Cisco Blogs



NCSAM Tip #4: The Hidden Data in JPG Photos

Digital photography has certainly brought considerable joy into the lives of millions of people around the world, but there are also security implications, and they may be somewhat different from what many people believe. Many images, including JPGs, can contain metadata: data about the data in the image. To illustrate, I took a picture of the Ike cutout in front of my cube.

[Image: ike]

Seems harmless enough, but let’s take a look at the EXIF data in this image.

I used http://regex.info/exif.cgi, but there are other sites and apps that will let you view and/or manipulate EXIF data. Per regex.info, here is some of the EXIF data:

Basic Image Information

Description: SAMSUNG
Camera: Samsung GT-I9000
Lens: 3.5 mm (Max aperture f/2.6)
Exposure: Auto exposure, Program AE, 1/13 sec, f/2.6, ISO 100
Flash: Off, Did not fire
Date: September 15, 2011 9:26:08AM
Location: 37° 24′ 30″N, 121° 55′ 39″W
Altitude: 0 m
Timezone guess from earthtools.org: 8 hours behind GMT
File: 1,920 × 2,560 JPEG (4.9 megapixels)
1,542,855 bytes (1.5 megabytes) Image compression: 90%

Look, it put me correctly in Building 17.


Top of Mind: Problems with SSL, solved with DNSSEC?

Lately we have seen various attacks against the SSL/TLS deployments in use around the world. The attacks have not been technical per se, but instead use weaknesses in the procedures that are used to get a certificate. Let's first look at how trust is built up using SSL.


Announcing the SCTE IP Challenge

By Daniel Howard, CTO and SVP, Engineering of SCTE

As you know, the Society of Cable Telecommunications Engineers (SCTE) continues to strive to provide new and unique ways to both train and challenge the cable workforce and our members. Through our Chapters, we have been holding a very successful Olympic-style challenge for field-level employees that includes both hands-on skill assessments and knowledge-based contests, and this continues to be a big hit with our members and the industry. But one thing I kept hearing in meetings with cable executives, managers and at SCTE chapters was the need for SCTE to provide resources and involvement opportunities for the IP engineers and computer scientists in our workforce who manage an increasingly larger portion of the overall network.

I’m therefore proud and excited to announce the new SCTE IP Challenge that we developed in partnership with Cisco as a response to this need. This new interactive event was created to drive awareness of the importance of foundational IP knowledge among the cable workforce, and it is designed to promote the benefits of IP expertise in the cable industry, as well as leverage thought leadership around IPv6 in particular.


NCSAM Tip #3: What You Should Consider to be a Secure Password

Passwords are the prevalent means of authentication. Even though there have been many complementary authentication mechanisms and schemes, passwords are used almost everywhere that a user wants to prove that he knows a secret that only he is supposed to know. On the other hand, if someone else can guess that password, along with the username (often easy to find), then he could pretend he is the user and do all sorts of things on his behalf. We have seen multiple examples of corporate executives having their personal email accounts hijacked. We have seen celebrities having their Twitter accounts stolen and used to post things they would never post themselves. We have also seen studies showing that a vast majority of users still use standard, easy-to-guess passwords.

It is common knowledge that passwords need to be hard to guess; that is a requirement. Andy Balinsky’s post describes some guidelines for choosing numeric passwords (that is, for handheld devices). In the same context, David McGrew’s post provides a script that can generate random keys that can be used for pre-shared key authentication. Electronic user passwords are a little different because they involve letters and depend completely on the user (system checks are usually also employed). Users need to be able to choose and remember them in order to use them when needed. But the “hard to guess” and the “easy to remember” requirements don’t go well together, and that is the basic challenge.


Will ‘good enough’ be enough? Take 2

I recently read an article about a “good enough” network. I know this has come up in the past, but this time it was in a much different context. Some people might believe that a “good enough” network is enough when you are moving data and web servers, but what about when it becomes the lifeline for the power grid?
