Snowden Picking Info Off the NSA Network – What Went Wrong

As agreed I’d revisit this article from Computer World

The story is just screaming some basic fundamental but glaring omissions in the security practice. In the CISSP study material by lesson 3 or in the beginning they address least privilege roles and mandatory and discretionary controls. Where is the payoff of hiring someone with a CISSP working for the NSA who failed to demonstrate this practice? Why is it that we can see when people access certain shares and yet the big machine cannot?

The documents were kept in the portal so that NSA analysts and other officials could read and discuss them online, NSA CTO Lonny Anderson told National Public Radio in an interview Wednesday.

As a contracted NSA systems administrator with top-secret Sensitive Compartmented Information (SCI) clearance, Snowden could access the intranet site and move especially sensitive documents to a more secure location without raising red flags, Anderson said.

Thus, Snowden could steal the NSA Power Point slides, secret court orders and classified agency reports that he leaked to the media. “The assignment was the perfect cover for someone who wanted to leak documents,” Anderson told NPR.

“His job was to do what he did. He wasn’t a ghost. He wasn’t that clever. He did his job,” Anderson said.

That above mentioned quote should get a knee slap at happy hour for being duped by Snowden. While he wasn’t “clever” Ms. Anderson to hack in and get the loot he was clever enough to do it and leave before you stopped him. He went right in the front door and did it right under your nose. You’d be wise to allow only the people that need to know actually perform the technical work with the same controls mentioned below here with tagging a.k.a. similar to audit trail enabling.

The NSA has also started “tagging” sensitive data and documents to ensure that only people with a need to see a documents can access it. The document tagging rule also lets security auditors see how individuals with legitimate access to the data are actually using it, Anderson said.

This leads the general public to believe that you are using some Windows file share system and not a content delivery system that has audit trail turned on from design and the start of the system. This brings me back to my pharmaceutical days where there was a vendor Agilent who made a document system where one could see research and look up based on metadata. The NSA could learn a lesson here.

The following excerpt of the article indicating a response from Eric Chiu, is one I disagree with. While role based security is nice for the group, let’s look at the individual. As stated by Mr. Chiu

“Companies need to shift their thinking from an outside-in model of security to an inside out approach,” said Eric Chiu, founder of Hytrust, a cloud infrastructure management company.

“Only by implementing strong access controls [like] the recent NSA ‘two-man’ rule as well as role-based monitoring, can you secure critical systems and data against these threats and prevent breaches as well as data center failures,” he said.

Where is the detailed log of the individual user? In discretionary access control the user can make policy decisions contrary to mandatory access control. From the wiki for quick reference

With mandatory access control, this security policy is centrally controlled by a security policy administrator; users do not have the ability to override the policy and, for example, grant access to files that would otherwise be restricted. By contrast, discretionary access control (DAC), which also governs the ability of subjects to access objects, allows users the ability to make policy decisions and/or assign security attributes. (The traditional Unix system of users, groups, and read-write-execute permissions is an example of DAC.) MAC-enabled systems allow policy administrators to implement organization-wide security policies. Unlike with DAC, users cannot override or modify this policy, either accidentally or intentionally. This allows security administrators to define a central policy that is guaranteed (in principle) to be enforced for all users.

I believe the correct solution would be a Lattice based access control implementation where the user can only access data if their security designation is greater than the target AND there is user logging while in the system.

Now taking this story down the rabbit hole what makes you think that glasses wearing Snowden didn’t go in and read the documentation and record it with super spy glasses? How about the cell phone camera? How about a phone call with him reading verbatim the information right off the screen? These are also fundamental physical breaches that may or may not be considered as this can be done in plain sight. Why was he accessing so many files? Why wasn’t the 6 month security access check picking up on his behavior? Why isn’t the NSA watching their own people more closely than they are watching us? How come Israeli people can detect malicious people in airports by watching and interviewing them with no mechanical screening but the old fashion way?

