interface

How can users gain access to the SCADA application?
Objective to consolidate access to all information sources – i.e. to make access available to all users via a single interface
Are any RAS modems utilised within the SCADA environment?
Is the RAS call back feature utilised?
Is the mandatory RAS encryption feature used?
Are users allowed multiple attempts at authentication on the RAS?
Has the RAS auditing feature been enabled?
How is access between the business / corporate network and SCADA network controlled?
How is the administrator password controlled?
How is vendor access to the SCADA network controlled – i.e. password changes after contract has been completed?
Are SLA’s for outsourced support agreements reviewed on a periodic basis?
Are critical components of the SCADA Network supported by a UPS and are these batteries tested on a regular basis to ensure that they are reliable?
What capacity management and monitoring of critical SCADA network systems is performed (i.e. CPU utilisation and hard disk drive space)?
Are legal captions utilised during the login process to the SCADA application and associated infrastructure / devices?
Has an intrusion detection system (IDS) been deployed within the SCADA environment?
Has security been a focus within the development and deployment of the SCADA network?
Is there additional staff screenings performed when staff are hired to work within the SCADA environment (inclusive of vendors etc)?

Policies & Procedures

Is there a defined security strategy for the SCADA environment?
Who is responsible / accountable for security management within SCADA environment? Has the ownership of this responsibility been clearly defined and/or stated in any documentation?
Are there any periodic security reviews of the SCADA network performed?
What procedures are in place to handle the disposal of SCADA network media and devices? Additionally, is there a process in place for the disposal of confidential information / documentation?
Are there any policies or procedures covering the introduction of new devices to the SCADA environment?
What formal change control procedures exist for the SCADA environment?
Does a formal disaster recovery plan exist for the SCADA environment?
Does a formal business continuity plan exist for the SCADA environment?
Do physical and logical security standards differ significantly between SCADA sites?
Has a standard operating environment (SOE) minimum baseline standard been developed for systems being introduced into the SCADA environment?
What security logs are maintained for critical computer equipment and how often are the logs reviewed?
Who is responsible for the reviewing of security logs?
Has access to event logs been restricted?
Upon commencement of employment, are users provided with IT security information as part of the induction process? Additionally, are users provided with further information on security issues on a periodic basis?
What procedures exist to monitor dial-in access?
Is there a formally defined backup and recovery procedure?
Are encryption techniques and/or passwords applied to backup tapes?

Physical Access

How is physical access to SCADA terminals controlled?
Are SCADA control rooms segregated from other rooms?
What building security exists at remote sites to prevent unauthorised access?
What authentication methods are used at remote sites to allow access – i.e. swipe cards?
Are external windows at remotes sites barred?
What alarm systems have been employed at remote sites?

Network Security

Have all deployed routers been configured to ensure the filtering of communications that are unauthorised or not required?
What traffic control and monitoring capabilities have been deployed – i.e. all communication travels to a central point before traversing further on the network.
How are dial-in facilities to the SCADA environment secured?
How is suspicious or unusual activity on the SCADA WAN detected?
What firewall configurations have been set up to segregate the SCADA WAN from the United Water corporate network?
Are all key filtering devices on the network (such as routers and firewalls) configured to log all attempts to access the network? If so are they reviewed on a regular basis?
Have the auditing features of all routers and firewalls been enabled?
Has access to event logs been restricted?
How is the management of patches / hot fixes controlled in regards to firewalls and routers?
What backup and recovery measures are in place for network resources – firewalls and routers?
Has SNMP been implemented on core infrastructure?
Has any wireless equipment been deployed within the SCADA environment – has this been configured to a secure state?
Are all default passwords removed from SCADA devices after implementation?
Does a development environment exist to test changes prior to deployment into the SCADA network production environment?

Workstation Security

What operating systems (version) are installed on SCADA terminals?
Have operating system level passwords been activated on all SCADA terminals?
Do passwords have an indefinite expiry date?
What file and directory permission controls have been implemented on SCADA terminals to restrict unauthorised access by general users?
What logs are generated at the operating system level?
Has access to event logs been restricted?
What tools and services at the operating system level have been restricted for general users?
Who is responsible for patch management of SCADA terminals?
Has an audit feature been enabled for all SCADA terminals?
Are default services available with the operating system restricted?
Is virus protection implemented? Is this software manually or automatically updated?
Are shares enabled on SCADA terminals / workstations?
Are SCADA terminals backed up on a regular basis?
Is registry auditing of SCADA terminals performed?
Are user reviews and associated access rights performed on a regular basis?

SCADA Application Security

What are the username and password requirements of SCADA application?
Are session time out features activated?
Are complex passwords enforced to access the SCADA application?
Are user reviews and associated access rights performed on a regular basis?

System Penetration Testing

Internal penetration testing
External penetration testing
Password strength tests

Changes to the SCADA network

Please provide / list all potential changes being considered to the SCADA network.

Leave a Comment :access, account, authentication, bar, Card, Communications, Corporate, development, disaster recovery, encryption, environment, interface, ISP, Mall, network, operating systems, password, patch, Protection, SCADA, security, SLA, standards, support, technique more...

Cisco Command Cheat Sheet

by Derek on Jul.04, 2008, under Infrastructure

I found a list of useful Cisco commands which I though I would post here. The list has been updated since the original post extending on the original list from fastget2you.com.

Thanks to the fastget2you.com Joined With #missomhack Community for the original list.

ROUTER COMMANDS `:`

Config# terminal editing – allows for enhanced editing commands
Config# terminal monitor – shows output on telnet session
Config# terminal ip netmask-format hexadecimal|bit-count|decimal – changes the format of subnet masks

HOST NAME:

Config# hostname ROUTER_NAME

BANNER:

Config# banner motd # TYPE MESSAGE HERE # – # can be substituted for any character, must start and finish the message

DESCRIPTIONS:

Config# description THIS IS THE SOUTH ROUTER – can be entered at the Config-if level

CLOCK:

Config# clock timezone Central -6
# clock set hh:mm:ss dd month yyyy – Example: clock set 14:13:00 25 August 2003

CHANGING THE REGISTER:

Config# config-register 0×2100 – ROM Monitor Mode
Config# config-register 0×2101 – ROM boot
Config# config-register 0×2102 – Boot from NVRAM

BOOT SYSTEM:

Config# boot system tftp FILENAME SERVER_IP – Example: boot system tftp 2600_ios.bin 192.168.14.2
Config# boot system ROM
Config# boot system flash – Then – Config# reload

CDP:

Config# cdp run – Turns CDP on
Config# cdp holdtime 180 – Sets the time that a device remains. Default is 180
Config# cdp timer 30 – Sets the update timer.The default is 60
Config# int Ethernet 0
Config-if# cdp enable – Enables cdp on the interface
Config-if# no cdp enable – Disables CDP on the interface
Config# no cdp run – Turns CDP off

HOST TABLE:

Config# ip host ROUTER_NAME INT_Address – Example: ip host lab-a 192.168.5.1
-or-
Config# ip host RTR_NAME INT_ADD1 INT_ADD2 INT_ADD3 – Example: ip host lab-a 192.168.5.1 203.23.4.2 199.2.3.2 – (for e0, s0, s1)

DOMAIN NAME SERVICES:

Config# ip domain-lookup – Tell router to lookup domain names
Config# ip name-server 122.22.2.2 – Location of DNS server
Config# ip domain-name cisco.com – Domain to append to end of names

CLEARING COUNTERS:

# clear interface Ethernet 0 – Clears counters on the specified interface
# clear counters – Clears all interface counters
# clear cdp counters – Clears CDP counters

STATIC ROUTES:

Config# ip route Net_Add SN_Mask Next_Hop_Add – Example: ip route 192.168.15.0 255.255.255.0 205.5.5.2
Config# ip route 0.0.0.0 0.0.0.0 Next_Hop_Add – Default route
-or-
Config# ip default-network Net_Add – Gateway LAN network

IP ROUTING:

Config# ip routing – Enabled by default
Config# router rip
-or-
Config# router igrp 100
Config# interface Ethernet 0
Config-if# ip address 122.2.3.2 255.255.255.0
Config-if# no shutdown

IPX ROUTING:

Config# ipx routing
Config# interface Ethernet 0
Config# ipx maximum-paths 2 – Maximum equal metric paths used
Config-if# ipx network 222 encapsulation sap – Also Novell-Ether, SNAP, ARPA on Ethernet. Encapsulation HDLC on serial
Config-if# no shutdown

ACCESS LISTS:

IP Standard	1-99
IP Extended	100-199
IPX Standard	800-899
IPX Extended	900-999
IPX SAP Filters	1000-1099

IP STANDARD:

Config# access-list 10 permit 133.2.2.0 0.0.0.255 – allow all src ip’s on network 133.2.2.0
-or-
Config# access-list 10 permit host 133.2.2.2 – specifies a specific host
-or-
Config# access-list 10 permit any – allows any address
Config# int Ethernet 0
Config-if# ip access-group 10 in – also available: out

IP EXTENDED:

