Some of you may remember Marathon Man, starring Laurence Olivier as the evil Nazi dentist Dr. Christian Szell, and Dustin Hoffman as a graduate student nicknamed Babe. Szell has come to New York from his South American jungle hideaway to retrieve a cache of diamonds, but he’s not sure he won’t be walking into a trap. He thinks Babe knows, and tortures him by repeatedly asking, “Is it safe?”
Szell: “Is it safe? Is it safe?”
Babe: “You’re talking to me?”
Szell: “Is it safe?”
Babe: “Is what safe?”
Szell: “Is it safe?”
Babe: “I don’t know what you mean. I can’t tell you something’s safe or not unless I know specifically what you’re talking about.”
It’s a scary scene.
I’m reminded of it whenever people ask or say: “Is the cloud secure?” or “Public clouds aren’t secure” or “Multitenant applications aren’t secure.”
So, is your cloud safe? Is it secure?
Privacy and human rights advocates, technology companies, and trade associations have today called on U.S. political leaders to reform the country’s surveillance laws. We add our voice to those calls. These reforms will help show the world that the U.S. Government is ready to lead the dialogue on global standards of conduct, and wants to further build international trust with citizens – a cornerstone for our industry.
We also see a need for governments to agree on transparent standards of conduct. Building a system with appropriate safeguards and limits will serve both national security objectives and the needs of global commerce. In May 2014, Cisco offered a series of recommendations that support customer confidence in the global internet economy, while respecting the role that governments need to play in ensuring the physical safety and the economic security of their citizens. Governments and industry players need to deliver these outcomes for our future. Cisco is ready to play our part and we believe our peers and colleagues in industry and government are as well.
Today, we released the first ever Cisco IOS Software and IOS XE Software Security Advisory Bundled Publication. As a reminder, Cisco discloses IOS vulnerabilities on a predictable schedule (on the fourth Wednesday of March and September each calendar year). In direct response to your feedback, we have also included a Cisco Security Advisory addressing vulnerabilities in Cisco IOS XE Software in this publication. We hope this timeline and additional “bundling” continues to allow your organization to plan and ensure resources are available to analyze, test, and remediate vulnerabilities in your environments.
Today’s edition of the Cisco IOS Software Security Advisory Bundled Publication includes seven advisories that affect the following technologies:
Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release sees a total of 14 bulletins being released which address 45 CVEs. The first 5 bulletins are rated critical and address vulnerabilities within Internet Explorer, Office, Windows, and VBScript. The remaining 9 bulletins are rated important and cover vulnerabilities within Windows Kernel Mode Drivers, Exchange, Task Scheduler, Remote Desktop, SChannel, and the Microsoft Graphics component.
This blog post was authored by Troy Fridley and Omar Santos of Cisco PSIRT.
On Mar 9 2015, the Project Zero team at Google revealed findings from new research related to the known issue in the DDR3 Memory specification referred to as “Row Hammer”. Row Hammer is an industry-wide issue that has been discussed publicly since (at least) 2012.
The new research by Google shows that these types of errors can be introduced in a predictable manner. A proof-of-concept (POC) exploit that runs on the Linux operating system has been released. Successful exploitation leverages the predictability of these Row Hammer errors to modify memory of an affected device. An authenticated, local attacker with the ability to execute code on the affected system could elevate their privileges to that of a super user or “root” account. This is also known as Ring 0. Programs that run in Ring 0 can modify anything on the affected system.