Penetration Testing with Linux – Featuring Kali and Armitage

Netwerk Guardian LLC is bringing this to you showing what can be done penetration testing with Kali or Backtrack and using Armitage. This is a technical subset of my thesis on Effective Penetration Testing. So without further delay…

Penetration testing with Linux is one of the best ways to perform tests. It is a
versatile tool. Linux comes in many flavors like Backtrack5 RC3 or now Kali. Linux allows for the customization of the software itself plus the tools that you use. Therefore, the customization and level of sophistication is limitless. This article will cover using Backtrack5 RC3 and Armitage for the test as it was executed during the pen test. This article may not cover all features of Armitage. However, in order to provide you a better understanding of Amritage, Kali will be used as well in different screenshots. Note that Armitage is no longer supported under Backtrack with the recent release of Kali in early 2013. We chose to use Kali in this article to show you something recent but the other versions of Linux are still very good tools to use in the field.

Backtrack comes loaded with metasploit and as you know in order to find and run an exploit you have to switch to the directory and run the commands specific to it. This is no longer the case with Kali and the FHS (Filesystem Hierarchy Standard) Kali has taken care of this to make all commands system wide accessible from the command line. Armitage provides a nice GUI interface to Metasploit. It also has a dashboard you can use for setting up the hosts or network you are going to target. You can import hosts from files associated with other network security assessment tools like Nessus, IP360, and Burp session xml. Armitage imports anything from a text or xml file. You can use some of the automation presented with Armitage. In addition, it is wise to use customized these scripts when delivering a penetration test. You never really know what the outcome may be unless you test in a lab first. The great thing about Armitage is that it has a database of known vulnerabilities and attacks in which you can draw from in your test. This helps save time and keep you focused but not all exploits work as targets can be hardened. Customizing scripts and Linux has long been the core of these releases. Armitage can be used as a standalone tool as well as network solution when working with other pen testers. There are a few reporting options that can be used with Backtrack or Kali to save your work and share results or progress. Armitage has its own place to store evidence in data format but not in a report format that would be all inclusive. This is what is called loot where the results go.

Launching Armitage comes from navigating to the Applications menu item and following the terms Kali Linux > Exploitation Tools > Network Exploitation > Armitage (Image 1). In this new installation of Kali, you will have to manually type the following commands in order to get Armitage to connect to the database. They are; service postgresql start and service metasploit start. Once these are entered, you can start Armitage successfully using the install default user name msf and password test.
Image 1
Starting_Kali

Next there are a series of prompts that you will be directed to for launching and customizing port usage. Once Armitage is open we can begin using it to scan for hosts or network subnets. Just launch nmap (Image 2) from within Armitage and choose to add a host or scan a network with several scripted choices. The rules are the same for using nmap in Armitage and by itself. There are aggressive scan and quieter scans. So choose wisely in order to remain quiet. The machines we want to target are 10.10.10.5 and 10.10.10.7. One is a server hosting the core business application and the other is a typical user workstation. See image 3 below from the previous run pen test Armitage on Backtrack5 RC3.

Image 2 (Launching nmap within Armitage)
Arm_Launching_Nmap

The next step you want to use is the find vulnerabilities scan. This takes Armitage and scans the hosts out there and it comes up with a proposed list of attacks. Now not all and every attack is going to work. It will give a type of technology to exploit. This coupled with your experience and training can then discover that it may or may not be successful. This is where the pen tester needs to be on their best game to find an exploit in which to launch a payload. What is good about Armitage is that each exploit or payload you try opens a new tab. So you can see what works and doesn’t and where to go next.
Now that we have our hosts found, targeted, and with an attack list, we can proceed. Since the machines were Windows based, we quickly went to this exploit to see if there was a way to pwn the boxes. In Armitage you can assign accounts to each host that is used to login and run the payloads. We chose many exploits but found that only one really works and will be addressed later. Below in Image 3 you can see that when a system username and password are known and the Login > psexec is used, the lightning is seen all around it.

