
31 July 2017

Five years ago …



Five years ago I opened this blog to write about networking and security, because I wanted to improve my writing skills and it was a good way to stay up to date on technologies, standards, protocols, attacks, etc. In addition, I've been writing in English for two years and I want to keep writing in English because I don't want to forget the language. Who knows whether I'll be writing in French in the future, because I really love languages and I've started learning French as well.

What have I done in the last year? I've done many things, as always, and I like it. I've been reading, studying, testing and teaching new datacenter technologies like Shortest Path Bridging (SPB), Virtual Extensible LAN (VXLAN) and Software-Defined WAN (SD-WAN). On the other hand, I've also installed, configured and/or supported load balancer appliances, SIEM appliances and firewall appliances, and I've even been at the FortiXpert (again) and ForoCiber conferences. Everybody has heard about WannaCry, which was just another cyberattack, and the Apache Struts vulnerability, which I analysed and read about to learn how they work. Troubleshooting network performance issues and improving SSL VPN performance with DTLS are another two things which have improved my knowledge about networking, as well as studying the DTLS protocol for configuring SSL VPN over UDP. In addition, I've also been reading a lot about CIA hacking tools, the Security Directives for the EU, the cyber rights in the new GDPR, and books like the Steve Jobs biography and The Truth About Your Future. So much reading and studying has been done that I achieved the level of F5 Certified BIG-IP Administrator. What's more, once again, I've been abroad in a workcamp for two weeks, working for free, in a small town in the Czech Republic where I met interesting and kind people. Finally, I would also like to highlight the speech at CUM University where I returned to speak about security.

An overview of the most widely read posts in the last five years is the following:


With regard to where the blog is visited from, the statistics are the following:


Last but not least, I would like to thank everybody who reads this blog and supports me, because they are the main reason why I have already written 244 posts with almost 180000 views. If someone has something to say to improve this blog, it is welcome.

Regards my friends, and I hope to see you again in September after a great holiday.

24 July 2017

Throw away your firewalls!!



I usually install firewall appliances with UTM (Unified Threat Management) features to protect our customers' networks and information against viruses, malicious websites, spam, attacks, etc. Most of these firewalls are installed at the perimeter of the network, and most of them have VPN capabilities as well. Therefore, SSL VPN or IPsec VPN is used to connect to the organization from untrusted networks like coffee shops, airports, hotels, etc. Actually, this is a good way to give remote users access to internal services.

However, Google wants to break the schemas, architecture and design we are used to seeing with a new concept called BeyondCorp. They are working on a new approach to enterprise security where everything is untrusted, also called Zero Trust, and where access controls are shifted from the perimeter to individual devices and users, allowing employees to work securely from any location without the need for a traditional VPN. As a result, employees don't have to install any VPN client, which is a great benefit, and internal services are no longer internal: they are accessible from any location, even from the Internet.

BeyondCorp components and access flow
 
As we can see, this new approach has many components. Since it trusts individual devices and users instead of networks, there are two important databases, the device inventory database and the user/group database, where trustworthy users and devices are stored. However, the trust of a user or device can change over time: for example, if the device doesn't have the latest OS patch applied, doesn't have the latest antivirus signatures, or its certificate is blacklisted, that device is no longer trustworthy and it is moved to the untrusted network. All of these tasks are done by the trust inference component, the certificate issuer and the pipeline. On the other hand, the access control engine, along with the access proxy, provides service-level authorization to enterprise applications on a per-request basis. This new security model also has a RADIUS component to move users and devices from one VLAN to another inside Google buildings, and a Single Sign-On component for user authentication to all applications.
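The trust inference and per-request authorization just described, as an added toy example (not Google's code): device trust is derived from the inventory, the certificate blacklist, patch age and antivirus signature age, and the access control engine checks that tier plus the user's groups on every request. Tier names, thresholds and the policy table are assumptions for the demo.

```python
"""Toy BeyondCorp-style trust inference and per-request access decision.
Added example, not Google's implementation; component names follow the
post (device inventory, user/group database, trust inference, access
control engine). Thresholds, tiers and policy values are constructed."""
from dataclasses import dataclass, field

# Trust tiers assigned by the trust inference component (assumed values).
UNTRUSTED, LOW, MEDIUM, HIGH = 0, 1, 2, 3


@dataclass
class Device:
    device_id: str
    cert_serial: str
    os_patch_age_days: int       # days since the last OS patch was applied
    av_signature_age_days: int   # days since the AV signatures were updated


@dataclass
class User:
    username: str
    groups: set


@dataclass
class Inventory:
    """Device inventory database plus the certificate issuer's blacklist."""
    devices: set
    revoked_certs: set = field(default_factory=set)


def infer_trust(device: Device, inv: Inventory,
                patch_max_age: int = 30, av_max_age: int = 7) -> int:
    """Trust inference: unknown device or blacklisted cert -> UNTRUSTED;
    stale OS patches cap the tier at LOW, stale AV signatures at MEDIUM."""
    if device.device_id not in inv.devices or device.cert_serial in inv.revoked_certs:
        return UNTRUSTED
    tier = HIGH
    if device.os_patch_age_days > patch_max_age:
        tier = min(tier, LOW)
    if device.av_signature_age_days > av_max_age:
        tier = min(tier, MEDIUM)
    return tier


# Access control engine policy (assumed): service -> (minimum tier, allowed groups).
POLICY = {
    "codereview": (HIGH, {"eng"}),
    "wiki": (LOW, {"eng", "sales"}),
}


def authorize(service: str, user: User, device: Device, inv: Inventory) -> tuple:
    """Decision the access proxy makes for every single request, regardless
    of the network the request arrives from. Returns (allowed, reason)."""
    if service not in POLICY:
        return False, "unknown service"
    need_tier, groups = POLICY[service]
    tier = infer_trust(device, inv)
    if tier < need_tier:
        return False, f"device tier {tier} below required {need_tier}"
    if not (user.groups & groups):
        return False, "user not in an allowed group"
    return True, "ok"
```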

This new security approach of protecting the corporate environment without a perimeter firewall requires publishing all internal services to the Internet. As we can see, Google has resources like the codereview.corp.google.com domain name registered in public DNS with a CNAME pointing to the access proxy:

DNS Intranet resources

Moma is the Intranet of Google employees, and lots of resources are accessible from the Internet through the access proxy with BeyondCorp:

MOMA Single Sign-On

From my point of view, firewalls aren't going to disappear yet, but we'll move to a 4th generation of firewalls where we'll configure firewall policies by users and devices easily instead of by networks, because every location and network will be untrusted. In addition, we'll have better integration between all IT devices (servers, desktops, databases, WiFi, switches, mail, web, firewall, etc.) for better security protection, as Fortinet is doing with its Fortinet Security Fabric.

Regards my friends, and remember: the world is changing very fast, and IT security as well.

17 July 2017

Reverse Engineering Malware



I'm used to working with network devices and security systems to improve network performance and protect information. It seems I'm specialized in the networking and security fields but, in fact, there are lots of subfields inside networking and security like forensics, reverse engineering, law, pentesting, auditing, etc. Therefore, I'm not specialized yet in any field, but I would like to write about reverse engineering this week, which is an amazing and very technical field that only a few people know how to do very well. Of course, I'm not one of them. I'm a newbie in this field.

Reverse engineering is a field mainly for researchers and antivirus companies who are interested in finding exploitation techniques, discovering new encryption methods or finding encryption keys. They are also interested in finding new de-obfuscation techniques and investigating C&C communications. Therefore, they know how to do complete reverse engineering with techniques such as static analysis, dynamic analysis, automated analysis and even manual analysis. Thus, knowing and picking the right tools is very important for reverse engineering.

There are many reverse engineering tools, some free and others commercial. For instance, the most popular static analysis tool for reverse engineering is IDA Pro, which is useful for decompiling with Hex-Rays, but if we are newbies we can use Radare2 for free and Linux commands like strings, file or otool. However, there are many more static analysis tools like PEiD, PEStudio, PE32, etc. On the other hand, there are many dynamic analysis tools like Immunity Debugger, OllyDbg, Sysmon, Regshot or the popular Wireshark/tcpdump.

IDA PRO
 
Sandboxing is another kind of dynamic analysis tool that is very popular and useful today. There are free online sandboxes like Malwr, Hybrid Analysis, DeepViz or VirusTotal, and there are also commercial sandboxes like FortiSandbox, in the cloud or as an on-site appliance. Of course, local (on-premise) sandboxes are better than online sandboxes because uploading the file to the sandbox is faster and, as a result, we'll have the results faster too. In addition, local sandboxes are more customizable than online sandboxes because we can choose the language of the operating system and other kinds of variables for better analysis.

FortiSandbox

If we don't have deep knowledge about malware analysis and we don't have enough resources either, we can use Cuckoo Sandbox for reverse engineering malware. It is an automated malware analysis system which is able to analyse any malicious file under Windows, OS X, Linux and Android. Cuckoo is a free, 100% open source sandbox that easily integrates with our existing frameworks and stores the data we want, in the way we want, in the format we want. Therefore, it's highly recommended to have a sandbox in our infrastructure, and Cuckoo Sandbox is better than nothing. It's another barrier for better security.

Cuckoo Sandbox

There are many other tools which help us to know what is happening in our infrastructure, like OTX, which is the Collective Intelligence Framework of AlienVault and where we can subscribe to Pulses to exchange indicators of compromise with our USM or OSSIM. On the other hand, we can also search for IP or domain reputation in online services like FortiGuard.

OTX

Regards my friends, and remember: reverse engineering malware is a subfield inside the security field which should be taken into account to protect our information.

10 July 2017

Decrypting DTLS traffic with Wireshark



I've written about Improving SSL VPN performance with DTLS recently, thus I would like to write about how to decrypt this traffic with Wireshark. DTLS is a protocol used for encrypting traffic over UDP, which is often used for SSL VPN tunnels, whereas TLS is a protocol used for encrypting traffic over TCP, which has worse performance for SSL VPN tunnels because it encapsulates TCP over TCP and, as a result, we often encounter retransmissions and packet loss. Therefore, cryptographic knowledge is important to understand the steps needed to decode DTLS traffic.

First, we have to ensure that no Diffie-Hellman Ephemeral (DHE/EDH) or RSA Ephemeral cipher suite is negotiated between server and clients, because Wireshark isn't able to decrypt data with the server's private key where ephemeral ciphers are used. Accordingly, I've disabled the DH, DHE, ECDH and ECDHE cipher suites on my SSL VPN server to be able to decrypt user traffic.

Control the cipher suites that can be used by an SSL VPN
 
The cipher suite negotiated between the SSL VPN server and clients can be checked in the initial DTLS session establishment, in other words, in the Client Hello and Server Hello exchange of the handshake protocol. In addition, these initial packets are needed by Wireshark to get the public key used by clients for data encryption.

Cipher Suite
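The Server Hello check described above, as an added example that is not part of the original post: parse a DTLS 1.2 handshake record, read the negotiated cipher suite and report whether it is static RSA (the only kind Wireshark's RSA keylist can decrypt) or ephemeral. The record header's explicit epoch and sequence number are also exposed, since those are what let DTLS run over UDP without TCP ordering, as discussed in the post on Improving SSL VPN performance with DTLS. The record below is constructed, not a real capture, and the suite table is a small subset of the IANA registry.

```python
"""Parse a DTLS 1.2 ServerHello and classify the negotiated key exchange.
Added example, not from the original post; the sample record is constructed.
Note for the defender: static RSA suites are decryptable with the server
key precisely because they lack forward secrecy."""
import struct

SUITES = {  # subset of IANA TLS cipher suite codes (assumed enough for the demo)
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
HANDSHAKE, SERVER_HELLO, DTLS12 = 22, 2, 0xFEFD


def parse_record(data: bytes) -> dict:
    """DTLS record header (13 bytes): type(1) version(2) epoch(2) seq(6) length(2).
    Unlike TLS, the epoch and sequence number are on the wire, so records can
    be processed independently when UDP reorders or drops them."""
    if len(data) < 13:
        raise ValueError("short DTLS record")
    ctype, ver, epoch = struct.unpack_from("!BHH", data, 0)
    seq = int.from_bytes(data[5:11], "big")
    length = struct.unpack_from("!H", data, 11)[0]
    body = data[13:13 + length]
    if len(body) != length:
        raise ValueError("truncated DTLS record")
    return {"type": ctype, "version": ver, "epoch": epoch, "seq": seq, "body": body}


def parse_server_hello(body: bytes) -> dict:
    """DTLS handshake header (12 bytes): msg_type(1) length(3) message_seq(2)
    fragment_offset(3) fragment_length(3). Only unfragmented messages handled."""
    if len(body) < 12:
        raise ValueError("short handshake header")
    msg_type = body[0]
    length = int.from_bytes(body[1:4], "big")
    frag_off = int.from_bytes(body[6:9], "big")
    frag_len = int.from_bytes(body[9:12], "big")
    if msg_type != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    if frag_off != 0 or frag_len != length:
        raise ValueError("fragmented handshake message; reassemble first")
    hello = body[12:12 + length]
    ver = struct.unpack_from("!H", hello, 0)[0]
    sid_len = hello[34]                       # after 2-byte version + 32-byte random
    pos = 35 + sid_len
    suite = struct.unpack_from("!H", hello, pos)[0]
    return {"version": ver, "session_id": hello[35:pos], "cipher_suite": suite}


def key_exchange(suite: int) -> str:
    name = SUITES.get(suite)
    if name is None:
        return "unknown"
    return "static RSA" if name.startswith("TLS_RSA_") else "ephemeral"


def check_capture(record: bytes) -> dict:
    """What to expect from the Wireshark RSA keylist for this session."""
    rec = parse_record(record)
    if rec["type"] != HANDSHAKE:
        raise ValueError("not a handshake record")
    sh = parse_server_hello(rec["body"])
    kx = key_exchange(sh["cipher_suite"])
    return {"suite": SUITES.get(sh["cipher_suite"], hex(sh["cipher_suite"])),
            "key_exchange": kx,
            "decryptable_with_rsa_key": kx == "static RSA"}


def build_server_hello(suite: int, epoch: int = 0, seq: int = 1) -> bytes:
    """Constructed DTLS 1.2 ServerHello record for the demo (fixed random)."""
    hello = struct.pack("!H", DTLS12) + bytes(range(32)) + b"\x00"   # ver, random, empty sid
    hello += struct.pack("!H", suite) + b"\x00"                       # suite, null compression
    hs = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + struct.pack("!H", 0)
    hs += (0).to_bytes(3, "big") + len(hello).to_bytes(3, "big") + hello
    rec = struct.pack("!BHH", HANDSHAKE, DTLS12, epoch) + seq.to_bytes(6, "big")
    return rec + struct.pack("!H", len(hs)) + hs
```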
 
Once we have, or rather Wireshark has, the public key, we also need the private key to decrypt data traffic. If we manage the SSL VPN server, there are many ways to get it. For instance, next, we can see how to get the private key from an SSL certificate of a FortiGate appliance, which should be saved as a file from -----BEGIN PRIVATE KEY----- to -----END PRIVATE KEY-----.

Exporting private key from a SSL certificate

We should save the private key, for instance as private.key, to import it into the DTLS RSA keylist of Wireshark. Besides, we'll have to enter the IP address of the SSL VPN server, the server port listening for DTLS traffic, and what kind of traffic is being encapsulated into DTLS.

DTLS RSA Keylist
 
We already have almost everything; we just have to test it and check whether DTLS traffic is decrypted. Next, we can see how DTLS traffic is decrypted when I visit a webpage like www.davidromerotrejo.com from a client connected to an SSL VPN server with DTLS support. Actually, we'll be able to decrypt everything inside the SSL VPN tunnel, not only HTTP traffic but everything else.

Decrypting DTLS packets
 
If we work as security engineers for a company and we manage SSL VPN servers or firewall appliances, we can use this technique to decode encrypted traffic for troubleshooting purposes. On the other hand, there are SSL Inspection architectures where firewall appliances are able to decrypt and re-encrypt traffic, like a Man-In-The-Middle (MITM) attack, with the aim of analysing everything to block malware and attacks. This is a big responsibility, and a powerful tool, for security engineers, who should be monitored.

Regards my friends, and remember: encrypted traffic can be decrypted if you are in the middle; be careful with your responsibilities.

3 July 2017

Improving SSL VPN performance with DTLS



Networks are increasingly faster, mainly because the method of access to the medium is faster than ever, with up to 100 Gigabit Ethernet today. However, protocols are improving too, as we saw with Multipath TCP or Moving the Web from TCP to UDP, but today I would like to highlight how to improve VPN (Virtual Private Network) performance, because I've already written about VPN Security, Overlay Technologies like PBB, SPB or VXLAN, and Metro Ethernet Services like E-Line VPWS and E-LAN VPLS, but I've never written about performance and improvements in dial-up VPN for remote users.

Using TCP for an SSL VPN isn't a good idea anymore, because TCP was designed to run over an unreliable or slow underlying connection, where segment retransmission and flow control through windowing are useful. However, if we configure an SSL VPN over TCP and we send TCP traffic to the remote side, we could get poor performance due to the fact that we are encapsulating TCP over TCP and, as a result, there will be mismatched timers between the upper and lower layer TCP connections, which will increase retransmissions and packet loss.

SSL VPN over TCP with TLS - Stack

How can we improve SSL VPN performance? As TCP over TCP is a bad idea, we can use UDP for VPN tunneling with the DTLS protocol for security. In this way, traffic is protected as in the traditional SSL VPN with TLS but, this time, we'll use DTLS for communications security and UDP for better networking performance. As a result, the lower layer doesn't worry about segment retransmission and flow control, because this task is carried out by the upper layer, thus the throughput and performance of the SSL VPN will be much better.

SSL VPN over UDP with DTLS - stack

FortiOS 5.4 and the new FortiOS 5.6 already support SSL VPN over UDP with DTLS to improve SSL VPN performance. If we want to configure it, we need to run the following commands from the CLI.

Using DTLS to improve SSL VPN performance
 
Once we've enabled dtls-tunnel, the FortiGate opens the UDP port, as well as the TCP port, for the SSL VPN.

Local In Policy of FortiGate
 
However, we'll have to configure FortiClient as well to use DTLS, because it only uses TCP by default. If we want to use DTLS tunnels from FortiClient, we'll have to download a backup configuration from FortiClient and change the parameter preferred_dtls_tunnel to 1. After changing this parameter, we'll have to upload the configuration to FortiClient. Once this configuration is done, FortiClient will connect to the SSL VPN using UDP with DTLS first and, if that fails, FortiClient will connect to the SSL VPN using TCP with TLS.

FortiClient Configuration
 
Next, we can see a traffic capture using TCP with TLS for the SSL VPN.

SSL VPN over TCP with TLS

We can also see a traffic capture using UDP with DTLS for the SSL VPN, which offers better performance for remote users.

SSL VPN over UDP with DTLS
 
Regards my friends. I hope you've enjoyed this how-to and you're planning to migrate your SSL VPN to DTLS.

26 June 2017

French language A1 level passed



I'm here writing in English, once again, once a week. Recently, I wrote about Spanglish & Frañol, where I highlighted the main reason why I started to study English at the Official School of Languages: mainly, because my DNI was stolen in London and I didn't know how to explain my situation to the police by myself, which was mandatory if I wanted to return to Spain. This situation was a tipping point in my life and my career because I can now speak and write properly in English, which is useful for travelling, reading and studying English books, speaking with support engineers, watching webinars and conferences in English to learn new technologies, etc.

Currently, I'm studying French at the Official School of Languages, and who knows whether I'll be writing in French within 5 years, but what is a fact is that I passed the exam for the first level (A1) of French last week with a good score, and I'm proud of it. However, there is no tipping point this time: I started to study French because I like languages and it is the language spoken at the main institutional headquarters of the European Union, such as the European Parliament, European Commission or European Council in Brussels, as well as other institutional headquarters in Strasbourg and Luxembourg.

Preliminary level - scores

I still remember when I was at high school studying English, which was mandatory, and French, which was optional. In those years I studied lots of grammar and vocabulary, and I read books as well, but skills like speaking and listening weren't studied enough. Therefore, I think I studied for many years to learn just a little. However, I have to admit that I've learnt a lot of French in just one year at the Official School of Languages because teachers emphasize active skills such as writing and speaking as well as passive skills such as reading and listening. The method of the Official School of Languages is much more efficient than the method of the high school, although active skills like writing and speaking are still the most difficult to pass, maybe because they are more difficult to study.


I think learning a new language, being bilingual or trilingual, is something mandatory today because it has many advantages. For instance, we'll delay diseases like Alzheimer's, we'll improve creativity, we'll have a better ability to concentrate, we'll get better agility and flexibility in our cognitive system, we'll make better decisions, etc. These are just some advantages, but there are many others in the globalization era we are living in, like travelling, job opportunities, etc.

I'm going to keep studying French next year. I hope to improve my language skills to be speaking French someday, who knows!!

Regards my friends. Enjoy, read, study!

19 June 2017

Steve Jobs BIO



Reading is a good way to stimulate our brain and reduce stress. I don't know if these are the reasons why I read, but I really love reading quietly about technology, business, psychology or history. The last books I've read are The Century Trilogy, Countdown to Zero Day, Creativity, La Corporación and Crush It!, and this time I would like to write about Steve Jobs because I've just finished reading his biography.

Was Steve Jobs a good leader? He had the skills to be a good leader, such as being a visionary, a good speaker, a positive thinker, enthusiastic, intelligent and a decision maker, but he also had traits that made him hated by his employees and colleagues, because sometimes he didn't want to be realistic and many times he didn't respect people. It seems he wanted to do something great and big, like Apple, and no one mattered, just his aim. Being rude isn't a skill needed to make something great, as we have seen with Bill Gates, Mark Zuckerberg or Larry Page. What is my opinion? He could have been a much better leader.

Steve Jobs in the Apple Worldwide Developers Conference (WWDC) 2010

Steve Jobs was a businessman who loved design, marketing and business; he was always worried about design and marketing but not about money. First, he founded Apple Computer to build personal computers, which got its name from his strict diets of apples. After he was fired from his own company, he bought a small graphics company and founded Pixar to produce animated films for Walt Disney, like Toy Story, and he also founded NeXT Computer to build personal computers. In the end, Apple Computer bought NeXT Computer and Steve Jobs returned to Apple to make it great again.

Companies founded by Steve Jobs

He wanted to bring technology closer to consumers, and he achieved it with reliable, beautiful, innovative and easy-to-use devices like the iMac, iTunes, iPod, iPhone and iPad. As CEO of Apple, he was always worried even about small details like the colours or shape of devices, in addition to the business strategy. Therefore, he wanted to manage everything to build consumer devices where hardware and software were integrated in the same device and nobody could modify anything.

Apple devices

I don't use Apple devices and I don't have Apple shares either, but the last ten years have been amazing for the company and for the stock market, because shares have been increasing since the first iPhone was released. Today, Apple is a company more than 40 years old and shares are about $142 thanks to its innovative devices for consumers.

Apple shares

Sadly, Steve Jobs isn't here with us anymore, because pancreatic cancer took all his strength until his death. He was Buddhist and vegetarian, and he thought alternative medicine was going to treat his disease, but after 9 months he had to switch to conventional medicine because he was getting worse with alternative medicine. It was too late and his cancer had spread through his body, which led to his death. Today, Steve Jobs is dead but his profitable company is still with us, with Tim Cook in charge.

Regards my friends. Enjoy, read, study!

12 June 2017

Overview of tools and frameworks of the CIA



It seems like an action film where a man connects a memory stick to a computer to steal confidential information or get remote access to computers and databases, but intelligence services seem to work like this. It's not just an action film but the real world, where hackers develop hacking tools and malware frameworks to fight against terrorism and crime.

This week, I'm going to leave an overview of the latest hacking tools and malware frameworks developed by the CIA and published by WikiLeaks. I think all of these tools and frameworks are interesting to know how intelligence services work:

Pandemic: This malware is able to replace genuine files with trojaned files on-the-fly on Microsoft Windows file servers to infect targeted machines over the LAN.

Athena: This is another piece of malware for Microsoft Windows which is able to retrieve files from or send files to target systems, and also to load/unload malicious payloads into memory.

After Midnight: This is a malware framework for Microsoft Windows which is able to upload exploits to infected machines from a C&C system via HTTPS.

Archimedes: This is malware for Microsoft Windows where infected systems are used as pivot systems to perform man-in-the-middle attacks for monitoring and logging HTTP requests, as well as redirecting requests to the desired destination.

Scribbles: This is an interesting project to track who has opened, copied or modified confidential or secret information inside the CIA. It was done to identify insiders and whistleblowers.

Weeping Angel: This is a powerful tool to turn on the built-in microphone of Samsung Smart TVs to record voices and send them to a remote server.

HIVE: This is a project to design and configure a back-end infrastructure to hide the real communication between infected systems and C&C servers.

Grasshopper Framework: This is a framework to develop malware easily. Modules can be chosen to build custom malware without deep knowledge about developing malware. It sounds great, just for CIA operators.

Marble Framework: This framework is used by the CIA to hide and change text fragments written in English to another language like Chinese, Russian or Korean, with the aim of hampering forensic investigators and antivirus companies from attributing viruses, trojans and hacking attacks to the CIA.

Project Dark Matter: This is a project to infect Apple devices like Macs and iPhones, which is even able to gain persistence on re-installed devices because the malware is able to persist in the EFI firmware, kernel space and user space.

These are only some of the hacking tools and malware frameworks. I'm sure we are going to see more of this stuff soon.

Regards my friends. Enjoy and profit!!

5 June 2017

More hacking tools and malware frameworks



It's amazing how the media talks about WannaCry and cyberattacks again and again on TV, radio and in the news, but it seems to forget the other kind of cyberwar we have today. The Athena project, After Midnight and Assassin, Archimedes and the Scribbles project are just some of the hacking tools and malware frameworks developed by the CIA to exploit Microsoft operating systems for surveillance and gathering foreign intelligence. This week, I'm going to write again about more astonishing hacking tools developed by the US government, which deserve to be read about and studied to realise how they have been developing tools to get into our systems for years.

Last Thursday, June 1st 2017, WikiLeaks published documents about another hacking tool, from the Pandemic project of the CIA. This new project is able to compromise target machines in a local area network from Microsoft Windows file servers. How does this hacking tool work? A Windows file server which is sharing files with users replaces the shared files on-the-fly with a trojaned version, without changing the original file stored on the file server. Therefore, the file server infected with the “Pandemic” implant modifies/replaces files in transit over the LAN from the server to the target machine.

Pandemic Project: The same file is copied twice from the remote file share to the user's local disk. The file size Windows reports is vastly different, even if the user only gets the smaller replacement file

It's not only for enterprise networks and servers: the CIA, along with the United Kingdom's MI5 intelligence agency, has also developed tools to record audio from the built-in microphone of Samsung F Series Smart TVs and send this audio to a CIA server over WiFi or store it on a memory stick. This tool, called Weeping Angel by the CIA and Extending by MI5, was even able to record audio in a fake-off recording mode, where the Smart TV seems to be off but is actually on, because it keeps recording voices for surveillance purposes. I'm wondering whether a new version of this tool is able to record images from the webcam as well. Maybe yes.

Fake-off recording mode

How is all of this malware controlled? Where are the Command & Control servers? Maybe this question is answered by the HIVE project of the CIA. This project was to design and configure a back-end infrastructure to hide the real communication between target machines and C&C servers, where the CIA has configured a complex infrastructure with commercial VPS (Virtual Private Servers), a custom cryptographic protocol, VPN and SSL sessions to hide the real communication between infected machines and CIA operators.

Hive Beacon Test Infrastructure
 
Developing malware is difficult for most developers because they must have deep knowledge about persistence mechanisms, encryption, exploits, etc. Therefore, the CIA has also developed the Grasshopper framework to build customized malware payloads for Microsoft Windows operating systems in an easy way. For example, they can build simple or complex malware by choosing components, such as building malware for a specific version of Microsoft Windows, or depending on whether a particular antivirus product is running or not.

Using Grasshopper
 
As we can see, there are lots of hacking tools and malware frameworks from United States agencies, and the UK as well, for cyberattacks, cyberwar, cyber-whatever … are we ready?

29 May 2017

CIA hacking tools and malware frameworks



The WannaCry ransomware attacks were just more cyberattacks that took advantage of unpatched systems. However, I think the leaks published by WikiLeaks are more important than WannaCry because they allow governments, not our government but the US government, to have access to our devices. Sixteen leaks have already been published this year by WikiLeaks, where we can find hacking tools, malware frameworks, etc., and if they are stolen by someone and used with malicious intentions, something dangerous can happen worldwide. This week, I want to write about the latest leaks published by WikiLeaks.

The last leak was about the Athena project, where the CIA, along with Siege Technologies, developed a system to get into Microsoft Windows operating systems (from Windows XP to Windows 10, including Windows Server 2012) to retrieve files from or send files to target systems, and also to load/unload malicious payloads into memory. Two versions were released, Athena and Hera, the latter for new operating systems like Windows 8.1 and Windows 10. It means the CIA can have access to most Windows devices because there hasn't been any Windows update since then.

Athena Concept of Operation
 
Another recent and interesting leak is about two CIA malware frameworks for the Microsoft Windows platform, called After Midnight and Assassin. Both are designed as backdoor malware which is able to download “Gremlins” into target systems via “Octopus”. Gremlins are Windows exploits for particular tasks that CIA operators upload to target systems on demand, for instance to search for certain personal data, while the Octopus system is the HTTPS server or C2 (Command and Control) system for deploying Gremlins and retrieving information. Again, these two pieces of malware are for Windows machines.

AfterMidnight malware
 
Man-in-the-middle attacks are well known to most security engineers, and the CIA has also developed a tool to attack computers using this technique. This tool is called Archimedes and it runs on Windows XP, Vista or 7, while the target machine can run any operating system on the same Ethernet LAN. Therefore, Windows machines with Archimedes are pivot systems which are able to perform man-in-the-middle attacks to monitor and log HTTP requests from the target machine and even redirect those requests to desired IPs and domains.

ARP SPOOF
 
There are many leaks lately, but I would like to highlight the Scribbles project too. It is a document-watermarking preprocessing system that allows the CIA to track and identify who has opened or copied a file, with the aim of tracking and identifying insiders or whistleblowers. Once a Microsoft Office document is opened, there is an interaction between the tracking server and the file to know whether the document is a new one, the same one or has been modified. As a result, the tracking server has records with the IP address of the PC, and the files opened, copied, modified, etc.

Scribbles tracking system
 
From time to time we don't know whether these projects are for surveillance or espionage, but what we do know is that malicious use of these tools grants great power.

Be careful, take care my friends!

22 May 2017

Troubleshooting network performance issues



Lately, I've come across network performance issues in some data centers, which is usually a headache for networking engineers, because when you see that the bandwidth is enough but the throughput reached isn't what you expected, something is wrong. This is the time when solid networking knowledge is needed for the troubleshooting process, and concepts like checksum, Frame Check Sequence (FCS) or overruns are required to analyse network performance issues and fix them.

Obviously, we can also have performance issues due to the fact that applications and services aren't configured properly or have had a poor development process, but I would like to highlight in this post what we can check with regard to networking.

 
We should look at the network interfaces and check the following attributes:
  • Errors: This is the first thing we should look for because it counts when there are CRC errors, or when we receive frames that are too short or too long (CRC or checksum mismatch).
  • Dropped: It counts when an interface receives unintended VLAN tags or receives IPv6 frames when it isn't configured for IPv6.
  • Overruns: This is another important attribute to look at because it counts when the FIFO buffer gets full and the kernel isn't able to empty it. For example, if the network interface has a buffer of X bytes and it is filled and exceeded before the buffer can be emptied, then we have overruns.
  • Frame: It counts only when there are misaligned frames, i.e. frames with a length not divisible by 8. That length isn't a valid frame, so it is discarded. For instance, packets are going to fail if they don't end on a byte boundary.
  • Carrier: It counts when we have loss of link pulse. Sometimes it is reproduced by unplugging and plugging in the Ethernet cable. Therefore, if this counter is high, the link is flapping (up and down), the Ethernet chip is having issues or the device at the other end of the cable is having issues.
  • Collisions: This is another typical issue when we can't reach good performance. Collisions may count when an interface is running as half duplex and the other end is running as full duplex. The half duplex interface detects TX and RX packets at the same time and terminates its transmission. As a result, there are collisions, a duplex mismatch, and we get very bad throughput. It is important to remember that switched environments always operate as full duplex and collision detection is disabled by default.
Next, we can see a duplex mismatch lab where Fa 0/1 of ASW1 is working as full duplex and it has FCS-Errors, which means “Frames with valid size with Frame Check Sequence (FCS) errors but no framing errors”. Consequently, throughput between PC1 and SRV1 is very bad.


And we can also see that Fa 0/1 of CSW1 is working as half duplex and it has Late-Collision, which means “Number of times that a collision is detected on a particular port late in the transmission process”. This is a big clue that we have a duplex mismatch, which should be fixed to get good network performance.


This post is getting too long, I'm sorry, but I would also like to leave some Linux commands like ethtool -S eth0, netstat -s and netstat -i for troubleshooting network performance:

 
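As an added example (not code from the original post), the following Python script reads the same counters that netstat -i and ifconfig show, straight from the /proc/net/dev format, and maps each of the attributes listed above to a diagnostic hint. The /proc/net/dev text embedded in it is a constructed sample, and the error ratio threshold is an assumed value.

```python
# Added example (not from the post): parse /proc/net/dev and map each
# counter the post lists to a diagnostic hint. The text below is a
# CONSTRUCTED sample; on a real host read /proc/net/dev instead.
SAMPLE_PROC_NET_DEV = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   10240     120    0    0    0     0          0         0    10240     120    0    0    0     0       0          0
  eth0: 9876543  120000   95    2   40    55          0        12  8765432  110000    0    0    0   310       3          0
"""
# Column order of /proc/net/dev (receive block, then transmit block)
RX_FIELDS = ("bytes", "packets", "errs", "drop", "fifo", "frame", "compressed", "multicast")
TX_FIELDS = ("bytes", "packets", "errs", "drop", "fifo", "colls", "carrier", "compressed")


def parse_proc_net_dev(text):
    """Return {iface: {"rx_errs": n, "tx_colls": n, ...}} from /proc/net/dev text."""
    stats = {}
    for line in text.splitlines()[2:]:  # skip the two header lines
        if ":" not in line:
            continue
        iface, counters = line.split(":", 1)
        values = [int(v) for v in counters.split()]
        entry = {"rx_" + k: v for k, v in zip(RX_FIELDS, values[:8])}
        entry.update({"tx_" + k: v for k, v in zip(TX_FIELDS, values[8:16])})
        stats[iface.strip()] = entry
    return stats


def interface_findings(stats, error_ratio=0.0001):
    """Flag the counters discussed above; the ratio threshold is an assumed value."""
    findings = {}
    for iface, s in stats.items():
        hints = []
        packets = (s["rx_packets"] + s["tx_packets"]) or 1
        if (s["rx_errs"] + s["tx_errs"]) / packets > error_ratio:
            hints.append("errors: CRC/FCS errors or bad frame sizes, check cabling")
        if s["rx_drop"] or s["tx_drop"]:
            hints.append("dropped: unexpected VLAN tags or unconfigured protocols")
        if s["rx_fifo"] or s["tx_fifo"]:
            hints.append("overruns: FIFO full, kernel not draining the buffer")
        if s["rx_frame"]:
            hints.append("frame: misaligned frames, not ending on a byte boundary")
        if s["tx_carrier"]:
            hints.append("carrier: link flapping, faulty NIC or far-end device")
        if s["tx_colls"]:
            hints.append("collisions: half duplex on a switched port, duplex mismatch?")
        if hints:
            findings[iface] = hints
    return findings
```

On a real host, pass the contents of /proc/net/dev to parse_proc_net_dev and print interface_findings; the constructed eth0 line reproduces the duplex mismatch picture from the lab above (collisions plus FCS errors).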
Regards my friends and remember, sometimes we have to go down to the physical layer to fix network performance issues.

15 de mayo de 2017

Just another cyberattack



Today, I was thinking of writing about the errors, overruns, collisions, etc. that we could have in network interfaces, which are a mess for network engineers and, most of the time, difficult to resolve without a good troubleshooting process. However, this weekend has been a little bit interesting because we have seen how big companies like Telefonica, and many others, have been hit by ransomware and it has been published in the media. Therefore, I must write about this issue.

First, I think it has been another spam and malware campaign, just another, but this time many Spanish companies have been affected, some of which are listed on the IBEX35 stock index, and this is the reason why the media has been speaking about cyberattacks. However, it's a pity that big companies like Telefonica hadn't applied the patch in time. Maybe they didn't have enough time to test the patch MS17-010 published by Microsoft and they would rather take the risk of being infected. Unfortunately, this time, their internal desktops were compromised.

We are always saying that small companies don't have enough resources to fight against cyberattacks, but we can also see that big companies, with lots of resources, have the same issues but on a larger scale.

Meanwhile, we have seen that the shares didn't lose any value, which means investors don't mind this kind of news.

Telefonica shares
 
There are many Microsoft products affected in these cyberattacks, like IE10, IE11, Edge, Microsoft .NET Framework, Adobe Flash Player, etc., and most of them are installed by default on most Microsoft Windows operating systems.


Due to the high risk of these vulnerabilities, if you don't want to be infected by HydraCrypter, which is a variant of WannaCry, you should apply the following measures in your organization:
  • Limit user connections to the Internet and mail while you are applying patches and upgrading systems.
  • Upgrade the signatures of your security systems like AntiSpam, IDS/IPS and Antivirus.
  • Apply security policies to Internet access with IPS and Antivirus profiles.
  • Install security monitoring sensors to analyse traffic in the wild.
  • Apply the patches published by Microsoft to fix the bugs on desktops and servers.
  • Make sure you have backups.
More specific recommendations could be:
  • We can disable execution of files with the .WNCRY extension by GPO.
  • Isolate UDP 137/138 and TCP 139/445 communication inside the network.
  • Disable macros and scripts in received mail. We can use Office Viewer instead of Microsoft Office to open attachments.
If we have done our homework, we shouldn't be worried about this ransomware anymore. Why? Because most security systems have already published signatures to detect and block this malware, like, for instance, Fortinet or OTX from AlienVault.

WannaCry Indicators from OTX
 
Many people are wondering why last Friday was the day when these vulnerabilities were exploited massively. Maybe because last Friday was when WikiLeaks published “After Midnight” and “Assassin”, two CIA malware frameworks for the Microsoft platform, and, maybe, the attackers have taken advantage of these frameworks to develop this new malware.

Two CIA malware frameworks

Regards my friends, pay attention, protect your assets and keep calm!!
