• In 2007 there were 500 million connected devices or 1/10th of a connected device per person worldwide. In 2010, there are now 35 billion (5 connected devices per person). In 2013, Forester Research projects that there will be 1 trillion (140 per person) connected devices.
• In 2007 there were about 3000 total mobile applications. In 2010, there are 265,000 mobile applications. Current growth trends estimate in 2013 there will be 1.5 million mobile applications.
• In 2007 there were approximately 624,000 security threats (the document doesn’t specify what this really means). In 2010, there will be 2.6 million security threats. The Symantec and Cisco projection for 2013 predicts 5.7 million security threats.

It is amazing how much things in the IT world have changed in the past three years and taking that projection out another three years seems staggering. How is an organization supposed to handle the growing environment and the growing threats? Cisco offers some suggestions in this report:

1. Close gaps in situational awareness. Be aware of the totality of the network.
2. Focus first on solving “old” issues – and doing it well. Begin making improvements in the area of software updates and patches.
3. Educate your workforce on security – and include them in the process. Remember in information sec-u-r-it-y, You Are IT (U-R-IT). Kinda cheesy I know but it is a basic truth. We are all responsible for IT security.
4. Understand that one security border is no longer enough. Business has now become borderless and mobile.
5. View security as a differentiator for your business. “How an enterprise approaches security and responds to trends such as social networking and mobility can have a direct impact on ability to hire and retain talent.”

What do you think is going to happen in the next 3 years with regards to devices, applications, and security threats? Is the Cisco on target, or off base? Let me and other ITKE readers know your thoughts. Thanks for reading and let’s continue to be good network citizens.

Some things you will learn in this webinar:

• Using the Default Capture and Display Filters
• Creating a Few Hot Capture Filters
• Filtering Tips and Tricks for Troubleshooting
• Filtering Tips and Tricks for Security

Even if you are very familiar with Wireshark or other packet capture and protocol decode tools, Laura’s seminars are well worth attending. You might even find out a little tidbit here or there because Repetition is one of the keys of learning. Unfortunately I will not be able to attend this webinar since I will be on a golf vacation in North Carolina. So, if you attend this event, please come back and share with me and other IT Trenches readers what you learned and how valuable the webinar was for you.

Thanks for reading and let’s continue to be good network citizens!

• Wireshark elements and capabilities
  
• Tapping into the wired or wireless network
  
• Capturing and filtering basics
  
• Graphing basics

If you cannot attend the seminar, you can still register and download the seminar notes and gain access to the trace files used in the session. If you manage a network, you should learn this stuff! Be sure to register and attend early. The sessions are limited to 1000 viewers and these fill up FAST!

See my entry

Repetition is one of the keys of learning

for a how attending one of these seminars helped address an issue I was having with using Wireshark.

Thanks for reading and lets continue to be good network citizens!

There are many options in Wireshark that go unused or require some understanding and practice to use.  Laura is great about going under the covers and revealing exactly what you need to use and how to use it. I have used ethereal (Wireshark’s predecessor) and Wireshark for several years now. It is only with continued education by Laura on the features that I am gaining a better understanding of this network analysis tool and the ins and outs of using it. For example, the Statistics – TCP Stream Graph – Round Trip Time Graph option. I thought my copy of Wireshark was flawed as I never received any results in the graph. Today, Laura’s online seminar showed me that I was likely reversing the results and ending up with an empty result set. Now I know! You can almost always learn something new about something old. Just keep digging! Thanks Laura for the tip.

In case you have missed any previous postings about Laura, here’s a few for you to check out.

Is protocol analysis or network management your thing?

ARP as a network auditing tool

Did you see this? – Latest Laura Chappell Newsletter

Did you see this? – the viral bitgirl

Thanks for reading & let’s continue to be good network citizens.

Is protocol analysis or network management your thing?

ARP as a network auditing tool

Did you see this? – Latest Laura Chappell Newsletter

Did you see this? – the viral bitgirl

She has now started a new online seminar series. Some of the presentation are free and others are accessible for a fee of $99. If you cannot get away for education, then this is an excellent alternative and you can gain a great amount of knowledge from this packet analysis expert. I recommend that you visit Chappell Online University and sign up for the free Wireshark Jumpstart: Master Key Tasks for Network Troubleshooting seminar to get a feel for the seminars.

