Second-party audits: security in purchases and contracting (3)

In previous posts we saw a practical approach to the concept of auditing in general (currently only in Spanish) and then we discussed internal audits or first-party audits (currently only in Spanish). Let’s take now a leap, leaving the second-party audits for the next post and go directly to the third-party, external or certification audits.

Third party audits are carried out by certification authorities at the request of an organization. Its main purpose is to certify compliance with the requirements of a specific standard with the purpose to include the audited organization in a register or list of certified organizations. They are performed on a annual basis and, with some exceptions established by law, every organization, public or private, is free to choose to go through a certification process or not.

External audits are more centered in checking the efficacy in the way stated by the standard without getting into, usually, in issues related to efficiency and resource management. As we saw in the first-party or internal audits, the objectives are very different; in theory in an external audit it could be approved the use of cannons to kill flies.

As seen in the first post (currently only in Spanish) of the serie, for an audit to be carried out there are three essential ingredients:

  • High degree of preparation and training in auditing techniques along with good technical knowledge of the activities to be audited (aptitude).
  • Enough time, both a) prior to field work to prepare the site audit as well to b) carry it out in its entirety and then to document the results in a complete audit report appropriate to the objectives of the audit.
  • Professional pride (attitude).

These three ingredients are necessary but not sufficient by themselves and this applies to internal audits, second and third party audits. With missing only one of them the result of the audit may have limited value or even be useless.

From the point of view of the degree of training and experience of auditors, the processes and criteria used by certification bodies for qualifying auditors are often too lax in my opinion, since no previous great experience is required usually to audit a specific activity. Unfortunately, you may find auditors that are not experts in the activity they must assess, or that they have excessive bias towards those standards they know further. At the other extreme, it is noteworthy that there are auditors with extensive experience and knowledge that make audits a process that can be very profitable for the audited organization.

On the other hand, as we have already said in this blog, certification bodies face the target in a way contradictory to get new customers and keep the ones they have, while having to maintain a certain rigor in audits, what can make them to lose customers. Moreover, the current crisis has in many cases led to price discounts (and consequently to the number of days necessary established by the national accreditation bodies) that give auditors less time than the necessary to carry out their work.

On bad sized audits (I dare to say that almost always auditors would like to have more time than they usually have) and auditors that do not audit we discussed in this blog a few months ago so we will not extend.

To finish this post, indicate that one of the benefits that are attributed at the time to certification audits is precisely to provide confidence to lay the foundation of a solid business relationship and mutually beneficial relationship with certified suppliers. This would save both customers and suppliers dedications and costs associated with the second party audits, since it was assumed that a certified company had gone necessarily through an external audit. Objective not accomplished. I know of no single organization that was previously doing audits of its suppliers and that stopped to do so simply because the provider had achieved some sort of certification. That is: in practice, third party audits have failed to reduce the number of second party audits, just as expected.

Long life for the second party audits. Moreover, while this powerful technique of selection and performance monitoring of strategic suppliers is not well known nor is so widespread (excepting large corporations), the second party audit is of great interest, as it is shown it can provide high benefits in terms of improvement of the standards of quality and safety (and therefore costs).

The next post will be dedicated to that interesting and powerful management tool that are second party audits.

The result of pinging all the Internet IP addresses

In the previous post we considered the theoretical cost and feasibility of scanning all Internet IP addresses and it resulted to be very low. Therefore, we decided to conduct a little experiment: see if it was possible to scan the entire Internet, of course without doing anything harmful.

While the action may not be completely harmless (some may have IDS complaning), we have tried to do the experiment as innocuous as possible. In this sense, the safest action we thought was to launch a ping (ICMP echo) to each and every one of the Internet IP addresses. Although we have sent just a single packet per IP, we messed the scans to prevent a network receiving a high number of consecutive packets.

To do so we prepared two threads, in which work I have had the invaluable help of Nacho López, an experienced C programmer. The source code of ping could have been a good source of inspiration also:

Envia_echo-icmp ()
Recibe_echo_icmp ()

The process works in stateless mode: one thread sends the packets blindly, and the second one simply writes down the response packets received, so the connections do not consume any amount of memory.

The increased complexity came from the disk storage resources; it was necessary to adjust well and program the threads considering the disk performance, so the results received were not lost. After 10 hours, we got the following results:

Ping overall results answered: 284,401,158 IP addresses responded to the ping, i.e. 7% of systems. Graphically:

If we group the results in /8 networks we see the following percentages:

