Cisco Data Center security – the highlights

“Cisco TechWise TV – Data Center Security” highlights

http://www.cisco.com/web/learning/le21/onlineevts/offers/twtv/twtv120port/reg.html?PRIORITY_CODE=000143256

  • IPv6 – is the future
  • Cloud – is happening
  • Security must be enabled in every Cisco SW, HW and ASIC component (architecture)
  • Cisco Security budget for research – more than CheckPoint + Juniper + HP

ASA 9.0

  • Cloud Security integration
  • TrustSec embedded – when you ‘enter’ you are tagged, and this tag stays with you as you reach the inner layers
  • ASA multiscale, multiplied in clusters.
  • A single appliance is already reaching 40Gbps on FIREWALL and 10Gbps on IPS inspection.
  • High Availability is now session-based, not chassis-based anymore.

IPS 4510 / 4520

  • Signatures updated 2x a week + reputation every 15 minutes from SIO
  • Cisco still views the IPS as a bastion host

Multiple Form Factors for ASA

  • Blades (up to four blades per Catalyst 6500 chassis)
  • Appliances
  • Virtuals (ASA 1000V supports vMotion)
  • 70% of Internet infra is Cisco-based
  • Same base code for all ASAs

Cloud Web Security

  • Must follow the employee wherever he/she is.
  • Security must be invisible. If users realize it’s there, that’s not good for security teams.

Business class email security

  • Encrypts the message once it carries a confidential label, after it passes the border.
  • Even if it was sent from an Android phone.
  • by RLM

A glance at Percoco’s Lifecycle of cyber crime – RSA 2013

Watching Trustwave’s VP Nicholas Percoco speak at RSA 2013.

To be honest, I’m having problems linking his speech to the proposed theme. Yes, it touches it, but it’s kind of something else.

The text below is my attempt at writing about the highlights. [SPOILER alert below!!!]

In the first two minutes, you learn that the world has 7 billion people, but “only” 1 billion have some kind of IT device, plus information hosted on 25 million databases. Oh, and of course, criminals don’t want single victims. They need profit, and they can only get it if they “fish all around”.

BTW, you can definitely skip from 1’45” to 3’10”, his story about family fishing (real fish). That’s really not necessary for an RSA conference.

Until minute 4′ you will also learn which countries have potential victims (a lot of first-world countries plus some BRIC countries, etc.).

At 4’03”, a good piece of info. Companies on average take 210 days to realize they have had a breach and start doing something to stop the problem. 5% of companies (the ones good at security) realize there is a problem within 10 days. But 20% of companies could take TWO YEARS to detect they have been hacked (wtf).

At minute 5′ some jibber-jabber. The “attackers” can be anywhere. Ok, let’s skip that too.

So, jump to minute 6′ and we hear about APT + Zero Days versus the common mistakes attackers use to get in. He’s now talking about how not a single investigation performed by Trustwave found an attack using advanced techniques (a very good and impressive conclusion). The investigated intrusions were actually based on:

– Remote Access

– SQL Injection

– Legitimate account usage (yeah, people still publish web portals with admin / admin as user / password) – some people beg to be hacked…

– Web-based attack (Java, browser, flash vulnerabilities)

– Malicious files

– Remote file inclusion

– Remote code execution

– Authorization flaw

– Physical theft

We are now close to minute 8′ and we hear that “six major cyber gangs” are running the main crimes around the globe. Well, can I have some names here?

Now, what is really tied to the speech’s title: the life cycle. The process starts with “greed, good living..” and goes on like this:

Greed –> Victim identification –> Infiltration –> Propagation –> Aggregation –> Exfiltration –> Buyer identification –> Data Liquidation –> Recycling.

We are now close to minute 13′ and things start to really move away from the process described above.

The attack demo is indeed interesting, but I didn’t see it as a cyber crime life cycle. Plus, the path to the “Work” folder seems different from what was found in the rar file at the destination FTP. I sense some BS here.

At minute 17′, he brings in Erik Rasmussen from the US Secret Service to answer questions sent by people on Twitter. Now I can say the theme is really gone (the questions & answers are not even interesting…).

Sith Cat not amused

Ok, it was a 30-minute (pretty quick) presentation, but it should have been used to actually cover the cyber crime process explained above in more depth. In the end, it was a collection of slides on different subjects.

Plus, I am always a bit suspicious when a presentation includes a Secret Service or CIA agent. This may sound obvious, but they are not going to tell you the good stuff. They will speak about public statistics, numbers, what happened in big investigations already covered by the news and blah blah blah.

The really good new attack strategies or investigation methods will always be classified information, and the SS / CIA are not going to tell you, no matter how much you spent on RSA, DEF CON or Black Hat credentials.

For me, some aspects served as inspiration for other ideas (I will write about them in the future), but thinking about the whole video, it could have added more value.

Kali Linux 1st impressions

Kali Linux is (or will be, or is going to be) the new Backtrack: a Linux distribution dedicated to security testing, hacking and forensics, or for dummies to realize they really need more study before using a Linux system for bad behaviour.

Here, the first Metasploit / Kali webcast provided by Rapid7 and Offensive Security.

Kali has an advertising video, something amazing for an open source / non-commercial tool. Congrats to the Offensive Security guys.

I was able to download the 2Gb iso this week and here are my first impressions.

The first thing I noticed is the live CD options include a Forensic Boot, so one of the great Backtrack features was kept. \o/

The live mode detected my installed Windows 7 was hibernating, so it refused to mount it (at least it explained the reason to me).

I’m not sure if it was for the same reason (an existing / sleeping OS on the hard drive), but the terminal icon did not work in Live Mode. It gave me a “gnome-terminal” input/output error. I was able to shut Live Mode down using the “root” icon in the upper-right corner.

Installing:

You can’t use “disk partitioning” to shrink your currently installed O.S. and deploy Kali side by side with other systems if your current O.S. is hibernating (it was a shot in the dark; I discovered this like that guy whose head was hit by an apple and thought about gravity, Isaac Newton).

If you don’t boot your original OS and shut it down properly (no hibernation!!!!), Kali will only offer install options that erase the entire disk.

To be honest, I could have erased this Win7, but I wanted to see how Kali was going to treat existing systems, so I took some minutes to completely shut down Win7 and went back to the Kali install screens.

One great thing: I was able to shrink my Windows 7 using a percentage instead of choosing how many Gb I wanted for my original partition (I chose 60% for my fat Windows).

After shrinking it, Kali offered to install all Linux partitions in the same free space or to divide the free space into separate /home, /usr, /var and /tmp.

I decided to go “all in one” and my 80Gb hard drive was sliced into Win7 (48Gb), ext4 (30.7Gb) and swap (1.3Gb).

Configuring a network mirror to download updates: good luck filling in the proxy credentials in that format (http://user:password@proxy_IP:port). I skipped it and later edited /etc/bash.bashrc to include that info.
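One reason that proxy field is so easy to get wrong: a password containing ‘/’, ‘@’, ‘?’ or ‘#’ makes the URL split at the wrong place, and the client ends up with a bogus host or port. The snippet below is an added example (not from this post and not Kali’s own code) that builds the string with the credentials percent-encoded and shows how a parser reads the naive and the encoded forms. The user name, password, proxy address and port are constructed sample values.

```python
# Added example: building the http://user:password@proxy_IP:port string safely.
# urllib.parse.quote with safe='' percent-encodes '/', ':' and '@' too, which the
# default quote() would leave alone. Host and port values here are constructed.
from urllib.parse import quote, unquote, urlsplit


def build_proxy_url(user: str, password: str, host: str, port: int) -> str:
    """Return a proxy URL with the user name and password percent-encoded (RFC 3986)."""
    return f"http://{quote(user, safe='')}:{quote(password, safe='')}@{host}:{port}"


def naive_proxy_url(user: str, password: str, host: str, port: int) -> str:
    """The hand-typed version: credentials pasted in verbatim, no encoding."""
    return f"http://{user}:{password}@{host}:{port}"


def parse_proxy_url(url: str) -> dict:
    """Show how a client (urllib's urlsplit here) actually reads the URL."""
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:          # non-numeric port: the URL was cut in the wrong place
        port = None
    return {
        "host": parts.hostname,
        "port": port,
        "user": unquote(parts.username) if parts.username else None,
        "password": unquote(parts.password) if parts.password else None,
    }


if __name__ == "__main__":
    # Constructed sample credentials; the '/' in the password is the troublemaker.
    user, password, proxy, port = "jdoe", "pa/ss@w0rd", "10.0.0.1", 3128
    print("naive  :", parse_proxy_url(naive_proxy_url(user, password, proxy, port)))
    print("encoded:", parse_proxy_url(build_proxy_url(user, password, proxy, port)))
```

With the naive form the parser treats everything after the first ‘/’ as the path, so the host becomes “jdoe” and the port is unusable; the encoded form round-trips to the intended proxy, port and password. Whatever file ends up holding that string (apt also honours an Acquire::http::Proxy setting under /etc/apt/apt.conf.d/, which keeps the password out of every user’s shell environment), it should not be world-readable, since the credentials are stored in clear text.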

Testing GRUB Boot Loader with Windows 7 – first time after Kali installation.

1st, Mr Grub, it’s not a “Vista system”, it’s a Win7…

2nd, Invalid argument? What?! Ok, continue… loading Win7…

Of course, Windows 7 detected an inconsistency in my NTFS partition and asked for a check (using the good ol’ CHKDSK). I allowed it. Win7 finally loaded up and I shut it down; after all, this should be a post about KALI!! LoL. Going back to it now.

There is a Top 10 Security Tools section, for those with no real clue about where to start. Ease of use is the word!

Here’s the list:

1 – Aircrack-ng (I would replace it with Gerix, since it’s a more complete and user-friendly tool)

2 – burpsuite

3 – john the ripper

4 – Maltego

5 – Metasploit framework

6 – nmap

7 – sqlmap

8 – webscarab

9 – wireshark

10 – “zaproxy” – a.k.a Owasp Zap

Others:

– No more Ubuntu. Now, it’s Debian!! 🙂

– No more red background? It should be kept. After all, this kind of distro still represents HELL for sysadmins;

– Arduino IDE – for programming electronic components. Its inclusion may have been inspired by the latest Black Hat challenges or fuzzer presentations;

– Hardware Hacking, where you can find Android tools. The next target for security researchers, indeed;

– Gerix is really nowhere to be found. Am I missing something? Is it obsolete already? Or was it removed because it has those disgusting graphical mouse/click screens?

Anyway, there’s a lot to test before a new post. But I’m glad that every day more & more tools are being created or reorganized.

The bottom line is: Kali Linux replaced Backtrack, which can now be considered RETIRED. Kali is improved and reorganized, with more tools and some (at least one) removed, for a reason I still intend to understand better.

Edit 2: Be careful when installing outside packages from Debian repositories. It can screw up your Kali tools menu.

Useful commands:

http://docs.kali.org/live-build/customize-the-kali-desktop-environment

# packages needed to build a customized Kali live image (run as root)
apt-get install git live-build cdebootstrap

# package list baked into the live image; the path is relative to the live-build config tree
vim config/package-lists/kali.list.chroot

# Metasploit needs its PostgreSQL database running before its own service starts
service postgresql start

service metasploit start

Vulnerability Monster Reports? You are a Tool!

If you have a scanner to search your entire network for problems, know this:

1 – The scanner is not the Oracle. No matter how much you trust the vendor, you can’t just send 16.000 “high” vulnerabilities to your IT department, without any kind of relevance classification, and expect them to read it;

Dr Scanner Evil

2 – If you do this, you are just “washing your hands” and preparing an idiotic line like “my last report had this warning for you and nothing was done!” in case something bad happens. Plus, if a breach really does happen, you are not likely to be informed, because the CIO is not going to hand you rocks to break his own window;

3 – Scanners have some kind of false-positive list. USE IT. It could trim a lot off that 500 Mb PDF you intend to send;

4 – If you are too cowardly to pick a vulnerability out of 16.000 and classify it as bullshit (sorry, “not relevant”), then everybody else in your company will know you have zero knowledge of vulnerability management;

5 – Choose an application with really severe problems, not one with “too many problems in the report”, before asking IT for action. Otherwise people will know you are being driven by numbers, and they will put almost no effort into testing a new package just to reduce the counts in a report;

6 – Don’t use pivot tables or Count functions to decide which problem you want to attack first; otherwise, again, you are a slave to numbers. This is not vulnerability management;

7 – If you can’t read blogs and research sites looking for exploits, and when you do, you can’t figure out which exploit applies to your environment, then you will never be able to call a problem relevant or classify anything;

8 – Bring the IT teams to your side by explaining, with technical details, why you would like to test and install that patch on all computers. Be ready to defend your idea with real arguments, not F.U.D.;

9 – If, after all of the above tips, you still plan to keep working that way, be sure your network is about to be, or already is, exploited;

10 – Finally, if you think breaches are an IT problem as long as you reported all possible holes with your monster list, you should really start considering another career away from Information Security.
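To make points 3, 5 and 6 concrete, here is an added example (my own illustration, not part of the original post or of any scanner product) of a small triage pass over scanner output: confirmed false positives are dropped first, then the remaining findings are ranked by scanner severity, asset criticality and whether a public exploit exists, instead of by how many findings a host has. The findings, plugin ids, asset tiers and false-positive list are all constructed sample data.

```python
# Added example: ranking scanner findings by relevance instead of by count.
# All hosts, plugin ids and findings below are constructed sample data.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: str        # scanner check identifier (constructed, not a real plugin id)
    title: str
    severity: str         # the scanner's own label: "high", "medium" or "low"
    exploit_public: bool  # a working public exploit exists for this issue


# Constructed findings: one noisy kiosk, one web server, one database server.
FINDINGS = [
    Finding("kiosk07", "50001", "SSL certificate expired", "low", False),
    Finding("kiosk07", "50002", "ICMP timestamp response", "low", False),
    Finding("kiosk07", "50003", "HTTP TRACE method enabled", "low", False),
    Finding("kiosk07", "50004", "Service banner discloses version", "low", False),
    Finding("web01", "10001", "Outdated OpenSSL version", "high", True),
    Finding("web01", "20002", "Directory listing enabled", "medium", False),
    Finding("db01", "30001", "Database accepts unauthenticated connections", "high", True),
    Finding("db01", "50005", "Weak SSH MAC algorithms", "low", False),
]

# Point 3: the false-positive list. The OpenSSL check on web01 is version-based and the
# distribution backported the fix, so an analyst confirmed it does not apply there.
FALSE_POSITIVES = {("web01", "10001")}

# Asset criticality decided by the business, not by the scanner (1 = low, 3 = critical).
ASSET_TIER = {"web01": 3, "db01": 3, "kiosk07": 1}

SEVERITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}


def drop_false_positives(findings, false_positives):
    """Remove (host, plugin) pairs an analyst has confirmed as not applicable."""
    return [f for f in findings if (f.host, f.plugin_id) not in false_positives]


def score(finding, asset_tier):
    """Relevance = scanner severity x asset criticality, doubled if a public exploit exists."""
    exploit_factor = 2 if finding.exploit_public else 1
    return SEVERITY_WEIGHT[finding.severity] * asset_tier.get(finding.host, 1) * exploit_factor


def triage(findings, false_positives, asset_tier, top=3):
    """Return the top findings as (score, finding) pairs, most relevant first."""
    kept = drop_false_positives(findings, false_positives)
    ranked = sorted(kept, key=lambda f: score(f, asset_tier), reverse=True)
    return [(score(f, asset_tier), f) for f in ranked[:top]]


def noisiest_host(findings):
    """Point 6, the wrong way round: the host that merely has the most findings."""
    return Counter(f.host for f in findings).most_common(1)[0][0]


if __name__ == "__main__":
    print("Counting alone would send IT after:", noisiest_host(FINDINGS))
    print("Relevance-ranked shortlist:")
    for s, f in triage(FINDINGS, FALSE_POSITIVES, ASSET_TIER):
        print(f"  {s:3d}  {f.host:8s} {f.severity:6s} {f.title}")
```

On this sample the pivot-table approach points at the kiosk with four cosmetic lows, while the ranked shortlist leads with the unauthenticated database on a critical host and the web server's OpenSSL entry disappears because the false-positive list was actually used. The weights are deliberately simple; the point is that the ordering comes from an analyst's judgement about exploitability and asset value, which is the argument you bring to the IT team in point 8.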

Did I say anything wrong or obtuse? Write your thoughts below. I’ll be happy to read your ideas!