Thanks for reading and let’s continue to be good network citizens!

· Ability to capture WWAN (mobile broadband) and Tunnel traffic on Windows 7.

· Full Hyper-V support on Windows Server 2008

· Right-click-add-to-alias: Right-click a frame in the Frame Summary window with an IPv4, IPv6 or MAC address to add that address as a new alias. This is one of those little things that simplifies your work-flow.

· Right-click-go-to-definition: Have you ever wondered where and how the protocols fields you see in the Frame Details are defined in our in-built parsers? Wonder no more. Introducing right-click-go-to-definition: right-click a field in the Frame Details window and select Go To Data Field Definition or Go To Data Type Definition to see where the field is defined in the NPL parsers.

· Autoscroll: Another one of those little, but priceless things … auto-scroll. See the most recent traffic as it comes in. In a live capture, click the AutoScroll button on the main toolbar to have the Frame Summary window automatically scroll down to display the most recent frames as they come in. Click Autoscroll again to freeze the view in its present location.

Several other new features are described in the Technet blog. If you capture packets on a Microsoft network, then you should get this upgraded version to add to your toolbox.

Thanks for reading and let’s continue to be good network citizens.

• Network Diagnostic Tool

  Test your connection speed and receive sophisticated diagnosis of problems limiting speed.

• Glasnost

  Test whether BitTorrent is being blocked or throttled.

• Network Path and Application Diagnosis

  Diagnose common problems that impact last-mile broadband networks.

• DiffProbe (coming soon)

  Determine whether an ISP is giving some traffic a lower priority than other traffic.

• NANO (coming soon)

  Determine whether an ISP is degrading the performance of a certain subset of users, applications, or destinations.

We had a situation recently where malicious software got onto a couple of machines and attempted to use the Administrator account to login. We have account lockout on our Windows 2003 AD domain, so after the appropriate number of invalid tries the Administrator account was locked out in the domain. This is because the machines were members of the domain and the malware did not distinguish the local administrator account from the domain administrator when attempting to elevate authority. Note that we use least user authority in our environment so the malware was not able to spread beyond these two machines. We suspect the machines became infected due to out of date antivirus signatures.

Unfortunately, the antivirus we use did not alert us to the situation. The way we were alerted was by our Microsoft Systems Center Operations Manager (SCOM) implementation. It notified the SCOM admin that the domain Administrator account was locked. The operations team was then tasked with tracking down what or who was locking this account. This is where the Microsoft Account Lockout and Management Tools came in use and helped isolate the cause.

The first tool that we used was the LockoutStatus.exe. The screen looks like this after running and finding the Administrator account is NOT locked out. This is after I had already unlocked the account.

As you can see it checked a lot of domain controllers. I ran this directly on one of the AD domain controllers. When an account is locked out, there will be a lockout time and an Orig. Lock domain controller listed. You can set what account you wish to check lockout on as well as what domain you want to test. The options screen looks like this.

If the account is locked and a domain controller is listed, the next step is to run the EventCombMT tool. This tool can be used for much more than just account lockout analysis but that is the only focus of its use today. You need to specify several things in this tool to get it to find the event log records of interest.

The domain needs to be filled in. Then right-click in the Select To Search/Right Click to Add field and select what servers’ event logs you wish to scan for the event of interest. In this case, I’m choosing the domain controller that is shown in the Orig.Lock column in the LockoutStatus tool. Select the Security log and the Success Audit and Failure Audit Event Types. The Event ID of 675 is the specific event of interest where the client is attempting to use a locked account. The Text field would have the account of interest.

One additional thing you might consider doing is to narrow down the date range. As default, the eventcombmt tool looks through all of the active logs on the server(s). So, it could take a substantial amount of time to complete the scan. The eventcombmt Options menu item has the following selections that can help you narrow down the search or tweak how the tool runs.

In my case, since the LockoutStatus window would have the Lockout Time listed, I would take a time span on either side of this event. So, in this example, I used a 24 hour period from 11:37 AM yesterday, until 11:37 today.