NETWORK /8 pongs answered % pongs answered
0.X.X.X 0 0,00% IANA – Local Identification RESERVED
1.X.X.X 1945822 11,60% APNIC ALLOCATED
2.X.X.X 3060724 18,24% RIPE NCC ALLOCATED
3.X.X.X 3 0,00% General Electric Company LEGACY
4.X.X.X 47999 0,29% Level 3 Communications, Inc. LEGACY
5.X.X.X 1476715 8,80% RIPE NCC ALLOCATED
6.X.X.X 41 0,00% Army Information Systems Center LEGACY
7.X.X.X 0 0,00% Administered by ARIN LEGACY
8.X.X.X 76429 0,46% Level 3 Communications, Inc. LEGACY
9.X.X.X 0 0,00% IBM LEGACY
10.X.X.X 3 0,00% IANA – Private Use RESERVED
11.X.X.X 0 0,00% DoD Intel Information Systems LEGACY
12.X.X.X 401646 2,39% AT&T Bell Laboratories LEGACY
13.X.X.X 635 0,00% Xerox Corporation LEGACY
14.X.X.X 2066669 12,32% APNIC ALLOCATED
15.X.X.X 10312 0,06% Hewlett-Packard Company LEGACY
16.X.X.X 18 0,00% Digital Equipment Corporation LEGACY
17.X.X.X 1897 0,01% Apple Computer Inc. LEGACY
18.X.X.X 25281 0,15% MIT LEGACY
19.X.X.X 0 0,00% Ford Motor Company LEGACY
20.X.X.X 2069 0,01% Computer Sciences Corporation LEGACY
21.X.X.X 0 0,00% DDN-RVN LEGACY
22.X.X.X 0 0,00% Defense Information Systems Agency LEGACY
23.X.X.X 2119841 12,64% ARIN ALLOCATED
24.X.X.X 2854162 17,01% ARIN ALLOCATED
25.X.X.X 0 0,00% UK Ministry of Defence LEGACY
26.X.X.X 0 0,00% Defense Information Systems Agency LEGACY
27.X.X.X 1846998 11,01% APNIC ALLOCATED
28.X.X.X 0 0,00% DSI-North LEGACY
29.X.X.X 2 0,00% Defense Information Systems Agency LEGACY
30.X.X.X 3 0,00% Defense Information Systems Agency LEGACY
31.X.X.X 1444805 8,61% RIPE NCC ALLOCATED
32.X.X.X 6791 0,04% AT&T Global Network Services LEGACY
33.X.X.X 0 0,00% DLA Systems Automation Center LEGACY
34.X.X.X 73 0,00% Halliburton Company LEGACY
35.X.X.X 30637 0,18% Administered by ARIN LEGACY
36.X.X.X 447230 2,67% APNIC ALLOCATED
37.X.X.X 1909720 11,38% RIPE NCC ALLOCATED
38.X.X.X 176523 1,05% PSINet, Inc. LEGACY
39.X.X.X 393476 2,35% APNIC ALLOCATED
40.X.X.X 1165 0,01% Administered by ARIN LEGACY
41.X.X.X 1785846 10,64% AFRINIC ALLOCATED
42.X.X.X 905039 5,39% APNIC ALLOCATED
43.X.X.X 13447 0,08% Administered by APNIC LEGACY
44.X.X.X 70 0,00% Amateur Radio Digital Communications LEGACY
45.X.X.X 1 0,00% Administered by ARIN LEGACY
46.X.X.X 2658072 15,84% RIPE NCC ALLOCATED
47.X.X.X 11729 0,07% Administered by ARIN LEGACY
48.X.X.X 0 0,00% Prudential Securities Inc. LEGACY
49.X.X.X 1643097 9,79% APNIC ALLOCATED
50.X.X.X 2086304 12,44% ARIN ALLOCATED
51.X.X.X 0 0,00% UK Government Department for Work and Pensions LEGACY
52.X.X.X 102 0,00% E.I. duPont de Nemours and Co., Inc. LEGACY
53.X.X.X 3 0,00% Cap Debis CCS LEGACY
54.X.X.X 22092 0,13% Merck and Co., Inc. LEGACY
55.X.X.X 0 0,00% DoD Network Information Center LEGACY
56.X.X.X 22 0,00% US Postal Service LEGACY
57.X.X.X 6653 0,04% SITA LEGACY
58.X.X.X 2583602 15,40% APNIC ALLOCATED
59.X.X.X 1508086 8,99% APNIC ALLOCATED
60.X.X.X 1798876 10,72% APNIC ALLOCATED
61.X.X.X 1652124 9,85% APNIC ALLOCATED
62.X.X.X 1561085 9,30% RIPE NCC ALLOCATED
63.X.X.X 569208 3,39% ARIN ALLOCATED
64.X.X.X 1372940 8,18% ARIN ALLOCATED
65.X.X.X 1136397 6,77% ARIN ALLOCATED
66.X.X.X 1835266 10,94% ARIN ALLOCATED
67.X.X.X 2623277 15,64% ARIN ALLOCATED
68.X.X.X 2117113 12,62% ARIN ALLOCATED
69.X.X.X 2335093 13,92% ARIN ALLOCATED
70.X.X.X 1841378 10,98% ARIN ALLOCATED
71.X.X.X 4511701 26,89% ARIN ALLOCATED
72.X.X.X 3287369 19,59% ARIN ALLOCATED
73.X.X.X 3589118 21,39% ARIN ALLOCATED
74.X.X.X 2976565 17,74% ARIN ALLOCATED
75.X.X.X 3341673 19,92% ARIN ALLOCATED
76.X.X.X 2727681 16,26% ARIN ALLOCATED
77.X.X.X 3639746 21,69% RIPE NCC ALLOCATED
78.X.X.X 3505048 20,89% RIPE NCC ALLOCATED
79.X.X.X 3991921 23,79% RIPE NCC ALLOCATED
80.X.X.X 2325444 13,86% RIPE NCC ALLOCATED
81.X.X.X 2380619 14,19% RIPE NCC ALLOCATED
82.X.X.X 3540108 21,10% RIPE NCC ALLOCATED
83.X.X.X 3170669 18,90% RIPE NCC ALLOCATED
84.X.X.X 3276645 19,53% RIPE NCC ALLOCATED
85.X.X.X 2651705 15,81% RIPE NCC ALLOCATED
86.X.X.X 1740467 10,37% RIPE NCC ALLOCATED
87.X.X.X 3251776 19,38% RIPE NCC ALLOCATED
88.X.X.X 4356116 25,96% RIPE NCC ALLOCATED
89.X.X.X 2724476 16,24% RIPE NCC ALLOCATED
90.X.X.X 2344320 13,97% RIPE NCC ALLOCATED
91.X.X.X 2404688 14,33% RIPE NCC ALLOCATED
92.X.X.X 2556074 15,24% RIPE NCC ALLOCATED
93.X.X.X 2878139 17,16% RIPE NCC ALLOCATED
94.X.X.X 3165218 18,87% RIPE NCC ALLOCATED
95.X.X.X 3512883 20,94% RIPE NCC ALLOCATED
96.X.X.X 3490340 20,80% ARIN ALLOCATED
97.X.X.X 970326 5,78% ARIN ALLOCATED
98.X.X.X 4549209 27,12% ARIN ALLOCATED
99.X.X.X 1392114 8,30% ARIN ALLOCATED
100.X.X.X 128763 0,77% ARIN ALLOCATED
101.X.X.X 1290800 7,69% APNIC ALLOCATED
103.X.X.X 93789 0,56% APNIC ALLOCATED
104.X.X.X 0 0,00% ARIN ALLOCATED
105.X.X.X 462111 2,75% AFRINIC ALLOCATED
106.X.X.X 1197732 7,14% APNIC ALLOCATED
107.X.X.X 300499 1,79% ARIN ALLOCATED
108.X.X.X 2426908 14,47% ARIN ALLOCATED
109.X.X.X 2469363 14,72% RIPE NCC ALLOCATED
110.X.X.X 2454778 14,63% APNIC ALLOCATED
111.X.X.X 1903735 11,35% APNIC ALLOCATED
112.X.X.X 2968386 17,69% APNIC ALLOCATED
113.X.X.X 3079706 18,36% APNIC ALLOCATED
114.X.X.X 2800478 16,69% APNIC ALLOCATED
115.X.X.X 2837602 16,91% APNIC ALLOCATED
116.X.X.X 1915863 11,42% APNIC ALLOCATED
117.X.X.X 2128063 12,68% APNIC ALLOCATED
118.X.X.X 2896711 17,27% APNIC ALLOCATED
119.X.X.X 3060064 18,24% APNIC ALLOCATED
120.X.X.X 1199805 7,15% APNIC ALLOCATED
121.X.X.X 2665125 15,89% APNIC ALLOCATED
122.X.X.X 2168852 12,93% APNIC ALLOCATED
123.X.X.X 2687657 16,02% APNIC ALLOCATED
124.X.X.X 2493104 14,86% APNIC ALLOCATED
125.X.X.X 3002885 17,90% APNIC ALLOCATED
126.X.X.X 952186 5,68% APNIC ALLOCATED
127.X.X.X 0 0,00% IANA – Loopback RESERVED
128.X.X.X 773669 4,61% Administered by ARIN LEGACY
129.X.X.X 335098 2,00% Administered by ARIN LEGACY
130.X.X.X 480277 2,86% Administered by ARIN LEGACY
131.X.X.X 181065 1,08% Administered by ARIN LEGACY
132.X.X.X 235630 1,40% Administered by ARIN LEGACY
133.X.X.X 49242 0,29% Administered by APNIC LEGACY
134.X.X.X 288572 1,72% Administered by ARIN LEGACY
135.X.X.X 23972 0,14% Administered by ARIN LEGACY
136.X.X.X 116382 0,69% Administered by ARIN LEGACY
137.X.X.X 178580 1,06% Administered by ARIN LEGACY
138.X.X.X 81333 0,48% Administered by ARIN LEGACY
139.X.X.X 167798 1,00% Administered by ARIN LEGACY
140.X.X.X 293204 1,75% Administered by ARIN LEGACY
141.X.X.X 288597 1,72% Administered by RIPE NCC LEGACY
142.X.X.X 344687 2,05% Administered by ARIN LEGACY
143.X.X.X 81379 0,49% Administered by ARIN LEGACY
144.X.X.X 90422 0,54% Administered by ARIN LEGACY
145.X.X.X 200673 1,20% Administered by RIPE NCC LEGACY
146.X.X.X 257674 1,54% Administered by ARIN LEGACY
147.X.X.X 148189 0,88% Administered by ARIN LEGACY
148.X.X.X 78053 0,47% Administered by ARIN LEGACY
149.X.X.X 301946 1,80% Administered by ARIN LEGACY
150.X.X.X 96794 0,58% Administered by APNIC LEGACY
151.X.X.X 954773 5,69% Administered by RIPE NCC LEGACY
152.X.X.X 147825 0,88% Administered by ARIN LEGACY
153.X.X.X 44430 0,26% Administered by APNIC LEGACY
154.X.X.X 25662 0,15% Administered by AFRINIC LEGACY
155.X.X.X 64935 0,39% Administered by ARIN LEGACY
156.X.X.X 53951 0,32% Administered by ARIN LEGACY
157.X.X.X 78752 0,47% Administered by ARIN LEGACY
158.X.X.X 106178 0,63% Administered by ARIN LEGACY
159.X.X.X 159920 0,95% Administered by ARIN LEGACY
160.X.X.X 120077 0,72% Administered by ARIN LEGACY
161.X.X.X 83081 0,50% Administered by ARIN LEGACY
162.X.X.X 43521 0,26% Administered by ARIN LEGACY
163.X.X.X 161035 0,96% Administered by APNIC LEGACY
164.X.X.X 124244 0,74% Administered by ARIN LEGACY
165.X.X.X 130803 0,78% Administered by ARIN LEGACY
166.X.X.X 256189 1,53% Administered by ARIN LEGACY
167.X.X.X 46554 0,28% Administered by ARIN LEGACY
168.X.X.X 187654 1,12% Administered by ARIN LEGACY
169.X.X.X 79520 0,47% Administered by ARIN LEGACY
170.X.X.X 88594 0,53% Administered by ARIN LEGACY
171.X.X.X 855441 5,10% Administered by APNIC LEGACY
172.X.X.X 41571 0,25% Administered by ARIN LEGACY
173.X.X.X 3501677 20,87% ARIN ALLOCATED
174.X.X.X 2853025 17,01% ARIN ALLOCATED
175.X.X.X 2498128 14,89% APNIC ALLOCATED
176.X.X.X 2036792 12,14% RIPE NCC ALLOCATED
177.X.X.X 3759343 22,41% LACNIC ALLOCATED
178.X.X.X 4004355 23,87% RIPE NCC ALLOCATED
180.X.X.X 2598738 15,49% APNIC ALLOCATED
181.X.X.X 874733 5,21% LACNIC ALLOCATED
182.X.X.X 2167285 12,92% APNIC ALLOCATED
183.X.X.X 3074376 18,32% APNIC ALLOCATED
184.X.X.X 3082669 18,37% ARIN ALLOCATED
185.X.X.X 3806 0,02% RIPE NCC ALLOCATED
186.X.X.X 3650599 21,76% LACNIC ALLOCATED
187.X.X.X 4419158 26,34% LACNIC ALLOCATED
188.X.X.X 3966741 23,64% Administered by RIPE NCC LEGACY
189.X.X.X 5836526 34,79% LACNIC ALLOCATED
190.X.X.X 3628220 21,63% LACNIC ALLOCATED
191.X.X.X 1 0,00% Administered by LACNIC LEGACY
192.X.X.X 180470 1,08% Administered by ARIN LEGACY
193.X.X.X 627709 3,74% RIPE NCC ALLOCATED
194.X.X.X 526129 3,14% RIPE NCC ALLOCATED
195.X.X.X 899577 5,36% RIPE NCC ALLOCATED
196.X.X.X 230604 1,37% Administered by AFRINIC LEGACY
197.X.X.X 348981 2,08% AFRINIC ALLOCATED
198.X.X.X 499496 2,98% Administered by ARIN LEGACY
199.X.X.X 448530 2,67% ARIN ALLOCATED
200.X.X.X 1238090 7,38% LACNIC ALLOCATED
201.X.X.X 2910652 17,35% LACNIC ALLOCATED
202.X.X.X 850551 5,07% APNIC ALLOCATED
203.X.X.X 863842 5,15% APNIC ALLOCATED
204.X.X.X 506084 3,02% ARIN ALLOCATED
205.X.X.X 255758 1,52% ARIN ALLOCATED
206.X.X.X 436237 2,60% ARIN ALLOCATED
207.X.X.X 718085 4,28% ARIN ALLOCATED
208.X.X.X 935239 5,57% ARIN ALLOCATED
209.X.X.X 941352 5,61% ARIN ALLOCATED
210.X.X.X 892003 5,32% APNIC ALLOCATED
211.X.X.X 1475532 8,79% APNIC ALLOCATED
212.X.X.X 1285251 7,66% RIPE NCC ALLOCATED
213.X.X.X 1489497 8,88% RIPE NCC ALLOCATED
214.X.X.X 15 0,00% US-DOD LEGACY
215.X.X.X 0 0,00% US-DOD LEGACY
216.X.X.X 1391324 8,29% ARIN ALLOCATED
217.X.X.X 1721029 10,26% RIPE NCC ALLOCATED
218.X.X.X 1859314 11,08% APNIC ALLOCATED
219.X.X.X 1634348 9,74% APNIC ALLOCATED
220.X.X.X 1714546 10,22% APNIC ALLOCATED
221.X.X.X 2076679 12,38% APNIC ALLOCATED
222.X.X.X 2484533 14,81% APNIC ALLOCATED
223.X.X.X 1803849 10,75% APNIC ALLOCATED
224.X.X.X 0 0,00% Multicast RESERVED
225.X.X.X 0 0,00% Multicast RESERVED
226.X.X.X 0 0,00% Multicast RESERVED
227.X.X.X 0 0,00% Multicast RESERVED
228.X.X.X 0 0,00% Multicast RESERVED
229.X.X.X 0 0,00% Multicast RESERVED
230.X.X.X 0 0,00% Multicast RESERVED
231.X.X.X 0 0,00% Multicast RESERVED
232.X.X.X 0 0,00% Multicast RESERVED
233.X.X.X 0 0,00% Multicast RESERVED
234.X.X.X 0 0,00% Multicast RESERVED
235.X.X.X 0 0,00% Multicast RESERVED
236.X.X.X 0 0,00% Multicast RESERVED
237.X.X.X 0 0,00% Multicast RESERVED
238.X.X.X 0 0,00% Multicast RESERVED
239.X.X.X 0 0,00% Multicast RESERVED
240.X.X.X 0 0,00% Future use RESERVED
241.X.X.X 0 0,00% Future use RESERVED
242.X.X.X 0 0,00% Future use RESERVED
243.X.X.X 0 0,00% Future use RESERVED
244.X.X.X 0 0,00% Future use RESERVED
245.X.X.X 0 0,00% Future use RESERVED
246.X.X.X 0 0,00% Future use RESERVED
247.X.X.X 0 0,00% Future use RESERVED
248.X.X.X 0 0,00% Future use RESERVED
249.X.X.X 0 0,00% Future use RESERVED
250.X.X.X 0 0,00% Future use RESERVED
251.X.X.X 0 0,00% Future use RESERVED
252.X.X.X 0 0,00% Future use RESERVED
253.X.X.X 0 0,00% Future use RESERVED
254.X.X.X 0 0,00% Future use RESERVED
255.X.X.X 0 0,00% Future use RESERVED