Config# access-list 101 permit tcp 133.12.0.0 0.0.255.255 122.3.2.0 0.0.0.255 eq telnet
-protocols: tcp, udp, icmp, ip (no sockets then), among others
-source then destination address
-eq, gt, lt for comparison
-sockets can be numeric or name (23 or telnet, 21 or ftp, etc)
-or-
Config# access-list 101 deny tcp any host 133.2.23.3 eq www

-or-

Config# access-list 101 permit ip any any
Config# interface Ethernet 0
Config-if# ip access-group 101 outIPX STANDARD:
Config# access-list 801 permit 233 AA3 – source network/host then destination network/host

-or-

Config# access-list 801 permit -1 -1 – “-1″ is the same as “any” with network/host addresses
Config# interface Ethernet 0
Config-if# ipx access-group 801 outIPX EXTENDED:
Config# access-list 901 permit sap 4AA all 4BB all
- Permit protocol src_add socket dest_add socket
-”all” includes all sockets, or can use socket numbers

-or-

Config# access-list 901 permit any any all any all
-Permits any protocol with any address on any socket to go anywhere
Config# interface Ethernet 0
Config-if# ipx access-group 901 inIPX SAP FILTER:
Config# access-list 1000 permit 4aa 3 – “3″ is the service type

-or-

Config# access-list 1000 permit 4aa 0 – service type of “0″ matches all services
Config# interface Ethernet 0
Config-if# ipx input-sap-filter 1000 – filter applied to incoming packets

-or-

Config-if# ipx output-sap-filter 1000 – filter applied to outgoing packets

NAMED ACCESS LISTS:

Config# ip access-list standard LISTNAME
-can be ip or ipx, standard or extended
-followed by the permit or deny list
Config# permit any
Config-if# ip access-group LISTNAME in
-use the list name instead of a list number
-allows for a larger amount of access-lists

PPP SETUP:

Config-if# encapsulation ppp
Config-if# ppp authentication chap pap
-order in which they will be used
-only attempted with the authentification listed
-if one fails, then connection is terminated
Config-if# exit
Config# username Lab-b password 123456
-username is the router that will be connecting to this one
-only specified routers can connect

-or-

Config-if# ppp chap hostname ROUTER
Config-if# ppp chap password 123456
-if this is set on all routers, then any of them can connect to any other
-set same on all for easy configuration

ISDN SETUP:

Config# isdn switch-type basic-5ess – determined by telecom
Config# interface serial 0
Config-if# isdn spid1 2705554564 – isdn “phonenumber” of line 1
Config-if# isdn spid2 2705554565 – isdn “phonenumber” of line 2
Config-if# encapsulation PPP – or HDLC, LAPD

DDR – 4 Steps to setting up ISDN with DDR Configure switch type

1. Config# isdn switch-type basic-5ess – can be done at interface config

2. Configure static routes
Config# ip route 123.4.35.0 255.255.255.0 192.3.5.5 – sends traffic destined for 123.4.35.0 to 192.3.5.5
Config# ip route 192.3.5.5 255.255.255.255 bri0 – specifies how to get to network 192.3.5.5 (through bri0)

3. Configure Interface
Config-if# ip address 192.3.5.5 255.255.255.0
Config-if# no shutdown
Config-if# encapsulation ppp
Config-if# dialer-group 1 – applies dialer-list to this interface
Config-if# dialer map ip 192.3.5.6 name Lab-b 5551212
connect to lab-b at 5551212 with ip 192.3.5.6 if there is interesting traffic
can also use “dialer string 5551212″ instead if there is only one router to connect to

4. Specify interesting traffic
Config# dialer-list 1 ip permit any
-or-
Config# dialer-list 1 ip list 101 – use the access-list 101 as the dialer list

5. Other Options
Config-if# hold-queue 75 – queue 75 packets before dialing
Config-if# dialer load-threshold 125 either
-load needed before second line is brought up
-”125″ is any number 1-255, where % load is x/255 (ie 125/255 is about 50%)
-can check by in, out, or either

Config-if# dialer idle-timeout 180
-determines how long to stay idle before terminating the session
-default is 120

FRAME RELAY SETUP:

Config# interface serial 0
Config-if# encapsulation frame-relay – cisco by default, can change to ietf
Config-if# frame-relay lmi-type cisco – cisco by default, also ansi, q933a
Config-if# bandwidth 56
Config-if# interface serial 0.100 point-to-point – subinterface
Config-if# ip address 122.1.1.1 255.255.255.0
Config-if# frame-relay interface-dlci 100
-maps the dlci to the interface
-can add BROADCAST and/or IETF at the end
Config-if# interface serial 1.100 multipoint
Config-if# no inverse-arp – turns IARP off; good to do
Config-if# frame-relay map ip 122.1.1.2 48 ietf broadcast
-maps an IP to a dlci (48 in this case)
-required if IARP is turned off
-ietf and broadcast are optional
Config-if# frame-relay map ip 122.1.1.3 54 broadcast

SHOW COMMANDS

Show access-lists – all access lists on the router
Show cdp – cdp timer and holdtime frequency
Show cdp entry * – same as next
Show cdp neighbors detail – details of neighbor with ip add and ios version
Show cdp neighbors – id, local interface, holdtime, capability, platform portid
Show cdp interface – int’s running cdp and their encapsulation
Show cdp traffic – cdp packets sent and received
Show controllers serial 0 – DTE or DCE status
Show dialer – number of times dialer string has been reached, other stats
Show flash – files in flash
Show frame-relay lmi – lmi stats
Show frame-relay map – static and dynamic maps for PVC’s
Show frame-relay pvc – pvc’s and dlci’s
Show history – commands entered
Show hosts – contents of host table
Show int f0/26 – stats of f0/26
Show interface Ethernet 0 – show stats of Ethernet 0
Show ip – ip config of switch
Show ip access-lists – ip access-lists on switch
Show ip interface – ip config of interface
Show ip protocols – routing protocols and timers
Show ip route – Displays IP routing table
Show ipx access-lists – same, only ipx
Show ipx interfaces – RIP and SAP info being sent and received, IPX addresses
Show ipx route – ipx routes in the table
Show ipx servers – SAP table
Show ipx traffic – RIP and SAP info
Show isdn active – number with active status
Show isdn status – shows if SPIDs are valid, if connected
Show mac-address-table – contents of the dynamic table
Show protocols – routed protocols and net_addresses of interfaces
Show running-config – dram config file
Show sessions – connections via telnet to remote device
Show startup-config – nvram config file
Show terminal – shows history size
Show trunk a/b – trunk stat of port 26/27
Show version – ios info, uptime, address of switch
Show vlan – all configured vlan’s
Show vlan-membership – vlan assignments
Show vtp – vtp configs

CATALYST COMMANDS
For Native IOS – Not CatOS

SWITCH ADDRESS:

Config# ip address 192.168.10.2 255.255.255.0
Config# ip default-gateway 192.168.10.1DUPLEX MODE:
Config# interface Ethernet 0/5 – “fastethernet” for 100 Mbps ports
Config-if# duplex full – also, half | auto | full-flow-control

SWITCHING MODE:

Config# switching-mode store-and-forward – also, fragment-free

MAC ADDRESS CONFIGS:

Config# mac-address-table permanent aaab.000f.ffef e0/2 – only this mac will work on this port
Config# mac-address-table restricted static aaab.000f.ffef e0/2 e0/3
-port 3 can only send data out port 2 with that mac
-very restrictive security
Config-if# port secure max-mac-count 5 – allows only 5 mac addresses mapped to this port

VLANS:

Config# vlan 10 name FINANCE
Config# interface Ethernet 0/3
Config-if# vlan-membership static 10TRUNK LINKS:
Config-if# trunk on – also, off | auto | desirable | nonegotiate
Config-if# no trunk-vlan 2
-removes vlan 2 from the trunk port
-by default, all vlans are set on a trunk port

CONFIGURING VTP:
Config# delete vtp – should be done prior to adding to a network
Config# vtp server – the default is server, also client and transparent
Config# vtp domain Camp – name doesn’t matter, just so all switches use the same
Config# vtp password 1234 – limited security
Config# vtp pruning enable – limits vtp broadcasts to only switches affected
Config# vtp pruning disableFLASH UPGRADE:
Config# copy tftp://192.168.5.5/configname.ios opcode – “opcode” for ios upgrade, “nvram” for startup config

DELETE STARTUP CONFIG:

Config# delete nvram

BGP:

show ip bgp – Displays entries in the BGP routing table.
show ip bgp injected-paths – Displays paths in the BGP routing table that were conditionally injected.
show ip bgp neighbors – Displays information about the TCP and BGP connections to neighbors.

BGP Conditional Route Injection:

Step 1 Router(config)# router bgp as-number
- Places the router in router configuration mode, and configures the router to run a BGP process.

Step 2 Router(config-router)# bgp inject-map ORIGINATE exist-map LEARNED_PATH
- Configures the inject-map named ORIGINATE and the exist-map named LEARNED_PATH for conditional route injection.

Step 3 Router(config-router)# exit
-Exits router configuration mode, and enters global configuration mode.

