Network Security Monitoring with Dualcomm DCSW-1005PT

For a while now I have been looking for a cost-effective solution to perform Network Security Monitoring (NSM) for small businesses. NSM basically means collecting, analyzing and escalating indications and warnings in order to detect advanced threats and intrusions.

One of the best ways to do this is to monitor traffic from a live line tap. A tap copies the traffic on a live link to a second port so it can be recorded and analyzed. High-end switches and routers usually provide this as a mirror (SPAN) port. You could also use an old repeater hub to get a copy of the signal. Herein lies the problem: high-end switches are usually very pricey and overkill for a small business, and hubs have become nearly impossible to find and are less efficient (they are half-duplex, so collisions eat into throughput). Two caveats apply to any mirror port: it merges both directions of a full-duplex link into a single output, so it can drop packets when the monitored link is busy in both directions, and an in-line switch takes the link down if it loses power, which is worth remembering for a USB-powered unit.

Dualcomm to the rescue! John from Dualcomm recently provided me with a Dualcomm DCSW-1005PT Mini 5-Port 10/100 LAN Switch/Sniffer for evaluation. The Dualcomm unit provides plug-and-play port mirroring with no configuration needed. You simply plug the incoming line into port 1 and the device you are monitoring into port 2, and a copy of the traffic between them appears on port 5. That's it; it really is that simple.

When I first opened the box, I was surprised to see how small the DCSW-1005PT is. It is about the size of a deck of playing cards (pen used in photo for size reference). Also, the device is USB powered, so all you need is an open USB port to power it.

To test the device, I used Wireshark to capture the traffic from the mirrored port and save it as pcap files. I then used NetWitness Investigator to analyze the saved pcap files for threats. For the tests, I wanted to monitor first the incoming line from my ISP to my firewall and second the traffic from the firewall to a specific workstation.
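As an added example (not part of the original post and not Dualcomm's or Wireshark's code), here is the kind of first pass an analyst can make over a saved pcap before loading it into a heavier tool: parse the libpcap container, pull out the IPv4/TCP headers, and flag any source whose SYNs to many distinct ports are never answered with a SYN-ACK, which is what a port scan looks like from the mirror port. The capture is constructed inline with a small packet builder so the script runs offline; the addresses, ports and the threshold of five unanswered ports are assumptions for illustration.

```python
"""Minimal NSM pass over a pcap: parse libpcap/Ethernet/IPv4/TCP and flag
one-sided SYN fan-out (a port-scan indicator) per source host.
Added example; the capture below is constructed, not taken from a mirror port."""
import struct
from collections import defaultdict

ETH_IPV4 = 0x0800
IP_TCP = 6
TCP_SYN, TCP_ACK = 0x02, 0x10


def _ipv4_tcp_frame(src, dst, sport, dport, flags):
    """Build an Ethernet/IPv4/TCP frame (checksums left zero; the parser does not verify them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IP_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETH_IPV4)
    return eth + ip + tcp


def build_pcap(frames):
    """Serialize frames into a little-endian libpcap file (link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f)  # ts_sec, ts_usec, incl, orig
    return b"".join(out)


def iter_tcp(pcap):
    """Yield (src, dst, sport, dport, flags) for every IPv4/TCP packet in a pcap blob."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        pkt = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 34 or struct.unpack("!H", pkt[12:14])[0] != ETH_IPV4:
            continue  # not IPv4 over Ethernet
        ihl = (pkt[14] & 0x0F) * 4
        if pkt[23] != IP_TCP or len(pkt) < 14 + ihl + 14:
            continue  # not TCP, or truncated before the flags byte
        src = ".".join(map(str, pkt[26:30]))
        dst = ".".join(map(str, pkt[30:34]))
        t = 14 + ihl
        sport, dport = struct.unpack("!HH", pkt[t:t + 4])
        yield src, dst, sport, dport, pkt[t + 13]


def syn_fanout(pcap, threshold=5):
    """Return {src: sorted ports} for sources with >= threshold distinct destination
    ports whose SYN was never answered by a SYN-ACK in the same capture."""
    syns = defaultdict(set)      # initiator -> {(target, port)}
    answered = defaultdict(set)  # initiator -> {(target, port)} seen in a SYN-ACK back
    for src, dst, sport, dport, flags in iter_tcp(pcap):
        if flags & TCP_SYN and not flags & TCP_ACK:
            syns[src].add((dst, dport))
        elif flags & TCP_SYN and flags & TCP_ACK:
            answered[dst].add((src, sport))
    alerts = {}
    for src, targets in syns.items():
        unanswered = targets - answered.get(src, set())
        ports = sorted({p for _, p in unanswered})
        if len(ports) >= threshold:
            alerts[src] = ports
    return alerts


# Constructed sample traffic: one workstation completing a normal HTTP handshake,
# and one outside host probing six ports on the firewall without any reply.
SAMPLE_PCAP = build_pcap([
    _ipv4_tcp_frame("10.0.0.5", "93.184.216.34", 51000, 80, TCP_SYN),
    _ipv4_tcp_frame("93.184.216.34", "10.0.0.5", 80, 51000, TCP_SYN | TCP_ACK),
    _ipv4_tcp_frame("10.0.0.5", "93.184.216.34", 51000, 80, TCP_ACK),
] + [_ipv4_tcp_frame("198.51.100.7", "10.0.0.1", 40000 + p, p, TCP_SYN)
     for p in (21, 22, 23, 25, 80, 443)])

if __name__ == "__main__":
    for host, ports in syn_fanout(SAMPLE_PCAP).items():
        print(f"possible port scan from {host}: unanswered SYNs to ports {ports}")
```

To run it against a real capture, replace `SAMPLE_PCAP` with the bytes of a file saved by Wireshark in classic pcap format (File > Save As, pcap rather than pcapng); the parser deliberately refuses pcapng so a silent empty result cannot be mistaken for a clean capture.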

In both tests, placing the Dualcomm in line with the data to be monitored was quick and painless. The unit functioned flawlessly and data acquisition was very rapid.

Although I did not test it, according to the manual the device also passes Power over Ethernet (PoE). It can expand a PoE uplink port into four downstream ports, and combined with the port mirroring feature it can be used to record IP phone calls to a monitoring PC.

The size and price point of the DCSW-1005PT make it a very attractive solution for NSM or any other task that requires a mirrored port. I am very satisfied with the Dualcomm unit and highly recommend it.

Wikileaks Releases Documents. Again…

Again Wikileaks proves they are on a mission to destroy the United States. Wikileaks released thousands of sensitive US documents today through proxies. The main Wikileaks site was under a massive denial of service attack (any guesses here?), but that did not stop the release.

Several large news agencies already had copies of the information and released it today. The New York Times in the US, the Guardian in the UK, and three European news agencies went ahead and released portions of the leaked information.

Much of the information released was a no-brainer. It is not earth-shattering news that we spy on our allies and they spy on us. This has been going on for years. Ambassadors are trained in espionage; it is standard operating procedure (SOP).

What wasn’t SOP, though, is that a great deal of private correspondence never meant for public release was revealed. But that is probably why it was marked “Classified” or “Secret” in the first place…

Some of it was just political name calling:

“The cables contain specific allegations of corruption, as well as harsh criticism by US embassy staff of their host governments, from Caribbean islands to China and Russia. The material includes a reference to Putin as an “alpha-dog”, Hamid Karzai as being “driven by paranoia” while Angela Merkel allegedly “avoids risk and is rarely creative”. There is also a comparison between Mahmoud Ahmadinejad and Adolf Hitler.” – The Guardian

But some of the information covered was much more serious:  

“Mixed records against terrorism: Saudi donors remain the chief financiers of Sunni militant groups like Al Qaeda, and the tiny Persian Gulf state of Qatar, a generous host to the American military for years, was the “worst in the region” in counterterrorism efforts, according to a State Department cable last December. Qatar’s security service was “hesitant to act against known terrorists out of concern for appearing to be aligned with the U.S. and provoking reprisals,” the cable said.”  – New York Times

The release also included claims that the Chinese Politburo was behind the hacking of Google, that the US is very concerned about Pakistan and its handling of nuclear material, and that Saudi Arabia is pushing for the US to bomb Iran.

The information in this release again seemed to focus solely on the US, even though Wikileaks’ founder had claimed that their next release would focus on Russian and Chinese documents.

Wikileaks seems to be on a personal vendetta against the US and needs to be shut down, now.

Stuxnet a Sign of New Cyber Special-Operations Warfare?

Stuxnet has been called the first true cyber war weapon and the most advanced piece of malware ever created. As time goes by, additional information on Stuxnet is leaking out. A Fox News article released yesterday contained a lot of new and interesting details. Here is a summary of the information presented:

Complexity: Stuxnet attacked and penetrated a secure underground facility that was air-gapped, with no external network connections. The worm was specifically written to spread from machine to machine and network to network until it found its target.

The command and control process of Stuxnet was also highly advanced, and its infrastructure was designed to disappear once the target was penetrated.

“…During this time the worms reported back to two servers that had to be run by intelligence agencies, one in Denmark and one in Malaysia. The servers monitored the worms and were shut down once the worm had infiltrated Natanz. Efforts to find those servers since then have yielded no results.”

Target: Once Stuxnet reached the Natanz network, it went to work on its main target, the frequency converters that drive the centrifuges.

“The worm then took control of the speed at which the centrifuges spun, making them turn so fast in a quick burst that they would be damaged but not destroyed. And at the same time, the worm masked that change in speed from being discovered at the centrifuges’ control panel.”

The centrifuges were not the only target; the worm also attacked the Russian-built steam turbine at the Bushehr plant.

Result: A physical attack against the nuclear plants this late in the game could have released a lot of radiation. According to the report, Stuxnet was created not to destroy the nuclear facilities but to disable their ability to function. This it has done in spades.

An estimated 30,000 Iranian systems were infected by the worm. Of Iran’s 9000 centrifuges, it is estimated that only 3700 are now in use.

It is believed that it will take another year to clean up the effects of Stuxnet from the nuclear plant systems.

Also, Stuxnet has had a strong psychological warfare effect at the plants. Iranian intelligence officers have clamped down on the facilities, interrogating and monitoring many staff. Iranian scientists and engineers have been jailed, executed, or have simply disappeared.

This was obviously a coordinated attack against Iran. One of the big clues that Iran was the main target lies in the way the centrifuge frequency converters were attacked: very specific commands for those converters had to be known in advance. Iran used two sources for the converters, a Finnish company and an Iranian company. According to the article, no one knew about the Iranian source, not even the IAEA.

We are seeing in Stuxnet a new era of special operations. An advanced cyber warfare unit and an intelligence agency teamed up to form a very effective force, working closely with civilian SCADA and nuclear plant experts to try to create the first true cyber weapon. Could this be the beginning of cyber spec-op warfare?