Friday, December 28, 2012

18.330 Introduction to Numerical Analysis (MIT)

On its, the MIT has published the new version of the undergraduate course 18.330 Introduction to Numerical Analysis, dated of Spring 2012.

A good grasp of calculus, differential equations and linear algebra is required to fully enjoy it.

The topics covered are:
  • Series expansions: from calculus to computation
  • Integrals as sums and derivatives as differences
  • Interpolation, splines, and a second look at numerical calculus
  • Numerical methods for ODE, initial-value problems
  • Root finding, Newton's method, boundary-value problems
  • Fourier transform, Fourier series, Shannon sampling theory
  • Bandlimited interpolation, spectral methods
  • Least-squares approximation
  • Principal component analysis

Numerical Analysis is the underpinning of modelisation and simulation ,  at the heart of modern physics and engineering fields.

Wednesday, December 26, 2012

Blogger's death stirs political hornet's nest in Iran

In Iran, like in any non-democratic country, criticizing the party in place can lead to serious troubles. However, reporters and citizens continue to bravely write about the lies and fallacies of officials. The result is often a tragic end, tortured and killed.

Sattar Beheshti is not different: he started a personal blog, which became more and more critic toward Ayatollah Ali Khamenei, the controversial "supreme leader" of Iran. The idea of having a religious figure leading the country is already unsettling for me, and in many non-corrupt countries his past actions would make of him a wanted criminal and a terrorist

The apex was the criticism of a public speech given by the ayatollah (persian version). Soon after was he arrested, tortured and his body given back to his family. Iran officials, prompted by the international community, investigated the death, fired a few people - probably for not being discrete enough, and concluded that the "intent" of his "treatment" was not to kill him.

I hope that the international community will, this time, react with all the needed severity, and flag all the members of the Iranian government as what they really are: murderers.

Monday, December 24, 2012

Cisco Security Part II - Security at the port level

2. Security at the port level

A switch is used to interconnect different devices: desktops, laptops, servers, printers, other switches and so forth. By granting access to a network, an administrator increases the likelihood of a security breach as well as the vulnerability landscape. Here are three actions that can be performed:

  • Connection a non-approved device. Particularly nowadays with BYOD being teh buzzword, the proliferation of personal devices that can be connected to the network has exploded.
  • Abuse of the port, for example by creating a trunk that allows a device to have access to networks not supposed to be accessed directly.
  • Injection of control frames into the network, for example modification of the spanning-tree topology.
Of course, there are many, many more possible attacks. However, the purpose of this document is not to enumerate everything known to mankind, as by the time this document hits the web, there will already be things to be added.

2.1 Trunk/access

When interconnecting two switches, the need to transmit frames that belong to different virtual LAN (VLAN) may arise. In order to do so, network device vendors came up with different solutions, such as ISL from Cisco. Later, the protocol to transmit multiple VLAN over a single physical connection was standardized by the IEEE as 802.1Q.

Trunking is also used in IP Telephony: the usual setup is to have the PC piggy-back on the phone, which acts as a small switch. The “normal” data traffic is sent and received as-is and the voice traffic is encapsulated within 802.1Q. This gives the ability to separate both traffics and to use additional fields in the 802.1Q header to prioritize the voice traffic over other forms of traffic.

However, if not restricted, this ability can also be a recipe for disaster. For example, if all the ports carry all the VLANs or have the ability to create a trunk, an attacker could leverage that to gain access to other networks by sending tagged frames back to the switch.

In Cisco terminology, a trunk is called a “trunk” port (obvious, isn’t it?) and a non-trunk port is called an “access” port. An access port won’t send any 802.1Q encapsulated frame to the connected device. In the receive direction, the frame will be dropped.

In order to configure a port as an access or a trunk, the command "switchport" needs to be used within the interface:

interface GigabitEthernet 0/10
 switchport mode access

This will instruct the switch to treat the port Gi0/10 as an access port.

Once a port's mode has been set, further configuration is possible. For instance, if the port is an access port, the VLAN on which that port resides can be set with:

switchport access vlan 20

Likewise, a trunk port with native VLAN (defined later) 10 and with tagged VLAN 20 and 30 is configured with:

interface GigabitEthernet0/11
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30

The native VLAN on a trunk is the VLAN in which all the untagged frames received will be placed, and that will be sent untagged. Numerous documents refer to the danger of native VLAN in regard to VLAN hopping or the abuse of Q-in-Q. A good practice is to make sure the native VLAN of all your inter-switch trunks are not assigned to any user VLAN.