Step 4 Router(config)# route-map LEARNED_PATH permit sequence-number
- Configures the route map named LEARNED_PATH.

Step 5 Router(config-route-map)# match ip address prefix-list ROUTE
- Specifies the aggregate route to which a more specific route will be injected.

Step 6 Router(config-route-map# match ip route-source prefix-list ROUTE_SOURCE
- Configures the prefix list named ROUTE_SOURCE to redistribute the source of the route.
Note The route source is the neighbor address that is configured with the neighbor remote-as command. The tracked prefix must come from this neighbor in order for conditional route injection to occur.

Step 7 Router(config-route-map)# exit
- Exits route-map configuration mode, and enters global configuration mode.

Step 8 Router(config)# route-map ORIGINATE permit 10
- Configures the route map named ORIGINATE.

Step 9 Router(config-route-map)# set ip address prefix-list ORIGINATED_ROUTES
- Specifies the routes to be injected.

Step 10 Router(config-route-map)# set community community-attribute additive
- Configures the community attribute of the injected routes.

Step 11 Router(config-route-map)# exit
- Exits route-map configuration mode, and enters global configuration mode.

Step 12 Router(config)# ip prefix-list ROUTE permit 10.1.1.0/24
- Configures the prefix list named ROUTE to permit routes from network 10.1.1.0/24.

Step 13 Router(config)# ip prefix-list ORIGINATED_ROUTES permit 10.1.1.0/25
- Configures the prefix list named ORIGINATED_ROUTES to permit routes from network 10.1.1.0/25.

Step 14 Router(config)# ip prefix-list ORIGINATED_ROUTES permit 10.1.1.128/25
- Configures the prefix list named ORIGINATED_ROUTES to permit routes from network 10.1.1.0/25.

Step 15 Router(config)# ip prefix-list ROUTE_SOURCE permit 10.2.1.1/32
- Configures the prefix list named ROUTE_SOURCE to permit routes from network 10.2.1.1/32.
Note The route source prefix list must be configured with a /32 mask in order for conditional route injection to occur.

DHCP

Step 1 (config)# interface ethernet0/0
(config-if)#ip address 1.1.1.1 255.0.0.0
(config-if)# no shutdown
- Configure an IP address on the router’s Ethernet port, and bring up the interface. (On an existing router, you would have already done this.)

Step 2 (config)# ip dhcp pool mypool
- Create a DHCP IP address pool for the IP addresses you want to use.

Step 3 (dhcp-config)# network 1.1.1.0 /8
- Specify the network and subnet for the addresses you want to use from the pool.

Step 4 (dhcp-config)#domain-name mydomain.com
- Specify the DNS domain name for the clients.

Step 5 (dhcp-config)#dns-server 1.1.1.10 1.1.1.11
- Specify the primary and secondary DNS servers.

Step 6 (dhcp-config)#default-router 1.1.1.1
- Specify the default router (i.e., default gateway).

Step 7 (dhcp-config)#lease 7
- Specify the lease duration for the addresses you’re using from the pool.

Step 8 (dhcp-config)#exit
- Exit Pool Configuration Mode.

This takes you back to the global configuration prompt.

Next, exclude any addresses in the pool range that you don’t want to hand out.

For example, let’s say that you’ve decided that all IP addresses up to .100 will be for static IP devices such as servers and printers. All IP addresses above .100 will be available in the pool for DHCP clients.

Here’s an example of how to exclude IP addresses .100 and below:

Optional (config)#ip dhcp excluded-address 1.1.1.0 1.1.1.100

The full DHCP reference can be found on the CISCO site.

Common Commands and Troubleshooting

Set a password on the console line:
- configure terminal
- line console 0
- password ‘cisco’
- login
Passwords are case sensitive.
You must configure a password on the VTY lines, without one no one will be able to telnet to the switch/router.
The default mode when logging into a switch/router via telnet or SSH is user exec mode, which is indicated by the ‘>’ prompt.
To configure the switch/router you need to use the privileged EXEC mode. To do this you enter the enable command in user EXEC mode. The prompt is indicated with ‘#’.
If both enable secret and enable password are set, the enable secret will be used.
The enable secret is encrypted (by default) where as the enable password is in clear text.
In a config containing an enable secret 5 ‘hash’ the 5 refers to the level of encryption being used.
If no enable password/secret has been set when someone telnets to the device, they will get a ‘%No password set’ message. Someone with physical access must set the password.
To place all telnet users directly into enable mode:
- configure terminal
- line vty 0 4
- privilege level 15
To put a specific user directly into privileged EXEC mode (enable mode)
- username superman privilege 15 password louise
Telnet sends all data including passwords in clear text which can be intercepted.
SSH encrypts all data preventing an attacker from intercepting it.
Setting up a local user/password login database for use with telnet:
- configure terminal
- line vty 0 4
- login local
- exit
- username telnetuser1 password secretpass
To set up SSH you need to create the local user database, the domain name must be specified with the ip domain-name command and a crypto key must be created with the crypto key generate rsa command. To enable SSH on the VTY lines, use the command transport input ssh.
If you connect two Cisco switches together and the lights don’t go amber then green, but instead stays off. A straight through cable has been used instead of a crossover cable.
The term ‘a switches management interface’ normally refers to VLAN1.
Assign a default gateway using the ip default-gateway ipaddress command.
You can use the command interface range fasterthernet 0/1 – 12 to select a range of interfaces to configure at once.
MOTD banner appears before login prompt.
The login banner appears before the login prompt but after the MOTD banner.
The banner exec appears after a successful logon.
line con 0 – configuring the logging synchronous on the console port stops the router from displaying messages (like an interface state change) until it detects no input from the keyboard and not other output from the router, such as a show commands output.
exec-timeout x y (x=minutes, y=seconds) – the default is 5 minutes. Can be disabled by setting x=0 y=0
Shortcut commands
- Up Arrow – will show you the last command you entered. Control+P does the same thing.
- Down Arrow – will bring you one command up in the command history. Control+N does the same thing.
- CTRL+A takes the cursor to the start of the current command.
- CTRL+E takes the cursor to the end of the current command.
- Left arrow or CTRL+B moves backwards (towards the start) of the command one character at a time.
- Right arrow or CTRL+P moves forwards (towards the end) of the command one character at a time.
- CTRL+D deletes one character (the same as backspace).
- ESC+B moves back one word in the current command.
- ESC+F moves forward one word in the current command.
show history command will show the last 10 commands run by default.
the history size can be increased individually on the console port and on the VTY lines with the history size x command.
Config modes
- config t R1<config> is the global configuration mode.
- line vty 0 4 R1<config-line> is the line config mode.
- interface fastethernet 0/1 R1<config-if> interface config mode.

Troubleshooting

Cisco Discovery Protocol (CDP) runs by default on Cisco routers and switches. It runs globally and on a per-interface level.
CDP discovers basic information about neighboring switches and routers.
On media that supports multicasts at the data link layer, CDP uses multicast frames. on other media, CDP sends a copy of the CDP update to any known data-link addresses.
The show cdp command shows CDP settings.
CDP can be disabled globally using the command no cdp run and re-enable using cdp run.
CDP can be disabled at an interface level using the no cdp enable command at the sub-interface level.
The command show cdp neighbor - lists one summary line of information about each neighbor. Including:
- Device ID – the remote devices hostname.
- Local Interface – the local switch/router interface connected to the remote host.
- Holdtime – is the number of seconds the local device will retain the contents of the last CDP advertisement received from the remote host.
- Capability – shows you the type of device the remote host is.
- Platform – is the remote devices hardware platform.
- Port ID – is the remote interface on the direct connection.
The command show cdp neighbor detail – lists one large set (approx 15 lines) of information, one set for every neighbor. Including:
- The IOS version.
- VTP management domain.
- Management addresses.
show cdp entry name - lists the same information as the show cdp neighbors detail command, but only for the named neighbor (case sensitive).
show cdp – states whether CDP is enabled globally, and lists the default update and holdtime timers.
show cdp traffic – lists global statistics for the number of CDP advertisements sent and received.
show cdp interface type number - states whether CDP is enabled on each interface or a single interface if the interface is listed, and states the update and holdtime timers on those interfaces.
CDP should be disabled on interfaces it is not needed to limit risk of an attacker learning details about each switch or router. Use the no cdp enable interface subcommand to disable CDP and the cdp enable interface subcommand to re-enable it.
The command show cdp interface shows the CDP settings for every interface.
Interface status messages:
- Interface status is down/down – this indicates a physical problem, most likely a loose or unplugged cable.
- Line protocol is down, up/down – this indicates a problem at the logical level, most likely an encapsulation mismatch or a missing clock rate.
- Administratively down – this indicates the interface has been shutdown and needs to be manually opened with the sub interface command no shutdown.
The command show mac-address-table shows the mac address table. show mac-address-table dynamic sows the dynamically learned entries only.
Most problems on a switch are caused by human error – misconfiguration.
The command show debugging shows all the currently running debugs.
undebug all – will turn all debugging off.
The command show vlan brief shows a switches VLAN configuration.
If pinging 127.0.0.1 fails on a pc, there is a problem with the local PC, most likely a bad install of TCP/IP.
On a pc the command netstat -rn shows the pc’s routing table.
Additional Telnet commands:
- show sessions shows information about each telnet session, the where command does the same thing.
- resume x, x being the session number is used to resume a telnet session.
- To suspend a session use the command CTRL+ALT+6.
- To disconnect an open session use the command disconnect x, x being the session number.
Ping result codes:
- !!!!! – IP connectivity to the destination is ok.
- ….. – IP connectivity to the destination does not exist.
- U.U.U – the local router has a route to the destination, but a downstream router does not.
debug ip packet – can help troubleshooting the above ping results.
When using traceroute or extended ping the Escape Sequence is: CTRL+SHIFT+6.
Extended ping can only be run from enable mode.
If a routing table contains multiple routes to the same destination with multiple next hops and the prefixes are different, the most specific (longest) prefix route will be used. If all of the prefix lengths are the same the Administrative Distance will be used. [AD/Metric].
Administrative Distance is a measure of a routes believability, with a lower AD being more believable than a route with a higher AD. AD only comes into play if the prefix lengths are the same.
You can set the Administrative Distance on a static route with the command ip route 55.55.55.0 255.255.255.0 192.168.1.2 150, you would do this to set a backup route if a dynamic route fails/is not available in the routing table.

