This is the fourth part in the series “Missives from the Trenches.” (Here are the (first), (second), and (third) parts of the series.) In today’s blog post we will be discussing Cisco IOS NetFlow. NetFlow occupies an odd position: it is at once the most useful and the least used tool available. When meeting with other companies I often ask them, “Do you use NetFlow?” By asking this question I am actually asking several others: Do you care about the security of your site? Do you have any hope of managing and responding to events at your site? Unfortunately, the answers tend to run along these lines: “What is NetFlow?” “The network guys use it, but we don’t.” “I think we capture it somewhere, but I’m not really sure where.” And so on. I then point out that NetFlow is free, that they don’t have to buy anything to start using it, and that we use it in every large case we work. At that point they start looking angrily at the sales engineer, asking why this is the first they are hearing about it. So what is NetFlow, and why does Cisco CSIRT say it’s critical to daily event management? Read on to find out!
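To make the “it’s free and you already have it” point concrete, here is what enabling traditional NetFlow export looks like on a Cisco IOS router. This is an added example, not configuration from the original post; the collector address 192.0.2.10, the UDP port 2055, the Loopback0 source and the GigabitEthernet0/0 interface are placeholders to be replaced with your own values.

```cisco
! Export flow records to a collector; version 9 carries the richest field set
ip flow-export source Loopback0
ip flow-export version 9
ip flow-export destination 192.0.2.10 2055
! Flush long-lived flows every minute so the collector sees them promptly
ip flow-cache timeout active 1
! Account for traffic entering and leaving the monitored interface
interface GigabitEthernet0/0
 ip flow ingress
 ip flow egress
```

Once applied, `show ip cache flow` displays the live flow cache on the router and `show ip flow export` confirms that records are leaving for the collector. Nothing here requires a license or additional hardware; the only thing to provide is a host that receives the UDP export and stores it for later searching.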
Have you ever watched a movie called “The Abyss?” Near the end of the movie there’s a scene that I think is particularly relevant to this post. Our hero has to go 17,000 feet under the sea to disarm a nuclear bomb (watch the movie and you’ll know how the bomb ended up there and why our hero has the unenviable task of disarming it). And when he gets to the bomb, he’s instructed to “cut the blue wire with a white stripe — not the black wire with a yellow stripe” in order to disable it.
Easy enough, right? The problem is that our hero is using a glow stick as a light source, and under its yellowish light he can’t accurately determine which wire is which; they both look exactly the same. So after a bit of indecision, preparing to cut one but changing his mind, he goes ahead and cuts a wire. Lucky for him, it was the right one.
Here at the Cisco PSIRT we do not have to deal with such explosive situations (well, not in a physical sense, anyway), but we do think that making security decisions based on incomplete data is a poor approach. That is why our vulnerability disclosure process keeps evolving over time.
This past weekend, Gawker Media began notifying more than 1.3 million users, across its variety of website properties, that their user databases and other information assets had been compromised. A complete dump of the user database was being distributed via BitTorrent, and a pastebin.com log of various details was posted (this has since been removed). As details emerge and are analyzed, it appears that the breach was a final act from a group that had gained fairly considerable access to Gawker Media, and had reviewed and extracted a great deal of information for at least a month. As we often do on the Cisco Security Blog, let’s take a look at how we could learn from others’ misfortune.
Last week, an Internet Privacy Workshop was held at MIT, sponsored by the IAB, W3C, MIT, and ISOC. About 60 people attended, including three of us from Cisco. To be invited to the workshop, participants needed to write a short position paper on a topic relating to Internet privacy. The position papers and the workshop covered a wide range of topics, and the papers are expected to be published in the near future. In the meantime, here is my submission, which ties closely to work being done in the identity field.
Hackers recently gained control of an Indonesian government Twitter account and used it to broadcast a fictitious, impending tsunami in Jakarta, Indonesia to over 8,000 followers. While this was by no means a catastrophic event, I’m sure it caused a fair amount of chaos and disruption for people in Jakarta and the surrounding areas. Doesn’t this sound like the 21st-century version of yelling “Fire!” in a crowded movie theater? In any event, as with any technology-related failure, there are important lessons to be learned from this miscreant-generated Tweet…or shall we call it a “MisTweet”?