August 30, 2016

ipSpace.net Blog (Ivan Pepelnjak)

Network Automation in Enterprise environments: pipe dream or reality?

When I talk about network automation with enterprise engineers I usually get responses along the lines of “That’s interesting, but it will never happen in my organization. That’s what startups or cloud providers do.”

They couldn’t be more wrong: Thomas Wacker from UBS (one of the top 20 global financial services companies in case you don’t recognize the name) will describe how UBS uses network automation in new data center deployments during our Network Automation DIGS SDN event on September 1st, and we’ll spend the rest of the afternoon focusing on how you could get started and what your first network automation project should be.

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at August 30, 2016 05:03 AM

Networking Now (Juniper Blog)

New threats in July 2016

(This post is the first in a monthly series highlighting some of the new threats detected by Sky ATP's deep analysis engines.)

In July, Sky ATP detected tens of thousands of malicious applications and documents as they passed through SRX firewalls. While most of these were known threats, Sky ATP also detected new malware strains, including multiple forms of ransomware as well as assorted trojans, droppers, spyware, and other potentially unwanted programs. In this post, we'll look at two new ransomware variants, plus an old threat that has evolved into highly-evasive (almost) fileless malware.

Early in the Sky ATP analysis pipeline, we run each new sample against a suite of anti-virus engines. AV engines are a fast and efficient way to catch and filter out known threats and their close variants. Removing these known threats from the analysis pipeline as early as possible reduces the load on the more computationally-expensive parts of the pipeline, which include static analysis engines and full sandbox detonation. But for new threats, hashes and signatures are not enough. In this post, we’ll look at some of the threats we saw in July, which were undetected by numerous AV engines but caught by Sky ATP’s deep analysis.

Zepto ransomware

We discussed Locky in previous posts. Zepto is a new variant, but looks and behaves much like Locky, except it uses ".zepto" as the file extension for the encrypted files:

zepto_files.png

As with Locky (and most other ransomware), the victim is notified by pop-up images, text files, and a new desktop background with instructions on how to convert the ransom payment to bitcoin and deliver it via a site on the dark web.

zepto_desktop.png

Cerber ransomware

Sky ATP’s deep analysis detected a number of variants of the Cerber ransomware that evaded traditional antivirus engines. The ransom process includes an automated voice announcing the infection.

Video: https://www.youtube.com/embed/Asd4kXpksms

Kovter's (almost) fileless malware

Some of the most interesting samples detected by our deep analysis pipeline in July were several variants of the Kovter click-fraud malware. This malware strain has become increasingly evasive and maintains almost fileless persistence on a victim’s machine.

Kovter’s foothold begins with obfuscated JavaScript and binary content saved in the Windows registry.

kovter_registry1.png

Kovter's authors use a clever trick to achieve persistence without leaving any of their malware on the actual Windows filesystem. The malware drops a randomly generated file with an arbitrary (but important!) file extension, along with a batch file and a shortcut.

kovter_files.png

The batch file "opens" the garbage .fcb676eie file with the start command:

kovter_batch.png

Instead of opening the file, a registry key associated with the .fcb676eie extension instructs Windows to execute an altogether different command.

kovter_registry2.png

This uses Microsoft's mshta engine to execute the obfuscated JavaScript stored in the registry. The bulk of the payload is a 5000+ character hexadecimal string, which is decoded and executed with the JavaScript eval() function. This produces another JavaScript program, this time with a very long string encoded in Base64.

kovter_js2.png

This, in turn, is decoded to form a PowerShell script containing raw shellcode that is injected and launched to create a malicious Windows process, using a technique taken from an old Metasploit template.

kovter_powershell.png

With this convoluted process, the malware can remain on the victim's computer without leaving anything on the filesystem besides the garbage file and its associated batch file and shortcut. Its malicious behavior, however, is still detected by Sky ATP's deep analysis techniques.
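One way a defender can hunt for this persistence pattern, added here as an example (it is not code from the Juniper post or from Sky ATP): the script below parses a regedit .reg export and flags any file extension whose ProgID's shell\open\command runs a script host such as mshta, or embeds an inline javascript:/vbscript: URL, instead of opening the file it was handed. The extension, ProgID and command in SAMPLE_REG are constructed for the example and are not the indicators from the post; the script-host list and the "random-looking extension" heuristic are likewise this example's own choices.

```python
import re
from collections import namedtuple

# Constructed .reg export (regedit format). The extension, ProgID and command
# below are invented for this example; they are NOT indicators from the post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\Windows\\system32\\NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\.z9q4k2ab]
@="z9q4k2abfile"

[HKEY_CLASSES_ROOT\z9q4k2abfile\shell\open\command]
@="\"C:\\Windows\\System32\\mshta.exe\" \"javascript:PLACEHOLDER_OBFUSCATED_SCRIPT\""
'''

Finding = namedtuple("Finding", "extension progid command reasons")

# Binaries that execute script rather than open a document. A file-type handler
# pointing at one of these (with an inline script) is the pattern described above.
SCRIPT_HOSTS = ("mshta", "wscript", "cscript", "powershell", "rundll32", "regsvr32")
INLINE_SCRIPT = re.compile(r"\b(javascript|vbscript):", re.I)
# One `name=value` line of a .reg file where the value is a quoted string (REG_SZ).
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')


def _unescape(s):
    # Undo .reg string escaping (backslash-backslash and backslash-quote).
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a .reg export into {key path (lower-cased): {value name: string value}}.
    Only REG_SZ values are handled, which is all this check needs."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line) if current else None
        if not m:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        keys[current][name] = _unescape(m.group(2)[1:-1])
    return keys


def looks_random(ext):
    """Weak indicator: a long extension mixing letters and digits."""
    body = ext.lstrip(".")
    return len(body) >= 6 and any(c.isdigit() for c in body) and any(c.isalpha() for c in body)


def find_suspicious_handlers(keys):
    """Return a Finding for each extension whose ProgID open command runs a
    script host or an inline script rather than opening the file."""
    findings = []
    for path, values in keys.items():
        m = re.match(r"^hkey_classes_root\\(\.[^\\]+)$", path)
        progid = values.get("@")
        if not m or not progid:
            continue
        ext = m.group(1)
        cmd_key = f"hkey_classes_root\\{progid.lower()}\\shell\\open\\command"
        cmd = keys.get(cmd_key, {}).get("@", "")
        strong = [f"handler runs script host {h}" for h in SCRIPT_HOSTS if h in cmd.lower()]
        if INLINE_SCRIPT.search(cmd):
            strong.append("inline script in handler command")
        if not strong:
            continue  # weak indicators alone are not worth an alert
        weak = []
        if looks_random(ext):
            weak.append("extension looks randomly generated")
        if "%1" not in cmd:
            weak.append("handler never references the opened file (%1)")
        findings.append(Finding(ext, progid, cmd, strong + weak))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_handlers(parse_reg(SAMPLE_REG)):
        print(f"{f.extension} -> {f.progid}: {f.command}")
        for reason in f.reasons:
            print("   ", reason)
```

On a real host, feed it the output of `reg export HKCR hkcr.reg` (the export is UTF-16, so read it with `open(path, encoding="utf-16")`); per-user associations under HKEY_CURRENT_USER\Software\Classes need the same check with the root-key prefix adjusted.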

Until next month...

As mentioned above, these threats are just a few of many detected by Sky ATP's deep analysis engines. Thanks for reading, and please check back next month for another installment in this series!

by AsherLangton at August 30, 2016 01:00 AM

August 29, 2016

Internetwork Expert Blog

CCIE DCv2 Beta Rack Rentals Now Available

Our CCIE Data Center version 2.0 Rack Rental system is now in beta testing phase.  Click here to submit a request for beta access and I will contact you directly with more details on timing and availability.

Our CCIE DCv2 Rack Rentals consist of the following:

  • Nexus 9300 ACI Spines
  • Nexus 9300 ACI Leafs
  • Application Policy Infrastructure Controller (APIC)
  • Nexus 7000s with F3 line cards
  • Nexus 5600s
  • Nexus 2300 & 2200 10GigE Fabric Extenders
  • UCS C series rack servers
  • UCS B series blade servers
  • UCS 6248 Fabric Interconnects
  • Nexus 1000v virtual switch
  • Dual 10GigE attached hosts for application testing
  • Fibre Channel SAN
  • iSCSI SAN

The visual topology diagrams are as follows:

by Brian McGahan, CCIE #8593, CCDE #2013::13 at August 29, 2016 02:33 PM

ipSpace.net Blog (Ivan Pepelnjak)

Scaling L3-Only Data Center Networks

Andrew wondered how one could scale the L3-only data center networking approach I outlined in this blog post and asked:

When dealing with guests on each host, if each host injects a /32 for each guest, by the time the routes are on the spine, you're potentially well past the 128k route limit. Can you elaborate on how this can scale beyond 128k routes?

Short answer: it won’t.

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at August 29, 2016 05:17 AM


August 27, 2016

Ethan Banks on Technology

Connecting Python To Slack For Testing And Development

The scripting language Python can retrieve information from or publish information into the messaging app Slack. This means you can write a program that puts info into Slack for you, or accepts your queries using Slack as the interface. This is useful if you spend a lot of time in Slack, as I do.

The hard work of integrating Slack and Python has been done already. Slack offers an API, and there are at least two open source Python libraries that make leveraging these APIs in your Python code a simple task. I chose slacker after a bit of googling, but it’s not a preference born of experience. The community seems to be behind slacker as opposed to Slack’s own python-slackclient, so I went that direction.

Steps

  1. I’ll assume you’ve got Python installed already. My environment is Ubuntu Server 16.04 with Python 2.7.12.
  2. Install the Python package manager pip, if you don’t already have it.
    sudo apt install python-pip
  3. Install the slacker Python library.
    pip install slacker
  4. Generate a testing and dev token at the Slack API web site.
    https://api.slack.com/web
  5. The token will be everything required for authentication to your Slack group. Protect it like a password.

Armed with the token and slacker library, your Python installation is now Slack-capable.

Example

I took this code right from the slacker github page to make sure things were working without having to read any documentation. I created a channel called #exp to run my test in.

from slacker import Slacker

# Replace abcd-etc. with your testing and dev token
slack = Slacker('abcd-*****-*****-*****-*****')

# Send a message to #exp channel
slack.chat.post_message('#exp', 'Python was here.')

I ran the test using python slack-test.py.

The result looked as follows.

slacker-test

by Ethan Banks at August 27, 2016 10:40 PM

My Etherealmind

Unregenerate 20160827 – The Week Gone By or To Come

Looking backward at last week or forward into next week. unregenerate – adj. not reformed, unreconstructed, obstinate, stubborn. Current Status: Arrived in Las Vegas early for VMworld as press/media. I’m presenting on the big stage at Future:Net – an invitation-only conference on the future of networking – on Thursday morning, “Breakfast With […]

The post Unregenerate 20160827 – The Week Gone By or To Come appeared first on EtherealMind.

by Greg Ferro at August 27, 2016 04:50 PM

August 26, 2016

ipSpace.net Blog (Ivan Pepelnjak)

Software-Defined Navel Gazing

Software Gone Wild podcast is well into its toddler years and it was time for a teambuilding exercise. Just kidding – we wanted to test new tools and decided to discuss the vacation experiences and podcast ideas while doing that.

On a more serious note: we’re always looking for cool projects, implementations and ideas. Contact us at podcast (-the weird sign-) ipspace.net.

by Ivan Pepelnjak (noreply@blogger.com) at August 26, 2016 12:11 PM


August 25, 2016

ipSpace.net Blog (Ivan Pepelnjak)

Automation Gone Wild

My “this is why you need automation” blog post triggered numerous comments and tweets. I loved this one:

What if the mistake was embedded into the automation process/tool (designed by humans) in the first place? Now you have a video series titled "Automation Gone Wild".

I guess this tweet is a priceless answer to that question:

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at August 25, 2016 07:02 AM

August 24, 2016

The Networking Nerd

Cisco vs. Arista: Shades of Gray

CiscoVArista

Yesterday was D-Day for Arista in their fight with Cisco over the SysDB patent. I’ve covered this a bit for Network Computing in the past, but I wanted to cover some new things here and put a bit more opinion into my thoughts.

Cisco Designates The Competition

As the great Stephen Foskett (@SFoskett) says, you always have to punch above your weight. When you are a large company, any attempt to pick on the “little guy” looks bad. When you’re at the top of the market it’s even tougher. If you attempt to fight back against anyone you’re going to legitimize them in the eye of everyone else wanting to take a shot at you.

Cisco has effectively designated Arista as their number one competitor by way of this lawsuit. Arista represents a larger threat than HPE, Brocade, or Juniper. Yes, I agree that it is easy to argue that the infringement constituted a material problem to their business. But at the same time, Cisco very publicly just said that Arista is causing a problem for Cisco. Enough of a problem that Cisco is going to take them to court. Not make Arista license the patent. That’s telling.

Also, Cisco’s route of going through the ITC looks curious. Why not try to get damages in court instead of making the ITC ban them from importing devices? I thought about this for a while and realized that even if there was a court case pending it wouldn’t work to Cisco’s advantage in the short term. Cisco doesn’t just want to prove that Arista is copying patents. They want to hurt Arista. That’s why they don’t want to file an injunction to get the switches banned. That could take years and involve lots of appeals. Instead, the ITC can just simply say “You cannot bring these devices into the country”, which effectively bans them.

Cisco has gotten what it wants short term: Arista is going to have to make changes to SysDB to get around the patent. They are going to have to ramp up domestic production of devices to get around the import ban. Their train of development is disrupted. And Cisco’s general counsel gets to write lots of posts about how they won.

Yet, even if Arista did blatantly copy the SysDB stuff and run with it, now Cisco looks like the 800-pound gorilla stomping on the little guy through the courts. Not by making better products. Not by innovating and making something that eclipses the need for software like this. No, Cisco won by playing the playground game of “You stole my idea and I’m going to tell!!!”

Arista’s Three-Edged Sword

Arista isn’t exactly coming out of this on the moral high ground either. Arista has gotten a black eye from a lot of the quotes being presented as evidence in this case. Ken Duda said that Arista “slavishly copied” Cisco’s CLI. There have been other comments about “secret sauce” and the way that SysDB is used. A few have mentioned to me privately that the copying done by Arista was pretty blatant.

Understanding is a three-edged sword: Your side, their side, and the truth.

Arista’s side is that they didn’t copy anything important. Cisco’s side is that EOS has enough things that have been copied that it should be shut down and burned to the ground. The truth lies somewhere in the middle of it all.

Arista didn’t copy everything from IOS. They hired people who worked on IOS and likely saw things they’d like to implement. Those people took ideas and ran with them to come up with a better solution. Those ideas may or may not have come from things that were worked on at Cisco. But if you hire a bunch of employees from a competitor, how do you ensure that their ideas aren’t coming from something they were supposed to have “forgotten”?

Arista most likely did what any other company in that situation would do: they gambled. Maybe SysDB was more copied than created. But so long as Arista made money and didn’t really become a blip on Cisco’s radar, it didn’t matter. That’s telling. Listen to this video, which starts at 4:40 and goes to about 6:40:

Video: https://www.youtube.com/embed/wK06VHnwatg (starting at 4:40)

Doug Gourlay said something that has stuck with me for the last four years: “Everyone that ever set out to compete against Cisco and said, ‘We’re going to do it and be everything to everyone’ has failed. Utterly.”

Arista knew exactly which market they wanted to attack: 10Gig and 40Gig data center switches. They made the best switch they could with the best software they could and attacked that market with all the force they could muster. But the gamble would eventually have to either pay off or come due. Arista had to know at some point that a strategy shift would bring them into the crosshairs of Cisco. And Cisco doesn’t forgive if you take what’s theirs. Even if, and I’m quoting from both a Cisco 10-K from 1996 and a 2014 Annual Report:

[It is] not economically practical or even possible to determine in advance whether a product or any of its components infringes or will infringe on the patent rights of others.

So Arista built the best switch they could with the knowledge that some of their software may not have been 100% clean. Maybe they had plans to clean it up later. Or iterate it out of existence. Who knows? Now, Arista has to face up to that choice and make some new ones to keep selling their products. Whether or not they intended to fight the 800-pound gorilla of networking at the start, they certainly stumbled into a fight here.


Tom’s Take

I’m not a lawyer. I don’t even pretend to be one. I do know that the fate of a technology company now rests in the hands of non-technical people that are very good at wringing nuance out of words. Tech people would look at this and shake their heads. Did Arista copy something? Probably? Was it something Cisco wanted copied? Probably not? Should Cisco have unloaded the legal equivalent of a thermonuclear warhead on them? Doubtful.

Cisco is punishing Arista to ensure no one ever copies their ideas again. As I said before, the outcome of this case will doom the Command Line Interface. No one is going to want to tangle with Cisco again. Which also means that no one is going to want to develop things along the Cisco way again. Which means Cisco is going to be less relevant in the minds of networking engineers as REST APIs and other programming architectures become more important than remembering to type conf t every time.

Arista will survive. They will make changes that mean their switches will live on for customers. Cisco will survive. They get to blare their trumpets and tell the whole world they vanquished an unworthy foe. But the battle isn’t over yet. And instead of it being fought over patents, it’s going to be fought as the industry moves away from CLI and toward a model that doesn’t favor those who don’t innovate.


by networkingnerd at August 24, 2016 06:35 PM

My Etherealmind

Intel IDF: Convergence Is Everything

Reflections on lessons learned from Intel Developer Forum

The post Intel IDF: Convergence Is Everything appeared first on EtherealMind.

by Greg Ferro at August 24, 2016 02:53 PM

Ethan Banks on Technology

Chicagoans: TECHunplugged Is Coming October 27, 2016

TECHunplugged is a one-day event where end users, influencers and vendors come together to talk shop. At the Chicago event on October 27, 2016, I’ll be speaking on the following big idea.

How The Network Automation War Might Soon Be Won

Here’s the abstract I proposed to the TECHunplugged team.

Automation in the virtualization world is a long-established feature. A plethora of excellent tools exist to help stand up server infrastructure, operating systems, and applications. This has helped bring much of the IT stack together in a way that makes system deployment a repeatable, predictable task. By contrast, network automation is a struggling, emergent technology. Why is it that the automation of network provisioning has proven so challenging?

Ethan Banks, 20-year IT veteran and co-host of the Packet Pushers podcasts, will explain the network automation challenge from a practitioner’s point of view. He’ll also discuss recent advances in network automation tooling from both the open source and commercial software worlds. Network automation might feel rather behind other IT silos, but there’s significant progress that will change network operations sooner rather than later.

To set context, I’ll explain why automating the network is so hard.

  • No standard way to describe a desired outcome.
  • Proprietary interfaces.
  • Snowflake architectures.
  • Unpredictable ways of measuring results.
  • A surfeit of choice.

And then we’ll talk about what’s being done to enable network automation.

  • Intent.
  • Abstraction.
  • Telemetry.
  • OpenConfig.
  • The simplicity movement.
  • Vendors like Anuta, Apstra, and Glue.

If you’re in the Chicago area, register. You’ll hear me speak along with several other folks. I’ll also be at an “ask me anything” roundtable.

by Ethan Banks at August 24, 2016 12:43 PM

ipSpace.net Blog (Ivan Pepelnjak)

Why Would I Attend the Virtual Firewalls Workshop?

One of my subscribers considered attending the Virtual Firewalls workshop on September 1st and asked:

Would it make sense to attend the workshop? How is it different from the Virtual Firewalls webinar? Will it be recorded?

The last answer is easy: No. Now for the other two.

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at August 24, 2016 06:52 AM


August 23, 2016

Ethan Banks on Technology

For Your Ears: Citizens of Tech Podcast 40

[Embedded podcast player]

In this show, we get into what expiration dates on packaged food and drugs really mean. How should you react when the date expires? If you assume, “Throw it out to be safe,” you’d be wrong.

We also chat about dealing with password expiration policies. They must be super complex and changed frequently, right? Maybe not. Super complex and frequently changed means hard to remember, which studies show can lead to less security, not more.

IBM has manufactured an artificial neuron, which isn’t so interesting by itself. We’ve been here before. The interesting bit is the material used to behave like a neuronal membrane. A genuine advance.

Microsoft has announced a smaller XBoxOne S, now with 4K capabilities. Just not gaming 4K capabilities.

Blackberry is on permanent deathwatch now, as they have begun the, “All else has failed, so let’s litigate,” phase of operations.

All that, plus our regular “Content I Like” and “Today I Learned” features.

Expiring Stochastic Passwords – Citizens of Tech 040

https://www.citizensoftech.com/expiring-stochastic-passwords-citizens-tech-040/

by Ethan Banks at August 23, 2016 03:59 PM

My Etherealmind

Why Google Slows Fibre Rollout

Laying fiber is, it turns out, pretty expensive. That’s one reason why expansion of Google Fiber’s ambitious project to bring ultrafast internet to U.S. cities has been placed on hold. The company has spent hundreds of millions of dollars laying fiber-optic cables to bring Internet service as much as 100 times faster than average high-speed wireless […]

The post Why Google Slows Fibre Rollout appeared first on EtherealMind.

by Greg Ferro at August 23, 2016 11:25 AM

ipSpace.net Blog (Ivan Pepelnjak)

Another Long Gone Crazy Project: Build Your Own File Server OS

Decades ago I got involved in another interesting project: let’s build our own file server operating system on top of a Z80 CPU. Yes, I was at university (how did you guess?) and no, it never really took off.

by Ivan Pepelnjak (noreply@blogger.com) at August 23, 2016 10:38 AM

August 22, 2016

My Etherealmind

Response: Arista Market Share

I was looking quickly through slides presented at Arista's financial results for Q2 2016 and this slide jumped out at me.

The post Response: Arista Market Share appeared first on EtherealMind.

by Greg Ferro at August 22, 2016 02:06 PM

ipSpace.net Blog (Ivan Pepelnjak)

Networking Is Infrastructure – Get Used to It

Jeff Sicuranza left a great comment to one of my blog posts:

Still basically the same old debate from 25 years ago that experienced Network Architects and Engineers understood during technology changes; "Do you architect your network around an application(s) or do you architect your application(s) around your network"

I would change that to “the same meaningless debate”. Networking is infrastructure; it’s time we grow up and get used to it.

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at August 22, 2016 10:33 AM


August 20, 2016

Aaron's Worthless Words

QoS? Really?

I wrote this post during Cisco Live and said “I’ll just give it a once-over tonight and publish it.”  That was something like 6 weeks ago now. What a loser I am.


Yes, really. QoS has actually gotten some attention this year. After how many years of living in the dark and being feared by junior and senior engineers alike, we’re seeing some really cool technologies coming out for it.

I was honored to be invited to Tech Field Day Extra this morning while I’m at Cisco Live.  If you don’t know about TFD, you’re missing out.  A group of influencers gather in a room and get very deep and very technical presentations from vendors.  Today, Cisco came and talked about a couple of topics including branch security and QoS.  Obviously, the QoS was the big hitter for me.

Tim Szigeti (@tim_szigeti) kicked off the QoS conversation by talking about some of the recent advancements in QoS in both hardware and software. In hardware, he discussed the programmability of the new ASICs that Cisco is using in their switches and routers.  These ASICs are dumb out of the box, but they are very willing to learn.  Want it to do IP? Program it to understand IP.  Want to add QoS?  Program it to add QoS.  We’ve seen programmable ASICs in devices for quite a while, but having these in your switches and routers opens a lot of doors.

How about software, then?  IOS-XE 16.5 takes advantage of these hardware advancements and simplifies the configuration.  When I say simplifies, I’m not joking.  In older code, for example, a standard QoS config using MQC that takes 1622 lines of code is now only 2 lines.  That’s all.  How’s that for simplified?

The drop-the-mic moment, though, came during the APIC-EM discussion with Ramit Kanda. Now, I knew absolutely nothing about APIC-EM going into the session, but I’m going to make it a point to learn more.  This device is a VM that provides programmability, automation, and abstraction for your network gear.  In this case, it provides abstraction for QoS.  Read that again.  Abstraction for QoS.  That means you don’t need to log into each device in the path and configure each one.  More importantly, though, you don’t have to generate configs for your different switch and router models.  You just say “make QoS like this,” and everything is configured end-to-end.  EasyQoS is the name of that technology, and, boy, is it named appropriately.

The moral of the story today is that QoS has been a bastard step-child for years (decades?) and is finally getting some attention.

Thanks to Tom Hollingsworth and Stephen Foskett for hosting TFD today.  It was my first time and quite a blast.  If you get the opportunity to participate, do it.


Since it took so long to publish the post, the videos for the TFD session have long been available.  You can see the EasyQoS video here.  The others are readily available from there.

Video: https://www.youtube.com/embed/JNSL_s2qiIM

by Aaron Conaway at August 20, 2016 01:12 AM

August 19, 2016

ipSpace.net Blog (Ivan Pepelnjak)

Sample Ansible Networking Playbooks on Github

I spent the last week creating numerous scenarios using Ansible networking modules for my upcoming Network Automation workshop. The scenarios use Cisco IOS and Nexus OS modules as I used VIRL for network simulation, but you could easily adapt them to other networking devices.

All the scenarios I’m covering in the workshop are available in my Github repository; to get them explained you’ll have to attend the workshop. Enjoy!

by Ivan Pepelnjak (noreply@blogger.com) at August 19, 2016 11:17 AM

Potaroo blog

IPv6 Performance - Revisited

Every so often I hear the claim that some service or other has deliberately chosen not to support IPv6, and the reason cited is not some technical issue, or some cost or business issue, but simply that the service operator is of the view that IPv6 offers an inferior level of service compared to IPv4, and that by offering the service over IPv6 they would be exposing their clients to inferior performance. But is this really the case?

August 19, 2016 12:00 AM

August 18, 2016

SNOsoft Research Team

How these dirty scammers tried to use LinkedIn to steal our customer’s passwords

Earlier this morning one of our more savvy customers received an email from noreply@linkedin.com. The email contained a “New Message Received” notification allegedly sourced from CEO Tom Morgan. Contained in the email was a link that read, “Click here to sign in and read your messages”. Fortunately we had already provided training to this particular customer that covered Social Engineering and Phishing threats. So, rather than click on the link they forwarded the email to Netragard’s Special Project Team, which is like throwing meat to the wolves. The actual email is provided below in figure 1.

Figure 1

The first step in learning about who was behind this threat was to follow the “click here” link. The link was shortened using the URL shortener ow.ly and so we used curl to expand it. While we were hopeful that the URL would deliver some sort of awesome zeroday or malware, it didn’t. Instead it served up a fake LinkedIn page (Figure 2) designed to steal login and password information.
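A defensive counterpart to the link analysis above, added here as an example that is not part of the Netragard post: the script below extracts every link from an e-mail body, then flags links that go through a public URL shortener, links whose host does not match the claimed sender's domain, and login-themed link text that points off-domain. The sender address, link text and the ow.ly host come from the post; the shortener path, the footer link, the shortener list and the login-word list are this example's own constructed placeholders and choices.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed e-mail body modelled on the post. The sender, the link text and the
# ow.ly host are from the post; the ow.ly path and the footer link are invented.
SENDER = "noreply@linkedin.com"
SAMPLE_HTML = """
<html><body>
<p>You have a new message from Tom Morgan.</p>
<p><a href="https://ow.ly/EXAMPLE1">Click here to sign in and read your messages</a></p>
<p><a href="https://www.linkedin.com/help/">Help center</a></p>
</body></html>
"""

# Hosts of public URL shorteners; a real deployment would maintain a fuller list.
SHORTENERS = {"ow.ly", "bit.ly", "tinyurl.com", "goo.gl", "t.co", "is.gd"}
LOGIN_WORDS = re.compile(r"sign ?in|log ?in|password|verify|account", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace in the anchor text so word matching is reliable.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(host):
    """Crude 'example.com' from 'www.example.com' (no public-suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze_links(html, sender):
    """Return [(href, text, reasons)] for every link; empty reasons means clean."""
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1])
    parser = LinkExtractor()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        if host in SHORTENERS:
            reasons.append(f"link goes through a URL shortener ({host})")
        if registrable_domain(host) != sender_domain:
            reasons.append(f"link host {host} does not match sender domain {sender_domain}")
        if reasons and LOGIN_WORDS.search(text):
            reasons.append("login-themed link text points off-domain")
        results.append((href, text, reasons))
    return results


def suspicious_links(html, sender):
    """Only the links that raised at least one reason."""
    return [r for r in analyze_links(html, sender) if r[2]]


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_HTML, SENDER):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   ", reason)
```

The sender-domain comparison is deliberately naive: it trusts the From address, which a phisher controls, so a mismatch is a signal to expand the shortened URL in a sandbox and inspect the landing page, not proof on its own.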

Figure 2

The server hosting the phishing site was located in Lebanon and of course was not maintained or patched properly. Quick reconnaissance showed that directory listing was enabled, that the server was using an outdated and very exploitable version of cPanel, and that the server had been breached by at least four other parties (there were at least 4 backdoors installed). We used one of the backdoors to gain access to the system in the hopes of learning more (Figure 3).

Figure 3

Our team quickly zeroed in on the “linkd.php” file that was used to generate the phishing page shown in Figure 2.   We explored the file looking for information related to where stolen passwords were being kept. Initially we expected to see the passwords logged to a text file but later found that they were being emailed to an external Gmail account. We also looked for anything that might provide us with information about who was being targeted with this attack but didn’t find much on the system.

We were able to identify the victims of the campaign by making hidden modifications to the attackers’ phishing platform. These modifications allowed us to track who submitted their credentials to the phishing site. When studying the submission data it quickly became apparent that the attackers were almost exclusively targeting Luxembourg-based email addresses (.lu TLDs) and were having a disturbingly high degree of success. Given that people often reuse passwords in multiple locations, this campaign significantly increased the level of risk faced by organizations that employ the victims. More directly, chances are high that organizations will be breached using the stolen passwords.

The LinkedIn campaign was hardly the only campaign being launched from the server. Other campaigns were identified that included but may not be limited to DHL, Google, Yahoo and DropBox. The DropBox campaign was by far the most technically advanced. It leveraged blacklisting to avoid serving the phishing content to Netcraft, Kaspersky, BitDefender, Fortinet, Google, McAfee, AlienVault, Avira, AVG, ESET, Doctor Web, Panda, Symantec, and more. In addition to the blacklisting it used an external proxy checker to ensure page uptime.

Finally, we tracked the IP addresses that were connecting to the system’s various backdoors.  Those IP addresses all geolocated to Nigeria and are unfortunately dynamic.

Screenshot 2016-08-18 10.24.57

Summary

This phishing campaign highlights two specific issues that can both be countered with careful planning.  The first is that employees are easy to phish, especially when they are outside of the office and not protected by spam filters.  This is problematic because employees often reuse the same passwords at work as they do outside of work.  So stealing a LinkedIn password often provides attackers with access to other, more sensitive resources, which can quickly result in a damaging breach and access to an organization’s critical assets.   The solution to this issue is reasonably simple.  Employees should be required to undergo regular training for various aspects of security, including but not limited to Social Engineering and Phishing.  Second, employers should require employees to use password management tools similar to 1Password.  Using password management tools properly will eliminate password reuse and significantly mitigate the potential damages associated with password theft.

As for our Nigerian friends, they won’t be operating much longer.

The post How these dirty scammers tried to use LinkedIn to steal our customer’s passwords appeared first on "We protect you from people like us.".

by Adriel Desautels at August 18, 2016 02:50 PM

ipSpace.net Blog (Ivan Pepelnjak)

Inter-VRF NAT in DMVPN Deployments

One of my users couldn't get inter-VRF NAT to work after watching the DMVPN webinars (no real surprise there, the VRF lite concept is covered in more detail in the Enterprise MPLS/VPN webinar), so I decided to write a short document describing the details.

by Ivan Pepelnjak (noreply@blogger.com) at August 18, 2016 11:12 AM

Network Design and Architecture

Free Webinar : Introduction to Mobile Broadband Technologies

You are invited to attend the one hour Technical Webinar "Introduction to Mobile Broadband Technologies". The essential Mobile Broadband concepts and principles are illustrated with the agenda below:
1- The Mobile Broadband Journey (2G, 3G, 4G, LTE, 5G)
2- Meet the Packet Switched Core
3- Training Review
This webinar is recommended to: Network Professionals who are interested to […]

The post Free Webinar : Introduction to Mobile Broadband Technologies appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

by Orhan Ergun at August 18, 2016 07:47 AM

August 17, 2016

ipSpace.net Blog (Ivan Pepelnjak)

New Webinar: Docker Networking Fundamentals

After the fantastic Docker 101 webinar by Matt Oswalt a few people approached me saying “that was great, but we’d need something more on Docker networking”, and during one of my frequent chats with Dinesh Dutt he mentioned that he already had the slides covering that topic.

Problem solved… and Dinesh decided to do it as a free webinar (thank you!), so all you have to do is register. Hurry up, there are only 1000 places left ;)

by Ivan Pepelnjak (noreply@blogger.com) at August 17, 2016 04:59 PM

The Networking Nerd

Repeat After Me

Thanks to Tech Field Day, I fly a lot. As Southwest is my airline of choice and I have status, I tend to find myself sitting the slightly more comfortable exit row seating. One of the things that any air passenger sitting in the exit row knows by heart is the exit row briefing. You must listen to the flight attendant brief you on the exit door operation and the evacuation plan. You are also required to answer with a verbal acknowledgment.

I know that verbal acknowledgment is a federal law. I've also seen some people blatantly disregard the need to verbally accept responsibility for their seating choice, leading to some hilarious stories. But it also made me think about why making people talk to you is the best way to make them understand what you're saying.

Sotto Voce

Today’s society full of distractions from auto-play videos on Facebook to Pokemon Go parks at midnight is designed to capture the attention span of a human for a few fleeting seconds. Even playing a mini-trailer before a movie trailer is designed to capture someone’s attention for a moment. That’s fine in a world where distraction is assumed and people try to multitask several different streams of information at once.

People are also competing for noise attention as well. Pleasant voices are everywhere trying to sell us things. High volume voices are trying to cut through the din to sell us even more things. People walk around with headphones in most of the day. Those that don't pollute what's left with cute videos that sound like they were recorded in an echo chamber.

This has also led to a larger amount of non-verbal behavior being misinterpreted. I’ve experienced this myself on many occasions. People distracted by a song on their phone or thinking about lyrics in their mind may nod or shake their head in rhythm. If you ask them a question just before the “good part” and they don’t hear you clearly, they may appear to agree or disagree even though they don’t know what they just heard.

Even worse is when you ask someone to do something for you and they agree only to turn around and ask, “What was it you wanted again?” or “Sorry, I didn’t catch that.” It’s become acceptable in society to agree to things without understanding their meaning. This leads to breakdowns in communication and pieces of the job left undone because you assume someone was going to do something when they agreed, yet they agreed and then didn’t understand what they were supposed to do.

Fortississimo!

I've found that the most effective way to get someone to understand what you've told them is to ask them to repeat it back to you in their own words. It may sound a bit silly to hear what you just told them, but think about the steps that they must go through:

  • They have to stop for a moment and think about what you said.
  • They then have to internalize the concepts so they understand them.
  • They then must repeat back to you those concepts in their own phrasing.

Those three steps mean that the ideas behind what you are stating or asking must be considered for a period of time. It means that the ideas will register and be remembered because they were considered when repeating them back to the speaker.

Think about this in a troubleshooting example. A junior admin is supposed to go down the hall and tell you when a link light comes on for port 38. If the admin just nods and doesn't pay attention, ask them to repeat those instructions back. The admin will need to remember that port 38 is the right port and that they need to wait until the link light is on before saying something. It's only two pieces of information, but it does require thought and timing. By making the admin repeat the instructions, you make sure they have them down right.


Tom’s Take

Think about all the times recently when someone has repeated something back to you. A food order or an amount of money given to you to pay for something. Perhaps it was a long list of items to accomplish for an event or a task. Repetition is important to internalize things. It builds neural pathways that force the information into longer-term memory. That’s why a couple of seconds of repetition are time well invested.


by networkingnerd at August 17, 2016 03:43 PM

August 16, 2016

Peter's CCIE Musings and Rants
Hi Guys

If my complete lack of posts has got you down, there is loads of good info over at my good friend Paul Tursan's blog, you can find it here:
http://chilli-net.blogspot.com/

by peter_revill (noreply@blogger.com) at August 16, 2016 07:08 PM

Networking Now (Juniper Blog)

The QFX10002 receives US Department of Defense Certification

Juniper Networks expands its portfolio of US Department of Defense certified devices.

by bshelton at August 16, 2016 02:24 PM

ipSpace.net Blog (Ivan Pepelnjak)

We Need to Educate Our Peers

Failure to use DNS, IP addresses embedded in the code, ignoring the physical realities (like bandwidth and latency)… the list of mistakes that eventually get dumped into the networking engineer's lap is depressing.

It’s easy to reach the conclusion that the people making those mistakes must be stupid or lazy… but in reality most of them never realized they were causing someone else problems because nobody told them so.

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at August 16, 2016 11:08 AM

August 15, 2016

Honest Networker

When you overhear “I’m considering deploying Noction in my network, any config advice?”

by ohseuch4aeji4xar at August 15, 2016 06:33 PM

August 14, 2016

August 12, 2016

Networking Now (Juniper Blog)

Ransomware in the Cloud

What ransomware does to animals..

Can ransomware attack cloud data? Are you safe if you use online backups or backup services like Dropbox or Google Drive?  It depends...

by rsinayev at August 12, 2016 10:01 PM

August 11, 2016

Dyn Research (Was Renesys Blog)

Syria goes to extremes to foil cheaters

Early this morning in Syria, the Internet was almost entirely down for four hours.  It was the ninth such outage since 31 July 2016 — each one lasting from approximately 4am to 8am local time.  And, according to sources inside Syria, the objective of these outages was to prevent cheating on national High School exams.  The motivation for today’s national outage: a Chemistry final.

Below is the High School exam schedule that was evidently driving these national Internet blackouts.

Last year, we first reported on country-wide Internet blackouts in Iraq to prevent cheating during their national 6th grade placement exams. The Atlantic magazine covered this story when Iraq began conducting Internet outages again earlier this year for more exams. Algeria, Uzbekistan, and the Gujarat region of India have also all recently blocked mobile service to prevent students from cheating on their exams.

It is striking how far we have come since Egypt in 2011, when their country-wide outage was a huge international story. National Internet blackouts are so routine and banal that they are now becoming a common tactic to prevent cheating among youth. In fact, this latest round of exams was the make-up exams for students who couldn't sit for the first round of exams, which occurred in June and were the motivation for another round of national outages in Syria that we tweeted about several weeks ago.

According to our sources, the Internet is taken down from 4am to 8am, while the exam is being distributed around the country — or at least the portion of the country still participating in the national Syrian education system.  When the exams begin at 8am, mobile service is taken down until 11am.  In years past, exam questions would begin appearing on social media 30-60 minutes before each exam, thus allowing cheaters to circulate correct answers and compromise the integrity of the test.

#KeepItOn

We have been documenting the sad history of Internet blackouts in Syria on this blog going back to June 2011 as violence began to erupt in this troubled country and the Internet started to disappear with some regularity.  Five years later in June 2016, advocacy group Access Now launched its #KeepItOn campaign to raise awareness of Internet blackouts around the world and to “challenge service providers to fight back against government shutdown requests.”

If that is a topic that interests you, you can take a pledge to spread the word about such outages.  We will continue, as we have for many years, to document such incidents here on this blog and on Twitter.


The post Syria goes to extremes to foil cheaters appeared first on Dyn Research.

by Doug Madory at August 11, 2016 06:33 PM

August 10, 2016

The Networking Nerd

Networking Needs Information, Not Data

GameAfoot

Networking Field Day 12 starts today. There are a lot of great presenters lined up. As I talk to more and more networking companies, it’s becoming obvious that simply moving packets is not the way to go now. Instead, the real sizzle is in telling you all about those packets instead. Not packet inspection but analytics.

Tell Me More, Tell Me More

Ask any networking professional and they'll tell you that the systems they manage have a wealth of information. SNMP can give you monitoring data for a set of points defined in database files. Other protocols like NetFlow or sFlow can give you more granular data about a particular packet group or data flow in your network. Even more advanced projects like Intel's Snap are building on the idea of using telemetry to collect disparate data sources and build collection methodologies to do something with them.

The concern that becomes quickly apparent is the overwhelming amount of data being received from all these sources. It reminds me a bit of this scene:

(YouTube video embedded in the original post: https://www.youtube.com/embed/OXc5ltzKq3Y)

How can you drink from this firehose? Maybe you should be asking if you should instead?

Order From Chaos

Data is useless. We need to perform analysis on it to get information. That’s where a new wave of companies is coming into the networking market. They are building on the frameworks and systems that are aggregating data and presenting it in a way that makes it useful information. Instead of random data points about NetFlow, these solutions tell you that you’ve got a huge problem with outbound traffic of a specific type that is sent at a specific time with a specific payload. The difference is that instead of sorting through data to make sense of it, you’ve got a tool delivering the analysis instead of the raw data.

Sometimes it's as simple as color-coding lines of Wireshark captures. Resets are bad, so they show up red. Properly torn down connections are good, so they are green. You can instantly figure out how well things are going by looking for the colors. That's analysis from raw data. The real trick in modern network monitoring is to find a way to analyze and provide context for massive amounts of data that may not have an immediate correlation.

Networking professionals are smart people. They can intuit a lot of potential issues from a given data set. They can make the logical leap to a specific issue given time. What reduces that ability is the sheer amount of things that can go wrong with a particular system and the speed at which those problems must be fixed, especially at scale. A hiccup on one end of the network can be catastrophic on the others if allowed to persist.

Analytics can give us the context we need. It can provide confidence levels for common problems. It can ensure that symptoms are indeed happening above a given baseline or threshold. It can help us narrow the symptoms and potential issues before we even look at the data. Analytics can exclude the impossible while highlighting the more probable causes and outcomes. Analytics can give us peace of mind.


Tom’s Take

Analytics isn't doing our job for us. Instead, it's giving us the ability to concentrate. Anyone that spends their time sifting through data to try and find patterns is losing the signal in the noise. Patterns are things that software can find easily. We need to leverage the work being put into network analytics systems to help us track down the issues before they blow up into full problems. We need to apply what makes network professionals best suited to this work to the best information we can gather about a situation. Our concentration on what matters is where our job will be in five years. Let's take the knowledge we have and apply it.


by networkingnerd at August 10, 2016 06:44 AM

ipSpace.net Blog (Ivan Pepelnjak)

Ring Message Bus on RS-232

After I completed the LAN-over-RS-232 project, it was obvious (well, not in retrospect) that the solution to every problem must be Z80 computers connected with some crazy RS-232 wiring. A few years later we had to write an application to support rally races. Guess what the solution was ;)

by Ivan Pepelnjak (noreply@blogger.com) at August 10, 2016 06:14 AM

August 08, 2016

ipSpace.net Blog (Ivan Pepelnjak)

And this is why you need automation

I stumbled upon a great description of how you can go bankrupt in 45 minutes due to a manual deployment process. The most relevant part of it:

Any time your deployment process relies on humans reading and following instructions you are exposing yourself to risk. Humans make mistakes. The mistakes could be in the instructions, in the interpretation of the instructions, or in the execution of the instructions.

And no, it's not just application deployment. A similar disaster could happen in your network.

by Ivan Pepelnjak (noreply@blogger.com) at August 08, 2016 06:24 AM

August 04, 2016

ipSpace.net Blog (Ivan Pepelnjak)

Local Area Networking on RS-232

It was the early 1980s and I was just entering my MacGyver phase when someone asked me "could you make a local area network out of an RS-232-based shared bus?" Sure, why not, it can't be that hard…

by Ivan Pepelnjak (noreply@blogger.com) at August 04, 2016 07:41 AM