Cisco NX-OS/IOS BGP (Advanced) Comparison

These may also assist: Undocumented Cisco Commands

6 Comments :access, authentication, authentification, boot system, broadcast, cisco commands, data, DES, DNS, domain name services, EFT, encapsulation, Ethernet, frequency, hack, interface, ISP, name server, network, password, phone, pvc, Relay, SAP, script, security, server, Shiraz, telnet, text, trunk, type more...

E-Commerce Glossary

by Derek on Jun.18, 2008, under Banking and EFTPoS

Acquiring Institution
The Financial Institution which holds the Merchant Account partaking in a financial transaction, typically the first bank involved in the processing of a payment.

Applet
A small computer program which facilitates the performance of particular tasks.

Bandwidth
The capacity of a server to carry or process information. The higher the bandwidth the faster graphics-laden web pages will download.

Browser
Short for Web browser, a software application used to locate and display Web pages. The two most popular browsers are Netscape Navigator and Microsoft Internet Explorer. Both of these are graphical browsers, which means that they can display graphics as well as text. In addition, most modern browsers can present multimedia information, including sound and video, though they require plug-ins for some formats.

Caching
The automatic copying and storage of frequently used information onto a computer system – Typically caching is seen whilst surfing the internet (graphics, etc.) and used by Internet Services Providers (ISP’s) to reduce the amount of data requested from the user onto the internet.

Issuer
The Financial Institution which issued the cardholder’s account and card.

Cardholder
The individual participating in the financial transaction whose card is being credited or debited.

Card Verification Data
The additional information printed on the card to be processed. This is used to verify if the card was present when the transaction was initiated. This is the additional digits imprinted on the card usually on the reverse side for VISA & Mastercard and on the front for AMEX.

Certificate
An x.509 certificate used to authenticate entities such as Merchants and Payment Gateways. Certificates can be used to identify and/or encrypt sensitive data such as card numbers and personal cardholder information.

CGI
Common Gateway Interface: A protocol that allows a Web page to run a program on a Web server. Forms, counters, and guest books are common examples of CGI programs.

Any piece of software can be a CGI program if it handles input and output according to the CGI standard. Usually a CGI program is a small program that takes data from a web server and does something with it, like putting the content of a form into an e-mail message, or turning the data into a database query. CGI “scripts” are just scripts which use CGI. CGI is often confused with Perl, which is a programming language, while CGI is an interface to the server from a particular program.

Client
A computer or software that requests a service of another computer system or process (a “server”). For example, a workstation requesting the contents of a file from a file server is a client of the file server. A web browser is commonly referred to as a client.

Clients and Servers
In general, all of the machines on the Internet can be categorised as two types: servers and clients. Those machines that provide services (like Web servers or FTP servers) to other machines are servers. And the machines that are used to connect to those services are clients.

When you connect to Yahoo at www.google.com to read a page, Google is providing a machine (probably a cluster of very large machines), for use on the Internet, to service your request. Google is providing a server. Your machine, on the other hand, is probably providing no services to anyone else on the Internet. Therefore, it is a user machine, also known as a client. It is possible and common for a machine to be both a server and a client !

Cookie
A file sent by some web servers to your computer’s hard drive to enable you to quickly and easily return to particular sites. Cookies give rise to privacy concerns as they are often used to store information used for marketing purposes.

The main purpose of cookies is to identify users and possibly prepare customised Web pages for them. When you enter a Web site using cookies, you may be asked to fill out a form providing such information as your name and interests. This information is packaged into a cookie and sent to your Web browser which stores it for later use. The next time you go to the same Web site, your browser will send the cookie to the Web server. The server can use this information to present you with custom Web pages. So, for example, instead of seeing just a generic welcome page you might see a welcome page with your name on it.

CRN
The Customer Receipt Number (CRN) is used to assist the card holder, the payment gateway and the transaction acquirer to confirm the transaction has been processed and to track the transaction throughout the end-to-end transaction process. This is often used when making enquiries about a transaction or for transaction tracking.

Cybersquatting
Bad faith, abusive domain name registration. Cybersquatters register company and product names as domain names with a view to selling them at inflated prices to the “rightful” owners.

/CVC
The additional information printed on the card to be processed. This is used to verify if the card was present when the transaction was initiated. This is the additional digits imprinted on the card usually on the reverse side for VISA & Mastercard and on the front for AMEX.

Database
A collection of data: part numbers, product codes, customer information, etc. It usually refers to data organised and stored on a computer that can be searched and retrieved by a computer program.

Deep link
A hypertext link directly to a web page, often bypassing home pages or other identifying pages.

Digital Certificate
A pop up window that allows you to identify the level of encryption used to secure a particular web site.

Digital Signature
A complex numeric “signature” designed to be used, in conjunction with special software, to authenticate the sender of a message and guarantee that the contents of the message have not been altered during transmission to the recipient. The EU has adopted legislation which makes electronic signatures legally valid. The Electronic Transaction Bill (Cth) 1999 has the same effect in Australia.

Domain Name
The plain English name given to a host destination on the Internet, for example, www.madrock.net. The suffix, dot.com is known as the generic top level domain, the prefix madrock. The domain name forms part of the Internet Address or URL.

A name that identifies one or more IP addresses. For example, the domain name microsoft.com represents about a dozen IP addresses. Domain names are used in URLs to identify particular Web pages. For example, in the URL http://www.madrock.net, the domain name is madrock.net.

Download
To transfer information from one computer to your computer.

Dynamic web page
A web document that is created from a database in real-time or “on the fly” at the same time it is being viewed, providing a continuous flow of new information and giving visitors a new experience each time they visit the web site.

Dynamic web sites offer the user the ability to interact with the web site. This interaction can take place in the form of a search for products, a questionnaire that automatically posts results or online polls. Basically, dynamic web pages and content are generated from the input of the user.

EC
Electronic Commerce.

Often referred to as simply e-commerce, business that is conducted over the Internet using any of the applications that rely on the Internet, such as e-mail, instant messaging, shopping carts, Web services, and FTP, among others. Electronic commerce can be between two businesses transmitting funds, goods, services and/or data or between a business and a customer.

ECI
The Electronic Commerce Indicator (ECI), is used to determine the source of the original transaction request. This is a program that the banks have developed and have mandated it’s use.

Electronic Data Interchange (EDI)
Systems set up by businesses, which facilitate the electronic exchange of information.

Encryption
The process of scrambling data to prevent it being viewed by unauthorized persons.

Expiry Date
The date printed on the card indicating when the card will expire. Not to be confused with the card issue date found on some cards.

Firewall
An electronic security barrier and/or traffic filter.

Forms
Forms are web pages comprised of text and “fields” for a user to fill in with information. They are an excellent way of collecting and processing information from people visiting a web site, as well as allowing them to interact with web pages. Forms are written in HTML and processed by CGI programs.

Frame
A means of dividing a web screen into a number of compartments. Frames may give rise to legal disputes if web sites created by third parties are framed as your own.

FTP servers
One of the oldest of the Internet services, File Transfer Protocol makes it possible to move one or more files securely between computers while providing file security and organisation as well as transfer control.

Fulfilment
1. Process of supplying goods after an order has been received.
2. Process of reacting to a customer’s request, covering everything that has to happen from the time the customer places an order until they are completely satisfied.

Host
Any computer on a network that provides services or information to other computers on the network. A host is also called a server.

Integration
The software and/or business processes which combine the Merchant’s (website, back office, etc.) order processing system with the EFT Network Electronic Payment System.

IP address
Every computer connected to the Internet is assigned a unique number known as an Internet Protocol (IP) address. Since these numbers are usually assigned in country-based blocks, an IP address can often be used to identify the country from which a computer is connecting to the Internet.

