This blog post was authored by Troy Fridley and Omar Santos of Cisco PSIRT.
On March 9, 2015, the Project Zero team at Google revealed findings from new research related to the known issue in the DDR3 memory specification referred to as “Row Hammer”. Row Hammer is an industry-wide issue that has been discussed publicly since (at least) 2012.
The new research by Google shows that these types of errors can be introduced in a predictable manner. A proof-of-concept (POC) exploit that runs on the Linux operating system has been released. Successful exploitation leverages the predictability of these Row Hammer errors to modify memory of an affected device. An authenticated, local attacker with the ability to execute code on the affected system could elevate their privileges to that of a super user or “root” account. This is also known as Ring 0. Programs that run in Ring 0 can modify anything on the affected system.
Tags: cybersecurity, DRAM, Exploit, psirt, row hammer, rowhammer, security
In February, Cisco Managed Threat Defense (MTD) security investigators detected a rash of Dridex credential-stealing malware delivered via Microsoft Office macros. It’s effective, and the lures appear targeted at those responsible for handling purchase orders and invoices. Here’s a breakdown of the types of emails we’ve observed phishing employees and inserting trojans into user devices.
Subjects captured from Dridex campaign in February 2015
Tags: botnet, Dridex, malware, Managed Threat Defense, security, trojan
In the first of a two-part blog series, The Seven Deadly Sins of User Access Controls, my colleague Jean Gordon Kocienda provided fresh insights into overly-permissive user access controls as a common underlying cause of data breaches. In this blog, I address the solutions to those “Seven Deadly Sins” with a modern twist on the antiquity typically known as the “Seven Wonders.”
Information Security professionals need to address user access control in the context of today’s complex threats, coupled with a fast changing IT landscape. Long gone are the days of only a few with a need to know and key corporate assets being housed behind the enterprise perimeter. We have shifted to an agile, data-centric environment with increasing user populations who may also be third-party suppliers or contractors needing fast access to assets that were previously off limits. And, it’s not just massive volumes of data that need protecting; it’s access to critical work streams and transactions too.
Tags: access control, automation, mindfulness, security, training
On March 2 at Mobile World Congress, Robert Franks, Managing Director, Digital Commerce at Telefónica UK and Cisco’s Kelly Ahuja, SVP, Service Provider Business, Products & Solutions, had a standing-room only crowd as part of the “Personalizing the Consumer Experience” keynote.
During their session, they emphasized how they could understand the consumer as a digital stream of information, not simply isolated pieces of information. That stream of information, combined with in-person location details, can help both service providers and enterprises improve the experience for their consumer customers. Both Kelly and Robert recognized that the data has always been available, but it wasn’t easily accessible. Now Telefónica and Cisco are working together to find ways to use that information to provide a better experience for consumers.
Kelly summarized it well by stating that “personalization is going to be the key to determine the consumer experience.” Audience members agreed with what was said in real-time tweets.
Both Robert and Kelly discussed
Tags: mobile world congress, mwc, privacy, security, Service Provider, wi-fi, wireless
2014 was a terrible year for corporate data breaches. If there is to be any silver lining, information security professionals must draw lessons from the carnage. A good place to start is to identify common denominators.
Several of the most damaging incidents started with phishing emails into office (or contractor) networks. Social engineering has gotten so sophisticated and targeted, we can hardly blame the employees (sometimes high-level executives) for clicking on legitimate-looking links. Once an attacker establishes his credentials as the compromised employee, he potentially can gain access to whatever that employee uses. One attacker got in through a corporate software development network that was not sufficiently segregated from other critical networks. In other cases, disgruntled employees with access to valuable customer data were involved.
Clearly, employee access controls are critical. If we can improve these systems, we will go a long way toward securing our networks. This is not as easy as it sounds, however. When information security teams restrict access or revoke privileges, they get pushback. They become obstructionists, bad cops, bureaucrats. To be fair, we really do run the risk of strangling teamwork, erecting stovepipes, and throttling collaboration. How do we construct robust user access controls without being the bad guys?
Tags: access control, data breaches, phishing, security, social engineering