Showing posts with label Security. Show all posts

Monday, 17 February 2014

Parser View

With CLI views, we can restrict which commands each network administrator can access based on role. Superviews allow a network administrator to assign all users in the configured CLI views to a single superview instead of having to assign multiple CLI views to a group of users.

Here is the basic configuration of the Parser View.

R2 <----> R3    
192.168.1.1   <---->  192.168.1.2

Task: 

  • Allow Telnet access with the username OPERATOR and password CISCO that is able to configure only the HTTP feature of the router.
  • Configure the username ADMIN with password CISCO to have access to every feature of the router.



! AAA: login authentication and exec authorization against the local user database
aaa new-model
!
aaa authentication login default local
aaa authentication login VTY local
aaa authentication login CON none
aaa authorization exec default local
aaa authorization exec VTY local
! The named lists VTY and CON only take effect once applied under "line vty" and
! "line con 0", which this snippet does not show
!
! Local users: OPERATOR is bound to the HTTP view, ADMIN gets full privilege 15
username OPERATOR view HTTP password 0 CISCO
username ADMIN privilege 15 password 0 CISCO
!
! The HTTP view: only the listed exec and configure commands are reachable;
! the bare parent keywords (ip, configure, show) appear alongside each included
! sub-command
parser view HTTP
 secret 5 $1$6ZRJ$CIjM5cdVUvhpinttlR/361
 commands configure include ip http
 commands configure include ip
 commands exec include configure terminal
 commands exec include configure
 commands exec include show running-config
 commands exec include show
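To check what a view like HTTP actually lets OPERATOR do, the following added script (mine, not part of the original post or any Cisco tool) parses a parser view block and answers whether a given command line is permitted. The matching rules it applies (exact match; prefix match only with the "all" wildcard; "exclude" overrides any include) are my reading of the IOS view semantics and are an assumption, not something the post states.

```python
# Added example, not from the original post: parse a Cisco IOS "parser view" block
# and answer whether a given command line is permitted in it. Matching rules
# (exact match; prefix match only with the "all" wildcard; "exclude" wins) are my
# reading of the IOS view semantics and are an assumption, not stated in the post.
# The HTTP view from the post, embedded as sample input.
HTTP_VIEW = """\
parser view HTTP
 secret 5 $1$6ZRJ$CIjM5cdVUvhpinttlR/361
 commands configure include ip http
 commands configure include ip
 commands exec include configure terminal
 commands exec include configure
 commands exec include show running-config
 commands exec include show
"""

def parse_view(text):
    """Return (view_name, {mode: [(action, wildcard, words), ...]})."""
    name, rules = None, {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0] == "!":  # blank lines and IOS comments
            continue
        if parts[:2] == ["parser", "view"]:
            name = parts[2]
        elif parts[0] == "commands":  # e.g. "commands exec include all show"
            mode, action, words = parts[1], parts[2], parts[3:]
            wildcard = bool(words) and words[0] == "all"
            rules.setdefault(mode, []).append(
                (action, wildcard, tuple(words[1:] if wildcard else words)))
    return name, rules


def permitted(rules, mode, command):
    """True if the full command line `command` is allowed in `mode`."""
    words = tuple(command.split())
    allowed = False
    for action, wildcard, pattern in rules.get(mode, []):
        hit = words == pattern or (wildcard and words[:len(pattern)] == pattern)
        if hit and action == "exclude":  # an explicit exclude overrides includes
            return False
        allowed = allowed or hit  # include / include-exclusive
    return allowed


def audit(view_text, probes):
    """Map each (mode, command) probe to whether the view permits it."""
    _, rules = parse_view(view_text)
    return {probe: permitted(rules, *probe) for probe in probes}
```

Running `audit(HTTP_VIEW, [("exec", "show version")])` shows that a command not listed in the view is denied even though its parent keyword `show` is present.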

Sunday, 3 March 2013

Bypassing Google Two Factor Authentication

Duo Security found a loophole in Google's authentication system that allowed them to bypass Google's two-factor authentication and gain full control over a user's Gmail account by abusing the application-specific passwords (ASPs) used to connect individual applications to Google accounts.
Duo Security is itself a two-factor authentication provider. The flaw is located in the auto-login mechanism implemented in Chrome on the latest versions of Android, which allowed them to use an ASP to gain access to a Google account's recovery and 2-step verification settings.
Auto-login allowed users who linked their mobile devices or Chromebooks to their Google accounts to automatically access all Google-related pages over the Web without ever seeing another login page.
"Generally, once you turn on 2-step verification, Google asks you to create a separate Application-Specific Password for each application you use (hence “Application-Specific”) that doesn’t support logins using 2-step verification," Duo Security said in a blog post.

"Then you use that ASP in place of your actual password. In more-concrete terms, you create ASPs for most client applications that don’t use a web-based login: email clients using IMAP and SMTP (Apple Mail, Thunderbird, etc.); chat clients communicating over XMPP (Adium, Pidgin, etc.), and calendar applications that sync using CalDAV (iCal, etc.)."
ASPs are specialized tokens generated for each application that users enter in place of the password/token combination. Duo Security discovered that ASPs actually weren't application-specific: in fact, one code could be used to log in to almost any of Google's Web properties because of the auto-login feature.
"So, given nothing but a username, an ASP, and a single request to https://android.clients.google.com/auth, we can log into any Google web property without any login prompt (or 2-step verification)"
The researchers shared their findings with Google, which fixed this security hole last week.