With cyber threats escalating, security has emerged as a critical business driver and competitive differentiator. Organizations that successfully embed security throughout their network infrastructure, policies, processes, and culture are able to reduce risk while creating sustainable business advantage.
At CiscoLive Berlin this year, we will examine how Cisco is building foundational security into the underlying architecture of our solutions as well as throughout our business operations to enhance the security of our products, our customers, and our company.
Tags: cisco live, Cisco Live Berlin, Cisco Live Europe, Cisco Security and Trust Organization, security and trust
On January 20, 2016, a new Linux Kernel zero-day vulnerability (CVE-2016-0728) was disclosed by Perception Point. The vulnerability has the potential to allow attackers to gain root on affected devices by running a malicious Android or Linux application.
Our investigation is ongoing; however, at this time we have not identified any Cisco products as exploitable. Should this change, we will publish a Security Advisory on the Cisco Security Portal.
Tags: Cisco, CVE-2016-0728, security
Data Privacy Day is January 28, and this year’s theme examines issues around respecting privacy, protecting data and enabling trust. Today more than ever, any global company is a digitized company, which means that every company is grappling with challenges around privacy, security and trust. As a result, these challenges are no longer an IT-only responsibility and now must be addressed by everyone: vendor, customer, partner, board member and end-user alike.
While many security and privacy trends facing global companies today may appear to start out as local, some quickly become global. As many industry observers know, a significant number of these trends are starting in Europe.
For example, the Global Data Protection Regulation announced in October 2015 is one of the biggest legal developments in data privacy and security in the past 20 years. While the law still has to go through the parliamentary process in Europe, it is expected to be a game changer for how privacy is protected legally worldwide. This law is introducing new notions about how both citizens think about their data and how companies are obligated to protect it.
Tags: Cisco Security and Trust Organization, Data Privacy, data privacy day
This post was authored by Aleksandar Nikolic, Warren Mercer, and Jaeson Schultz.
MiniUPnP is commonly used to let two devices that sit behind NAT firewalls communicate with each other by opening connections through each firewall, a technique commonly known as “hole punching”. Implementations of this technique allow peer-to-peer applications such as Tor and cryptocurrency miners and wallets to operate on the network.
In 2015 Talos identified and reported a buffer overflow vulnerability in the client-side code of the popular MiniUPnP library. The vulnerability was promptly fixed by the vendor and was assigned TALOS-CAN-0035 as well as CVE-2015-6031. Martin Zeiser and Aleksandar Nikolic subsequently gave a talk at PacSec 2015 (“Universal Pwn n Play”) about the client-side attack surface of UPnP, and this vulnerability was part of it.
Talos has developed a working exploit against the Bitcoin-qt wallet, which uses this library. The exploit includes a Stack Smashing Protection (SSP) bypass, the details of which we will discuss here.
The vulnerability lies in the XML parser code of the MiniUPnP library in the IGDstartelt function:
Vulnerable XML parser code of the MiniUPnP library
IGDdatas struct definition
Tags: miniupnp, Talos, Threat Research, Vulnerability Research
When dealing with TLS connections, it is important to understand how a client (in most cases a web browser) behaves. Let’s quickly walk through some of the steps that happen when a TLS connection is made.
During the TLS handshake, a web server sends its certificate to the requesting client. Usually this is not a single certificate but a complete chain of certificates.
The chain consists of the server certificate, in many cases an intermediate CA certificate, and finally a root CA certificate.
In your browser’s certificate viewer, the chain looks like this:
Tags: certificates, cryptography, TLS