Friday, July 09, 2010
The CISSP Study Guide has been sent to the printer!!!
The final PDFs for the Syngress CISSP Study Guide were completed today, and sent to the printer!! It's due out next month. You can pre-order on Amazon.
Monday, May 24, 2010
Security 560 in Brisbane, Australia
I'm in Brisbane, Australia teaching Security 560: Network Penetration Testing and Ethical Hacking this week. Having an awesome time so far. It will take me a while to get used to saying "D M Zed."
Here's a link to my talk tonight: Look Out! Open Source Extrusion Detection
Monday, March 22, 2010
CISSP Study Guide due out August 6th
Just a quick note to say The CISSP Study Guide is due out from Syngress on August 6th. You can pre-order on Amazon. The Eleventh Hour CISSP is due out on August 29th.
Monday, February 22, 2010
SANS Security 564: Hacker Detection for System Administrators comes to Portland
My friend Troy Jordan is mentoring Security 564: Hacker Detection for System Administrators at University of Southern Maine (USM) in Portland, ME.
As far as I know, this is only the second time SANS has come to Portland Maine: the first was SANS Portland 2007, where I taught Security 504: Hacker Techniques.
Security 564 is written by the awesome John Strand. And he gets bonus points for using the old-school phrase "Wily Hacker." My infosec career began by detecting the wily hacker, except I didn't bust East German hackers on the KGB payroll.
Portland-area infosec folks should check out Troy's class; I plan to drop by.
Monday, January 04, 2010
Happy 2010!!
SANS is jump starting 2010 by offering 25% off my next CISSP MGT 414 vLive class:
http://www.sans.org/vlive/details.php?nid=20663
Use promo code "IN414"; combined with the early registration discount, that is a savings of $1,173.75. The code is good for this week only.
Wednesday, November 18, 2009
Identifying Counterfeit Cisco Equipment
Waking Sleeping Dogs: Information Security Ethics, a paper I wrote for my SANS Technology Institute masters degree, has generated a lot of great comments and questions.
Many folks are asking how to identify counterfeit Cisco gear that may be in their environment. Continue reading for how we did it.
Our biggest counterfeit problem was with SFPs and GBICs. Our investigation showed we received them from a number of sources (all Cisco registered resellers), including a Cisco Gold partner.
We initially detected them due to shoddy packaging: labels that smear, cheap boxes, etc. The Cisco logo used was several generations old. Cisco is usually diligent on labeling: the serial number on the device matches the number on the bag (or box).
The counterfeit gear had a label/serial number on the device, but no serial number on the bag or box.
Once we investigated, there was a clear pattern on the counterfeit gear, regarding bogus serial numbers.
A legit SFP looks like this:
DECKARD-C3750-1#show idprom interface gigabitEthernet 1/0/1
General SFP Information
------------------------------
Identifier : 0x03
Connector : 0x07
Transceiver : 0x00 0x00 0x00 0x01 0x20 0x40 0x0C 0x01
Encoding : 0x01
BR_Nominal : 0x0C
Vendor Name : CISCO-FINISAR
Vendor Part Number : FTRJ-8519-7D-CSC
Vendor Revision : 0x00 0x00 0x00 0x00
Vendor Serial Number : FNS0827A12H
The key is the serial number (FNS0827A12H above), which is in the standard Cisco format for SFPs: 3 letters, followed by 4 numbers, followed by 4 letters/numbers. The first 3 letters identify the factory, the next 4 numbers are a date code, and the last 4 letters/numbers are a unique ID.
Here's a counterfeit SFP:
BATTY-C3750-1#show idprom interface gigabitEthernet 1/0/1
General SFP Information
------------------------------
Identifier : 0x03
Connector : 0x07
Transceiver : 0x00 0x00 0x00 0x01 0x20 0x40 0x0C 0x00
Encoding : 0x01
BR_Nominal : 0x0C
Vendor Name : CISCO-FINISAR
Vendor Part Number : FTRJ-8519-7D-CSC
Vendor Revision : 0x20 0x20 0x20 0x20
Vendor Serial Number : H11F797
Note that the serial number 'H11F797' is not in the standard (longer) format. This is very typical, and it is how we identified hundreds of bogus SFPs that were in production. The initial letter varies (we saw some begin with H, and others with P).
Also, in retrospect, we realized the counterfeit devices had a far higher failure rate than real Cisco parts. We shipped the questionable SFPs to Cisco Brand Protection Labs, and they verified all were counterfeit.
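The serial-number check described above, written up as an added example (not code from the original post): it parses "show idprom" output, pulls the Vendor Serial Number, and flags anything that does not match the 3-letter / 4-digit / 4-character format. The two samples are taken from the outputs shown in this post; the field names are assumed to appear exactly as IOS prints them there.

```python
import re

# Standard Cisco SFP serial format per the post: 3 letters (factory),
# 4 digits (date code), 4 letters/digits (unique ID), e.g. FNS0827A12H.
SERIAL_RE = re.compile(r"^(?P<factory>[A-Z]{3})(?P<datecode>\d{4})(?P<uid>[A-Z0-9]{4})$")
# "Key : value" lines as printed by 'show idprom interface ...'
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z_ ]+?)\s*:\s*(?P<val>.+?)\s*$")


def parse_idprom(text):
    """Turn 'show idprom' output into a dict of field name -> value."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("val")
    return fields


def check_serial(serial):
    """Return (is_standard_format, details) for one vendor serial number."""
    serial = serial.strip().upper()
    m = SERIAL_RE.match(serial)
    if not m:
        reason = "serial missing" if not serial else "not in 3-letter/4-digit/4-char Cisco format"
        return False, {"serial": serial, "reason": reason}
    return True, {"serial": serial, **m.groupdict()}


def check_idprom(text):
    """Audit one transceiver's idprom dump; 'SUSPECT' means the serial is non-standard."""
    fields = parse_idprom(text)
    ok, details = check_serial(fields.get("Vendor Serial Number", ""))
    details["vendor"] = fields.get("Vendor Name", "")
    details["part"] = fields.get("Vendor Part Number", "")
    details["verdict"] = "standard serial format" if ok else "SUSPECT"
    return details


# Constructed samples, abridged from the two outputs shown in the post.
LEGIT_SAMPLE = """DECKARD-C3750-1#show idprom interface gigabitEthernet 1/0/1
Vendor Name : CISCO-FINISAR
Vendor Part Number : FTRJ-8519-7D-CSC
Vendor Serial Number : FNS0827A12H
"""
COUNTERFEIT_SAMPLE = """BATTY-C3750-1#show idprom interface gigabitEthernet 1/0/1
Vendor Name : CISCO-FINISAR
Vendor Part Number : FTRJ-8519-7D-CSC
Vendor Serial Number : H11F797
"""

if __name__ == "__main__":
    for sample in (LEGIT_SAMPLE, COUNTERFEIT_SAMPLE):
        print(check_idprom(sample))
```

Run it against the idprom dump of every optic port to get a quick inventory of non-standard serials worth pulling for inspection.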
Here's a photo of an SFP that appears to be counterfeit:

Note the serial number. This photo was taken from a reseller located in Asia. This SFP is priced at $20 on that site (a real SFP from a legitimate Cisco reseller lists for hundreds). That seller has plenty of other "Cisco" equipment for sale at equally impressive discounts compared to legit gear:
- CISCO GBIC&SFP
- CISCO MODULE
- WIC CARD
- NETWORK MODULE(NM)
- VWIC CARD
- VIC CARD
- 1700 SERIES
- 1800 SERIES
- 2800 SERIES
- 2950 SERIES
- 2970 SERIES
- 3560 SERIES
We got ours for 50% off Cisco list. These parts listed for $500 at the time (they are less now), so we paid a "bargain" price of $250 for a $20 knockoff.
Tuesday, November 17, 2009
SANS ISC Webhoneypot project
The SANS Internet Storm Center Webhoneypot project is now live.
I wrote the back-end Perl scripts and the regex classification system used by the Webhoneypot as part of my SANS Technology Institute Master of Science degree in Information Security Engineering.