Cisco Blog > Security

WiFi Protected Access (WPA) Beginning to Show Its Age

The news this week that Japanese researchers have devised a practical method to attack Wi-Fi Protected Access (WPA) with Temporal Key Integrity Protocol (TKIP) encryption in about a minute should not come as earth-shattering news to anyone. Just as earlier encryption methods have been compromised, the contest between security standards and the methods to defeat those standards is a continuously advancing process. Faster computing equipment has also made attacks much quicker.

Wired Equivalent Privacy (WEP), the earliest standard for Wi-Fi encryption, was an interim solution that lasted about four years before it was rendered useless by attacks on the protocol and on its encryption method, Rivest Cipher Four (RC4). Since the initial weaknesses in WEP were discovered, additional methods of attack have been developed and CPU speed has increased, further aiding the attacker.

Read More »

Why Out-of-Cycle Cisco IOS Security Advisories Are a Good Thing

In the first part of 2008 we announced that we would be following a new disclosure schedule for Cisco IOS Security Advisories. This was done in response to customer feedback and the desire to make our advisory announcements more deterministic and less burdensome.

This new schedule means that we now aim to announce groups of Cisco IOS Security Advisories, called “bundles”, only twice a year: on the fourth Wednesdays in March and September. However, as mentioned in the announcement, our policy remains flexible and allows out-of-cycle publications where we feel extraordinary circumstances warrant them. For example, we might publish early for issues that require industry coordination, or when our assessment indicates that an earlier publication would reduce risk to our customers.

Today, on the 8th of September, we did exactly that: we notified our customers of how they may be impacted by a vulnerability disclosed by a third-party coordinator. While not ideal, I believe that out-of-cycle advisories like this one are a good thing.

Read More »

Hacking Small Businesses

I’ve talked to many small business owners about security over the last several years, first as a professional serving that segment and later in casual conversation with friends and business owners in my local community. One question that comes up time and again is “Why would someone hack our computers? Who would even know we exist?” That question has had different answers over the years, and varies depending on the likelihood of targeted attacks versus untargeted ones. Some businesses get by just fine with automatic software updates, strong passwords, and a firewall. Others need more control over their environments, but the attackers have never lost sight of their goal. For the intruders, it’s all about getting what they want and finding out who they can get it from as easily as possible. And these days, they may be taking aim at small business. Read More »

The Check Is Not In the Mail

A bank in the United States, USAA, recently announced a new way their customers can deposit a check into a bank account: capture images on an iPhone and transmit them using an application provided by the bank. In fact, USAA has offered the capability to deposit checks using an ordinary document scanner for several years. Of course, scanners don’t fit in your pocket or purse and are connected to a more traditional personal computer — hence most of us are likely to trust the security of the scanner-based solution because it utilizes technology that has become familiar through regular usage in a variety of ways. More specifically, few people question the security of the transaction when they can see the lock icon in their browser while connected to their bank.

A cursory read of USAA’s terms and conditions suggests that the security (and potential misuse) of the iPhone application has been duly considered. Indeed, USAA is planning to expand the capability to other popular ‘smart’ phones as well. Given the number of publicized security incidents at financial institutions in the last couple of years, does this have the potential to become another vector for miscreants? Read More »

What Makes a Security Website Valuable To You?

It seems like the amount of security information about new vulnerabilities, threats, and attacks is increasing weekly. Staying on top of this information while still getting other work done can become a real challenge. Network World rated the Cisco Security Intelligence Operations Portal one of the top twenty IT Security resources last year, but we want to make it even better. You can help; in just a few minutes, you can complete an online survey and tell us what you want and expect from a security site. We value your input. Read More »