2.2 Negotiation of a trunk (DTP)

Cisco switches allow a trunk to be dynamically formed. This means that if you don't force the mode, the connected device can announce itself as a switch and negotiate a trunk. The protocol responsible for this is Dynamic Trunking Protocol or DTP.

With the mode forced to access, the negotiation is automatically stopped. If set to a trunk and if the negotiation is left on, the switch will use DTP to inform its peer it can form a trunk.

To disable the trunk negotiation, the command is

switchport nonegotiate

2.3 Spanning-tree

Spanning Tree is the protocol responsible for negotiating a loop-free topology, even if the physical infrastructure has loops, for example for redundancy. It works by electing a root switch, which will then send specific frames called BPDU (Bridge Protocol Data Unit) that all switches in the topology have to forward following certain rules.

Based on the BPDU and the port it was received, each switch designs a port leading to the root, possibly through other switches, a set of ports that can be used for other connected switches to reach the root, and a set of blocked ports. These are ports the switch could use to reach the root, but with a higher cost.

These BPDUs have multiple roles: they can announce a better path to the root, they are used to hold the root election and they can influence the whole topology.

From what precedes, an attacker can abuse this protocol to either perform a DoS against the network, or forward all the traffic to a specific machine.

When designing a network, it is important to minimize the role of spanning-tree by using other techniques, such as bonding multiple interfaces into a single logical interface called a port-channel or an etherchannel.

When a port comes up, the default behavior is to wait for a certain amount of time, that depends on the version of spanning-tree used, to determine what the status of the port should be (root, designated, blocked). Cisco invented a mechanism to permit the port to start forwarding before that time, called "portfast".

With that came the risk of creating short network loops,until the port got the first BPDU and adopt the relevant state.

2.3.1 bpduguard

Cisco developed a security feature to force a port to go immediately down if a BPDU is received. The BPDU will be dropped as well.

If a port is connected to a phone or a computer, there is no valid reason why a BPDU should be received. On the other hand, if a BPDU is received from a port connected to a user device, this could indicate:

  • an attempt to inject BPDUs into the network, regardless of the reason;
  • an temporary loop in the network due to incorrect network settings on a computer or a connectivity issue;
  • a replay of a previous network capture;
  • and possibly other reasons.
In such an event, a reasonable thing to do is to drop the port to the down state, to prevent further incidents. This is configured on a device interface with:

interface GigabitEthernet 0/12
 spanning-tree bpduguard enable

Upon reception of a BPDU on the port, the state will be err-disable. To correct this,the port needs to be reset (shutdown/no shutdown) or the error recovery mechanism needs to be activated. This latter is not recommended as it will put the port back in service, possibly allowing the activity to resume.

It is also worth to notice that the default for this command has changed between IOS and NX-OS: a show configuration all will display these values.

2.3.2 bpdufilter

In situations where bpduguard is not welcome, for instance on uplinks to a provider, another mechanism exists: bpdufilter. Instead of shutting the port down, bpdufilter drops all bpdus, incoming and outgoing. This has the side effect of splitting the spanning-tree domain in two.

In my past, I had to help an ISP configure it: his switch connected to his clients' frequently had issues. It was found that on some occasions, the spanning-tree root role changed from his internal network to a client's.

However, it needs to be understood that, as spanning-tree is no longer working, topology loops in this situation have to be manually addresed, for instance in the form of a manual activation, or by using techniques that negate the need for spanning-tree, such as etherchannel, or unique VLANs with a L3 redundancy solution.

The configuration looks like bpduguard's:

interface GigabithEthernet0/12
 spanning-tree bpdufilter enable

2.3.3 portfast / port type edge

The spanning-tree protocol mandates that a port goes through various states before being able to forward traffic. During these state, no traffic is received or emitted besides BPDUs.

A way to speed that process is to declare the port as "portfast" or "type edge". It means that spanning-tree will take a shortcut in the states and be able to forward quickly after being turned on.

