Cisco Blogs

Security Questions

May 24, 2009 - 0 Comments

What a fantastic show last week – “Crime Still Pays” featuring Patrick Peterson and Kevin Kennedy taped LIVE from the RSA 2009 show. (You can catch the recording right now with no waiting). We had questions and some consistency with ‘requests for clarification’ that I promised we would follow up on in the blog here. Several people inquired about a tool that Jimmy Ray referred to in rather loving fashion…it was ‘Maltego’ – an open source forensics application that can assist in drawing out hard to define relationships. * * * * * *Another common question we received was around MD6. What is it? In a nutshell…its new cryptography that although it had not had time to make it into any real products yet…it was already being used in Conficker B. This fact, plus the speed in which it was updated is fascinating. Here is a great explanation straight from the SRI International Analysis under the ‘implications of Variant C:In evaluating this mechanism, we find that the Conficker authors have devised a sophisticated encryption protocol that is generally robust to direct attack. All three crypto-systems employed by Conficker’s authors (RC4, RSA, and MD-6) also have one underlying commonality. They were all produced by Dr. Ron Rivest of MIT. Furthermore, the use of MD-6 is a particularly unusual algorithm selection, as it represents the latest encryption hash algorithm produced to date. The discovery of MD-6 in Conficker B is indeed highly unusual given Conficker’s own development time line. We date the creation of Conficker A to have occurred in October 2008, roughly the same time frame that MD-6 had been publicly released by Dr. Rivest (see While A employed SHA-1, we can now confirm that MD-6 had been integrated into Conficker B by late December 2008 (i.e., the authors chose to incorporate a hash algorithm that had literally been made publicly available only a few weeks earlier).Unfortunately for the Conficker authors, by mid-January, Dr. Rivest’s group submitted a revised version of the MD-6 algorithm, as a buffer overflow had been discovered in its implementation. This revision was inserted quietly, followed later by a more visible public announcement of the buffer overflow on 19 February 2009, with the release of the Fortify report ( We confirmed that this buffer overflow was present in the Conficker B implementations. However, we also confirmed that this buffer overflow was not exploitable as a means to take control of Conficker hosts. Nevertheless, the Conficker developers were obviously aware of these developments, as they have now repaired their MD-6 implementation in Conficker C, using the identical fix made by Dr. Rivest’s group. Clearly the authors are aware of, and adept at understanding and incorporating, the latest cryptographic advances, and are actively monitoring the latest developments in this community.* * * * * * iACL’s or ‘Infrastructure ACL’s’ were also a hot topic in this show. Jimmy Ray wanted to share how these little known commands can make life a lot easier when you feel like you are getting run over with the never ending list of regular ACL’s. Many were asking for copies of his commands and examples..fortunatly for me…he waxed eloquent in a blog entry recently on that very subject over at the Cisco Learning Network Community on ‘Please Stop the Insanity’The final request that came out of this same iACL discussion revolved around a list of Special Use IPv4 Addresses: – This block, formerly known as the Class D address space, is allocated for use in IPv4 multicast address assignments. The IANA guidelines for assignments from this space are described in [RFC3171]. – This block, formerly known as the Class E address space, is reserved. The “limited broadcast” destination address should never be forwarded outside the (sub-)net of the source. The remainder of this space is reserved for future use. [RFC1700, page 4]3. Summary Table Address Block Present Use Reference ——————————————————————— “This” Network [RFC1700, page 4] Private-Use Networks [RFC1918] Public-Data Networks [RFC1700, page 181] Cable Television Networks — Reserved but subject to allocation [RFC1797] Loopback [RFC1700, page 5] Reserved but subject to allocation — Link Local — Private-Use Networks [RFC1918] Reserved but subject to allocation — Reserved but subject to allocation — Test-Net 6to4 Relay Anycast [RFC3068] Private-Use Networks [RFC1918] Network Interconnect Device Benchmark Testing [RFC2544] Reserved but subject to allocation — Multicast [RFC3171] Reserved for Future Use [RFC1700, page 4]You can get that whole list here * * * * * All the documentation for SAFE can be found by simply going to* * * * * Our final points in the show centered on the proper use of IPS in a network, especially when using Etherchannel Load Balancing. Cisco has some good documentation on this you should check out for more detail – just be advised that it does refer to an older version of IPS in the example but the design principles still apply.Please check out the great whitepaper and reference docs at IronPort for more information on the power of reputation analysis and more detail around the web threats we were discussing with Kevin Kennedy. You can also reference information found in the show notes blog entry as well. Got any more questions? Did my explanations only raise more questions? Let us know – Robb

In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.