Cisco and Telenor Group Extend Partnership To Collaborate on Cloud, Security and Open vRAN for 5G

Barcelona – Mobile World Congress – February 27, 2019 – Cisco CEO Chuck Robbins and Telenor Group CEO Sigve Brekke met today to further strengthen the companies’ strategic collaboration by signing a Joint Purpose Agreement 2.0.

Together, Cisco and Telenor Group will expand their joint innovation across cybersecurity, cloud and the digital workplace, and will explore Open Virtualized RAN (vRAN) solutions for 5G.

“Cisco is focused on innovating to help our customers evolve their networks to be more flexible and programmable as we look to 5G, and the billions of connections this new era will make possible. Telenor Group shares our vision for the digital future, and we look forward to continuing to deliver on our mutual commitments to benefit both of our customers,” said Chuck Robbins, Chairman and CEO, Cisco.

“We’re in the midst of modernising Telenor, preparing both ourselves and our customers for continued digitalisation. Doing so, we’re happy to further enhance our collaboration with a key technology partner such as Cisco for solutions within cybersecurity, cloud and open vRAN for 5G. We’re already working closely together on a number of innovative projects and are looking forward to a deeper engagement on some of the areas that matter most to our customers: fast, reliable, efficient and secure connectivity,” said Sigve Brekke, President & CEO of Telenor Group.

The collaboration will be governed by a committee chaired by Ruza Sabanovic, Chief Technology Officer in Telenor Group and Jonathan Davidson, Senior Vice President and General Manager, Service Provider Business, Cisco, with the aim of ensuring structured deliveries for the shared goals.

In early 2018, Cisco and Telenor Group initiated the strategic partnership to support digital transformation and have since collaborated on enhancing connected experiences for Telenor customers with improved data analysis, IoT, Smart City, and security solutions.

###

About Cisco

Cisco (NASDAQ: CSCO) is the worldwide technology leader that has been making the Internet work since 1984. Our people, products, and partners help society securely connect and seize tomorrow’s digital opportunity today. Discover more at newsroom.cisco.com and follow us on Twitter at @Cisco. RSS Feed for Cisco: http://newsroom.cisco.com/rss-feeds

About Telenor Group 

Telenor Group connects its 174 million customers to what matters most. Connecting the world has been Telenor’s domain for more than 160 years and we currently operate across Scandinavia and Asia. We are committed to responsible business conduct and driven by the ambition of empowering societies.

Getting Control of Security Controls

The effective deployment of technology depends on a business-level understanding of the organization. Technology on its own solves very few problems. However, when it is part of a comprehensive protection strategy, and is truly integrated, operationalized, and measured, it can deliver a positive return on investment. Historically, security controls provide a cautionary example.

Whether you insource, outsource, or have blended security operations, it doesn’t change the critical fact that control management, to be seen positively by business leadership, has to answer the following:

  1. How much protection did we actually achieve?
  2. Is this level reasonable?
  3. Did we get this at a reasonable cost?

Rather than having a comprehensive business plan for every aspect of a security control (goals and strategy; design, operational, and business plans; measurement and reporting), too many organizations think of each control as a technology first, a firewall or vulnerability scanner, for example. As a result, control management is seen as tactical rather than strategic, and the resulting misalignment leads to a host of other problems.

Having spent time on the vendor side, we are partially guilty of creating this ‘technology first’ dogma because we sold technologies as ‘solutions’. As we learned from repeated cases, customers usually had a challenging time achieving strong value from these technology ‘solutions’.

Seen as tactical technology first, sometimes even as “check-the-box” initiatives, security controls are often in the hands of security managers with technical backgrounds. It is therefore not surprising that controls overemphasize technical security resources and tasks to the detriment of classic business management and integration capabilities.

Some controls are under-invested, others over-invested, and some don’t exist at all. Worse still, there is insufficient integration between the controls, which fails to provide a unified ecosystem of protection across the entire environment.

This imbalance dramatically impacts the overall performance of security controls – both in terms of protection results and cost-effectiveness. These realities can expose the organization to greater risk than expected and overall poor investment performance. Furthermore, this reinforces the businesses’ perception that security is a poor place for investment.

To explore this problem a little further, let’s dissect a security control into three dimensions:

  1. Security resources (e.g. people/skills, technology, partners/vendors) – the bulk of investment
  2. The day-to-day operations of ‘doing security’ (leveraging resources to achieve objectives, and integrating into a protection ecosystem)
  3. The background handling of business and political challenges, via management of goals and strategy, design, operational, and business plans, measurement, and reporting

Unfortunately, many organizations have these dimensions wildly out of balance, typically focusing on the security resources and attempting to extract something useful from them via the day-to-day operations. The translation into business terminology, and into business-related metrics and reporting, is often a challenge and takes a back seat until it is too late. This is why we so often see the CISO become the ‘fall guy’.

To greatly increase the chances of success, these dimensions should be equally balanced, with an initial focus on strategy and business case, then calibrating and scaling the program’s people and technology while rolling out and optimizing the day-to-day security operations.

This imbalance is why you often hear that ‘security is a journey and not a destination’. You need to establish a destination, then go on your journey to achieve it. The greater the level of protection, the greater the cost.

Unfortunately, control shortcomings are often exposed as ‘immaturity’ during a proactive assessment or, far worse, during the investigation following a breach. It is not about a level of maturity against one’s peers or a popular security framework; security controls are fundamentally meant to be a conversion of investment into protection.

Understanding the implementation, integration, and at what level those controls can protect the most critical business assets is paramount.

A focus on technology first, or an imbalanced control implementation, doesn’t necessarily lead to greater protection – and certainly not cost-effectively. Rather than defense in depth, as has been a common moniker for two decades now, we see expense in depth and an inability of the business to truly gain confident and cost-effective control of their security risk with their security controls, and control ecosystems.

CentOS 6 and Red Hat Enterprise Linux 6 Get Important Kernel Security Update

An important kernel security update has been released for the CentOS 6 and Red Hat Enterprise Linux 6 operating system series to address a recently discovered vulnerability and other bugs.

Marked by the Red Hat Product Security team as having an “Important” security impact, the new kernel security update contains a fix for a race condition vulnerability affecting the raw MIDI kernel driver that could lead to a double-free or double realloc, as well as a fix for a bug that caused apps compiled with GCC 4.4.7 to trigger a segmentation fault.

This kernel update removes a 64k limit check in the page fault handler for applications compiled with GNU Compiler Collection (GCC) version 4.4.7, ensuring that these applications run without triggering a segmentation fault. Red Hat noted that removing the limit check has no impact on the integrity of the kernel itself.

“It was found that the raw midi kernel driver does not protect against concurrent access which leads to a double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status() which are part of snd_rawmidi_ioctl() handler in rawmidi.c file. A malicious local attacker could possibly use this for privilege escalation,” reads CVE-2018-10902.

Red Hat Enterprise Linux 6 and CentOS 6 users must update their systems

Users are urged to update their installations to the new kernel versions for their respective systems as soon as possible. The kernel-2.6.32-754.11.1.el6 update is available for all supported architectures, including 32-bit (i386), 64-bit (x86_64), s390x, and PPC64 (PowerPC 64-bit) for both CentOS 6 and Red Hat Enterprise Linux 6 machines, and can be installed through the official repositories.

Affected systems include Red Hat Enterprise Linux Server 6, Red Hat Enterprise Linux Workstation 6, Red Hat Enterprise Linux Desktop 6, Red Hat Enterprise Linux for IBM z Systems 6, Red Hat Enterprise Linux for Power, big endian 6, Red Hat Enterprise Linux for Scientific Computing 6, and CentOS Linux 6.
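A quick way to tell whether a CentOS 6 or RHEL 6 host is still on a kernel older than the fixed build named above. This is an added example, not tooling from Red Hat or CentOS; it assumes el6 kernel release strings are purely numeric (which they are), so a simplified numeric comparison stands in for rpm’s full version comparison.

```python
import os
import re

# Kernel build named in the advisory as carrying the fix for CVE-2018-10902
FIXED_KERNEL = "2.6.32-754.11.1.el6"

# version-release.el6[.arch], e.g. "2.6.32-754.10.1.el6.x86_64" as printed by `uname -r`
_EL6_KERNEL_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+(?:\.\d+)*)\.el6(?:\.\w+)?$")


def parse_el6_kernel(release: str):
    """Turn '2.6.32-754.10.1.el6.x86_64' into ((2, 6, 32), (754, 10, 1)).

    Only the numeric version and release components are compared; the dist tag
    and the architecture suffix that `uname -r` appends are ignored. This is a
    simplification of rpm's version comparison (assumption), adequate for el6
    kernel NVRs because every component is an integer.
    """
    m = _EL6_KERNEL_RE.match(release.strip())
    if not m:
        raise ValueError(f"not an el6 kernel release string: {release!r}")
    version = tuple(int(p) for p in m.group(1).split("."))
    build = tuple(int(p) for p in m.group(2).split("."))
    return version, build


def needs_update(running: str, fixed: str = FIXED_KERNEL) -> bool:
    """True when the running kernel predates the fixed build.

    Tuple comparison handles shorter release strings such as '696' correctly:
    (696,) sorts before (754, 11, 1), so older base kernels are flagged too.
    """
    return parse_el6_kernel(running) < parse_el6_kernel(fixed)


def check_this_host() -> str:
    """Report on the kernel this script is running under (el6 hosts only)."""
    release = os.uname().release
    try:
        outdated = needs_update(release)
    except ValueError:
        return f"{release}: not an el6 kernel, this advisory does not apply"
    state = "UPDATE REQUIRED" if outdated else "at or above the fixed build"
    return f"{release}: {state}"


if __name__ == "__main__":
    print(check_this_host())
```

Note that the check only reads the running kernel; a host that has installed the new package but not rebooted is still reported as outdated, which is the state that matters.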

4G and 5G protocols prone to privacy attacks, new study reveals

  • The issue existed in the cellular paging (broadcast) protocol in the latest generation of mobile communications.
  • An exploit called ToRPEDO was revealed by the researchers to target 4G and 5G-enabled devices.

A new research study has uncovered serious privacy risks associated with 4G as well as the latest 5G protocols. The researchers discovered that attackers could break into devices running on these protocols to conduct denial-of-service attacks.

The study, which was done by scholars from Purdue University and the University of Iowa, analyzed cellular paging in 4G and 5G devices.

Worth Noting

  • Paging protocol balances the device’s energy consumption for different processes (for example, phone calls) running in the device.
  • Attackers can inject malicious paging messages into this protocol to perpetrate denial-of-service attacks.
  • Information such as device location, phone number, Twitter handles etc., could be compromised in 4G and 5G devices.
  • ToRPEDO, short for Tracking via Paging Message Distribution, is the method proposed by the researchers to exploit the privacy weakness.
  • IMSI-Cracking and PIERCER were the other two methods devised in the study.

Why it matters

  • The development of 5G — the soon-to-be norm for mobile network protocols — will vastly be affected by this privacy issue.
  • Identities of 4G and 5G phone users could be exposed.
  • Sensitive information such as payment data of users could also be at risk.

The bottom line – Though the paper details loopholes in the telecommunication protocols, it also delineates the limitations associated with their attack methods.

“For ToRPEDO to be successful, an attacker needs to have a sniffer in the same cellular area as the victim. If the number of possible locations that the victim can be in is large, the expense of installing sniffers (i.e., $200 each) could be an impediment to carrying out a successful attack.”

Similarly, PIERCER would require a separate base station for the attack to be successful. The IMSI-Cracking attack only works when the victim does not realize that notifications are deactivated as part of the attack. In fact, this method was checked for 4G devices only and is not validated on 5G Networks.

The 25 Passwords Leaked Online in 2018

SkOUT Secure Intelligence has released the top 25 passwords that were leaked online in 2018.

The top 25 included perennial favorites such as ‘123456’ and ‘password’ at number one and two respectively, as the most common. These were followed by ‘123456789’, ‘12345678’ and ‘12345’, rounding out the top five. The list also included other obvious passwords such as ‘admin’ and ‘qwerty’. New entrants to the top 25 include ‘princess’ and ‘donald’, which SkOUT says is a reference to President Donald Trump.

The 25 most commonly used passwords of 2018

  1. 123456 (Unchanged)
  2. password (Unchanged)
  3. 123456789 (Up 3)
  4. 12345678 (Down 1)
  5. 12345 (Unchanged)
  6. 111111 (New)
  7. 1234567 (Up 1)
  8. sunshine (New)
  9. qwerty (Down 5)
  10. iloveyou (Unchanged)
  11. princess (New)
  12. admin (Down 1)
  13. welcome (Down 1)
  14. 666666 (New)
  15. abc123 (Unchanged)
  16. football (Down 7)
  17. 123123 (Unchanged)
  18. monkey (Down 5)
  19. 654321 (New)
  20. !@#$%^&* (New)
  21. charlie (New)
  22. aa123456 (New)
  23. donald (New)
  24. password1 (New)
  25. qwerty123 (New)

“A good password is the first line of defence between your data and an attacker, so it is vitally important that you make password security a priority in your personal and business life,” said SkOUT chief technology officer Jessvin Thomas. “If you are guilty of reusing, rotating, or using notoriously weak passwords, you are making yourself or your business an easy target for attackers.”

Cisco Network Assurance Engine (NAE) contains password vulnerability

A default password vulnerability in Network Assurance Engine (NAE) could allow an unauthenticated, local attacker to gain unauthorized access or cause a Denial of Service (DoS) condition on the server.

A flaw in NAE’s password management system can be exploited by authenticating with the default administrator password via the CLI of an affected server. Version 3.0.(1) is vulnerable to the flaw, according to a Feb. 12 security advisory.

Cisco has released an update to address the vulnerability and offers a workaround: users can change the default administrator password from the CLI by setting a new password with the passwd command.

Those wishing to use the workaround are instructed to contact Cisco Technical Assistance Center (TAC) so the default password can be entered securely over a remote support session.

Computers vulnerable to attack through USB ports, report

University of Cambridge and Rice University researchers have created a platform that allows cyberattacks to be conducted via a variety of computer peripherals through the USB-C port.

The platform, called Thunderclap, is an open-source platform created to study the security of computer peripherals and their interactions with operating systems in computers with Thunderbolt ports, reported Scientific Daily. Computers running Windows, macOS, Linux and FreeBSD were all found vulnerable through their USB-C port.

The specific vulnerability derives from the fact that peripherals have direct memory access (DMA) to the unit they are connected to, which allows them to bypass the operating system’s security policies. While such attacks are not new, and systems feature input-output memory management units (IOMMUs) to protect against them, these are often turned off and can be bypassed, Scientific Daily reported.

In addition, Thunderbolt 3, which combines power input, video output and peripheral-device DMA in the same port, has greatly increased the threat from malicious devices. The researchers believe vendors need to do more to fix these issues, and consumers also have to do their part by ensuring their devices are fully patched.

Chips may be inherently vulnerable to Spectre and Meltdown attacks

Most malware exploits coding errors and poor design. But Google security researchers say a fundamental flaw in the nature of computing could make some threats impossible to defeat.

Malicious software represents an ongoing threat to modern life, attacking everything from databases and cameras to e-commerce, power stations, and hospitals. In its more insidious forms, malware can steal sensitive information without anyone knowing a leak has taken place.

The fight against these attacks rests on an important assumption: that suitably powerful and well-designed software can guarantee the security of any information. Indeed, vast cybersecurity businesses are based on this idea.

But today, Ross McIlroy and colleagues at Google say this assumption is dangerously wrong. Their work focuses on a new generation of malicious attacks that have forced them to reconsider the nature of cybersecurity and how it works.

The new attacks, known as Spectre and Meltdown, have been studied since early 2018. But their broader significance is only now becoming clear.

Google’s shocking discovery is that they exploit a foundational flaw in the way information processors work. And because of this, security experts may never be able to protect these devices—even in principle.

The Google team say the threat affects all chipmakers, including Intel, ARM, AMD, MIPS, IBM, and Oracle. “This class of flaws are deeper and more widely distributed than perhaps any security flaw in history, affecting billions of CPUs in production across all device classes,” say McIlroy and co.

In the past, malware has tended to exploit poorly designed code and the errors it contains. These errors provide malicious actors with ways to disrupt calculations or access confidential information. So an important approach is to fix these errors with software patches before they can be exploited.

But when the flaw is in the foundations of computer design, software patches offer meager protection. The challenge is that the very nature of computation allows information to leak via mechanisms called side channels.

One example of a side channel is the blinking lights on a modem, router or even a PC. Various security researchers have pointed out that the flashing is correlated with data transfer and that a malicious actor can simply watch the flashes to eavesdrop. Indeed, security researchers have demonstrated similar attacks with a bewildering array of side channels, including energy consumption, microphones, and high-resolution cameras.

The new threat is more insidious because it exists at the interface between hardware and software, known as the machine architecture. At this level, a processor treats all programming languages in the same way. It executes commands one after the other without regard for which program requested them.

Computer scientists have always assumed that these commands can be separated in a way that guarantees confidentiality. The thinking is that some suitably advanced software ought to be able to marshal the commands in a way that keeps them separated.

But the Google team’s key result is to show that this assumption is wrong. A processor cannot tell the difference between a good command and a malicious one—even in principle. So if a command tells it to send information to an area of the memory that can be easily accessed later, the machine obeys.

It’s easy to imagine that this can be prevented with software that separates good commands from bad ones. But the Google team show that this just adds another layer of complexity to the challenge, along with a new set of potential side channels.

To show the ubiquity of threat, the Google team constructed a “universal read gadget.” This is the ultimate eavesdropper—a routine that can read all addressable memory in a processor, unknown to the user.

It is by no means a perfect piece of software. It sometimes operates probabilistically and so can fail. But there is no way to prevent it from working when it does.

McIlroy and co created four variants of this gadget. “We developed proofs of concept in C++, JavaScript, and WebAssembly for all the reported vulnerabilities,” say the team. They found that these read gadgets leaked information at rates of up to 2.5 kilobytes per second.

Variant 4 of the universal read gadget is particularly worrying. McIlroy and co say they were unable to find an effective way to combat it or reduce its threat. “We do not believe that variant 4 can be effectively mitigated in software,” they say.

The team’s attempts to combat these attacks had a significant impact on computing performance. For example, one form of mitigation for the first variant of the universal read gadget led to a 2.8X slowdown, as measured by a Java benchmarking program called Octane.

During the last year, Intel has redesigned its chips in attempt to mitigate the most serious threats from Spectre and Meltdown attacks. But this has reportedly come at the cost of a performance drop of up to 14%. And the modifications are unlikely to be fail-safe.

One reason for Google’s concern is the threat to e-commerce. It’s not hard to imagine an attack that reveals the cryptographic keys used to secure transactions, thereby allowing large-scale theft.

So the company has already shipped versions of Chrome with the first lines of defense. Releases 64 to 67 prevent attacks in the browser via JavaScript.

But the threat goes much deeper. Many of the problems come about because of the complex architecture of devices based on intellectual property that is carefully guarded.

This complexity is itself part of the problem. The designs are based on abstract models that have become more complex as manufacturers have pursued the goal of faster computation. McIlroy and co show that these abstract models always have side channels that exist outside the model. “We have discovered that untrusted code can construct a universal read gadget to read all memory in the same address space through side-channels,” they say. “This puts arbitrary in-memory data at risk, even data ‘at rest’ that is not currently involved in computations and was previously considered safe from side-channel attacks.”

There is a little good news, however. So far there are no known attacks that exploit Spectre or Meltdown. For the moment, the threat is confined to the labs of cybersecurity researchers like McIlroy and his colleagues.

But that provides little comfort to chip makers and security experts. It is not hard to imagine that malicious actors—including state-sponsored teams—might be developing ways to exploit this vulnerability. This is a problem, as McIlroy and co say, that “seems destined to haunt us for a long time.”

DNC issues cybersecurity guidance for 2020 election

Stung by Russian hackers intent on swaying the 2016 presidential election, the Democratic National Committee (DNC) has put considerable resources into shoring up cybersecurity and on Friday released a checklist meant to secure campaign and candidate devices.

“The checklist is exactly that: a list of steps you can complete and then check off,” DNC CSO Bob Lord said in a blog post. “The goal is to print it out, and run through it line by line.”

The guidance covers encryption, passwords, PINs, two-factor authentication, email safeguards and the importance of security updates. “If you are working in a political party or on a campaign, and you have a personal Gmail account, please enroll in Google’s Advanced Protection program,” the DNC advised, explaining the program “uses a physical key to log you into your Gmail account, and dramatically reduces the risk of getting phished.”

The advisory touches on other protections beyond the checklist, such as Facebook privacy settings, secure chat, setting up security questions and reducing the attack surface by using a Chromebook or iPad.

Malvertising attacks using polyglot images spotted in the wild

The malvertising space may be seeing an influx of more advanced threat actors, according to one research report that found polyglot images now being used to disguise malvertising attacks.

Polyglot images, which differ from their near cousins steganographic images primarily by not needing an external script to extract the payload, have been spotted in the wild, said researchers at Devcon. The researchers noted that using polyglot images is not a new method of attack. Similar JS/GIF polyglots have been shown in proof of concept tests to work around a server’s Content Security Policy to execute XSS attacks.

“This may indicate that more advanced groups are now moving into the ad fraud space to exploit users,” the report said.

In the incidents spotted by Devcon, the malicious actors used .bmp images as camouflage, manipulating the image’s size field and hexadecimal characters so that the system accepts the file as a benign image.

“The attacker here has changed the size of the image bytes so that they happen to also be the character codes for /**. This combination of characters creates a JavaScript comment. JavaScript comments are used to make the JavaScript Interpreter ignore everything in-between these characters, i.e. /* ignore me */,” the report said.

After the “ignore me” comment the attacker adds the characters = and `, effectively turning the .bmp file into a JavaScript variable. This allows the file to be used in the browser in two different ways: `<img src="polyglot.jpg"/>` shows the user an image and ignores the JavaScript, while `<script src="polyglot.jpg"></script>` executes valid JavaScript and ignores the image data. Also included in the JavaScript is a highly obfuscated decoder script that loads a cloudfront URL into the browser, redirecting the victim off the page. Once away from their destination, a series of further redirects takes place until the user lands on a spin-the-wheel-type game offering the hope of winning a gift card.
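A defender-side check for the structure described above: it inspects a .bmp for the traits that make it double as JavaScript (a size field that spells “/*”, and a later “*/” followed by “=`”) and reports them, alongside the weaker hint of a size field that no longer matches the real file length. This is an added example, not Devcon’s tooling; the two sample blobs are constructed inline and are BMP-shaped stand-ins, not real images.

```python
import struct

BMP_MAGIC = b"BM"
FILE_HEADER_LEN = 14  # BITMAPFILEHEADER: magic(2) + file size(4) + reserved(4) + pixel offset(4)


def bmp_polyglot_indicators(data: bytes) -> dict:
    """Report the traits that let a .bmp also parse as JavaScript.

    The write-up describes two requirements: the 4-byte file-size field starts
    with 0x2F 0x2A ("/*"), so a JS engine treats everything after the "BM" magic
    as a comment; and a later "*/" is immediately followed by "=`", turning the
    rest of the file into a template literal assigned to the identifier BM.
    A declared size that differs from the real length is reported separately as
    a weaker hint, since benign writers occasionally get that field wrong too.
    """
    ind = {
        "is_bmp": False,
        "size_field_opens_js_comment": False,
        "comment_close_then_assignment": False,
        "declared_size_mismatch": False,
    }
    if len(data) < FILE_HEADER_LEN or data[:2] != BMP_MAGIC:
        return ind
    ind["is_bmp"] = True

    size_field = data[2:6]
    declared_size = struct.unpack("<I", size_field)[0]
    ind["size_field_opens_js_comment"] = size_field.startswith(b"/*")
    ind["declared_size_mismatch"] = declared_size != len(data)

    close = data.find(b"*/", 6)  # search after the size field itself
    if close != -1:
        # JS tolerates whitespace between the comment close and the "=", so strip it
        after = data[close + 2:close + 16].lstrip()
        ind["comment_close_then_assignment"] = after.startswith(b"=`")
    return ind


def is_suspected_polyglot(data: bytes) -> bool:
    """Flag only when both JavaScript-structure traits occur together."""
    ind = bmp_polyglot_indicators(data)
    return ind["size_field_opens_js_comment"] and ind["comment_close_then_assignment"]


def _make_bmp(size_field: bytes, pixels: bytes) -> bytes:
    """Build a minimal BMP-shaped blob (constructed sample, not a real image)."""
    dib = b"\x00" * 40  # BITMAPINFOHEADER placeholder
    header = BMP_MAGIC + size_field + b"\x00" * 4 + struct.pack("<I", FILE_HEADER_LEN + len(dib))
    return header + dib + pixels


# Constructed samples: an honest size field versus the layout the report describes
# (size bytes "/*", then "*/=`...`" where pixel data would normally sit).
_BENIGN_PIXELS = b"\xff\x00\x00" * 8
BENIGN_BMP = _make_bmp(struct.pack("<I", FILE_HEADER_LEN + 40 + len(_BENIGN_PIXELS)), _BENIGN_PIXELS)
POLYGLOT_BMP = _make_bmp(b"/*\x00\x00", b"*/=`" + b"\x01\x02\x03" * 8 + b"`;")

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_BMP), ("polyglot", POLYGLOT_BMP)):
        print(name, is_suspected_polyglot(blob), bmp_polyglot_indicators(blob))
```

Run it over files served from ad slots; a hit is worth a look, and an image whose declared size is wrong on its own is only a reason to look closer, not a verdict.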

“This attack has many layers and new techniques to attempt to hide what its true nature is and to hinder white hat reverse engineers from figuring out exactly how it works,” Devcon said.