However, this has to be gauged: on the one hand, this means that a user device will have access to the network sooner, but on the other hand, it permits the creation of temporary loops - until the next BPDU is seen, the link will be up. As soon as a BPDU arrives on the port, the normal spanning-tree decision concerning the port role (root, designated etc) is taken and one end of the loop will be blocked.

An attacker could leverage this fact to create temporary, short lived loops to disrupt the switch operations. If successful, this can create either a switch or topology wide outage.

Other ways of dealing with the timers are possible: one could use rapid spanning-tree and shorten the timers from 2 seconds to 1 for the <Hello> BPDU - as more BPDUs are sent, the expected life of a loop is cut down, limiting the risk or the possibility of perpetrating such an attack. This, however, has to be evaluated as a shorter timer may also increase the risk of instabilities on the network: a transient frame drop on a link can result in flapping between that link and a backup link, possibly amplifying the problem.

2.4 Mac address learning on a port

The role of a switch is to build a table of what mac address resides on what port, and forward frames accordingly. This allows for point-to-point communications between two devices within the same VLAN, without impacting the other connected devices. A way of describing this is to state that the collision domain is limited to the port and the device connected to it.

As the switch has to consult that table binding a MAC to a port for every frame, the memory dedicated is called CAM (Content Addressable Memory), a special type of memory which is in limited quantity in any device.

An attack of the "old days" was to generate many frames with random source MAC address. This caused the switch to learn these in its CAM, filling it to the point that no new entry could be created. Any new MAC would not be learned, and the forwarding process would be for the switch to broadcast a frame to these legit but unknown addresses to all port, transforming the switch into a hub and allowing an attacker to sniff the corresponding traffic.

2.4.1 Number of permitted mac addresses

The first line of defense offered by a switch is to limit the number of MAC addresses permitted on a given port - past the number, the switch will either drop the frame or even shut the port down. MAC address counting works with the VLAN ID included in the learning: the same address seen on the same port but on two different VLANs count as two entries, one per VLAN. This is important to understand when using devices such as IP phones that may start in a VLAN and jump to a different VLAN afterwards.

The question now is: what about forgetting the known addresses? Should the switch keep them forever? Or forward these entries after a certain time?

2.4.2 Sticky Learning

In a static world, a machine is always connected to the same port, and thus the MAC address will always be seen on the same port. In that case, a sticky learning is possible, meaning that the switch will permanently - even across reboots - remember the association.

A nice - or annoying, it depends what your goals are - feature of this memorization is that if a MAC address known on a given port is seen somewhere else as source, the frame will be dropped and a security violation logged.

2.4.3 Aging considerations

However, the world is not static: laptops move from offices to meeting rooms, workstations are installed and reused and so forth. So the concept of sticky learning doesn't work well, or one needs an army of network administrator to prune the entries as machines are being moved.
Another possibility is to enforce a certain time after which the entry will be forgotten. This time is either an idle time (no frame exchanged for a certain period) or absolute (the address is removed even if traffic is seen, leading to a renewal of the learning if need be). 

2.4.4 Actions for violations

As said, the action can be the simple drop of the frame, the drop of the frame plus logging or even to shut the port completely down.

Deciding which one is a matter of policies and will of surfacing the issues - if the only thing happening is the frame being dropped, the event may go unnoticed until a user complains he has a problem. On the other hand, if the port is shut down, a visible trace exists of the event, that can be investigated and acted upon.

2.4.5 Putting it together 

Now, time to show some configurations. Basic port security, 3 MAC addresses, no sticky learning, drop-and-log upon violation, portfast and bpduguard, mac address forgotten after 5 minutes. 

This configuration is almost a "this is your average mileage": it will work okay in many situations.

interface gigabitEthernet 0/12
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging time 5
 spanning-tree portfast
 spanning-tree bpduguard enable
 [rest of the configuration] Sticky learning, 2 MAC addresses, drop-and-log upon violation, portfast and bpduguard.

