When Fox-IT published their report regarding malvertisements coming from Yahoo, they estimated the attack began on December 30, 2013, while also noting that other reports indicated the attack may have begun earlier. Meanwhile, Yahoo intimated a different timeframe for the attack, claiming “From December 31 to January 3 on our European sites, we served some advertisements that did not meet our editorial guidelines – specifically, they spread malware.”
With so much uncertainty regarding this attack, Cisco TRAC decided to review what data we had to see if we could sort out some of the competing claims. Cisco Security Intelligence Operations data regarding the Yahoo incident supports the conclusion that the attack against Yahoo began on December 31. However, the malicious advertisements were just one attack in a long series of other attacks waged by the same group.
Read More »
Tags: malware, TRAC
One of the things I like best about Cisco’s focus on security is the internal SecCon conference we put on each year. It focuses on security threats, defenses, and innovation. Although I participate as a trainer, organizer, and reviewer, my favorite role this year was as an attendee. The conference theme, The State of the Hack, encompassed many elements, but the key one for me was trust and the human element.
The two external keynotes set the tone for talking about trust. Bruce Schneier started by pointing out that trust is an inherent element of living in a society of humans. It allows people to work together, and enables banking, transport, commerce, government, and all the elements necessary for a society to function. Without it, we’d have to raise our own food, and live independently of electricity, money, and even neighbors. Bruce mentioned the four mechanisms that enforce trust: morals, reputation, institutional (rules), and security systems. As security practitioners, we tend to focus on the latter, but should remember the first three as well. Reputation is the currency of trust, and is what allows us to trust financial institutions, police, friends, and our food supply. Reputation takes a long time to build up, over many interactions. Banks and stores need to be in business for years to build trust. You trust your friends and neighbors gradually with money, keys, and babysitting. But trust can be destroyed in just one action, as many transgressing politicians and security-breached vendors can attest.
Read More »
Tags: SecCon, security
There are many advantages in outsourcing functions to specialist providers that can supply services at lower cost and with more functionality than could be supplied in-house. However, companies should be aware that when buying services, you may also be buying risk. Organisations that have successfully implemented strategies to reduce the probability of experiencing a breach, and to decrease the time required to discover and remediate breaches, may still encounter embarrassing public breaches via third parties. Within the past two weeks, we have seen two examples of companies having their websites defaced apparently due to security lapses in service providers.
Read More »
Tags: dns, TRAC
The website of the OpenSSL project, which provides a widely-used SSL/TLS implementation, was breached on 29th December and defaced (OpenSSL.org announcement). This defacement only affected the website of the project, however. The OpenSSL project has since checked the cryptographic hashes of the OpenSSL source code and confirmed that the source code has not been modified or compromised in any way. A compromise of the source code could result in a backdoor or other vulnerability being introduced. This is an important point since the Debian release of OpenSSL in 2006 had a bug which weakened the random number generator (wikipedia). However, the most worrying development of this breach is the way that the website was compromised, which was through the virtualization infrastructure of their hosting provider IndIT Hosting.
Whilst there are many potential avenues of attack against a website, what makes this attack notable is that instead of attacking the website directly, they attacked the hosting infrastructure of the website itself. In this case, it was the Virtual Machine hosting infrastructure operated by the openssl.org hosting provider. VMWare, whose products were used to host the OpenSSL website issued the following statement:
Read More »
It’s December and the 2013 cyber security news cycle has just about run its course. We’ve seen more and increasingly virulent attacks, continued “innovation” by adversaries, and a minor revival of distributed denial of services (DDOS) actions perpetrated by hacktivists and other socio-politically motived actors.
Against this, Cisco stood up tall in recognizing the importance of strong security as both an ingredient baked into all Cisco products, services, and solutions, and a growing understanding of how to use the network to identify, share information about, and defeat threats to IT assets and value generation processes. I can also look back at 2013 as the year that we made internal compliance with the Cisco Secure Development Lifecycle (CSDL) process a stop-ship-grade requirement for all new Cisco products and development projects. Read More »
Tags: asr, CSDL, CSO, cyber security, DDoS, John Stewart, security