Mobile Banking Security and Risk Assessment Considerations

Aug 05, 2008 in Banking and EFTPoS, Security

When considering mobile banking and the associated risk, the assessment approach depends greatly on the solution being created or provided.
Generally the approach is layered, supporting and surrounding the technologies and techniques used.

Here are some things to consider.

Risk assessments generally focus on two main things.

1/ Sensitivity of the data
What is being sent? e.g. card numbers, account balance, home address, account number, etc.
Data may not be sensitive to the organisation, but may be considered sensitive by the client.

2/ Opportunity to intercept the data
What medium is being used?
Is it easy to intercept?
What encryption is being used?
Are all paths secure (client and back end)?
Is there a 3rd party involved in the switching of the transactions?

Things to consider:

  • Password resets sent via SMS to the client should not be used as the only method of accessing accounts. An additional client-specific (possibly static) password/phrase should be used in addition to a dynamically generated one. SMS can be sniffed (depending on mode and location).
  • If WAP is used, are all devices capable of encryption? If devices are not capable of encryption, do we deny access to these devices? If client-side software is used (Windows CE, etc.), ensure it cannot be compromised by Trojans and other techniques.
  • Has the organisation considered client-side certificates to verify the device prior to transactions being accepted? Consider multiple device and user authentication methods (very solution dependent).
  • Most mobile POS terminals encrypt the number the client enters, but do not encrypt everything within the transaction. If the medium is compromised, consider whether the encryption can be cracked and whether the unencrypted data is sensitive. Consider additional encryption, i.e. whole-of-message encryption (e.g. SSL) or a terminal that utilises Derived Unique Key Per Transaction (DUKPT).
  • Many applications have been affected by typical hacks such as session hijacking, SQL injection, non-random session keys (client side and server side), etc. These typical hacks should be considered in your Secure SDLC and QA processes once you are aware of the technology used and/or deployed.
  • PBX systems and cabling distribution frames can have devices connected to them to collect transactions. Wireless devices are now being connected to these systems, with the attacker sitting in their car in the car park outside. This is often done in supermarkets.
  • Wireless transaction gateways, if not encrypted, are easily collected by anyone within wireless range. 802.11 and other wireless/infra-red mediums are being used (assess the technology and medium being used).
  • Has the organisation considered dynamic keys for mobile users? There are some very low-cost SecurID solutions available today, but customers need to have these devices on them when they want to do a transaction.

Cisco Command Cheat Sheet

Jul 04, 2008 in Infrastructure

I found a list of useful commands which I thought I would post here. When I get a chance I will continue to expand the list and broaden the command set.

Thanks to the fastget2you.com Joined With #missomhack Community for the original list.

ROUTER COMMANDS :

  • Config# terminal editing - allows for enhanced editing commands
  • Config# terminal monitor - shows output on session
  • Config# terminal ip netmask-format hexadecimal|bit-count|decimal - changes the format of subnet masks

HOST NAME:

  • Config# hostname ROUTER_NAME

BANNER:

  • Config# banner motd # MESSAGE HERE # - # can be substituted for any character, must start and finish the message

DESCRIPTIONS:

  • Config# description THIS IS THE SOUTH ROUTER - can be entered at the Config-if level

CLOCK:

  • Config# clock timezone Central -6
  • # clock set hh:mm:ss dd month yyyy - Example: clock set 14:13:00 25 August 2003

CHANGING THE REGISTER:

  • Config# config-register 0x2100 - ROM Monitor Mode
  • Config# config-register 0x2101 - ROM boot
  • Config# config-register 0x2102 - Boot from NVRAM


CDP:

  • Config# cdp run - Turns CDP on
  • Config# cdp holdtime 180 - Sets the time that a device remains in the CDP table. Default is 180
  • Config# cdp timer 30 - Sets the update timer. The default is 60
  • Config# int e0
  • Config-if# cdp enable - Enables CDP on the interface
  • Config-if# no cdp enable - Disables CDP on the interface
  • Config# no cdp run - Turns CDP off

HOST TABLE:

  • Config# ip host ROUTER_NAME INT_Address - Example: ip host lab-a 192.168.5.1
    -or-
  • Config# ip host RTR_NAME INT_ADD1 INT_ADD2 INT_ADD3 - Example: ip host lab-a 192.168.5.1 203.23.4.2 199.2.3.2 - (for e0, s0, s1)

DNS:

  • Config# ip domain-lookup - Tell router to lookup domain names
  • Config# ip name-server 122.22.2.2 - Location of DNS server
  • Config# ip domain-name cisco.com - Domain to append to end of names

CLEARING COUNTERS:

STATIC ROUTES:

  • Config# ip route Net_Add SN_Mask Next_Hop_Add - Example: ip route 192.168.15.0 255.255.255.0 205.5.5.2
  • Config# ip route 0.0.0.0 0.0.0.0 Next_Hop_Add - Default route
    -or-
  • Config# ip default-network Net_Add - Gateway LAN

IP ROUTING:

  • Config# ip routing - Enabled by default
  • Config# router rip
    -or-
  • Config# router igrp 100
  • Config# int e0
  • Config-if# ip address 122.2.3.2 255.255.255.0
  • Config-if# no shutdown

IPX ROUTING:

ACCESS LISTS:

IP Standard 1-99
IP Extended 100-199
IPX Standard 800-899
IPX Extended 900-999
IPX Filters 1000-1099

IP STANDARD:

  • Config# access-list 10 permit 133.2.2.0 0.0.0.255 - allow all src ip's on 133.2.2.0
    -or-
  • Config# access-list 10 permit host 133.2.2.2 - specifies a specific host
    -or-
  • Config# access-list 10 permit any - allows any address
  • Config# int e0
  • Config-if# ip access-group 10 in - also available: out

IP EXTENDED:

  • Config# access-list 101 permit tcp 133.12.0.0 0.0.255.255 122.3.2.0 0.0.0.255 eq telnet
    -protocols: tcp, udp, icmp, ip (no sockets then), among others
    -source then destination address
    -eq, gt, lt for comparison
    -sockets can be numeric or name (23 or telnet, 21 or ftp, etc)
    -or-
  • Config# access-list 101 deny tcp any host 133.2.23.3 eq www

IPX STANDARD:

  • Config# access-list 801 permit -1 -1 - "-1" is the same as "any" with network/host addresses
  • Config# int e0
  • Config-if# ipx access-group 801 out

IPX EXTENDED:

  • Config# access-list 901 permit 4AA all 4BB all
    -Permit protocol src_add socket dest_add socket
    -"all" includes all sockets, or can use socket numbers

-or-

  • Config# access-list 901 permit any any all any all
    -Permits any protocol with any address on any socket to go anywhere
  • Config# int e0
  • Config-if# ipx access-group 901 in

IPX SAP FILTER:

  • Config# access-list 1000 permit 4aa 3 - "3" is the service type

-or-

  • Config# access-list 1000 permit 4aa 0 - service type of "0" matches all services
  • Config# int e0
  • Config-if# ipx input-sap-filter 1000 - filter applied to incoming packets

-or-

  • Config-if# ipx output-sap-filter 1000 - filter applied to outgoing packets

NAMED ACCESS LISTS:

  • Config# ip access-list standard LISTNAME
    -can be ip or ipx, standard or extended
    -followed by the permit or deny list
  • Config# permit any
  • Config-if# ip access-group LISTNAME in
    -use the list name instead of a list number
    -allows for a larger number of access-lists
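A complete worked configuration for the IP STANDARD, IP EXTENDED and NAMED ACCESS LISTS sections above. This is an added example, not part of the original cheat sheet; the subnets, host addresses and the list name WAN-IN are assumed. It shows the two places an ACL is most useful from a defensive standpoint: restricting who may reach the router's own vty lines, and filtering inbound traffic on the WAN interface, with an explicit logged deny so that dropped packets are visible.

```cisco
! Added example (not from the original cheat sheet); addresses and names are assumed.
!
! Standard ACL 10: only the management subnet may open a vty session to the router.
! Applied with "access-class" on the vty lines rather than "access-group" on an interface.
access-list 10 remark Management hosts allowed to reach the vty lines
access-list 10 permit 192.168.100.0 0.0.0.255
access-list 10 deny any log
!
line vty 0 4
 access-class 10 in
 login local
!
! Named extended ACL, applied inbound on the WAN serial interface.
! Entries are evaluated top-down and the first match wins; every ACL ends with an
! implicit "deny ip any any", so the explicit deny with "log" only adds visibility.
ip access-list extended WAN-IN
 remark Allow return traffic for TCP sessions opened from the inside
 permit tcp any 192.168.1.0 0.0.0.255 established
 remark Allow web traffic to the public web server only
 permit tcp any host 192.168.1.10 eq www
 permit tcp any host 192.168.1.10 eq 443
 remark Drop packets arriving from the WAN that claim an internal source address
 deny ip 192.168.1.0 0.0.0.255 any log
 deny ip any any log
!
interface serial 0
 ip access-group WAN-IN in
!
! Verification: per-entry match counters show which rules are actually being hit.
! Router# show access-lists
! Router# show ip interface serial 0
```

The order of entries matters: the "established" line must come before the spoofing deny, or legitimate return traffic would be dropped, and the spoofing deny must come before the final deny, or its counter and log messages would never distinguish spoofed packets from the rest. "login local" assumes a local username has already been created.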

PPP SETUP:

  • Config-if# encapsulation ppp
  • Config-if# ppp authentication chap pap
    -order in which they will be used
    -authentication is only attempted with the listed methods
    -if one fails, then connection is terminated
  • Config-if# exit
  • Config# username Lab-b password 123456
    -username is the router that will be connecting to this one
    -only specified routers can connect

-or-

  • Config-if# ppp chap hostname ROUTER
  • Config-if# ppp chap password 123456
    -if this is set on all routers, then any of them can connect to any other
    -set same on all for easy configuration
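The PPP SETUP section shows one side of the exchange; the configuration below, added here and not part of the original post, shows both routers of a CHAP-authenticated serial link so the cross-referenced usernames are visible. The hostnames, addresses and the shared secret are assumed.

```cisco
! Added example (not from the original post): CHAP on both ends of a serial link.
! Hostnames, addresses and the secret are assumed.
!
! --- Router Lab-a ---
hostname Lab-a
service password-encryption
! The username is the PEER's hostname; the password is the secret shared by both sides.
username Lab-b password 123456
interface serial 0
 ip address 10.0.0.1 255.255.255.252
 encapsulation ppp
 ppp authentication chap
 no shutdown
!
! --- Router Lab-b ---
hostname Lab-b
service password-encryption
username Lab-a password 123456
interface serial 0
 ip address 10.0.0.2 255.255.255.252
 encapsulation ppp
 ppp authentication chap
 no shutdown
!
! Verification / troubleshooting:
! Lab-a# show interfaces serial 0        (LCP Open and IPCP Open once CHAP succeeds)
! Lab-a# debug ppp authentication        (shows the challenge/response and any failure)
```

CHAP is preferred over PAP because the secret never crosses the link, only a hash of the challenge and the secret. Note that "service password-encryption" stores the username password in reversible type 7 form, so it hides the secret from a casual look at the configuration but does not protect it against anyone who can read the config file.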

ISDN SETUP:

  • Config# isdn switch-type basic-5ess - determined by telecom
  • Config# int serial 0
  • Config-if# isdn spid1 2705554564 - isdn "phonenumber" of line 1
  • Config-if# isdn spid2 2705554565 - isdn "phonenumber" of line 2
  • Config-if# encapsulation ppp - or HDLC, LAPD

DDR - 4 Steps to setting up ISDN with DDR

1. Configure switch type
Config# isdn switch-type basic-5ess - can also be done at the interface (config-if) level

2. Configure static routes
Config# ip route 123.4.35.0 255.255.255.0 192.3.5.5 - sends traffic destined for 123.4.35.0 to 192.3.5.5
Config# ip route 192.3.5.5 255.255.255.255 bri0 - specifies how to get to 192.3.5.5 (through bri0)

3. Configure interface
Config-if# ip address 192.3.5.5 255.255.255.0
Config-if# no shutdown
Config-if# encapsulation ppp
Config-if# dialer-group 1 - applies dialer-list 1 to this interface
Config-if# dialer map ip 192.3.5.6 name Lab-b 5551212
-connect to lab-b at 5551212 with ip 192.3.5.6 if there is interesting traffic
-can also use "dialer string 5551212" instead if there is only one router to connect to

4. Specify interesting traffic
Config# dialer-list 1 ip permit any
-or-
Config# dialer-list 1 ip list 101 - use access-list 101 as the dialer list

5. Other options
Config-if# hold-queue 75 - queue 75 packets before dialing
Config-if# dialer load-threshold 125 either
-load needed before second line is brought up
-"125" is any number 1-255, where % load is x/255 (i.e. 125/255 is about 50%)
-can check by in, out, or either

Config-if# dialer idle-timeout 180
-determines how long to stay idle before terminating the session
-default is 120

FRAME RELAY SETUP:

  • Config# int serial 0
  • Config-if# encapsulation frame-relay - cisco by default, can change to ietf
  • Config-if# frame-relay lmi-type cisco - cisco by default, also ansi, q933a
  • Config-if# bandwidth 56
  • Config-if# int serial 0.100 point-to-point - subinterface
  • Config-if# ip address 122.1.1.1 255.255.255.0
  • Config-if# frame-relay interface-dlci 100
    -maps the dlci to the subinterface
    -can add broadcast and/or ietf at the end
  • Config-if# int serial 1.100 multipoint
  • Config-if# no inverse-arp - turns IARP off; good to do
  • Config-if# frame-relay map ip 122.1.1.2 48 ietf
    -maps an IP to a dlci (48 in this case)
    -required if IARP is turned off
    -ietf and broadcast are optional
  • Config-if# frame-relay map ip 122.1.1.3 54

SHOW COMMANDS

  • Show access-lists - all access-lists on the router
  • Show cdp - cdp timer and holdtime
  • Show cdp entry * - same as next
  • Show cdp neighbors detail - details of neighbor with ip add and ios version
  • Show cdp neighbors - id, local interface, holdtime, capability, platform, portid
  • Show cdp interface - int's running cdp and their encapsulation
  • Show cdp traffic - cdp packets sent and received
  • Show controllers serial 0 - DTE or DCE status
  • Show dialer - number of times dialer string has been reached, other stats
  • Show flash - files in flash
  • Show frame-relay lmi - lmi stats
  • Show frame-relay map - static and dynamic maps for PVCs
  • Show frame-relay pvc - PVCs and dlci's
  • Show history - commands entered
  • Show hosts - contents of host table
  • Show int f0/26 - stats of f0/26
  • Show int e0 - show stats of e0
  • Show ip - ip config of switch
  • Show ip access-lists - ip access-lists on switch
  • Show ip interface - ip config of interface
  • Show ip protocols - routing protocols and timers
  • Show ip route - displays IP routing table
  • Show ipx access-lists - same, only ipx
  • Show ipx interfaces - RIP and SAP info being sent and received, IPX addresses
  • Show ipx route - ipx routes in the table
  • Show ipx servers - SAP table
  • Show ipx traffic - RIP and SAP info
  • Show isdn active - number with active status
  • Show isdn status - shows if SPIDs are valid, if connected
  • Show mac-address-table - contents of the dynamic table
  • Show protocols - routed protocols and net_addresses of interfaces
  • Show running-config - dram config file
  • Show sessions - telnet connections to remote devices
  • Show startup-config - nvram config file
  • Show terminal - shows history size
  • Show trunk a/b - status of trunk ports a/b (ports 26/27)
  • Show version - ios info, uptime, address of switch
  • Show vlan - all configured VLANs
  • Show vlan-membership - vlan assignments
  • Show vtp - vtp configs

CATALYST COMMANDS
For Native IOS - Not CatOS

SWITCH ADDRESS:

  • Config# ip address 192.168.10.2 255.255.255.0
  • Config# ip default-gateway 192.168.10.1

DUPLEX MODE:

  • Config# int e0/5 - "fastethernet" for 100 Mbps ports
  • Config-if# duplex full - also, half | auto | full-flow-control

SWITCHING MODE:

  • Config# switching-mode store-and-forward - also, fragment-free

MAC ADDRESS CONFIGS:

  • Config# mac-address-table permanent aaab.000f.ffef e0/2 - only this mac will work on this port
  • Config# mac-address-table restricted static aaab.000f.ffef e0/2 e0/3
    -port 3 can only send out port 2 with that mac
    -very restrictive
  • Config-if# port secure max-mac-count 5 - allows only 5 mac addresses mapped to this port
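The MAC ADDRESS CONFIGS above are Catalyst 1900 syntax. The configuration below is an added example, not from the original post, written in the port-security syntax of current Catalyst IOS; the interface, VLAN and MAC address are assumed. It shows the same idea (limit which and how many MAC addresses a port accepts) together with the violation action and the err-disable recovery a practitioner needs so a tripped port does not stay down until someone notices.

```cisco
! Added example (not from the original post), current Catalyst IOS syntax.
! Interface, VLAN and MAC address are assumed.
interface fastethernet 0/5
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! At most two MAC addresses on this port: one pinned statically below,
 ! the second learned and written into the running-config ("sticky").
 switchport port-security maximum 2
 switchport port-security mac-address aaab.000f.ffef
 switchport port-security mac-address sticky
 ! "shutdown" err-disables the port and raises a syslog/SNMP trap on a violation;
 ! "restrict" would keep the port up, drop the offending frames and still log.
 switchport port-security violation shutdown
!
! Bring an err-disabled port back automatically after 5 minutes instead of
! requiring a manual "shutdown" / "no shutdown" on the interface.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification
! Switch# show port-security interface fastethernet 0/5
! Switch# show port-security address
```

Sticky addresses survive only if "copy running-config startup-config" is run afterwards; otherwise a reload forgets the learned MAC and the port starts learning again from scratch.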

VLANS:

  • Config# vlan 10 name FINANCE
  • Config# int e0/3
  • Config-if# vlan-membership static 10

TRUNK LINKS:

  • Config-if# trunk on - also, off | auto | desirable | nonegotiate
  • Config-if# no trunk-vlan 2
    -removes vlan 2 from the port
    -by default, all vlans are set on a port

CONFIGURING VTP:

  • Config# delete vtp - should be done prior to adding to a domain
  • Config# vtp server - the default is server, also client and transparent
  • Config# vtp domain Camp - name doesn't matter, just so all switches use the same
  • Config# vtp password 1234 - limited
  • Config# vtp pruning enable - limits vtp broadcasts to only switches affected
  • Config# vtp pruning disable

FLASH UPGRADE:

  • Config# copy tftp://192.168.5.5/configname.ios opcode - "opcode" for ios upgrade, "nvram" for startup config
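For the CONFIGURING VTP section above, the configuration below is an added example, not from the original post, in current Catalyst IOS syntax ("vtp mode ..." rather than the Catalyst 1900 "vtp server"); the domain name and password are assumed. It shows why "delete vtp" before joining a domain matters: a switch whose VLAN database carries a higher configuration revision number in the same domain can overwrite every other switch's VLANs, and transparent mode plus a domain password keeps that from happening by accident.

```cisco
! Added example (not from the original post); domain name and password are assumed.
!
! On every access switch that should never push VLAN changes into the domain.
! Transparent mode does not act on received advertisements and resets the
! switch's own configuration revision to 0.
vtp domain Camp
vtp mode transparent
vtp password 1234
!
! On the one switch that is allowed to edit the VLAN database.
vtp domain Camp
vtp mode server
vtp password 1234
!
! Before cabling a lab or second-hand switch into the domain, clear its VTP state
! ("delete vtp" on a Catalyst 1900, as in the list above) and confirm:
! Switch# show vtp status
!   check "VTP Operating Mode" and that "Configuration Revision" is 0
```

Without a matching password a switch's advertisements are ignored by the rest of the domain, so the password is what stops an unmanaged switch that happens to use the same domain name from taking part at all.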

DELETE STARTUP CONFIG:

  • Config# delete nvram