This could be used for a server. The first two mac addresses seen on the port are learnt.

interface gigabitEthernet 0/12
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 [rest of the configuration]

2.5 Recommended configurations

2.5.1 Workstation

We consider this machine to be installed at a desk and will never be moved, no phone

interface gigabitEthernet 0/12
 switchport mode access
 switchport access vlan XX
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport nonegotiate

2.5.2 Laptop/meeting room

That machine may be moved between ports.

interface gigabitEthernet 0/12
 switchport mode access
 switchport access vlan XX
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security aging time 5
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport nonegotiate

2.5.3 Phone with computer attached

The phone starts in a VLAN and moves to the new one (voice), workstation attached

Note: the phone negotiates its voice vlan using either CDP or LLDP, but this will not be discussed in this document.

interface gigabitEthernet 0/12
 switchport mode access
 switchport access vlan XX
 switchport voice vlan YY
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport nonegotiate

2.5.4 Server / router

This considers that there is not virtual or cluster IP.

interface gigabitEthernet 0/12
 switchport mode access
 switchport access vlan XX
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport nonegotiate

2.5.5 Network provider / external party

interface gigabitEthernet 0/12
 switchport mode access
 switchport access vlan XX
 switchport port-security
 spanning-tree portfast
 spanning-tree bpdufilter enable
 switchport nonegotiate

Friday, December 21, 2012

Data breach: Beware of the side channels

Let's start with the news that prompted this entry: "Swiss spy agency warns U.S., Britain about huge data leak" on Reuters.

A side-channel is a way of transferring data that is "out of the usual path". In today's world of e-mail, google Drive, Dropbox and Microsoft SkyDrive, a USB thumb drive looks like yesterday's jam. A modern hard drive can store 3TB enough to store approximately 125,000 A4 pages scanned in high resolution. That's quite a lot of secrets ...

This is not, however, the only way of taking data off of a secret network: what about printouts? Or screen hardcopies? Taking a picture of the screen? Even memorizing documents?

Controlling side channels is not easy: it would be impractical to ask all and each employee to strip down and change clothes before entering the data sensitive areas, and even so: there are possible ways out. (No pun intended)

That's were data sensitive agencies need to put statistical controls in place: is it normal that employee A accessed around 1 million documents ranging from 2000 to 2012? Or employee B has accessed a certain document 20 times during the last week, but is not supposed to be working on that case?

Behavioral statistics can also indicate a change in a person: arrival and departure times, repetition of late lunches and so forth can help track someone whose habits have changed either abruptly or over time.

Wednesday, December 19, 2012

Data Breach Avoided By Encryption

Once in a while, there is a news that doesn't make me feel like IT Security is hopeless.

Rossendale's Rising Bridge Business and Enterprise Village was victim of a burglary: yet unidentified thieves entered the newly built premises and stole computer equipment, including several laptops, containing data about vulnerable children. 

However and to the credit of the staff, these were encrypted and the data most likely not accessible: the community is down for its money, but won't have to explain to anxious parents why their children are now at risk of being abducted or falling victim to identity thief.

Again: kudos to the staff for implementing disk encryption.

Even for a personal laptop, disk encryption is important: everything done is stored and there could be information about various accounts (think "Google", "Facebook", "Amazon") that can be leverage to steal hard money.

Monday, December 17, 2012

Microbial life at -13C

Was Arthur C. Clarke right in his 2010: Odyssey 2? Biologists have found a life form that thrives in a cold sealed lake that would be toxic for us.

Friday, December 14, 2012

They Cracked This 250-Year-Old Code, and Found a Secret Society Inside

This is a really cool article - A linguistic tool was used to decipher a 250-year old code from a secret society.

The tool, actually a translation tool, works by considering that the input is a "code" to be broken - it makes hypothesis on the meaning of input symbols and checks whether the deciphering looks legit in the destination language, based on rules such as grammar, word frequency or word sequences. For some fun with the latter, visit Google Ngram Viewer. People interested in the underlying theory will find a good approach in the chapter 22 of Russell&Norvig's "Artificial Intelligence: A Modern Approach"

Wednesday, December 12, 2012

Forensic report on SCDOR breach

Mandiant helped the South Carolina Department of Revenue with an incident response. The executive summary can be found here.

While this is not the first government network to be breached, nor the last one, this is worth the reading. I hope the longer, more detailed report will be posted as there are some open questions I have regarding the phishing attack, the types of traffic seen and the general sophistication of the overall attack.

The SCDoR was informed by an unnamed agency of the potential breach, at which point Mandiant was engaged.

