Scrutinizer v7 NetFlow and sFlow Analyzer: Using the searching utility

Posted in NetFlow, NetFlow Analyzer, Network Traffic Analysis, Network Traffic Monitor, Scrutinizer, Security, sFlow on October 6th, 2009 by Jo-G

Need to find a certain host IP or application on your network? Do you have a user on your network who is violating network policies and you need to provide proof of that to management? Or do you suspect someone is using an application not allowed on your network? Using the searching utility in this network traffic analyzer, you can quickly find the offender, and more.

Three free and fabulous resources for Cisco NetFlow admins, Part 1

Posted in NetFlow, NetFlow Analyzer, Scrutinizer, Security, WebNM, sFlow on August 26th, 2009 by NewsTrax

To celebrate the release of Version 7.0 of Scrutinizer NetFlow and sFlow Analyzer, which is absolutely free, I thought I’d share with you three fabulous free resources for Cisco network administrators.


Using NetFlow to tell if your network is part of a botnet, Part 2

Posted in IT News, NetFlow, NetFlow Analyzer, Network Traffic Analysis, Network Traffic Monitor, Scrutinizer, Security on August 19th, 2009 by NewsTrax

This is the final part in a two-part blog series on using Cisco NetFlow to identify if your network is part of a botnet. Part 1 gave a quick overview of distributed denial of service (DDoS) attacks and how they’re often caused by botnets flooding Web sites with requests, thus making the Web site inaccessible to others.

It’s not just home computers that could be part of botnets. Any work computer could be compromised if users unwittingly download malware or visit malicious Web sites, putting corporate networks at risk. How can Cisco NetFlow be used to identify DDoS attacks?

Using NetFlow to tell if your network is part of a botnet, Part 1

Posted in IT News, NetFlow, NetFlow Analyzer, Network Traffic Monitor, Security on August 12th, 2009 by NewsTrax

Distributed denial of service (DDoS) attacks are unfortunately par for the course on the Internet these days but when high-profile sites are targeted, the attacks are big news. Take for example last week’s DDoS attack on Twitter, which the microblogging site speculated was geopolitical in motivation.

Quick overview of DDoS

DDoS attacks are often caused by botnets flooding Web sites with requests thus bringing the site’s Web servers to their knees. A botnet is a collection of computers that have been compromised by viruses and worms so that they can be controlled by malicious individual(s). An example could be the collection of computers compromised by Conficker, however a Conficker botnet has yet to be leveraged to do harm.

In the case of Twitter, the irony is that it could have been the compromised computers of some of Twitter’s own users that caused the DDoS.


Black Hat 2009: What happened to Conficker’s payload?

Posted in IT News, NetFlow, NetFlow Analyzer, Network Traffic Analysis, Security on July 29th, 2009 by NewsTrax

Black Hat Las Vegas is taking place this week. The event is where professional hackers gather to share what they’ve been working on over the past few months. The results are often pretty startling for most average computer users.

For instance, Alessandro Acquisti, a researcher at Carnegie Mellon University is going to show how information about an individual’s place and date of birth can be exploited to predict his or her Social Security Number. To cut a long story short, Acquisti says SSNs were designed to be simple identifiers and not for authentication purposes, and so businesses should stop using them as confidential passwords.

We know enterprise networks are big targets for cybercriminals. Here are some Black Hat Vegas briefing sessions by security professionals about new attacks that could be around the corner and how to protect against them. Slides from the presentations are expected to be available at the Black Hat site after the event. Slides from January’s Black Hat DC 2009 briefing sessions are here.


Cisco warns of rising spam volumes; how Cisco NetFlow can stop the spread

Posted in IT News, NetFlow, Network Traffic Analysis, Network Traffic Monitor, Scrutinizer, Security on July 22nd, 2009 by NewsTrax

Cisco, in its midyear security report, notes that although vulnerability and threat activity has been off to a slower start this year compared to 2008, we should expect spam volumes to rise to record levels. Cisco says that Memorial Day on May 25, 2009 was the third-highest volume day ever recorded for spam. The report also suggests that criminals are expected to maintain their aggressive targeting of legitimate websites to create botnets through the propagation of malware.

Cisco also warns that until social networking sites use “more robust protection”, cyber criminals will continue to target popular online communities to lure unsuspecting users to click to fraudulent sites or to download malware.


Survey: Only a matter of time before corporate networks are compromised by insiders

Posted in IT News, Network Traffic Monitor, Security on June 17th, 2009 by NewsTrax

We work hard to protect our corporate networks from external threats but any security consultant will tell you that the average corporate network is far more at risk of coming to harm by internal hackers than external. Last month, it emerged that an ex-employee of Dallas-based Energy Future Holdings allegedly hacked into the Texas power company’s network and emailed proprietary information to a personal Yahoo account, and modified and deleted files. The intrusion cost the company’s energy forecast system more than $26,000 for a day in March, reports Wired.com.

And almost a year ago, city employee Terry Childs was arrested on four counts of computer tampering with the City of San Francisco’s multimillion-dollar FiberWAN, which holds much of San Francisco’s key records. Childs, who built and administered the network, refused to hand over passwords to the network, effectively putting the city on lock-down.


The Null Scan – You’re being watched

Posted in Denika, IT News, NetFlow, NetFlow Analyzer, Network Health Report, Network Problem Resolution, Network Traffic Analysis, Network Traffic Monitor, Scrutinizer, Security on May 28th, 2009 by tomp@plixer.com

Oftentimes, when I’m running around the country setting up Flow Analytics, I don’t see Null Scans pop up. However, recently I’ve visited high profile customers that are big targets for malicious behavior. As we configure Cisco NetFlow on their routers and ASA firewalls, I’ve noticed FA alerting on these packets with no flags set.

The Null Scan is a type of TCP scan that hackers — both ethical and malicious — use to identify listening TCP ports. In the right hands, a Null Scan can help identify potential holes for server hardening, but in the wrong hands, it is a reconnaissance tool. It is a pre-attack probe.

A Null Scan is a series of TCP packets that contain a sequence number of 0 and no set flags. In a production environment, there will never be a TCP packet that doesn’t contain a flag. Because the Null Scan does not contain any set flags, it can sometimes penetrate firewalls and edge routers that filter incoming packets with particular flags.

The expected result of a Null Scan on an open port is no response. Since there are no flags set, the target will not know how to handle the request. It will discard the packet and no reply will be sent. If the port is closed, the target will send an RST packet in response.

Information about which ports are open can be useful to hackers, as it will identify active devices and their TCP-based application-layer protocol.

Cisco NetFlow records contain a summary of the packets flowing through an interface, including the TCP flags seen in each flow, which in this case are none at all. Cisco NetFlow coupled with a behavior analysis tool can help identify when Null Scans are occurring on your network.

-Tom Pore
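As an added example (not Tom’s code and not Plixer’s Flow Analytics), here is the kind of check a behavior analysis tool runs over NetFlow records to surface the scan described above: select TCP flows whose cumulative flag byte is zero, group them by source, and corroborate with the RST-only replies that closed ports send back. The CSV field names, the sample export, and the min_ports threshold are all constructed for the example; a real collector’s schema will differ, but every NetFlow v5/v9 record carries the flow’s TCP flags, which is all this needs.

```python
"""Detect Null Scan candidates in NetFlow-style flow records.

Added example (not Plixer code). Field names, the sample export and the
min_ports threshold are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample export in CSV form. tcp_flags is the bitwise OR of the flags
# seen on every packet of the flow, so 0 means no packet carried any flag.
# 10.1.1.50 probes four ports on two hosts with flagless packets; the two
# closed ports (80, 443 on 10.2.2.10) answer with RST; 10.1.1.77 is normal
# traffic, including a UDP flow whose tcp_flags field is 0 by definition.
SAMPLE_FLOWS = """\
src_ip,dst_ip,proto,src_port,dst_port,tcp_flags,packets
10.1.1.50,10.2.2.10,6,40001,22,0,1
10.1.1.50,10.2.2.10,6,40002,80,0,1
10.1.1.50,10.2.2.10,6,40003,443,0,1
10.1.1.50,10.2.2.11,6,40004,3389,0,1
10.2.2.10,10.1.1.50,6,80,40002,4,1
10.2.2.10,10.1.1.50,6,443,40003,4,1
10.1.1.77,10.2.2.10,6,50123,443,27,12
10.1.1.77,8.8.8.8,17,53000,53,0,2
"""

PROTO_TCP = 6
TCP_RST = 0x04
INT_FIELDS = ("proto", "src_port", "dst_port", "tcp_flags", "packets")


def parse_flows(text):
    """Turn the CSV export into a list of dicts with numeric fields as ints."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    flows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        flows.append(rec)
    return flows


def null_scan_flows(flows):
    """TCP flows whose cumulative flag byte is zero.

    UDP and ICMP flows also carry 0 in this field, so the protocol check is
    what keeps them out of the result.
    """
    return [f for f in flows if f["proto"] == PROTO_TCP and f["tcp_flags"] == 0]


def summarize_scanners(flows, min_ports=3):
    """Group flagless probes by source and corroborate with RST replies.

    A closed port answers a flagless probe with RST while an open port stays
    silent, so RST-only flows back to the probing host are the other half of
    the signal. min_ports (a constructed threshold) suppresses a single stray
    flagless flow, which can also be a capture artifact.
    """
    probes = defaultdict(lambda: {"targets": set(), "ports": set()})
    for f in null_scan_flows(flows):
        probes[f["src_ip"]]["targets"].add(f["dst_ip"])
        probes[f["src_ip"]]["ports"].add(f["dst_port"])

    rst_replies = defaultdict(int)
    for f in flows:
        if f["proto"] == PROTO_TCP and f["tcp_flags"] == TCP_RST:
            rst_replies[f["dst_ip"]] += 1

    report = {}
    for src, info in probes.items():
        if len(info["ports"]) >= min_ports:
            report[src] = {
                "targets": sorted(info["targets"]),
                "ports": sorted(info["ports"]),
                "rst_replies": rst_replies[src],
            }
    return report


if __name__ == "__main__":
    for src, info in summarize_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: {len(info['ports'])} ports on {len(info['targets'])} hosts, "
              f"{info['rst_replies']} RST replies")
```

On the sample data the report names 10.1.1.50 only: four flagless TCP probes across two hosts, with two RST replies coming back from the closed ports. The UDP flow from 10.1.1.77 has a zero flag byte too, which is why the detector keys on protocol 6 first; without that check every DNS lookup would look like a probe.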

Cisco adds NetFlow to all Cisco ASA models

Posted in General, NetFlow, Security on May 14th, 2009 by miltong

Cisco has changed its ways! Cisco ASA now supports NetFlow. The new feature in Cisco ASA version 8.2 is called NSEL (NetFlow Security Event Logging) and it allows all ASA models to support NetFlow. Below I have provided the NetFlow configuration of a Cisco ASA (x.x.x.x and xxxx are placeholders for your collector’s IP and UDP port).

flow-export destination inside x.x.x.x xxxx   (collector IP & port)

access-list flow_export_acl permit ip host x.x.x.x host x.x.x.x

class-map flow_export_class
 match access-list flow_export_acl

policy-map flow_export_policy
 class flow_export_class
  flow-export event-type flow-create destination x.x.x.x   (collector IP)

service-policy flow_export_policy global

To see all event type records with NetFlow, use this in place of the flow-create line above:
  flow-export event-type all destination x.x.x.x

If you disable the syslog messages for flow export events this will increase performance:
logging flow-export-syslogs disable

The CLI is great but, configuring the ASA to export NetFlow is easier with Cisco ASDM.

Milton


Tips for safe Tweeting and Facebooking

Posted in General, IT News, Network Traffic Analysis, Scrutinizer, Security on May 11th, 2009 by NewsTrax

You know when something new in the tech world has become mainstream is when hackers begin targeting it. The recent Twitter worm created by 17-year-old Michael “Mikeyy” Mooney helped put Twitter on the map – although not in a way that Twitter would have liked – and exposed a cross-site scripting vulnerability in the microblogging site.

The self-propagating worm struck Easter weekend infecting some Twitter profiles and making them send messages to their contacts to check out Mikeyy’s StalkDaily.com Twitter-like site. (Read an interview with Mikeyy at the NetNewsDaily site.)

Last year, Facebook was hit by the Koobface worm, twice. Like the Twitter worm, Koobface generated messages to friends of infected users on the social networking site. The messages enticed readers to click on a site to watch a video but only after downloading the latest copy of Adobe Flash – yes, you can guess what happens next.

The Facebook and Twitter worms bring home the message that users need to be vigilant when clicking on links in emails, instant messages, Tweets, and so on, even if they appear to be sent by friends or respected brands.

The popularity of Twitter is also giving a boost to URL shortening services, such as the granddaddy TinyURL and the new kids on the block Bit.ly and TweaK. Since Twitter only allows users to update in no more than 140 characters, users are turning to URL shortening services when they want to include long URLs in their updates. But Mikeyy has shown that even updates apparently coming from your friends may not be kosher.

Some URL shortening services enable users to preview links before they click. TechRepublic has posted a useful guide detailing which services offer this feature and how they work.

We believe that you shouldn’t block social networking sites such as Facebook, Twitter and YouTube as they can be beneficial to business, but you can teach your users how to practice safe social networking.

Facebook has details about how to deal with Koobface at its Facebook Security page, and Biz Stone, Twitter co-founder wrote about Mikeyy’s worm in his blog. Security researchers are advising people to disable JavaScript on their browsers to help protect against the Twitter worm. Here are some more security recommendations from Douglas Haider, a Computerworld columnist.

And you know that you can always use Scrutinizer to monitor traffic to these social networking sites.