Image 3 (Note the lightning around Hosts = pwned)
Arm_Pwnd_PCs

In the pen test shown here the machines’ administrator accounts were known in a white box test to see if we can sniff traffic from the core business application. The objective is that we are going to imitate an insider threat or demonstrate beyond passing the hash for Windows users in the network.
The following shows what we want to test. This is taken from a lab setup a typical company using earth materials management system. The network is made of Microsoft Windows machines with Windows 7 for end users and Windows Server 2008 R2. The objective is to look for vulnerabilities on the host machines to see if we can capture data on the hosts going across the network to the server for corporate espionage.
1. Test Core Business Application
a. Test core business application against
i. Clear text traffic capturing
ii. Man in the middle (MITM)
iii. Spoofing
iv. Armitage w/Meterpreter
v. DoS Slowloris

Port Scanning Results and Issues
Scanning Windows machines

The first test was scanning of services and ports on Microsoft devices. The test discovered the default Windows system ports open for unsigned SMB, telnet, and high ports. This included the port scanning by Nessus as well as the Microsoft Baseline Analyzer. The results from Nessus showed that there existed an unsigned SMB/Samba port (445) as well as using the open clear text port channel (23). Nessus found only (1) medium and (1) low alert for the server 10.10.10.5. Port (135) on the workstation was found open and that was used for remote procedure protocol. Port (139) was found open and used with SMB for file sharing with other devices beside Microsoft. Port (808) is the Streetsmarts Web based application running encrypted. Port (992) was found to be an SSL port with a certificate error. Additional ports were found open ranging from (49152-49157) and were due from a release from Microsoft in January 2008 to start the open port range at that (49152). Some P2P (peer-to-peer) file sharing has been known to run over these ports.
The possible attack that could have occurred but was not conducted in the test was escalation in privileges via SMB vulnerability and brute forcing usernames and passwords. The attacker also could have social engineered the information from an unsuspecting user. There is a probability that this could have happened.

Armitage has the option for you to ask it what vulnerabilities and attacks could be possible on the chosen target. Just go to the host and select it and then go to the menu Attacks > Find Attacks. It will return a list of possible attacks and say “Happy Hunting!” Therefore, that is exactly what happened.

The following tools were used to test a vulnerability of unencrypted communication on the LAN (Local Area Network) with ettercap always being used for the MITM. They are SSLstrip, Dsniff, Driftnet, Urlsnarf, and meterpreter.

Technical Overview – Sniffing MITM Attacks
Using Ettercap we copied traffic from the user and the gateway to our pent-testing laptop. We used Ettercap with the following in an attempt to see traffic, sslstrip, urlsnarf, dnsiff, and Driftnet with these commands entered. In Ettercap we scanned the subnet and added a target 1 = gateway and target 2 = the victim machine. Here we were able to get a copy of everything being sent by the user to the laptop (attacker) first before going to the real gateway. This is done with sslstrip, iptables, ettercap with MITM attack arp spoofing. It is very important that in a test where you are trying to conceal what you are doing from detection that you must ensure you laptop is able to handle the traffic. You must be ready to execute the sequence of commands in order to avoid seeing packets destined to the same IP address twice.

Each attack and tool used has its benefits and limitations. The idea was to see data going across for corporate espionage and send to a competitor for money. The tools researched and chosen for this pen test to see what would really come across the wire. The following is a brief overview of each tool.

SSLstrip – Is a tool that prohibits a connection from upgrading to an SSL session in an unnoticeable way. Also the history behind this is that one could forge a certificate as being signed and trusted in order to appear as an https session or that the session was legitimate with the intended server that actually ended up being the attacker (Wikipedia).

Dsniff – A tool used to sniff anything of interest like email or passwords. Arp spoof has to be running of course so that the traffic is routed through the attacker PC and back out to the real router and PC (Wikipedia).

Driftnet – This tool allows you to see what images are going across the user’s browser while surfing the web. In this test users were not on the internet but were using a browser to launch an application which we wanted to see.

Urlsnarf – A tool that places all visited url output to file for easy reviewing. Not a tool that provides much advantage in this pen test.

Meterpreter – This tool can be used to take advantage of many vulnerabilities in different platforms in order to gain root access or control of a PC.

