CISCO Router boot: cannot open “flash:”

November 26, 2008 by · Leave a Comment 



It can be quite painful when a network segment fails, your switches look good, but traffic from that network halts–this situation happened to me yesterday.  While troubleshooting the router, I could only access ROM monitor mode, or ROMmon. In ROMmon, I kept receiving the following error:

boot: cannot open “flash:”
boot: cannot determine first executable file name on device “flash:”

As it turns out, the flash image either became corrupt, or the flash card itself failed. The approach to handle this issue was to:

1. Download the latest IOS image and use the Xmodem Console Download procedures to upload it to the router

2. Replace the flash card with a spare component from a lab router and update the configuration

Personally, step 2 was a quicker solution as a lab router was available. Validating if the problem was a faulty flash card or if a re-image would fix it would’ve taken much longer. Therefore, the quickest solution was best, in order to get the production router back online ASAP. If funds are available, keeping spare parts on hand is an absolute must–especially for disaster recovery and continuity reasons.

Report to Congress: China’s Cyber Strategy is strong!

November 21, 2008 by · Leave a Comment 

The U.S.-China Economic and Security Review Commission recently reported to Congress on the strength of China’s cyber strategy. The report–released this month–outlines China’s attention to developing sophisticated cyber capabilities. Colonel Gary McAlum, who presides over global network operations, testified to the commission that China realises the urge for a strong cyber presence and has demonstrated this through increased resources and training in cyber attacks and cyber intrusions.

The Colonel further said that China currently has the intent and ability to conduct cyber operations anywhere in the world at any given time. Their cyber espionage program is so advanced that they can carry out cyber warfare at a level so sophisticated, that the U.S may not even notice or have the ability to counter.

The report further outlines how vulnerable the U.S is to cyber attacks. With systems such as power grids, financial, water, air traffic control, and other critical infrastructure connected to the Internet, a successful attack could paralyze the U.S. The bottom line, any system connected to the Internet has the potential to be accessed by foreign sources.

This report underscores the need for a more proactive and less reactive security strategy. Government and industry should collaborate a lot more and devote additional resources to research and development in information/cyber security. The report mentioned estimates of over 250 hacker groups in China that are tolerated, and possibly encouraged by their Government. We have a lot of talent in the mainstream and underground security/penetration industry here in the U.S. and should look to hone those skills instead of rejecting them.

If you’re interested in the report, it can be found here.

ASDM Error: Unconnected sockets not implemented

November 19, 2008 by · 21 Comments 

I tried logging into an ASA today and received the error, “Unconnected sockets not implemented.” After a bit of troubleshooting to discern what changes were made, it seems the latest version of Java is incompatible with the ADSM. The new version is JRE 6 update 10. The workaround: re-install JRE 6 update 7 or just use the CLI.



New malware targeting MAC OS X

November 18, 2008 by · Leave a Comment 

Trend Micro reports of a new form a malware targeting MAC OS X. The malware, called OSX_LAMZEV.A, can download itself when a user visits a compromised website, or when a user downloads it thinking it’s a legitimate program. 

According to Trend:

It prompts the user to select an application and port number above 1024. This may serve as a backdoor whenever the application is opened.

It creates the file /tmp/ and is copied to ~/Library/LaunchAgents. It is then deleted once it has been loaded. This routine allows the backdoor to execute during system startup

The full article can be found here.

Firewalls: Is your firewall hardened?

November 15, 2008 by · Leave a Comment 

If you’re working with firewalls, you should have a pretty good grasp of the OSI model by now. If not, review my brief “nuts and bolts” post (The OSI model in a nutshell) that explains each layer.