We need to keep in mind that we have scanned the entire address space without deleting reserved private addresses or networks. Obviously we see that the reserved addresses do not answer, which fits with what IANA says about the reserved networks.

We have also grouped the number of pongs that each /24 (class C) network has answered, so we can see the density level of IP addresses in these networks: From many C class networks did we receive 20 pongs?

Number of pongs answered Number of /24 networks
1 238877
2 138291
3 103826
4 84879
5 70612
6 68622
7 63042
8 62594
9 58333
10 55617
11 53531
12 52186
13 49189
14 47076
15 45662
16 44469
17 42722
18 41154
19 40506
20 41286
21 44013
22 39223
23 36442
24 35545
25 34471
26 33956
27 32876
28 32421
29 31634
30 31588
31 30484
32 30885
33 29614
34 29713
35 29065
36 28964
37 28204
38 28012
39 27586
40 27011
41 26751
42 26370
43 25801
44 25580
45 25302
46 25233
47 24642
48 24709
49 24396
50 24408
51 24086
52 24367
53 24158
54 24105
55 23730
56 23858
57 23725
58 23582
59 23626
60 23498
61 23583
62 23277
63 22940
64 22582
65 22202
66 22071
67 21547
68 21415
69 20912
70 20511
71 20155
72 19725
73 19194
74 18860
75 18930
76 18241
77 17725
78 17604
79 17134
80 17140
81 16573
82 16306
83 16177
84 15855
85 15660
86 15476
87 15457
88 15386
89 15039
90 14900
91 14802
92 14500
93 14100
94 14079
95 14019
96 13751
97 13409
98 13443
99 13240
100 13052
101 12727
102 12745
103 12143
104 12175
105 11793
106 11567
107 11502
108 11237
109 11088
110 10677
111 10621
112 10524
113 10353
114 10306
115 10048
116 9987
117 9798
118 9673
119 9747
120 9606
121 9398
122 9441
123 8991
124 9181
125 9095
126 8888
127 8556
128 8522
129 8406
130 8406
131 8267
132 8194
133 8252
134 8023
135 7910
136 7692
137 7643
138 7764
139 7566
140 7431
141 7403
142 7382
143 7512
144 7330
145 7261
146 7044
147 7078
148 7158
149 7210
150 6878
151 6941
152 6921
153 7072
154 6965
155 6919
156 6894
157 6909
158 7043
159 6816
160 6844
161 6892
162 6868
163 6958
164 6836
165 6905
166 6954
167 6917
168 7053
169 7005
170 6867
171 6931
172 6887
173 6849
174 6817
175 6781
176 6635
177 6630
178 6657
179 6514
180 6255
181 6310
182 6330
183 6134
184 5864
185 5680
186 5714
187 5559
188 5445
189 5415
190 5325
191 5211
192 5122
193 5110
194 4984
195 4939
196 4712
197 4549
198 4727
199 4582
200 4517
201 4550
202 4488
203 4442
204 4413
205 4210
206 4228
207 4182
208 4158
209 4137
210 4020
211 4013
212 3982
213 3941
214 3958
215 3978
216 3980
217 3924
218 3670
219 3690
220 3696
221 3620
222 3447
223 3483
224 3406
225 3387
226 3391
227 3193
228 3116
229 3233
230 3157
231 3123
232 3118
233 3278
234 3285
235 3430
236 3714
237 3922
238 4333
239 4594
240 5207
241 5740
242 6262
243 6736
244 7136
245 8169
246 9244
247 10536
248 11591
249 12330
250 12567
251 12092
252 9378
253 6096
254 3192
255 1481
256 467


We can see that many networks do not answer anything, mainly because they are reserved networks. Also, there are blocks with many IPs answering.

We have also performed the analysis on the least significant byte of the IP address, taking into account that we have treated them as if they were all normal IP addresses. It is clear that IP addresses finishing in .0 and .255 reply to the ping to a lesser amount. On the other hand we can also see that the IP ending in .1 is the one most answering the pings, because it usually corresponds to the router, and from there to inside the traffic is usually filtered. This can be seen by comparing the X% with the average. We see also some stripes corresponding to networks /25, /26, /27, etc.

