DeepMac ALPHA

Almost a year after I first wrote about my idea for DeepMac, I can finally show something actually functional for the world to point and stare at!

DeepMac ALPHA is available at http://deepmac.jedimercer.com/ and includes the full MySQL dump of the database contents. I’m licensing the database under the Open Database License.

At this point, there are only a few hundred OUIs tied to a device of some sort. This is because I’ve had to focus on developing the skeletal framework to actually store the information, and have not yet put together tools for automating any part of the process of submitting data. Still, there’s a good breakdown of virtual computers, network-attached cameras, the major smartphone models and a few videogame systems.

For DeepMac to become truly useful, though, it needs a lot more raw data, and not just the easy pickings. That means there need to be better ways to get data into DeepMac. A primitive search interface is just a baby step. Ideally, we need a standard format for submitting new DeepMac data for analysis and inclusion. Mostly this is about sitting down and figuring out what would work best.

The other thing DeepMac needs to be useful is of course a real-world application that everyone can benefit from. I’d love to see DeepMac data integrated with great security tools like Wireshark, nMap, Kismet and others. There’s also a ton of commercial security software that could benefit from DeepMac such as SIMs, asset management tools and anything else that does network discovery. Alas, I don’t see that happening anytime soon. A side-project of mine is developing a tool for tracking IP<->MAC pairings for network surveillance. I’ll be integrating DeepMac data into that tool, and hopefully releasing it as an Open Source project sometime next year.

In the meantime, I’m still very much interested in feedback about the DeepMac project! What I’ve gotten so far has been small but very useful and greatly appreciated. And if you have any intelligence to offer the DeepMac project (as in OUI Device mapping), please e-mail me!

  • September 11, 2009
  • Old

Deepmac Presentation at Evil Robot Con

I probably should have posted this sooner but I was too busy trying to get something (mostly) functional to talk about.

I will be doing an informal, ad-hoc presentation on DeepMac at Evil Robot Con on Saturday, September 12th. See the Evil Robot Con website for details on the conference, schedule, location, etc.

And the good news is I have a pretty functional DB up and running that people can actually query. I’ll be making it public after the conference, during which I hope I’ll discover any horrific problems or gotchas and be able to fix them. :)


DeepMac Progress

It’s been almost exactly one month since my last entry on DeepMac’s goals and I’m happy to say significant progress has been made!

The biggest achievement is getting the project finally organized, with clear goals, usable data and a skeletal framework. But that’s kind of broad, so let’s break down what has been achieved:

  1. Historical creation dates for OUIs have been documented going back to 1998, thanks mostly to archive.org and the magic of Google. Thus the creation of the DeepMac knowledgebase!
  2. An automatic archiving of the IEEE OUI listing in text format has been established, running on a daily basis.
  3. Simple Perl scripts have been written to convert the IEEE OUI file (oui.txt) into a tab-delimited format, one OUI per line, and to add OUI creation dates from the DeepMac knowledgebase.
  4. An actual MySQL database has been created and another Perl script used to load some of the knowledgebase data into the MySQL database.
  5. A horribly primitive PHP interface has been written to allow very basic searching of the DeepMac database.
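As an added illustration of steps 3 and 4 (written for this page, not one of the project’s own Perl scripts), here is a Python version of the oui.txt conversion: it parses a constructed sample in the shape of the IEEE listing, emits one tab-delimited line per OUI with the creation date joined in from a hypothetical knowledgebase, and resolves a full MAC address to its OUI record. The OUIs, vendors, addresses and dates in the sample are made up.

```python
import re
# Constructed sample in the shape of the IEEE oui.txt listing (made-up OUIs, vendors, addresses).
SAMPLE_OUI_TXT = """\
00-11-AA   (hex)\t\tExample Networks Inc
0011AA     (base 16)\t\tExample Networks Inc
\t\t\t\t123 Example Street
\t\t\t\tSOMEWHERE CA 90000
\t\t\t\tUS

00-22-BB   (hex)\t\tExample Cameras Ltd
0022BB     (base 16)\t\tExample Cameras Ltd
\t\t\t\tGB
"""
# Hypothetical knowledgebase of OUI creation dates (OUI -> ISO date); not real data.
CREATION_DATES = {"0011AA": "1999-03-01"}
# The "(hex)" line that opens each record in oui.txt.
HEX_LINE = re.compile(r"^([0-9A-Fa-f]{2})-([0-9A-Fa-f]{2})-([0-9A-Fa-f]{2})"
                      r"\s+\(hex\)\s+(.*\S)\s*$")

def parse_oui_txt(text):
    """One record per OUI: 6-digit prefix, vendor, address lines; the "(base 16)" repeat is ignored."""
    records, current = [], None
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:  # start of a new record
            current = {"oui": "".join(m.group(1, 2, 3)).upper(),
                       "vendor": m.group(4).strip(), "address": []}
            records.append(current)
        elif current is not None and line.startswith("\t"):
            current["address"].append(line.strip())  # indented address line
        elif not line.strip():
            current = None  # a blank line closes the record
    return records

def to_tab_delimited(records, dates):
    """One OUI per line: oui, vendor, address, creation date (blank if unknown)."""
    return ["\t".join([r["oui"], r["vendor"], ", ".join(r["address"]),
                       dates.get(r["oui"], "")]) for r in records]

def oui_of(mac):
    """Normalise a MAC (any separator, any case) and return its 24-bit OUI."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits[:6]

def lookup(mac, records):
    """Find the DeepMac record for the OUI of a full MAC address, or None."""
    return next((r for r in records if r["oui"] == oui_of(mac)), None)
```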

There is still an enormous amount to accomplish with this project. I’ve been thinking about where the focus should be, and while I really want to evangelize the project and get input from the big boys in networking, it seems to me that it will never be manageable until the project is fully organized and has the tools it needs. So the push for now is going to be on continuing to refine the MySQL database for DeepMac in terms of structure, and lots of work on a web-based front-end.

Ideally, it should be possible to not only fully search DeepMac on-line but also submit information, and for administrators to update the contents, including approving submissions for inclusion. That’s a tall order, so the first sub-goal here will be to whip the search interface into shape and allow full searching on multiple fields with varying levels of output detail.


DeepMac Goals

DeepMac has one primary goal: to provide as much intelligence about MAC addresses as possible. While the IEEE provides a simple directory of OUIs (aka MAC prefixes), we want more. Here I’ll outline the milestones for this goal, with the realization that it is unlikely that all OUI assignments will reach the level of detail desired.

Creation Dates

I’ve verified with IEEE officials that the assignment date for each OUI is on record. However, that information is not freely available. IEEE officials did inform me that an individual organization may submit a request to find the creation date for a particular OUI assigned to them. Oh, and why do we want creation dates? It can be a very rough indication of the age of a device. For example, a Cisco device with a MAC prefix assigned in the 1990’s is more than likely an elderly model.

Device Classification

The real meat of the DeepMac project is to try and classify as many OUI’s as possible by the device the MACs are assigned to. For a very large number of MAC prefixes, these will be network interface cards, but in the past 10 years we’ve seen an explosion of embedded networking in consumer electronics, vehicles, and industrial devices. Device classification will be the most research-intensive aspect of the project, requiring a lot of searching, requests for assistance, and verification via input from device owners.

Vendor Participation

It is not likely that DeepMac will succeed in its goals without participation from major vendors such as Cisco, IBM, Apple, and Nokia. Significant blocks of the OUI space are assigned to a relatively small number of companies, and breaking those blocks down for device classification will require “insider” knowledge about how the OUI space was parceled out by the vendor. I intend to reach out to the security community at large, but also to folks within these large stakeholders.

Project Simplification

Most importantly, the DeepMac project can’t succeed if it is not kept simple. There needs to be relatively little effort in order to contribute information. The OUI blocks need to be consolidated for research purposes, so the largest blocks owned by a single company can be focused on. Tools for automatically converting and extracting data related to OUI and MAC prefixes should be developed. And finally, the end-result of all this research and data compilation needs to be a simple, clean data file that can easily be parsed or re-compiled for use by various tools.

So here’s the pitch: I need help! What I’m currently looking for is participation, in the form of people with first-hand knowledge about a particular MAC prefix or company with OUI assignments. I’m also looking for contributions of device classifications. The Cisco OUI space is going to be a big priority, both due to size and the utility of the additional intelligence. So if you work for a major company that owns OUI space, please drop me a line! General suggestions and comments are also welcome, of course.


You may e-mail me at jedi@jedimercer.com

Quick Observations

Just some quick observations here, maybe I’ll have time to write about them in more depth in the future.


  1. Information Security does not flow from Policy. It flows from Policy Implementation.
  2. You can have secure information without policy, and you can have policy but no secure information. They are not mutually inclusive.
  3. Always remember to use hashes in your Perl scripts to cache data that you look up (DNS, whois, LDAP, whatever). It will make everything faster, trust me on this.
  • March 4, 2009
  • Old

NessusWX Development

I’ve uploaded a text file giving detailed instructions on how to set-up a development environment under Windows for compiling the NessusWX client software. The document explains everything in excruciating detail and can be found in the files section. Have fun!


  • February 3, 2009
  • Old

When will Microsoft learn…


Once again, Microsoft has decided that when you install a “critical” security patch via their Update service, they can add unrequested software silently and it’s not only OK, but no one will notice.

Hah!

This time around it’s the release of the .NET v3.5 Service Pack 1, which will also silently add a Firefox extension (even if you don’t have Firefox installed, and yes that’s possible). You will never be prompted if this is OK, and what’s more, you can’t easily uninstall it.

Yeah. Real cute.

So here’s how they do it. Here is how to remove the offending extension if you are so inclined. And here’s someone else who discovered the same thing, so props to him.


So what has Microsoft done wrong with this? Simply:

  1. Modified a user’s third-party application without permission, from either the user or the third-party vendor (Mozilla)
  2. Created yet another potential channel for unsolicited software installs (ClickOnce)
  3. Prevented the average end-user from being able to uninstall the unsolicited extension
  4. Deceived users by implying this was a critical security patch when in reality it is much more

Anyone who has any version of .NET installed will be offered v3.5 as a critical security patch when they use Windows Update. If you have Windows Update set to automatically update then you’ve just been given a new Firefox extension.

It does not appear that this is the case with Vista users, though that is not fully confirmed yet.


  • January 23, 2009
  • Old

UPDATED: Annual Identity Checks article

I’ve updated my article on performing an Annual Identity Check. It now includes details on requesting credit reports from Innovis, TeleCheck and more. And I re-verified all the phone numbers and website links. You can read the article here.

  • January 3, 2009
  • Old

I never had these problems when I was a kid

This Christmas my daughter got a Fisher-Price Kid Tough digital camera from a relative. It’s an adorable pink camera of modest resolution with a USB cable to use for downloading the pictures to your computer.

And it comes with a free virus! Yay!

Fortunately, my anti-virus software instantly detected the malware and quarantined it. And I long ago disabled all Auto Run support in Windows. If I hadn’t, the virus may have actually been able to run briefly. Malware needs only seconds to wreak havoc. In this case, it was a worm that installs backdoors, probably to open up a PC for eventual induction into a botnet.

Attempts to contact Fisher-Price (or rather Mattel) have been fruitless, but I suspect this is a case of the factory where they were being made using a crappy, infected PC for doing quality assurance checks. Other possibilities that come to mind are disgruntled factory workers, or even an organized attempt to increase the size of a botnet. It’s not beyond the realms of possibility a criminal organization is paying off workers in factories to infect the devices being distributed.

Fortunately, all I had to do was format the flash drive and my daughter can go back to taking an insanely large number of pictures of her toys.

Hello Blurry!

MACOUIIAB!

Quick, what does MAC stand for?

Even after decades working with computers, I still forget. No one really remembers “Media Access Controller”, because we call them NICs. MAC is just short for “MAC Address”. Frankly, more often than not I think of MAC as “Machine Address Code”. Makes more frelling sense to me.

But for those who have no clue what I’m talking about, MAC does indeed stand for “Media Access Controller”, it relates to Network Interface Cards and we don’t really care about Media Access Controllers because no one calls them that, we call them NICs or Network Cards. Got that?

Here’s what everyone in IT means when they refer to a MAC: 00:11:AA:44:F1:DD

Every network controller needs a MAC address, regardless of what kind of networking it does. MAC addresses are needed for layer 2 networking. If you don’t know what that means, you can review the OSI model or just ignore it because it’s not important. Just know that MAC addresses (or MACs) are just as critical to computer networks as IP addresses. And just like IP addresses, MACs are assigned by a central authority: the IEEE.

<cue ominous crack of thunder>