Cisco Blogs


Cisco Blog > Security

NCSAM Tip #4: The Hidden Data in JPG Photos

Digital photography has certainly brought considerable joy into the lives of millions of people around the world, but there are also security implications and they may be somewhat different than what many people believe. Many images, including JPGs, can contain metadata, data about the data in the image. To illustrate, I took a picture of the Ike cutout in front of my cube.

ike

Seems harmless enough, but let’s take a look at the EXIF data in this image.

I used http://regex.info/exif.cgi but there are other sites and apps that will let you view and/or manipulate EXIF data. Per regex.info here is some of the EXIF data:

Basic Image Information

Description: SAMSUNG
Camera: Samsung GT-I9000
Lens: 3.5 mm (Max aperture f/2.6)
Exposure: Auto exposure, Program AE, 1/13 sec, f/2.6, ISO 100
Flash: Off, Did not fire
Date: September 15, 2011 9:26:08AM
Location: 37° 24′ 30″N, 121° 55′ 39″WAltitude: 0 m
Timezone guess from earthtools.org: 8 hours behind GMT
File: 1,920 × 2,560 JPEG (4.9 megapixels)
1,542,855 bytes (1.5 megabytes) Image compression: 90%

Look, it put me correctly in Building 17.

Read More »

Tags: , , ,

Top of Mind: Problems with SSL, solved with DNSSEC?

Lately we have seen various attacks against the various SSL/TLS usages that we have in the world. The attacks have not been technical per se, but instead use weaknesses in the procedures that are used to get a certificate. Lets first look at how trust is built up using SSL.

Read More »

Tags: , , ,

NCSAM Tip #3: What You Should Consider to be a Secure Password

Passwords are the prevalent means of authentication. Even though there have been many complementary authentication mechanisms and schemes, passwords are used almost everywhere that a user wants to prove that he knows a secret that only he is supposed to know. On the other hand, if someone else can guess that password, along with the username (often easy to find), then he could pretend he is the user and do all sorts of things on his behalf. We have seen multiple examples of corporate executives having their personal email accounts hijacked. We have seen celebrities having their Twitter accounts stolen and posting things they would never do. We also have seen studies that show that a vast majority of users still use standard and pretty easy password to guess.

It is common knowledge that passwords need to be hard to guess; that is a requirement. Andy Balinsky’s post describes some guideliness about choosing numeric passwords (aka for handheld devices). In the same context, David McGrew’s post provides a script that can generate random keys that can be used for pre-shared key authentication. Electronic user passwords are a little different because they involve letters and completely depend on the user (system checks are usually also employed). Users need to be able to chose and remember them in order to use them when needed. But the “hard to guess” and the “easy to remember” requirements don’t go well together and that is the basic challenge.

Read More »

Tags: , ,

NCSAM Tip #2: Keeping Your Software Up-to-Date

As software manufacturers fix security vulnerabilities they will often release new versions of their software for their users. This is a good thing and aims to protect us from many potential online threats, such as trojans that steal our personal information, or scareware that serves no legitimate purpose. However, it begs the question: How do we users learn of this newer software so that we can be protected?

Like most things, the answer is, of course: it depends. ;)

Read More »

Tags: ,

NCSAM Tip #1: Social Networking Safety

October 3, 2011 at 5:00 am PST

In today’s Cyber Security Awareness Month Tip of the Day we revisit a past post to once again focus on the fact that millions of individuals are victims of their own carelessness by freely posting information such as vacation plans and family photos on social networks, and by storing Personally Identifiable Information (PII) such as medical records and financial information on mobile devices. Users are sometimes not sufficiently educated when it comes to what types of information should be shared, and with whom they should be sharing this information.

Read More »

Tags: , , , ,