Archive

Posts Tagged ‘tech’

Attn – Media, unwashed masses: Stop saying “cyber”

October 24th, 2011 No comments

As the title says, please stop saying “cyber”. It means nothing. More specifically, what it does mean is “blah blah networks and/or security”. In the industry, this is so non-specific that it essentially means nothing anyways.

As a security engineer, I get pretty sick of seeing/hearing the term “cyber” thrown around to describe pretty much anything I do. Cyber security, cyber attack, cyber defense. Our team doesn’t sit down in a conference room discussing “how are the cyber defenses on company X holding up?”, or “company Y has been experiencing a higher number of cyber-threats recently”. Nobody says crap like that in real life. I decided to see how little the term actually gets thrown around. I know we never use it verbally except while making “air quotes” with our fingers and making fun of the sorts of people who DO actually say it. But I thought I should at least check my email to see if it ever sneaks its way in unnoticed.

I have 9001 emails in my inbox from the last six months or so when I last hit the “I cant send email anymore because I have too much crap in my inbox” button. 102 matched the search term “cyber”.

- A little more than half was vendor spam from companies I deal with, promoting new products, services, and whatnot else.
- A little less than half was internal emails from our global or pre-sales groups, discussing news or vendor spam.
- To my surprise there was in fact a single legitimate ticket email in the last 6 months with the term “cyber” in it.

I had to look into that one ticket to find out what the deal was. It was a ticket for a BlueCoat issue, and nowhere did the term cyber seem to appear. However there was a sysinfo attached (like a “show tech” for BlueCoat boxen), and tucked in there was a reference to a russian domain name containing the word “cyber”. That’s what had matched.

Close call, but in the end I was right. Nobody in my workplace actually uses the term “cyber” in referene to what goes on in the realm of network security.

Categories: Non-Technical Tags: , , , , ,

Tech History: Cisco’s Name and Logo

September 26th, 2011 1 comment

The other day I was driving around with Emily, and I mentioned to her the origin of the name and logo of Cisco Systems.  I can’t remember how it came up, but it did.  I’m constantly tinkering with stuff in my lab, so she knows what the logo looks like even though it isn’t her field at all.  Her mind was a little blown when she made the connection between the logo and its origins.  I mentioned this to a couple coworkers, and they hadn’t heard the history behind it either.  Their minds were also a little blown.  So I thought I’d post it here, because that’s what the internet is for.  Posting random crap, I mean…  Not Cisco history.

1) Cisco: short for San Fransisco.

Found this snippet below a couple websites, with sources leading back to cisco.com.  The link was identical on the sites, but was broken.  And cisco’s search function only really returns technical articles regardless of how hard I searched.   but…

Cisco Systems is the world leader in manufacturing of Network related equipment. The name “Cisco” is not an acronym, but an abbreviation of San Francisco. According to John Morgridge, employee 34 and the company’s first president, the founders hit on the name and logo while driving to Sacramento to register the company — they saw the Golden Gate Bridge framed in the sunlight.

The name cisco Systems (with the lowercase “c”) continued in use within the engineering community at the company long after the official company name was changed to Cisco Systems, Inc. Users of Cisco products can still see the name ciscoSystems occasionally in bug reports and IOS messages.

2) Cisco’s logo IS the Golden Gate Bridge

Exhibit A:

Exhibit B:

From the internets as well, a different but similar account of the above story:

According to John Morgridge, the company’s first president, the founders Len Bosack and Sandy Lerner hit on the name and logo while driving to Sacramento to register the company. They saw the Golden Gate Bridge framed in the sunlight. The logo was seen by them as a modified version of the past that would shape the future. Plus it looked really “cool”. They hoped the logo would convey something about creating an authentic life and making a living at something you believe in, in a place you love, with people you really like to be with.

I couldn’t find any working links back to cisco.com in the 15 minutes I spent searching around, but many sites mirror the same story. Wikipedia references what appears to be one of the sources over at famouslogos.us. So while I can’t link a solid article from Cisco at the moment, my magic 8-ball tells me “all signs point to yes”

If Ping, Then Bling

June 19th, 2011 No comments

There’s something soothing about a visual heartbeat.

So I was chilling at the Starbucks near me this morning. In fact, I still am right now. It’s pretty sweet that they offer free wifi, but it tends to be laggy and unreliable due to having gobs of leeches like me suckiing it up. I’m often in the middle of waiting for a web page to reload or an ssh session to do something, and I wonder to myself “frick, am I even still connected?”. So I wrote a little script to help keep me from having to think much (my favorite kind of scripts).

