The case of a video leaked to Wikileaks, together with unconfirmed claims that U.S. State Department cables were taken from classified government networks by an Army intelligence analyst stationed in Iraq, has been widely reported and commented upon, highlighting numerous security, ethical, moral, and legal lapses. There is no doubt that the military and government organizations involved have been conducting similar, less public reviews, and official investigations are continuing. As a case study in security risk, this incident could easily generate a laundry list of issues to be examined and an equally long list of lessons learned. Although many of the details may never be fully disclosed because of the sensitivity of national security, many of the issues are fairly obvious, well known to security professionals, and already highlighted in numerous case studies. Likewise, most of them should already be addressed by the policies, procedures, and controls in place in most business and government environments. The elephant in the room that many would prefer not to discuss, and that is often overshadowed by discussion of technologies and policies, is the people: the most complex of security risks.
Over the last few years, there has been a push to severely limit entire categories of attacks (such as buffer overflows) by combining specific hardware functionality with various compiler options to produce more secure code. When developing software, it is easy to mandate that these compiler options be used, but how does the end user determine whether the options were actually applied to the binary in hand? Before we can determine which compiler options have been enabled, we must first examine some of the functionality that has been developed to help protect code. Some of the options include:
- Address space layout randomization (ASLR)
- Position-independent executable (PIE) or position-independent code (PIC)
- Marking data sections as non-executable
- Detecting stack corruption
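To answer the question of how an end user can tell which of these options were actually applied, the following script is an added example (not code from the original post) that reads the ELF64 headers of a binary directly, with no dependency on readelf or checksec, and reports PIE status (the precondition for ASLR of the main executable), whether the stack is marked non-executable via PT_GNU_STACK, and whether the stack-protector failure handler is referenced. The file name `elf_hardening.py`, the function names and the `build_sample_elf` helper, which fabricates tiny ELF images purely so the check can be exercised offline, are all assumptions of this example.

```python
"""Inspect an ELF64 binary for the hardening options listed above.

Added example, not from the original page: it reads the ELF headers directly
and reports PIE, NX-stack and stack-canary status. build_sample_elf() constructs
minimal ELF images for offline testing; they are not real programs.
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3        # e_type: fixed-address executable vs. PIE/shared object
PT_GNU_STACK = 0x6474E551     # program header carrying the stack's permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
ELF64_EHDR_SIZE = 64
ELF64_PHDR_SIZE = 56


def check_hardening(data: bytes) -> dict:
    """Return PIE / NX-stack / stack-canary findings for an ELF64 little-endian image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("this example only handles ELF64 little-endian (x86-64, AArch64)")

    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    # Walk the program headers for PT_GNU_STACK; its p_flags are the stack
    # permissions the loader applies (linking with -z noexecstack clears PF_X).
    gnu_stack_flags = None
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            gnu_stack_flags = p_flags
            break

    return {
        # ET_DYN means the image is relocatable, so the kernel can load it at a
        # random base (ASLR for the main binary). Shared libraries are ET_DYN as
        # well, so run this on executables. Whether ASLR is actually applied is
        # a runtime kernel setting that no file-level check can prove.
        "pie": e_type == ET_DYN,
        # With no PT_GNU_STACK at all, many kernels fall back to an executable
        # stack, so "absent" counts as not hardened.
        "gnu_stack_present": gnu_stack_flags is not None,
        "nx_stack": gnu_stack_flags is not None and not (gnu_stack_flags & PF_X),
        # -fstack-protector makes instrumented functions call __stack_chk_fail on
        # a canary mismatch; looking for that name is the usual checksec-style
        # heuristic. A stripped static binary, or one in which no function
        # qualified for instrumentation, can defeat it.
        "stack_canary": b"__stack_chk_fail" in data,
    }


def build_sample_elf(pie: bool, nx_stack: bool, canary: bool) -> bytes:
    """Constructed minimal ELF64 image (header + one PT_GNU_STACK entry) for tests."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # 64-bit, LE, version 1
    ehdr = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        ET_DYN if pie else ET_EXEC,            # e_type
        0x3E,                                  # e_machine: x86-64
        1,                                     # e_version
        0,                                     # e_entry
        ELF64_EHDR_SIZE,                       # e_phoff: program headers follow the header
        0,                                     # e_shoff
        0,                                     # e_flags
        ELF64_EHDR_SIZE, ELF64_PHDR_SIZE, 1,   # e_ehsize, e_phentsize, e_phnum
        0, 0, 0,                               # e_shentsize, e_shnum, e_shstrndx
    )
    stack_flags = PF_R | PF_W | (0 if nx_stack else PF_X)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    # A real protected binary references the symbol through its dynamic symbol
    # table; appending the name is enough to exercise the heuristic offline.
    return ehdr + phdr + (b"__stack_chk_fail\x00" if canary else b"")


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} <elf-file>")
        return 2
    with open(argv[1], "rb") as f:
        findings = check_hardening(f.read())
    for name, ok in findings.items():
        print(f"{name:18} {'yes' if ok else 'NO'}")
    return 0 if all(findings.values()) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python elf_hardening.py /path/to/binary`; a non-zero exit status flags any missing protection, which makes the check easy to drop into a build or acceptance pipeline. The `gnu_stack_present` field is reported separately from `nx_stack` because a missing PT_GNU_STACK header and an explicitly executable one are different linker outcomes, even though both leave the stack executable.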
With the continuous flow of varying government regulations surrounding IPv6, I’ve been wondering about the impact on security. Just having addressing support isn’t enough. Lucky for us, today Cisco announced the early availability of cloud-based IPv6 support for the Cisco IronPort Email Security portfolio. Cisco email security customers of all form factors — appliance, cloud and hybrid — are able to send and receive IPv6 emails through the Cisco infrastructure. Customers so far are very pleased.
The continuous growth of the Internet requires that its overall architecture evolve to accommodate new technologies to support the growing numbers of users, applications, appliances, and services. As per Cisco and industry estimates, the IPv4 address space will be exhausted in the next two years. This will cause every organization to face the inevitable transition from IPv4 to IPv6.
In recent months, Cisco Security Intelligence Operations (SIO) has witnessed a rise in criminal activity on IPv6, particularly as sources of email threat messages and in channels used by botnet command-and-control infrastructure.
June 2, 2010 will be a day that Armando Galarraga and the fans of Detroit Tigers baseball will not soon forget. That night, Galarraga came one play short of being awarded a perfect game, a Herculean feat that has been accomplished only 20 times in the more than 100-year history of major league baseball. On what would have been the final play of that game, Galarraga’s attempt to keep the final batter from reaching base was ruled unsuccessful, and instead of a perfect game he was left with the less spectacular distinction of having pitched one of only ten near-perfect games spoiled by the final batter.
Worse still for Tigers fans, the umpire who called the runner safe admitted, upon reviewing footage after the game, that the runner should have been ruled “out,” and that Galarraga should have had his perfect game. But in a case eerily similar to the one we reported on in this week’s Cyber Risk Report (CRR) about a pedestrian who sued Google, it would be disgruntled fans eager to take revenge on the mistaken umpire who would craft the nightmare from which a Toledo man would hope to soon awake.
There isn’t much new or exciting about tabbed web browsing, which has been more or less mainstream for the last five years. Likewise, the HTML standard has allowed a page to refresh to a different URL via meta tags for much longer than that. So what do we make of Aza Raskin’s recent announcement of “tabnabbing” as a new and dangerous in-browser phishing attack? We covered the basic aspects of this threat vector in this week’s Cyber Risk Report, but let’s dive a little deeper here.