Cisco Blogs


Cisco Blog > Threat Research

Research Spotlight: Exploiting Use-After-Free Vulnerabilities

This blog post was authored by Earl Carter & Yves Younan.

Talos is constantly researching the ways in which threat actors take advantage of security weaknesses to exploit systems. Yves Younan of Talos will be presenting at CanSecWest on Friday March 20th. The topic of his talk will be FreeSentry, a software-based mitigation technique developed by Talos to protect against exploitation of use-after-free vulnerabilities. Use-after-free vulnerabilities have become an important class of security problems due to the existence of mitigations that protect against other types of vulnerabilities, such as buffer overflows.

Read More »

Tags: ,

Talos Discovery Spotlight: Hundreds of Thousands of Google Apps Domains’ Private WHOIS Information Disclosed

This post was authored by Nick Biasini, Alex Chiu, Jaeson Schultz, and Craig Williams. Special thanks to William McVey for his contributions to this post.

Table of Contents

Overview
WHOIS Privacy Protection
Why Does This Exist
The Issue
Implications for the Good/Bad Guys
Current State and Mitigations
Disclosure Timeline
Conclusion
Footnotes

Overview

In mid-2013, a problem occurred that slowly began unmasking the hidden registration information for owners’ domains that had opted into WHOIS privacy protection. These domains all appear to be registered via Google App [1], using eNom as a registrar. At the time of writing this blog, there are 305,925 domains registered via Google’s partnership with eNom. 282,867 domains, or roughly 94% appear have been affected [2]. (Google reports that new domains which have not faced a renewal period are not affected and many businesses do not opt into their privacy service.) The information disclosed included full names, addresses, phone numbers, and email addresses for each domain. The information was leaked in the form of WHOIS records.

The graphic above illustrates the drastic shift in domains utilizing privacy protection (dark green) to those with WHOIS information exposed (light green). At its peak at least 90% of the domains registered were utilizing privacy protection which plummeted to less than 1%. The grey circle indicates the initial shift occurring. The arrow notes when resolution had occurred.

The graphic above illustrates the drastic shift in domains utilizing privacy protection (dark green) to those with WHOIS information exposed (light green). At its peak at least 90% of the domains registered were utilizing privacy protection which plummeted to less than 1%. The grey circle indicates the initial shift occurring. The arrow notes when resolution had occurred.

Read More »

Tags: , , , ,

Microsoft Patch Tuesday for March 2015: 14 Bulletins Released; FREAK Patched

Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products.  This month’s release sees a total of 14 bulletins being released which address 45 CVEs.  The first 5 bulletins are rated critical and address vulnerabilities within Internet Explorer, Office, Windows, and VBScript. The remaining 9 bulletins are rated important and cover vulnerabilities within Windows Kernel Mode Drivers, Exchange, Task Scheduler, Remote Desktop, SChannel, and the Microsoft Graphics component. Read More »

Tags: , , , , ,

Mitigations Available for the DRAM Row Hammer Vulnerability

This blog post was authored by Troy Fridley and Omar Santos of Cisco PSIRT.

On Mar 9 2015, the Project Zero team at Google revealed findings from new research related to the known issue in the DDR3 Memory specification referred to as “Row Hammer”. Row Hammer is an industry-wide issue that has been discussed publicly since (at least) 2012.

The new research by Google shows that these types of errors can be introduced in a predictable manner. A proof-of-concept (POC) exploit that runs on the Linux operating system has been released. Successful exploitation leverages the predictability of these Row Hammer errors to modify memory of an affected device. An authenticated, local attacker with the ability to execute code on the affected system could elevate their privileges to that of a super user or “root” account. This is also known as Ring 0. Programs that run in Ring 0 can modify anything on the affected system. Read More »

Tags: , , , , , ,

AMP Threat Grid Empowers Law Enforcement to Fight Cybercrime

Recognizing the critical need for state and local law enforcement agencies to have state-of-the art technologies to effectively fight digital crime, Cisco is creating the AMP Threat Grid for Law Enforcement Program. The program is designed to empower those working to protect our communities from cybercriminals with its dynamic malware analysis and threat intelligence platform.

Computers are central to modern criminal investigations, whether as instruments to commit the crime, as is the case for phishing, hacking, fraud or child exploitation; or as a storage repository for evidence of the crime, which is the case for virtually any crime. In addition, those using computers for criminal activity continue to become more sophisticated, and state and local law enforcement agencies struggle to keep up with their internal computer forensics / digital investigation capabilities. Malware analysis is also a critical part of digital investigations: to prove or disprove a “Trojan Defense” for suspects, wherein the accused rightly or falsely claims a malicious software program conducted the criminal activity and not the user; and to investigate unknown software and suspicious files on the computers of the victims of cybercriminal activity for evidence of the crime.

Read More »

Tags: , , , , , , , ,