I basically wanted a script that would make something blink on my laptop for a moment on each successful return of an ICMP echo request (ping). Sort of a visual heartbeat. While ping is a terrible measure of whether your layer 3 path will support TCP, without a layer 3 path you will get no ping. So it’s good enough. I decided to use the “standby” light, since it wouldn’t be doing a whole lot while the laptop was actually running. Capslock, numlock, etc. It can be any light as long as it typically holds one state or the other. I’m posting a version of the script here that’s much simpler and uses the ThinkPad’s “ThinkLight” as the bling source. I think it’s easier to take away from this script exactly what’s going on and how to modify it to your liking.

I’m actually fairly happy to have been annoyed just enough by the connection at Starbucks to get motivated to write this. As a network engineer I’m constantly on the road trying to connect to this or that, or what I’m doing depends on constant connectivity to thus or thus. Not having to check a bunch of terminal windows for heartbeats will be great.

#!/bin/bash
# pingbling.sh - If ping, then bling.

# Typically you've got to be root to mess with changing sysfs/proc values
if [ "$(id -u)" != "0" ]; then
   echo "This script must be run as root"
   exit 1
fi

# Script spits out tons of crap if there are no args.  saving sanity.
if [ -z $1 ] ; then
  echo "Please supply an IP address or hostname to ping"
  exit 1
fi

while true ;
do
  # we're already seeing the bling from the ping, we don't need stdout too.
  # dialing in a longish return time since this is a "are we still connected" test
  # and not a "how fast is my connection" test.
  ping -c1 -W3 $1 > /dev/null
  if [ $? -eq 0 ] ; then
    state_before=$(head -1 /proc/acpi/ibm/light | awk '{ print $2 }')
    echo "on" > /proc/acpi/ibm/light
    sleep 0.2
    echo "off" > /proc/acpi/ibm/light
    echo $state_before > /proc/acpi/ibm/light
    sleep 0.8
  fi
done

exit 0
Categories: Uncategorized Tags: , , ,

Netting the Botnets with Cisco ASA Without a License

May 14th, 2011 4 comments

So I was tinkering with my ASA the other day. I was interested in this neat Botnet Traffic Filter thingy they’d been clamoring about. Cisco frequently pitches how their products are made with magic and rainbows and cruelty-free unicorn meat, and I tend to be a bit skeptical. But a lot of people have been talking about it recently in my circles, and I really can’t help but tinker with things anyways.

After some reading, Cisco words it like the Botnet Filter is pretty much useless without a proper license. However it is enabled and ready to use in all ASAs 8.2(x) and above… the license only activates the subscription service, the base functionality works just fine. Below is a script I wrote to manually apply and update blacklists using the Botnet Filter on an ASA without bothering with a subscription license. It’s a bash script which does most of the work and depends additionally on the expect scripting interpreter for operating on the ASA itself. The script looks for an external tftp server but can be easily written to use a local /tftpboot directory instead. Older versions of the script failed seldom but in amusingly spectacular ways, so the current version is somewhat lengthy due to the sanity checks I built into it.

A big problem with blacklists tends to be keeping them current. A stale blacklist is worse than useless as the IPs may belong to legitimate sites after some time. I’ve used the lists over at Emerging Threats for a while now, and they’re very frequently updated. The script can be easily modified for use with any published or local list.. 5 minutes of work adapted this script from using the C&C list to the larger “-ALL” list. Just do some find/replace magic and modify the regex syntax that changes ACL entries into dynamic-filter formatted “address x.x.x.x m.a.s.k” lines.

I apologize in advance for the terrible line wrapping in the code, I need to find a new theme. Note that the box running this is OpenBSD, you’ll probably have to change your bash path. UUOC police: It’s my cat and I’ll do what I want with it.

Ez-wget links to the below script and the larger “-ALL” variant as a modification example.

asa-botlist.txt

asa-botlist_all.txt

#!/usr/local/bin/bash
#
# asa-botlist.sh - written by Iggdawg
#
# This script uses a feature in the Cisco ASA Botnet Filter feature. Although
# a licensed feature that requires a paid subscription, this feature also
# allows administrators to use the "dynamic-filter blacklist" directive for
# manual blacklisting.  Emerging Threats (http://www.emergingthreats.net)
# publishes well maintained blacklists from many sources. This script applies
# that list as a manual blacklist on the ASA, and keeps it up to date with diffs
# rather than removing and re-applying the list every time to change as little
# as possible with each transaction.
#
#

