Tuesday, March 10, 2009

An Oldie But a Goodie

Yeah, back during the '01 layoffs at Cisco (or was it afterwards, during one of the never-ending reorgs? Can't recall) I had a DivX of Office Space that I would watch while I worked to remain productive, and we'd take lots of orbits around the parking lot and watch for this old guy with a beard down to his knees who would get off his shift at 3:30 at the Tyco fab next door and walk to his Corvette. Happy days!

Time to leave the SBUX and get to work...

Wednesday, March 04, 2009

"Cyber Katrina" or "Digital Pearl Harbor" (which is a more loathsome term?)

Every time you hear 9/11 or Cyber Katrina you should reach for your wallet.  

Does anyone find this sort of hyperbole rhetorically effective?


House Permanent Select Committee on Intelligence

Washington, D.C.

RE: Establishment of North American Urgent Radiological Information Exchange

Madame Chairperson:

While we do not believe that this is a matter that rightfully falls under the province of your Committee, in the interest of cooperation, this letter will address the events leading up to the establishment of the North American Urgent Radiological Information Exchange (NAURIE).

As you know, on the 10th year anniversary of 9/11, all of our nation’s nuclear power plants were targeted in a massive distributed denial of service attack orchestrated by the Conficker III botnet which had grown to a heretofore unheard of 30,000,000+ infected PCs.

While US CERT teams as well as regional DOE cyber security personnel were focused on combating this external threat, each plant’s internal firewall separating the Command and Safety System Networks from the Site Local Area Network was breached from the inside due to the use of pirated hardware with malicious embedded code that passed server control to external users.

Of even more concern is the fact that all of these plants were targets of a carefully planned, long-term social engineering attack which relied on human error and the broad-based appeal of social network sites. As DOE employees broke protocol and downloaded phony social software apps, malicious code worked its way into secure networks and lay dormant until activated by the attacking force.

This led to a number of consecutive failures in our safety mechanisms resulting in partial to complete core meltdowns at 70% of our plants. When these plants went offline, the nation’s power requirements couldn’t be met. Grids were overwhelmed and blackouts began occurring in our most heavily populated urban areas. Once criminal gangs realized that overburdened police departments were unable to respond to every 911 call, looting of businesses began in earnest as did home invasions in the wealthier neighborhoods.

One year later, we still do not have a final count on the number of deaths and casualties but most responsible estimates place them in the tens of thousands. If we extrapolate out for the as yet unknown future effects of radiation poisoning on the victims, the count goes into six figures.

While this is clearly a tragedy on every level, I feel I must point out that the NNSA, as late as 2009, in a letter to the Los Alamos National Laboratory, did our part in improving security by determining that the loss of 83 LANL laptops should no longer be considered just a “property management” issue, but a cyber security issue as well.

Also, that our G3 physical security model (Gates, Guards, Guns) was not compromised, and that cyber security compliance has never been a mandatory policy; that instead it was an ongoing negotiation among various other considerations.


Director, National Nuclear Security Agency
(BTW, this is far less salacious than the scenario we came up with for CyberStorm 2005 in the Energy sector)

So. Am I just a reactionary? Is this sort of FUD a necessary evil to make "progress on cybersecurity", or just another boondoggle?

Sunday, March 01, 2009

ASA5505 SSLVPN Port Forwarding

So, as I've been chronicling over on @frednecksec, I've been pleasantly surprised with the new ASA5505 I got for my classroom network. Although I'm looking forward to replacing iptables, the main reason for the purchase was the WebVPN, in particular the ability to do port forwarding. Yes, this is just like SSH local port forwarding.

Here is a config snippet for ASA 7.2(4) to get port forwarding working.

Enable WebVPN on the outside interface (these commands live in webvpn configuration mode):

webvpn
 enable outside

Actually, if you stop here you would already be able to do URL redirection and get to web servers behind the ASA, although that entry doesn't show up anymore once port forwarding is set up.

Still in webvpn mode, define the port-forwarding list. The full syntax is port-forward <list_name> <local_port> <remote_server> <remote_port> [description]; the line as posted omits the remote server (the inside host the applet tunnels to), which has to be supplied before this will work:

webvpn
 port-forward SSH 2223 ssh

group-policy first internal
group-policy first attributes
 vpn-tunnel-protocol webvpn
 webvpn
  functions port-forward auto-download
  port-forward value SSH

Some gotchas here. "port-forward" and "auto-download" have to be on the same functions line. It wasn't immediately obvious to me that I also needed the "port-forward value" line. My general approach for Cisco CLI work is to just brute-force it to find the minimal config, and this was the key thing I ran across: unless you have that line, the session won't show up in the UI (see above), although the applet will still download.

The steps below are pretty straightforward once you have the group policy created (above):

username vpnuser password ... encrypted
username vpnuser attributes
 vpn-group-policy first
tunnel-group test type webvpn
tunnel-group test general-attributes
 default-group-policy first
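Pulling the snippets above together into one listing in the order you would paste it, as an added example assembled for this page rather than the original post's own config. It uses ASA 7.2 syntax; 192.0.2.10 is a placeholder for the inside SSH host (the value the post's port-forward line omits), and vpnuser/REPLACE-ME are placeholder credentials:

```cisco
! Added example: WebVPN (clientless SSL VPN) port forwarding on ASA 7.2(4).
! Assumptions: "outside" is the Internet-facing interface, 192.0.2.10 is the
! inside SSH server (placeholder; the original post's line omits this value),
! and vpnuser / REPLACE-ME are placeholder credentials.

! 1. Turn on WebVPN on the outside interface and define the forwarding list.
!    The client gets a local listener on port 2223 that is tunneled to 192.0.2.10:22.
webvpn
 enable outside
 port-forward SSH 2223 192.0.2.10 ssh Classroom SSH

! 2. Group policy: WebVPN only, push the applet automatically, attach the list.
!    "port-forward" and "auto-download" must be on the same functions line,
!    and without "port-forward value" the session never shows up in the portal.
group-policy first internal
group-policy first attributes
 vpn-tunnel-protocol webvpn
 webvpn
  functions port-forward auto-download
  port-forward value SSH

! 3. A local user and a WebVPN tunnel group that hand out that policy.
username vpnuser password REPLACE-ME
username vpnuser attributes
 vpn-group-policy first
tunnel-group test type webvpn
tunnel-group test general-attributes
 default-group-policy first
```

To check what took, show running-config webvpn and show running-config group-policy first print exactly the pieces above. Once a user has logged in to the portal on the outside address and the applet has started, ssh -p 2223 to the loopback address on the client machine lands on the inside host; only the list named in port-forward value is offered, so keep that list to the ports you actually want exposed.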

This works on Ubuntu 8.10 (Java 6) with Firefox 3.x, OS X 10.4 with Safari 3, and Windows XP SP3 with both Firefox 3.x and IE (who knows what version).