Before discussing how firewalls are bypassed, it’s important to know the types of firewalls. Depending on your infrastructure and protection needs, there are a number of firewall types you may use. I won’t go into specific vendor brands (such as PIX/ASA, CheckPoint NG, ISA, Juniper, etc.), but I will briefly cover the main firewall technologies. A few of the common types of firewalls on the market today fall into one or more of the following categories:

  • Packet filtering: packet filtering firewalls make decisions based on header information: IP address, protocol and port number. They use access control lists (ACLs) to determine what to accept or deny. One shortcoming, however, is that packet filtering firewalls can be bypassed when the traffic is fragmented or configured to arbitrarily meet the ACL criteria.
  • Application proxies: application proxies are firewall devices that act as the middle man to hosts. Unlike packet filtering firewalls, application proxies focus on the top layers of the OSI model. When establishing communications, proxies re-create conversations between the host and outside sources, masking the sources’ identity. They work in tandem with traditional firewalls, as they typically don’t possess the ability to deny traffic. One shortcoming is that proxies are a single point of failure, since all connections to the outside world must be re-created at this single point.
  • Stateful packet inspection: stateful packet inspection firewalls maintain a state table that keeps track of each session, or conversation. This type of firewall is more secure, as communication is only allowed through the firewall if a valid connection exists. Whether it’s TCP (connection-oriented) or UDP (connectionless), data is recorded in the state table. If traffic isn’t in response to a session, it’s blocked. Note: the state table includes source and destination IP addresses, ports, TCP sequence data, and other flags associated with the connection.

Now that you know a little bit about the types of firewalls, let’s discuss a common way attackers find out what rules are configured on your firewall. A tool known as Firewalk, can be used to determine which ports are open through the firewall. Firewalk is freely available at  So how does firewalk work? Well, according to their authors, “Firewalk works by sending out TCP or UDP packets with a TTL one greater then the targeted gateway. If the gateway allows the traffic, it will forward the packets to the next hop where they will expire and elicit an ICMP_TIME_EXCEEDED message. If the gateway host does not allow the traffic, it will likely drop the packets on the floor and it will see no response.” So in essence, it works like traceroute which uses the time-to-live (TTL) field to determine the hops packets take to reach a particular destination.

Each organization is unique and may have to live with the fact that external sources can figure out their firewall rules. Depending on the complexities of your network, not allowing ICMP_TIME_EXCEEDED messages is an option. Security administrators will have to assess the impact against their infrastructure in regards to network diagnostics.  Beyond assessing Firewalk, there are other means to hardening your firewall.

Most security administrators realize that the basic way to secure any product is to disable unnecessary services and processes. The same holds true with firewalls. Many of the latest brands come equipped with additional functionality that your infrastructure may not need or support. This may be due to integration issues or if another device is already performing the additional function. Therefore, if it’s not required, disable it.

Firewalls can have vulnerabilities, just like anything else. Some administrators have a false sense of security when they think of their “firewall” as the king reigning over their fortress. How silly will they feel when they realize their firewall was owned by a foreign source because of a buffer overflow that had a patch released over 6 months ago? So like other systems and applications, maintain proper patch management with firewalls and other security devices.

Another hardening measure is to know your configuration. If your firewall allows comments or a description, use it. This enhances change management and complements maintaining backups. Backups should be made of your configuration as consistent as you make changes. When descriptions are used, an old backup will reveal exactly what each rule was in place for.

I could write for hours on this topic, but some additional measures include maintaining proper logs (while securing your syslog server), using warning banners, a consistent naming convention, and defining a proper baseline. Although firewalls are great for network security, they are far from the “silver bullet” solution.

Words to live by

November 10, 2008 by · Leave a Comment 

Last week I posted a quote by Anthony Robbins and recommended his book, Unlimited Power. Ironically, I was cleaning up my inbox today and stumbled upon an e-mail I sent myself in June of 2006. The subject was “Words to live by”, and included the following excepts from Unlimited Power:

  • There’s no such thing as failure. There are only results! or an outcome….
  • Your belief will become your reality! The brain will do what it’s told!
  • Human behavior is the result of the state we’re in. Your state is the result of your internal representations and your physiology.
  • How you’re feeling is not the result of what is happening in your life-it is your interpretation of what is happening.
  • Successful people are willing to do W.I.T (Whatever It takes).
  • Belief in failure is a way of poisoning the mind.
  • Belief can turn on or shut off the flow of ideas.
  • John Stuart Mill once said, “One person with a belief is equal to a force of ninety-nine who have only interest”.
  • When we congruently believe something is true, it is like delivering a command to our brain saying how to represent what is occurring.
  • “Our doubts are traitors, and make us lose the good we oft might win, by fearing to attempt.” -William Shakespeare

You’d think I co-authored the book the way I’ve been talking about it so much. I’ve always been pretty big on reading/listening to leaderhip and personal development books. Maybe I’ll start adding some other “lessons” from different authors in the thoughts section of this blog.