Script Execution
In the following presentation of code we see that numerous attempts utilizing ettercap and arp spoofing was done to send traffic to the attacker. Each tool was run alongside ettercap to see what information would actually pass to the attacker. The most exciting tools were Driftnet and meterpreter because of what could be seen and the control.

ettercap –mitm ARP:REMOTE –text –quiet –write /root/sslstrip/ettercap.log –iface eth0
Also the GUI was used to pick target client Windows 7 machine 10.10.10.7 and second target the application server 10.10.10.5.

Execute the following commands
In the CLI we entered:
root@bt:/# echo 1 > /proc/sys/net/ipv4/ip_forward
root@bt:/#cat /proc/sys/net/ipv4/ip_forward
root@bt:# sudo iptables -t nat -A PREROUTING -p tcp –destination-port 80 -j REDIRECT –to-port 10000
Now verify it took the filter
root@bt:~# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp — anywhere anywhere tcp dpt:www redir ports 10000
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
root@bt:# sudo python sslstrip.py -l 1000 -f lock.ico

Results sslstrip: No data or text of any sort was visible, since all data was being passed through an encrypted channel.

Results with dsniff: Web addresses were visible, but no usernames or passwords. These results show that the application is very secure.

Results with driftnet: There were no pictures or images of the site going across. There were web addresses being listed.

Results with urlsnarf: The only thing that came through here was some local address space and some internet address space redacted for publication. Still there were no real gems of information for quick gains.

Technical Output
root@bt:~# urlsnarf -n -i eth0
urlsnarf: listening on eth0 [tcp port 80 or port 8080 or port 3128]
10.10.10.7 – – [15/Jan/2013:23:10:12 -0500] “GET http://www.google.com/ HTTP/1.1” – – “-” “Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)”
10.10.10.7 – – [15/Jan/2013:23:10:13 -0500] “GET
10.10.10.7 – – [15/Jan/2013:23:11:17 -0500] “GET http://www.mwsystems.com/servlet/servlet.FileDownload?file=01540000000nqRS HTTP/1.1” – – “http://10.10.10.5/” “Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)”
10.10.10.7 – – [15/Jan/2013:23:11:17 -0500] “GET http://www.mwsystems.com/servlet/servlet.FileDownload?file=01540000000nr9Z HTTP/1.1” – – “http://10.10.10.5/” “Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)”
10.10.10.7 – – [15/Jan/2013:23:11:17 -0500] “GET http://www.mwsystems.com/servlet/servlet.FileDownload?file=01540000000nr9K HTTP/1.1” – – “http://10.10.10.5/” “Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)”
10.10.10.7 – – [15/Jan/2013:23:11:17 -0500] “GET http://www.mwsystems.com/servlet/servlet.FileDownload?file=01540000000nr9A HTTP/1.1” – – “http://10.10.10.5/” “Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)”
10.10.10.7 – – [15/Jan/2013:23:11:17 -0500] “GET http://www.mwsystems.com/servlet/servlet.FileDownload?file=01540000000nroD HTTP/1.1” – – “http://10.10.10.5/” “Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)”

Executed commands (example):
root@bt:/# echo 1 > /proc/sys/net/ipv4/ip_forward
root@bt:/#cat /proc/sys/net/ipv4/ip_forward 1

In another terminal, we used Driftnet
root@bt:/# driftnet -i eth0
root@bt:/# driftnet -i eth0 -v -s (in an attempt to gain audio being streamed)
We could then see what the user was looking at for images.

Results: Images from core business application were not being sent to our laptop despite driftnet running
root@bt:~# driftnet -i eth0 -v
driftnet: using temporary file directory /tmp/driftnet-AmaowM
driftnet: listening on eth0 in promiscuous mode
driftnet: using filter expression `tcp’
driftnet: started display child, pid 2562
driftnet: link-level header length is 14 bytes
.driftnet: new connection: 10.10.10.7:49363 -> 23.45.9.75:80
…driftnet: new connection: 10.10.10.7:49365 -> 23.45.9.75:80
…driftnet: new connection: 10.10.10.7:49364 -> 23.45.9.75:80
…driftnet: new connection: 10.10.10.7:49368 -> 23.45.9.75:80

Meterpreter – Meterpreter used in with Armitage a connection made it impossible to glean any data or provide a way to leak data out; Meterpreter was used in this test. Knowing the administrator password, the connection was possible. Even a regular user with a known password would be able to both pass the hash dump and crack passwords later in order to attempt to escalate privileges. Time being the factor is how successful the cracker would be by going slow and password cracking.

