As the idea of using false fronts on bank card insertion slots to scan the magentic stripes on bank cards has become well known, banks have put in protections against this scheme and begun to thwart criminals.  However, some clever criminals in Russia and Ukraine have devised a new type of attack where they insert a specially formatted bank card which tells the ATM machine to print out a list of all bank cards used during the day along with the cards’ PIN numbers and expiration dates.  This information is then used to create “clone” bank cards and clean out the bank accounts of unsuspecting customers.

Even more shocking is that the criminals’ special bank card can also be used to eject a cash storage cassette from the front of some older model ATM machines.

How do they accomlish this?  It was discovered that the crooks had used a malware program disguised as the lsass.exe file on the Windows operating system of the ATM machines to create a back door which can be triggered with the special bank cards.  You might wonder how the criminals could get the malware onto the ATM machine’s Windows OS in the first place.  According to the security analysts hired by the banks, it looks like the crooks had some inside help from bank or ATM employees bribed or coerced by the criminals.

As bad as all this sounds, the real pants-around-the-ankles fact here is that the ATM machines actually store the customers’ bank card numbers, PINs, and expiration dates without any encryption.  What were they thinking?  I hope that the rest of the banks and ATM manufacturers from around the world are taking note of the situation in Russia and Ukraine.  They need to update their ATM infrastructure immediately to protect against such abuses.  Of course, in my opinion, it’s extreme negligence to not have encrypted any crucial bank card data in the first place.  An ATM machine might be very physically secure against the outside world, but we know that the majority of security breaches in business come from employees, not 15 year old kids in their parents’ basement.

By now you’ve either seen them or read about them. Companies are selling all kinds of useful appliances based on embedded Linux. Some are for small tasks like wireless APs, mobile devices, or cell phones. Others are geared towards enterprise needs like load balancers, routers, and NAS (network attached storage) and SANs (storage attached network). They all run some version of Linux or BSD. You know you have a couple of Linux geeks working for you in the IT department. Why aren’t they coming up with some of these cool Linux appliances for your own company to use? The excellent Debian Router project by Vadim Berkgaut is the help that your Linux admins need to develop their very own Linux appliances.

At my company, q!Bang Solutions, we provide all types of IT solutions, but our strong suit is our solutions built upon Open Source software. Our employees have used the Debian Router Project (which we refer to as “DebRouter”) to build numerous solutions, including firewalls, OSPF and BGP routers, DNS servers, and even VoIP servers. DebRouter is a cornerstone of our technology solutions.

What’s great about DebRouter is that you get a fully functional Debian Linux installation. So you can add whatever software packages you want to extend the functionality of the DebRouter. This is implemented through the usual Debian package management utilities, which means that you can change a DebRouter’s functionality on the fly and in the field after it’s been deployed.

Another important feature of DebRouter is that it boots from a flash device like a compact flash card (via an IDE adapter) or a USB flash drive. So if there are any problems with changes you’ve made, a reboot takes you back to the previous known-good version of your running system. Does this mean that you lose changes you’ve made when power to the DebRouter goes out? No. DebRouter implements a “write to flash” function much like a hardware router or manageable switch. So you can install and configure new packages, test them out, and write your changes to the flash-based boot media if everything went well in testing. If your tests revealed there was a problem, then just reboot without writing the changes to flash and you will roll back to the same state of the filesystem that you had before your changes. This makes it extremely easy to test potentially unstable software and configuration changes. If things don’t work, just reboot, and voila! Your working system is back within seconds.

This also means that the machines are harder for crackers to abuse if they succeed in infiltrating the DebRouter. If you discover that your DebRouter has been compromised, you can reboot and be rid of the cracker. Then you check for security updates from Debian, install them, write your changes, and you’re back up and running. I can tell you from experience that eradicating a cracker’s presence from a normal machine with hard drives whose data persists across reboots is not this easy!

The boot process of the DebRouter provides another nice benefit. DebRouter boots from flash media, creates a RAM disk, copies the flash media’s filesystem to the RAM disk and then unmounts the flash media filesystem and runs from the RAM disk. RAM is fast – lot faster than any hard drive. So now your filesystem I/O speed is absurdly fast. So if you install the Apache web server and put up some HTML and image files, you now have one of the fastest web servers available – without the hassle of a special configuration to load your pages into a ramdisk. It can also run web scripts (such as PHP, Perl, Python, Ruby, etc.) as fast as your normal hard drive based servers do.

What can you build with a DebRouter? Here are a few ideas to get you started:

• Add the Quagga routing software package to make an OSPF/RIP/BGP router
• Install the Apache web server with Perl/PHP/Python/etc scripting environments
• Use the Asterisk software for a cheap VoIP server for a remote office
• NAT/Firewall
• Web content filtering via the Squid proxy package
• Make a captive portal system for wireless networks in cafes or other public access areas
• DNS server using the venerable and always popular BIND software
• Create a network sniffer with the tcpdump utility which writes data to a remote NAS or other storage device
• Combined with a NAS (Network Attached Storage) or an NFS server, a DebRouter can do most anything.