Massive Web attack

November 10, 2008 by · Leave a Comment 

The good folks at Kaspersky Labs warned of a massive ‘successful’ hack to thousands of servers in Europe and the U.S. They believe the attack was either SQL injection or the use of previously compromised accounts. Here’s what they’re saying:

Yesterday we detected the onset of the latest mass hack attack – websites being hacked and links placed on them that lead to malicious servers. We’re estimating that in the last two days along, between 2000 and 10,000 servers, mainly Western European and American ones, have been hacked. It’s not yet clear who’s doing this.We’re still working on determining exactly how the sites were hacked, but there are two scenarios which are the most likely – using SQL injection or using accounts to the sites which had already been stolen. One common factor is that the majority of the hacked sites run on some type of ASP engine.

You can visit the analyst’s diary here.

Be sure to check out their recommendations for the eradication of malicious links. As the analysts stated, “It’s not just your security that’s at stake, but the security of everyone using your site!”

Measuring information security performance

November 8, 2008 by · Leave a Comment 

As a follow-up to my post on “How to approach baselining for better asset security,” I will discuss the benefits of measuring information security performance.

Security measurement allows managers to make informative decisions based on quantitative data. Once an information assurance process is in place, it must be measured to validate its effectiveness. With the increased complexities of system integration, security controls can degrade overtime. Therefore, a proper baseline with detailed documentation can help facilitate measurements.

Documentation is truly the key. Detailed documents defining the configurations, processes, standards, and information security controls help define the baseline for performance measurements. Through such well-defined documents, conclusions can be made based upon evidence, not assumption. So what metrics constitute the best performance measurements? Let’s discuss a few.

There are many industry standards that can help an organization build a personalized framework to measure their performance against. Some include the Generally Accepted Systems Security Principles (GASSP), ISO 17799, and the Standard of Good Practice for Information Security. These standards, along with other compliance and regulatory standards such as SOX, HIPAA, PCI-DSS, GLBA, and FISMA, serve as minimal requirements to protect an infrastructure. I wrote an article that addresses creating a security framework beyond such standards, and will supply the link once it’s published in a few weeks.

So, organizations must document each process and system within their infrastructure and assess their controls. This assessment can be made against the above listed standards for a baseline measurement of security performance. At the end of the measurement, the gap between the implemented controls and that of the standards should be addressed immediately. This gap represents the vulnerabilities between the baseline standards and the organizations configurations. With the increase of attacks becoming more sophisticated and targeted, organizations must take proactive measures to develop a framework beyond a standard baseline. Once the article I mentioned above is published, I’ll further explain the steps required to produce that framework.

Thought of the day

November 7, 2008 by · Leave a Comment 

“Look at a day when you are supremely satisfied at the end. It’s not a day when you lounge around doing nothing, it’s when you’ve had everything to do and you’ve done it!” – Margaret Thatcher

We are most satisfied when we set out goals for ourselves and achieve them. For me, I can’t sit idle–I have no satisfaction in non-productivity.

Beware of President Obama Spam!

November 5, 2008 by · Leave a Comment 

According to Sophos Plc., hackers have already launched a “President Obama” malware campaign. This widespread attack claims to provide up-to-date news results about the election. The e-mail message attempts to lure you in by saying “Watch his amazing speech.” However, the link redirects you to a fake news page that presents a download box posed as an Adobe flash player update–supposedly required to view the video.

Sophos also noted that this isn’t the first instance they’ve seen, as hackers have been quite interested in the U.S presidential race.

The full article can be found here.

Next Page »


Warning: Unknown: open(/home/content/30/5076530/tmp/sess_uh3vj2jqrdpm20sr4d2c8bfcr1, O_RDWR) failed: No such file or directory (2) in Unknown on line 0

Warning: Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct () in Unknown on line 0