Gateway
A system allowing incompatible computer networks to send and receive information.

HTML (Hypertext Markup Language)
Language used to translate text documents into a form which can be sent over the web.

Hyperlink
A highlighted phrase in a document which permits linking to another document or part of a document.

Internet Content Host (ICH)
Those who host or propose to host content on the Internet. Anybody who is responsible for a web site, news group or bulletin board that contains articles, graphics or other internet content provided by others. The host may/may not also produce their own content and/or provide access to the Internet through a carriage service, ie they may also be an ISP.

Internet Service Provider (ISP)
A company that provides an Internet connection through some kind of Internet carriage service, for example Sprint, Chello Broadband, Telstra Bigpond, Adam Internet, Internode. ISP’s may/may not also be ICHs.

Mail servers
Almost as ubiquitous and crucial as Web servers, mail servers move and store mail over corporate networks (via LANs and WANs) and across the Internet.

Merchant account
This is an account set up with a bank to process credit card orders from customers.

Merchant
The entity receiving payments for goods and/or services.

Merchant Account
The merchant’s account into which transactions are credited or debited.

Merchant Server
The software installed on the Merchant’s web sites or back office system to enable real-time or batched processing of financial transactions.

Merchant Server Administrator
The individual(s) responsible for the maintenance of the Merchant Server, including issuing and importing merchant certificates.

MTL
Merchant Transaction Layer (MTL)

PAN
Primary Account Number (PAN) is the number printed on the customers card to reference the cardholder’s financial account. This is typically the card number.

Payment Gateway
The Payment Gateway provides a central point of contact/transaction switching with the banking network for the Merchant Server software or devices. The EFT Networks Payment gateway provides advanced integrated reporting, merchant integration services (Mainframe, Mini, Windows, UNIX, OS400, Desktop/Server, EFT PoS Terminals. Loyalty systems, etc.) and Merchant/Bank customised solutions not offered by regional or global banking institutions.

An online system for real-time charging of credit cards when a customer places an order. Normally requires a merchant account.

A common question from merchants is “Do we have to change banks to use payment gateways?”

The answer is NO! – All you need to do is open a merchant facility with one of the supported banks, EFT Networks can ensure you open the correct one for your transaction needs. The merchant facility is then linked to a nominated bank account for example: Bank of New Zealand, ANZ, St George Bank, NAB, Commonwealth, Westpac, Bank of America, Bank of Scotland, Barclay’s, Bank of Queensland, etc. The money is then transferred at the end of each day from your merchant account to your nominated account.

“Pretty Good Privacy”
A type of encryption program used to scramble data.

Portal
A site that gathers together many sites under a common branding, for example, Yahoo and Excite.

Private key
The password which permits information to be decoded in a public key encryption system.

Public key
The password which is used to send a secure message in a public key encryption system.

Secure Certificate
A document that is used to certify that a user or organisation is who they say they are. They contain information about who it belongs to, who it was issued by, expiry date and information that can be used to check out the contents of the certificate. It is as an important part of the SSL system for establishing secure connections.

Server
A computer that provides a service to other computers (known as clients) on a network.

Shopping cart
A shopping cart is a piece of software that acts as an online store’s catalogue and ordering process. Typically, a shopping cart is the interface between a company’s Web site and its deeper infrastructure, allowing consumers to select merchandise; review what they have selected; make necessary modifications or additions; and purchase the merchandise.

Shopping carts can be sold as independent pieces of software so companies can integrate them into their own unique online solution, or they can be offered as a feature from a service that will create and host a company’s e-commerce site.

Spam
The use of email or newsgroups to send unsolicited information.

SSL
Short for Secure Sockets Layer, a protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a private key to encrypt data that’s transferred over the SSL connection. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with https: instead of http:.

Letting your customers know that you have SSL protection gives your site credibility and may encourage customers to deal with you in confidence.

A security protocol used to protect information – typically used between the cardholder’s web browser and the merchant’s webserver and throughout the transaction processing process. 128bit SSL is typical used as a minimum level within the Payment & Financial industries.

A Secure Server uses an SSL certificate. It is generally a piece of web space that can only be dealt with by using SSL ensuring that data transferred between the web space and the browser is encrypted.

Static web page
In web site terms, static means web pages that are not interactive. Because the web site visitor does not have any control over the information provided, the pages and information do not change with each visit. There is not a two-way communication between the user (client) and the web site (server) in a static page.

Uniform Resource Locator (URL)
An Internet address.

Web page
A specific group of related files on the web, which is usually viewed as a single document.

Web servers
At its core, a Web server serves static content to a Web browser by loading a file from a hard disk and serving it across the network to a user’s Web browser. This entire exchange is mediated by the browser and server talking to each other using HTTP.

Web site
A collection of web pages stored on a file server.

1 Comment :access, account, acquirer, Australia, authenticate, bank, Banking, bar, Card, card verification, Commerce, common gateway interface, Corporate, Credit, data, Debit, DES, Digital, Dust, EFT, Electronic, encryption, Explorer, financial institution, financial transaction, IEC, integration, interface, Internet, ISP, Mall, Merchant, Microsoft, money, network, online, password, payment, payment gateways, Pin, privacy, processing, Protection, reporting, script, security, server, Shiraz, SLA, something, support, Telstra, text, transaction, transmission, type, Verification, verification data, VISA, web more...

ISO 14443 contactless card

by admin on Mar.24, 2008, under RFID

An international standard for proximity or contactless smart card communication

ISO 14443 contactless card

ISO 14443 is an international standard which describes how contactless cards and terminals should work to ensure industry-wide compatibility, for example in identity, security, payment, mass-transit and access control applications.

ISO standards are developed by the ISO, the International Organization for Standardization. Technical committees comprising experts from the industrial, technical and business sectors develop the standards to increase levels of quality, reliability and interoperability on a global scale.

Gemplus has always had a strong involvement in ISO definition of the chip card standards, and has been represented in the development of this international standard. The ISO 14443 is divided into 4 separate parts outlining physical characteristics, radio frequency power and signal interface, initialization and anti-collision and transmission protocol.

Gemplus has developed a wide range of contactless payment solutions based on the ISO 14443 international standard. The speed and convenience of contactless technology has created a significant demand for this sort of solution in environments such as fast food restaurants, gas stations, public transport services, banks and many others.

Leave a Comment :access, bank, Card, Chip, chip card, contactless card, contactless cards, DES, development, Dust, environment, frequency, identity, interface, ISO 14443, iso standards, payment, payment solutions, proximity, public transport services, Radio, radio frequency power, Restaurant, security, Shiraz, smart card, standards, Technical, technology, transmission more...

Serious flaws in bluetooth security lead to disclosure of personal data

by admin on Mar.24, 2008, under Bluetooth

source

Summary
In November 2003, Adam Laurie of A.L. Digital Ltd. discovered that there are serious flaws in the authentication and/or data transfer mechanisms on some bluetooth enabled devices. Specifically, three vulnerabilities have been found:

Firstly, confidential data can be obtained, anonymously, and without the owner’s knowledge or consent, from some bluetooth enabled mobile phones. This data includes, at least, the entire phone book and calendar, and the phone’s IMEI.

Secondly, it has been found that the complete memory contents of some mobile phones can be accessed by a previously trusted (“paired”) device that has since been removed from the trusted list. This data includes not only the phonebook and calendar, but media files such as pictures and text messages. In essence, the entire device can be “backed up” to an attacker’s own system.

Thirdly, access can be gained to the AT command set of the device, giving full access to the higher level commands and channels, such as data, voice and messaging. This third vulnerability was identified by Martin Herfurt, and they have since started working together on finding additional possible exploits resulting from this vulnerability.

Finally, the current trend for “Bluejacking” is promoting an environment which puts consumer devices at greater risk from the above attacks.
Vulnerabilities

The SNARF attack:
It is possible, on some makes of device, to connect to the device without alerting the owner of the target device of the request, and gain access to restricted portions of the stored data therein, including the entire phonebook (and any images or other data associated with the entries), calendar, real-time clock, business card, properties, change log, IMEI (International Mobile Equipment Identity [6], which uniquely identifies the phone to the mobile network, and is used in illegal phone ‘cloning’). This is normally only possible if the device is in “discoverable” or “visible” mode, but there are tools available on the Internet that allow even this safety net to be bypassed[4]. Further details will not be released at this time (see below for more on this), but the attack can and will be demonstrated to manufacturers and press if required.

The BACKDOOR attack:
The backdoor attack involves establishing a trust relationship through the “pairing” mechanism, but ensuring that it no longer appears in the target’s register of paired devices. In this way, unless the owner is actually observing their device at the precise moment a connection is established, they are unlikely to notice anything untoward, and the attacker may be free to continue to use any resource that a trusted relationship with that device grants access to (but note that so far we have only tested file transfers). This means that not only can data be retrieved from the phone, but other services, such as modems or Internet, WAP and GPRS gateways may be accessed without the owner’s knowledge or consent. Indications are that once the backdoor is installed, the above SNARF attack will function on devices that previously denied access, and without the restrictions of a plain SNARF attack, so we strongly suspect that the other services will prove to be available also.

