Dangerous Clipboard: Analysis of the MS15-072 Patch

This post was authored by Marcin Noga with contributions from Jaeson Schultz.

Have you ever thought about how security researchers take a patch that has been released, and then reverse it to find the underlying security issue? Well, back in July Microsoft released security bulletin MS15-072, titled: “Vulnerability in Windows Graphics Component Could Allow Elevation of Privilege (3069392)”. According to Microsoft, this vulnerability “could allow elevation of privilege if the Windows graphics component fails to properly process bitmap conversions.” Talos decided to have a deeper look at this vulnerability in order to better understand it, and this post describes the details of this process so that our readers may gain a better understanding of how this is done.

Connected Analytics: Learn to Live on the Edge – and Love It!

Not surprisingly, as a networking company Cisco frequently publishes predictions on the growth of Internet traffic. No bragging intended, but typically the forecasts are pretty accurate. In a 2012 report we predicted that by 2017 there would be 2.5 devices and related connections for every person on earth, while there would be 5 devices and related connections for every Internet user in the same year. In the same report, we also predicted that this burst in hyperconnectivity – including machine to machine connections that are increasingly prevalent with growth of the Internet of Things (IoT) – would create more global network traffic in 2017 alone than in all prior “Internet years” combined.

How correct were our predictions? You don’t have to wait until 2017 for an answer. Welcome to the early arrival of the future of networked communications – a future where the hyper-distribution of information is driving new business demands, and where the old rules of data management and analytics no longer apply. Data is no longer passive. Central stores of stale information aren’t sufficient. Analytics can’t be an afterthought. The new rules require that you live your business daily on the edge of your network, where vital customer and market data is created. And you need to be prepared to respond to what you learn immediately. Are you ready to live on the edge?

The Future is Now . . . Like it or Not

Apple iOS 8 and MAC Randomization: What It Means for Cisco’s Connected Mobile Experiences (CMX) Solution

As you may have read, Apple’s iOS 8 will come with some changes to the way MAC addresses are exposed in Wi-Fi probe requests. Apple’s intent was to provide an additional layer of privacy for consumers and target those companies that offer analytics without providing any value to the end consumer. We’ve been getting some questions about what this means and how it impacts our Connected Mobile Experiences (CMX) solution, so we wanted to clear this up for our customers.

What does this mean for you? 

First and foremost, Cisco has always been dedicated to privacy for our customers and their end-users. There are four aspects of privacy that are built into our CMX solution:

1. Anonymous Aggregate Information: All analytics are based on aggregate, anonymized location data.

2. Permission-based: Users have to opt in to join a Wi-Fi network or download an app.

3. MAC Address Hash: Users’ MAC addresses can be hashed before being exposed to 3rd party apps.

4. Opt Out: End-users are always presented with the option to opt out of location-based services.

The true value of CMX analytics for organizations is in aggregate location data to be used for business analysis to improve the customer experience for end-users. Providing customers with high performing Wi-Fi not only keeps always-on mobile users happy and opens the doors to delighting customers with more personalized experiences, but also helps provide more granularity to those aggregate trends to feed back into the experience creation machine. Win-win.

What does this mean for our CMX value proposition?

Attack Analysis with a Fast Graph

This post is co-authored by Martin Lee, Armin Pelkmann, and Preetham Raghunanda.

Cyber security analysts tend to redundantly perform the same attack queries with different input data. Unfortunately, the search for useful meta-data correlation across proprietary and open source data sets may be laborious and time consuming with relational databases, as multiple tables are joined and queried, and the results inevitably take too long to return. Enter the graph database, a fundamentally improved database technology for specific threat analysis functions. Representing information as a graph allows the discovery of associations and connections that are otherwise not immediately apparent.

Within basic security analysis, we represent domains, IP addresses, and DNS information as nodes, and represent the relationships between them as edges connecting the nodes. In the following example, domains A and B are connected through a shared name server and MX record despite being hosted on different servers. Domain C is linked to domain B through a shared host, but has no direct association with domain A.

This ability to quickly identify domain-host associations brings attention to further network assets that may have been compromised, or assets that will be used in future attacks.
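As an added example (not code from the post or from the TRAC team), the following Python models the A/B/C scenario above as a graph and runs the two queries an analyst actually wants from it: which infrastructure two domains share, and which further domains can be reached by pivoting through shared hosts, name servers and MX records. The domain names, IPs and record values are constructed sample data, and the hop-limited pivot generalizes the three-domain picture to any set of DNS observations.

```python
from collections import defaultdict, deque

# Constructed sample observations shaped like the post's example:
# A and B share a name server and an MX host but sit on different IPs;
# C shares B's IP but has nothing in common with A.
# Each triple is (domain, record_type, value).
RECORDS = [
    ("domain-a.example", "A",  "192.0.2.10"),
    ("domain-a.example", "NS", "ns1.shared-dns.example"),
    ("domain-a.example", "MX", "mail.shared-mx.example"),
    ("domain-b.example", "A",  "192.0.2.20"),
    ("domain-b.example", "NS", "ns1.shared-dns.example"),
    ("domain-b.example", "MX", "mail.shared-mx.example"),
    ("domain-c.example", "A",  "192.0.2.20"),
    ("domain-c.example", "NS", "ns1.other-dns.example"),
]


def build_graph(records):
    """Build an undirected graph from (domain, rtype, value) triples.

    Nodes are domains and infrastructure values (IPs, name servers, mail
    hosts); each edge carries the DNS record type that links the two nodes.
    Returns (adjacency, domains) so callers can tell the node kinds apart.
    """
    adjacency = defaultdict(dict)   # node -> {neighbour: record_type}
    domains = set()
    for domain, rtype, value in records:
        domains.add(domain)
        adjacency[domain][value] = rtype
        adjacency[value][domain] = rtype
    return adjacency, domains


def shared_infrastructure(adjacency, d1, d2):
    """Infrastructure nodes directly shared by two domains, as (node, rtype)."""
    return sorted((node, rtype) for node, rtype in adjacency[d1].items()
                  if node in adjacency[d2])


def shortest_path(adjacency, start, goal):
    """Breadth-first search; returns the node list from start to goal, or None.

    The returned path alternates domain / infrastructure nodes, which is the
    chain of evidence an analyst would cite for an indirect association.
    """
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = parents[node]
            return path[::-1]
        for neighbour in adjacency[node]:
            if neighbour not in parents:
                parents[neighbour] = node
                queue.append(neighbour)
    return None


def related_domains(adjacency, domains, seed, max_hops):
    """Domains reachable from `seed` within `max_hops` domain-to-domain hops.

    One hop means "shares at least one infrastructure node".  Limiting hops
    keeps a pivot from exploding through heavily shared hosting, which is the
    usual source of false associations in this kind of analysis.
    """
    seen = {seed: 0}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        if seen[current] >= max_hops:
            continue
        for infra in adjacency[current]:
            for other in adjacency[infra]:
                if other in domains and other not in seen:
                    seen[other] = seen[current] + 1
                    queue.append(other)
    return sorted(d for d in seen if d != seed)


if __name__ == "__main__":
    graph, domains = build_graph(RECORDS)
    print(shared_infrastructure(graph, "domain-a.example", "domain-b.example"))
    print(shortest_path(graph, "domain-a.example", "domain-c.example"))
    print(related_domains(graph, domains, "domain-a.example", max_hops=2))
```

With the sample records, A and B share the name server and MX host, A and C share nothing directly, and a two-hop pivot from A reaches C only by way of B's IP address; a one-hop pivot stops at B. In a real graph database the same queries are traversals, but the node and edge model is what matters, and it is the same here.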


Angling for Silverlight Exploits

This post is co-authored by Andrew Tsonchev, Jaeson Schultz, Alex Chiu, Seth Hanford, Craig Williams, Steven Poulson, and Joel Esler. Special thanks to co-author Brandon Stultz for the exploit reverse engineering.

Silverlight exploits are the drive-by flavor of the month. Exploit Kit (EK) owners are adding Silverlight to their update releases, and since April 23rd we have observed substantial traffic (often from malvertising) being driven to Angler instances partially using Silverlight exploits. In fact, in this particular Angler campaign the attack is more specifically targeted at Flash and Silverlight vulnerabilities, and though Java is available and referenced in the original attack landing pages, it is never triggered.

Rise in Angler Attacks

HTTP requests for a specific Angler Exploit Kit campaign

Exploit Content Type

Angler exploit content types delivered to victims, application/x-gzip (Java) is notably absent
