Cisco Blog > Security

Score One for the Good Guys

With each passing day, security reports, Cisco’s included, describe computers being used in botnet attacks. Each of these machines has, without its owner’s knowledge, been infected with malware and is controlled by remote, unseen hands, foreign or domestic, that care little or nothing for the owner. Simply put, the computer is no longer exclusively under its owner’s control, and neither are the owner’s data or privacy. Unchecked, botnets grow in variety, frequency, complexity, and capability.

Traditionally, dynamic teams, composed of private citizens and law enforcement, devise ways to contain the effects of a botnet and, if possible, shut it down in some way, such as:

  • Releasing signatures to anti-virus vendors in the hopes that AV will clean some of the infected machines
  • Disrupting the Command and Control channel, so that the infected computers are no longer receiving instructions
  • Just attempting to stay one step ahead of the malware through DNS, detection, or blocking access lists

In nearly every case, new approaches have to be developed to keep the botnet variants from succeeding.

Add another creative approach to the mix based in the rule of law.


Defending Against SQL Injection Attacks Using Cisco ASA, IPS, and IOS Firewall – Cisco TAC Security Podcast

An American with the aid of two Russian conspirators stole 130 million credit card numbers in 2007. In 2009, 32 million usernames and passwords were obtained from a social network game developer. More recently, Lizamoon gained quite a bit of media attention. The same technique that made these attacks successful has even been attempted by printing messages on a car bumper driving down a highway. These attacks all employed a technique called SQL injection. By sending carefully crafted SQL fragments through an HTTP web form (or some other database interface), the attacker is betting that the application will splice the input into a database query as-is, with no parameterization or escaping, so that the database parses the attacker’s text as SQL rather than as a value. The intended effect is that the database either returns more information than the administrator intended, or drops tables of data altogether.
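As an added example (not code from the podcast or from Cisco), here is the mechanism in miniature: a lookup that splices a form field into the statement text, the parameterized version of the same lookup, and a small signature-style check of the kind a network IPS applies to a request parameter. The users table and its rows, the function names, the two payloads and the regular expressions are all constructed for this illustration.

```python
import re
import sqlite3
from urllib.parse import unquote_plus


def make_db():
    """Constructed sample data (not from the podcast): a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, username TEXT, password_hash TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(1, "alice", "h1", "1234"), (2, "bob", "h2", "5678"), (3, "carol", "h3", "9012")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """The form parameter is concatenated into the statement text, so quotes
    and keywords the attacker types are parsed by the database as SQL."""
    query = "SELECT username, card_last4 FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Bound parameter: the value travels separately from the statement, so it
    is always treated as a string literal, never as SQL syntax."""
    query = "SELECT username, card_last4 FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Two classic payloads, as they would arrive in a form field (constructed).
TAUTOLOGY = "x' OR '1'='1"                                            # returns every row
UNION_READ = "x' UNION SELECT username, password_hash FROM users --"  # reads another column

# Hypothetical signature set, in the spirit of an IPS rule, not a Cisco signature.
SQLI_PATTERNS = [
    re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.I),   # ' OR '1'='1
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),  # UNION SELECT
    re.compile(r";\s*(drop|alter|delete)\b", re.I),      # stacked DROP/ALTER/DELETE
    re.compile(r"--|/\*"),                               # SQL comment swallowing the rest
]


def looks_like_sqli(raw_param):
    """Signature-style check of an HTTP parameter. The value is URL-decoded
    first because '%27' is how a quote character reaches the wire. A match is
    a detection hint for the network layer; the fix is lookup_safe()."""
    value = unquote_plus(raw_param)
    return any(p.search(value) for p in SQLI_PATTERNS)


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "alice"))        # one row
    print(lookup_vulnerable(db, TAUTOLOGY))      # all three rows
    print(lookup_vulnerable(db, UNION_READ))     # password hashes instead of card digits
    print(lookup_safe(db, TAUTOLOGY))            # [] because the payload is just a string
    print(looks_like_sqli("alice"), looks_like_sqli("x%27+OR+%271%27%3D%271"))
```

The pattern check is deliberately shown beside the parameterized query: a network device can only flag what its signatures anticipate (encoding, comment tricks and keyword case all have to be normalized first), whereas bound parameters remove the bug regardless of what the attacker sends.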


Cisco Investigation for TCP Split-Handshake Issue Reported by NSS

Updated May 9th: After a thorough investigation of the TCP Split Handshake issue raised by NSS Labs, Cisco has confirmed that the Cisco ASA firewall is not susceptible to this issue. In all test cases examined, the ASA operates as expected, providing protection in its default configuration against the Split-Handshake as defined in the original TCP Split Handshake paper. As a result, the Cisco PSIRT closed this investigation on May 4th.

Cisco appreciates the extended engagement and data provided by NSS Labs as we’ve worked through these scenarios. During two recent visits to NSS Labs, Cisco was presented with a number of scenarios, including new test cases that deviated from the original Split-Handshake scenario. The Cisco PSIRT collected traces and provided feedback to NSS Labs on all scenarios. In each case, Cisco demonstrated successful network protection through the default ASA configuration or the implementation of firewall policies that are fully supported, documented and used pervasively in enterprise deployments.

As always, vulnerability reports should be sent to the PSIRT organization (psirt@cisco.com). Cisco customers are encouraged to contact their account manager with any questions.


Recently there’s been some activity in the press regarding an NSS Labs report on potential vulnerabilities in Next-Generation Firewalls (NGFW). The Cisco Adaptive Security Appliance (ASA) was one of the products mentioned as vulnerable to these attacks. Based on the investigation of this issue to date, the data indicates that Cisco customers are not exposed to this issue. As always, should the vulnerability be confirmed the Cisco Product Security Incident Response Team (PSIRT) will investigate, drive remediation and disclose per our normal communication channels. (PSIRT Vulnerability Policy)

On April 12th, NSS Labs published a report regarding vulnerabilities on a number of firewalls, including Cisco’s ASA product line. The full report has a hefty $3500 price tag, but NSS does provide a free (with registration) “Remediation Guide,” for users of these firewalls.

The NSS Labs Remediation Guide incorrectly lists the Cisco ASA as vulnerable to the TCP Split Handshake attack, and also mentions that there are no steps available to customers to mitigate or remediate this attack.

Following an investigation over the course of several months, involving well over a dozen Cisco engineers from various teams and working in conjunction with NSS Labs, no vulnerability of this nature has been observed on Cisco products. The following products have been investigated:

  • Cisco ASA
  • Cisco IOS Firewall
  • Cisco Intrusion Prevention System (IPS) appliances

It’s important to note that the NSS Labs report focuses on only one attack, the TCP Split Handshake. This is a third way of opening a TCP connection that combines features of the ordinary three-way handshake and of the simultaneous open: instead of answering the client’s SYN with a single SYN/ACK, the server sends its own SYN (optionally preceded by a separate ACK), and the client’s stack completes the connection as a simultaneous open. A firewall or IPS that infers the client and server roles from who sent the first SYN can therefore be misled about which side opened the connection.

However, the goal of this post isn’t to discuss the technical details of TCP handshakes, but rather to present what Cisco has done and is doing to investigate the impact to our products and protect our customers.


Canary in a Gallium Mine

As a Silicon Valley technology industry worker, I often try to reconcile the humanitarian, environmental, or political aspects of global issues with business realities. I may wish it made business sense for companies to focus on alleviating poverty or improving health care and education, but—even with the best intentions—by definition, for-profit companies are not charities. As it is, big multinational companies spend millions on corporate social responsibility efforts.

Thankfully, the business argument for sustainability is fairly easy to make. At least until emerging market growth slows appreciably and manufacturers find alternative materials to use, the price of elements in our high tech gadgets, and the security risks of not finding alternatives, are both headed up.


Epsilon, ESPs, the Cloud and You

While the IT industry is in many ways moving toward an outsourced model, with the widespread adoption of the cloud and XaaS, marketing has been moving in a similar direction as well. And while PR agencies have been around for quite some time and it has been normal to look to outside agencies for help with creatives, over the past several years a new kind of service provider, the Email Service Provider, or ESP, has emerged from the shadows. Not to be mistaken for cloud-based email security services, ESPs are in the business of sending mass email (typically opt-in), not blocking it. Unfortunately, for many, their first exposure to these companies (outside of an inbox full of enticing offers) has been via news around data breaches, first, in 2010 with Silverpop and now Epsilon.


Securing IPv6

In the previous installment of our series of IPv6 security posts, we covered some of the ways addressing has changed in IPv6 compared to IPv4. In this post, we’ll talk about some of the things to consider when securing IPv6 compared to IPv4. Before digging into this topic, however, it is important to remember that while IPv6 may have different security concerns than IPv4, it is not necessarily any more secure than IPv4. Furthermore, the post will focus on those aspects that are different or unique to IPv6, since many of the common best practices for IPv4 networks also apply to IPv6 networks.


Trust, Reliability, and the Downside of the Fast-Twitch Twittoblogosphere

It is clear that we are in a transition with regards to the way information is published and consumed. Old school media such as newspapers and network news are in decline or are, like the New York Times and the Wall Street Journal, looking for new ways to remain relevant.

The rise of social media as a source of news has both positive and negative aspects. On the positive side, the speed of social media has proven hard to match. For example, on November 23, 2010, North Korea shelled Yeonpyeong Island in South Korea. My first notification about that event was via Twitter, and it was only later that I was able to get confirmation via CNN. Similarly, on March 11, 2011, when the earthquake and subsequent tsunami hit Japan with tragic consequences, my first notification was again via Twitter. Clearly first-mover advantage goes to social media, largely due to the lack of overhead and the few barriers to and low cost of publishing.

Recently we saw one of the weaknesses of the often knee-jerk, fast-twitch responses that social media can create, with the unfortunate accusations that were falsely leveled at Samsung: statements accusing the Korean manufacturer of putting keylogging software on its laptops.

Lizamoon – Much Ado About Very Little?

Recent media reports have focused on a mass SQL injection attack involving a malware domain named lizamoon.com. While the lizamoon.com domain is new, this particular series of SQL injection compromises is actually several months old: Cisco ScanSafe logs record the first instance on 20-sep-10 21:58:08 GMT. Since then, 42 different malware domains have been used, each marking a separate occurrence of these compromises, for a total of 42 occurrences since September 2010. Lizamoon.com was the 41st of these.

Cisco ScanSafe data reveals that from Sept 2010 to Feb 2011, all the compromises were on smaller, low-traffic sites. Any encounters likely resulted from Web searches for very niche topic areas, so the number of encounters with these compromised websites remained very low. Most importantly, the attacker is throttling severely: only 0.15% of encounters resulted in live content delivery, while in the remaining 99.85% the malware domain was non-resolvable at the time of the encounter. The rate of actual encounters with live content is therefore negligible.


When Cyberspace Meets Main Street

Recently, during my daily “let’s see what’s happening today” routine, I read an article that struck me in an eerie — better yet, intriguing — manner. The gist of the story is that a crime ring syndicated from cyber space, consisting of Internet-savvy folks and run-of-the-mill thieves, managed to purchase (let’s just call it what it is, steal) thousands of dollars in products while conducting shopping sprees at Apple stores.


A Firewall for Every Occasion

April 1, 2011 at 8:56 am PST

Few people in the world would disagree that a network firewall is an essential component for any size datacenter. In fact, operating without one could be considered by many to be network asset suicide! But adding a firewall to an existing datacenter is by no means a trivial task. In fact, the amount of work that would be required to re-cable every physical interface to properly tie it in with the rest of the network is enough to make many network administrators think twice about just how badly they really need that shiny new firewall, versus just sticking with what they have. Add to that the additional rack space, power, cooling, and management required by the new device, and some serious ROI questions may be raised.


Throwaway Culture Can Help Your Security

Today many organizations find themselves addressing concerns over their proprietary information being stolen and their systems being compromised. Some may view this as a single problem since, in most cases, system compromise is an overture to information theft. The most common ways in which computers are compromised include visiting a web site with malicious content, opening a harmful file — malicious or otherwise — attached to an e-mail message, running a program of dubious provenance and clicking the “yes” button on every message that pops up on the screen. Organizations are fighting back by installing virus scanners, blocking known malicious web sites, filtering incoming e-mail and locking down (aka “hardening”) operating systems as much as possible. But let us take a step back and think about this whole situation again.


Cryptographic Algorithm Transitions (2010-2011)

Cryptography has been, and continues to be, the most important and ubiquitous aspect of security services (firewall, secure access, VPN, authentication). There is a vast number of cryptographic algorithms and techniques that provide information security features and that are used in different protocols and functions. It is important to understand the challenges, attacks, and concerns around cryptographic algorithms in order to use them effectively. Just as important is the ability to follow the latest developments in the field so that we can be “as secure as possible.” This post presents the latest transitions in the cryptography field, to raise awareness of the current status of recommended algorithms and key sizes.


Cisco CSIRT on Advanced Persistent Threat

For corporations, Advanced Persistent Threat (APT) is a widely publicized yet little understood topic.  Does it exist?  Is it a real threat?  How can an organization tell if it is impacted?

The Cisco Computer Security Incident Response Team (CSIRT) is a global team of information security professionals responsible for the 24/7 monitoring, investigation and response to cyber security incidents for Cisco-owned businesses. CSIRT engages in proactive threat assessment, mitigation planning, incident detection and response, incident trending with analysis, and the development of security architecture. This article will provide the Cisco CSIRT team’s perspective on APT, and is the fifth in a series of blog posts on related issues from CSIRT’s point of view.  As with the other posts, provided here are some real-world examples and techniques that will hopefully help organizations utilize existing tools and processes, or even understand gaps in security infrastructure.  Read on to find out more.


IPv6 Addressing

In the previous installment of our series of IPv6 posts, we covered some of the ways ICMP has changed in IPv6 compared to IPv4. In this post, we’ll talk about how addressing has changed in IPv6 compared to IPv4.

While IPv4 addresses are 32 bits long, the IPv6 address space has been extended to 128 bits, which makes it virtually impossible to remember the numeric address of a given host. This will definitely lead to more reliance on DNS: it will be difficult to operate even very simple test networks without relying on DNS to resolve host names to IPv6 addresses. Because of this, more attacks will be targeted at your DNS servers, and making sure your DNS configuration and servers are secure becomes even more important in IPv6. Attackers will also use DNS to locate systems on the network by trying to resolve “common host names,” since brute-force scanning a remote IPv6 network (a single /64 subnet alone holds 2^64 addresses) is essentially impossible due to the size of the address space.


Mobile Device Security: Fragmented, Complex, and Taking a Backseat to Usability

Global smartphone sales have finally eclipsed PC sales for the first time in history, and that’s without counting the millions of non-phone devices like tablets that tend to share the operating systems and functionality of their phone-based brethren. Based on these numbers, it is disappointing to see the state of security in devices that have taken the world by storm. Design decisions, policies, and various stakeholders have resulted in a fairly hostile device ecosystem in which, for example, users can be easily fooled into installing malware on their phones.