Less significative byte of ip address Count of pongs
x.x.x.0 749789
x.x.x.1 2188704
x.x.x.2 1432608
x.x.x.3 1312164
x.x.x.4 1260519
x.x.x.5 1344259
x.x.x.6 1317523
x.x.x.7 1226345
x.x.x.8 1210025
x.x.x.9 1396354
x.x.x.10 1338214
x.x.x.11 1253251
x.x.x.12 1225913
x.x.x.13 1297186
x.x.x.14 1290901
x.x.x.15 1194033
x.x.x.16 1177008
x.x.x.17 1424293
x.x.x.18 1297307
x.x.x.19 1210971
x.x.x.20 1208820
x.x.x.21 1274382
x.x.x.22 1258630
x.x.x.23 1171451
x.x.x.24 1157615
x.x.x.25 1346065
x.x.x.26 1247689
x.x.x.27 1172728
x.x.x.28 1160244
x.x.x.29 1232213
x.x.x.30 1252088
x.x.x.31 1133193
x.x.x.32 1129206
x.x.x.33 1438811
x.x.x.34 1273545
x.x.x.35 1191265
x.x.x.36 1166209
x.x.x.37 1232786
x.x.x.38 1222823
x.x.x.39 1132063
x.x.x.40 1128406
x.x.x.41 1308812
x.x.x.42 1220378
x.x.x.43 1142863
x.x.x.44 1130136
x.x.x.45 1203766
x.x.x.46 1192938
x.x.x.47 1108922
x.x.x.48 1097390
x.x.x.49 1328159
x.x.x.50 1225132
x.x.x.51 1143527
x.x.x.52 1120597
x.x.x.53 1186295
x.x.x.54 1176274
x.x.x.55 1103437
x.x.x.56 1089146
x.x.x.57 1253521
x.x.x.58 1173048
x.x.x.59 1104981
x.x.x.60 1106008
x.x.x.61 1169959
x.x.x.62 1192879
x.x.x.63 1048740
x.x.x.64 1048258
x.x.x.65 1425598
x.x.x.66 1229128
x.x.x.67 1142903
x.x.x.68 1118736
x.x.x.69 1183038
x.x.x.70 1183928
x.x.x.71 1099966
x.x.x.72 1087771
x.x.x.73 1259314
x.x.x.74 1168810
x.x.x.75 1102380
x.x.x.76 1085211
x.x.x.77 1155721
x.x.x.78 1151672
x.x.x.79 1065110
x.x.x.80 1062766
x.x.x.81 1285575
x.x.x.82 1166756
x.x.x.83 1092135
x.x.x.84 1073821
x.x.x.85 1141621
x.x.x.86 1133532
x.x.x.87 1058285
x.x.x.88 1048255
x.x.x.89 1209209
x.x.x.90 1136792
x.x.x.91 1069963
x.x.x.92 1057058
x.x.x.93 1121637
x.x.x.94 1128962
x.x.x.95 1031653
x.x.x.96 1030381
x.x.x.97 1311889
x.x.x.98 1160407
x.x.x.99 1088350
x.x.x.100 1090587
x.x.x.101 1146524
x.x.x.102 1134417
x.x.x.103 1054936
x.x.x.104 1044601
x.x.x.105 1206107
x.x.x.106 1126080
x.x.x.107 1060212
x.x.x.108 1046358
x.x.x.109 1110790
x.x.x.110 1119034
x.x.x.111 1036203
x.x.x.112 1025151
x.x.x.113 1239712
x.x.x.114 1125907
x.x.x.115 1059326
x.x.x.116 1041760
x.x.x.117 1100008
x.x.x.118 1095607
x.x.x.119 1023199
x.x.x.120 1025290
x.x.x.121 1194711
x.x.x.122 1107546
x.x.x.123 1046629
x.x.x.124 1040910
x.x.x.125 1105172
x.x.x.126 1145872
x.x.x.127 985964
x.x.x.128 986104
x.x.x.129 1442315
x.x.x.130 1204525
x.x.x.131 1115891
x.x.x.132 1086213
x.x.x.133 1148537
x.x.x.134 1135487
x.x.x.135 1061941
x.x.x.136 1047919
x.x.x.137 1210584
x.x.x.138 1130277
x.x.x.139 1064659
x.x.x.140 1059272
x.x.x.141 1120880
x.x.x.142 1117912
x.x.x.143 1033455
x.x.x.144 1024556
x.x.x.145 1245701
x.x.x.146 1129222
x.x.x.147 1058225
x.x.x.148 1042170
x.x.x.149 1102226
x.x.x.150 1108112
x.x.x.151 1033029
x.x.x.152 1018604
x.x.x.153 1175163
x.x.x.154 1097739
x.x.x.155 1038438
x.x.x.156 1023688
x.x.x.157 1086790
x.x.x.158 1095228
x.x.x.159 996251
x.x.x.160 1001094
x.x.x.161 1276329
x.x.x.162 1128019
x.x.x.163 1050767
x.x.x.164 1031524
x.x.x.165 1092194
x.x.x.166 1086726
x.x.x.167 1013206
x.x.x.168 1002480
x.x.x.169 1166589
x.x.x.170 1087625
x.x.x.171 1023086
x.x.x.172 1007972
x.x.x.173 1071052
x.x.x.174 1072040
x.x.x.175 993387
x.x.x.176 983700
x.x.x.177 1193184
x.x.x.178 1081461
x.x.x.179 1014492
x.x.x.180 1007535
x.x.x.181 1063379
x.x.x.182 1056237
x.x.x.183 986611
x.x.x.184 974867
x.x.x.185 1130743
x.x.x.186 1054739
x.x.x.187 993950
x.x.x.188 988367
x.x.x.189 1047415
x.x.x.190 1076031
x.x.x.191 948336
x.x.x.192 946319
x.x.x.193 1293959
x.x.x.194 1108300
x.x.x.195 1036982
x.x.x.196 1012541
x.x.x.197 1070404
x.x.x.198 1062760
x.x.x.199 994345
x.x.x.200 1000985
x.x.x.201 1150214
x.x.x.202 1070547
x.x.x.203 1005395
x.x.x.204 990207
x.x.x.205 1055065
x.x.x.206 1053152
x.x.x.207 973577
x.x.x.208 964460
x.x.x.209 1173406
x.x.x.210 1070650
x.x.x.211 1002023
x.x.x.212 983619
x.x.x.213 1039752
x.x.x.214 1035196
x.x.x.215 969089
x.x.x.216 957765
x.x.x.217 1115906
x.x.x.218 1035071
x.x.x.219 972473
x.x.x.220 971376
x.x.x.221 1027993
x.x.x.222 1039586
x.x.x.223 943255
x.x.x.224 942572
x.x.x.225 1214697
x.x.x.226 1067487
x.x.x.227 995786
x.x.x.228 978545
x.x.x.229 1036333
x.x.x.230 1039868
x.x.x.231 973194
x.x.x.232 962046
x.x.x.233 1112893
x.x.x.234 1036105
x.x.x.235 976903
x.x.x.236 964068
x.x.x.237 1024653
x.x.x.238 1025546
x.x.x.239 948607
x.x.x.240 948034
x.x.x.241 1157102
x.x.x.242 1046467
x.x.x.243 977487
x.x.x.244 962750
x.x.x.245 1017034
x.x.x.246 1011215
x.x.x.247 948181
x.x.x.248 944969
x.x.x.249 1108805
x.x.x.250 1039464
x.x.x.251 995880
x.x.x.252 981302
x.x.x.253 1024893
x.x.x.254 1226421
x.x.x.255 679518


Obviously from the number of answers it is not possible to draw conclusions about the density of IP population, as they may be conveniently filtered.

The % of IP addresses answering to ping seems reasonable, given that it is logical that the external equipment answers to this protocol to aid troubleshooting. It is also normal that many others do not answer, but in any case IPv4 does not appear to be so saturated as usually it is said.

This experiment is a proof of concept of how easy it is to make a global action against all Internet, with almost no cost, short time and basic knowledge. We can see that it would be possible to scan a TCP port, or even do some intrusion attack globally (always stateless), for which any UDP attack could be very effective (as it did with slammer). In any case these actions are and would be considered as attacks, so as expected we will not go further and evolve this project.

Probed that IPv4 is really small, we have another argument to answer the usual question: Why would somebody want to attack me? With IPv6, the attack vector is many orders of magnitude higher, preventing scans “so brute”.

Curiously, we did not have any counter response, or received hostile activity in response. However, we were receiving traffic from a server that sent us the pong for hours continuously and repeatedly (DUP!), we think that due to a IP error that we could not determine.

Although the experiment has been the most innocuous and harmless we could thought about, during the experiment we have received some complaints from organizations related to the the scan. However, taking into account the number of “attacked” sites, the complaints have been few and the hosting provider that received the pings acted in any case time communicating the complaint after the end of the experiment, which shows that such a global attack would be really unstoppable.

With the extracted data more interesting analysis can be done, that we leave for next entries, such as the issue with network and broadcast addresses (.0 and .255). I hope you liked the experiment, and in any case I apologize if I annoyed you with my ping.

Defenses against DHCP attacks

After reading @chemaalonso‘s post about DHCP Ack Inyector, I remembered my college years back in 2005 when you just needed to go to the library, plug-in your laptop to the network and voilà, just “listening” network traffic you saw all those vulnerable or misconfigured protocols such as STP, HSRP, DTP, etc..

Not only that. There wasn’t any type of control over the information the users could send, and using tools such as Gobbler, dsniff, ettercap, yersinia, etc., you could perform any man-in-the-middle attack. The most interesting part was that the networking devices used for traffic management were almost entirely Cisco. I.e. devices fully able to control and mitigate virtually most of these attacks, but that were configured to perform basic networking functions: routing, VLANS, ACL, QoS, etc. Either because of ignorance or carelessness, they were not being taken the performance that actually justified his acquisition.

Over time I have realized that this situation is quite common: it is really hard to find a company with strict configuration policies to secure the local network environment. I personally think that many organizations are unaware of the damage that a disgruntled employee could do in a network “poorly controlled”. Without using any sophisticated tools like Loki or Yersinia, it is possible to bring down an entire network with just a couple of packets. Using Scapy, you can perform MitM using ARP / DHCP / VRRP / HSRP or without much effort even more entertaining things like getting a pool of shells with Metasploit browser_autopwn and etterfilters.

[Read more…]

How much does it take to ping the whole Internet?

(Check the result of this experiment in the second part of this post: The result of pinging all the Internet IP addresses)

Internet, the World Wide Web. All modern organizations in the world are connected to the Internet. A large number of people have Internet access, at work, in the homes and on the mobile device.

This can make us think we’re talking about a vast range of addresses within which attackers can focus their attacks in a given organization. For now we will take the entire Internet address space of IPv4. When deployed IPv6, this will change and there will be an added level of complexity.

Let’s suposse we want to carry action against all the Internet addresses? Would it be viable? How much would it cost? Technical resources? Physical resources? Time? Money? Let’s do some maths and maybe then do a little experiment. To begin, we assume the following scenario:

  • We want to do a ping (ICMP ECHO) to each and every one of the Internet IP addresses.
  • We store the result of whether they have responded to ping or not (if they have made pong).

Here are some calculations:

How many IP addresses are there?

256^4 = 4,294,967,296, i.e. approx. 4 billion addresses.

How much bandwidth is consumed by a ping?

  • In our case we will consider as 58 bytes per ping.
  • Let the bandwidth necessary to ping all the Internet: 256^4 * 58 bytes = 232 GB.

If we store the response with only one bit per address it would take 512 MB. If for processing convenience we store one byte per response it would take 4GB.

Considering a bandwidth of 50 Mbit/sec we would finish the scan in approx. 10 hours.

Technical skills required: We need a program with two threads: one that continuously send packets blindly, and another that receives responses in a stateless manner (there is similar software for TCP scans called scanrand).

