mark hess | THE TOOLSHED


On the Wild Woolly Web, insightful and timely open-source intelligence analysis is critical for maintaining the necessary situational awareness to stay ahead of emerging security threats. Mark Hess' BEHIND THE LINES covers trends, tactics and strategies, combined with third-party research, speculations, real-time cyberintelligence assessments, and the occasional conspiracy theory.

Vishing Response Plan

Vishing is a form of phishing in which, instead of luring people with an email asking for personal information, the criminal uses a phone call, either live or automated, to attack the bank or credit union customer and extract critical information. In response to this spree of attacks, banking/security leaders from one of the impacted states have put together a vishing incident response plan for financial institutions.

Vishing Incident Response Plan

1. Set Procedures to Report Calls

Have a procedure for employees to report at the time of first [and subsequent] notification. This should include:

A. Information on originating phone number [if known];
B. Any pertinent details of phone conversation or recorded message;
C. What information was solicited [account numbers, debit card information]?
D. Did customer give out information and, if so, was account closed or debit card inactivated?
E. What was the callback number if the customer was directed to return a call?
F. Was the call made to your customer’s cell phone or a landline?
G. If the call was to a cell, who was the carrier [e.g., AT&T, Verizon, Sprint]?

2. Alert Customers

Notify customers as soon as you see a pattern of calls. Specifically:

A. Explain phone phishing [vishing] and text message phishing [smishing] to customers reporting calls. Have a script ready for your call center staff to refer to that describes what it is, and actions that the customer needs to take when they receive such calls.

B. Consider initiating a news article in your local paper or other media. This article needs to make clear that your bank is protecting customers with this information, and you have not suffered a breach. Non-customers will also be getting these calls, and that is proof that the calls are randomly generated to your area and not the result of any breach. This is a great time to reinforce that you will never call, email, or text to have your customer provide an account number or debit card information, as you already have that information available. Encourage anyone receiving these calls to hang up and call their financial institution directly on a number that they obtain themselves. Also provide a reminder that any caller ID is easily “spoofed.” Fraudsters can put in the number of any financial institution with a spoofing system and that will be displayed on the customer’s phone.

C. Place a banner with news of vishing attempts on your web page to let customers know that it is occurring in your area and you are protecting them through the notification. Consider adding signage and posters for drive-throughs and lobby areas to alert customers to the scam.

3. Run Down the Source

Identify the area code[s] on calls of origination and lines that customers are requested to call [simply Google the area code, "XXX area code"].

If the calls appear to be generated in the U.S., contact your local FBI office and ask for their cybercrime specialists or white collar crime division, which will handle bank fraud. They can help to get the phone line shut down immediately. You will also want to contact your local law enforcement contacts to alert them to the scam because consumers will be calling them to report the attempts.

If the calls are Canadian-based, contact PhoneBusters in Ontario. This is the Canadian Anti-Fraud Call Center and is staffed by the Royal Canadian Mounted Police. They can be reached at www.phonebusters.com or 888-495-8501. They can assist in shutting down Canadian lines and will provide you with a reference number on your case in the event you secure additional information to report to them.

There are three great options for finding the carrier of a toll-free line. The first is a number that can be called to find out who the Responsible Organization [RespOrg] is for any toll free number, 800-337-4194. This is an IVR where you can enter the number and it will give you the carrier. The second is to search on such sites as www.customtollfree.com, where you often can find the carrier of the line. You [or your chosen law enforcement representative] can then contact the carrier directly to ask them to shut down the line, as it is being used for fraud. The third option is http://www.tollfreenumbers.com/resporg/ and can be used to track down numbers and call centers that handle the calls.

4. Notify Telecomm Carriers

Here’s a quick list of email addresses and a sample email that get lines shut down:

A. Email addresses: ‘QwestFraud@qwest.com’; ‘abuse@att.com’; ‘abuse@verizon.com’; ‘abuse@qwest.com’; ‘fraud@qwest.com’; ‘abuse@sprint.com’; ‘fraud@sprint.com’; ‘abuse@level3.com’; ‘abuse@alltel.com’; ‘fraud@alltel.com’; ‘fraud@tmccom.com’.

B. Sample email text: Fraudulent text messages are being sent to cell phones in Northeastern Oklahoma: “This is an automated message from XXXX National bank. Your ATM card has been suspended. To reactivate call urgent at 18775895978.” This is an IVR that attempts to get card numbers and PINs. If this 877 number is yours please shut it down, if not please forward to the responsible organization.

Typically, the words “Criminal Activity” in the subject line help get faster responses.

5. Make Customer Education a Priority

Keep the educational awareness of these types of scams in front of your customers by adding sections on the institution’s webpage about the types of crimes that may happen. Add the same messages to your statement stuffers, call waiting feature and newsletters for added impact. Also be sure to tell your customers that no one will ever call them from the institution, soliciting information from them. Always remind your customers to alert you when they receive a call, text, or email from your institution that doesn’t seem right.
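A small triage script for the reports collected under step 1, added here as an example and not part of the original plan. It assumes constructed report records with field names of its own choosing and an assumed list of NANP toll-free area codes; it flags the "pattern of calls" that step 2 says should trigger customer notification, tallies the area codes to run down under step 3, and lists reports that omit a field the procedure asks staff to capture.

```python
"""Triage of customer vishing reports: an added example, not part of the original post.

The report fields follow step 1 of the plan; the field names, the toll-free
area-code list and SAMPLE_REPORTS are this example's own assumptions."""
import re
from collections import Counter

# NANP toll-free area codes (assumption for this example).
TOLL_FREE = {"800", "833", "844", "855", "866", "877", "888"}
# Fields the plan asks staff to capture at first notification (names are assumed).
REQUIRED = ("originating_number", "details", "solicited", "info_given",
            "callback_number", "phone_type", "carrier")

def normalize_number(raw):
    """Reduce a reported phone number to its 10 NANP digits, or None if unusable."""
    digits = re.sub(r"\D", "", raw or "")
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits if len(digits) == 10 else None

def triage(reports, threshold=3):
    """Flag a callback line reported `threshold` or more times (the 'pattern of
    calls' that triggers customer notification), tally reports per area code for
    running down the source, and list reports missing a required field."""
    by_callback, by_area, incomplete = Counter(), Counter(), []
    for idx, rep in enumerate(reports):
        missing = [f for f in REQUIRED if rep.get(f) in (None, "")]
        if missing:
            incomplete.append((idx, missing))
        cb = normalize_number(rep.get("callback_number"))
        if cb:
            by_callback[cb] += 1
            by_area[cb[:3]] += 1
    alerts = []
    for number, n in by_callback.items():
        if n < threshold:
            continue
        exposed = sum(1 for r in reports
                      if normalize_number(r.get("callback_number")) == number and r.get("info_given"))
        alerts.append({"callback": number, "reports": n, "area_code": number[:3],
                       "toll_free": number[:3] in TOLL_FREE, "customers_exposed": exposed})
    return {"alerts": alerts, "by_area": dict(by_area), "incomplete": incomplete}

# Constructed sample reports (555 numbers; not real incidents).
SAMPLE_REPORTS = [
    {"originating_number": "unknown", "details": "automated: ATM card suspended", "solicited": "card number, PIN",
     "info_given": False, "callback_number": "1-877-555-0199", "phone_type": "cell", "carrier": "AT&T"},
    {"originating_number": "918-555-0100", "details": "live caller claiming fraud dept", "solicited": "account number",
     "info_given": True, "callback_number": "(877) 555-0199", "phone_type": "landline", "carrier": "n/a"},
    {"originating_number": "unknown", "details": "text: call urgent to reactivate", "solicited": "debit card",
     "info_given": False, "callback_number": "877.555.0199", "phone_type": "cell", "carrier": ""},
    {"originating_number": "unknown", "details": "recorded message", "solicited": "PIN",
     "info_given": False, "callback_number": "866-555-0123", "phone_type": "cell", "carrier": "Verizon"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_REPORTS))
```

An alert with `customers_exposed` greater than zero is the case where step 1D applies and the account or card needs closing before the line is chased down.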

For a more in-depth look at vishing attacks, visit Bank Info Security.

Filed under: Response Plans, Social Engineering

Configure EIGRP

What do you need to know about EIGRP?

Before you configure EIGRP, there are some things you should know about it first. Here they are:

  • EIGRP is the Enhanced Interior Gateway Routing Protocol.
  • EIGRP is a Cisco proprietary routing protocol based on their original Interior Gateway Routing Protocol.
  • EIGRP can only be used on networks where all routers are Cisco routers.
  • The administrative distance for EIGRP is 90 and 170 for internal and external EIGRP, respectively.

What features does EIGRP offer?

  • Automatic redistribution of routes between IGRP and EIGRP.
  • Ability to turn off and on EIGRP and IGRP on individual interfaces of the router.
  • Fast network convergence thanks to EIGRP’s DUAL algorithm (convergence is when all routers know about all the networks that every other router is offering).
  • Incremental Updates that save network bandwidth and speed convergence.
  • Reduced router CPU load, as compared to IGRP.
  • EIGRP uses neighbor discovery to find and keep track of neighboring routers. Neighbor discovery uses multicast IP and is not tied to whether or not the IP network is properly configured.
  • EIGRP prevents routing loops on the network.
  • Supports variable length subnet masks (VLSM).
  • Automatic route summarization.

How do you configure EIGRP in the Cisco IOS?

To configure EIGRP in the Cisco IOS, just follow these steps:

1.  Set the bandwidth on your interfaces using the bandwidth command

Router (config-if)# bandwidth XX

(where XX signifies the bandwidth of the WAN connection)

2.  Start the EIGRP routing process and specify your AS number

Router (config)# router eigrp AS

Where the “AS” in the above-mentioned command stands for Autonomous System number. This number should be the same on all routers.

3.  Next, instruct the router to advertise the networks that are directly connected to it. You can do this with the command

Router (config-router)# network X.X.X.X

Where X.X.X.X is the network id of a network that is linked directly to the router. You should enter this command for each network directly attached to the router. However, you can, in a single statement, enter the supernet of a group of subnets. When you do that, the router will automatically identify the subnets.

Optionally, you can configure the amount of WAN link bandwidth that an EIGRP router will use with this command:

Router(config-if)# ip bandwidth-percent eigrp XX

Once EIGRP is configured, you can check the status using the show ip route and show ip eigrp commands. Here are some examples:

Router# show ip route

     207.71.26.0/28 is subnetted, 1 subnets
D       207.71.26.128 [90/8199936] via 10.6.199.1, 1w1d, Serial0/0
     10.0.0.0/8 is variably subnetted, 217 subnets, 4 masks
D       10.110.100.0/30 [90/6535936] via 10.6.199.1, 5w1d, Serial0/0

Notice the “D” on the left side of the output. All “D” routes are EIGRP routes.
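A parser for the EIGRP entries of that output, added here as an example and not code from the post or from Cisco. It assumes the layout shown above: a "D" (or "D EX" for external EIGRP) code, the prefix, [administrative distance/metric], next hop, age and interface, and it checks each route's AD against the 90/170 defaults named earlier; SAMPLE_OUTPUT is constructed.

```python
"""Parser for the EIGRP entries of `show ip route`: an added example, not from the post.

Assumes the output layout shown above: 'D' (EIGRP) or 'D EX' (external EIGRP),
prefix, [AD/metric], next hop, age, interface; SAMPLE_OUTPUT is constructed."""
import re

INTERNAL_AD, EXTERNAL_AD = 90, 170   # administrative distances named in the post

# "X.X.X.X/N is subnetted, ..." announces a block; without "variably" every
# route in the block inherits N and IOS omits the mask on those lines.
BLOCK_RE = re.compile(r"^[\d.]+/(?P<plen>\d+) is (?P<var>variably )?subnetted")
ROUTE_RE = re.compile(
    r"^D(?P<ext> EX)?\s+(?P<net>\d+\.\d+\.\d+\.\d+)(?:/(?P<plen>\d+))?\s+"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>[\d.]+),\s+(?P<age>\S+),\s+(?P<iface>\S+)")

def parse_eigrp_routes(text):
    """Return one dict per 'D' route; default_ad is False when the AD is not 90/170."""
    routes, inherited = [], None
    for raw in text.splitlines():
        line = raw.strip()
        b = BLOCK_RE.match(line)
        if b:
            inherited = None if b["var"] else b["plen"]
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue          # connected/static/other-protocol routes are skipped
        plen = m["plen"] or inherited
        if plen is None:
            continue          # cannot recover the mask; skip rather than guess
        kind = "external" if m["ext"] else "internal"
        ad = int(m["ad"])
        routes.append({"prefix": f"{m['net']}/{plen}", "kind": kind, "ad": ad,
                       "metric": int(m["metric"]), "next_hop": m["nh"],
                       "interface": m["iface"], "age": m["age"],
                       "default_ad": ad == (EXTERNAL_AD if kind == "external" else INTERNAL_AD)})
    return routes

# Constructed sample: the two lines from the post plus a connected route and an external EIGRP route.
SAMPLE_OUTPUT = """\
     207.71.26.0/28 is subnetted, 1 subnets
D       207.71.26.128 [90/8199936] via 10.6.199.1, 1w1d, Serial0/0
     10.0.0.0/8 is variably subnetted, 217 subnets, 4 masks
D       10.110.100.0/30 [90/6535936] via 10.6.199.1, 5w1d, Serial0/0
C       10.6.199.0/30 is directly connected, Serial0/0
D EX    10.200.0.0/16 [170/2172416] via 10.6.199.1, 3d02h, Serial0/0
"""

if __name__ == "__main__":
    for r in parse_eigrp_routes(SAMPLE_OUTPUT):
        print(r)
```

A route whose `default_ad` is False means someone changed the distance on that router, which is worth a look when routes are unexpectedly preferred or ignored.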

There are a number of show ip eigrp xxxx commands. Here is an example of the “neighbors” version:

Router# show ip eigrp neighbors

IP-EIGRP neighbors for process 100
H   Address                 Interface   Hold Uptime   SRTT   RTO  Q  Seq Type
                                        (sec)         (ms)       Cnt Num
0   10.6.199.1              Se0/0         11 5w1d      20   282  0  887645
Router#

Summary

While some of you might say that EIGRP is past its prime or has been replaced by OSPF, it remains an excellent routing protocol and is the protocol of choice in most enterprise networks today.

For a more granular insight into EIGRP, visit Cisco IOS IP Configuration Guide, Release 12.2 – Configuring EIGRP.

Filed under: Cisco, Network, Routing

Load Balancer vs. Reverse Proxy

Load Balancer

A load balancer is a device that acts as a reverse proxy and distributes network or application traffic across a number of servers. Load balancers are used to increase capacity (concurrent users) and reliability of applications. They improve the overall performance of applications by decreasing the burden on servers associated with managing and maintaining application and network sessions, as well as by performing application-specific tasks.

Load balancers are generally grouped into two categories: Layer 4 and Layer 7. Layer 4 load balancers act upon data found in network and transport layer protocols (IP, TCP, FTP, UDP). Layer 7 load balancers distribute requests based upon data found in application layer protocols such as HTTP.

Requests are received by both types of load balancers and they are distributed to a particular server based on a configured algorithm. Some industry standard algorithms are:

* Round robin
* Weighted round robin
* Least connections
* Least response time

Layer 7 load balancers can further distribute requests based on application specific data such as HTTP headers, cookies, or data within the application message itself, such as the value of a specific parameter.

Load balancers ensure reliability and availability by monitoring the “health” of applications and only sending requests to servers and applications that can respond in a timely manner.
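The four scheduling algorithms listed above, gated by the health monitoring just described, as an added example that is not code from the post or from any product. Backend, Pool, the probe callback and the smoothing constant are this example's own constructions; a real balancer would probe the servers over the network.

```python
"""The four scheduling algorithms listed above, gated by health monitoring.

Added example, not code from the post: Backend, Pool, the probe callback and
the EWMA constant are this example's own constructions."""
from dataclasses import dataclass

@dataclass
class Backend:
    name: str
    weight: int = 1
    healthy: bool = True      # set by the health monitor
    active: int = 0           # connections currently open on this server
    resp_ms: float = 0.0      # smoothed response time of recent requests

class Pool:
    def __init__(self, backends):
        self.backends = list(backends)
        self._cursor = 0      # position in the (weighted) round-robin cycle

    def healthy(self):
        """Only servers that passed their last health check receive requests."""
        pool = [b for b in self.backends if b.healthy]
        if not pool:
            raise RuntimeError("no healthy backend")
        return pool

    def round_robin(self):
        pool = self.healthy()
        b = pool[self._cursor % len(pool)]
        self._cursor += 1
        return b

    def weighted_round_robin(self):
        # Expand each healthy server `weight` times and walk that cycle.
        cycle = [b for b in self.healthy() for _ in range(b.weight)]
        b = cycle[self._cursor % len(cycle)]
        self._cursor += 1
        return b

    def least_connections(self):
        return min(self.healthy(), key=lambda b: (b.active, b.name))

    def least_response_time(self):
        return min(self.healthy(), key=lambda b: (b.resp_ms, b.active, b.name))

    def health_check(self, probe):
        """probe(backend) returns the latency in ms, or None when the server did
        not answer in time; a failed probe takes the server out of rotation."""
        for b in self.backends:
            latency = probe(b)
            b.healthy = latency is not None
            if b.healthy:
                self.record(b, latency)

    @staticmethod
    def record(b, latency_ms, alpha=0.3):
        """Exponentially weighted moving average of observed response time."""
        b.resp_ms = latency_ms if b.resp_ms == 0 else (1 - alpha) * b.resp_ms + alpha * latency_ms
```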

Reverse Proxy

A reverse proxy is a device or server placed in front of a Web server. Incoming requests are handled by the proxy server, which retrieves information from the Web server and then forwards it to the user. A reverse proxy can also be deployed to handle SSL acceleration, load balancing, intelligent compression, and caching.

Filed under: Network

Windows Shortcuts

CTRL+C [Copy]
CTRL+X [Cut]
CTRL+V [Paste]
CTRL+Z [Undo]
DELETE [Delete]
SHIFT+DELETE [Delete the selected item permanently without placing the item in the Recycle Bin]
CTRL while dragging an item [Copy the selected item]
CTRL+SHIFT while dragging an item [Create a shortcut to the selected item]
F2 key [Rename the selected item]
CTRL+RIGHT ARROW [Move the insertion point to the beginning of the next word]
CTRL+LEFT ARROW [Move the insertion point to the beginning of the previous word]
CTRL+DOWN ARROW [Move the insertion point to the beginning of the next paragraph]
CTRL+UP ARROW [Move the insertion point to the beginning of the previous paragraph]
CTRL+SHIFT with any of the arrow keys [Highlight a block of text]
SHIFT with any of the arrow keys [Select more than one item in a window or on the desktop, or select text in a document]
CTRL+A [Select all]
F3 key [Search for a file or a folder]
ALT+ENTER [View the properties for the selected item]
ALT+F4 [Close the active item, or quit the active program]
ALT+ENTER [Display the properties of the selected object]
ALT+SPACEBAR [Open the shortcut menu for the active window]
CTRL+F4 [Close the active document in programs that enable you to have multiple documents open simultaneously]
ALT+TAB [Switch between the open items]
ALT+ESC [Cycle through items in the order that they had been opened]
F6 key [Cycle through the screen elements in a window or on the desktop]
F4 key [Display the Address bar list in My Computer or Windows Explorer]
SHIFT+F10 [Display the shortcut menu for the selected item]
ALT+SPACEBAR [Display the System menu for the active window]
CTRL+ESC [Display the Start menu]
ALT+Underlined letter in a menu name [Display the corresponding menu]
Underlined letter in a command name on an open menu [Perform the corresponding command]
F10 key [Activate the menu bar in the active program]
RIGHT ARROW [Open the next menu to the right, or open a submenu]
LEFT ARROW [Open the next menu to the left, or close a submenu]
F5 key [Update the active window]
BACKSPACE [View the folder one level up in My Computer or Windows Explorer]
ESC [Cancel the current task]
SHIFT when you insert a CD-ROM into the CD-ROM drive [Prevent the CD-ROM from automatically playing]
CTRL+SHIFT+ESC [Open Task Manager]

Filed under: Windows

CIDR Conversion

CIDR Conversion / IP Addressing Management

CIDR Length   Mask               # Networks    # Hosts
/1            128.0.0.0          128 A         2,147,483,392
/2            192.0.0.0          64 A          1,073,741,696
/3            224.0.0.0          32 A          536,870,848
/4            240.0.0.0          16 A          268,435,424
/5            248.0.0.0          8 A           134,217,712
/6            252.0.0.0          4 A           67,108,856
/7            254.0.0.0          2 A           33,554,428
/8            255.0.0.0          1 A           16,777,214
/9            255.128.0.0        128 B         8,388,352
/10           255.192.0.0        64 B          4,194,176
/11           255.224.0.0        32 B          2,097,088
/12           255.240.0.0        16 B          1,048,544
/13           255.248.0.0        8 B           524,272
/14           255.252.0.0        4 B           262,136
/15           255.254.0.0        2 B           131,068
/16           255.255.0.0        1 B           65,024
/17           255.255.128.0      128 C         32,512
/18           255.255.192.0      64 C          16,256
/19           255.255.224.0      32 C          8,128
/20           255.255.240.0      16 C          4,064
/21           255.255.248.0      8 C           2,032
/22           255.255.252.0      4 C           1,016
/23           255.255.254.0      2 C           508
/24           255.255.255.0      1 C           254
/25           255.255.255.128    2 subnets     124
/26           255.255.255.192    4 subnets     62
/27           255.255.255.224    8 subnets     30
/28           255.255.255.240    16 subnets    14
/29           255.255.255.248    32 subnets    6
/30           255.255.255.252    64 subnets    2
/31           255.255.255.254    none          none
/32           255.255.255.255    1/256 C       1


A network is called a supernet when the prefix boundary contains fewer bits than the network’s natural (i.e. classful) mask. A network is called a subnet when the prefix boundary contains more bits than the network’s natural mask.

Examples

209.60.128.0 is a class C network address with a natural mask of /24.

209.60.128.0 /22 is a supernet which yields:

209.60.128.0 /24
209.60.129.0 /24
209.60.130.0 /24
209.60.131.0 /24

192.0.0.0 /25
Subnet   Host Range
0        192.0.0.1   – 192.0.0.126
1        192.0.0.129 – 192.0.0.254

192.0.0.0 /26
Subnet   Host Range
0        192.0.0.1   – 192.0.0.62
1        192.0.0.65  – 192.0.0.126
2        192.0.0.129 – 192.0.0.190
3        192.0.0.193 – 192.0.0.254

192.0.0.0 /27
Subnet   Host Range
0        192.0.0.1   – 192.0.0.30
1        192.0.0.33  – 192.0.0.62
2        192.0.0.65  – 192.0.0.94
3        192.0.0.97  – 192.0.0.126
4        192.0.0.129 – 192.0.0.158
5        192.0.0.161 – 192.0.0.190
6        192.0.0.193 – 192.0.0.222
7        192.0.0.225 – 192.0.0.254
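The arithmetic behind the table and the examples above, written out as an added example (not code from the post). It derives the dotted mask from a prefix length, classifies a prefix as supernet or subnet against the classful natural mask, and enumerates subnets with their usable host ranges, which generalizes the /25, /26 and /27 tables and the 209.60.128.0 /22 supernet to any prefix; the functions and their names are this example's own.

```python
"""Prefix-length arithmetic behind the CIDR table above: an added example, not from the post.

Computes the dotted mask for a prefix length, classifies a prefix as supernet or
subnet against the classful natural mask, and enumerates subnets with their usable
host ranges (the /25, /26, /27 tables above are instances of subnets())."""

def mask_int(plen):
    """Network mask for /plen as a 32-bit integer."""
    return (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF

def to_dotted(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def to_int(dotted):
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def natural_prefix(dotted):
    """Classful natural mask length from the first octet: A /8, B /16, C /24."""
    first = to_int(dotted) >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError("class D/E address has no natural mask")

def classify(network, plen):
    """Fewer bits than the natural mask: supernet; more: subnet; equal: classful."""
    nat = natural_prefix(network)
    return "supernet" if plen < nat else "subnet" if plen > nat else "classful"

def usable_hosts(plen):
    """Hosts per block as in the table: network and broadcast excluded,
    /31 has none, /32 is a single host."""
    if plen == 32:
        return 1
    if plen == 31:
        return 0
    return (1 << (32 - plen)) - 2

def subnets(network, plen, new_plen):
    """Split network/plen into /new_plen blocks -> (index, network, first host, last host)."""
    if new_plen < plen:
        raise ValueError("new prefix must be at least as long as the original")
    base = to_int(network) & mask_int(plen)
    size = 1 << (32 - new_plen)
    rows = []
    for i in range(1 << (new_plen - plen)):
        net = base + i * size
        if new_plen == 32:
            first = last = to_dotted(net)
        elif new_plen == 31:
            first = last = None          # no host range, matching the table
        else:
            first, last = to_dotted(net + 1), to_dotted(net + size - 2)
        rows.append((i, to_dotted(net), first, last))
    return rows

if __name__ == "__main__":
    print(classify("209.60.128.0", 22), [r[1] for r in subnets("209.60.128.0", 22, 24)])
    for row in subnets("192.0.0.0", 24, 26):
        print(row)
```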

Reserved Network Numbers

Class   Start         End               # Hosts      Comment
A       10.0.0.0      10.255.255.255    16,777,216   a single Class A network number
B       172.16.0.0    172.31.255.255    1,048,544    16 contiguous Class B network numbers
C       192.168.0.0   192.168.255.255   65,534       256 contiguous Class C network numbers

Filed under: Network

OSI Model

Layer   Name           Common Protocols
7       Application    SSH, telnet, FTP
6       Presentation   HTTP, SMTP, SNMP
5       Session        RPC, Named Pipes, NETBIOS
4       Transport      TCP, UDP
3       Network        IP
2       Data Link      Ethernet
1       Physical       Cat-5


The functions of the seven layers of the OSI model are:

Layer Seven of the OSI Model

The Application Layer of the OSI model is responsible for providing end-user services, such as file transfers, electronic messaging, e-mail, virtual terminal access, and network management. This is the layer with which the user interacts.

Layer Six of the OSI Model

The Presentation Layer of the OSI model is responsible for defining the syntax which two network hosts use to communicate. Encryption and compression should be Presentation Layer functions.

Layer Five of the OSI Model

The Session Layer of the OSI model is responsible for establishing process-to-process communications between networked hosts.

Layer Four of the OSI Model

The Transport Layer of the OSI model is responsible for delivering messages between networked hosts. The Transport Layer should be responsible for fragmentation and reassembly.

Layer Three of the OSI Model

The Network Layer of the OSI model is responsible for establishing paths for data transfer through the network. Routers operate at the Network Layer.

Layer Two of the OSI Model

The Data Link Layer of the OSI model is responsible for communications between adjacent network nodes. Hubs and switches operate at the Data Link Layer.

Layer One of the OSI Model

The Physical Layer of the OSI model is responsible for bit-level transmission between network nodes. The Physical Layer defines items such as: connector types, cable types, voltages, and pin-outs.

Filed under: Network

Common ports

20 FTP data (File Transfer Protocol)
21 FTP (File Transfer Protocol)
22 SSH (Secure Shell)
23 Telnet
25 SMTP (Send Mail Transfer Protocol)
43 whois
53 DNS (Domain Name Service)
68 DHCP (Dynamic Host Control Protocol)
79 Finger
80 HTTP (HyperText Transfer Protocol)
110 POP3 (Post Office Protocol, version 3)
115 SFTP (Secure File Transfer Protocol)
119 NNTP (Network News Transfer Protocol)
123 NTP (Network Time Protocol)
137 NetBIOS-ns
138 NetBIOS-dgm
139 NetBIOS
143 IMAP (Internet Message Access Protocol)
161 SNMP (Simple Network Management Protocol)
194 IRC (Internet Relay Chat)
220 IMAP3 (Internet Message Access Protocol 3)
389 LDAP (Lightweight Directory Access Protocol)
443 SSL (Secure Socket Layer)
445 SMB (NetBIOS over TCP)
666 Doom
993 SIMAP (Secure Internet Message Access Protocol)
995 SPOP (Secure Post Office Protocol)

Ports between 1024 and 29151 are known as the Registered Ports. Basically, programs are supposed to register their use of these ports and thereby try to be careful and avoid stomping on each other. Here are some common ports and their programs.

1243 SubSeven (Trojan – security risk!)
1352 Lotus Notes
1433 Microsoft SQL Server
1494 Citrix ICA Protocol
1521 Oracle SQL
1604 Citrix ICA / Microsoft Terminal Server
2049 NFS (Network File System)
3306 mySQL
4000 ICQ
5010 Yahoo! Messenger
5190 AOL Instant Messenger
5632 PCAnywhere
5800 VNC
5900 VNC
6000 X Windowing System
6699 Napster
6776 SubSeven (Trojan – security risk!)
7070 RealServer / QuickTime
7778 Unreal
8080 HTTP
26000 Quake
27010 Half-Life
27960 Quake III
31337 BackOrifice (Trojan – security risk!)

Filed under: Network