Results: We were able to log keystrokes and take screen shots of the user’s computer. This is one way data could be captured. In this test, we show that key logging and screen captures are possible; however, they are not very effective as shown below, Image 7. Anything that was operating on the application level of the OSI model remained visible and the tool worked. When things went encrypted at the network level it was impossible to see.

Image 4 – Armitage Text Output of Key logging

Arm_Keylog_output

Image 5 – Email Credentials Entered
Email_Creds_Entered


Image 6 Screenshot Before Launching Encrypted Application

SS_b4_launch_app

Image 7 – After Launching Encrypted Application
SS_after_Launch_app

We have seen before that the desktop can be captured with screen shots and information could be leaked this way. However, notice in the image below that the application icon is present as a big ‘S’ in the toolbar, and on the workstation it is in the foreground. However, the image reveals that it is not seen and therefore encrypted to the reverse tcp shell. That ‘S’ represents the business’s core business application. The launch html page is the only visible part of the application, which is done on port 80. This demonstrates that the application running on the computer was able to encrypt all activity for queries, results, and navigation.


DoS – Slowloris Python Script

Now we get to some fun. Besides trying to sniff traffic and look at client proprietary data, we can also try to make their systems unavailable to them for this test. Remember that an unavailable system is loss of income or a serious impact that can make generating income and staying operational difficult to do. The script that we will use is a python script called slowloris. This script can be found at http://ha.ckers.org/slowloris/. There is a script for IPv6 as well. This script is unique in that it does not try to hammer the web server right away with a full load of requests but that it comes in waves. There is a setting in the script for the number of connections per second and the frequency of those connections. These two fields were used against the server. The server was a Windows Server 2008 R2 (fresh install and no updates).

In order to start the script after you have downloaded it to your pen test PC is by As with any test you start with what is supposed to work and then review the results and make changes. The changes we made were simple as each time slowloris runs it makes a whole bunch of half requests to the web server. The requests never get finished and the web server is just sitting there with a session consumed waiting for the user to resume communication. This weakness is known for some Apache servers but not on IIS 7.0. At the time of this test it was unknown but thought it would be fun to try. Also check to make sure that you have Perl installed perl –v as most Linux instances do.

We modified the script to change the number of connections and then we lowered the timeout period for waiting to start that new connection. As the script ran we would notice the CPU on the server would spike to 78% and then 100% and then go down again as the script had entered its wait interval. Then it would run again and we would see similar results on the CPU. Now as far as hacking goes if you do not get the results you want just keep trying. So we stopped the script and change the connection per second to the maximum it would take 10,000 per second and again tested. After the second run the Server 2008 R2 would just take a hit but continue to serve out the web page. Unfortunately for the pen tester there was no break in service. Fortunately, for the company running the software they stayed operational. As a side note for non-Linux tool we used the Low orbit Ion Cannon multiple times on the server in addition to slowloris and still the web site was up.

The following commands will result in the same activity as we tested earlier in 2013. ./slowloris.pl -dns www.example.com -port 443 -timeout 30 -num 10000 –https

In conclusion, we see that Linux offers a wide variety of attack tools that can be run independently or a part of a package like Armitage, Kali, Ubuntu, and of course the metasploit framework. This gives penetration testers the tools they need to perform tests against vulnerabilities by testing the exploits with different payloads. Some Windows based tools that can be used have gained notoriety but still Linux is a preferred platform. What is great about Linux and the open source community is that there are a lot of people contributing to its success. That is something that will carry the distributions forward as time and technology change.

