Wednesday, November 18, 2009

Identifying Counterfeit Cisco Equipment

Waking Sleeping Dogs: Information Security Ethics, a paper I wrote for my SANS Technology Institute master's degree, has generated a lot of great comments and questions.

Many folks are asking how to identify counterfeit Cisco gear that may be in their environment. Continue reading for how we did it.

Our biggest counterfeit problem was with SFPs and GBICs. Our investigation showed we received them from a number of sources (all Cisco registered resellers), including a Cisco Gold partner.

We initially detected them due to shoddy packaging: labels that smear, cheap boxes, etc. The Cisco logo used was several generations old. Cisco is usually diligent on labeling: the serial number on the device matches the number on the bag (or box).

The counterfeit gear had a label/serial number on the device, but no serial number on the bag or box.

Once we investigated, a clear pattern of bogus serial numbers emerged on the counterfeit gear.

A legit SFP looks like this:

DECKARD-C3750-1#show idprom interface gigabitEthernet 1/0/1

General SFP Information
Identifier : 0x03
Connector : 0x07
Transceiver : 0x00 0x00 0x00 0x01 0x20 0x40 0x0C 0x01
Encoding : 0x01
BR_Nominal : 0x0C
Vendor Part Number : FTRJ-8519-7D-CSC
Vendor Revision : 0x00 0x00 0x00 0x00
Vendor Serial Number : FNS0827A12H

The key is the serial number (bolded), which is in the standard Cisco format for SFPs: 3 letters, followed by 4 numbers, followed by 4 letters/numbers. The 1st 3 letters are the factory, the next 4 numbers are a date code, and the last 4 letters/numbers are a unique ID.

Here's a counterfeit SFP:

BATTY-C3750-1#show idprom interface gigabitEthernet 1/0/1

General SFP Information
Identifier : 0x03
Connector : 0x07
Transceiver : 0x00 0x00 0x00 0x01 0x20 0x40 0x0C 0x00
Encoding : 0x01
BR_Nominal : 0x0C
Vendor Part Number : FTRJ-8519-7D-CSC
Vendor Revision : 0x20 0x20 0x20 0x20
Vendor Serial Number : H11F797

Note the serial number 'H11F797' is not in the standard (longer) format. This is very typical, and how we identified hundreds of bogus SFPs that were in production. The initial letter changes (we saw some begin with H, and P).
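The serial-number check described above can be run over saved `show idprom` captures. This is an added example, not a script from the original investigation; the regexes for the prompt and field lines are assumptions based on the output shown in this post, and the host LAB-C3750-1 with serial P22A104 is constructed sample data.

```python
import re

# Format described in the post: 3 letters (factory), 4 digits (date code),
# 4 letters/digits (unique ID).
SERIAL_RE = re.compile(r"[A-Z]{3}\d{4}[A-Z0-9]{4}")
# Assumed capture layout: "<hostname>#show idprom interface <interface>"
PROMPT_RE = re.compile(r"^(\S+)#\s*show idprom interface (.+?)\s*$")
FIELD_RE = re.compile(r"^\s*Vendor Serial Number\s*:\s*(\S*)\s*$")

def parse_idprom(text):
    """Return (host, interface, serial) for every serial field in a capture."""
    records, host, iface = [], None, None
    for line in text.splitlines():
        m = PROMPT_RE.match(line)
        if m:
            host, iface = m.group(1), m.group(2)
            continue
        m = FIELD_RE.match(line)
        if m:
            records.append((host, iface, m.group(1).upper()))
    return records

def suspect_sfps(text):
    """Return records whose serial is not in the 3+4+4 format (empty included)."""
    return [r for r in parse_idprom(text) if not SERIAL_RE.fullmatch(r[2])]

# First two entries are from this post; the third is constructed.
SAMPLE = """\
DECKARD-C3750-1#show idprom interface gigabitEthernet 1/0/1
Vendor Part Number : FTRJ-8519-7D-CSC
Vendor Serial Number : FNS0827A12H
BATTY-C3750-1#show idprom interface gigabitEthernet 1/0/1
Vendor Part Number : FTRJ-8519-7D-CSC
Vendor Serial Number : H11F797
LAB-C3750-1#show idprom interface gigabitEthernet 1/0/2
Vendor Serial Number : P22A104
"""

if __name__ == "__main__":
    for host, iface, serial in suspect_sfps(SAMPLE):
        print(f"{host} {iface}: suspect serial {serial!r}")
```

A serial that fails the format check is a lead for physical inspection and vendor verification, not proof by itself.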

Also, in retrospect, we realized the counterfeit devices had a far higher failure rate than real Cisco. We shipped the questionable SFPs to Cisco Brand Protection Labs, and they verified all were counterfeit.

Here's a photo of an SFP that appears to be counterfeit:

Note the serial number. This photo was taken from a reseller located in Asia. This SFP is priced for $20 on that site (a real SFP from a legitimate Cisco reseller lists for hundreds). That seller has plenty of other "Cisco" equipment for sale at equally impressive discounts compared to legit gear:
  • 1700 SERIES
  • 1800 SERIES
  • 2800 SERIES
  • 2950 SERIES
  • 2970 SERIES
  • 3560 SERIES
All of this stuff ends up in secondary channels like eBay. Some Cisco certified resellers get greedy, buy the counterfeit stuff for pennies on the dollar, and then resell it at a 'great discount.' All of this violates their Cisco reseller agreement, but greed seems to win the day.

We got ours for 50% off Cisco list. These parts listed for $500 then (they are less now). We got a bargain price of $250: for a $20 knockoff.

Tuesday, November 17, 2009

SANS ISC Webhoneypot project

The SANS Internet Storm Center Webhoneypot project is now live.

I wrote the back-end Perl scripts and regex classification system used by the Webhoneypot as part of my SANS Technical Institute Master of Science Degree in Information Security Engineering.

Tuesday, August 04, 2009

Xfiltr8 Extrusion Detection Live CD

Greetings from SANS Boston 2009.

I just posted the 1st public alpha version of the Xfiltr8 live CD to sourceforge:

Xfiltr8 is an open source Ubuntu-based live CD dedicated to networked extrusion detection.

Friday, June 26, 2009

The National Cryptologic Museum

I finally got a chance to visit the National Cryptologic Museum yesterday, on the way back to BWI to fly home after SANSFIRE and a few days' family vacation (including 2 Red Sox games at Nationals Park).

The museum was a real treat, far exceeding my expectations. They had all the classic crypto gear, including a set of Jefferson Disks, an original Confederate cipher disk, multiple Japanese Red, Jade, and Purple machines/analogues, American Sigaba, an original Hebern Machine and multiple Enigma Machines. I really enjoyed the VENONA exhibit.

A really nice touch was the 2 fully-functional Enigma Machines, freed of their cases, with pencil and paper next to each, with instructions on how to encode and decode a message.

With the wheels set to '414' (in honor of SANS Management 414), 'CISSP' encodes to 'DCNXK'. As you click each typewriter key, the wheels turn, and the ciphertext letter illuminates. To decode, turn the wheels back to '414', type 'DCNXK', and 'CISSP' illuminates.

I was also impressed with how kid-friendly the museum was. The kids were handed the pictured cipher disk, and a 'Cryptokids Challenge' score sheet, which included 14 numbered stations. As the kids reached each station, they were presented with a cipher disk setting, and ciphertext to convert back into plaintext. They both successfully decoded all 14 ciphertexts, and were presented with prizes for their handiwork.

The kids had a blast, and both declared the Cryptologic Museum 'the best museum in the DC area, tied with the Smithsonian National Air and Space Museum.' High praise from my young cryptanalysts!!

Friday, April 17, 2009

Visualizing Network Attacks

Greetings from friendly Calgary, Canada.

As promised, here is the link to my Visualizing Network Attacks paper.

The scripts, etc. are here.

Sunday, March 29, 2009

Waking Sleeping Dogs: Information Security Ethics

My paper on ethics has been posted: Waking Sleeping Dogs: Information Security Ethics. I wrote it for Management 421, as part of my MSISE program at the SANS Technical Institute.

It's a true story.

Wednesday, March 25, 2009

SANS Management 512 in Taunton, MA

My good friend Thom Daley is leading Management 512: SANS Security Leadership Essentials as a Mentor-led session.

My SANS teaching career began as a SANS Mentor, and it was a fantastic experience. Spending 10 weeks in a peer-led format works very well. The age-old advice of 'network, network, network' is true, and the mentor format makes that easy.

Thom is a deeply talented professional with loads of hands-on experience.

Saturday, March 21, 2009


The Internet Storm Center posted a Conficker update, mentioning that the folks at SRI International updated their excellent analysis of the Conficker.C worm.

This worm is highly advanced, and its peer-to-peer update capability allows it to operate in networks where botnets do not typically thrive. Conficker-infected hosts will attempt to download new functionality April 1st.

Friday, March 06, 2009

Blogging from SANS 2009 Orlando

I'm hitting day 5 of MGT 414 at SANS 2009 Orlando.

Jason Andress, a student of mine, wrote a great paper on IPv6, a topic we discussed during telecom.