Proving the Negative – Jail Time for Undisclosed Encryption Keys

Since 2000, the United Kingdom has been operating under the Regulation of Investigatory Powers Act (RIPA). Part 3, Section 49 of RIPA has been of particular interest to the security community because it concerns the disclosure of decrypted data or encryption keys. In the course of an investigation, law enforcement officers can invoke Section 49 to compel notice recipients to provide the encryption keys or disclose the decrypted contents of encrypted files. Failure to do so can lead to prosecution, with a potential for two years in jail, or five years in the case of a national security investigation. For the first time since RIPA’s inception, the latest annual report from the Chief Surveillance Commissioner has revealed that this has resulted in jail time. Read More »

Lessons From an Insider Attack on SCADA Systems

The Cyber Risk Report for June 29 to July 5 covered the story of an insider attack at a Dallas, Texas (United States) hospital. The attacker, Jesse “GhostExodus” McGraw, allegedly leveraged his position as a night security guard at the hospital to gain physical access to heating, ventilation, and cooling (HVAC) control systems and manipulate them. The intrusion came to light when security researcher Robert Wesley McGrew of Mississippi State University discovered screenshots taken from the control systems. McGrew approached the United States Federal Bureau of Investigation (FBI) with this evidence, and the FBI then took action against the security guard. According to the Department of Justice press release, the guard was recently indicted by the FBI on felony charges of “transmitting a malicious code”.

McGrew, a supervisory control and data acquisition (SCADA) systems security researcher, realized the seriousness of the threat and notified law enforcement authorities of his findings. The facility could have been in significant danger had the HVAC infrastructure been changed in a way that compromised pharmaceutical storage or stressed the health of patients within the medical facility. Read More »

Surprise, All Your Prefix Are Belong To Us!

Prefix Filter Background

An important Border Gateway Protocol (BGP) protection mechanism is the filtering of routing prefixes received from eBGP peers, which prevents the BGP process from inadvertently installing unwanted or illegal prefixes in the routing table, whether due to malicious intent or simple misconfiguration. Prefix filtering allows a network administrator to permit or deny specific prefixes sent to or received from each eBGP peer, and ensures that network traffic is sent over the intended paths.

A real-life example of what can happen when proper prefix filtering is not implemented was generously provided to us by the ISPs peering with Pakistan Telecom (AS17557) back in February 2008. RIPE NCC published an excellent case study on the event.

Everything was going well and YouTube (AS36561) was announcing 208.65.152.0/22, that is until Sunday, 24 February 2008, when the longest-prefix-match game began. At 18:47 (UTC) that day, Pakistan Telecom (PT) announced a more specific route within YouTube’s block (208.65.153.0/24), which wins under the longest prefix match rule. That route should have been filtered; instead, PCCW Global (AS3491) subsequently propagated the announcement, resulting in traffic to YouTube being redirected to Pakistan Telecom. In a nutshell, this was a prefix hijack as a result of the BGP announcement by PT. This, of course, was not exactly what PT envisioned when they invited YouTube to their BGP Party, nor was it the type of party invite that PCCW Global wanted to propagate. Prefix Filters to the rescue! Read More »

Finding A Needle In A PCAP

When news of Conficker surfaced I obtained a traffic sample from our botnet honeynet. I wanted to see what relevant aggregate information I could extract and see if there was any specific indication of Conficker activity. Using some lightweight tools I was able to quickly analyze my traffic sample and focus further research. I find that these high level analysis techniques lead me to ask the more interesting questions and, more importantly, come to my rescue when I’m pressed for time. Below, I share a little about how I deconstructed the traffic sample, briefly discuss visualization and turn to IPS and Global Correlation to get a bigger perspective on what was happening. Some of my colleagues here in Cisco Security Intelligence Operations (SIO) find these techniques useful so I thought I would pass them on in the hopes that others will as well. I’d like to hear from some of you on your favorite tools and tricks for this sort of sleuth work.