Technical capacity: Any person with some knowledge of sockets in C, looking at ping.c, could do this program.

Power required: With an average PC is more than enough. In our experiments we have done it without problems with a Dual-Core 2.66Ghz 4GB of RAM and a 100Mbits internet connection.

Cost of equipment and connection: In any known hoster it can cost 30 EUR per month. In server usage percentage it would be 0.42€.

So anyone with knowledge in C programming and 30 Euros can make a massive, global action to all Internet addresses in less than 10 hours. Another example that just by being connected to the Internet you can receive an attack (spanish link). In the history of Internet there have been many worms that have indiscriminately attacked all the Internet addresses. The networks of today and the power equipment can turn local problems into global incidents within minutes. A famous example of this was the SQL Slammer worm that in just under 10 minutes got Internet crashed, taking advantage of a vulnerability attacked with a single UDP packet of 376 bytes.

So, it is clear that the Internet is a very, very small place, and you have to be really well protected. As seen, just being on the Internet makes you an indirect target of global and automated attacks. And not being on the Internet is no longer an option.

In the next post we will see the result of implementing this theoretical exercise. To do so, we decided to make a simple and benign ping against all Internet IP addresses. While it is true that a ping can be the first step to a more sophisticated attack, this is not (obviously) the intention of this experiment. Furthermore, that ping can show us the filtering level or the population level of Internet IP ranges what may have some academic interest.

Do not miss the next post where we will describe the results of the experiment. What technical problems we encountered ? How many pongs we received? And complaints? Any counterattack? What networks do answer more?

Aurora vulnerability or how to exploit knowledge of physical processes

Trying to raise awareness of cybersecurity issues among my fellow process & control engineers is a challenging task. We’ve talked about it before, making it clear how the lack of the basic notions on ICT environments and procedures turn the risks and mechanisms of attack almost inconceivable for these engineers. I mean ‘inconceivable’ sensu stricto: not something with a very low assigned probability, but something you cannot even think about because you lack the cultural background and experience to do so.

The most common response is denial, built on several fallacies that often explain this sense of security. One is the confidence in the mechanisms laid to provide physical protection of equipment: i.e. safety interlocks by mechanical or electrical devices that operate autonomously without processing or communication capabilities and, therefore, are regarded as cyberattack-proof. Somehow, in a control engineer state of mind (myself included), these systems are regarded as the last line of defense, absolutely isolated and independent of processor-based systems malfunction (even when those processors are human) and are laid to avoid damage to physical equipment caused by improper process operation.

In my own experience, design of control systems has always relied on a two-fold strategy:

  • Deployment of a higher control level based on electronic instrumentation and processing algorithms which, by their very nature, allow for a finer tuning and higher efficiency. This is a processor-based level.
  • Deployment of a lower level based on relays and electrical and mechanical actuators that enable system operation in case of control system crash-down or severe malfunction. This level is not processor-based and, as has been stated above, prevents the physical system operation under improper conditions. It relies on built-in and hard-wired electromechanical equipment.

This second level supports the claims for the virtual impossibility of physical equipment suffering severe damage, even if a malicious individual or organization takes control of the system. However, there are two facts that undermine this security paradigm:

  • I have noticed that in many brand new control systems safety interlocks are implemented through digital instrumentation readings, communication networks and control network PLCs. The aim is twofold: first, lower costs in wiring and devices regarded as redundant and, secondly, a will to leverage the greater accuracy and adaptability of digital systems. I know of some epic fail cases which rank in the tens to hundreds of thousand Euros because of this practice.
  • Interlocks and protection systems are designed to prevent damage if the process runs beyond the allowable operating conditions. But since physical systems are not explained on a 1 and 0 basis (there is a continuum of intermediate states) one should always allow a regulation deadband to prevent annoying tripping of protection devices and to account for normal measurement variability. This is achieved by setting deadband controls, hysteresis loops, tripping delays, etc…

In the first case physical protection devices are seriously compromised by their being software and network dependant. But even in the latter case it is possible, in principle, to conduct an attack planned to take advantage of this design logic and aimed to force working conditions that result in damage to physical systems. Too complicated? Vain speculation? Not really. There is at least one documented case in which this strategy was used with spectacular results: The so called Aurora vulnerability.

This is an experiment conducted at the INL (Idaho National Laboratory) in 2007 and, as far as I can see, has fallen into that limbo that lies between professionals involved in control systems and those who are engaged in information and communication technologies security: after all, to get a full understanding of the attack one must have, so to speak, a foot in each half of the field. This could be the reason that explains why news of the experiment went almost unnoticed (beyond a video broadcast by CNN that, possibly because of its spectacular nature, triggered the typical reaction of denial in those who may be directly concerned). Even the veracity of the facts shown has been intensely questioned, suggesting that pyrotechnic devices were used to enhance the visual effect!

What is Aurora all about? To put it simply: Aurora is an attack designed specifically to cause damage to an electric power generator. The thing goes like this: all generator units are (or should be) protected to avoid out-of-synchronism connection to a power grid. This is achieved by checking the waveform being generated to asses that it matches that of the power grid (within certain limits). To do that voltage, frequency and phase are monitored. Why? Because connecting to a power grid in out-of-synchronism condition will cause the generator to synchronize almost instantaneously, resulting in an extraordinary mechanical torque at the shaft of the generator, stress this device is not designed to bear. Repetition of this anomalous operating condition will cause the equipment to fail. Let’s imagine someone willing to jump onboard a moving train: We can see him running along the tracks trying to match the train’ speed and then jumping inside. If he’s lucky enough he will get a soft landing on the wagon’s floor. An alternative but no advisable method is to stand beside the tracks and grab the ladder handrail as it passes right in front of you. It is easy to see that the resulting pull is something you don’t want to experience.

However, the protective relays allow for a certain delay between the out-of-syncronism condition recognition and the protection devices action, delay set to avoid annoyance tripping. This offers a window of opportunity to force undesirable mechanical stress in the generator without power grid disconnection. You can find a detailed technical analysis of the attack and possible mitigating measures.

True, for an attack of this kind to be successful a number of pre-conditions must be met: physical system knowledge, remote access to a series of devices, certain operating conditions of the electrical system, knowledge of existing protections and their settings … These are the arguments that will arise in the denial phase. But that’s not the point.

The point is: given the degree of exposure of industrial control systems to cyber attacks (owing to several reasons: historical, cultural, organizational and technical issues), the only thing needed to wreak havoc upon them is knowledge of physical systems and their control devices. Aurora Vulnerability is a very specific case. But it should be enough to show that confidence in physical protection of equipment has its limits, limits waiting to be discovered. Regarding them as our only line of defense is a risk that no one can afford.

Can we?

By the way, the original Aurora vulnerability video can be seen below:

VLAN Management Policy Server

Usually, when we have to do network segmentation using VLANs, we create the necessary networks either manually or automatically using protocols like Cisco VTP (VLAN Trunking Protocol). After that, we assign each one of the network devices to the different VLANs defined. This means that if I move tomorrow and change my laptop of network connection point, I will have to change the new network connection point so it belongs to the original VLAN I had.

One solution to this problem is the use of the VTP protocol together with the Cisco VMPS (VLAN Management Policy Server) service, which provides a first approximation to a solution of network access control such as the ones offered by manufacturers today. Among other features, VMPS allows to dynamically associate devices to VLANs based on MAC address (with the security issues this involves). This way, I can connect my laptop to any network point of the office and it will always belong to the same correct VLAN.

Any midrange Cisco switch supports VMPS as client. However, only the upper range (higher than 4000) support the server mode. Despite this, it is not necessary to have one of these devices to implement this solution because there are many tools, both free (some outdated) and commercial, that provide the VMPS server functionality we need. Among all them, we have selected vmpsd (, a little daemon for GNU/Linux that provides a VMPS server without installing too much software, as a management system database. To configure VMPS on our switch (the Cisco 2960 is the chosen device), we have to perform the following steps:

1) Configure VTP

Switch(config)#vtp  mode  server 
Switch(config)#vtp  domain s2

Switch#show  vtp  status 
          : running VTP2
Configuration Revision          : 1
Maximum VLANs supported locally : 255
Number of existing VLANs        : 14
VTP Operating Mode              : Server
VTP Domain Name                 : s2
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xC4 0xE8 0xDB 0x1A 0xF2 0x6B 0xC2 0x79 

2) Configure the switch device as a VMPS client

To perform this configuration, we use the IP address of the main VPMS server (we can have several).

Switch(config)# vmps retry 3
Switch(config)# vmps reconfirm 1
Switch(config)# vmps server primary
Switch#show  vmps 
VQP Client Status:
VMPS VQP Version:   1
Reconfirm Interval: 1 min
Server Retry Count: 3
VMPS domain server: (primary, current)
Reconfirmation status
VMPS Action:         No Dynamic Port

3) Create the VLANs

Switch(config)#vlan 21
Switch(config-vlan)#name MANAGMT
Switch(config)#vlan 22
Switch(config-vlan)#name USUARIOS
Switch(config)#vlan 23
Switch(config-vlan)#name GUESTS
Switch#show  vlan 
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
21   MANAGMT                          active    
22   USUARIOS                         active    
23   GUESTS                           active   

4) Mark the interfaces that use VMPS

Switch(config)#interface  range  fastEthernet 0/10-20 
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan dynamic

Switch#show  interface fastEthernet 0/10 switchport 
Name: Fa0/10
Switchport: Enabled
Administrative Mode: dynamic access  ******
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: unassigned  *******
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none 
Administrative private-vlan mapping: none 
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

5) Configure the VMPS server (vlan.db)

vmps domain s2
vmps mode open
vmps fallback GUESTS
vmps no-domain-req deny

address 0023.8bd7.c2b3 vlan-name MANAGMT

In the configuration must take into account the following:

  • The domain must coincide with the one configured in VTP.
  • The “GUESTS” VLAN is used to redirect the MACs that are not authorized by the policy because we have configured the open mode. If we use the secure mode, the interface would be disabled.
  • We assign the MAC address of my laptop to the VLAN “MANAGMT”.