XKeyscore: NSA tool collects ‘nearly everything a user does on the internet’

Amazing in and of itself but I guess it’s fair game for thwarting terrorism. If used to target anyone with that intent of hostile acts. I would agree with the program if and only if it was used to collect data on people of interest and not just random or everyone. That being said there must be some control used in the system to do that effectively. However, it is alo just as easy to spoof email addresses and come up with rogue or false chat systems just to make the data useless. Remember a system is only as good as the data in it. So in theory, the NSA could not omit regular general public because the bad people could also be using spoofed email addresses and IRC chats etc and fake systems just to introduce false information or hide under the guise of some other legitamate system. So it is easier for them to collect data from anyone. If anyone gave enough time and effort to build a system to make this system useless, than that would be a good attack platform.

Anyways…a good read into the intrigue.

XKeyscore- NSA Tool that Collects….Everything??

Going Black – Making it Tough for Big Brother (Series)

Good day, I hope today finds you in perfect peace. Today we are going to talk about a new service and a new approach to keeping your data private. Recent events showing that the NSA as well as the big companies out there are profiling you. They want to store your identity and habits for future use. Netwerk Guardian is going to show you how to thwart their efforts. What good is it to the NSA or Google or any place that collects and harvests your personal profile through behavior monitoring, its information on how you think and live. They can use that information against you if they would like to have a contest of who can put more shame on whom. More likely, they will use it to see your political bias and connections. After the Snowden release, they really cannot be any more shameful than now. Therefore, we are going to show you how to give them useless data. Useless data really renders a system useless and reduces the taxpayer’s dollar (your money) to really a waste of money and time. I hope that enough people do this, maybe then they will get the picture and just stop. This will be at the end of the series. However, the evil in man and the lust for power and control will likely just make this tick them off and come up with some other regulatory way to make you commit information to them about you.

First step in going off the grid and going black is to change everything you use to something else. Change you email address, your online profiles, if you have Facebook, MySpace or other limelight platforms…ditch them. YouTube is going to be tough to leave but granted, if another site is made that offers the same service then that too will be a success. Until then use TOR network and a VMware appliance. The best way to change your email address is buy a domain. It can cost you but what is your privacy worth?!

Second, is buy or use free encryption software to encrypt your emails. Granted, it is going to be a bit painful in the beginning but you will sleep better knowing that it is you and the close ones around you that know who you are. There are a few places on the web you can go to get this service. However, I would rather encrypt locally. One place is while I have not used it, it seems to do the job. There is a group researching the use of a java based encryption and decryption tool that works on anything found here . I think this will carry for into the future for use on mobile devices with various platforms running. More to come on this as more software comes to mind.

Third thing that can be done is to start using TOR network for browsing as well as proxy servers for ditching your fingerprints on the web.

Fourth, is that you could start using another forma of currency that the Federal Reserve will not approve, BitCoin. Untraceable but holds it worth. There is movement to make this outlawed since it cannot be regulated by one particular body (Global Banks) so it obviously works.

In the meant time if you have time, you can use some automation and start sending up erroneous web traffic data under your old Gmail account and start using Google search page.

More to come as we investigate and get back in control of who gets access to what. Stay tuned because this service is being launched by Netwerk Guardian to accept requests to anonymize one’s identity and provide safe ways of browsing and using the internet.

Just think…I privatized your God given right to be yourself. This peace of mind comes with a little costs but we now will have done two things, privatized anonymity and stimulated the economy in the technology and security sector.

Keeping Your Internet and Computing Private

Recent stories about Edward Snowden gets you thinking just how secure and private your “Personal Computer” really is. The big data companies are always promoting Google Voice, Google Chat, Gmail and all that. You have to ask yourself why is that free? What are they really trying to push? Each year you are at the edge of your seat when you hear they are allowing another free year of Google Voice. Well that is because you the public are offering free intelligence to them and willingly. We all psychologically want to be a part of something. We all like gadgets and technology as it makes our days fin and easier. Well to combat that surveillance of Big Brother or Big Sis, you use the following apps from Android Market Place.

Orbot Proxy with TOR – Surf Anonymously with TOR project. They will never know you are coming to visit.
TextSecure – Secure Text messaging on device and in transit
Gibberbot – Secure chat with popular chat programs, providing the other user has Gibberbot or Pidgin and uses services like Google Chat.