There are some things I should point out before delving into my traffic sample:

  • I sanitized all IP addresses because the hosts in this traffic sample are Internet facing. That is, I replaced all IP addresses with a fictitious FQDN. Hosts with the domain honeynet.eg are on the honeynet and all other hosts use the network.eg domain. The hostnames are randomly selected three-letter words from CrackLib’s dictionary. My fictitious FQDNs are consistent across this post.
  • Some of the xterm windows below may have a scroll bar. It’s easy to miss. Scroll down for more info.
  • The honeynet has several hosts which each have multiple IP addresses. We use this to increase attack surface. Because this isn’t relevant, I normalized the traffic such that each host on my network has one and only one IP address.

Read More »


Video Hijacking Underlines the Need for Architectural Security

At this year’s DEFCON 17 security conference, which ended August 2, several presentations focused on physical security. Jason Ostrom and Arjun Sambamoorthy of Sipera Systems presented on several tools for intercepting, capturing, and spoofing video feeds over the network. Armed with these tools, attackers could eavesdrop on live video conferences, video phone conversations, or IP security cameras. In addition, they demonstrated the ability to capture video feeds and replay video of their choosing. This would allow someone to inject messages into video conferences or to trick security personnel by replaying video, instead of showing live video of a monitored area. Read More »

Security and Network-Based Healthcare

Just read an article in Network World that seems to tie perfectly to my previous post about the intersection between telemedicine and cybersecurity. Read More »

Coming Soon

For those of us whose interests cross sci-fi and the internet (sometimes it seems there’s no difference), we recently celebrated a silver anniversary: 25 years since the publication of William Gibson’s Neuromancer. The book draws me in on so many levels, but what fascinates me most is the security aspect—people are able to ‘jack’ into cyberspace, with corporate and military databases visible as physical constructs, surrounded by an intrusion detection system called ‘ICE’—Neuromancer speak for Intrusion Countermeasure Electronics, according to Wikipedia’s glossary for this iconic book. Hackers, known as ‘cowboys,’ play cat-and-mouse with ever more powerful defenses, with the stakes much higher than they are now. You see where I’m going with this? Read More »

Black Hat USA 2009 Summary

July 30 marked the close of the annual Black Hat USA security conference in Las Vegas, Nevada. Though Black Hat events are held at many venues throughout the year, the Vegas Black Hat Briefings are generally seen as the premier opportunities for disclosing security vulnerabilities or unveiling new research. This year’s conference hosted a number of presentations that made quite a few waves in the security industry and in the press. Cisco Security Intelligence Operations has already alerted you to many of these. Read More »

The Active Template Library Vulnerability: What You Need to Know

On July 28, 2009, Microsoft published two out-of-band security bulletins, MS09-034 and MS09-035, for Internet Explorer and Visual Studio’s Active Template Library. These bulletins are related to MS09-032, which disabled a vulnerable version of Microsoft’s MPEG2TuneRequest ActiveX Control Object, among other things. Cisco has released a Security Advisory that details which products are impacted by this issue as well as those that are not. The team that discovered this vulnerability, Ryan Smith, Mark Dowd and David Dewey, shared their research at Black Hat USA this week. In this post, we share some insight into these vulnerabilities as well as offer advice that can help you minimize the risk of criminals exploiting these vulnerabilities to compromise your network. Read More »

Securing BGP

July 29, 2009 at 12:00 pm PST

Border Gateway Protocol (BGP) is an Internet Engineering Task Force (IETF) standard and the most scalable of all routing protocols. BGP is the routing protocol of the global Internet, as well as of service provider private networks. BGP has expanded upon its original purpose of carrying Internet reachability information and can now carry routes for multicast, IPv6, VPNs, and a variety of other data. For more information on BGP, please reference RFC 1163 and RFC 1267.

The use of BGP as a routing protocol is ubiquitous on the Internet (it is used by both Internet Service Providers (ISPs) and non-ISPs). Because of its prevalence, there is a great deal of concern within the Internet community whenever there is public knowledge of a BGP or TCP-based vulnerability that is being or could be exploited. It is this concern that prompted me to provide you with some helpful techniques to secure BGP. Read More »