Archive for November, 2010

Some tips to find rogue devices on your network

November 30, 2010 6 comments

Any unknown entity on your network is a problem, and rogue devices especially so. There are a variety of ways to protect a network from rogue devices, but honestly most small and medium businesses don’t have the resources for them. If you have managed switches and know your way around their MAC address tables, you can track a device down to a physical switch port fairly easily. If you have unmanaged switches (yes, they still exist) or don’t know how to follow a MAC address through a switch, you may have to use other methods for your investigation.

To assist in finding a rogue device it helps to determine the vendor of its network card from its MAC address. First you need the IP address of the rogue device. Chances are you already have it, because that is usually how you learned the device exists: these devices are often discovered when you try to assign an IP to a device of your own and find the address is already in use.

Once you have the IP, ARP can be used to determine the MAC address. ARP only works within your own subnet, so do this from a machine on the same network segment as the rogue device; from another subnet the MAC you get back belongs to your router, not the device. If you’re on a Windows machine do the following:

  1. Go to the command prompt.
  2. Ping the rogue device. It doesn’t matter whether you get replies (a host firewall may drop ICMP); the ARP exchange that precedes the ping is what puts the device’s MAC address in your ARP table.
  3. Type the following command:  arp -a
    1. Here is a sample output:
      Internet Address      Physical Address      Type
                            00-03-ff-d1-19-04     dynamic
    2. The MAC address is the Physical Address listed as 00-03-ff-d1-19-04.
  4. Take the MAC address and enter it into a tool or website that tells you the manufacturer: the first three bytes (00-03-ff here) are the OUI that the IEEE assigns to a vendor. I use this website for my vendor lookups, but there are others out there.
    1. Using the sample address from above I got the following vendor info returned:
      Prefix      Vendor
      0003FF   Microsoft Corporation (was: Connectix)
  5. Now that I know the vendor of the network card I have some clues as to what kind of device the rogue element is. Keep in mind that a MAC address can be changed in software, so the vendor is a lead, not proof.
    1. Knowing the vendor is Microsoft narrows down my search, since a physical computer’s network card will almost never show Microsoft as the vendor.
    2. In this case I can assume it is coming from a Windows Virtual PC, since this is the most likely device on my network to show up with a Microsoft MAC address.
    3. This device is actually a Windows Virtual PC running on my laptop for testing purposes. I used this example specifically because I am seeing more and more rogue virtual machines created by IT staff in various companies.

Using the above method can dramatically cut down the time it takes to find a rogue device. Yes, it is much quicker and easier to track rogue devices through managed switches, but as I mentioned that isn’t always an option.
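The manual procedure above written as a script, as an added example that is not part of the original post. It reads the text of an ARP table (Windows arp -a, and also Linux arp -a or ip neigh output, which the post does not cover) and maps each MAC to a vendor using a small hand-picked OUI table. The sample ARP output and its addresses are constructed, and the table holds only a handful of real registry prefixes (the Microsoft/Connectix one from the post plus common virtual-NIC prefixes), not the full IEEE list.

```shell
#!/bin/sh
# Added example (not from the original post): pick every IP/MAC pair out of
# an ARP table and map the MAC's first three bytes (the OUI) to a vendor, so
# rogue virtual machines stand out without a website lookup per address.

# Hand-picked OUI table. The prefix/vendor pairs are real IEEE registry
# entries (the Microsoft/Connectix prefix from the post plus a few common
# virtual-NIC prefixes); a real tool would load the full registry file.
oui_lookup() {
    # $1 = MAC in any common notation: 00-03-ff-d1-19-04, 00:03:FF:D1:19:04
    # or Cisco-style 0003.ffd1.1904
    prefix=$(printf '%s' "$1" | tr -d ':.-' | tr '[:lower:]' '[:upper:]' | cut -c1-6)
    case "$prefix" in
        0003FF)        echo "Microsoft Corporation (was: Connectix)" ;;  # Virtual PC
        00155D)        echo "Microsoft Corporation" ;;                   # Hyper-V
        005056|000C29) echo "VMware, Inc." ;;
        080027)        echo "PCS Systemtechnik GmbH" ;;                  # VirtualBox
        001C42)        echo "Parallels, Inc." ;;
        *)             echo "unknown (OUI $prefix not in local table)" ;;
    esac
}

arp_vendors() {
    # Reads ARP-table text on stdin (Windows "arp -a", Linux "arp -a" or
    # "ip neigh") and prints "ip mac vendor" for each entry it finds.
    set -f                                   # "?" and "[ether]" in Linux output must not glob
    while read -r line; do
        ip=''; mac=''
        for field in $line; do
            field=${field#\(}; field=${field%\)}   # Linux arp prints "(192.168.1.1)"
            case "$field" in
                *-*-*-*-*-*|*:*:*:*:*:*)
                    # a MAC is exactly 17 chars: six hex pairs plus five separators
                    if [ -z "$mac" ] && [ ${#field} -eq 17 ]; then mac=$field; fi ;;
                *.*.*.*)
                    if [ -z "$ip" ]; then ip=$field; fi ;;
            esac
        done
        if [ -n "$ip" ] && [ -n "$mac" ]; then
            printf '%s %s %s\n' "$ip" "$mac" "$(oui_lookup "$mac")"
        fi
    done
    set +f
    return 0
}

# Constructed sample of Windows "arp -a" output (private addresses, made up).
SAMPLE_ARP='Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.57          00-03-ff-d1-19-04     dynamic
  192.168.1.58          00-0c-29-ab-cd-ef     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static'

printf '%s\n' "$SAMPLE_ARP" | arp_vendors
# On a live machine feed it the real table instead:  arp -a | arp_vendors
```

Each line of output is the IP, the MAC and the vendor, so the 192.168.1.57 entry comes back as the Microsoft/Connectix prefix from the post and 192.168.1.58 as a VMware virtual NIC, while the gateway’s prefix is reported as unknown because it is not in the local table. The parser keys on the shape of the fields rather than column positions, which is why the same function handles the Windows and Linux formats.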


Tool spotlight: WIMI

November 29, 2010 Leave a comment

Today I thought I would put a spotlight on a favorite online tool: (WIMI). At its core this site serves a very simple and important task by showing what your public IP is. Simply go to the website and it automatically shows your IP address. If you are behind a proxy server it will also let you know that.

But getting information about your public IP is just the beginning of this site’s usefulness. I won’t go through everything, but here are some highlights:

  • Information. Every tool/section of the website has some good basic networking information available. Anyone looking to learn more about basic network concepts would do well to browse this site.
  • Internet Speed Test: Find out your true upload and download speeds. I wouldn’t use this just once; try it at different times of the day to see how your ISP’s load differs. An alternative I sometimes use is the Speakeasy speed test, which is powered by the same Ookla code.
  • IP Address Lookup: This gives the physical location of an IP address, most of the time. Geolocation data like this is derived from how ISPs register and assign their address blocks, so it may be wrong or only as precise as the ISP’s nearest point of presence; it really depends on who the ISP is and how they maintain their records.
  • IP WHOIS Lookup: This gives the registration record for the address block an IP belongs to, i.e. the organization it is allocated to and their contact details. This is not the same as an IP address lookup; in fact the information here will likely be completely different.
  • Host Name Lookup: Basically a reverse DNS (PTR) lookup, so you can see whether a host name is registered for an IP. Not every address has one, and whoever controls the reverse zone chooses the name, so treat it as a hint rather than proof.
  • Email Trace: This is not a tool that traces an email for you; rather it has some basic steps to help you do it yourself from the message’s Received headers. The IP Address Lookup, IP WHOIS Lookup and Host Name Lookup can all be used when trying to find the source of an internet communication.
  • Forum: I haven’t been in the forums there much, but it does seem to be a very helpful forum with some good information.

As I mentioned, this is one of my favorite websites. It’s quick, uncluttered, and has great tools and information.

Categories: Networking, Tools Tags: ,

I click “Ignore” on FB spam events

November 22, 2010 3 comments

It seems I am getting more and more spam events on Facebook. It’s not a lot, but enough to be annoying. FYI: you don’t get thousands of reward points or free iPads from these!!!

One thing I don’t do on these events is click any of the three options: “I’m Attending”, “Maybe”, or “No”. Clicking any of them gives the spammer a key piece of information: this person took the time to click, so they looked at the event.

Instead I go to the bottom of the event and click “Remove from My Events” without ever making a choice. I do this partly because the spammer gets no information that way. The other reason is so it doesn’t show under “Friends’ Events”. It appears FB at times lets us view friends’ public events (I haven’t looked into this much, but have noticed it). I want to ensure these events never show as an event I’m attending, so someone else doesn’t think it’s valid.

Here is a sample of a spam event and where to click “Remove from My Events”:

Categories: Facebook Tags:

What to do when your ISP’s DNS servers are down? Use Google!

November 22, 2010 1 comment

My current ISP, Charter, is having DNS issues at the moment. This is easy to verify: I am able to ping some known IPs on the internet, but when I ping Charter’s DNS servers I get massive packet loss. (A ping only tests reachability; to confirm that name resolution itself is failing, run nslookup with the resolver’s IP as the server and see whether it answers.) Here is a sample ping to one of Charter’s DNS servers:

All of the Charter DNS servers I ping have the same result. To get my laptop back on the Internet I decided to drop Charter for name resolution and use the Google Public DNS servers instead. The IPs for the Google DNS servers are easy to remember:


For those unfamiliar with how to change your DNS server settings Google has these instructions. There are instructions for Windows, Mac, and Linux.

Even if you don’t change your DNS server settings, I would keep these IPs handy just in case!!

Categories: Networking Tags: ,

Make sure you choose 2048-bit for key size in CSRs

November 22, 2010 Leave a comment

Recently I had to order a bunch of new SSL certs for work and for clients. It had been a couple of years, so I didn’t realize Network Solutions and Entrust both now require a 2048-bit key size for their EV certs. This was no big deal; I just had to modify how I generate the keys. For instance, here is how I generated the key and CSR on a Linux box:

[root@myhost]# openssl req -new -newkey rsa:2048 -nodes -keyout myserver.key -out myserver.csr

Notice the only difference is that I had to add “-newkey rsa:2048” to my command, instead of letting openssl pick the default key size from openssl.cnf (typically 1024 bits at the time). I’m not sure if -new is really needed (-newkey creates a new request along with the key, so -new is redundant but harmless); I’ve always just put it there. Also note that -nodes writes the private key to disk unencrypted, which is what a web server needs to start unattended, so make sure the key file is readable only by root or the service account.

I decided to see why both Entrust and Network Solutions made the change. I probably had seen something about this in the last couple years, but didn’t take notice of it. I found the change was made at the recommendation from NIST in NIST Special Publication 800-57. Specifically this is addressed in Part 3 (pdf link).

Their specific recommendations are shown in the table below:

As you can see, they rate 1024-bit RSA (80 bits of security strength) as acceptable only through 2010 and recommend that RSA keys used after 2010 be at least 2048 bits (112 bits of security strength). I have no problem with this; I was just curious where the change came from and thought I would post it here.
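The CSR command above wrapped in a script that also checks the result, as an added example that is not from the original post. It generates the key and CSR non-interactively, reads the key size back out of the CSR with openssl req -text, and fails if it is below 2048 bits, which is the check worth running before submitting a CSR to the CA. The hostname and subject fields are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): generate a 2048-bit RSA key
# and CSR without prompts, then confirm the key size recorded in the CSR
# before sending it to the CA. The subject fields below are placeholders.

make_csr() {
    # $1 = output directory, $2 = server hostname (becomes the CN),
    # $3 = RSA key size in bits (defaults to 2048)
    dir=$1; cn=$2; bits=${3:-2048}
    # -newkey rsa:N creates both the key and the request (so -new is implied).
    # -nodes leaves the key unencrypted, which a web server needs at boot, so
    # restrict the file permissions instead: umask 077 yields mode 600.
    ( umask 077 && openssl req -new -newkey "rsa:$bits" -nodes \
          -subj "/C=US/ST=State/L=City/O=Example Org/CN=$cn" \
          -keyout "$dir/$cn.key" -out "$dir/$cn.csr" 2>/dev/null )
}

csr_key_bits() {
    # Prints the public-key size stored in a CSR, e.g. "2048". OpenSSL 1.x
    # prints "RSA Public-Key: (2048 bit)" and 3.x "Public-Key: (2048 bit)";
    # the sed expression accepts both. Prints nothing if $1 is not a CSR.
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

csr_is_2048() {
    # Succeeds only if the CSR's key is at least 2048 bits. Fails for a
    # smaller key and for a file that is not a CSR, so a deployment script
    # can use it as a gate.
    bits=$(csr_key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge 2048 ]
}

workdir=$(mktemp -d)
make_csr "$workdir" myserver.example.com
csr="$workdir/myserver.example.com.csr"
echo "key size recorded in CSR: $(csr_key_bits "$csr") bits"
if csr_is_2048 "$csr"; then
    echo "OK: $csr meets the 2048-bit requirement"
else
    echo "REJECT: regenerate with -newkey rsa:2048" >&2
fi
```

Checking the size in the CSR rather than trusting the command line catches the case where an old script or a stale openssl.cnf default is still producing 1024-bit keys; the CA will reject those, and catching it locally is faster than waiting for the order to bounce.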

Categories: Security Tags: ,

Novell finally sold

November 22, 2010 Leave a comment

Today Novell announced it had finally found a buyer. Attachmate will buy the company for $6.10 a share, valuing it at about $2.2 billion. Novell has been looking for a buyer for some time, so this is no surprise. Attachmate will split Novell into two business units, Novell and SUSE.

The interesting part is Microsoft appears to be buying $450 million worth of intellectual property as part of the deal. I say appears because it is actually going to CPTN Holdings LLC, which is a consortium of technology companies organized by Microsoft Corporation.

Novell and Microsoft have a long history of lawsuits, especially over intellectual property. Theoretically this $450 million purchase is meant to end that tradition.

I will be keeping an eye on the IP acquisition to see how that turns out. But as for the purchase of Novell... does it really matter? I’m almost interested in what happens to SUSE, but have no opinion on Novell itself.

Categories: UNIX Tags: , ,