All these applications are a step forward to guarding your mobile privacy. Start falling off the grid with these applications. Next, start using TOR network at home. Start using VMware for surfing and use your chassis computer for the local network best you can.

There will be more tips coming in the days ahead of how to be safe and private on the web.

Cisco Bumbles Training Material for Exam – 642-648 Deploying VPN 2.0 Solutions

Justice is blind, but sweet in victory. The story goes after nearly two years to finish my masters degree I had one month left to prepare for a device exam to sustain my certifications. As such being the burdened with life, work, family, college etc you can see how I quickly prepared to succeed for this exam and keep my certifications current. I had purchased the Cisco Press text for Exam 642-648, my day time job purchased training from Ascolta, and then my personal private practice purchased CBT Nuggets training for Deploying VPN Solutions. I went for the exam and I took it. The exam was heavily weighted in three areas not really testing the candidate for a grasp of the material. In fact the Pearson Vue test questions were a great study and I think provided better training for the exam and made a better exam than the exam. As to not violate the NDA we are going to focus on one topic that cost me some points. Cisco Secure Desktop. Chapter 13 in the Cisco Press book. I studied and prepared but had a few questions that none of the vendors made clear in their lecture or web based training. Ascolta did mention it in the text but not in lecture. CBT Nuggets had one nugget covering two topics in which one was CSD and the other DAP. Not nearly enough time in the training videos to help you really nail the exam. I found a video online from a Mac user who did a real good job illustrating what Cisco Press failed to do. So the real big stink about this is that CSD is not real secure as they say because as a hacker there are many ways to spoof the parameters CSD is looking for if you know how root someone’s PC. Before we get into how to break CSD let’s look at where Cisco Press & Howard Hooper went wrong. Howard, if you write another book again, I am going to break your fingers. Finish the thought and stop being vague.

Here is the scoop I found shortly after March 11,2013.

Deprecation of Features: Secure Desktop (Vault), Cache Cleaner, Keystroke Logger Detection, and Host Emulation Detection

Cisco stopped developing the Secure Desktop (Vault), Cache Cleaner, Keystroke Logger Detection (KSL), and Host Emulation Detection features on November 20, 2012.
Deprecated features, the screens used to configure these features in the Adaptive Security Device Manager (ASDM), and the commands used to configure these features in the Adaptive Security Appliance (ASA) command line interface will not be removed from the packages in which they are delivered until the end of engineering support to address severity 1 and severity 2 defects.
After the features have been deprecated, they will continue to provide the functionality for which they were built but will eventually be incompatible with future releases of the ASA, ASDM, AnyConnect, or the operating system on which the endpoint runs.

Also note for my case is that on page 505 it mentions that in second paragraph up from the bottom, that “The Advanced Endpoint Assessment extension is available through the purchase of an additional license from Cisco….blah blah” How about saying the exact license? There are 3 different scan types which can be confusing. Basic host, Endpoint Assessment, and Advanced Endpoint Assessment. Which is covered in the license? We know remediation happens in Adv Endpoint Assessment. Looks like that chapter was pushed through with poor editing. Further stressing my point that when you go take the exam you better answer it the way Cisco has it in the Press Book, the following has been provided.

Why does question 6 in the Cisco Press book say “Which of the following are not valid prelogin assessment criteria? (Choose all that apply)
A) Certificate attributes
B) Local file
C) OS version
D) OS patch level
Answer from book: D Yet we find on page 467 item 2 says OS detection module downloads runs and reports back device’s OS and patch level to ASA. Next on page 497 says just an OS check in the bullet. Now back again to patch level support on page 504 says a Basic host scan can detect OS and patch level. Cisco, appears bipolar in this publication or schizophrenic.

As you can see I was quite ticked off ready to grenade and send my foot through some @$$. After pursuing with Cisco Training representative there was no movement. They just listened. No action no remorse until the above was presented in my case. Then that information kind of made Cisco think twice for INFOSEC professional holding their feet in the fire. They finally got the message and honored my case against their material. I made two statement “It would be wise for Cisco to reconsider” and “get me someone who speaks english natively”. Cisco extended my certifiacations til 2016. Considering the training material, Ascolta is a Cisco training outlet whose material is better than Cisco Press. Cisco provides the material to Ascolta, they just present it better. So hats off to Ascolta. Strike against CBT Nuggets, and Cisco Press Howard Hooper….dude go back to the data closet and just wrench.