Since most enterprises will try to install all machines in racks, I checked a couple of online vendors to see how much it would cost to build a good 1RU DebRouter machine. I found that a 1RU machine far above the minimum specs can be had for $500, including shipping. This includes a 1RU case, motherboard with all essential functionality on board, a P4 2.8GHz CPU, 1GB ram, and a 512MB CF card and IDE-based CF reader.

So how about a $500 router that can do RIP/OSPF/BGP? Consider both the business and technology reasons that your company might want to use a DebRouter instead of a router from Cisco or one of the other routing big boys. The business side is easy. The hardware is cheap, even for a system with generous amounts of RAM and CPU. For the price of a typical router support contract, you can buy a couple of extra DebRouters to have sitting around as spares ready to jump into action if you have a hardware failure on your primary DebRouter. Subsequent years of support contracts you don’t need to buy equal money that remains in your coffers helping to fatten up your Christmas bonus next year. Of course, let’s not forget that most router vendors charge extra for the advanced software like OSPF or BGP routing, or encryption software so that you can use the more secure SSH instead of the gaping security hole called Telnet to remotely connect to your router. DebRouter has all that (and so much more) for free!

On the technology side, with the screaming fast processors available today, a DebRouter can pretty well hold its own against most of the major router vendors’ offerings. And it’s the versatility of the DebRouter that will likely interest your techies. Did I mention that Linux does 802.1q VLANs? How about an OSPF router that does double duty as a slave DNS server? Or perhaps an edge router that also acts as a VPN concentrator with strong encryption for hundreds of tunnels?

So walk on down to IT and find those two Linux guys tucked away in their cubicles and let them loose on a Debian Router project. They should be glad to have an interesting project to work on instead of trying to recover emails that Marge from Accounting accidentally deleted the other day, and you just might get some nifty devices from them that save you some cash on your bottom line. Your Linux admins are welcome to reach out to me if they need some help or just want to share their ideas on a new use for a Debian Router.

In the future, I’ll touch on embedded Linux in extremely cheap devices that are excellent for smaller tasks.
[My q!Bang Solutions co-owner Josh Kuo beat me to the punch. Read his article "Beef Up Your Wireless Router".]

High Mobley
Co-Owner of q!Bang Solutions

It is often cited that the biggest issue in the fight against worms and viruses and other such malware is uneducated users. If a person doesn’t understand why it’s a bad thing to open email attachments from people that he doesn’t know, then you can bet that he will open every attachment which comes to him. Several email clients (not just MS Outlook!) will happily open and execute any Visual Basic or batch file that a user clicks on. Then wham! – You’ve got an infected machine that’s probably already calling home to the nasty individual who wrote the malware and now “owns” the user’s computer – which you as the IT department have to go and fix…

Of course the various network security and bug tracking sites are great about announcing the security flaws and exploits that are found, but arguably their audience is only people who are already pretty savvy about security issues. So I was pleased to see an article written more for public consumption at howstuffworks.com today, entitled “What’s the problem with Microsoft Word?”. The author, Julia Layton, does an excellent job of explaining some computer security jargon and bringing the layman up to speed with the MS Word zero-day flaws which were recently announced. I hope that this is a sign of a new trend of educating the end user in a comprehensible language.

When I was a full time sysadmin and helpdesk tech responsible for a few hundred users and 50 servers, I struggled to explain the same topics to the many end users individually. So instead, I sent out ocassional messages via email with some helpful tip on how to use their computer or a link to a web article that contained some useful information on a subject that I knew would tweak their interest. So I always had these sorts of articles bookmarked to send out to my users. They appreciated that I was trying to educate them and I appreciated that I had fewer infected machines to reformat and reinstall.

High Mobley
Co-Owner of q!Bang Solutions

• Crafted TCP Packet Can Cause Denial of Service
• Crafted IP Option Vulnerability
• IPv6 Routing Header Vulnerability

Usually these security notifications are released to large customers before the general public, so large customers have time to update or protect their equipment. However, it’s the smaller networks that are at the greatest risk. Many don’t have Cisco support contracts (or can’t afford them), or don’t have an individual on staff to upgrade their equipment.

When will the first exploit code be released? Will anybody admit to being compromised by the exploit? How will a common user realize they have a problem? The small business customers who think owning Cisco is the way to go need to address the total cost of keeping those systems up to date. Many times a customer won’t upgrade a core router or switch because they don’t know how or don’t know they have a problem. How many service providers will contact their customers warning them about these flaws? Most small businesses don’t have a clue if they are vulnerable or not. How does Cisco fix this issue? What means does a small company have to keep all their systems up to date? Most end users barely can keep up with Windows, virus, adware and spyware updates little alone keeping up with all their network equipment. How many people have updated the software on your home router?

I believe the next great worm will be targeted towards networking equipment. How about taking over all the Linksys routers/access points and making them spam bots or open relays? What about using a Cisco vulnerability to create tunnels to specific locations to monitor all traffic through a router. More to come …

]]> http://blog.qbangsolutions.com/cisco-owners-be-very-afraid/feed/ 0