashdot:
"Hardcoded usernames and passwords have been discovered in a recent line of Telstra broadband routers that allow attackers access to customer networks. The flaws meant customer unique passwords could be bypassed to access the device administrative console and LAN."
The security researcher Roberto Paleari found that vulnerability and informed BigPond's technical support. However, due to the lack of response, he made it public on October 12, 2012. 

The sad thing is that we are trying to educate basic users about security, to not open anything they get in e-mails, to choose decent passwords and to keep their systems up-to-date, only to end up with a supposedly knowledgeable ISP making that kind of major screw-up.

In this case, no matter how complex the user password is, that hardcoded one can be used to get into the customer's router, giving a hostile party access to the customer's network and computers.

My question: if someone is accused of piracy, I wonder whether BigPond may get some heat and be considered as responsible for all the damages.

Monday, November 19, 2012

Astrophysicists spot the earliest galaxy yet

Very interesting: astrophysicists from the Hubble Team used the massive galaxy cluster MACSJ0647.7+7015 as a gravitational lens to detect a very early galaxy. This hit the jackpot and the team got a glimpse at the earliest galaxy yet, which appeared a mere 425 million years after the Big Bang.

You may find the official paper from the Hubble Team here.

Friday, November 16, 2012

zBox4 Construction: a supercomputer in 24 hours

What happens when you have a herd of turbonerds, 24 hours and the need to crunch lots of numbers? You get a cool video of a number crunching cluster being built!

The Institute for Theoretical Physics in Zurich needed an upgrade to the existing zBox cluster and the decision was taken to build the zBox4. Several details on the construction can be found here.

This monstrous beast is running Scientific Linux, a distribution oriented towards labs and universities and specially designed for clusters. With a theoretical value of 282 GFLOPS per CPU, this has a peak performance around 108 Teraflops, an impressive number that would be a candidate for the top500 list.

Wednesday, November 14, 2012

Security Talks on Youtube

Believe it or not, there are plenty of super interesting talks on Youtube. As one of my favorite topics is computer security - and more precisely network security - I created a playlist with these talks.

Feel free to comment or contact me if you know of any good talks on Youtube in that domain.

Monday, November 12, 2012

Slashdot post: how to deal with a DDoS attack?

A Slashdot reader posted an article about an attack his company recently suffered. The summary is a criminal from Lebanon contacted him asking for a "fee" not to attack, the company initially said no and was taken offline by a DDoS, the company paid and the attack ceased.

A DDoS is an attack aimed at exhausting a resource: a compute resource (CPU, memory, HDD space) or a network resource (router/firewall CPU or memory, number of sessions, bandwidth). The most important thing is to understand what your systems are vulnerable to.

For instance, an attacker could perform a DDoS of an application by requesting abnormally long calculations in a loop, let's say computing pi to the 20 billionth decimal. If the system has at its heart only a single application server, it may be busy processing the request while delaying all the other queries. In the same way, the attacker could also request something that's abnormally large, for example generating a picture that is 10 million by 10 million pixels.

The most important thing is to know what you can act upon and what you can't: there are things you can change - the architecture of the applications, the way parameters are validated, whether you distribute the front-end load across multiple servers and so forth - and things you can't change: the number of sessions coming from the Internet and the rate at which they come in. For the latter, it is important to understand what your business is, who you are doing business with and what level of degradation/loss of service you accept: an American company may consider that dropping all requests from South America, Africa and Asia is acceptable if this helps maintain its business with the USA, and thus may negotiate with its provider that, upon request, an ACL is applied that lets through only the networks assigned to ARIN and RIPE. Other companies may find this unacceptable and will have to find other solutions, such as geo-location for the access to the application.
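The two levers described above, sketched as an added example (not code from the Slashdot post or from this blog): refuse a request whose parameters would be abnormally expensive before any work starts and, when a degraded mode is switched on, serve only the source networks the business has chosen to keep. The budgets, the `admit` function and the documentation prefixes standing in for real allocations are assumptions.

```python
import ipaddress

# Constructed values: documentation prefixes stand in for the networks the
# business keeps serving under attack; the budgets are assumptions.
DEGRADED_ALLOW = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]
MAX_PIXELS = 4096 * 4096
MAX_PI_DIGITS = 10_000


def source_allowed(src, degraded):
    """In normal operation every source is served; in degraded mode only
    sources inside the pre-agreed networks are."""
    if not degraded:
        return True
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in DEGRADED_ALLOW)


def admit(request, degraded=False):
    """Decide (accepted, reason) from the parameters alone, before any
    CPU or memory is spent on the request."""
    try:
        if not source_allowed(request["src"], degraded):
            return False, "source not served in degraded mode"
        kind = request["kind"]
        if kind == "image":
            width, height = int(request["width"]), int(request["height"])
            if width <= 0 or height <= 0 or width * height > MAX_PIXELS:
                return False, "image size over budget"
        elif kind == "pi":
            if not 0 < int(request["digits"]) <= MAX_PI_DIGITS:
                return False, "digit count over budget"
        else:
            return False, "unknown request kind"
    except (KeyError, ValueError, TypeError):
        return False, "malformed parameters"
    return True, "ok"
```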

Sunday, November 11, 2012

Iran Parliament to investigate death of Blogger during his detention

It is important to keep saying that in certain countries, using one's right to free speech may be punished by death or a lengthy jail time.  

Sattar Beheshti was arrested because of his criticisms toward the corrupt and non democratic government of Iran. He was arrested on 10/30 and he never left custody alive. 

The Iranian Parliament has ordered an investigation of that accident. Too little, too late. And one may be suspicious of what that "investigation" will come up with in a country where arbitrary arrests, vanishing prisoners and violations of basic human rights are everyday facts.

Here is the full article on Reuters.

Friday, November 9, 2012

Adobe Reader 0-day exploit sold for $50,000

Talking of commoditizing IT, here is something that gets it full swing: Adobe Reader 0-day exploit sold for $50,000. More and more, that kind of stunt will appear, with rogue security researchers selling these. My question is: how long before we see underground auctions for 0-days?

Also, don't miss this video of the exploit being run.

Thursday, November 8, 2012

"You received a voice mail" leads to malware

I have a few colleagues who got an e-mail with a page saying "You received a voice mail", followed by a link pretending to be a wave file.

The first link leads to a page with a table of three items on different servers, called js.js. These are basic redirectors. Out of the three, only two work, and they return the exact same javascript code: a redirection to a PHP page on a website.

That second URL returns a massive obfuscated Javascript. The author took some time to do the work correctly: a few tautologies such as "if(document.body) {}" and others add some weight, and certain function names are split into different string variables, pieced together and eval'd into other variables to be used as functions. And that's only the decoding portion.

A massive i tag contains 112 attributes, all identified by integers. In the HTML code, they are not in order, but the code re-orders everything and builds a large string, which is passed to a second function whose role is to:

  • if the first character of the current pair of character is "=", go to the next pair;
  • decode the value as a base-23 integer, convert into a character and add it to the decoded string.   
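For static analysis, the same two steps can be reproduced outside the browser. The following is an added example, not the script from the sample: it reads "go to the next pair" as "skip this pair", and the tag in `SAMPLE_TAG` is constructed to hide the harmless string "hello".

```python
import re

# Numbered attributes of the carrier tag, e.g. 12="4c49..."
ATTR_RE = re.compile(r'\b(\d+)="([^"]*)"')


def reassemble(i_tag):
    """Concatenate the attribute values in numeric order, whatever order
    they appear in inside the HTML."""
    attrs = {int(name): value for name, value in ATTR_RE.findall(i_tag)}
    return "".join(attrs[key] for key in sorted(attrs))


def decode_pairs(blob, base=23):
    """Walk the blob two characters at a time: a pair starting with '='
    is filler and is skipped, any other pair is a base-23 integer that
    is turned into one character. A pair that is not valid base-23
    raises ValueError, which tells the analyst the layout guess is off."""
    out = []
    for pos in range(0, len(blob) - 1, 2):
        pair = blob[pos:pos + 2]
        if pair[0] == "=":
            continue
        out.append(chr(int(pair, base)))
    return "".join(out)


# Constructed sample: three out-of-order attributes with two filler pairs
SAMPLE_TAG = '<i 2="4g4j" 0="4c=z" 1="49=q4g"></i>'

if __name__ == "__main__":
    print(decode_pairs(reassemble(SAMPLE_TAG)))
```

Decoding this way yields the second-stage script as text, so it can be read without ever being evaluated.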

The result is another javascript script which is evaluated. Its exact role is not yet known, but here are a few notes:

  • it detects the OS and browser;
  • it searches for a number of Adobe, MS DOMXML and other plugins and gets the versions;
  • there is a mention of a PDF file in the code;
  • two URLs are mentioned, one was taken down already and was used to download a file called "update_flash_player.exe", confirming that it may be trying to exploit some flash vulnerabilities, the other one was still live at the moment of the analysis and was used to serve an executable (Info on VirusTotal). Yesterday at around 6PM EST, the detection rate was 4/44.

Once that object was executed, it contacted a forum, then attempted a download from three different sites, which returned the same executable. My only guess at this time is the author planned for some redundancy should some of the sites be taken down. The additional download was also submitted to VirusTotal (info). As of yesterday, around the same time, the detection rate was 6/44.

When executed, these additional downloads did nothing during the analysis period. They may be dormant or waiting for some condition to be met.

The analysis continues!

Wednesday, November 7, 2012

On not proving the twin prime conjecture with AutoCAD

A nice hack with AutoCAD on visualizing prime numbers.

On not proving the twin prime conjecture with AutoCAD:

As an HVAC engineer by trade, [Carlos Paris] spends a lot of time in AutoCAD designing all those hidden pipes, tubes, and ducts hidden in a building’s rafters. One day, [Carlos] read of an open contest – the prize was over a million dollars – to generate a prime number with a billion digits. [Carlos] misheard this as, ‘a prime number greater than one billion’ and of course said this was a trivially easy task and opened up his favorite tool – AutoCAD – in an effort to discover the largest prime ever. [Carlos] never generated a remarkably large prime, but he did come up with a very, very cool visualization of prime numbers on a number line, as well as a great justification of the twin prime conjecture, a problem in mathematics that has remained unsolved for several generations.
[Carlos] started his investigations into the properties of prime numbers by drawing a series of circles on a number line in AutoCAD. These circles were of diameters of all the integers, and going down the number line, these circles started to have an interesting, chaotic pattern (see above picture). [Carlos] found that whenever two circles intersected, that position was a prime number. It’s really nothing more than a Sieve of Eratosthenes, but it’s a very cool-looking visualization nonetheless.
Looking deeper into his graph, [Carlos] discovered there were certain primes that had another prime number just two places down the number line. For example, the numbers 3 and 5, 29 and 31, and 41 and 43 are twin primes, as the difference between the primes is only 2. The idea there are infinitely many twin primes is a famous unsolved problem in mathematics – it’s obvious it must be true, but no mathematician has yet come up with a proof of this conjecture.
[Carlos] looked at his number line and simplified it to a generic prime number. By taking a generic number line and overlaying the multiples of other prime numbers on this graph, [Carlos] had a very, very clever way of understanding exactly how twin primes come into existence.
In the end, [Carlos] is no closer to proving the twin prime conjecture than anyone else. We’ve got to hand it to him, though, for nerding out with an engineer’s favorite tool – AutoCAD – and managing to derive some fairly obscure mathematics on his own.
After the break you can see [Carlos]’s videos describing the thought process that went into his creation. Very, very cool work.

Monday, November 5, 2012

A cool article on Oliver Heaviside

Most of us know Oliver Heaviside through the function that bears his name. There is a nice article on the man behind that function on Physics Today.

Saturday, November 3, 2012

Discrete FPGA will probably win the 7400 logic competition

This is a mega hack!

Discrete FPGA will probably win the 7400 logic competition:

For this year’s 7400 logic competition, [Nick] decided to build an FPGA out of logic chips.
Perhaps a short explanation is in order to fully appreciate [Nick]‘s work. The basic component of an FPGA is a slice, or cell, that performs boolean operations on its input and sends the result on its output. The core of these slices is a lookup table – basically a truth table that stores the result of every possible input combination.
One very easy way to implement a lookup table is to use a RAM or EEPROM chip. By tying the address lines of an EEPROM to the input and the data lines to the output, it’s possible to create a single slice of an FPGA very easily.
Unfortunately for [Nick], 74-series memories have long been out of production. There is another option open, though: shift registers. A shift register is basically an 8-bit memory chip with parallel inputs, so combining a shift register with an 8-input multiplexer is a very simple way to implement a 3-input, 1-output FPGA slice.
After figuring out how to tie these slices to bus lines, [Nick] needed a way to program them. Verilog or VHDL would border on insanity, so he wrote his own hardware description language. It’s certainly not as powerful or capable as the mainstream solutions to programming an FPGA, but it’s more than enough.
In the video after the break, you can see [Nick]‘s overview of his very large 8-slice FPGA while he runs a combination lock and PWM program. All the code, schematics, and board layout are up on [Nick]‘s git if you’d like to build your own.


Tuesday, October 23, 2012

Exploring the Mandelbrot set in real time

This is truly a beautiful hack! From Hack-a-day.

Exploring the Mandelbrot set in real time:

The Mandelbrot set – the fractal ‘snowman turned on its side’ seen above – has graced the covers of magazines, journals, and has even been exhibited in art galleries. An impressive feat for what is nothing more than a mathematical function, and has become something of an obsession for [Chiaki Nakajima].

Even on modern computers, generating an image of a portion of the Mandelbrot set takes a good bit of time. When [Chiaki] discovered this fractal in the mid-1980s, the computers of the day took hours to generate a single, low-resolution image. Real-time zooming and scrolling was impossible but [Chiaki] made the best of what he had on hand and built Pyxis, a Mandelbrot set generator made entirely out of TTL logic chips (Google Translate here).

The original Pyxis connected to a desktop computer via a breakout box, while a special program toggled the bits and registers inside the Pyxis to generate pictures of the Mandelbrot set a thousand times faster than the CPUs of the day could muster.

Time marches on, and the original logic chip Pyxis can be easily surpassed by even the slowest netbooks. There is, however, another way to build a hardware Mandelbrot set generator: FPGAs.
A few years ago, [Chiaki] began work on the Pyxis2010 (translation), an FPGA-based Mandelbrot set generator able to dynamically zoom and pan around the world’s most popular fractal. Built around an Altera Cyclone III FPGA he picked up from Digikey for $600 (no, not a dev board, just a bare chip), [Chiaki] began deadbugging his circuit directly onto the pins of the hugely expensive FPGA. A man with a steady hand and no fear if there ever was one.

Instead of connecting his Mandelbrot generator to a computer and using it as a co-processor, [Chiaki] decided he wanted something more portable. He found an old Sony PSP, removed the LCD screen, and integrated it into his circuit. After a careful bit of dremeling and fabrication, [Chiaki] had a hand-held Mandelbrot generator that is able to display images of the world’s most famous fractal faster than any desktop computer.

It goes without saying this build is incredible. The technical skill to build an insanely fast Mandelbrot generator on an FPGA is astonishing, but basing it off a logic-chip based build reaches into the realm of godliness. You can check out a video of this amazing build after the break.
Props to [Ian Finder] for sending this one in.


Tuesday, October 16, 2012

John the Ripper rules!

And I mean that both as a verb and as a noun. For those who don't know, John the Ripper is a password cracking program. It supports various formats natively and the community-enhanced version brings it to an insane level.

It can run attacks based on the login name itself, a wordlist and variations (called "rules") and, last resort, a brute force.

Here are a few rules I usually add:

# Try with 2 prefixing digits
l ^[0-9]^[0-9]
# Try prefixing with possessives
l A0"My"
l A0"Your"
l A0"His"
l A0"Her"
l A0"Our"
l A0"Their"
# Try with 1, 2, 3 and 4 digits at the end, and the same with punctuation
l $[0-9]
l $[0-9]$[0-9]
l $[0-9]$[0-9]$[0-9]
l $[0-9]$[0-9]$[0-9]$[0-9]
# The dash is escaped: unescaped, *-_ is read as a range that also adds digits and uppercase letters
l $[0-9]$[(){},?;.:/=+<>%$*\-_]
l $[0-9]$[0-9]$[(){},?;.:/=+<>%$*\-_]
l $[0-9]$[0-9]$[0-9]$[(){},?;.:/=+<>%$*\-_]
l $[0-9]$[0-9]$[0-9]$[0-9]$[(){},?;.:/=+<>%$*\-_]
# Try with 1 or 2 digits and 2 punctuation symbols
l $[0-9]$[(){},?;.:/=+<>%$*\-_]$[(){},?;.:/=+<>%$*\-_]
l $[0-9]$[0-9]$[(){},?;.:/=+<>%$*\-_]$[(){},?;.:/=+<>%$*\-_]
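What the prefix and suffix rules above cover, as an added example that is neither part of John the Ripper nor of the original post: a check a password-change filter could run to tell whether a proposed password is just a wordlist entry decorated the way these rules decorate it, and how few candidates per word that amounts to. The function names and the tiny word set are assumptions; the symbol list is the one from the rules, with every character taken literally.

```python
import re

SYMBOLS = "(){},?;.:/=+<>%$*-_"            # list from the rules, all literal
SYM = "[" + re.escape(SYMBOLS) + "]"
DIGITS_1_TO_4 = 10 + 100 + 1000 + 10000

# (label, regex for what precedes the word, regex for what follows it,
#  number of candidates the rule produces for one wordlist entry)
RULES = [
    ("two leading digits", r"\d{2}", r"", 100),
    ("possessive prefix", r"My|Your|His|Her|Our|Their", r"", 6),
    ("1-4 trailing digits", r"", r"\d{1,4}", DIGITS_1_TO_4),
    ("1-4 digits then one symbol", r"", r"\d{1,4}" + SYM,
     DIGITS_1_TO_4 * len(SYMBOLS)),
    ("1-2 digits then two symbols", r"", r"\d{1,2}" + SYM + "{2}",
     (10 + 100) * len(SYMBOLS) ** 2),
]


def matching_rule(password, words):
    """Return the label of the first rule that would generate `password`
    from an entry of `words`, or None. Every rule starts with 'l', so the
    word part must appear in lower case; `words` holds lowercased entries.
    All split points are tried because a wordlist entry may itself end
    in digits."""
    for label, before, after, _count in RULES:
        for start in range(len(password) + 1):
            for end in range(start + 1, len(password) + 1):
                if (password[start:end] in words
                        and re.fullmatch(before, password[:start])
                        and re.fullmatch(after, password[end:])):
                    return label
    return None


def candidates_per_word():
    """Total number of guesses these rules spend on one wordlist entry."""
    return sum(count for *_rest, count in RULES)


if __name__ == "__main__":
    words = {"summer", "dragon"}           # constructed wordlist
    for pw in ("summer2012", "dragon7$", "Mydragon", "x9$Lq!vTz"):
        print(pw, "->", matching_rule(pw, words))
    print("candidates per word:", candidates_per_word())
```

A few hundred thousand guesses per dictionary word is the whole cost of the "word plus digits plus symbol" habit, which is the argument for rejecting such passwords at change time.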

If you have your own killer rules, feel free to drop the URL in the comment section.

Saturday, October 13, 2012

Bananas have gone nuclear!

So it seems that potassium-40 (40K) is naturally occurring in bananas and that it can undergo a disintegration, emitting a positron in the process. This positron can then interact with an electron, emitting 2 photons around 511 keV, in the gamma ray portion of the EM spectrum. This is of course assuming that the pair electron-positron have a low kinetic energy.

As said, bananas have gone nuclear!

Friday, September 21, 2012

Sunday, September 16, 2012

Mandelbrot and Octave

It's a slow Sunday morning, so I popped out the Octave console and did some fractals.

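% Setup assumed here (the post only shows the loop): grid C, state Z, mask M, counts I
[X, Y] = meshgrid(linspace(-2, 1, 600), linspace(-1.5, 1.5, 600));
C = X + 1i*Y; Z = zeros(size(C)); M = ones(size(C)); I = zeros(size(C));
n = 0; sameM = 0; OLDM = M;
while and(n < 10000,sameM < 10)
  n = n+1;
  Z=(M.*Z).^2 + M.*C+(1-M).*Z;   % iterate only the points that have not escaped
  M=(abs(Z) <= 2);
  I = I +M;
  if (OLDM == M)                 % true only when the whole mask is unchanged
    sameM = sameM+1;
  end
  OLDM = M;
end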

Tuesday, September 11, 2012

Mac Ports and Octave - failure to read images

Some time ago, while looking for something totally unrelated I found a paper by Scott Acton from the IEEE on multigrid anisotropic diffusion, for processing images.

Whenever I try to use the imread() function, I have the following error message:
octave:1> T=imread('/Users/jean-francoisgobin/Desktop/Columbia 02-gray.jpg')
Assertion failed: (semaphore_info != (SemaphoreInfo *) NULL), function LockSemaphoreInfo, file magick/semaphore.c, line 531.
panic: Abort trap -- stopping myself...
warning: unable to open `octave-core' for writing...
I tried to install the octave-image port, but it depends on ImageMagick and libpng 1.4, whereas octave depends on GraphicsMagick and libpng 1.5. Deactivating libpng 1.5 and activating libpng 1.4 resulted in octave completely failing. Uninstalling and recompiling octave failed as libpng 1.5 is a dependency.

At this time, I am a bit stuck: nothing I can think of works. If you had more luck, feel free to comment or contact me.

Tuesday, September 4, 2012

Cisco Switch Security - Section 1 - Management Interface

1. Management port and Interface

The management interface permits an administrator to configure the switch, check different operational parameters and alter the way frames are treated or forwarded.

There are multiple types of management interfaces:

  • Direct or local interactive session, for example through a serial console
  • Remote or network interactive session, for example through a SSH connection
  • Management protocol, for example SNMP

1.1 Authentication

This is the act by which someone connecting will assume a specific identity, using a personal piece of information. This can be a password, a token code or one time password, a fingerprint etc. The important part is that that piece of information is sufficient to ascertain the requested identity, i.e. that no one else could have provided it.

In order to establish traceability and accounting, it is important that each administrator be given his/her own username and password.

1.1.1 Local and enable authentication

I won't talk about the old "line" passwords.

Cisco allows one to create a database of usernames using the command username. Its syntax is
username user privilege priv secret password
Where user is the given username, priv the privilege level (0 to 15, more on this below) and password the clear text password. By using the keyword secret, the password will be stored as a salted MD5 hash, which is stronger than the default password 7, which is based on a Vigenere cipher.

Cisco users know the famous enable command: it grants level 15 access to the system if no other level is provided. When a user tries to increase his/her privilege level, a special password is requested, which needs to be set with
enable secret password
Again, the secret keyword forces the storage to be salted and hashed using MD5.

1.1.2 Centralized authentication

As opposed to local authentication, in which all the accounts need to exist on all the devices, there is centralized authentication: the accounts exist in one location and a device has to check the credentials against that repository. In turn, the repository may send back additional information along with the ACCEPT or REJECT response, such as the privilege level or a list of permitted commands.

I have seen two major centralized authentication methods deployed with Cisco devices: radius and tacacs. While other methods, such as LDAP or KERBEROS, are possible, I haven't seen them widely used.

Remote Authentication Dial-In User Service (Radius)

For a description of radius, look here. By no standard is RADIUS a recent protocol. It was originally developed in 1991 to allow the central authentication of dial-in users. Over the years, its use cases have grown to include not only dial-in, but also console authentication, OS login authentication and so forth.

On Cisco devices, two types of radius server exist: private (limited to a group) or global (accessible to all groups). The difference is that if a radius server is used by more than a single group, a global definition will force all the parameters (ports, key, timeouts) to be the same. A private server exists only within the scope of a group, and has its own parameters: if the same server is defined in another group, different parameters can be specified.

The authentication process with Cisco is as follows:

  • A server exists within a group (there is also a default global group called radius)
  • A group is used in an authentication method
  • An authentication method is used to perform the authentication process attached to a management interface

Configuration steps:

Activate the aaa code
aaa new-model 

Define a group and its private servers:
aaa group server radius my-group-name 
server-private server1 key key1
server-private server2 key key2

Define an authentication method using the group and local if none of the servers is reachable:
aaa authentication login my-auth-name group my-group-name local

Bind the authentication to the remote management interface
line vty 0 15 
login authentication my-auth-name
It is important to understand the notion of "backup authentication". In the aaa authentication statement, I specified local after the group name. This means that the local authentication database will be used if and only if the servers in the group fail to reply. If a server replies with a rejection, the authentication process stops there, returns an authentication failure and denies the login.

The backup authentication allows an administrator to gain access to the device even if the radius servers are down or unreachable. However, this opens the potential for misuse. Let's assume Alice is a disgruntled employee and is about to be fired. Her account was just disabled in radius. Having decided to leave in a blaze of glory, she runs a DoS against the radius servers and uses the local credentials to access the switch...

Terminal Access Controller Access-Control System (TACACS)

For more information on tacacs/tacacs+, read the wikipedia page.

Tacacs/Tacacs+ has some advantages over radius: encryption of the whole communication instead of just the password field, authorization of individual commands. However, if radius is an open protocol, Tacacs is proprietary.
The authentication process is the same as for radius.

Configuration steps:

Activate the aaa code

aaa new-model

Define the server group

aaa group server tacacs+ my-group-name
server server1
server server2

Define an authentication method using the group and local if none of the servers is reachable:

aaa authentication login my-auth-name group my-group-name local 

1.1.3 Putting the authentication together

aaa new-model
username myuser secret MySecretPassword
aaa group server radius my-group
server-private <radius-server-ip> key ThisIsMyRadiusKey
aaa authentication login my-auth-login group my-group local
line vty 0 15
login authentication my-auth-login

1.2 Authorization

After a user has proven who he/she is to the system, he has to get his/her authorization to perform tasks. For instance, is the user allowed to "show" certain parameters? The configuration? Is he/she allowed to alter the system configuration? 

The authorization process for Cisco devices has two different options.

  • Privilege level based: the user will be assigned to a privilege level, which has a number of commands allowed. All users at the same privilege level have the right to execute the same commands.
  • Command based: when a user enters a command, the device will check with the authorization server whether this is permitted. If the answer is "yes", the command is allowed, otherwise the command fails. 
The latter depends on the authorization server and will not be described in this text. 

1.2.1 Local database

To authorize a user against the local database, two components are needed: a user entry defining the privilege level, and the aaa statement to instruct the device to enforce the privilege level. I will describe the process of defining what command is available to a privilege level later. Of course, this presumes the user has been authenticated prior to being authorized!

To assign a privilege level to a user, the command is username.
username user privilege priv 
To instruct the device to apply the privilege level.

aaa authorization exec <my list> local

To apply the authorization to the user sessions.

line vty 0 15
authorization exec <my list>

1.2.2 Radius authorization

Radius authorization works in almost the same way: the Radius server returns an A/V pair the device interprets as the privilege level. 

Configuring the A/V pair depends on your Radius server. The information that needs to be returned is

shell:priv-lvl=<priv level>
In order to configure the radius authorization, either a group of radius servers or all the radius servers can be selected through the definition of a list-name.

aaa authorization exec <my list> group <my radius group>
- OR -
aaa authorization exec <my list> group radius
As for the authentication, a second method can be added as a failover if the first method fails. 

1.2.3 Tacacs+

This is the same as for the radius authorization: an A/V pair is defined on the server and returned. Instead of creating a group of radius servers, one would create a group of tacacs+ servers.

1.2.4 Allowing commands based on the privilege level

Now that each user is assigned a privilege level, we can restrict the commands used. 

An important point to remember: a privilege level allows access to all the commands listed for that privilege, but also for all the commands allowed for the privileges below! For instance, if "ping" is allowed at privilege level 3,  all users at level 3 and up can use it. 

Privilege levels start at 0, which allows only 5 commands (disable,enable,help,exit,logout), and up to 15, which is the equivalent of "root" in the Unix world, and accessible through the enable command without parameter.

Of course, all the privilege levels don't have to be used. But the planning needs to be adequate, otherwise you may have to shift levels and change a fair amount of configuration.

As a privilege level inherits all the commands from below, the command definition can have "holes", and for instance, you may configure privilege levels 1, 7, 9, and 13. Levels 2 thru 6 will have the same commands as level 1, 8 as level 7, 10 thru 12 as level 9 and 14 as level 13. This allows for future definitions if needed.

In IOS, commands come in two flavors: exec and configuration. The exec mode is basically the shell in which you type all non configuration commands, including reloading the device, pinging other devices, saving the configuration and displaying information. The configuration mode, as its name indicates, is to alter the configuration of the device. 

Example: to allow privilege level 7 to save the configuration and to configure SNMP parameters

privilege exec level 7 write memory 
privilege exec level 7 configure 
privilege exec level 7 configure terminal 
privilege configure level 7 snmp-server

1.3 Accounting

Accounting allows one to review "what" was done by "whom". This is often overlooked but is an extremely important feature to have, both from a compliance perspective and from the company's ability to quickly find the origin of an issue. 

There are two options for command accounting: logging and aaa accounting. The logging part will be addressed in a later chapter.  

The aaa accounting is only possible with radius and tacacs+. No local aaa accounting is possible. To activate aaa accounting, as for authentication and authorization, a group must exist. A quick note: there is no named-list available for system accounting, all the accounting needs to be done as default.

aaa accounting exec default start-stop group <my group> 
aaa accounting commands <my level> default start-stop group <my group>
The first command logs all accesses to the exec shell, recording the time started and stopped. The second logs all commands executed at level <my level>.

1.4 Consoles

A Cisco device has multiple types of console: local serial and remote (network) consoles. A console is a way to interact with the management plane of the device, i.e. to execute commands to get some information about the device's status or to modify its configuration.

1.4.1 Serial consoles

These are physical console ports on the device. Usually, they are RJ45 (ethernet-like) ports, but nowadays, they also come as USB miniports. In order to connect to it, one needs to have a physical access to the equipment. 

As physical ports, they don't support any fancy features such as encryption or access-list, but they provide access to the rommon during the boot sequence. 

There could be one or two console ports, denoted "con" and "aux". The latter can be configured as a console port to connect a modem and gain a remote access should the device lose access to the network. 

1.4.2 Network consoles

These are virtual consoles - denoted by vty - that emulate a serial port over a network connection. They are accessible from anywhere as long as a TCP connection is possible to the device.

Specifying the protocol

Network consoles support different protocols: telnet, rlogin, ssh. These define what service will be bound to the vty. For instance

line vty 0 4 
transport input telnet 
line vty 5 15 
transport input ssh 

defines that telnet sessions will be allocated a vty from 0 to 4 and the ssh ones will get a number between 5 and 15.

Administering a network device is a sensitive task: whoever gets access to yours can deeply affect your operations by creating issues, monitoring traffic or redirecting packets. As such, it is important that all remote management connections are encrypted.  

SSH was designed as a VPN technology. The best known feature is the replacement for telnet. As telnet sends the password plaintext, it is susceptible to being intercepted by an attacker. All modern devices support configuring SSH for remote administration, and Cisco is no exception.

ip ssh version 2
This will force SSH version 2 to be used. Version 1 is afflicted by a series of issues that can be used to compromise a device.
ip domain-name <your domain-name>
Next, we have to define the domain-name for the system. It is not extremely important that it be resolvable or meaningful.
crypto key generate rsa
Next we generate the encryption keys using the default settings. There are options to specify whether the keys are exportable, the modulus size (or key length) and so forth.
line vty 0 15
transport input ssh
Last but not least, we apply this to all vtys. From now on, the device is only accessible through ssh. A word of caution: SSH requires some authentication, so it is important to have that configured and working prior to enabling SSH.

Limiting the sources

Now that we can authenticate, authorize and trace, and that all the sessions are encrypted, let's look further: how can we restrict access to the management console to certain sources?

An important point in any secure design is "segregation": segregation of networks and machines based on roles - network operators or engineers, system administrators, non technical personnel and so forth. The requirements for each are different, and it makes sense to have them in different subnets. 

Using an access-list, it is possible to restrict the access to any Cisco device to a group of subnets. The following example uses a standard access-list and supposes that:

  • The local subnet for the network operators is
  • The remote access subnet for the network operators is

  The commands are

access-list 10 permit
access-list 10 permit

line vty 0 15
access-class 10 in

1.5 More control over the login process

There are now a few things left we can do. 

1.5.1 Limiting the number of failed attempts in SSH

First, we will put some obstacles in an attacker's path. Let's assume the attacker wants to brute force some credentials and has access to a machine with access to the device. A common attack is to create a session and start trying combinations of username/password.

An important step is to make sure this takes as long as possible by severing the connection after a few failed attempts. That way, the attacker will spend a fair amount of time re-establishing the session to the device, which will give some more time for the security team to notice the events and react.

ip ssh authentication-retries 2
This gives two attempts: if the first one fails, the second must succeed or the session will be interrupted.

1.5.2 In case of (repeated) failures ...

Also, we may want to enforce a delay in the login process if too many authentication failures are encountered in a brief period of time. Cisco offers a mechanism for this in the login enhancements.

login block-for 30 attempts 5 within 60
The previous command instructs the router to suspend the login process for 30 seconds if 5 failed attempts are detected within 60 seconds or less. This is a powerful way of delaying an attack, but at the same time, it has the side effect of enabling an attacker to DoS a network device and prevent legitimate access.

In order to mitigate that, an access-list can be applied to provide a list of IPs that have access, even during the quiet-period (the period during which the login process is suspended).

access-list 11 permit host
login quiet-mode access-class 11
Again, this has another side effect: if the compromised machine is, there will be no enforcement of the quiet-mode for the attacker. The emphasis is on making sure the host(s) allowed are perfectly secure. 

The team may want to log failed attempts, but maybe not EVERY failed attempt. For instance, we may not need to know whenever a colleague (or self) fat fingers his/her password.

login on-failure log every 3
This logs the failure only after 3 unsuccessful attempts. 

1.5.3 But if successful ...

We may want, however, to keep track of all successful logins. Even though we have the accounting in place, we may want to have a specific message for each successfully created session.

login on-success log
That last command will generate a log entry for each successful login to the device. 

1.5.4 More delays during login!

Yes, there is a way to add some delay between the login attempts. Again, using the login enhancements, a delay between two login attempts can be enforced.

login delay 3

After this, there will be three seconds between two login attempts. With all the previous configuration in place, an attacker would spend around 72 seconds - not including the session re-establishment - for every 5 attempts. This will considerably slow down the effort and give more time for it to be detected.
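To check that a device actually carries the settings from sections 1.4.2 and 1.5, a saved configuration can be audited offline. The script below is an added example, not part of the original post: the function names are hypothetical, the sample config and its 192.0.2.0/24 subnet are constructed, and it assumes sub-commands are indented under their "line vty" header as in "show running-config" output.

```python
import re

# Constructed sample config (not from a real device); 192.0.2.0/24 is a
# documentation-range placeholder for the operators' subnet.
SAMPLE = """\
ip ssh version 2
login block-for 30 attempts 5 within 60
access-list 10 permit 192.0.2.0 0.0.0.255
line vty 0 4
 transport input telnet
line vty 5 15
 transport input ssh
 access-class 10 in
"""

def parse(config):
    """Split a config into global lines and per-'line vty' sub-command lists."""
    globals_, vtys, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"line vty (\d+)(?: (\d+))?$", line)
        if m:  # start of a vty block; a single number means a one-line range
            current = vtys.setdefault((int(m[1]), int(m[2] or m[1])), [])
        elif raw[0].isspace() and current is not None:
            current.append(line)  # indented line belongs to the open vty block
        else:
            current = None
            globals_.append(line)
    return globals_, vtys

def audit(config):
    """Return findings for the management-plane settings discussed above."""
    globals_, vtys = parse(config)
    has = lambda prefix: any(g.startswith(prefix) for g in globals_)
    findings = []
    if not has("ip ssh version 2"):
        findings.append("SSH version 2 is not forced")
    for (lo, hi), body in sorted(vtys.items()):
        transport = [b for b in body if b.startswith("transport input")]
        if transport != ["transport input ssh"]:
            findings.append(f"vty {lo}-{hi}: transport input is not ssh-only")
        if not any(re.match(r"access-class \S+ in\b", b) for b in body):
            findings.append(f"vty {lo}-{hi}: no inbound access-class")
    if has("login block-for") and not has("login quiet-mode access-class"):
        findings.append("login block-for set without quiet-mode access-class")
    return findings
```

Calling audit(SAMPLE) reports the telnet-enabled vty range, its missing access-class, and the block-for setting that has no quiet-mode exemption for the administrators.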