The vulnerability was announced by Cisco last week and it affects the IOS, IOS XE and IOS XR software that powers many of its networking devices. The flaw allows hackers to remotely extract the contents of a device’s memory, which can lead to the exposure of sensitive information.
The vulnerability stems from how the OS processes IKEv1 (Internet Key Exchange version 1) requests. This key exchange protocol is used for VPNs (Virtual Private Networks) and other features that are popular in enterprise environments.
Cisco discovered the vulnerability internally after analyzing an exploit for Cisco PIX firewalls that was leaked last month by a hacking outfit called Shadow Brokers. The exploit was part of a larger set of attack tools that Shadow Brokers claimed are being used by a cyberespionage group known in the security industry as the Equation, believed to be linked to the NSA.
Because other hackers could find the same flaw by analyzing the exploit leaked by Shadow Brokers, Cisco decided to inform its customers about it through a security advisory, even though the company is still working on developing and releasing patches.
Many of the affected IOS, IOS XE and IOS XR releases don’t yet have fixed versions, but Cisco released detection signatures for intrusion prevention systems that could be used to protect networks from potential attacks.
The Shadowserver Foundation, an organization that tracks cybercrime and assists with botnet takedowns, has started an internet-wide scan to find Cisco devices affected by this vulnerability — with the goal of reporting them to their owners.
Its latest scan identified devices with 840,681 distinct IP addresses that responded as vulnerable to the probe.
Twitter has said it only takes down accounts when they are reported by other users, but said that it has increased the size of teams monitoring and responding to reports and has decreased its response time “significantly.”
Twitter’s announcement comes as many tech companies – led by Facebook – have taken stronger steps to police controversial content online in the face of threats from legislators to force the companies to report “terrorist activity” on their sites to law enforcement.
Silicon Valley has been wary of engaging with government officials, concerned about endless demands for similar action from countries around the world as well as fears about being perceived by consumers as tools of government.
The announcement was also notable because Twitter has said little about its efforts to combat Islamic State, also known as ISIS, and similar groups even though it has been criticized for not doing enough.
Islamic State, which controls large swathes of Iraq and Syria, has heavily relied on the 300 million-person site, as well as others, to recruit fighters and propagate violent messages.
Seamus Hughes, deputy director of George Washington University’s program on extremism, said Friday’s report showcased an “impressive number” of takedowns, but said that Twitter still appears to police extremist content in a mostly “episodic” way.
Many extremists have migrated toward smaller, less monitored platforms in recent months in response to major Silicon Valley firms stepping up their content policing, Hughes added.
In January, a delegation of top national security officials met tech industry leaders from Twitter, Facebook Inc, Apple Inc, and Google parent Alphabet Inc, but most companies, including Twitter, did not send their chief executive officers.
Rep. Adam Schiff, the top Democrat on the House of Representatives Intelligence Committee, called Twitter’s announcement a “very positive development,” but said more was needed.
“Addressing the use of social media by terrorists will require a sustained and cooperative effort between the technology sector, the Intelligence Community, and law enforcement,” he said.
Still, Twitter said in a blog post that it has cooperated with law enforcement when appropriate.
Quantum cryptography might not be the security secret weapon that the industry has been hoping for. In theory, quantum cryptography might allow you to encrypt a message in such a way that it could never be read by anyone else. But recently, methods that were once thought to be fundamentally unbreakable have been shown to be anything but.
Physicist Renato Renner from the Institute of Theoretical Physics in Zurich said the problem was that systems were not being built correctly. In 2010, for instance, it was shown that a hacker could blind a detector with a strong pulse, rendering it unable to see the secret-carrying photons.
Renner also said that there are many other problems. Photons are generated using a laser tuned to such a low intensity that it produces a single photon at a time. There is a certain probability that the laser will emit a photon encoded with your secret information and then a second photon carrying that same information. All an enemy has to do is steal that second photon, and they could gain access to your data.
He told Wired that if there were better control over quantum systems than we have with today’s technology then perhaps quantum cryptography could be less susceptible to problems, but such advances are at least 10 years away.
Because of a faulty encryption component that failed to encrypt data, the PHP Group, as well as the security organisation the SANS Institute, advised users to resist the immediate temptation to update to PHP version 5.3.7, which was released on 18 August, and to wait instead for the PHP 5.3.8 update.
Today, and earlier than expected, the group alerted users that it was releasing the PHP 5.3.8 update and had fixed the critical encryption bug as well as one other that could have caused SSL connections to hang.
The earlier release, PHP version 5.3.7, fixed many more issues and included 90 bug fixes and performance enhancements as well as at least six security updates, except of course the obvious one that caused the replacement update.
The group added that the PHP 5.2 series is no longer supported and urged all users to upgrade to PHP 5.3.8.
The crack is the work of a trio of researchers at universities and Microsoft, and involved a lot of cryptanalysis – which is somewhat reassuring – and still does not present much of a real security threat.
Andrey Bogdanov, from K.U.Leuven (Katholieke Universiteit Leuven), Dmitry Khovratovich, who is full time at Microsoft Research, and Christian Rechberger at ENS Paris were the researchers.
Although there have been other attacks on the key-based AES security system, none have really come close, according to the researchers. But this new attack does, and it can be used against all versions of AES.
This is not to say that anyone is in immediate danger and, according to Bogdanov, although it is four times easier to carry out, it is still something of an involved procedure.
Recovering a key is no five-minute job and, despite being four times easier than other methods, the number of steps required to crack AES-128 is an 8 followed by 37 zeroes.
“To put this into perspective: on a trillion machines, that each could test a billion keys per second, it would take more than two billion years to recover an AES-128 key,” the Leuven University researcher added. “Because of these huge complexities, the attack has no practical implications on the security of user data.” Andrey Bogdanov told The INQUIRER that a “practical” AES crack is still far off but added that the work uncovered more about the standard than was known before.
“Indeed, we are not even close to a practical break of AES at the moment. However, our results do shed some light into the internal structure of AES and indicate where some limits of the AES design are,” he said.
He added that the advance is still significant, and is a notable progression over other work in the area.
“The result is the first theoretical break of the Advanced Encryption Standard – the de facto worldwide encryption standard,” he explained. “Cryptologists have been working hard on this challenge but with only limited progress so far: 7 out of 10 for AES-128 as well as 8 out of 12 for AES-192 and 8 out of 14 rounds for AES-256 were previously attacked. So our attack is the first result on the full AES algorithm.”
Bogdanov added that the crack works on all versions of AES and dispelled some myths about the technology as well.
“Unlike previous results on AES, we do not need any related keys which was a very strong and unrealistic assumption about the power of the attacker,” he explained.
“Our attacks work in the classical single-key setting and, thus, apply in every context, however, with huge complexities so far. The practical consequence is that the effective key length of AES is about 2 bits shorter than expected – it is more like AES-126, AES-190, and AES-254 instead of AES-128, AES-192, and AES-256. We think it is a significant step toward the understanding of the real security of AES.”
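The three figures quoted above (an 8 followed by 37 zeroes, "about 2 bits shorter", and "more than two billion years" on a trillion machines testing a billion keys per second) can be checked against each other; this worked calculation is added here and is not part of the original article. The attack cost is about 8 × 10^37 operations, so its equivalent key length is

$$\log_2\!\left(8 \times 10^{37}\right) = 3 + 37\log_2 10 \approx 3 + 37 \times 3.32 \approx 125.9 \text{ bits} \approx 2^{126},$$

which is the roughly 2-bit reduction from 128 bits that Bogdanov describes. With $10^{12}$ machines each testing $10^{9}$ keys per second, the aggregate rate is $10^{21}$ keys per second, giving

$$\frac{8 \times 10^{37}}{10^{21}\ \text{s}^{-1}} = 8 \times 10^{16}\ \text{s} \approx \frac{8 \times 10^{16}}{3.16 \times 10^{7}\ \text{s/year}} \approx 2.5 \times 10^{9}\ \text{years},$$

consistent with the "more than two billion years" estimate. The same arithmetic applied to the original $2^{128}$ brute-force cost gives about $10^{10}$ years, so the attack is a real but purely theoretical improvement.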
The attack has been confirmed by the creators of AES, Dr Joan Daemen and Professor Dr Vincent Rijmen, who also applauded it.
“TDL-4,” the name for both the bot Trojan that infects PCs and the ensuing collection of compromised computers, is “the most sophisticated threat today,” said Kaspersky Labs researcher Sergey Golovanov in a detailed analysis Monday.
“[TDL-4] is practically indestructible,” Golovanov said, and others agree.
“I wouldn’t say it’s perfectly indestructible, but it is pretty much indestructible,” said Joe Stewart, director of malware research at Dell SecureWorks and an internationally known botnet expert, in an interview today. “It does a very good job of maintaining itself.”
Golovanov and Stewart based their assessments on a variety of TDL-4’s traits, all of which make it an extremely tough character to detect, delete, suppress or eradicate.
Because TDL-4 installs its rootkit on the Master Boot Record (MBR), it is invisible to both the operating system and, more importantly, the security software designed to sniff out malicious code.
Further, what makes the botnet indestructible is the combination of its advanced encryption and the use of a public peer-to-peer (P2P) network for the instructions issued to the malware by command-and-control (C&C) servers.
“The way peer-to-peer is used for TDL-4 will make it extremely hard to take down this botnet,” said Roel Schouwenberg, senior malware researcher at Kaspersky. “The TDL guys are doing their utmost not to become the next gang to lose their botnet.”
Schouwenberg cited several high-profile botnet take-downs — which have ranged from a coordinated effort that crippled Conficker last year to 2011’s FBI-led take-down of Coreflood — as the motivation for hackers to develop new ways to keep their armies of hijacked PCs in the field.
“Each time a botnet gets taken down it raises the bar for the next time,” noted Schouwenberg. “The truly professional cyber criminals are watching and working on their botnets to make them more resilient against takedowns or takeovers.”