The week of November 10 was filled with learning and excitement for security technology enthusiasts at Cisco’s Bangalore campus as people gathered for SecCon-X 2014, Cisco’s largest annual cross-company security conference. The event grew in scope and content compared to last year: it opened with a dedicated customer engagement event, followed by two days of conference activities, including 21 presentations and 2 panel discussions by a varied mix of speakers and panelists from industry, academia, and Cisco. The sessions were packed, with 250+ participants and 350+ IP TV viewers each day, which showed how much the Cisco community in Bangalore relished the event. The huge buzz around the vendor expo booths and the poster walls was heartening to see.
What was new this year?
- 11 boot camp and training sessions on a wide range of security technology topics.
- The Customer Engagement Event was a huge success with 20+ customers participating in the event, which enabled Cisco to communicate our vision, demonstrate our solutions, and hear from customers on the challenges they faced in the evolving threat landscape.
- Events like Hack Your Device (7 teams filed security defects on various products), Capture The Flag (116 participated and 10 captured all the flags), and a Lunch & Learn session for Cisco Women in Cyber Security were well arranged and much appreciated by all attendees.
Tags: Bangalore, Capture the Flag, Cisco Women in Cyber Security, SecCon 2014, security
The ELK stack is a set of analytics tools. Its initials represent Elasticsearch, Logstash and Kibana. Elasticsearch is a flexible and powerful open source, distributed, real-time search and analytics engine. Logstash is a tool for receiving, processing and outputting logs, like system logs, webserver logs, error logs, application logs and many more. Kibana is an open source (Apache-licensed), browser-based analytics and search dashboard for Elasticsearch.
ELK is a useful, efficient and fully open source analytics platform, and we wanted to use it to consume flow analytics from a network. We chose ELK because it handles large volumes of data efficiently, is open source, and is highly customizable to the user’s needs. The flows were exported by various hardware and virtual infrastructure devices in NetFlow v5 format; Logstash was responsible for processing them and storing them in Elasticsearch, and Kibana, in turn, for reporting on the data. Given that there were no complete guides on how to use NetFlow with ELK, below we present a step-by-step guide on how to set up ELK from scratch and enable it to consume and display NetFlow v5 information. Readers should note that the Elasticsearch ecosystem includes further tools, such as Shield (securing Elasticsearch) and Marvel (monitoring it), but their use falls outside the scope of this guide.
In our setup, we used
- Elasticsearch 1.3.4
- Logstash 1.4.2
- Kibana 3.1.1
For our example purposes we deployed a single-node Elasticsearch cluster, with that one node responsible for both collecting and indexing data. Experienced users can scale this out to a multi-node cluster, which Kibana consumes in exactly the same way. Elasticsearch, Logstash and Kibana were all running on our Ubuntu 14.04 server with IP address 10.0.1.33. Note that Elasticsearch 1.x exposes its HTTP port (9200) without authentication by default, and Kibana 3 queries Elasticsearch directly from the browser, so a node like this should be reachable only from trusted hosts (a host firewall or a reverse proxy in front of port 9200) rather than from the whole network. For more information on clusters, nodes and shards, refer to the Elasticsearch guide.
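To make concrete what Logstash has to do with each datagram the exporters send, here is a decoder for the NetFlow v5 wire format that turns one datagram into flat JSON documents of the kind indexed into Elasticsearch. This is an added example and not code from the original post or from Logstash; the field names mirror the usual NetFlow naming but are our choice, the sample datagram is constructed rather than captured, and the exporter uptime, export time and addresses in it are assumptions.

```python
"""NetFlow v5 decoder that turns exporter datagrams into Elasticsearch-ready
documents. Added example: not code from the original post or from Logstash.
The sample datagram at the bottom is constructed, not captured traffic."""
import json
import socket
import struct
from datetime import datetime, timedelta, timezone

# NetFlow v5 wire layout: a 24-byte header followed by up to 30 fixed-size
# 48-byte flow records, every field big-endian.
HEADER_FMT = "!HHIIIIBBH"
RECORD_FMT = "!IIIHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48
MAX_RECORDS = 30
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def _ip2str(n):
    return socket.inet_ntoa(struct.pack("!I", n))


def _str2ip(s):
    return struct.unpack("!I", socket.inet_aton(s))[0]


def parse_netflow_v5(datagram):
    """Decode one v5 datagram into a list of flat dicts, one per flow.
    Raises ValueError on anything malformed, so a truncated or spoofed
    packet is dropped instead of being indexed as garbage."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than the 24-byte v5 header")
    (version, count, sys_uptime_ms, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = struct.unpack_from(HEADER_FMT, datagram)
    if version != 5:
        raise ValueError("not NetFlow v5 (version=%d)" % version)
    if count > MAX_RECORDS or len(datagram) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count %d does not match datagram length %d"
                         % (count, len(datagram)))
    # The header carries the absolute export time; per-flow first/last are
    # exporter uptimes in ms, so anchor them to the uptime in the header.
    export_time = (datetime.fromtimestamp(unix_secs, tz=timezone.utc)
                   + timedelta(microseconds=unix_nsecs // 1000))

    def uptime_to_utc(uptime_ms):
        return export_time - timedelta(milliseconds=sys_uptime_ms - uptime_ms)

    flows = []
    for i in range(count):
        (src, dst, nexthop, in_if, out_if, pkts, octets, first_ms, last_ms,
         sport, dport, _pad1, tcp_flags, proto, tos, src_as, dst_as,
         src_mask, dst_mask, _pad2) = struct.unpack_from(
            RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        flows.append({
            "@timestamp": export_time.isoformat(),
            "engine_type": engine_type, "engine_id": engine_id,
            "flow_seq_num": flow_seq + i,  # header seq is that of record 0
            "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF,
            "ipv4_src_addr": _ip2str(src), "ipv4_dst_addr": _ip2str(dst),
            "ipv4_next_hop": _ip2str(nexthop),
            "input_snmp": in_if, "output_snmp": out_if,
            "in_pkts": pkts, "in_bytes": octets,
            "first_switched": uptime_to_utc(first_ms).isoformat(),
            "last_switched": uptime_to_utc(last_ms).isoformat(),
            "duration_ms": last_ms - first_ms,
            "l4_src_port": sport, "l4_dst_port": dport,
            "tcp_flags": tcp_flags, "protocol": proto,
            "protocol_name": PROTO_NAMES.get(proto, str(proto)),
            "src_tos": tos, "src_as": src_as, "dst_as": dst_as,
            "src_mask": src_mask, "dst_mask": dst_mask,
        })
    return flows


def build_netflow_v5(records, sys_uptime_ms=600000, unix_secs=1415577600,
                     flow_seq=1000):
    """Encode flow dicts as a v5 datagram; used here only to build test input."""
    header = struct.pack(HEADER_FMT, 5, len(records), sys_uptime_ms, unix_secs,
                         0, flow_seq, 0, 0, 0)
    body = b"".join(struct.pack(
        RECORD_FMT, _str2ip(r["src"]), _str2ip(r["dst"]), _str2ip(r["nexthop"]),
        r["in_if"], r["out_if"], r["pkts"], r["octets"], r["first_ms"],
        r["last_ms"], r["sport"], r["dport"], 0, r["tcp_flags"], r["proto"], 0,
        r["src_as"], r["dst_as"], r["src_mask"], r["dst_mask"], 0)
        for r in records)
    return header + body


# Constructed sample: an HTTPS session and a DNS query as an exporter with
# uptime 600 s would report them at 2014-11-10 00:00:00 UTC.
SAMPLE_DATAGRAM = build_netflow_v5([
    dict(src="10.0.1.33", dst="203.0.113.10", nexthop="10.0.1.1", in_if=1,
         out_if=2, pkts=12, octets=4096, first_ms=590000, last_ms=599000,
         sport=52000, dport=443, tcp_flags=0x1B, proto=6, src_as=0,
         dst_as=64496, src_mask=24, dst_mask=0),
    dict(src="10.0.1.33", dst="10.0.1.1", nexthop="0.0.0.0", in_if=1,
         out_if=0, pkts=1, octets=72, first_ms=598500, last_ms=598500,
         sport=41234, dport=53, tcp_flags=0, proto=17, src_as=0, dst_as=0,
         src_mask=24, dst_mask=24),
])

if __name__ == "__main__":
    for doc in parse_netflow_v5(SAMPLE_DATAGRAM):
        print(json.dumps(doc))  # one JSON document per flow, ready to index
```

In the setup described above this decoding is done inside Logstash by its netflow codec on a UDP input, and the output is what Elasticsearch indexes and Kibana charts. Two details worth keeping in mind when reading the resulting documents: the per-flow start and end times are exporter uptimes, so they are only as accurate as the exporter's clock relative to the export timestamp, and the length check on the datagram matters because the collector port is an unauthenticated UDP listener that anyone on the network can send to.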
Tags: Big Data, big data analytics, netflow, security
This post was written by Marcin Noga with contributions by Earl Carter and Martin Lee.
New vulnerabilities for old operating systems may not seem particularly interesting, until you consider the large number of legacy machines running outdated versions of Windows. Windows XP has reached its end of life, meaning that new vulnerabilities will not be patched. In this post we will show that a recent vulnerability can be used as a platform for exploiting Windows XP.
In October, Microsoft released a bulletin for a privilege escalation vulnerability in the FASTFAT driver:
MS14-063 — Vulnerability in FAT32 Disk Partition Driver Could Allow Elevation of Privilege (2998579), CVE-2014-4115.
Let me present some of the most interesting parts of the advisory and add some details from my own research.
When the bug kicks in…
In the advisory, Microsoft indicates that the following operating systems are vulnerable:
- Microsoft Windows Server 2003 SP2
- Vista SP2
- Server 2008 SP2
The Microsoft bulletin does not mention Windows XP, since Windows XP is no longer supported. According to my research, however, this vulnerability is also present in the Windows XP FASTFAT driver.
See the following video.
This vulnerability can be exploited on Windows XP SP3 using a malicious USB stick with a malformed FAT32 partition. Let’s examine the system’s reaction when the USB stick is inserted.
Tags: CVE-2014-4115, Fat32, MS14-063, Talos, vulnerability, Windows XP
This post was authored by Alex Chiu with contributions from Joel Esler.
Advanced persistent threats are a problem that companies and organizations of all sizes face. In the past two days, information regarding a highly targeted campaign known as ‘Regin’ has been publicly disclosed. The threat actors behind ‘Regin’ appear to be targeting organizations in the Financial, Government, and Telecommunications verticals as well as research institutions in the Education vertical. Talos is aware of these reports and has responded to the issue in order to ensure our customers are protected.
Tags: AMP, APT, clamAV, Regin, Snort, Talos
Let’s face it, malware is everywhere now, and it’s here to stay. The statistics are staggering. According to the 2014 Cisco Annual Security Report, “100 percent of the business networks analyzed by Cisco had traffic going to websites that host malware” and 96 percent of the business networks analyzed had connections to known hijacked infrastructure or compromised sites. It’s a pretty scary reality for organizations and the security teams that are tasked with protecting these organizations from threats.
Not only is malware abundant and pervasive, but it comes in all shapes and sizes, including trojans, adware, worms, downloaders, droppers, ransomware, and polymorphic malware to name a few. Furthermore, it’s attacking us on all fronts, regardless of the device or operating system that we are using.
Tags: AMP, cisco annual security report, malware, security