# Variables, modify to your liking
PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin
export PATH

# NOTE: I use scp with certificates to ransport stuff to the tftp server.
# Expect the script to fail if you're not set up to do this.
TFTPSERV="tftp server IP address"
FWIP="firewall IP address"
USERNAME="tftp server user"
FWUSERNAME="firewall user"
PASSWORD="firewall password"
ENPASSWORD="firewall enable password"
FWHOSTNAME="firewall hostname"
BASEPATH="/tmp"

#Blacklist Revisions
touch $BASEPATH/emerging-PIX-CC.rev
Rev0="$(cat $BASEPATH/emerging-PIX-CC.rev)"
Rev1="$(lynx --source http://rules.emergingthreats.net/fwrules/FWrev)"

# script depends on expect, check for it

EXP="$(which expect)"

if [ $? -ne 0 ] ; then
  echo "Expect binary not found, exiting"
  exit 1
elif [ -e "$EXP" ] ; then
  echo "Expect binary found, running"
fi

# check list revision

if [ -s $BASEPATH/emerging-PIX-CC.rev ] ; then
  if [ $Rev0 -ge $Rev1 ] ; then
    echo "Current revision $Rev1 matches last revision processed $Rev0, Exiting"
    exit 0
  else
    echo "Current revision $Rev1 is newer than last revision processed $Rev0, Working"
  fi
else
  echo "No existing blacklist revision number. Possible file errors. Starting from scratch with $Rev1"
  echo "Snagging most current list:"
  wget http://rules.emergingthreats.net/fwrules/emerging-PIX-CC.rules -O $BASEPATH/emerging-PIX-CC.rules

  # update revision now so script won't re-run in case of some random failure:
  awk '/Rev/ {print $3}' $BASEPATH/emerging-PIX-CC.rules > $BASEPATH/emerging-PIX-CC.rev

  # start processing
  # rewrite ET-drop to ET-cc so the list is consistant, then parse
  sed 's/ET-drop/ET-cc/g' $BASEPATH/emerging-PIX-CC.rules | egrep "^access-list ET-cc deny" $BASEPATH/emerging-PIX-CC.rules | sed 's/access-list ET-cc deny ip/address/g;s/host //g;s/any/255.255.255.255/g' | awk '{print $1,$2,$3}' > $BASEPATH/emerging-PIX-CC.rules.pix

  # can't verify current version, remove all old entries and apply current list.
  # this will be a temporary list, preserving "raw" list so diffs don't break next time
  echo "no dynamic-filter blacklist" > $BASEPATH/emerging-PIX-CC.rules.pix.tmp
  echo "dynamic-filter blacklist" >> $BASEPATH/emerging-PIX-CC.rules.pix.tmp
  cat $BASEPATH/emerging-PIX-CC.rules.pix >> $BASEPATH/emerging-PIX-CC.rules.pix.tmp

  chmod 666 $BASEPATH/emerging-PIX-CC.rules.pix.tmp
  chown nobody:nogroup $BASEPATH/emerging-PIX-CC.rules.pix.tmp

  echo "Sending files to TFTP server"

  echo "emerging-PIX-CC.rules.pix..."
  scp $BASEPATH/emerging-PIX-CC.rules.pix.tmp $USERNAME@$TFTPSERV:/tftpboot/emerging-PIX-CC.rules.pix.tmp

  # log into the firewall and tell it to snag the diffs
  #
  # uncomment to call expect script from its own file
  #$EXP /some/script

  $EXP - << EndMark   spawn ssh -l $FWUSERNAME $FWIP   expect "*assword:"     exp_send -- "$PASSWORD\r"   expect "$FWHOSTNAME>"
    exp_send -- "enable\r"
  expect "Password:"
    exp_send -- "$ENPASSWORD\r"
  expect "$FWHOSTNAME#"
    exp_send -- "
  copy /noconfirm tftp://$TFTPSERV/emerging-PIX-CC.rules.pix.tmp running-config
    \r"
  expect "$FWHOSTNAME#"
    exp_send -- "exit\r"
  interact
EndMark

exit 0
fi

echo ""
echo ""
echo ""
# If old revision exists but the list is missing, script will diff against an
# empty file and just use whole current list. ASA silently dismisses
# duplication of existing address entries, so this is not harmful.
if [ -e $BASEPATH/emerging-PIX-CC.rules.pix ] ; then
  mv $BASEPATH/emerging-PIX-CC.rules.pix $BASEPATH/emerging-PIX-CC.rules.pix.old
else
  echo "Revision file exists, but last blacklist file missing. Will apply whole list."
  touch $BASEPATH/emerging-PIX-CC.rules.pix.old
fi

