Thursday, January 29, 2009

SPAN, RSPAN and Network TAPS

In agreement with Richard Bejtlich, and based on my past experience, I also prefer Network TAPS to R/SPAN technology. When someone asks me why I prefer TAPS, I start a long discussion with examples and impressions. I never thought of 5 schematic points to sum up all the security and non-security issues in favor of TAPS. For this reason I think his words are really clear and concise.

I'm (Richard) using the following points when discussing the situation.

1) Taps free SPAN ports for tactical, on-demand monitoring, especially intra-switch monitoring. Many switches have only two ports capable of SPAN, and some offer only one. If you commit a SPAN port for permanent monitoring duties, and you need to reassign it for some sort of troubleshooting on a VLAN or other aspect of the traffic, you have to deny traffic to your sensor while the SPAN port is doing other work. Keep your SPAN ports free so you can do intra-switch monitoring when you need it.

2) Taps provide strategic, persistent monitoring. Installing a tap means you commit to a permanent method of access to network traffic. Once the tap is installed you don't need to worry about how you are going to access network traffic again. Taps should really be part of any network deployment, especially at key points in the network.

3) Selected taps do not permit injected traffic onto the monitored link. Depending on the tap you deploy, you will find that it will not be physically capable of transmitting traffic from the sensor to the monitored link. This is not true of SPAN ports. Yes, you can configure SPAN ports to not transmit traffic, and that is the norm. However, from my consulting days I can remember one location where I was told to deploy a sensor on a box with one NIC. Yes, one NIC. That meant the same NIC used for remote SSH access also connected to a switch SPAN port. Yes, I felt dirty.

4) What taps see is not influenced by configuration (as is the case with SPAN ports); i.e., what you see is really what is passing on the link. This is key, yet underestimated. If you own the sensor connected to a SPAN port, but not the switch, you are at the mercy of the switch owner. If the switch owner mistakenly or intentionally configures the SPAN port to not show all the traffic it should, you may or may not discover the misconfiguration. I have seen this happen countless times. With a network tap, there's no hiding the traffic passing on the monitored link. Many shops have been surprised by what is traversing a link when they finally take a direct look at the traffic.

5) Taps do not place traffic on a switch data plane, like a SPAN port does. This point is debatable. Depending on switch architecture, SPAN ports may or may not affect the switch's ability to pass traffic. By that I mean a SPAN port may not receive all traffic when the switch is loaded, because forwarding may take precedence over SPANning.

Making a Network Tap is also really cheap and very easy. Network Taps do not have the hardware capability to send signals on the cable, so to build a tap you need to extract the RD cables from your network following this pattern:

At the end of the day, if you wanna put on your home network two taps (one for security monitoring and one for statistical monitoring) what you see is something like this one.

Anyway, I don't wanna write about how to build a tap; for this you can find a great guide right here. Today I have learned how to support my "taps thesis" using only 5 observations.

Sunday, January 25, 2009

Microsoft Songsmith ... ... Is it real ??

Hi folks, today I watched this video ... it looks pretty cool !

Saturday, January 24, 2009

Watching HULU through BOXEE outside US.

Hello everybody, today I resolved a very old problem on my multimedia center (Boxee): watching Hulu outside the US.
As you probably know, HULU is a website that offers commercial-supported streaming video of TV shows and movies from NBC, Fox and many other networks and studios. Hulu videos are currently offered only to users in the United States. Hulu provides video in Flash Video format, including many films and shows that are available in 480p. In addition, some TV shows and movies are now offered in high-definition. Hulu also provides web syndication services for other websites including AOL, MSN, MySpace, Yahoo! and Comcast's Hulu offers over 100 motion pictures that range from classic to modern films. The movie content is provided by studios such as Universal Pictures, 20th Century Fox, MGM, Lionsgate Entertainment and Sony Pictures among others. Hulu also offers trailers for new and upcoming movies. R-rated and TV-MA content is available unedited but only for registered users.
Boxee is definitely my favorite "social" multimedia center.
Boxee is a free cross-platform media center and entertainment hub with social networking features that is a fork of the open source XBMC media center software. As a "'Social Media Center", Boxee enables its users to view, rate and recommend content to their friends through many social networking features.

Watching Hulu outside the US sounds pretty easy: just add a free US proxy to your connection. This might work, but how long will your proxy be up? Moreover, how do you know which is the best (the fastest) proxy available during your connection time? Some time ago I tried using the free proxy lists, but by the time you find the right proxy you are too tired to watch the desired movie :P. The "proxy finding process" took too much time. So after a deep Google search and after having tried many different solutions, I can suggest the HotSpotShield solution. It dynamically searches for the fastest proxy, building a VPN by changing your internet connections, everything for free. What you need is to download and install HotSpotShield. After the installation process (it requires the administrator's password) you get a red/green icon on the top bar like this:

By clicking on it you decide whether or not you want to connect to the free VPN.

After the connection has been made correctly, open your Boxee media center and open the HULU plugin. Startup is quite slow, but after that everything goes faster!

Thursday, January 22, 2009

Working Time, Manarola ITALY

Hey Guys, it's not fantasy it's just Italy.

Tuesday, January 20, 2009

Common Passwords

This morning, looking on the floor under my desk, I picked up a yellow post-it. On it was written:
Password: "qwerty". Suddenly a site I read some time ago, with the top 500 worst passwords, came to my mind. I started a deep Google search and I found the password "qwerty" in the top ten!

Since people don't care about password security, how can security researchers increase security? You can add all the security systems that you want, but if the root password is "qwerty" it's pretty difficult to guarantee the security of the system.

Wednesday, January 14, 2009

Huge XTERM vulnerability.

Hi folks, today I found around the corner a huge XTerm code injection.
DECRQSS Device Control Request Status String "DCS $ q" simply echoes
(responds with) invalid commands.

Exploitability is the same as for the "window title reporting" issue
in DSA-380: include the DCS string in an email message to the victim,
or arrange to have it in syslog to be viewed by root.

So for example:
perl -e 'print "\eP\$q\nnetstat\n\e\\"' > bla.log
cat bla.log   # would run the "netstat" command
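
A defensive counterpart to the issue described above, as an added example that is not part of the original post or the quoted advisory: a filter that finds DCS strings in log or mail text and renders them as visible text before anything reaches a terminal. It assumes UTF-8 input; the names `find_dcs`, `sanitize` and `visible` and the sample log line are constructed for illustration.

```python
import re
import sys

# DCS introducer: ESC P, or the C1 control U+0090. String terminator (ST):
# ESC \ or U+009C. An unterminated DCS is taken to run to the end of input.
DCS_RE = re.compile(r"(?:\x1bP|\x90)(.*?)(?:\x1b\\|\x9c|\Z)", re.DOTALL)
# Remaining C0 controls (tab and newline excepted), DEL, and all C1 controls.
CTRL_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f-\x9f]")

# Constructed sample: a syslog-style line carrying the DCS string from the post.
SAMPLE = ("Jan 14 10:00:01 host sshd[411]: Invalid user "
          "\x1bP$q\nnetstat\n\x1b\\ from 192.0.2.7\n")


def visible(text):
    """Render text with control and non-ASCII characters backslash-escaped."""
    return text.encode("unicode_escape").decode("ascii")


def find_dcs(text):
    """Return (offset, is_decrqss, payload) for each DCS string in text."""
    return [(m.start(), m.group(1).startswith("$q"), m.group(1))
            for m in DCS_RE.finditer(text)]


def sanitize(text):
    """Return text that is safe to print: no control sequence survives."""
    text = DCS_RE.sub(lambda m: "<DCS " + visible(m.group(1)) + ">", text)
    return CTRL_RE.sub(lambda m: "\\x%02x" % ord(m.group(0)), text)


if __name__ == "__main__":
    # With no file arguments, run on the constructed sample.
    texts = []
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            texts.append(fh.read())
    for text in texts or [SAMPLE]:
        for offset, is_decrqss, payload in find_dcs(text):
            kind = "DECRQSS" if is_decrqss else "DCS"
            print("%s at offset %d: %s" % (kind, offset, visible(payload)),
                  file=sys.stderr)
        sys.stdout.write(sanitize(text))
```

Findings go to stderr and the sanitized text to stdout, so the script can sit in a pipeline in front of a pager when reviewing untrusted logs.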

Saturday, January 3, 2009

iPhone Bluetooth: good progress

Hi folks, finally the iBluetiitProject's team has made some progress on iPhone Bluetooth!

Some comments directly from the forum .

The teaser app called “bluesn0w” does a 10 second scan for near-by bluetooth devices and displays each of their MAC addresses. Their goal is to bring to the iPhone the bluetooth services a smart mobile phone should have.
Final app deets:
1. Ultimately this application will probably be Free and Open Source,
2. It obviously will look a lot more flashy, with a clean and easy to use GUI,
3. (We think) the app will be able to complete your wildest dreams. (Nothing in the ‘requests’ section I don’t see cannot be done for the most part!)
4. Did I hear something about Bluetooth Super Hack? You can bet your bottom dollar we’re working on it!
5. The MAC address can be spoofed, and we will possibly add this ability to the final release.

Amazing guys, hope to see some more news soon.