The BLUEBUG attack:
The bluebug attack creates a serial profile connection to the device, thereby giving full access to the AT command set, which can then be exploited using standard off the shelf tools, such as PPP for networking and gnokii for messaging, contact management, diverts and initiating calls. With this facility, it is possible to use the phone to initiate calls to premium rate numbers, send sms messages, read sms messages, connect to data services such as the Internet, and even monitor conversations in the vicinity of the phone. This latter is done via a voice call over the GSM network, so the listening post can be anywhere in the world. Bluetooth access is only required for a few seconds in order to set up the call. Call forwarding diverts can be set up, allowing the owner’s incoming calls to be intercepted, either to provide a channel for calls to more expensive destinations, or for identity theft by impersonation of the victim.

Bluejacking:
Although known to the technical community and early adopters for some time, the process now known as “Bluejacking”[1] has recently come to the fore in the consumer arena, and is becoming a popular mechanism for exchanging anonymous messages in public places. The technique involves abusing the bluetooth “pairing”[2] protocol, the system by which bluetooth devices authenticate each other, to pass a message during the initial “handshake” phase. This is possible because the “name” of the initiating bluetooth device is displayed on the target device as part of the handshake exchange, and, as the protocal allows a large user defined name field – up to 248 characters – the field itself can be used to pass the message. This is all well and good, and, on the face of it, fairly harmless, but, unfortunately, there is a down side. There is a potential security problem with this, and the more the practice grows and is accepted by the user community, and leveraged as a marketing tool by the vendors, the worse it will get. The problem lies in the fact that the protocol being abused is designed for information exchange. The ability to interface with other devices and exchange, update and synchronise data, is the raison d’être of bluetooth. The bluejacking technique is using the first part of a process that allows that exchange to take place, and is therefore open to further abuse if the handshake completes and the “bluejacker” successfully pairs with the target device. If such an event occurs, then all data on the target device becomes available to the initiator, including such things as phone books, calendars, pictures and text messages. As the current wave of PDA and telephony integration progresses, the volume and quality of such data will increase with the devices’ capabilities, leading to far more serious potential compromise. Given the furore that irrupted when a second-hand Blackberry PDA was sold without the previous owner’s data having been wiped[3], it is alarming to think of the consequences of a single bluejacker gathering an entire corporate staff’s contact details by simply attending a conference or camping outside their building or in their foyer with a bluetooth capable device and evil intent. Of course, corporates are not the only potential targets – a bluejacking expedition to, say, The House of Commons, or The US Senate, could provide some interesting, valuable and, who’s to say, potentially damaging or compromising data.<<<

The above may sound alarmist and far fetched, and the general reaction would probably be that most users would not be duped into allowing the connection to complete, so the risk is small. However, in today’s society of instant messaging, the average consumer is under a constant barrage of unsolicited messages in one form or another, whether it be by SPAM email, or “You have won!” style SMS text messages, and do not tend to treat them with much suspicion (although they may well be sceptical about the veracity of the offers). Another message popping up on their ‘phone saying something along the lines of “You have won 10,000 pounds! Enter this 4 digit PIN number and then dial 0900-SUCKER to collect your prize!” is unlikely to cause much alarm, and is more than likely to succeed in many cases.

Workarounds and fixes
We are not aware of any workarounds for the SNARF or BLUEBUG attacks at this time, other than to switch off bluetooth. For permanent fixes, see the ‘Fixes’ section at the bottom of the page.

To permanently remove a pairing, and protect against future BACKDOOR attacks, it seems you must perform a factory reset, but this will, of course, erase all your personal data.

To avoid Bluejacking, “just say no”.

The above methods work to the best of our knowledge, but, as the devices affected are running closed-source proprietary software, it not possible to verify that without the collaboration of the manufacturers. We therefore make no claims as to the level of protection they provide, and you must continue to use bluetooth at your own risk.

Who’s Vulnerable
To date the quantity of devices tested is not great. However, due to the fact that they are amongst the most popular brands, we still consider the affected group to be large. It is also assumed that there are shared implementations of the bluetooth stack, so what affects one model is likely to affect others. This table is accurate to the best of our knowledge, but without the cooperation of the manufacturers (which we currently do not have), it is not possible to conduct more extensive validation.

The devices known to be vulnerable at this time are:

Vulnerability Matrix ( = NOT Vulnerable)*
Make	Model	Firmware Rev	BACKDOOR	SNARF when Visible	SNARF when NOT Visible	BUG
Ericsson	T68	20R1B 20R2A013 20R2B013 20R2F004 20R5C001	?	Yes	No	No
Sony Ericsson	R520m	20R2G	?	Yes	No	?
Sony Ericsson	T68i	20R1B 20R2A013 20R2B013 20R2F004 20R5C001	?	Yes	?	?
Sony Ericsson	T610	20R1A081 20R1L013 20R3C002 20R4C003 20R4D001	?	Yes	No	?
Sony Ericsson	T610	20R1A081	?	?	?	Yes
Sony Ericsson	Z1010	?	?	Yes	?	?
Sony Ericsson	Z600	20R2C007 20R2F002 20R5B001	?	Yes	?	?
Nokia	6310	04.10 04.20 4.07 4.80 5.22 5.50	?	Yes	Yes	?
Nokia	6310i	4.06 4.07 4.80 5.10 5.22 5.50 5.51	No	Yes	Yes	Yes
Nokia	7650	?	Yes	No (+)	?	No
Nokia	8910	?	?	Yes	Yes	?
Nokia	8910i	?	?	Yes	Yes	?
* Siemens	S55	?	No	No	No	No
* Siemens	SX1	?	No	No	No	No
Motorola	V600 (++)	?	No	No	No	Yes
Motorola	V80 (++)	?	No	No	No	Yes

+ We now believe the 7650 is only vulnerable to SNARF if it has already been BACKDOORed.
++ The V600 and V80 are discoverable for only 60 seconds, when first powered on or when this feature is user selected, and the window for BDADDR discovery is therefore very small. Motorola have stated that they will correct the vulnerability in current firmware.

Disclosure
What is the Philosophy of Full Disclosure, and why are we providing the tools and detailing the methods that allow this to be done? The reasoning is simple – by exposing the problem we are achieving two goals: firstly, to alert users that the dangers exist, in order that they can take their own precautions against compromise, and secondly, to put pressure on manufacturers to rectify the situation. Consumers have a right to expect that their confidential data is treated as such, and is not subject to simple compromise by poorly implemented protocols on consumer devices. Manufacturers have a duty of care to ensure that such protection is provided, but, in practice, commercial considerations will often take precedence, and, given the choice, they may choose to simply supress or hide the problem, or, even worse, push for laws that prevent the discovery and/or disclosure of such flaws[5]. In our humble opinion, laws provide scant consumer protection against the lawless.

After 13 months, and in consideration of the fact that affected manufacturers had acknowledged the issues and made updated firmware available, Full Disclosure took place at the Chaos Computer Club’s annual congress – 21C3, in Berlin, 2004.

Slides from the disclosure talk can be found here: http://trifinite.org/Downloads/21c3_Bluetooth_Hacking.pdf

Tools
Proof of concept utilities have been developed, but are not yet available in the wild. They are:

bluestumbler – Monitor and log all visible bluetooth devices (name, MAC, signal strength, capabilities), and identify manufacturer from MAC address lookup.
bluebrowse – Display available services on a selected device (FAX, Voice, OBEX etc).
bluejack – Send anoymous message to a target device (and optionally broadcast to all visible devices).
bluesnarf – Copy data from target device (everything if pairing succeeds, or a subset in other cases, including phonebook and calendar. In the latter case, user will not be alerted by any bluejack message).
bluebug – Set up covert serial channel to device.
Tools will not be released at this time, so please do not ask. However, if you are a bona-fide manufacturer of bluetooth devices that we have been otherwise unable to contact, please feel free to get in touch for more details on how you can identify your device status.

Credits
The above vulnerabilities were discovered by Adam Laurie, during the course of his work with A.L. Digital, in November 2003, and this announcement was prepared thereafter by Adam and Ben Laurie for immediate release.

Adam Laurie is Managing Director and Chief Security Officer of A.L. Digital Ltd.

Ben Laurie is Technical Director of A.L. Digital, and author of Apache-SSL and contributor to many other open source projects, too numerous to expand on here.

A.L. Digital Ltd. are the owner operators of The Bunker, the world’s most secure data centre(s).
e: adam@algroup.co.uk
w: http://www.aldigital.co.uk

e: ben@algroup.co.uk
w: http://www.apache-ssl.org/ben.html

Further information relating to this disclosure will be updated at http://www.bluestumbler.org

References:
[1]

[2]

http://www.palowireless.com/infotooth/tutorial/lmp.asp

[3]

www.outlaw.com

[4]

bluesniff
btscanner
redfang

[5]

http://www.eff.org/

[6]

http://www.babt.com/gsm-imei-number-allocation.asp
http://www.mobiledia.com/glossary/68.html
- The Bluetooth SIG.
- Bruce Potter’s Defcon-11 presentation [Powerpoint].
- @Stake’s Bluetooth Discovery Paper [PDF].
- Marcel Holtmann’s German papers.
- Marcel Holtmann’s other papers.
- Bluetooth Device Security Database.
- Martin Herfurt’s CeBIT snarfing expedition.
- Slides from Blackhat/DEFCON talk.
- Nokia releases patches.