A few interesting and salient points:
August 13, 2012: A malicious (phishing) email was sent to multiple Department of Revenue employees. At least one Department of Revenue user clicked on the embedded link, unwittingly executed malware, and became compromised. The malware likely stole the user’s username and password. This theory is based on other facts discovered during the investigation; however, Mandiant was unable to conclusively determine if this is how the user’s credentials were obtained by the attacker.
The original intrusion was done through a phishing e-mail. From my personal observation, some campaigns are currently being executed, with a level of sophistication that's quite impressive: I helped with a case recently in which the initial e-mail presented a lot of characteristics of a company's internal communications.

August 27, 2012: The attacker logged into the remote access service (Citrix) using legitimate Department of Revenue user credentials. The credentials used belonged to one of the users who had received and opened the malicious email on August 13, 2012. The attacker used the Citrix portal to log into the user’s workstation and then leveraged the user’s access rights to access other Department of Revenue systems and databases with the user’s credentials.
The remote access was defeated by the lack of one-time password authentication.

September 1, 2012: The attacker executed a utility to obtain user account passwords for all Windows user accounts. The attacker also installed malicious software (“backdoor”) on one server.
This usually requires administrator privileges. Unfortunately, the exec report doesn't mention whether the attacker got these from the user he hacked into or if he ran an exploit to elevate his privileges.

The attacker compressed the database backup files into fourteen (of the fifteen total) encrypted 7-zip1 archives. The attacker then moved the 7-zip archives from the database server to another server and sent the data to a system on the Internet. The attacker then deleted the backup files and 7-zip archives.
A database or backup server containing valuable information - at least valuable enough to be dumped and sent outside - was leapfrogged onto. It also had access back to other systems.

Overall, it took a bit more than 2 months to detect the attack and start the incident response process. No less than 514 server interactions were counted from the report. Some good practices were apparently not followed:

  • Outside systems should not use the internal authentication to allow access - So if you are using Active Directory, use something else to authenticate your remote access/VPN/Citrix, such as RSA Authentication Manager or One-Time Password;
  • Database and Backup servers need to be strictly isolated and not reachable BUT from a few selected networks, on a few, selected ports/applications;
  • In Windows Domains, all static passwords with elevated privileges _have to be_ strictly longer than 14 characters: even in the latest incarnations of the Microsoft Operating Systems, NT-LM is still in use [see below].
To the SCDoR's credit, part of the information was encrypted and is most likely to be useless to the attacker.

Microsoft Windows OS still store passwords in two forms: 
  • The weak NT LanMan (NTLM), which is limited to a maximum of 14 characters, but split it into two strings of 7 bytes;
  • The relatively stronger MD4, which encrypts passwords of all length.

It is important to realize that none of these use salts, making the use of Rainbow Tables very efficient.

Cracking the NTLM, even for a password of 14 characters is a matter of a few hours. If your administrative users have passwords of length 14 or shorter, your whole network can be compromised in less than a few days.

Monday, December 10, 2012

Fedora 17, Google Chrome and Citrix

Until recently, I have been using Firefox when I had to connect to a Citrix Desktop presented through HTTPS (CAG or other). Not anymore. I can now use my favorite Google Chrome.

In your home directory, go to .local/share/applications. Add a file - i will call it ica.desktop - containing:

[Desktop Entry]
Name=Citrix ICA Viewer
GenericName=Citrix ICA Viewer
Comment=Access to Citrix Desktop

The Exec line should reflect where your binary is installed. Now, modify mimeapps.list and add the line


Under [Added Associations].

Voila! Next time you will connect to a Citrix server through HTTP/HTTPS, it will automatically open the Citrix Viewer on your machine.


Friday, December 7, 2012

Mathematical proof reveals magic of Ramanujan's genius

A cool article on the Indian mathematical genius Srinivasa Ramanujan. It seems some of his contributions could lead to a better understanding of black holes, a celestial body not even known during his time.

Wednesday, December 5, 2012

CSO: 4 factors for avoiding cyber espionage attacks

A few pointers (nothing that will blow your mind though) on how to prevent a cyber espionage attack.

Monday, December 3, 2012

Dr Coole's scary stories

An interesting article from Dr. Eric Coole, three cases that will curdle your blood. The first one is about an APT attack, the last two about full disk encryption failure.

Enjoy the reading!