Re: Synful Knock questions...
On 16 Sep 2015, at 11:51, Paul Ferguson wrote:

> Please bear in mind that the attacker *must* acquire credentials to access the box before exploitation.

And must have access to the box in order to utilize said credentials - which of course, there are BCPs intended to prevent same.

---
Roland Dobbins
Re: Synful Knock questions...
Roland Dobbins wrote on 9/16/2015 1:27 AM:

> On 16 Sep 2015, at 11:51, Paul Ferguson wrote:
>
> > Please bear in mind that the attacker *must* acquire credentials to access the box before exploitation.
>
> And must have access to the box in order to utilize said credentials - which of course, there are BCPs intended to prevent same.

There's a big used equipment market. Even in the new equipment market, these devices could be intercepted prior to delivery.
Re: Synful Knock questions...
It's unlikely the routers that got exploited were the initial entry point of the attack. The chain of events can look like this:

- spearphishing email with exploit-laden attachment
- end user opens attachment, internal Windows endpoint compromised
- malware makes outbound connection to command & control server on the internet; downloads more horrible stuff
- threat actor has access to Windows endpoint via reverse tunnel
- threat actor makes lateral attacks to other Windows endpoints; key loggers installed
- threat actor attacks Windows AD servers
- threat actor achieves domain admin; and/or harvests user credentials via keyloggers
- threat actor connects via VPN using harvested user credentials

At this point when they start messing around with routers, you're going to see activity coming from the intended internal management range using legit credentials. When the compromise becomes advanced enough the malware stops being used, and everything is done via legit credentials, which makes the badness more difficult to distinguish.

Part 2 of the Mandiant blog is up, it discusses detection, and seems to reinforce these are backdoored IOS images, and not ROMMON. Although given the Cisco PSIRT post about backdoored ROMMON recently, there's probably multiple attack trends going on concurrently.

https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis0.html

On Wed, Sep 16, 2015 at 2:27 AM, Roland Dobbins wrote:

> On 16 Sep 2015, at 11:51, Paul Ferguson wrote:
>
> > Please bear in mind that the attacker *must* acquire credentials to access the box before exploitation.
>
> And must have access to the box in order to utilize said credentials - which of course, there are BCPs intended to prevent same.
>
> ---
> Roland Dobbins
Re: Synful Knock questions...
HD Moore just posted the results of a full-Internet ZMap scan. I didn't realize that it was remotely detectable. 79 hosts total in 19 countries.

https://zmap.io/synful/

Royce
RE: Re: Synful Knock questions...
That could NEVER happen. :-)

--p

http://www.theregister.co.uk/2015/03/18/want_to_dodge_nsa_supply_chain_taps_ask_cisco_for_a_dead_drop/

-----Original Message-----
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Blake Hudson
Sent: Wednesday, September 16, 2015 8:37 AM
To: nanog@nanog.org
Subject: [EXTERNAL]Re: Synful Knock questions...

. . .

There's a big used equipment market. Even in the new equipment market, these devices could be intercepted prior to delivery.
Re: Synful Knock questions...
On 16 Sep 2015, at 21:00, Michael Douglas wrote:

> It's unlikely the routers that got exploited were the initial entry point of the attack.

I understand all that, thanks.

> At this point when they start messing around with routers, you're going to see activity coming from the intended internal management range using legit credentials.

It would still be quite difficult, and readily detected if accomplished, had BCPs such as AAA, per-command auth, per-command logging, and monitoring of same been implemented. Plus, iACLs would prevent C&C comms, and monitoring of all traffic to/from router interfaces would potentially pick that up, as well.

---
Roland Dobbins
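The monitoring Roland describes (per-command logging plus review of where logins come from) is the part that catches an attacker who already holds legitimate credentials. As an added illustration, not code from the thread, from FireEye or from Cisco, here is a small Python checker that runs over router syslog. The log lines are constructed approximations of IOS login-success and config-logger messages, and the management range and the sensitive-command list are assumptions you would replace with your own.

```python
"""Flag router logins from outside the management range and config commands
that change boot image, config register, logging or AAA state.

Added example: the log format below is a constructed approximation of Cisco IOS
%SEC_LOGIN and %PARSER CFGLOG messages; MGMT_NETS and SENSITIVE_PREFIXES are
assumptions for the example, not values from the thread.
"""
import ipaddress
import re

# Assumed management range: logins from anywhere else are worth a look.
MGMT_NETS = [ipaddress.ip_network("10.99.0.0/24")]

# Command prefixes an implant installer or a credential thief would need;
# assumption for the example, extend for your platform.
SENSITIVE_PREFIXES = (
    "boot system",
    "copy ",
    "upgrade rom-monitor",
    "config-register",
    "no logging",
    "no aaa",
)

LOGIN_RE = re.compile(
    r"LOGIN_SUCCESS: Login Success \[user: (?P<user>\S+)\] \[Source: (?P<src>[0-9.]+)\]"
)
CMD_RE = re.compile(r"CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$")

# Constructed sample log (not real device output); 192.168.50.7 stands in for a
# VPN pool address outside the management range.
SAMPLE_LOG = """\
Sep 16 10:01:02 rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.99.0.15] [localport: 22]
Sep 16 10:01:30 rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:interface GigabitEthernet0/1
Sep 16 11:12:07 rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 192.168.50.7] [localport: 22]
Sep 16 11:13:44 rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:boot system flash:new-image.bin
Sep 16 11:14:01 rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:no logging host 10.99.0.50
"""


def in_mgmt_range(addr: str) -> bool:
    """True when the address falls inside one of the assumed management nets."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in MGMT_NETS)


def analyze(lines):
    """Return findings as dicts; each carries kind, user, source and the raw line.

    A sensitive command is tied back to the source address of that user's most
    recent login so the reviewer sees whether the session came from the
    management range or from somewhere else (e.g. a VPN pool).
    """
    findings = []
    last_src = {}  # user -> source address of their most recent login
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            last_src[m["user"]] = m["src"]
            if not in_mgmt_range(m["src"]):
                findings.append({"kind": "login_outside_mgmt", "user": m["user"],
                                 "src": m["src"], "line": line})
            continue
        m = CMD_RE.search(line)
        if m:
            cmd = m["cmd"].strip()
            if cmd.startswith(SENSITIVE_PREFIXES):
                src = last_src.get(m["user"])
                findings.append({
                    "kind": "sensitive_command",
                    "user": m["user"],
                    "src": src,
                    "session_outside_mgmt": src is not None and not in_mgmt_range(src),
                    "cmd": cmd,
                    "line": line,
                })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f["kind"], f["user"], f.get("src"), f.get("cmd", ""))
```

The point of the `session_outside_mgmt` flag is the scenario in the thread: the commands come from a valid account, so the command text alone is not the signal; the combination of a boot-image or logging change with a login that did not originate from the management range is. In practice the same check belongs on the TACACS+ accounting stream rather than on syslog alone, since an attacker with enable access can turn off syslog (the last sample line) but not retroactively remove accounting records already sent.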
RE: SMS Gateway
As a retro twist on that, we still use alpha pagers with TAP. Basement level coverage on a single AA battery that lasts 3 months. The nice thing about them is that you can turn your cellphone off at night (yes, I do that), and still know that important alerts will come through the pager.

At 01:36 PM 15/09/2015, Gary T. Giesen wrote:

> Another option might be an analog modem + phone line + carrier TAP gateway (if your carrier(s) has/have one). Might or might not be more cost-effective.
>
> GTG
>
> > -----Original Message-----
> > From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Martin Hotze
> > Sent: September 15, 2015 8:37 AM
> > To: nanog@nanog.org
> > Subject: Re: SMS Gateway
> >
> > > From: Leonardo Arena
> > > To: Graham Johnston
> > > Cc: "'nanog@nanog.org'"
> > >
> > > On Mon, 14/09/2015 at 14.53 +, Graham Johnston wrote:
> > > > Today we use a product from MultiTech Systems called MultiModem iSMS to send SMS text messages from our monitoring system to our on call staff. This is a 2G product and we need to replace it soon. I know there are more generic cellular modems that can do texting if you are willing to put in the effort, the product we use currently though has a simple HTTP based API specifically to send SMS. Is anybody out there using something similar that can work on 3G or 4G networks?
> > >
> > > Here we use SMSTools (http://smstools3.kekekasvi.com/) on a Linux box with a Multitech Serial/USB modem. It takes formatted text files from a spooling directory. It never let us down since some years.
> >
> > +1 for smstools.
> >
> > and I'd add playsms.org
> >
> > grab yourself a compatible USB 3G stick which you can switch to a modem. eg a HUAWEI E1762 should work. You might want to look into a device with an antenna plug so you can put the antenna out of your cabinet for better reception.
> >
> > martin

--
Clayton Zekelman
Managed Network Systems Inc. (MNSi)
3363 Tecumseh Rd. E
Windsor, Ontario
N8W 1H4
tel. 519-985-8410
fax. 519-985-8409
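Leonardo's note that smstools "takes formatted text files from a spooling directory" is the whole integration surface for a monitoring system. As an added example, not code from the thread or from the smstools project, here is a Python helper that builds such a file and drops it into the outgoing spool. It assumes the spool path is passed in (a default install uses /var/spool/sms/outgoing), that smsd reads a file of header lines, a blank line and the message body, and that writing under a temporary name in a sibling directory on the same filesystem and then renaming into place keeps smsd from picking up a half-written file; the phone number is a constructed 555 value.

```python
"""Queue an alert for smstools (smsd) by writing a file into its outgoing spool.

Added example, not from the thread or from smstools. Assumptions: smsd accepts a
"To: <digits>" header, a blank line and the body; rename within one filesystem is
atomic, so staging the file in a sibling directory avoids partial pickup.
"""
import os
import re
import tempfile
from pathlib import Path

# Destination as international digits without '+', 7-15 digits (E.164 length).
NUMBER_RE = re.compile(r"^[0-9]{7,15}$")


def build_spool_text(to: str, text: str) -> str:
    """Render the header/body layout an smstools outgoing file uses."""
    if not NUMBER_RE.match(to):
        raise ValueError(f"destination must be 7-15 digits, got {to!r}")
    body = text.replace("\r\n", "\n").strip()
    if not body:
        raise ValueError("empty message body")
    return f"To: {to}\n\n{body}\n"


def queue_sms(outgoing_dir, to: str, text: str) -> Path:
    """Write the spool file atomically and return its final path."""
    outgoing = Path(outgoing_dir)
    staging = outgoing.parent / "staging"  # same filesystem, so the rename is atomic
    staging.mkdir(parents=True, exist_ok=True)
    outgoing.mkdir(parents=True, exist_ok=True)
    fd, tmp_name = tempfile.mkstemp(prefix="alert_", dir=staging)
    # Monitoring alerts are plain ASCII here; anything else is replaced so the
    # modem never sees an encoding it was not configured for (assumption).
    with os.fdopen(fd, "w", encoding="ascii", errors="replace") as fh:
        fh.write(build_spool_text(to, text))
    final = outgoing / Path(tmp_name).name
    os.replace(tmp_name, final)
    return final


def parse_spool_file(path) -> tuple:
    """Read a spool file back into (destination, body); used as a self-check."""
    raw = Path(path).read_text(encoding="ascii")
    header, _, body = raw.partition("\n\n")
    headers = dict(line.split(": ", 1) for line in header.splitlines())
    return headers["To"], body.rstrip("\n")


def demo() -> tuple:
    """Round-trip one constructed alert through a throwaway spool directory."""
    root = Path(tempfile.mkdtemp(prefix="smsdemo_"))
    path = queue_sms(root / "outgoing", "15195550100",
                     "ALERT: core-rtr1 BGP session to AS64500 down")
    return parse_spool_file(path)


if __name__ == "__main__":
    print(demo())
```

Keeping the number check strict matters more than it looks: the spool file is the only input validation between the monitoring system and the modem, and a malformed destination is the difference between an alert that pages the on-call engineer and one that silently lands in smsd's failed directory.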
Re: Synful Knock questions...
Follow-up to my own post, FireEye has code on github:

https://github.com/fireeye/synfulknock

On 2015-09-16 10:27 AM, Stephen Fulton wrote:

> Interesting, anyone have more details on how to construct the scan using something like nmap?
>
> -- Stephen
>
> On 2015-09-16 9:20 AM, Royce Williams wrote:
>
> > HD Moore just posted the results of a full-Internet ZMap scan. I didn't realize that it was remotely detectable. 79 hosts total in 19 countries.
> >
> > https://zmap.io/synful/
> >
> > Royce
Re: Synful Knock questions...
Interesting, anyone have more details on how to construct the scan using something like nmap?

-- Stephen

On 2015-09-16 9:20 AM, Royce Williams wrote:

> HD Moore just posted the results of a full-Internet ZMap scan. I didn't realize that it was remotely detectable. 79 hosts total in 19 countries.
>
> https://zmap.io/synful/
>
> Royce
Ashburn
What the world is going on in Ashburn? Over the last two days I've seen multiple flaps from multiple carriers going through there. They generally last about two to three minutes and then everything restores.
Re: Sign-On Letter to the Court in the FCC's Net Neutrality Case
Why don't you post a copy here or a link? The message seems good; the process is broken.

Beckman

On Tue, 15 Sep 2015, Eric Brunner-Williams wrote:

> I read it, it's rather good.
>
> -e
>
> On 9/12/15 12:45 PM, John Levine wrote:
>
> > > If you're willing to sign on and help today, please email me directly (off list) and I will be happy to share a copy of the letter for you to review before you agree to sign on.
> >
> > Why don't you just send us a copy or a link? If you're planning to file it as an amicus it's not like it's going to be a secret for very long.
> >
> > Regards,
> > John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
> > Please consider the environment before reading this e-mail. http://jl.ly

---
Peter Beckman
Internet Guy
beck...@angryox.com
http://www.angryox.com/
---
Re: Ashburn
removal of nsa taps

On Wed, Sep 16, 2015 at 10:34 AM, Matt Hoppes wrote:

> What the world is going on in Ashburn? Over the last two days I've seen multiple flaps from multiple carriers going through there. They generally last about two to three minutes and then everything restores.
Re: Ashburn
I heard that yesterday... I can't figure out why NTT having issues is affecting other carriers that peer in Ashburn though must be a routing table is blowing up somewhere there.

On 9/16/15 11:32 AM, Justin wrote:

> I know NTT is having issues. We received an RFO stating there was an issue and they were going to do software upgrades to fix.
>
> On Wed, Sep 16, 2015 at 10:34 AM, Matt Hoppes wrote:
>
> > What the world is going on in Ashburn? Over the last two days I've seen multiple flaps from multiple carriers going through there. They generally last about two to three minutes and then everything restores.
Re: Ashburn
I know NTT is having issues. We received an RFO stating there was an issue and they were going to do software upgrades to fix.

On Wed, Sep 16, 2015 at 10:34 AM, Matt Hoppes wrote:

> What the world is going on in Ashburn? Over the last two days I've seen multiple flaps from multiple carriers going through there. They generally last about two to three minutes and then everything restores.
Re: Ashburn
Or router bugs. Or even inserting new NSA taps since some of the rest have been caught.

---
Keith Stokes

From: NANOG on behalf of Christopher Morrow
Sent: Wednesday, September 16, 2015 10:34 AM
To: Matt Hoppes
Cc: North American Network Operators' Group
Subject: Re: Ashburn

removal of nsa taps

On Wed, Sep 16, 2015 at 10:34 AM, Matt Hoppes wrote:

> What the world is going on in Ashburn? Over the last two days I've seen multiple flaps from multiple carriers going through there. They generally last about two to three minutes and then everything restores.
Re: Ashburn
If there are ongoing issues at NTT I'm not aware of them, please contact me off-list with details. Happy to follow-up.

- Jared

> On Sep 16, 2015, at 11:36 AM, Matt Hoppes wrote:
>
> I heard that yesterday... I can't figure out why NTT having issues is affecting other carriers that peer in Ashburn though must be a routing table is blowing up somewhere there.
>
> On 9/16/15 11:32 AM, Justin wrote:
>
> > I know NTT is having issues. We received an RFO stating there was an issue and they were going to do software upgrades to fix.
> >
> > On Wed, Sep 16, 2015 at 10:34 AM, Matt Hoppes wrote:
> >
> > > What the world is going on in Ashburn? Over the last two days I've seen multiple flaps from multiple carriers going through there. They generally last about two to three minutes and then everything restores.
Re: Ashburn
*chuckle*

I did hear rumors of a fiber cut yesterday in the area but no hard details.

- Jared

> On Sep 16, 2015, at 11:34 AM, Christopher Morrow wrote:
>
> removal of nsa taps
>
> On Wed, Sep 16, 2015 at 10:34 AM, Matt Hoppes wrote:
>
> > What the world is going on in Ashburn? Over the last two days I've seen multiple flaps from multiple carriers going through there. They generally last about two to three minutes and then everything restores.
Re: root zone archive
On Thu, 17 Sep 2015, Joe Abley wrote:

> Is anybody here aware of a complete or partial archive of root zone data that is older than the set available at DNS-OARC? OARC's archive has nothing older than July 2009.

I covered most of the root changes up to 2002 on a DNS timeline.

http://www.donelan.com/dnstimeline.html
Re: root zone archive
Hi Alvin,

On 17 Sep 2015, at 1:27, alvin nanog wrote:

> On 09/17/15 at 12:33am, Joe Abley wrote:
> ...
> > I'm particularly interested in zone data that describes the build out of the original root zone NS set to nine servers in mid-1994, the renaming under the ROOT-SERVERS.NET domain and the subsequent assignment of J, K, L and M.
>
> wouldn't that info be in the files included with bind-0.x
>
> I don't know, but worth a look.

Good idea, thanks!

Joe
root zone archive
Hi all,

Is anybody here aware of a complete or partial archive of root zone data that is older than the set available at DNS-OARC? OARC's archive has nothing older than July 2009.

I'm particularly interested in zone data that describes the build out of the original root zone NS set to nine servers in mid-1994, the renaming under the ROOT-SERVERS.NET domain and the subsequent assignment of J, K, L and M.

I realise this is a bit of a long shot, but the answer's always no if you don't ask :-)

[I'm asking the same question on a small handful of lists; apologies if you get multiple copies of this.]

Joe
Re: root zone archive
hi

On 09/17/15 at 12:33am, Joe Abley wrote:
...
> I'm particularly interested in zone data that describes the build out of the original root zone NS set to nine servers in mid-1994, the renaming under the ROOT-SERVERS.NET domain and the subsequent assignment of J, K, L and M.

wouldn't that info be in the files included with bind-0.x

have fun

alvin