Hackin9

InfoSec News

What I'm seeing in the security field is a focus on vulnerabilties and exploits, in short - the cool stuff. And in real life, we see a much stronger focus on operations and cost.



But what we rarely see is a focus on Audit. Where Audit differs from the day-to-day round of penetration tests, log review and like is that an audit compares a configuration or a set of parameters to a known standard for yes/no or exceed/deficient compliance.



In this diary, I'll do a short description of auditing a WAN link for metrics key to VOIP (Voice over IP) call quality. Just a short proviso - this is not a complete guide to VOIP call quality or auditing for VOIP metrics, it's meant as a starting point which you can take to your own environment and tailor to your own needs and toolset.
So, why would you want to audit a WAN link for VOIP call quality metrics?

1/ To assess if your edge routers are properly re-marking TOS or DSCP bits in the right packets, for delivery to the wAN (commonly done with PBR, Policy Based Routing)

2/ To assess if your WAN provider is honoring your QOS settings, and delivering the appropriate QOS to your various types of traffic



I'll assume that there's at least one Cisco device at each end of the WAN link we're assessing (the commands described are available on IOSswitches and routers), but the functions I'm describing are certainly available in most of the other name-brand network platforms.



So first of all, what will we audit in this setup?

Delay - how long does it take a packet to make a round-trip from one end to the other?

Jitter - how much does Delay change during any given call? (zero would be ideal)

MOS (Mean Opinion Scores) - a mathematical distillation of overall call quality to a single value, with 5 being perfect fidelity.



Let's look at the configuration. On the core router, we'll create an IP SLA setup to send test packets to IP SLA Responders at the remote sites. These commands create a simulate actual VOIPtraffic and reports on the results. Again, these are Cisco commands (routers or switches), but have analagous functions in other network platforms.



ip sla 1

udp-jitter 192.168.4.249 5001 codec g711alaw codec-numpackets 100 advantage-factor 10

tos 160

timeout 10000

threshold 10000

history enhanced interval 3600 buckets 12

ip sla schedule 1 life forever start-time now



snmp-server community somestring RO ACL_SNMP



access-list standard ACL_SNMP

permit ip snmp.monitor.host.1

permit ip snmp.monitor.host.2
What this does is:

Simulates a voice conversation of 100 packets, with a TOS (Type of Service) setting of 160.
The conversation is repeated every 60 seconds (the default), and statistics are kept for 1 hour.
The ip sla schedule line does exactly what it looks like - starts the process with no end time. The snmp-server setup allows us to monitor the statistics using our Network Managemnt System (or the CLI which we'll get to).



Next, at the remote end we'll set up a responder, which responds to the request packets from the core. Basically it takes the UDP packet and sends it back where it came from. Note that the listener port of the responder (5001) has to match the target port in the SLAconfig on the core router (above)

ip sla responder

ip sla responder udp-echo port 5001


Now, to monitor this we'll use simple SNMP queries. The OIDs (Object IDs) to monitor for Cisco devices are documented at:

http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=entranslate=TranslateobjectInput=1.3.6.1.4.1.9.9.42.1.5.2.1.42#oidContent

This is a really handy link if you need an explanation of what any particular OID or group of OIDs is about.


So, to monitor MOS from the command line:

C:\snmpget 192.168.2.237 1.3.6.1.4.1.9.9.42.1.5.2.1.42.1 -ccomplex.string

SNMP++ Get to 192.168.2.237 SNMPV1 Retries=1 Timeout=100ms Community=complex.string

Oid = 1.3.6.1.4.1.9.9.42.1.5.2.1.42.1

Value = 434
Divide that value by 100, to get an MOS value of 4.34



To get Jitter, we'll query the rttMonLatestJitterOperAvgJitter parameter, which is defined as The average of positive and negative jitter values in SD and DS direction for latest operation:

C:\snmpget 192.168.2.237 1.3.6.1.4.1.9.9.42.1.5.2.1.46.1 -ccomplex.string

SNMP++ Get to 192.168.2.237 SNMPV1 Retries=1 Timeout=100ms Community=complex.string

Oid = 1.3.6.1.4.1.9.9.42.1.5.2.1.46.1

Value = 1
And for delay, we'll query the maximum RTT (Round Trip Time) value for the latest conversation:

C:\snmpget 192.168.2.237 1.3.6.1.4.1.9.9.42.1.5.2.1.5.1 -ccomplex.string

SNMP++ Get to 192.168.2.237 SNMPV1 Retries=1 Timeout=100ms Community=complex.string