Once here, we start the daemon and launch a test query (we use the IP address, the VTP domain and MAC address)

perl  -s -v s2  -m 0023.8bd7.c2b3
MAC Address: 00238bd7c2b3 
Status: ALLOW

As we can see, the MAC address is authorized and it gets the VLAN “MANAGMT”. Reached this point, we just have to connect to the switch (we set the debug mode on with the command debug vqpc all) to do several tests:

Connect the laptop to one of the network connection points defined to use VMPS (fa0/13).

*Mar  1 02:23:09.070: VQPC EVENT: -pm_port_vqp_start: port Fa0/13
*Mar  1 02:23:11.075: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to up
*Mar  1 02:23:12.081: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed 
                      state to up
*Mar  1 02:23:13.986: VQPC LEARN: 
*Mar  1 02:23:13.986: VQPC LEARN: -learning mac 0023.8bd7.c2b3 on vlan 0, port Fa0/13
*Mar  1 02:23:13.986: VQPC LEARN: adding mac 0023.8bd7.c2b3 on vlan 0, port Fa0/13, type = 0x0021
*Mar  1 02:23:13.986: VQPC: allocating transID 0x00000471
*Mar  1 02:23:13.986: VQPC PAK: xmt transaction ID = 0x00000471
*Mar  1 02:23:13.986: VQPC PAK: sending query to VMPS
*Mar  1 02:23:13.986: VQPC PAK:  
*Mar  1 02:23:13.986: VQPC PAK: rcvd packet from VMPS
*Mar  1 02:23:13.994: VQPC PAK: transaction ID = 0x00000471
*Mar  1 02:23:13.994: VQPC: rcvd response, transID = 0x00000471
*Mar  1 02:23:13.994: VQPC PAK: VLAN name TLV, vlanName = MANAGMT
*Mar  1 02:23:13.994: VQPC PAK: Cookie TLV, cookie = 0023.8bd7.c2b3, length = 6
*Mar  1 02:23:13.994: VQPC EVENT: -set_hwidb_vlanid: port Fa0/13 to vlan 21, mac: 0023.8bd7.c2b3
*Mar  1 02:23:13.994: VQPC EVENT: saving 0023.8bd7.c2b3 from old vlan 0
*Mar  1 02:23:13.994: VQPC EVENT: changing Fa0/13 to vlan 21
*Mar  1 02:23:13.994: VQPC LEARN: adding mac 0023.8bd7.c2b3 on vlan 21, port Fa0/13, type = 0x0001
*Mar  1 02:23:13.994: VQPC LEARN: deleting mac 0023.8bd7.c2b3 on vlan 0, port Fa0/13
*Mar  1 02:23:13.994: VQPC LEARN: changing mac 0023.8bd7.c2b3 on vlan 21, port Fa0/13 to FORWARDING

As we can see, it assigns to the MAC address the VLAN 21 (“MANAGMT”):

Switch#show  vlan 

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
21   MANAGMT                          active    Fa0/13
22   USUARIOS                         active   
23   GUESTS                           active    

Switch#show  interface fastEthernet  0/13 switchport 
Name: Fa0/13
Switchport: Enabled
Administrative Mode: dynamic access
Operational Mode: dynamic access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 21 (MANAGMT)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none 
Administrative private-vlan mapping: none 
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled

Now we disconnect it and connect it to other switch port (fa0/17):

*Mar  1 02:24:42.938: VQPC EVENT: -pm_port_vqp_start: port Fa0/17
*Mar  1 02:24:44.650: VQPC LEARN: 
*Mar  1 02:24:44.650: VQPC LEARN: -learning mac 0023.8bd7.c2b3 on vlan 0, port Fa0/17
*Mar  1 02:24:44.650: VQPC LEARN: adding mac 0023.8bd7.c2b3 on vlan 0, port Fa0/17, type = 0x0021
*Mar  1 02:24:44.650: VQPC: allocating transID 0x00000491
*Mar  1 02:24:44.650: VQPC PAK: xmt transaction ID = 0x00000491
*Mar  1 02:24:44.650: VQPC PAK: sending query to VMPS
*Mar  1 02:24:44.650: VQPC PAK:  
*Mar  1 02:24:44.650: VQPC PAK: rcvd packet from VMPS
*Mar  1 02:24:44.650: VQPC PAK: transaction ID = 0x00000491
*Mar  1 02:24:44.650: VQPC: rcvd response, transID = 0x00000491
*Mar  1 02:24:44.650: VQPC PAK: VLAN name TLV, vlanName = MANAGMT
*Mar  1 02:24:44.650: VQPC PAK: Cookie TLV, cookie = 0023.8bd7.c2b3, length = 6
*Mar  1 02:24:44.650: VQPC EVENT: -set_hwidb_vlanid: port Fa0/17 to vlan 21, mac: 0023.8bd7.c2b3
*Mar  1 02:24:44.650: VQPC EVENT: saving 0023.8bd7.c2b3 from old vlan 0
*Mar  1 02:24:44.650: VQPC EVENT: changing Fa0/17 to vlan 21
*Mar  1 02:24:44.658: VQPC LEARN: adding mac 0023.8bd7.c2b3 on vlan 21, port Fa0/17, type = 0x0001
*Mar  1 02:24:44.658: VQPC LEARN: deleting mac 0023.8bd7.c2b3 on vlan 0, port Fa0/17
*Mar  1 02:24:44.658: VQPC LEARN: changing mac 0023.8bd7.c2b3 on vlan 21, port Fa0/17 to FORWARDING
*Mar  1 02:24:44.943: %LINK-3-UPDOWN: Interface FastEthernet0/17, changed state to up
*Mar  1 02:24:45.950: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/17, 
                      changed state to up

Switch#sh mac-address-table | inc DYNAMIC
  21    0023.8bd7.c2b3    DYNAMIC     Fa0/17

Switch#show  vlan                                    

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
21   MANAGMT                          active    Fa0/13, Fa0/17
22   USUARIOS                         active   
23   GUESTS                           active    

We see that the Fa0/13 interface is still assigned to the VLAN “MANAGMT”, so we connect other computer to that port:

*Mar  1 00:03:35.016: VQPC EVENT: -pm_port_vqp_start: port Fa0/13
*Mar  1 00:03:36.887: VQPC LEARN: 
*Mar  1 00:03:36.887: VQPC LEARN: -learning mac 0005.1b00.3f81 on vlan 0, port Fa0/13
*Mar  1 00:03:36.887: VQPC LEARN: adding mac 0005.1b00.3f81 on vlan 0, port Fa0/13, type = 0x0021
*Mar  1 00:03:36.887: VQPC: allocating transID 0x00000061
*Mar  1 00:03:36.887: VQPC PAK: xmt transaction ID = 0x00000061
*Mar  1 00:03:36.887: VQPC PAK: sending query to VMPS
*Mar  1 00:03:36.887: VQPC PAK:  
*Mar  1 00:03:36.887: VQPC PAK: rcvd packet from VMPS
*Mar  1 00:03:36.887: VQPC PAK: transaction ID = 0x00000061
*Mar  1 00:03:36.887: VQPC: rcvd response, transID = 0x00000061
*Mar  1 00:03:36.887: VQPC PAK: VLAN name TLV, vlanName = GUESTS
*Mar  1 00:03:36.887: VQPC PAK: Cookie TLV, cookie = 0005.1b00.3f81, length = 6
*Mar  1 00:03:36.887: VQPC EVENT: -set_hwidb_vlanid: port Fa0/13 to vlan 23, mac: 0005.1b00.3f81
*Mar  1 00:03:36.887: VQPC EVENT: saving 0005.1b00.3f81 from old vlan 0
*Mar  1 00:03:36.887: VQPC EVENT: changing Fa0/13 to vlan 23
*Mar  1 00:03:36.895: VQPC LEARN: adding mac 0005.1b00.3f81 on vlan 23, port Fa0/13, type = 0x0001
*Mar  1 00:03:36.895: VQPC LEARN: deleting mac 0005.1b00.3f81 on vlan 0, port Fa0/13
*Mar  1 00:03:36.895: VQPC LEARN: changing mac 0005.1b00.3f81 on vlan 23, port Fa0/13 to FORWARDING
*Mar  1 00:03:37.021: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to up
*Mar  1 00:03:38.028: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, 
                      changed state to up

As the MAC address is not authorized by the defined policy, it assigns dinamically the VLAN “GUESTS”.

