The news this week that Japanese researchers have devised a practical method to attack Wi-Fi Protected Access (WPA) with Temporal Key Integrity Protocol (TKIP) encryption in about a minute should not come as earth-shattering news to anyone. Just as earlier encryption methods have been compromised, the contest between security standards and the methods to defeat those standards is a continuously advancing process. The evolving speed of computing equipment has also made attacks much quicker as that equipment has become faster.
Wired Equivalent Protection (WEP), the earliest standard for Wi-Fi encryption was an interim solution that lasted about four years before it was rendered useless by attacks on the protocol and the encryption method used, Rivest Cipher Four (RC4). Since the initial weaknesses in WEP were discovered, additional methods of attack have been developed and CPU speed has increased, further aiding the attacker.
Read More »
In the first part of 2008 we announced that we would be following a new disclosure schedule for Cisco IOS Security Advisories. This was done in response to customer feedback and the desire to make our advisory announcements more deterministic and less burdensome.
This new schedule means that we now aim to announce groups of Cisco IOS Security Advisories, called “bundles”, only twice a year: on the fourth Wednesdays in March and September. However, as mentioned in the announcement, our policy remains flexible in allowing for out-of-cycle publications where we feel extraordinary circumstances warrant. For example, we might announce issues that required industry coordination or if our assessment indicates that an earlier publication would reduce risk to our customers.
Today, on the 8th of September we did exactly that: we notified our customers of how they may be impacted by a vulnerability disclosed by a third-party coordinator. While not ideal, I believe that out-of-cycle advisories like this one are a good thing.
Read More »
I’ve talked to many small business owners about security over the last several years, first as a professional serving that segment and later in casual conversation with friends and business owners in my local community. One question that comes up time and again is “Why would someone hack our computers? Who would even know we exist?” That question has had different answers over the years, and varies depending on the likelihood of targeted attacks versus untargeted ones. Some businesses get by just fine with automatic software updates, strong passwords, and a firewall. Others need more control over their environments, but the attackers have never lost sight of their goal. For the intruders, it’s all about getting what they want and finding out who they can get it from as easily as possible. And these days, they may be taking aim at small business. Read More »
A bank in the United States, USAA, recently announced a new way their customers can deposit a check into a bank account: capture images on an iPhone and transmit them using an application provided by the bank. In fact, USAA has offered the capability to deposit checks using an ordinary document scanner for several years. Of course, scanners don’t fit in your pocket or purse and are connected to a more traditional personal computer — hence most of us are likely to trust the security of the scanner-based solution because it utilizes technology that has become familiar through regular usage in a variety of ways. More specifically, few people question the security of the transaction when they are able to view the lock icon in their browser while connected to their bank.A cursory read of USAA’s terms and conditions suggest that the security (and potential misuses) of the iPhone application have been duly considered. Indeed, USAA is planning to expand the capability to other popular ‘smart’ phones as well. Given the number of publicized security incidents at financial institutions in the last couple of years, does this have the potential to become another vector for miscreants? Read More »
It seems like the amount of security information about new vulnerabilities, threats, and attacks is increasing weekly. Staying on top of this information while still getting other work done can become a real challenge. Network World rated the Cisco Security Intelligence Operations Portal one of the top twenty IT Security resources last year, but we want to make it even better. You can help; in just a few minutes, you can complete an online survey and tell us what you want and expect from a security site. We value your input. Read More »