Oid = 1.3.6.1.4.1.9.9.42.1.5.2.1.5.1

Value = 4
I would expect that in most cases, you'd plug these OID values into your Network Management System and graph them over time. But in a pinch, you can collect them using a Windows CMD file and graph the values in Excel. The batch file QOS.CMDbelow creates a once-per-minute CSV file that you can read directly into most spreadsheets:
date /t qos.tmp

time /t qos.tmp

rem round trip delay

snmpget 192.168.2.237 1.3.6.1.4.1.9.9.42.1.5.2.1.5.1 -cerbro | find Value qos.tmp

rem max jitter on last conversation

snmpget 192.168.2.237 1.3.6.1.4.1.9.9.42.1.5.2.1.46.1 -cerbro | find Value qos.tmp

rem MOS on last conversation

snmpget 192.168.2.237 1.3.6.1.4.1.9.9.42.1.5.2.1.42.1 -cerbro | find Value qos.tmp

type qos.tmp | sed s/Value = // | tr '\n' ',' | tr -d '\r' qos.out

echo. qos.out

sleep 60

goto LOOPSTART
I use the GNU utils for my sed and tr, mostly because I can bundle everything up in only a few exe and dll files to run on any version of Windows. But the Services for Unix (SFU) that's in Windows these days works great also, and is probably a better way to go in most cases - - that tr weirdness might be better handled with SFU for instance. There are also several snmpget utilities floating around, each with slightly different syntax.



To meet our standard for good quality voice, the target values we are auditing against are:
Delay

When listening to speech, the human ear normally accepts up to about 150 ms of delay without noticing it (discussed in the ITU G.114 standard) Once the delay exceeds 150 ms, a conversation becomes akin to speaking on a walkie-talkie, with weird pauses in the conversation. In high delay environments, people tend to wait for their partner to finish speaking before talking (as on a walkie-talkie)



Jitter

Jitter values should be low, zero is the ideal. Values of over 20-30 ms will degrade voice quality, resulting in choppy sounding conversations or sometimes echo. Jitter can be compensated for in the end devices (jitter buffers on the phones for instance), or by proper prioritization and queuing of voice traffic. Excessive Jitter can indicate a problem in the queueing and forwarding algorithms on the WAN, exceeding the EF (express forwarding) budget on the WAN, or non-uniform delays imposed by queuing, encapsulation or encryption, or any forwarding operation in the path.



MOS

MOS is a simple, overall measure of call quality. If you graph one statistic for Management, this should be it, with the caption Greater than 4 is Good. The formal matrix for MOS definitions is:



MOS


Quality
Impairment


5
Excellent
Imperceptible


4
Good
Perceptible but not annoying


3
Fair
Slightly annoying


2
Poor
Annoying


1
Bad
Very annoying





I hope this short description helps you in assessing your network for VOIP readiness, or helps in troubleshooting VOIP issues. More importantly, I hope that this emphasizes the importance of Audit (the A in SANS) as an important part of your Security matrix.



===============
Rob VandenBrink

Metafore (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Though both are critical, physical and information security remain separate entities at many organizations. However, you can get a better grip on overall risk by integrating the two. Austin Recovery, a drug and alcohol treatment center, successfully took on the integration challenge-- and what it learned can teach corporations valuable lessons.
 
Oracle said on Tuesday it will continue porting its database and other software to Hewlett-Packard's Itanium server platform after a California judge ruled that it was obligated to do so.
 
The first round of Windows 8 tablets and laptops coming out later this year will be "just the beginning" of a range of form factors and styles that will evolve as the operating system matures, according to the president of a major Taiwanese computer maker.
 
Like many her age, 19-year-old Zhao Caixia left her hometown in the Chinese province of Gansu to see the world.A That world now revolves around a Samsung factory in the Chinese city of Tianjin, where she spends eight to 12 hours a day inspecting cameras before they're shipped out.
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
A labor rights group has accused Samsung of "illegal and inhumane violations" at its factories in China, reporting cases of excessive overtime and exhausting working conditions, with employees being made to stand for up to 12 hours for a single shift.
 
Service providers taking steps to solve expected mobile congestion problems at the Democratic National Convention this week are addressing issues that are likely to grow in many areas over the next few years.
 
