Cisco Blogs


Cisco Blog > Security

Adding Data Segment Cross References in IDA

Recently I was working on reverse engineering a 16-bit MS-DOS binary to better understand a network transport protocol used for modem communication in some software I was looking at. I was using the IDA Pro tool for this purpose.

However, to my dismay, after looking at the string table and finding a string that seemed relevant to the particular section of code which I was interested in, I noticed that none of the strings in the string table contained cross reference information, and I was therefore unable to easily jump to the instructions in which it was used.

Upon further analysis, I determined that the reason the cross reference information for the strings in the table was not populated is because the strings resided in the data segment and referenced using the ds segment register.

Read More »

Tags:

Tracking Malicious Activity with Passive DNS Query Monitoring

Ask anyone in the information security field they will tell you:

Security is not fair. There is essentially an unlimited supply of attackers that can test your defenses with impunity until they eventually succeed.

As a member of the Cisco Computer Security Incident Response Team (CSIRT) I’ve seen this asymmetry up close, so I can tell you that good security is really hard. Besides the normal security practices like deploying firewalls, IDS sensors, antivirus (AV), and Web Security Appliances, CSIRT is increasingly looking to the network as a data source. We have been collecting NetFlow for years but we have always wanted additional context for the flow data. While it is true that the Internet is built on TCP/IP, Internet services—both good and bad—are found by name using the Domain Name System (DNS). For years infosec has been network-address-centric and the attackers have adapted. Today it is very common to see malware command and control (C&C) use domain generation algorithms (DGAs), Peer-to-Peer (P2P), or even fast-flux DNS to evade IP address-based detection and blocking. It has become absolutely clear that to keep up with the latest attacks and attackers you must have a view into the DNS activity on your network.

CSIRT has been struggling with limited DNS information for a while now, so I am pleased to say we finally have comprehensive visibility into the DNS activity on our network. Before I dive into how we tackled this problem I should back up and explain a bit more about DNS…

Read More »

Tags: , , , , ,

SIO Portal: Tell Us What You Think!

The Cisco Security Intelligence Operations (SIO) Portal is the primary outlet for Cisco’s security intelligence and the public home to all of our security-related content. This content ranges from Event Responses () to IntelliShield Alerts () to Cisco product Security Advisories (). The SIO Portal is intended to be the first place you visit when looking for security information from Cisco.

Customer input is very important to us. With this in mind, we’ve launched two new customer listening tools on the SIO Portal: an enhanced feedback mechanism and a short six-question survey.

Read More »

Tags: , , , , ,

Student project collaboration with NC State University

It was about a year ago that Dr. Yannis Viniotis, Professor of the Electrical & Computer Engineering (ECE) department at North Carolina State University (NCSU), met with senior Cisco Engineers and agreed to collaborate on several small, hands-on projects with Cisco Engineers and NCSU students.

The NCSU ECE department partners with the industry as part of their Senior Design Project Program, where various vendors serve as sponsors and offer several projects for NCSU students to complete. That is also how the Cisco-NCSU collaboration started. Students get to work on real networking industry problems guided by engineers that already work in the industry. The students gain experience that can be later used in their professional lives. The Cisco engineers get to work with future engineers, mentoring and preparing them for their professional lives and solving some real world technical challenges. It is fun and educational for both sides.

Read More »

Tags: , , ,

Sniffing Out Social Media Disinformation

The raw, edgy nature of social media is part of its charm, and its value. As Cisco’s global threat analyst, I often look at my Twitter feed in the morning before I check mainstream media sites because it provides quick, frequently expert, irreverent analysis on breaking news. In fact, my own concerns about press freedom and objectivity stemming from concentration of mass media ownership arguably strengthens the case for a lively, unregulated social media space. It can serve as a fact checker and whistle blower on traditional news sources. In societies where news outlets may be closely monitored or controlled by the state, social media may provide the only online outlet for uncensored public opinion.

Unfortunately, social media is frequently inaccurate or misleading, with the potential for real-world damage. It isn’t hard to imagine a scenario in which a terrorist coordinates on-the-ground attacks with misleading tweets with the intent to clog roads or phone lines, or send people into the path of danger. Several recent incidents underscore the ease with which social media rumors can compound the impact of real events.

Read More »

Tags: , , ,