In the news

Bluetooth

by admin on Mar.24, 2008, under Bluetooth

Source

This article is about the Bluetooth wireless specification. For King Harold Bluetooth, see Harold I of Denmark

Bluetooth is an industrial specification for wireless personal area networks (PANs).

Bluetooth provides a way to connect and exchange information between devices like personal digital assistants (PDAs), mobile phones, laptops, PCs, printers and digital cameras via a secure, low-cost, globally available short range radio frequency.

Bluetooth lets these devices talk to each other when they come in range, even if they’re not in the same room, as long as they are within 10 metres (32 feet) of each other.

The spec was first developed by Ericsson, later formalised by the Bluetooth Special Interest Group (SIG). The SIG was formally announced on May 20, 1999. It was established by Sony Ericsson, IBM, Intel, Toshiba and Nokia, and later joined by many other companies as Associate or Adopter members.

* 1 About the name
* 2 General information
o 2.1 Embedded Bluetooth
* 3 Features by version
o 3.1 Bluetooth 1.0 and 1.0B
o 3.2 Bluetooth 1.1
o 3.3 Bluetooth 1.2
o 3.4 Bluetooth 2.0
* 4 Future Bluetooth uses
* 5 Security concerns
* 6 Bluetooth profiles
* 7 See also
* 8 External links

About the name

The system is named after a Danish king Harald Blåtand (<arold Bluetooth in English), King of Denmark and Norway from 935 and 936 respectively, to 940 known for his unification of previously warring tribes from Denmark, Norway and Sweden. Bluetooth likewise was intended to unify different technologies like computers and mobile phones. The Bluetooth logo merges the Nordic runes for H and B.

General information

A typical Bluetooth mobile phone headset

The latest version currently available to consumers is 2.0, but few manufacturers have started shipping any products yet. Apple Computer, Inc. offered the first products supporting version 2.0 to end customers in January 2005. The core chips have been available to OEMs (from November 2004), so there will be an influx of 2.0 devices in mid-2005. The previous version, on which all earlier commercial devices are based, is called 1.2.

Bluetooth is a wireless radio standard primarily designed for low power consumption, with a short range (up to 10 meters [1], ) and with a low-cost transceiver microchip in each device.

It can be used to wirelessly connect peripherals like printers or keyboards to computers, or to have PDAs communicate with other nearby PDAs or computers.

Cell phones with integrated Bluetooth technology have also been sold in large numbers, and are able to connect to computers, PDAs and, specifically, to handsfree devices. BMW was the first motor vehicle manufacturer to install handsfree Bluetooth technology in its cars, adding it as an option on its 3 Series, 5 Series and X5 vehicles. Since then, other manufacturers have followed suit, with many vehicles, including the 2004 Toyota Prius and the 2004 Lexus LS 430. The Bluetooth car kits allow users with Bluetooth-equipped cell phones to make use of some of the phone’s features, such as making calls, while the phone itself can be left in a suitcase or in the boot/trunk, for instance.

The standard also includes support for more powerful, longer-range devices suitable for constructing wireless LANs.

A Bluetooth device playing the role of “master” can communicate with up to 7 devices playing the role of “slave”. At any given instant in time, data can be transferred between the master and one slave; but the master switches rapidly from slave to slave in a round-robin fashion. (Simultaneous transmission from the master to multiple slaves is possible, but not used much in practice). These groups of up to 8 devices (1 master and 7 slaves) are called piconets.

The Bluetooth specification also allows connecting two or more piconets together to form a scatternet, with some devices acting as a bridge by simultaneously playing the master role in one piconet and the slave role in another piconet. These devices have yet to come, though are supposed to appear within the next two years.

Any device may perform an “inquiry” to find other devices to which to connect, and any device can be configured to respond to such inquiries.

Pairs of devices may establish a trusted relationship by learning (by user input) a shared secret known as a “passkey”. A device that wants to communicate only with a trusted device can cryptographically authenticate the identity of the other device. Trusted devices may also encrypt the data that they exchange over the air so that no one can listen in.

The protocol operates in the license-free ISM band at 2.45 GHz. In order to avoid interfering with other protocols which use the 2.45 GHz band, the Bluetooth protocol divides the band into 79 channels (each 1 MHz wide) and changes channels up to 1600 times per second. Implementations with versions 1.1 and 1.2 reach speeds of 723.1 kbit/s. Version 2.0 implementations feature Bluetooth Enhanced Data Rate (EDR), and thus reach 2.1 Mbit/s. Technically version 2.0 devices have a higher power consumption, but the three times faster rate reduces the transmission times, effectively reducing consumption to half that of 1.x devices (assuming equal traffic load).

Bluetooth differs from Wi-Fi in that the latter provides higher throughput and covers greater distances but requires more expensive hardware and higher power consumption. They use the same frequency range, but employ different multiplexing schemes. While Bluetooth is a cable replacement for a variety of applications, Wi-Fi is a cable replacement only for local area network access. A glib summary is that Bluetooth is wireless USB whereas Wi-Fi is wireless Ethernet.

Many USB Bluetooth adapters are available, some of which also include an IrDA adapter.

Embedded Bluetooth

Bluetooth devices and modules are increasingly being made available which come with an embedded stack and a standard UART port. The UART protocol can be as simple as the industry standard AT protocol, which allows the device to be configured to cable replacement mode. This means it now only takes a matter of hours (instead of weeks) to enable legacy wireless products that communicate via UART port.

Features by version

Bluetooth 1.0 and 1.0B

Versions 1.0 and 1.0B had numerous problems and the various manufacturers had great difficulties in making their products interoperable. 1.0 and 1.0B also had mandatory Bluetooth Hardware Device Address (BD_ADDR) transmission in the handshaking process, rendering anonymity impossible at a protocol level, which was a major set-back for services planned to be used in Bluetooth environments, such as Consumerism.

Bluetooth 1.1

In version 1.1 many errata found in the 1.0B specifications were fixed. There was added support for non-encrypted channels.

Bluetooth 1.2

This version is backwards compatible with 1.1 and the major enhancements include

Adaptive Frequency Hopping (AFH), which improves resistance to radio interference by avoiding using crowded frequencies in the hopping sequence
Higher transmission speeds in practice
extended Synchronous Connections (eSCO), which improves voice quality of audio links by allowing retransmissions of corrupted packets.
Received Signal Strength Indicator (RSSI)
Host Controller Interface (HCI) support for 3-wire UART
HCI access to timing information for Bluetooth applications.

Bluetooth 2.0

This version is backwards compatible with 1.x and the major enhancements include

Non-hopping narrowband channel(s) introduced. These are faster but have been criticised as defeating a built-in security mechanism of earlier versions; however frequency hopping is hardly a reliable security mechanism by today’s standards. Rather, Bluetooth security is based mostly on cryptography.
Broadcast/multicast support. Non-hopping channels are used for advertising Bluetooth service profiles offered by various devices to high volumes of Bluetooth devices simultaneously, since there is no need to perform handshaking with every device. (In previous versions the handshaking process takes a bit over one second.)
Enhanced Data Rate (EDR) of 2.1 Mbit/s.
Built-in quality of service.
Distributed media-access control protocols.
Faster response times.
Halved power consumption due to shorter duty cycles.

Future Bluetooth uses

One of the ways Bluetooth technology may become useful is in Voice over IP. When VOIP becomes more widespread, companies may find it unnecessary to employ telephones physically similar to today’s analogue telephone hardware. Bluetooth may then end up being used for communication between a cordless phone and a computer listening for VOIP and with an infrared PCI card acting as a base for the cordless phone. The cordless phone would then just require a cradle for charging. Bluetooth would naturally be used here to allow the cordless phone to remain operational for a reasonably long period.

Security concerns

In November 2003, Ben and Adam Laurie from A.L. Digital Ltd. discovered that serious flaws in Bluetooth security lead to disclosure of personal data (see http://bluestumbler.org). It should be noted however that the reported security problems concerned some poor implementations of Bluetooth, rather than the protocol itself.

In a subsequent experiment, Martin Herfurt from the trifinite.group was able to do a field-trial at the CeBIT fairgrounds showing the importance of the problem to the world. A new attack called BlueBug was used for this experiment.

In April 2004, security consultants @Stake revealed a security flaw that makes it possible to crack into conversations on Bluetooth based wireless headsets by reverse engineering the PIN.

This is one of a number of concerns that have been raised over the security of Bluetooth communications. In 2004 the first purported virus using Bluetooth to spread itself among mobile phones appeared for the Symbian OS. The virus was first described by Kaspersky Labs and requires users to confirm the installation of unknown software before it can propagate. The virus was written as a proof-of-concept by a group of virus writers known as 29a and sent to anti-virus groups. Because of this, it should not be regarded as a security failure of either Bluetooth or the Symbian OS. It has not propagated ‘in the wild’.