WordPress BuddyPress 'page' Parameter SQL Injection Vulnerability
 
Coppermine Photo Gallery 'keywords' Field HTML Injection Vulnerability
 
Apple's iPhone share of U.S. smartphone subscribers bumped upward 2 percentage points from May through July, giving it 33.4% of the market, online tracking and analytics firm comScore said Tuesday.
 
HL7, a set of standards promoted by two global nonprofit organizations, will soon be available free of charge so more hospitals and physician practices will be able to use them to share patient information.
 
Bugzilla LDAP Injection and Information Disclosure Vulnerabilities
 
Google has released a new version of its Chrome browser for iOS devices that stamps out some bugs, including one that interfered with Yahoo Mail.
 
Two trade groups focused on fighting software piracy have signed a partnership agreement, with the goal of bringing more cases against people and businesses using unlicensed software.
 
A judge ordered Oracle to pay about $1 million to Google for costs related to the companies' lawsuit over the Android mobile OS. The ruling is only a partial victory for Google, which had originally sought about $4 million.
 
Intel has started shipping 21 new processors for laptops and desktops, including a new Core i7 chip with a base clock speed of 3GHz, a new high for the company's mobile processors based on the Ivy Bridge microarchitecture.
 
Claims that security awareness training doesn't work are unsubstantiated, explain software security experts Gary McGraw and Sammy Migues.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
 
Apple today announced a Sept. 12 event in San Francisco to unveil its newest iPhone.
 
The IT department should behave like every other department in the company and forthrightly explain what it is up to. Insider (registration required)
 
Hacker group AntiSec has published what it claims is about 1 million unique device identifier numbers for Apple devices that it said it accessed earlier this year from a computer belonging to an FBI agent.
 
Microsoft has taken its server OS a giant step forward with Tuesday's release of Windows Server 2012, making this version the first that can be controlled remotely so it is more suitable for data centers.
 
Ipswitch WhatsUp Gold 'sGroupList' Parameter SQL Injection Vulnerability
 
Group-Office Calendar SQL Injection
 
Secunia Research: Adobe Photoshop TIFF SGI24LogLum Decompression Buffer Overflow
 
Security Advisory AA-004: Directory Traversal Vulnerability in Sitecom Home Storage Center
 
Security Advisory AA-003: Directory Traversal Vulnerability in Conceptronic GrabnGo Network Storage
 
[slackware-security] slocate (SSA:2012-244-05)
 
Two years after it managed to place a browser-related app on the iOS App Store, Mozilla has reited Firefox Home and yanked it from Apple's market.
 
The Democratic Party embraced its version of Internet freedom and called for new cybersecurity legislation in its platform released as the party begins its convention in Charlotte.
 
Admidio 2.3.5 Multiple security vulnerabilities
 
We have come to expect quality phishing/fake email work these days. In a recent diary I showed how well one crew impersonated Verizon e-mails to spread malware. So I was a bit disappointed when I got this e-mail this morning:

(click on image to see it full size)
The e-mail has a number of obvious deficiencies. For example, the missing digits in the payment amount., and the fact that it is all lower case. But all wasn't lost. Looks like ACME Phishing was hard at work fixing the bugs, and the QA team shortly sent a second email (but to another account of mine):

Finally, a real e-mail from American Express. I blurred the amount and the last few digits of the account number. I also replaced the image of the card. But as you can see, the real e-mail is VERY CLOSE. Probably the most significant difference is that the last digits of the account number are missing at the fake. But I doubt many people look for this.

So what is the fake e-mail trying to do? Imagine that: It will get you malware... In my copies, the initial link goes tohxxp:// vserver94 . antagus . de
That page then includes three javascript files loaded from these domains:
atriumworkcomp.com, mlegion.com , watchdogwebdesign.com . The javascript file name is js.js.
The javascript will then redirect the user to one of these two IP addresses:
96.47.0.163, 108.178.59.26
both IP addresses yield heavily obfuscated javascript. The wepawet analysis can be found here:
http://wepawet.iseclab.org/view.php?hash=3c550bbf81ebfcd7979f2147fb69729ctype=js
It appears to be the usual what vulnerable plugin are you running today? javascript.

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Social engineering tactics often involve email attachments targeting various industry sectors, says the security firm.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
 
About five years ago Genomic Health began to introduce cloud-based business applications. Ken Stineman, senior director of enterprise architecture and security, quickly became aware of the security risks these apps posed.
 