As for as the disconnect from the Cisco test question writers and the Cisco training material depts….much to be desired. Looks like something is spinning out of control there. The key to remember is that there are three different scan types. Only the licensed Adv End Pt Assessment checks OS Patch level. CSD is not desirable as it only works on so many platforms. I have tested a Trustwave NAC appliance (blows the doors off the ASA for NAC) and I was able to spoof it with Virtual Box running on Linux with GTK-Macchanger. So Cisco don’t tell me I can’t take exams, don’t tell me I don’t know my stuff. I will stomp a whole in your platform to drive my will home.

More to come on this story as we all all know that Cisco has pulled the development of Cisco Secure Desktop and the ASA product line early this year. We will show where they went wrong (done) in the material, where they messed up in their device (partial), and who is taking lead.

#OpUSA Flops Just After #OpIsrael Flopped

Israel_Message_OpIsrael

Just as predicated by Netwerk Guardian LLC, the ever and over reaching arm of Anonymous just couldn’t make it happen 2X’s in a row. After a failed attempt at #OpIsrael, Anonymous decided to saddle up and hit American banks, financial institutions, and government web sites with a message that they crossed the line. Now granted there have been some issue with the leftist radical Obama Abomination administration with moves to put American freedoms and rights on the chopping block for the sake of security.

*** NEWS FLASH *** Nothing really bad has happned lately. Oh, all these tragedies in the north east….yes say some false flag to push a more controlling and tyrannical government and same say it was real. My question is why are they always involving youth and young people to perpetrate these attacks? Why has the FBI failed to produce the video footage from the Boston attack? I digress.

The efforts of Anonymous against Israel ended up in being no more than an inconvenience to non important sites and accounts. According this article here Israel never really even had to lend a helping hand.

Looks Like a Power Struggle – “Israeli cyber activists attack anti-Israel hackers”

Reported by the Jerusalem Post, Israel cyber hacktivists strike back. In an amusing blow to the groups trying to take them down. As reported

Israeli hackers responding to a campaign to launch cyber-attacks on the country’s websites and Facebook accounts by breaking into the server hosting a major anti-Israeli hacking nerve center.

So it looks like the ones trying to take down Israel had their own command and control center taken down. That sure tops breaking into a twitter account or defacing a website on any day. Stay tuned as we the hacks rage on.I’m betting on Israel.

Anon Ghost – Hasn’t read His Bible Lately, Israel Isn’t Going Away

A recent article published off Israel Today mentioned that Anon Ghost is uniting hackers all over the world to erase Israel off the planet in terms of Cyber presence. News Flash Anon Ghost, Hitler tried genocide and to burn all Bibles and guess what…….(psss, come closer)……two things, 1) The Bible is still here and I don’t see Hitler, 2) Your no Hitler.

Today marks the resurrection of my Lord and Christ, Jesus. Who’s name is above all names, who took on all the sin of the world so that you and I could have eternal life if we just believe. Again, as it is written,

1 Corinthians 15:55-57

New International Version (NIV)

55 “Where, O death, is your victory?
Where, O death, is your sting?”[a]

56 The sting of death is sin, and the power of sin is the law. 57 But thanks be to God! He gives us the victory through our Lord Jesus Christ.

Jesus paid it all. He went to hell and back and took the keys for you and me. Why would you then refuse such a free and perfect gift to continue on as you are bound to your idol computer and to your vices.

John 3:16 (New International Version)
16 For God so loved the world that he gave his one and only Son, that whoever believes in him shall not perish but have eternal life.

So my question to Anon Ghost, do you think you are all powerful over sin and death, create and destroy energy, be all knowing and omnipotent? You bleed just like me and to dust you will return. Your idea is feeble and has no strength because you are only able to do what God allows you to do. Feel like tempting God over His chosen people?

Just the right info to keep yourself safe!