In August 2004, a world-record-setting experiment (see also Bluetooth sniping) showed that with directional antennas the range of class 2 Bluetooth radios could be extended to one mile. This enables attackers to access vulnerable Bluetooth-devices from a distance beyond expectation.

Bluetooth uses the SAFER+ algorithm for authentication and key generation.

Bluetooth profiles

In order to use Bluetooth, a device must be able to interpret certain Bluetooth profiles. These define the possible applications. Following profiles are defined:

Generic Access Profile (GAP)
Service Discovery Application Profile (SDAP)
Cordless Telephony Profile (CTP)
Intercom Profile (IP)
Serial Port Profile (SPP)
Headset Profile (HSP)
Dial-up Networking Profile (DUNP)
Fax Profile
LAN Access Profile (LAP)
Generic Object Exchange Profile (GOEP)
Object Push Profile (OPP)
File Transfer Profile (FTP)
Synchronisation Profile (SP)

This profile allows synchronisation of Personal Information Manager (PIM) items. As this profile originated as part of the infra-red specifications but has been adopted by the Bluetooth SIG to form part of the main Bluetooth specification, it is also commonly referred to as IrMC Synchronisation.

Hands-Free Profile (HFP)
Human Interface Device Profile (HID)
Hard Copy Replacement Profile (HCRP)
Basic Imaging Profile (BIP)
Personal Area Networking Profile (PAN)
Basic Printing Profile (BPP)
Advanced Audio Distribution Profile (A2DP)
Audio Video Remote Control Profile (AVRCP)
SIM Access Profile (SAP)

Compatibility of products with profiles can be verified on the Bluetooth Qualification website.

External links

Bluetooth Tutorial Includes information on Architecture, Protocols, Establishing Connections, Security and Comparisons
Bluetooth connecting and paire guide
The Official Bluetooth® Wireless Info Site<SIG public pages
Howstuffworks.com explanation of bluetooth
The Bluetooth Car Concept
A series of guides on how-to connect devices like mobile phones, PDAs, desktop/laptops, headsets and use different Bluetooth services
Mapping Salutation Architecture APIs to Bluetooth Service Discovery Layer
Bluetooth™ Security White Paper
Security Concerns
Laptops, PDA and mobile (cell) phones with Bluetooth(TM) and Linux
Bluetooth qualified products
Bluecarkit discussion forum about Bluetooth car handsfree
Bluetooth in spanish
Radio-Electronics.Com – Overview of Bluetooth and its operationi>

Bluetooth Background information about bluetooth (German)
Bluetooth.org – The Official Bluetooth Membership Sitei>

1 Comment :access, algorithm, antenna, architecture, ASP, attack, authenticate, authentication, Bluejacking, Bluetooth, bluetooth profiles, bluetooth special interest group, broadcast, Card, Chip, Communications, Cryptographically, data, DES, Digital, Dust, EDR, EFT, Electronic, encryption, environment, Ericsson, Ethernet, frequency, GHz, Guide, hardware, HCI, identification, identity, interface, ISP, JAVA, javascript, Mall, mobile phones, network, personal area networks, phone, php, Pin, Radio, RSA, SAP, scatternet, script, security, security concerns, Serious, Shiraz, SLA, SNARF, standards, support, Technical, technology, template, transmission, trunk, USB, VOIP, Vulnerable, web, wireless personal area, wireless personal area networks more...

What do you mean by three technologies on one card?

by admin on Mar.24, 2008, under RFID

There is confusing terminology used in the market to refer to cards that can support a combination of technologies. Cards are described as multiple technology when multiple, independent technologies share a common plastic card and do not communicate or interact with each other (e.g., magnetic stripe and contactless or contact chip). Cards are described as having a “dual-interface” when the card has a single integrated circuit (IC) that can communicate with a smart card reader/terminal via either contact or contactless.

Leave a Comment :Card, Chip, circuit, DES, dual interface, interface, magnetic stripe, Reader, Shiraz, smart card, smart card reader, support, technology more...

New e-Commerce and Payment Technologies Company

by admin on Mar.24, 2008, under Banking and EFTPoS

Recently I came across a new e-Commerce company called EFT Networks, which seems to have an exciting future in the Global Payments Market.

It looks like they have a good mix of consulting and solution design.

www.eftnetworks.com

Services

Electronic Payment

Designed to enable both credit card and direct debit, EFT Networks electronic payment solutions work effectively across multiple sales channels—including Web, Contact Call Centre, IVR and EFTPOS. Manage your payment processing system in-house or outsource, depending on your business needs.

Global Payments

International commerce requires fully integrated global payment and risk management solutions. Requirements span the gamut of payment acceptance considerations from accepting local payment types, pricing in local currencies and dynamically updating prices with changes in exchange rates (dynamic currency conversion), authorising and settling in multiple currencies, to managing fraud and compliance issues such as tax and export regulations. EFT Networks offers a single interface to the global payment network to handle all of these considerations as your business grows.

ICE – Reporting & Management

The EFT Networks Enterprise Business Center gives you a single, easy-to-use interface for managing and configuring payment processing services.

ICE caters for each area of the payment transaction cycle from authentication, authorisation, settlement, dispute resolution and reconciliation – enabling our clients to reduce transaction costs, eliminate fraud, minimise risk, maximise cash flow and increase profitability.

Integrations

EFT Networks provides flexible and secure payment and risk management integrations in to host and legacy systems as well as industry-leading software.

Using industry standards and protocols, our solutions can be customised to suit your exact business requirements

Products

ICE (Intelligent Communications Exchange)

At the core is our Intelligent Communications Exchange (ICE) which enables all known transaction enablers from EFTPOS to eCommerce to be routed directly to a client’s bank without intervention for real time acceptance and authentication.

The EFT Networks ICE operates under a philosophy of total System and Physical redundancy delivering the highest uptime rates possible, whilst the transaction network is protected using Solid State and Application Firewalls on all points of ingress and egress.

Every transaction processed through EFT Networks is encrypted using 128 bit Secure Socket Layer (SSL) encryption and submitted for authorisation through EFT Networks “Secure Virtual Private Network” (SVPN).

Our commitment to security is also reflected in our swift compliance with Card Schemes security initiatives such as VerifiedByVisa and MasterCard SecureCode.

EFT Networks comprehensive suit of online reporting tools combined with daily transaction reports will ensure that our clients always have access to up-to-date management information allowing Business Managers to make quick and well-informed business decisions. The decision making process is simplified even further with the power of daily reports that are customised to be imported into most existing legacy systems.

Leave a Comment :access, authentication, Authorisation, bank, Card, card schemes, Commerce, Communications, Credit, Debit, DES, Dust, EFT, EFTPoS, Electronic, encryption, Enterprise, Ingres, integration, interface, ISP, JAVA, javascript, network, online, payment, payment solutions, processing, reporting, script, security, settlement, Shiraz, standards, SWIFT, transaction, type, VISA, web more...

Howdy. Welcome to Madrock!
Thanks for dropping by! Feel free to join the discussion by leaving comments, and stay updated by subscribing to the RSS feed. See ya around!
Categories
Recent Posts
- No need to bypass security with a boot disk – 17 year old Windows exploit found
  
  The problem has been discovered in the Virtual DOS Machine (VDM) introduced in 1993 to support 16-bit applications (real mode applications for 8086). VDM is based on the Virtual 8086 Mode (VM86) in 80386 processors and, among other things, intercepts hardware routines such as BIOS calls. Google security team member Tavis Ormandy has found several [...]
  
  more...
- The Internet is the modern day electricity
  
  Recently I have been been sorting through some of my old electronic engineering books and found myself randomly flicking through circuit design principals and practical electronics/radio theory application of calculus.
  I remember the amount of hours I spent trying to get the different laws (Faraday, Coulomb, Kirchhoff, Lenz, Ohm, etc.) stuck in my head ready for [...]
  
  more...
- SSLv3 / TLS Man in the Middle vulnerability
  
  Recently I have been looking into the vulnerabilities in the TLS negotiation process discovered late last year.
  There are a range of experts debating the exploit methods, tools and how it may be fixed (server or client site or both). From what I have seen so far this may prompt a change to the TLS standard [...]
  
  more...

Recent Comments
Translator

By N2H
Visitors Online
- 16 visitor(s) online
- powered by WassUp

Tag: interface

ROUTER COMMANDS :

These may also assist: Undocumented Cisco Commands

Table of contents

About the name

General information

Embedded Bluetooth

Features by version

Bluetooth 1.0 and 1.0B

Bluetooth 1.1

Bluetooth 1.2

Bluetooth 2.0

Future Bluetooth uses

Security concerns

Bluetooth profiles

See also

External links

Services

Electronic Payment

Global Payments

ICE – Reporting & Management

Integrations

Products

ICE (Intelligent Communications Exchange)

Howdy. Welcome to Madrock!

Categories

Blogroll

Recent Comments

Translator

Visitors Online

ROUTER COMMANDS `:`