By isolating apps and tasks to lightweight VMs, the Qubes operating system aims to offer advanced users a quick way to isolate the effects of malware. After three years of development, the Xen- and Linux-based system has reached version 1.0


 
[slackware-security] mozilla-thunderbird (SSA:2012-244-03)
 
[slackware-security] mozilla-firefox (SSA:2012-244-02)
 
[slackware-security] glibc (SSA:2012-244-01)
 
[ MDVSA-2012:149 ] fetchmail
 
On Wednesday, Nokia and Microsoft are once again taking the stage together to launch Nokia's second-generation Windows Phones.
 
The European Commission has no plans to force spectrum license holders to give free access to their frequencies.
 
Career maps are a win-win for companies and employees, giving everyone a bird's eye view of the IT employment landscape.
 
Oracle is appealing a US$306 million settlement in the TomorrowNow corporate-theft case against German competitor SAP, according to court documents.
 
A million unique iPhone and iPad identifiers have been released by AntiSec who claim they are part of a 12 million strong data set taken from an FBI agent's laptop


 
One in five Mac users has adopted OS X Mountain Lion, the upgrade launched five weeks ago, according to Web analytics company Net Applications.
 

Posted by InfoSec News on Sep 04

http://timesofindia.indiatimes.com/city/noida/Two-techies-arrested-for-hacking-cell-recharge-site/articleshow/16160044.cms

By Vandana Keelor
The Times of India
Sept 2, 2012

NOIDA: Two members of the hacker group, "Indishell", and its offshoots
were arrested on Saturday after an extensive investigation by the Gautam
Budh Nagar cyber crime cell. The accused, who did BTech in computer
science, were charged with hacking into an...
 

Posted by InfoSec News on Sep 04

http://news.cnet.com/8301-1009_3-57505330-83/antisec-claims-to-have-snatched-12m-apple-device-ids-from-fbi/

By Steven Musil
CNET News
Security & Privacy
September 3, 2012

An online hacker group associated with Anonymous claims to have posted 1
million Apple Unique Device Identifiers (UDIDs) by breaching FBI
security.

UDIDs are the unique string of numbers that individually identifies each
iOS device and formerly used by developers to...
 

Posted by InfoSec News on Sep 04

http://news.techworld.com/security/3379060/mystery-wiper-malware-linked-duqu-says-security-firm/

By John E Dunn
Techworld
03 September 2012

It appeared from nowhere last April, attacked computers in Iran and then
destroyed almost all evidence of its existence. But what was the
super-destructive malware now dubbed ‘Wiper’?

Evidence for the malware emerged in April after the Iranian Oil Ministry
announced that some of its installations...
 

Posted by InfoSec News on Sep 04

http://en.trend.az/regions/iran/2061538.html

4 September 2012

Azerbaijan, Baku, Sept. 4 /Trend S.Isayev, T. Jafarov/

Iranian cyber police will enlist the while-hat hackers to help fighting
the cyber criminals, Iran's cyber police chief Kamal Hadyanfar said,
ISNA reported.

Speaking to ISNA in an interview, Hadyanfar noted that many of the
hackers have expressed interest and willingness to cooperate with the
police.

Hadyanfar added...
 

Posted by InfoSec News on Sep 04

http://www.cio.com/article/715288/Manual_Examines_How_International_Law_Applies_to_Cyberwarfare

By Jeremy Kirk
IDG News Service
September 03, 2012

A cybersecurity think tank has published a manual studying how
international law applies to conflicts in cyberspace, where the laws of
conventional warfare are more difficult to apply.

The manual comes from experts working with the Cooperative Cyber Defense
Center of Excellence (CCDCOE), an...
 
Unknown attackers are sending emails claming to be from Google, warning users of suspicious activity in the mail recipient's Google Accounts


 

Clearwater Compliance Announces Its Gold Sponsorship of InfoSec 2012
PR Web (press release)
We are proud to sponsor InfoSec because it provides an opportunity for critical education, hands on exposure, and a forum for conversation and sharing about cyber security for such a large contingent of information security professionals. Quote end ...

and more »
 
VMware has shipped updates for open source components of its various server products, including refreshed Java, OpenSSL, Perl and Linux kernel


 

Clearwater Compliance Announces Its Gold Sponsorship of InfoSec 2012
DigitalJournal.com (press release)
Jointly presented by the Nashville Technology Council and the Middle Tennessee chapter of the Information Systems Security Association (ISSA), InfoSec brings technologists and information security professionals together for a full day of learning with ...

 
Internet Storm Center Infocon Status