Services

Cisco has provided a patch to address a remote hijacking vulnerability in its Cloud Services Platform (CSP).

Switchzilla said that all customers who run CSP 2100 software should install the 2.1.0 update to close a remote code execution flaw it considers to be a high security risk.

Designed as an efficient way to manage virtualized network services and components, CSP is installed as a Linux x86 virtual machine built into a Cisco network appliance. The system includes a web-based GUI for device management.

Cisco says that the flaw (CVE-2016-6374) allows an attacker to send malformed HTTP requests to achieve remote code execution.

Specifically, Cisco warns, the attacker will be able to shoot the targeted system a poisoned DNS-lookup request through the CSP web interface. That attacker could then execute commands on the server without the need for further authentication.

Cisco noted that, aside from installing the update, there are no known mitigations for the vulnerability. No other Cisco appliances or hardware are believed to be subject to the flaw, and Cisco says it is not aware of any attempts to exploit the vulnerability in the wild.

The patch comes just three days after Cisco issued a fix for another high-severity flaw in its IOS platform.

That flaw, spotted during the "Shadow Brokers" review, allowed for a cock-up in the handling of IKE requests to open up memory contents to a remote attacker, potentially allowing for information disclosure. ®

Sponsored: Fast data protection ROI?


The Register - Security

Oracle Patches Record 276 Vulnerabilities with July Critical Patch Update

July 20, 2016 , 9:21 am

Cisco Acknowledges ASA Zero Day Exposed by ShadowBrokers

August 17, 2016 , 4:06 pm

Pokémon GO Spam, Ransomware, On the Rise

August 17, 2016 , 12:58 pm

ProjectSauron APT On Par With Equation, Flame, Duqu

August 8, 2016 , 1:40 pm

Miller, Valasek Deliver Final Car Hacking Talk

August 4, 2016 , 3:26 pm

Researchers Go Inside a Business Email Compromise Scam

August 4, 2016 , 10:00 am

Export-Grade Crypto Patching Improves

August 3, 2016 , 10:00 am

Kaspersky Lab Launches Bug Bounty Program

August 2, 2016 , 9:00 am

Threatpost News Wrap, July 29, 2016

July 29, 2016 , 10:45 am

KeySniffer Vulnerability Opens Wireless Keyboards to Snooping

July 26, 2016 , 9:30 am

Upcoming Tor Design Battles Hidden Services Snooping

July 25, 2016 , 3:51 pm

EFF Files Lawsuit Challenging DMCA’s Restrictions on Security Researchers

July 21, 2016 , 1:18 pm

Threatpost News Wrap, July 15, 2016

July 15, 2016 , 11:00 am

Academics Build Early-Warning Ransomware Detection System

July 14, 2016 , 1:05 pm

xDedic Hacked Server Market Resurfaces on Tor Domain

July 12, 2016 , 11:40 am

Conficker Used in New Wave of Hospital IoT Device Attacks

June 30, 2016 , 11:48 am

655,000 Healthcare Records Being Sold on Dark Web

June 28, 2016 , 10:00 am

Windows Zero Day Selling for $ 90,000

May 31, 2016 , 5:44 pm

Millions of Stolen MySpace, Tumblr Credentials Being Sold Online

May 31, 2016 , 1:37 pm

OTR Protocol Patched Against Remote Code Execution Flaw

March 10, 2016 , 10:23 am

Android KeyStore Encryption Scheme Broken, Researchers Say

July 7, 2016 , 11:52 am

Necurs Botnet is Back, Updated With Smarter Locky Variant

June 23, 2016 , 4:10 pm

Planes, Trains and Automobiles Increasingly in Cybercriminal’s Bullseye

June 29, 2016 , 8:19 am

WordPress Security Update Patches Two Dozen Flaws

June 23, 2016 , 8:00 am

Apple Leaves iOS 10 Beta Kernel Unencrypted: Pros and Cons

June 27, 2016 , 5:13 pm

Voter Database Leak Exposes 154 Million Sensitive Records

June 24, 2016 , 10:14 am

iOS 9.3.4 Patches Critical Code Execution Flaw

August 8, 2016 , 9:00 am


Threatpost | The first stop for security news


Assaf Regev

Assaf Regev serves as the product marketing manager for the web fraud portfolio of Trusteer, an IBM Company, part of IBM’s Security Systems division. Assaf holds a BS.c in...

See All Posts

According to data from IDC, the worldwide smartphone market is in excess of 2 billion units. By 2017, the smartphone market share will reach 70.5 percent, up more than 10 percent compared to 2013.

In addition to IDC’s findings, the recent “Consumers and Mobile Financial Services 2016” report stated that 43 percent of mobile phone owners perform online banking via a mobile device, up from 39 percent last year. Additionally, 53 percent of smartphone owners use mobile banking.

A Stake in the Ground

It’s evident that consumers expect to interact with services such as e-commerce, gaming and online banking through their mobile devices. As a result, organizations offering new services must keep up with the ever-growing mobile landscape and any associated regulatory guidelines.

The Federal Financial Institutions Examination Council (FFIEC) recently issued guidance that focused on risks associated with mobile financial services (MFS). The publication also emphasized an enterprisewide risk management approach for more effective risk mitigation.

The agency put a stake in the ground, issuing a new set of security guidelines for mobile banking in late April 2016. This was an important update to the organization’s previously released handbooks. With these new guidelines, the FFIEC set the foundation for 24/7 online banking services of all types, including a set of detailed, actionable directives.

Read the white paper to learn to how to protect Mobile Financial Services

Protecting Mobile Financial Services

More generally, financial institutions looking into protecting existing and new MFS should consider the following:

  • The main channels for mobile banking, such as SMS messaging, mobile-enabled websites, mobile applications and wireless payments;
  • The risks and potential implications on the various aspects of the offered service, including strategic, operational, compliance and reputational risks;
  • The means of identifying, measuring, assessing and mitigating the risks across all applicable categories, which includes the likelihood and impact of such risks and their potential effect on the service and the organization; and
  • The processes and systems in place to help validate and report whether the offered product or service meets operational expectations.

Financial institutions looking to address the above issues must make sure these objectives can be aligned with their short- and long-term strategic plans. To help address security concerns related to mobile financial services, financial institutions can embed the IBM Security Trusteer Mobile SDK in proprietary mobile banking applications via a dedicated security library for Apple iOS and Google Android platforms.

For more information, download the white paper to see how IBM solutions can help protect mobile financial services and provide effective and sustainable fraud prevention.

Topics: Banking, Mobile, Mobile Banking, Mobile Devices, Mobile Security, Risk Management


Security Intelligence