Switch#show  vlan 

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
21   MANAGMT                          active    Fa0/17
22   USUARIOS                         active    Fa0/24
23   GUESTS                           active    Fa0/13

If we now change the policy to the secure mode and without a fallback VLAN we connect the same PC:

*Mar  1 00:12:57.019: VQPC LEARN: 
*Mar  1 00:12:57.019: VQPC LEARN: -learning mac 0005.1b00.3f81 on vlan 0, port Fa0/13
*Mar  1 00:12:57.019: VQPC LEARN: adding mac 0005.1b00.3f81 on vlan 0, port Fa0/13, type = 0x0021
*Mar  1 00:12:57.019: VQPC: allocating transID 0x00000151
*Mar  1 00:12:57.019: VQPC PAK: xmt transaction ID = 0x00000151
*Mar  1 00:12:57.019: VQPC PAK: sending query to VMPS
*Mar  1 00:12:57.019: VQPC PAK:  
*Mar  1 00:12:57.019: VQPC PAK: rcvd packet from VMPS
*Mar  1 00:12:57.019: VQPC PAK: transaction ID = 0x00000151
*Mar  1 00:12:57.019: VQPC: rcvd response, transID = 0x00000151
*Mar  1 00:12:57.019: %VQPCLIENT-2-SHUTDOWN: Interface Fa0/13 shutdown by VMPS
*Mar  1 00:12:57.019: %PM-4-ERR_DISABLE: vmps error detected on Fa0/13, putting Fa0/13 in 
                      err-disable state
*Mar  1 00:12:57.019: VQPC EVENT: -pm_port_vqp_stop: port Fa0/13
*Mar  1 00:12:57.019: VQPC EVENT: port Fa0/13, REMOVE dynamic access config
*Mar  1 00:12:57.019: VQPC EVENT: deleting all addresses on vlan 0,t Fa0/13
*Mar  1 00:12:57.019: VQPC EVENT: Deleted TCAM catch-all for port Fa0/13
*Mar  1 00:12:57.019: VQPC EVENT: -set_hwidb_vlanid: port Fa0/13 to vlan 0, mac: NULL
*Mar  1 00:12:57.019: VQPC EVENT: changing Fa0/13 to vlan 0
*Mar  1 00:12:58.026: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, 
                      changed state to down
*Mar  1 00:12:59.024: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to down

Switch#show interfaces fas 0/13 status 

Port      Name     Status       Vlan        Duplex  Speed Type
Fa0/13             err-disabled unassigned  auto    auto 10/100BaseTX

We can see as it has disconnected the interface from the switch and so it shows in the VPMS protocol stats:

Switch#show  vmps statistics
VMPS Client Statistics
VQP  Queries:               53
VQP  Responses:             20
VMPS Changes:               0
VQP  Shutdowns:             5
VQP  Denied:                0
VQP  Wrong Domain:          0
VQP  Wrong Version:         0
VQP  Insufficient Resource: 0

As shown, this solution provides more security than the usual solution, improving the mobility in our network. However, it has other security problems we will see in future posts.

New MFTParser plugin in the alpha version of Volatility

Last week, playing with a forensics challenge left by Jack Crook (@jackcr) in the GCIH LinkedIn group, I upgraded Volatility to version 2.3_alpha. In this challenge, the author had included the RAM dump and the disk timeline of each one of the affected computers, and a capture file of the network traffic. However, reviewing the novelties included in this Alpha version I saw a couple of them quite interesting: mbrparser and mftparser.

Mftparser, as indicated in the Volatility webpage, scans and analyzes entries in the Master File Table (MFT). The plugin scans the memory dump for possible MFT entries and prints out information for certain attributes. For more information see OMFW 2012: Reconstructing the MBR and MFT from Memory.

Despite having the timeline, I decided to try the new plugin and compare the output with the one we had been provided. The output can be displayed in a tabular format or, and here is where it gets powerful, in the body format of Sleuthkit (with option –output=body).

mbelda@audit:~/Forensics/jackcr-challenge$ python ~/volatility/ --profile=WinXPSP3x86 -f 
  ENG-USTXHOU-148/memdump.bin mftparser –output=body
Volatile Systems Volatility Framework 2.3_alpha

Scanning for MFT entries and building directory, this can take a while
(FN) 0x12d588|WINDOWS\Prefetch\NETEXE~1.PF|11727|---a-------I---|0|0|424|1353971273|1353971273|
(SI) 0x12d588|WINDOWS\Prefetch\NETEXE~1.PF|11727|---a-------I---|0|0|424|1353971273|1353971273|
(FN) 0x12d588|WINDOWS\Prefetch\|11727|---a-------I---|0|0|424|1353971273|
(FN) 0x2bbee0|WINDOWS\Prefetch\NET1EX~1.PF|11728|---a-------I---|0|0|432|1353971306|1353971306|
(SI) 0x2bbee0|WINDOWS\Prefetch\NET1EX~1.PF|11728|---a-------I---|0|0|432|1353971306|1353971306|
(FN) 0x2bbee0|(Null)|11728|---------------|0|0|432|0|0|0|0
(FN) 0x311000|WINDOWS\Prefetch\NET1EX~1.PF|11728|---a-------I---|0|0|480|1353971306|1353971306|
(SI) 0x311000|WINDOWS\Prefetch\NET1EX~1.PF|11728|---a-------I---|0|0|480|1353980005|1353980005|
(FN) 0x311000|WINDOWS\Prefetch\|11728|---a-------I---|0|0|480|1353971306|13
(FN) 0x311400|WINDOWS\Prefetch\SLEXE-~1.PF|11729|---a-------I---|0|0|472|1353971435|1353971435|
(SI) 0x311400|WINDOWS\Prefetch\SLEXE-~1.PF|11729|---a-------I---|0|0|472|1353971493|1353971493|

Then you just have to run mactime (included on Sleuthkit) on this file and you get a system timeline from the RAM dump.

mbelda@audit:~/Forensics/jackcr-challenge$ mactime -b  ENG-USTXHOU-148/body.txt >  

I find this especially useful when, for reasons of size or availability, we can not have a disk image to get the information about the creation or access times of certain files.

Here’s an example. Thanks to searching for strings (strings command with the IP showed with the command connscan) directly on the RAM dump, we find a mail received by the user is that contains a link to a suspicious executable file:

mbelda@audit:~/Forensics/jackcr-challenge$ python ~/volatility/ --profile=WinXPSP3x86 -f 
  ENG-USTXHOU-148/memdump.bin connscan

Volatile Systems Volatility Framework 2.3_alpha
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01f60850                        36569092
0x01ffa850          1024
0x0201f850         4
0x02084e68         628
0x020f8988         696
0x02201008         628
0x18615850         4
0x189e8850          1024
0x18a97008         628
0x18b8e850                        36569092
0x18dce988         696

mbelda@audit:~/Forensics/jackcr-challenge$ strings ENG-USTXHOU-148/memdump.bin > 
mbelda@audit:~/Forensics/jackcr-challenge$ cat ENG-USTXHOU-148/strings.txt


Received: from d0793h ( [])
        by ubuntu-router (8.14.3/8.14.3/Debian-9.2ubuntu1) with SMTP id qAQK06Co005842;
        Mon, 26 Nov 2012 15:00:07 -0500
Message-ID: <FCE1C36C7BBC46AFB7C2A251EA868B8B@d0793h>
From: "Security Department" <>
To: <>, <>,
Subject: Immediate Action
Date: Mon, 26 Nov 2012 14:59:38 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
X-OriginalArrivalTime: 26 Nov 2012 20:00:08.0432 (UTC) FILETIME=[A2ABBF00:01CDCC10]
This is a multi-part message in MIME format.
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable
Attn: Immediate Action is Required!!
The IS department is requiring that all associates update to the new =
version of anti-virus.  This is critical and must be done ASAP!  Failure =
to update anti-virus may result in negative actions.
Please download the new anti-virus and follow the instructions.  Failure =
to install this anti-virus may result in loosing your job!
Please donwload at
The IS Department
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<META content=3D"text/html; charset=3Diso-8859-1" =
<META name=3DGENERATOR content=3D"MSHTML 8.00.6001.18702">

Running the iehistory plugin (also new in this version 2.3 of Volatility) we could confirm that the user clicked the link:

mbelda@audit:~/Forensics/jackcr-challenge$ python ~/volatility/ --profile=WinXPSP3x86 -f 
  ENG-USTXHOU-148/memdump.bin iehistory

Volatile Systems Volatility Framework 2.3_alpha
Process: 284 explorer.exe
Cache type "URL " at 0x2895000
Record length: 0x100
Location: Visited: callb@
Last modified: 2012-11-26 23:01:53 
Last accessed: 2012-11-26 23:01:53 
File Offset: 0x100, Data Offset: 0x0, Data Length: 0xa8

But it would be thanks to the timeline created by the plugin mftparser that we could confirm he did not only clicked the link but also that the file was downloaded and executed, and thus the system compromised.

