Super-Networking Blog

Security

Security on a Stick - Yoggie

by admin on May.30, 2007, under Firewalls, Networking, Security, Software

I ran across a pretty sweet product today. It is called Yoggie Pico, and it is a security suite for your laptop that is based off of a USB stick. It is a hardened Linux box running off a 520MHz processor in a USB stick. It is supposed to provide all of the security you need on your laptop, and you can move it from PC to PC.

Features:

Yoggie Pico combines best-of-breed enterprise-class software with proprietary patent pending developments to provide a comprehensive security solution. With its stateful inspection firewall and NAT, Yoggie hides the laptop's IP address from the outside world and closes any unnecessary network connection. In addition, the hardware design and hardened OS prevents any tampering on the Firewall (a common Spyware, Viruses behavior). Deep packet inspection is performed by a robust intrusion detection/prevention solution to detect attacks as they begin their operation.

The application layer includes four transparent proxies, two for web traffic (HTTP, FTP) and two for email traffic (SMTP and POP3). Using a powerful true-type detection engine, the proxies can deal with any content type, including decompiled elements such as compressed class and file attachments. These elements are analyzed by seven security agents:

  • Adaptive Security Policy™
  • Multi-Layer Security Agent™
  • Layer-8 Security Engine™
  • URL Categorization & Filtering
  • Anti-Spam
  • Anti-Phishing
  • Antispyware
  • Antivirus
  • Transparent Email Proxies (POP3; SMTP)
  • Transparent Web Proxies (HTTP; FTP)
  • Intrusion Detection System / Intrusion Prevention System
  • VPN Client
  • Stateful Inspection Firewall

Cisco Vulnerabilities - It's a Big Day

by admin on May.23, 2007, under Networking, Security

There are two major Denial-of-Service (DoS) advisories out today.

Cisco IOS SSL Vulnerability

Affects:

  • Hyper Text Transfer Protocol over SSL (HTTPS). This is the most commonly used protocol that employs SSL.
  • Cisco Network Security (CNS) Agent with SSL support
  • Firewall Support of HTTPS Authentication Proxy
  • Cisco IOS Clientless SSL VPN (WebVPN) support

Cisco Crypto Library Vulnerability

Affects:

  • Cisco IOS
  • Cisco IOS XR
  • Cisco PIX and ASA Security Appliances
  • Cisco Firewall Service Module (FWSM)
  • Cisco Unified CallManager

Cisco Security Advisory - IPS/IOS

by admin on May.15, 2007, under Networking, Security

The U.S. Computer Emergency Response Team (US-CERT) has reported a network evasion technique using full-width and half-width Unicode characters that affects several Cisco products. The US-CERT advisory is available at the following link:

http://www.kb.cert.org/vuls/id/739224

By encoding attacks using a full-width or half-width Unicode character set, an attacker can exploit this vulnerability to evade detection by an Intrusion Prevention System (IPS) or firewall. This may allow the attacker to covertly scan and attack systems normally protected by an IPS or firewall.

Cisco's response is posted at the following link:

http://www.cisco.com/warp/public/707/cisco-sr-20070514-unicode.shtml
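
To see why width variants slip past a byte-for-byte signature match, and how canonicalizing input before matching closes the gap, here is an added example (not from the Cisco or US-CERT advisories). The signature list and the sample request paths are constructed for illustration.

```python
import unicodedata
from urllib.parse import quote, unquote

# Hypothetical signature list for this example (not taken from any product).
SIGNATURES = ("cmd.exe", "/etc/passwd")


def canonicalize(raw):
    """Percent-decode as UTF-8, then fold full/half-width forms with NFKC."""
    return unicodedata.normalize("NFKC", unquote(raw)).lower()


def match(text):
    """Return every signature that appears in the given text."""
    return [sig for sig in SIGNATURES if sig in text]


def inspect(raw):
    """Compare a naive match on the raw string with a match after folding."""
    naive = match(raw.lower())
    folded = match(canonicalize(raw))
    decoded = unquote(raw)
    return {
        "naive_hits": naive,
        "normalized_hits": folded,
        # Halfwidth and Fullwidth Forms block, U+FF00..U+FFEF
        "width_variants": any(0xFF00 <= ord(c) <= 0xFFEF for c in decoded),
        # Signatures that only show up once the input is canonicalized
        "evaded_naive": [s for s in folded if s not in naive],
    }


# Constructed sample request paths: plain ASCII, full-width letters,
# and the same full-width letters percent-encoded as UTF-8.
PLAIN = "/scripts/cmd.exe"
WIDE = "/scripts/\uff43\uff4d\uff44.exe"
WIDE_ENCODED = "/scripts/" + quote("\uff43\uff4d\uff44") + ".exe"

if __name__ == "__main__":
    for sample in (PLAIN, WIDE, WIDE_ENCODED):
        print(repr(sample), inspect(sample))
```

A non-empty `evaded_naive` on real traffic is worth alerting on by itself, since ordinary clients rarely send width variants inside URL paths.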


Cisco IOS FTP - Vulnerability

by admin on May.10, 2007, under Networking, Security

The Cisco IOS FTP Server feature contains multiple vulnerabilities that can result in a denial of service (DoS) condition, improper verification of user credentials, and the ability to retrieve or write any file from the device filesystem, including the device’s saved configuration. This configuration file may include passwords or other sensitive information.

The IOS FTP Server is an optional service that is disabled by default. Devices that are not specifically configured to enable the IOS FTP Server service are unaffected by these vulnerabilities.

This vulnerability does not apply to the IOS FTP Client feature.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070509-iosftp.shtml.


Access Blocked Websites

by admin on May.09, 2007, under Security

I ran across a pretty sweet article on how to access most blocked websites from places that use website filtering software.

Quick Breakdown:

  • Use a website anonymizer
  • Access the website by IP instead of URL
  • Use a service like tinyurl.com
  • Use Google Mobile Search
  • Search for the page in Google, then go to the cached copy
  • Use the Google language tools service to wash pages through Google
  • Surf via a proxy server

Full Article


AOL’s Password Monster will Eat Your Passwords

by admin on May.08, 2007, under Security

So AOL doesn’t really have a password monster, but they will effectively eat part of your password. It turns out that even though AOL lets you put in up to a 16-character password for your AOL.com account, it only reads the first 8. So if you put in password$&355# thinking that is a strong password, you are actually only putting in password. If someone tries to log in to your account with just password, bingo, they're in.

Shame Shame AOL

Full Article from the Washington Post


Vulnerability in Cisco PIX and ASA Appliances

by admin on May.04, 2007, under Networking, Security

Cisco confirms the memory exhaustion vulnerability as per the advisory published by CERT/CC and confirms this vulnerability impacts the PIX and ASA appliance for system software 7.2 only. Exploitation of the vulnerability may lead to a Denial of Service condition against the appliance.

The Firewall Services Module (FWSM) is not affected by this vulnerability.

PSIRT would like to thank Grant Deffenbaugh and Lisa Sittler from the CERT/CC for reporting this vulnerability to Cisco.

We greatly appreciate the opportunity to work with researchers on security vulnerabilities, and welcome the opportunity to review and assist in security vulnerability reports against Cisco products.

Full Article


Cisco Firewall - Land Attack

by admin on May.03, 2007, under Firewalls, Networking, Security

I have been seeing some “Critical Syslog Events” coming through lately from my Cisco FWSM (Firewall Switch Module). The event number is FWSM-2-106017, or if you have a PIX it would be PIX-2-106017.

When you go to Cisco’s site for the explanation, this is what they give you:

Error Message    %FWSM-2-106017: Deny IP due to Land Attack from IP_addr to IP_addr

Explanation    This message indicates that the module received a packet with the IP source address equal to the IP destination and the destination port equal to the source port. This indicates a spoofed packet that is designed to attack systems. This attack is referred to as a land attack. If this message persists, an attack may be in progress. The packet does not provide enough information to determine where the attack originates.

Recommended Action    None.

This is fine and dandy but doesn’t help me track down what the problem is. I don’t believe this is truly a land attack, since it only seems to happen when the sysadmins are working on this box. The IP it is coming from is a web server, and this web server has an internal IP and a natted external IP. When changes are made, you want to test the website. So you go to the website on the server; it resolves to the natted IP, which goes out through the firewall, hits the router, then is converted back to the internal IP and sent back through the firewall. This is where the land attack comes in, because the traffic is coming from the same IP it is going to and on different interfaces on the firewall.

I haven’t seen a fix for this. You could probably disable this rule in the firewall, or just make sure you go to the internal IP instead of the natted IP when testing from the web server itself.
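
One way to sort these events is to count 106017 messages per address and check each address against the firewall's static NAT table, so that a NATted server reaching itself is separated from addresses that need a closer look. This is an added example, not Cisco's tooling; the NAT table, log lines, host name and verdict labels are constructed for illustration.

```python
import re
from collections import Counter

# Matches the message text quoted above for both FWSM and PIX.
LAND_RE = re.compile(
    r"%(?:FWSM|PIX)-2-106017: Deny IP due to Land Attack "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) to (?P<dst>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed static NAT table: internal address -> NATted external address.
STATIC_NAT = {"10.0.0.10": "192.0.2.10"}

# Constructed sample syslog lines.
SAMPLE_LOG = [
    "May  3 09:14:02 fw1 %FWSM-2-106017: Deny IP due to Land Attack from 192.0.2.10 to 192.0.2.10",
    "May  3 09:14:05 fw1 %FWSM-2-106017: Deny IP due to Land Attack from 192.0.2.10 to 192.0.2.10",
    "May  3 09:20:41 fw1 %PIX-2-106017: Deny IP due to Land Attack from 198.51.100.7 to 198.51.100.7",
    "May  3 09:21:00 fw1 %FWSM-6-302013: Built outbound TCP connection (unrelated line)",
]


def triage(lines, static_nat=STATIC_NAT):
    """Count land-attack denies per IP and label addresses known to be NATted."""
    nat_addrs = set(static_nat) | set(static_nat.values())
    counts = Counter()
    for line in lines:
        m = LAND_RE.search(line)
        if m and m["src"] == m["dst"]:
            counts[m["src"]] += 1
    return {
        ip: {
            "events": n,
            # A server with a static NAT entry is the self-access case
            # described above; anything else deserves investigation.
            "verdict": "nat-self-access" if ip in nat_addrs else "investigate",
        }
        for ip, n in counts.items()
    }


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(ip, info)
```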


Clean Up your Hard Drive Before Selling

by admin on May.03, 2007, under Security, Software, Systems

If you are giving away a hard drive, selling it, or even disposing of a hard drive that you have had your data on, you are going to want to wipe the drive clean.

Just because you have “deleted” your data doesn’t mean that someone can’t recover it. There is a utility called Secure Erase that you can use to erase all the tracks on your hard drive. This product has been approved by National Institute for Standards and Testing (NIST).

Download it for free here.


Detect Network Sniffers Running on Windows Systems

by admin on May.02, 2007, under Security, Software

Promqry

Kind of a sweet little tool my buddy sent me. I installed it and ran it; it doesn’t do you much good if you aren’t an Administrator of the boxes you are scanning, but it is an easy-to-use tool. Good program to have in your toolbelt if you are paranoid like me.

