Tag Archives: Cisco

Security News Bites for Week Ending August 17, 2018

Hamas Creates Fake Missile Warning App to Hack Israelis

The Times of Israel is reporting that Hamas has created and was distributing a fake Code Red rocket warning app.

The app, according to Clearsky Cyber Security, takes over the phone and persists even after the app itself is deleted, so it is effectively impossible to remove.

Once infected, the app allows the hacker to track the phone, take pictures, record sound, make calls and send messages – everything a normal user would do, except the person doing it, in this case, is a terrorist.

The message here is not just to avoid Hamas, but also to be wary of apps from untrusted sources as they may have unintended side effects.  Source: The Times of Israel.

Cisco and Others Release Patches for VPN Encryption Flaws

Cisco, Huawei, Clavister and ZyXEL network products are susceptible to an attack, according to a paper to be presented at the Usenix Security Symposium.  The attack allows an attacker to recover the encryption nonce, which in turn would allow the attacker to decrypt all VPN data.

Note this is NOT a flaw in the encryption algorithm, but rather a bug in the software that implements it.  This is why people regularly and successfully hack and steal millions in cryptocurrency – because no software is perfect.

It is interesting that Cisco is the only major player affected.

Cisco has released patches for IOS and IOS XE, but users can only get them if they pay Cisco for software maintenance, the main reason I do not recommend Cisco products.  The other vendors don’t charge users for fixes of security flaws.

For Cisco users that do not have maintenance or are running old, unsupported hardware, *IF* you have the ability to turn off rsa-encr authentication mode, that will solve the problem.  It may break other things, however.  Source: Bleeping Computer.

Oracle Releases Critical Security Patch

Oracle is urging its customers to quickly patch a critical vulnerability in their database installations which can result in a complete compromise of the database and provide shell access to the underlying server.

The attack only affects Oracle versions 11.2 and 12.2, is easy to exploit, can be exploited remotely but does require the attacker to have credentials.  The vulnerability is in the Java virtual machine.

Users running 12.1 on Windows or any version of Linux or Unix should install the July patches.  Source: Helpnet Security.

Yet Another Spectre/Meltdown Style Vulnerability Found

This is a strange security week between Oracle and Cisco.  Now we have news of yet another Spectre/Meltdown style vulnerability.  How is it that for 15 years no one found any of them and this year they have found at least 6, probably more?

This new bug affects the Intel Core and Xeon families, i.e. the chip in every PC and Mac.  It is called the L1 Terminal Fault.  This new fault affects Intel’s SGX, which is kind of like the iPhone’s secure enclave, allowing an attacker to extract information from it – not good.

To add insult to injury, while the researchers found one attack, which Intel has confirmed, Intel itself says it found two more attacks.

Now here is the bad news.  Intel says that they will have a patch which will eliminate the problem with no performance impact on end user and non-virtualized environments, but for users running in a virtualized environment, especially in the cloud, that is a different story and Intel says that you will have to take additional steps – steps that you probably cannot actually take in a shared host environment like many AWS, Azure or Google environments.  Source: Computing.Co.

Bitcoin Speculator Sues AT&T for $240 Million

The speculator is suing AT&T after they allowed a social engineer to port his phone number which he used for two factor authentication for his bitcoin transactions.

A hacker had broken into his account a few months earlier, and AT&T had set up an account PIN (this should be standard) and flagged his account as high risk.  Nonetheless, an employee allowed a hacker to port the phone number anyway, without any of that information.

Porting phone numbers to get around two factor authentication is becoming popular; I was interviewed for a TV piece recently where someone’s number was ported and their bank account emptied out in just a few minutes.

AT&T is fighting the suit saying that they are not required to follow their own security protocols and certainly not responsible for what happens if they do not.  The speculator lost $23+ million in bitcoin.

For those who are in a high risk situation, using text messages for two factor is not sufficient and, in fact, the question of why, given that his account had been hacked before, HE did not immediately change to a more secure second factor weakens his case.

Stay tuned.  Source: The Register.


Secure Software Development Lifecycle Process Still Lacking

In late 2015 Juniper announced that it had found two backdoors in the router and firewall appliances that it sells.  Backdoors are unauthorized ways to get into these systems in a way that bypasses security.  Kind of like going around to the back of the house and finding the kitchen door unlocked when no one is home.  Researchers said that there were telltale signs that this was the work of the NSA, although they would never say, of course.  If these backdoors were the work of the intelligence community, let's at least hope it was OUR intelligence community and not the CHINESE.  Whether these backdoors were intentionally installed in the software with the approval of Juniper management at the request (and possibly payment) of the NSA is something we will never know (see article in Wired here).

At the time, Cisco, Juniper’s biggest competitor, said that they were going to look through their code for backdoors too.  They claimed that they did and that they didn’t find any.

Fast forward two years and now the shoe is on the other foot.

In May, Cisco announced its FOURTH SERIES of backdoors in the last FOUR months.  Possibly their code audit from 2015 is still going on, but if so, it would have been going on for more than 30 months, which seems like a long time.

The most recent SET of bugs includes three bugs which are rated 10 out of 10 on the government’s CVSS3 severity ranking.

The first of the three is a hardcoded userid and password with administrative permissions.  What could a hacker possibly do with that?

The second provides a way to bypass authentication (AKA “we don’t need no stinkin passwords”) in a component of some Cisco software (DNA Center).

The third is another way to bypass authentication in some of Cisco’s APIs that programmers use.

In fairness to Cisco, they do have a lot of software.

But to beat Cisco up – WHAT THE HELL WERE THEY THINKING TO ALLOW HARD CODED PASSWORDS IN THE SOFTWARE IN THE FIRST PLACE?

Source: Bleeping Computer

Okay, now that I am done beating up Cisco (actually, not quite, I have one more), what lessons should you learn from this?

First (the last time today that I am going to beat Cisco up), in order for a Cisco customer, who paid a lot of money to get the equipment in the first place, to get these security patches – patches that plug holes that should never have been there in the first place – that customer has to PAY for software maintenance.  If you let the maintenance lapse, you can re-up, but Cisco charges you a penalty for letting it lapse.  For this policy alone, I refuse to recommend Cisco to anyone.

Second, if you are a Cisco user, because of this very user-unfriendly policy, you must buy software maintenance and not let it expire.  If you do, you will not be able to get any Cisco security patches.  Remember that, as one of the biggest players in the network equipment space, Cisco is constantly under attack, so the odds of bugs turning up are essentially 100%.

Third, no matter whose network equipment you use, you must stay current on patches.  These flaws were being exploited within days, and since hackers know that many Cisco customers do not pay for maintenance, those holes, which are now publicly known, will be open forever.

Only half in jest, my next recommendation would be to replace the Cisco equipment.  There are many alternatives, some even free if you have the hardware to run it on.

Okay, that handles the end user.

But there is an even bigger lesson for software developers here.

How did these FOUR sets of back doors get in the software in the first place?

Only one possible answer exists.

A poor or non-existent secure software development lifecycle program (known as an SSDL) inside the company.

AS AN END USER CUSTOMER, WHEN IT COMES TO SECURITY SOFTWARE ESPECIALLY, YOU SHOULD BE ASKING ABOUT THE VENDOR’S SECURE SOFTWARE DEVELOPMENT LIFECYCLE PROGRAM.  

IF YOU GET AN EVASIVE ANSWER, FIND A DIFFERENT VENDOR.  VOTE WITH YOUR CREDIT CARD.

As a developer or developer manager, it is your responsibility to make sure that customers don’t vote with their credit cards.

IMPLEMENT a secure software development lifecycle program.

CREATE and MONITOR security standards.

TEST for conformance with those standards.

EDUCATE the entire development team – from analysts to testers – about the CRITICALITY of the SSDL process.
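One concrete instance of "CREATE a standard, then TEST for conformance" is a check that no credential is baked into the source, which is exactly the class of defect behind the hardcoded userid and password above.  The following is an added example, not Cisco's code or tooling: it scans source text for string literals assigned to credential-looking names and for credentials embedded in URLs, and runs it against a constructed snippet showing the defect alongside the remediated form, which reads the secret from the environment at deploy time.  The regex names, the two sample snippets and the `DEVICE_ADMIN_PASSWORD` variable are all assumptions made for the example.

```python
"""Conformance check for one SSDL standard: no hard-coded credentials.

Added example, not code from any vendor.  Intended to run in CI over a
checkout; here it runs over two constructed snippets embedded below.
"""
import re
import sys

# Identifier fragments that indicate a credential is being assigned.
CREDENTIAL_NAMES = r"(?:pass(?:word|wd)?|secret|api[_-]?key|token|private[_-]?key)"

# A credential-looking name assigned a non-empty (4+ char) string literal.
ASSIGNMENT_RE = re.compile(
    r"\b(?P<name>\w*" + CREDENTIAL_NAMES + r"\w*)\s*[:=]\s*"
    r"['\"](?P<value>[^'\"]{4,})['\"]",
    re.IGNORECASE,
)
# scheme://user:password@host  -- credential embedded in a URL.
URL_CRED_RE = re.compile(
    r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:(?P<value>[^@\s]+)@", re.IGNORECASE
)


def find_hardcoded_credentials(source: str):
    """Return a list of (line_number, name, value) findings.

    Comments are deliberately NOT skipped: a credential left in a comment is
    still a leak.  Expect some false positives (e.g. a prompt string named
    password_prompt); a reviewer triages those, the standard is not loosened.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = ASSIGNMENT_RE.search(line)
        if m:
            findings.append((lineno, m.group("name"), m.group("value")))
            continue
        m = URL_CRED_RE.search(line)
        if m:
            findings.append((lineno, "url", m.group("value")))
    return findings


def conforms(source: str) -> bool:
    """True when the source meets the 'no hard-coded credentials' standard."""
    return not find_hardcoded_credentials(source)


# Constructed snippet showing the defect: credentials baked into the code.
VULNERABLE_SNIPPET = """\
# Constructed example of the defect: credentials baked into the code
ADMIN_USER = "admin"
ADMIN_PASSWORD = "S3cretBackd00r"
DB_URL = "postgres://svc:hunter2@db.internal/prod"
"""

# Constructed remediated form: the secret is injected at deploy time and
# never appears in the repository.  DEVICE_ADMIN_PASSWORD is an assumed name.
HARDENED_SNIPPET = """\
import os
ADMIN_USER = os.environ["ADMIN_USER"]
ADMIN_PASSWORD = os.environ["DEVICE_ADMIN_PASSWORD"]
DB_URL = build_url(user=os.environ["DB_USER"], password=os.environ["DB_PASSWORD"])
"""


def report(label: str, source: str) -> None:
    findings = find_hardcoded_credentials(source)
    status = "PASS" if not findings else "FAIL"
    print(f"[{status}] {label}")
    for lineno, name, value in findings:
        # Mask the value: a CI log must not become the next leak.
        print(f"  line {lineno}: {name} = {value[:2]}{'*' * (len(value) - 2)}")


if __name__ == "__main__":
    report("vulnerable snippet", VULNERABLE_SNIPPET)
    report("hardened snippet", HARDENED_SNIPPET)
    # Non-zero exit so a CI job fails when the standard is violated.
    sys.exit(0 if conforms(VULNERABLE_SNIPPET) and conforms(HARDENED_SNIPPET) else 1)
```

Wire a check like this into the pipeline as a gate, not a report: a failing scan blocks the merge, which is what "TEST for conformance" means in practice.  Real projects would pair it with entropy-based detection and a vetted allow-list for test fixtures, but the shape is the same.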

Advertisement: we can help you with this.

While Cisco is big enough to weather a storm like this, smaller companies will not be so lucky.  The brand damage could be fatal to the company and all of its employees.


What Happens When Your Firewall Loses the War and Joins the Other Side?

Cisco released an announcement that a high severity vulnerability affecting many Cisco ASA firewalls and Firepower security appliances has a proof of concept available in the wild.  This means that even amateurs can take that code, modify it a bit and successfully either force your firewall to randomly reboot or to steal credentials from that firewall.

Cisco is “recommending” that customers patch their firewalls.

The attack can be executed remotely – such as from China – and does not require the attacker to have any valid credentials.

The bug affects ASA 5500 and 5500-X firewalls, Firepower 2100, 4100 and 9300 appliances and several other models.

There are no workarounds for this flaw other than to power off your firewall and take down your Internet connection.

So what should you do?

While the advisory for this bug was updated just a couple of days ago, the patch was released several weeks ago.

Users should always keep on top of patches for equipment that they have installed.

Cisco, as just one of many vendors that customers likely use, has a security advisory page at https://tools.cisco.com/security/center/publicationListing.x .  Each vendor announces patches in a different way.

One of the benefits of buying Cisco is that you can only download patches if you have a current, valid support agreement.  If you do not subscribe to Cisco’s model for making them rich, you cannot obtain security patches.  This is different from most vendors, which distinguish between security patches and new features.

If you do not have a support contract, Cisco will be happy to sell you one.

Information for this post came from Help Net Security.


US Cyber Command Spends 90% on Offensive Cyber

Earlier this month the folks at Cisco were sent into a frenzy when Wikileaks disclosed Cisco exploits in their Vault 7 CIA tool data dump.

Wikileaks disclosed that the CIA had been hacking Cisco Internet switches for over a year to eavesdrop on users, but didn’t disclose how.  Wikileaks and a number of the tech vendors are at odds regarding revealing the details of the hacks because of conditions Wikileaks is imposing prior to giving the manufacturers the details.

Given the resources at John Chambers' disposal, Cisco reassigned teams of engineers, working around the clock for days, first trying to figure out how the CIA did it – without any help from Wikileaks.  Then they had to craft a warning to customers regarding the 300 products affected.  Finally, they had to come up with fixes, test them and get them into the distribution channel.

Due to the way the government (in the form of the NSA and CIA particularly) prioritizes cyber risk, offensive cyber is much more important than defensive cyber (more about this later).

So even though the CIA had known about these bugs for at least a year, they prioritized using the bug against their surveillance targets over protecting U.S. citizens.

This has been the argument since the creation of USCYBERCOM.  USCYBERCOM is headed by the same person as the NSA – Admiral Mike Rogers.

The problem is that the NSA’s mission is to hack into targets of interest and Cybercom’s mission is to protect the U.S.  In case of a ‘conflict of interest’, who wins?

The original idea was to help USCYBERCOM get off the ground by being able to leverage NSA’s considerable cyber expertise, but for the last year or two there have been calls to split the two (see Washington Post article here).  In fact, there were conversations about President Obama separating the two toward the end of his term.  This idea was endorsed by both Defense Secretary Ash Carter and Director of National Intelligence James Clapper.  President Obama signed a bill that bars the split until the Joint Chiefs of Staff certify that splitting would not be harmful.  We have no idea what President Trump thinks about the subject.

Laura Pfeiffer, a former senior director of the White House situation room, suggested that now that our adversaries’ cyber capabilities are catching up to ours, we ought to think about reconsidering our strategy.

According to Reuters, 90 percent of all spending on cyber across the federal government is dedicated to offensive cyber.

President Trump is proposing to spend $1.5 billion on defensive cyber inside DHS.  Compare that to $50 billion for the U.S. Intelligence budget in 2013 – about 3 percent.

Departing NSA Deputy Director Rick Ledgett confirmed that 90% figure and said that it needed to be adjusted.

In a recent NSA reorg, IAD, the division of the NSA responsible for defensive cyber, was buried inside a new operations division, meaning even less attention may be given to defense.

In early 2014 President Obama issued a directive that said that the NSA had to disclose bugs unless they have clear national security or law enforcement value, in which case they can be kept secret.  Almost any serious cyber bug could be said to have clear national security or law enforcement value.

In any case, it is possible that our adversaries were also aware of and using the Cisco bugs against us and our allies.  Such is the conflict USCYBERCOM faces every day – use the bug or disclose it?  Are we (USCYBERCOM) the only ones who know about the bug, or do our adversaries know also?

Whether we think what Wikileaks did was right or wrong, it is clear that a number of potentially serious bugs will be patched as a result.

From the CIA’s standpoint, it is possible that even if our adversaries knew about some of the same bugs the CIA knew about, our ability to exploit them, or the value in keeping the bugs in place and continuing to collect data for as long as possible, might outweigh the disadvantage that our enemies were using the same bugs against us.

This is clearly a mess and I am not confident that politicians understand the problem well enough to actually fix it, but we can hope.

Information for this post came from Reuters.

Cisco, Juniper Hardware Flaw May “Brick” Firewalls in 18-36 Months

First it was Cisco; now it is Juniper and apparently there are a number of other vendors who will be affected by this flaw.

While no one is saying who the vendor of the flawed hardware inside Cisco and Juniper products is, it is believed that it is Intel’s Atom C2000 chip.  Intel has acknowledged problems with that chip which seem to match the description that Cisco and Juniper are saying exists in their hardware.  Stay tuned.

Cisco has set aside $125 million to pay for repairs for faulty equipment.

So what, exactly, is the problem?

Juniper and Cisco are saying that there is a flaw in a hardware clock component used in their switches, routers and security devices that may cause the device to crash and die starting at about 18 months.  The device is not rebootable and not recoverable.  It is, as we geeks like to say, “bricked”.

Cisco says certain models of its series 4000 Integrated Service Routers, ASA security devices, Nexus 9000 switches and other devices are affected.

Juniper said that 13 models of switches, routers and other products are affected.

Juniper says it is not possible to fix the devices in the field.  They also said that they started using this component in January 2016, so the 18 month lifetime is rapidly approaching.  They say they are working with affected customers.

HP has announced that some of their products use the Intel C2000 and may be affected as well.  Expect more manufacturers to make announcements as they analyze their product lines.

For users, it seems that if your product is under warranty or a service contract dated as of November 16, 2016, Cisco will replace the device proactively.  They say they expect limited failures at 18 months, but a more significant failure rate as devices reach the three-year age range.

For customers that are not under warranty or a service contract, well ……… I think you may be on your own.

If you have products that use this component, you should work with your suppliers to understand the risk and figure out how to mitigate it.

Information for this post came from Network World and CIO.

Follow On To Last Week’s Posts On Patching And CERT Alert

As a follow on to last week’s posts on why patching is critical and the CERT alert on The Shadow Brokers’ release of a whole raft of firewall hacks, this week Cisco is announcing that their software is vulnerable to attack, there is no workaround and they are working on patches.  BUT, there is a silver lining.

First, the problem.  There is a bug in their implementation of the IKE key exchange protocol that is used by their VPN access routines.

Now the good news.

  • The bug affects IOS XR versions 4.3.x to 5.2.x, but releases 5.3.x and newer are not affected.
  • The bug also affects PIX firewalls version 6.x and prior, but versions 7.0 and later are not affected.
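Translating an advisory's "4.3.x to 5.2.x affected, 5.3 and newer not" into an inventory check is where shops routinely get it wrong: comparing version strings as text puts 5.10 before 5.3.  The following added example (not Cisco's tooling, and the range table is constructed from the two bullets above rather than from the full advisory) parses versions into integer tuples and checks them against half-open ranges, so a fleet list can be screened before the next advisory lands.  Version strings in the sample inventory are made up.

```python
"""Affected-version screen for a vendor advisory.

Added example, not vendor tooling.  Encodes only the two ranges summarised
above; a real run would load the full table from the advisory itself.
"""
import re


def parse_version(text: str) -> tuple:
    """'5.3.2' -> (5, 3, 2).  A non-numeric piece such as 'x' ends parsing,
    and a trailing suffix such as '0(1)' keeps its leading digits only."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def _pad(v: tuple, n: int) -> tuple:
    """Right-pad with zeros so (5, 3) compares equal to (5, 3, 0)."""
    return v + (0,) * (n - len(v))


def in_range(version: tuple, low: tuple, high_exclusive: tuple) -> bool:
    """low <= version < high_exclusive, compared component-wise as integers."""
    n = max(len(version), len(low), len(high_exclusive))
    return _pad(low, n) <= _pad(version, n) < _pad(high_exclusive, n)


# platform -> list of (first affected, first fixed) half-open ranges.
# Constructed from the advisory summary above: IOS XR 4.3.x..5.2.x affected,
# 5.3 fixed; PIX 6.x and earlier affected, 7.0 fixed.
AFFECTED = {
    "IOS XR": [((4, 3), (5, 3))],
    "PIX": [((0,), (7, 0))],
}


def is_affected(platform: str, version_text: str) -> bool:
    """True when the platform/version pair falls in an affected range."""
    v = parse_version(version_text)
    return any(in_range(v, lo, hi) for lo, hi in AFFECTED.get(platform, []))


def screen(inventory):
    """inventory: iterable of (hostname, platform, version).
    Returns the subset that needs a patch or replacement, in input order."""
    return [entry for entry in inventory if is_affected(entry[1], entry[2])]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("edge-rtr-1", "IOS XR", "4.3.2"),
    ("edge-rtr-2", "IOS XR", "5.2.4"),
    ("core-rtr-1", "IOS XR", "5.3.0"),
    ("core-rtr-2", "IOS XR", "5.10.1"),   # text compare would call this affected
    ("old-fw-1", "PIX", "6.3"),
    ("old-fw-2", "PIX", "7.0(1)"),
]

if __name__ == "__main__":
    for host, platform, version in screen(SAMPLE_INVENTORY):
        print(f"PATCH/REPLACE: {host} ({platform} {version})")
```

Note that PIX 6.x is flagged even though no patch is coming: end-of-life software that lands in an affected range is a replacement item, not a patching item, which is the second point the post makes.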

IOS XR 5.3 was released last January.

Cisco PIX has reached end of life status and is not supported anymore.

So first, we are already seeing fallout from the Shadow Broker release and Cisco, at least, is starting to issue patches.

Second, if you are being good about patches and not running obsolete software, at least in this case, you would not be vulnerable to this particular exploit.

This just reinforces my comment from last week to be religious about patching.  It is critical.

Information for this post came from Network World.

For a complete list of all software affected, read the Cisco announcement here.