This modifies the search criteria. Then, click Search and the application searches the event logs of the server(s) for the criteria selected.

When eventcombmt finishes the log search, some summary statistics are displayed.

The application writes a text file to the C:\Temp folder by default. This text file contains a text file with a single line per event found matching the search criteria in the selected logs. A sample line for a search match is shown below with wrapping as needed.

675,AUDIT FAILURE,Security,Wed Feb 11 05:03:15 2009,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: Administrator

User ID: %(sid removed for security purposes) Service Name: krbtgt/domain.COM Pre-Authentication Type: 0×2 Failure Code: 0×18

Client Address: 10.xx.xx.200

The Client Address may indicate another domain controller or a client machine. If it is another domain controller, then you will need to rerun the eventcombmt process against that server. If the server is across a WAN link, then consider running the eventcombmt tool directly on that server. It could take a while to search the event logs across a slow WAN link. If the Client Address is the actual suspected source, then go to the client and speak with the user about the situation. If the device or user is locking out a security principal account, then severe action may need to be taken to ensure your environment is not placed at further risk letting the device and/or user remain on the network.

Thanks for reading and let’s continue to be good network citizens!

Newsletter 120908

Discount Codes – Nmap Book – Wireshark Certification Status – Global Knowledge – Movie Update – Virtual Conference Survey

Holiday/End-of-Year Specials at www.wiresharkU.com

• 25% off on Wireshark University Self-Paced Courseware (code WSU1208)
• $500 off already discounted price on Laura Chappell Master Library (code LCML1208)

Hot Links

• Summit 09 Notification
• Wireshark University Discounts – See above
• Fyodor Releases Nmap Network Scanning Book!
• Virtual Conference Survey – Should we or shouldn’t we?
• Pesky Pike: Dead Rocker – D’Ambrosia/Teves, see “Hollywood” item below
• Wireshark Training Video: Customized Columns (YouTube)

Fyodor Releases Nmap Book

Gordon “Fyodor” Lyon, the creator of the must-have tool, Nmap, has released the long-awaited title “Nmap Network Scanning”. This 468-page book (nmap.org/book/) is a required reading for anyone securing a network. I was thankful that Fyodor sent me a pre-release copy of the book, which was a blessing since the content was more in-depth than I’d hoped for. Chapters define scan variations, OS fingerprinting techniques, tips and tricks and the newly-developed ZenMap, the graphic front end for Nmap. “Nmap Network Scanning” should be front and center on your desk for months and years to come! Thanks, Fyodor!

Wireshark Certification Status

Final beta tests are underway for a planned January 2009 release of the long-awaited Wireshark Certification test. The Wireshark Certification Information Packet (WCIP) should be out at the beginning of the year (sign up to receive the document at www.wiresharktraining.com/certification).I know you’ve waited a long time for the certification and I appreciate your patience – it took me a lot longer to get the questions together and ensure we could deliver via the Internet.

Global Knowledge Signed as Wireshark Authorized Training Partner

We are thrilled to sign on Global Knowledge as our North American Wireshark University Authorized Training Partner. In Q1 2009, two new Wireshark courses release – the first course focuses on Wireshark basic through advanced functionality and in-depth review of TCP/IP communication patterns (CORE 1). The second course delves into troubleshooting and network forensics with the Wireshark Certification Vouchers included in the course price (CORE 2). More course information will be put on www.wiresharkU.com before end of year.Read the press release.

The Only Thing Slower than This Network is Hollywood!

Well, folks… after hearing about the ‘movie’ project for a few years now, you’re probably thinking the darn thing isn’t going to make it out there. You’re probably right, but one more step was checked off last week – the script was finalized. The writers, Joe D’Ambrosia and Tom Teves (Murray Hill 5 Productions) gave me the near-shocking news on Friday. If you don’t know these guys, check out the “Dead Rocker” (appropriate for kids) at www.youtube.com/watch?v=I5aD00UeE9g. I kinda figured out who the murderer was (at least I knew what the main clue was) after watching a second time. Can you/your kids figure it out?

Happy Holidays to All! [Oh... and if you checked out the movie link...no, I'm not a spy and no, my kids don't play soccer.]

Laura Chappell