# clean up
echo "" > $BASEPATH/emerging-PIX-CC.rules.egress.pix

# grab current
echo "Snagging most current list:"
wget http://rules.emergingthreats.net/fwrules/emerging-PIX-CC.rules -O $BASEPATH/emerging-PIX-CC.rules

# update revision now so script won't re-run in case of some random failure:
echo "Updating revision"
awk '/Rev/ {print $3}' $BASEPATH/emerging-PIX-CC.rules > $BASEPATH/emerging-PIX-CC.rev

# start processing
# rewrite ET-drop to ET-cc so the list is consistant, then parse
sed 's/ET-drop/ET-cc/g' $BASEPATH/emerging-PIX-CC.rules | egrep "^access-list ET-cc deny" $BASEPATH/emerging-PIX-CC.rules | sed 's/access-list ET-cc deny ip/address/g;s/host //g;s/any/255.255.255.255/g' | awk '{print $1,$2,$3}' >> $BASEPATH/emerging-PIX-CC.rules.pix

echo "Processing blacklist diffs"
diff $BASEPATH/emerging-PIX-CC.rules.pix $BASEPATH/emerging-PIX-CC.rules.pix.old | grep ^\< | sed 's/\< //g' > $BASEPATH/emerging-PIX-CC.rules.ingress
diff $BASEPATH/emerging-PIX-CC.rules.pix $BASEPATH/emerging-PIX-CC.rules.pix.old | grep ^\> | sed 's/\> //g' > $BASEPATH/emerging-PIX-CC.rules.egress

# check for errors in processing
echo "" > $BASEPATH/ingress.exceptions
echo "" > $BASEPATH/egress.exceptions

echo "Blacklist diff errors:"
echo ""

awk '{print $2}' $BASEPATH/emerging-PIX-CC.rules.egress | while read LINE ; do
  grep $LINE $BASEPATH/emerging-PIX-CC.rules.ingress > $BASEPATH/ingress.exceptions
done
echo "$BASEPATH/emerging-PIX-CC.rules.ingress:"
cat $BASEPATH/ingress.exceptions

awk '{print $2}' $BASEPATH/emerging-PIX-CC.rules.ingress | while read LINE; do
  grep $LINE $BASEPATH/emerging-PIX-CC.rules.egress > $BASEPATH/egress.exceptions
done

echo "$BASEPATH/emerging-PIX-CC.rules.egress:"
cat $BASEPATH/egress.exceptions

# bring it all together and dump it on a tftp server
echo "Combining diffs"

echo "dynamic-filter blacklist" > $BASEPATH/emerging-PIX-CC.rules.diff.pix

sed 's/^/no\ /g' < $BASEPATH/emerging-PIX-CC.rules.egress >> $BASEPATH/emerging-PIX-CC.rules.egress.pix
cat $BASEPATH/emerging-PIX-CC.rules.egress.pix $BASEPATH/emerging-PIX-CC.rules.ingress >> $BASEPATH/emerging-PIX-CC.rules.diff.pix

# some tftp servers are weird about permisssions
chmod 666 $BASEPATH/emerging-PIX-CC.rules.diff.pix
chown nobody:nogroup $BASEPATH/emerging-PIX-CC.rules.diff.pix

chmod 666 $BASEPATH/emerging-PIX-CC.rules.pix
chown nobody:nogroup $BASEPATH/emerging-PIX-CC.rules.pix

echo "Sending files to TFTP server"

echo "emerging-PIX-CC.rules.pix..."
scp $BASEPATH/emerging-PIX-CC.rules.pix $USERNAME@$TFTPSERV:/tftpboot/emerging-PIX-CC.rules.pix

echo "emerging-PIX-CC.rules.diff.pix..."
scp $BASEPATH/emerging-PIX-CC.rules.diff.pix $USERNAME@$TFTPSERV:/tftpboot/emerging-PIX-CC.rules.diff.pix

# log into the firewall and tell it to snag the diffs
#
# uncomment to call expect script from its own file
#$EXP /some/script

$EXP - << EndMark spawn ssh -l $FWUSERNAME $FWIP expect "*assword:"   exp_send -- "$PASSWORD\r" expect "$FWHOSTNAME>"
  exp_send -- "enable\r"
expect "Password:"
  exp_send -- "$ENPASSWORD\r"
expect "$FWHOSTNAME#"
  exp_send -- "
copy /noconfirm tftp://$TFTPSERV/emerging-PIX-CC.rules.diff.pix running-config
  \r"
expect "$FWHOSTNAME#"
  exp_send -- "exit\r"
interact
EndMark

exit 0
Categories: Uncategorized Tags: , , ,