Paul Ohm’s recent paper about the failures of anonymization brought to light some very compelling arguments against the practice. The goal of anonymization is to remove personally identifying details from a dataset without destroying its usefulness. As an example, a company might take out names, social security numbers, day and month of birth, street address and credit card information from their customer dataset, but leave purchase history. Such an anonymized dataset might be useful to a marketing partner for identifying trends in generalized demographics that could help them make more effective decisions when marketing products to future and returning customers.
It is almost that time of year again. Our Product Security Incident Response Team (PSIRT) is readying the release of the next bundle of security advisories for Cisco IOS. As stated in the original announcement, bundles are released on the fourth Wednesday in March and September; the next bundle is scheduled for September 23rd. With that in mind, I wanted to take the opportunity to explain some of the wording that is used in advisories.
I can assure you that there is a large effort applied to every security advisory by our technical, legal, and public relations teams to make sure the advisory is both clear and concise. At the same time though, I think reinforcing some key phrases will help you do the important work—assessing your risk due to an advisory—instead of working to understand the words themselves.
Unless you live and breathe security, you might find phrases such as “the improper handling of a crafted packet may allow an unauthenticated attacker to perform remote code execution” to be confusing. Along the same lines, what are mitigations and how are they different from workarounds? What in the world are CoPP and iACLs, and can they buy time before an upgrade is required?
The news this week that Japanese researchers have devised a practical method to attack Wi-Fi Protected Access (WPA) with Temporal Key Integrity Protocol (TKIP) encryption in about a minute should not come as earth-shattering news to anyone. Just as earlier encryption methods have been compromised, the contest between security standards and the methods to defeat those standards is a continuously advancing process. The increasing speed of computing equipment has also made attacks much quicker to carry out.
Wired Equivalent Protection (WEP), the earliest standard for Wi-Fi encryption, was an interim solution that lasted about four years before it was rendered useless by attacks on the protocol and on the encryption method it used, Rivest Cipher Four (RC4). Since the initial weaknesses in WEP were discovered, additional methods of attack have been developed and CPU speed has increased, further aiding the attacker.
In the first part of 2008 we announced that we would be following a new disclosure schedule for Cisco IOS Security Advisories. This was done in response to customer feedback and the desire to make our advisory announcements more deterministic and less burdensome.
This new schedule means that we now aim to announce groups of Cisco IOS Security Advisories, called “bundles”, only twice a year: on the fourth Wednesdays in March and September. However, as mentioned in the announcement, our policy remains flexible in allowing for out-of-cycle publications where we feel extraordinary circumstances warrant them. For example, we might announce issues that required industry coordination, or issues where our assessment indicates that an earlier publication would reduce risk to our customers.
Today, on the 8th of September, we did exactly that: we notified our customers of how they may be impacted by a vulnerability disclosed by a third-party coordinator. While not ideal, I believe that out-of-cycle advisories like this one are a good thing.
I’ve talked to many small business owners about security over the last several years, first as a professional serving that segment and later in casual conversation with friends and business owners in my local community. One question that comes up time and again is “Why would someone hack our computers? Who would even know we exist?” That question has had different answers over the years, and varies depending on the likelihood of targeted attacks versus untargeted ones. Some businesses get by just fine with automatic software updates, strong passwords, and a firewall. Others need more control over their environments, but the attackers have never lost sight of their goal. For the intruders, it’s all about getting what they want and finding out who they can get it from as easily as possible. And these days, they may be taking aim at small business.