mbelda@audit:~/Forensics/jackcr-challenge$ cat ENG-USTXHOU-148/body_mactime.txt
Mon Nov 26 2012 23:01:54      472 mac. --------------- 0  0  10117    Documents and Settings\
                                                                       callb\Local Settings\Temp
                              352 macb ---a-------I--- 0  0  11721    System Volume Information\
                              504 macb ---a-------I--- 0  0  11722    WINDOWS\Prefetch\
                              504 macb ---a-------I--- 0  0  11722    WINDOWS\Prefetch\SYMANT~1.PF
                              584 mac. --------------- 0  0  3420     WINDOWS\system32\CatRoot2
                              824 .a.. --------------- 0  0  3432     WINDOWS\system32\CatRoot2\
                              344 mac. ---a----------- 0  0  6996     WINDOWS\system32\CatRoot2\
                              352 .a.. ---a----------- 0  0  8499     WINDOWS\system32\CatRoot2\
                              344 .ac. -h------------- 0  0  8610     WINDOWS\system32\6to4ex.dll
                              336 mac. ---a----------- 0  0  8611     WINDOWS\system32\CatRoot2\
                              472 mac. -----------I--- 0  0  8823     System Volume Information\
Mon Nov 26 2012 23:01:55      352 m.c. ---a-----c----- 0  0  10219    WINDOWS\system32\dllcache\
                              344 mac. ---a----------- 0  0  206      WINDOWS\system32\drivers\
                              416 .a.. ---a----------- 0  0  3438     WINDOWS\system32\CatRoot2\
                              416 .a.. ---a----------- 0  0  3439     WINDOWS\system32\CatRoot\
                              576 .a.. -h------------- 0  0  45       WINDOWS\inf
                              344 mac. ---a----------- 0  0  7161     WINDOWS\system32\wbem\Logs\
                              352 .a.. ---a----------- 0  0  8071     WINDOWS\inf\syssetup.inf
                              568 ..c. -hs--------I--- 0  0  8835     Documents and Settings\callb\
                              344 m.c. -hsa-------I--- 0  0  8836     Documents and Settings\callb\
                              344 .a.. --s------------ 0  0  9481     WINDOWS\system32\config\
                                                                       systemprofile\Application Data\
                              344 .a.. --s------------ 0  0  9482     WINDOWS\system32\config\
                                                                       systemprofile\Application Data\
                              472 .a.. --s------------ 0  0  9483     WINDOWS\system32\config\
                                                                       systemprofile\Application Data\
Mon Nov 26 2012 23:01:56      352 macb ---a-------I--- 0  0  10216    System Volume Information\
                              360 mac. ---a----------- 0  0  3355     WINDOWS\inf\syssetup.PNF
Mon Nov 26 2012 23:01:59      352 .ac. ---a-----c----- 0  0  10219    WINDOWS\system32\dllcache\
                              352 macb ---a-------I--- 0  0  11705    System Volume Information\
                              936 mac. rhs------c----- 0  0  71       WINDOWS\system32\dllcache
Mon Nov 26 2012 23:02:07      352 .a.. ---a----------- 0  0  23813    WINDOWS\system32\racpldlg.dll
Mon Nov 26 2012 23:03:10      472 macb --------------- 0  0  7556     WINDOWS\webui
Mon Nov 26 2012 23:03:21      488 macb ---a-------I--- 0  0  11706    WINDOWS\Prefetch\
                              488 macb ---a-------I--- 0  0  11706    WINDOWS\Prefetch\IPCONF~1.PF
                              352 .a.. ---a----------- 0  0  24145    WINDOWS\system32\ipconfig.exe
Mon Nov 26 2012 23:03:55      376 mac. ---a----------- 0  0  3436     WINDOWS\system32\CatRoot2\
Mon Nov 26 2012 23:04:14      352 .a.. ---a----------- 0  0  23351    WINDOWS\system32\drivers\
Mon Nov 26 2012 23:04:24      336 mac. ---a----------- 0  0  9790     WINDOWS\system32\CatRoot2\
Mon Nov 26 2012 23:06:34      504 macb ---a----------- 0  0  11710    WINDOWS\ps.exe
                              472 m.c. --------------- 0  0  28       WINDOWS
Mon Nov 26 2012 23:06:35      504 m.c. ---a----------- 0  0  11710    WINDOWS\ps.exe
Mon Nov 26 2012 23:06:47      416 macb ---a----------- 0  0  11719    WINDOWS\webui\gs.exe
Mon Nov 26 2012 23:06:48      416 mac. ---a----------- 0  0  11719    WINDOWS\webui\gs.exe
Mon Nov 26 2012 23:06:52      440 macb ---a----------- 0  0  11723    WINDOWS\webui\ra.exe
Mon Nov 26 2012 23:06:56      344 macb ---a----------- 0  0  11724    WINDOWS\webui\sl.exe
Mon Nov 26 2012 23:06:59      368 macb ---a----------- 0  0  11725    WINDOWS\webui\wc.exe
                              288 m... ---a----------- 0  0  11739    WINDOWS\system32\wc.exe
Mon Nov 26 2012 23:07:31      352 .a.. --------------- 0  0  11470    WINDOWS\system32\iertutil.dll
                              344 .a.. ---a----------- 0  0  11498    WINDOWS\system32\urlmon.dll
                              344 .a.. ---a----------- 0  0  11502    WINDOWS\system32\wininet.dll
                              488 mac. ---a-------I--- 0  0  11706    WINDOWS\Prefetch\IPCONF~1.PF
                              352 macb ---a----------- 0  0  11726    WINDOWS\webui\netuse.dll

The other highlighted files are those that Dropper creates when executed in order to compromise the PC. If anyone wants to see the final report of the challenge, follow the link below provided by Bryan Nolen (@BryanNolen) at Volatility page.

@Jackcr Forensics Challenge.

Introduction to PCI DSS: Payment Card Industry Data Security Standard

A month ago took place in Madrid a new edition of the seminar “Recent developments in Payment Systems“. A seminar organized by “Athena Interactive”, where were discussed some of the most important aspects of payment systems currently in operation.

One of the issues that was raised more comments was the complexity to obtain the lists of companies audited by the organization PCI DSS, and this saw interesting enough to write an entry about the function of this organization and its most relevant characteristics.

According to his own website, “PCI Security Standards Council is an open global forum established in 2006“, whose mission is to increase the security of the card industry payment, protect the user and reduce credit card fraud .

[Read more…]

Cybersecurity. The European Parliament is worried.

Anyone who carefully reads the report A7-0167/2012 of 05.16.2012 on the protection of critical information infrastructure of the European Commission will notice that the authors of the report, members of the Committee on Industry, Research and Energy, are very worried. We can also analyze the opinion of the Committee on Civil Liberties, Justice and Home Affairs of the EU with this report and see —you don’t need to read between the lines— that not only those with direct relation with the issue are concerned, but also commissions that aren’t apparently directly affected by issues related to cyber security of critical infrastructures.

If you also have the patience to study the recent report on cybersecurity and cyberdefense 2012/2096 (INI) of the Committee on Foreign Affairs, dated October 17th, 2012, you will realize that the concerns sometimes turn into “fear”, urging everyone to put to work enumerating countless reasons why we should do it (the “considerations” are impressive…).

The outlook is bleak because the “considerations” show many points that we should be working on and even though there is work done, they are not functional for many reasons, all of them logical. The fact is that everything that has to do with cyberthreats is moving very fast, too fast, and the European institutions very slow, too slow. As a society we should be prepared to take control of the situation but, unfortunately, this is one of those cases where I get the impression that the regulator is ahead of civil society because society is not aware of the magnitude of the threat.

This report on cybersecurity and cyberdefense literally says, “the danger posed by cyber-threats and cyber-attacks against government, administrative, military and international agencies is growing rapidly, both in the EU and in the world, and there are important concerns that state and non-state actors, especially terrorists and criminal organizations, can attack critical infrastructures of information and communication institutions and members of the EU, with the chance of causing significant damages including kinetic effects“, taking into account that most cyber incidents, as stated in the report, both in the public and private sector go unreported, urging the authorities to assess the possibility that a EU member state may suffer a cyberattack and talking about the possibility of implementation of the mutual defense clause (Article 42, paragraph 7 of the EU Treaty) without prejudice to the principle of proportionality. In this sense, could be a cyberattack considered a state-backed casus belli?

We leave the question open but in the case that the answer to the above question is yes, there are still other troubling statements in that report: It “notes that recent cyberattacks against European information networks and state information systems have caused extensive damage from the viewpoints of economic and security whose scope has not been adequately evaluated“.

Clearly cyber defense should be part of the common security and defense policy (CSDP) to, among others, to protect and preserve the lives of people, digital freedoms and respect for human rights online. However until June 2012, only 10 Member States have adopted a cybersecurity strategy, the first step to get to work. In Spain is under development.

In any case, both reports urge to develop strategies for cybersecurity and emergency plans for their own systems, asking explicitly to all institutions and agencies to address in their risk analysis the consequences of cyber crisis and emphasizing the importance of awareness. The members are encouraged to increase their investment in R&D in defense to 2% to make it one of the principal support of cybersecurity and cyberdefense.

This is alright, but they are nothing more than petitions done by the EU commission to the European Parliament through its reports and draft reports but… what happens in the meantime in the real world? Are we really doing our duties in this matter? Are we aware of the danger as a society? Are politicians who run our country aware of these risks? Yes? To what degree?

I have my own pinion. We see it in the work we do every day. And we will have to do an enormous effort to awareness society that this is a very important problem for all of us…

(1) Casus belli refers to the fact that is considered a cause or pretext for military action. The term appears in the context of international law of the late nineteenth century as a result of the ius in bello political doctrine. The casus belli, as part of the ius in bello or “law of war”, seeks to regulate the military actions of different countries, so a priori it prohibits the use of armed force to resolve conflicts, but allows the military power against another country under the principle of ultima ratio, ie as a last resort.

(2) In 2010 only a European member had reached 2% in research and development in defense, and thar year five countries had invested nothing.

Buster Sandbox Analyzer

(Today we have an interesting collaboration of Pedro Lopez, who describes Buster Sandbox Analyzer tool for those who do not already know it and invites anyone interested to collaborate with its development)

Buster Sandbox Analyzer is a tool designed to analyze the suspicious behavior of applications, ie those actions carried out typically by malware. Some examples of typical actions performed by malware are making a copy of itself elsewhere on the hard drive, modifying registry keys or adding files in the Windows installation directory among others.

However, when identifying an action as “dangerous”, the question is that some of the actions considered as suspicious are also usually performed by legitimate applications. It is thus very important to consider the overall context of the analyzed application: is it reasonable that the application we tested perform these actions?

[Read more…]