Back in the day “recon” had a different meaning than it does today. Today, in the age of cyber-terrorism and cyber-stalking or Google stalking, reconnaissance comes from a variety of different sources including tools such as mash-up applications make things quite palpable for a social engineer. For the purpose of this discussion, let’s consider two entities “stalker” (the person seeking information about “someone”) and the “stalkee” (the “someone” whose information is being sought).
Back in the day (and man I’m only talking about 4-5 years ago!), the only source was public forums where users would post questions using constant email IDs. You would need to scourge through different Usenet groups and that was it…and possibly a Friendster account. Now, people have Facebook profiles which can be publicly viewed. This gives us the information about a person’s friends giving us information about the stalkee’s geographical location and may be even birthday. LinkedIn gives information about the stalkee’s job. You can even confirm the geographical location of the stalkee using LinkedIn. Now you have the name of the person and the geographical location. If you need more information about the person such as his/her age/birthdate, I’ve seen that ZabaSearch is a good resource. You can get a lot of information using ZabaSearch but if the stalkee needs he/she can remove this information using the block feature of Zaba located here. I do not know how they deal with this information but Zaba does have a “premium service” and I do not know if this premium service would give access to these “blocked records”. Now you have the information about the age of the stalkee. You could even search Twitter for the person’s twitter feed to see what the stalkee’s doing. I came across an interesting mashup application that crawls twitter to get information about where a person is and it’s aptly called Please Rob Me!. There are other great tools available such as Loopt and Tripit. Just as Twitter, Google Buzz can also give a lot of information. And the best part about google buzz is things are searchable …cool…the stalker’s job’s now easier.

I’ve often tried to use MS Word tables and do computations with the values in the tables. Example:

Suppose, the following conditions hold true:
c1 = a1xb1
c2 = a2xb2
a3 = a1 + a2
b3 = b1 + b2
c3 = c2 + c2

Click on the c1 cell, click on the “Layout” button, click on “Formula” button, in the Formula field, enter the following:
=PRODUCT(a1:b1)
Similarly, for c2 use =PRODUCT(a2:b2).
For a3,b3,c3 use =SUM(ABOVE)

I’ll be attending the Shmoocon in Washington, DC from Feb 6th-8th. Hope to see all you h4X0rs out there!

Just started blogging…actually getting pretty late into the blogging culture! Studying and doing projects to complete graduation at USC. My homepage is at http://www-scf.usc.edu/~swarup/.

Long time since I posted anything here …. but it’s just been those times been busy as a bee. So securing Cisco routers is a big deal especially since the routers (especially the edge routers) can be critical to any organizations infrastructure. I am not a Cisco guru but am only a student. However, I thought I should create a list that could help me perform security reviews of routers.
Security of routers is important as attackers could add static routes, advertise bad BGP neighbours on edge routers, create inbound tunnel into the intranets and such. Therefore, it’s imperative that adequate efforts be put in to secure Cisco routers.

I thought I’ll put in my first attempt at creating a small checklist:

1. Use SSH for non-console access (“line vty” command should not have telnet in it)
2. Use class 5 passwords, do *not* use class 7 passwords as they’re easily reversed (“enable secret”) alongwith the use of strong passez
3. Limit virtual terminal access by using an ACL
      access-list 100 permit 10.10.10.10 log
      access-list 100 permit 10.10.10.11 log
      access-list deny any log
      line vty 0 4
       access-class 100 in
4. Disable Proxy ARP on each interface (“no ip proxy arp”)
5. Disable CDP as it can be used for information disclosures (“no cdp run”)
6. Use AAA (TACACS+ or RADIUS) (“aaa new-model”, “aaa authentication”, etc.)
7. Use “access-list ACL_NAME deny ip any any log” at the end of each ACL
8. Disable http server (“no ip http server”)
9. Keep the IOS versions updated
10. Set centralized logging using a syslog (“logging internal_ip_address”)
11. Configure NTP to keep the time synchronization (“ntp server 129.6.15.28”)
12. Disable TCP and UDP small services e.g., echo, chargen, discard, etc. (“no service tcp-small-servers” and “no service udp-small-servers”)
13. Put RFC 1918 (ingress filtering) protections using ACLs
       access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
       access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
       access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
       access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
14. Put some more filtering for common IPs
       access-list 100 deny ip 169.254.0.0 0.0.255.255 any log
15. Use SNMPv3 with ACLs if you must (“snmp-server v3 auth priv”)
16. Use SSHv2 (“ip ssh version 2”)
17. Try to use EIGRP instead of RIP/OSPF (“ip authentication mode eigrp N md5”)
18. Use MD5 authentication for RIP/OSPF if you must use these protocols (RIPv2/OSPF)
    (“ip rip authentication mode md5”)
19. For edge routers using BGP authentication (if possible)
       router bgp 10
        neighbor 10.10.10.10 password Cr4zY$%^
20. Configure BGP route flap dampening that prevents BGP oscillations (“bgp dampening”)
21. Use warning banners that could be used for legal purposes for prosecuting hackers

Come end of semester and the project deadlines start impending! The situation I am in is one of great thrill and rush! For the CS558L I’m doing this project in which I have to implement an automated worm fingerprinting mechanism but not only that combining it with ITrace I want to make Worm attacks and DDoS attacks a thing of past!
The scheme in plain English is to detect automatically if your network is being attacked by looking at the traffic and if so communicate this information to whoever you are forwarding this packet to! The ICMP messages that will be forwarded will carry information about who sent this traffic and other such information (including the signature of attack traffic). The receiver with all this information could gather the source of attacks. If all the routers followed this scheme then we will be able to reconstruct the entire path of the attack so the entry point of the attack could also be sealed….(hopefully leading to a Worm and DDoS attack-free internet)!!!
Really hopeful…aren’t I??? 😉
But again this technique has the same single flaw as the other techniques in that it needs co-operation between ISPs.
I am currently coding this scheme in the Linux Kernel 2.6.11.7 and this is my first tryst with linux kernel programming…let’s see what future holds for me!

An interesting thing happened today …I was trying to redirect some input to /dev/null in cygwin…using something like:
some_exec -p params 2>&/dev/null | grep blah
I kept getting an error : bash: Ambiguous redirect.
I then realized that I should probably doing a simple direct and not a re-direct…seemed to solve my problem. Come to think of it…it makes sense, why should I need to redirect when I’m sending it to /dev/null…should simply be able to direct it using:
some_exec -p paraa 2>/dev/null | grep blah