Cisco encryption, API security and more: first officer's blog - week 62

Cisco encryption vulnerability, API security risks, and more. Here are the latest stories from the world of cyber risk.

Mike Parkin | July 24, 2023

The ongoing voyages of the Federation Support Ship USS [REDACTED] 

First Officer’s log, Terrestrial date, 20230717, Officer of the Deck reporting.  

A handful of our officers and a couple of security personnel beamed over to the Dauntless to accept her captain’s invitation. Captain Max, as he told us to call him, met us in the transporter room, and it was apparent in a moment that we were not aboard a proper Starfleet vessel. 

While the transporter room itself was Starfleet standard for a ship of that vintage and class, and the markings were appropriate and largely intact, the crew was anything but. The transporter operator was a [REDACTED] who seemed aloof and amused, if it was possible to read anything correctly with their vivid blue complexion. The operator with them was of an insectoid species none of us recognized, and the officer accompanying Captain Max was a [REDACTED], casually hefting an ornately carved Bat’leth over her shoulder. 

None of them were in anything that could be construed as a uniform. None of them had rank insignia and, in fact, the only thing that was common on the wildly varied and somewhat flashy clothing was an identical comm-badge. Like the one each Starfleet officer wore, and quite likely identical in operation, theirs had the ship’s crest rather than that of Starfleet. 

Their captain stepped forward, offering a cheerful forearm grip to our XO. “Welcome! Welcome! Good to see you. I’m Max. These are my crew, and you’re the [REDACTED]’s executive officer yes? Come along, we’ve got food and drink prepared. And real food! Not that Targ kibble your replicators produce.” 

Our XO accepted the greeting, nodded, and nodded to the rest of our crew to treat it as normal, though one of our security team was eyeing the Bat’leth-carrying officer, who was eyeing him in return with an expression that was hard to gauge. 

Within a few minutes we’d walked from the transporter room to the ship’s mess, which had more the feeling of a tavern than even the 10 Forward lounge aboard a [REDACTED] class cruiser. All of the crew in the lounge, and, in fact, all of the crew we’d seen walking here shared the same eccentric lack of uniform and common comm-badge. 

After settling in at a table and accepting a round of drinks, our XO started the questions. “You mentioned there was a story to how you came to have this ship, Captain. Would you care to elaborate?” 

“Of course! And be careful with that. It’s real Terrestrial whisky. None of that synthehol here. Now, where was I? Oh yes. Just starting. See, about 40 years ago, the Federation decided to repurpose some of these old warships by essentially giving them to a few of the Frontier colonies.” Max explained as he worked on his drink. 

“This ship wound up in the hands of a colony who used her for a decade or so, then kind of forgot about it after the hostilities died down. Starfleet and the Federation forgot about her too. Everyone forgot about her. Until about five years ago.” He went on with a bit of animation. 

“Things were starting to heat up a bit again, and here they were, with a [REDACTED] class warship in mothballs and no one able to run her. Which is where we come in. See, I was an Academy graduate, recently retired from Starfleet myself, and knew enough people who knew how to run a fighting ship to get her back online. All it took was the planetary council to say yes, issue a Letter of Marque, and the Dauntless was back.” 

“Not what you were expecting, was it, Commander?” 

Our XO nodded, tentatively enjoying the drink he’d been offered. “No. Not at all. You know we’ll have to confirm this with Starfleet command, Captain. And then, maybe, we can discuss your request.” 

“Of course. Of course. Expected no less. Now, eat!” Max replied, just as the food arrived. 

Turn off the encryption to be safe? Wait. What? 

What happened 

A vulnerability has been discovered in Cisco Nexus 9000 series switches that could let an attacker in a position to intercept traffic potentially break the encryption to read and modify that traffic. The vulnerability only affects fabric switches running a specific configuration; however, Cisco has indicated that no patch is forthcoming and there is no workaround. Users have been advised to turn off the affected encryption feature and, if necessary, contact Cisco support for help with alternative secure communications options. 

What they said 

There’s nothing encrypted about the attention this story is getting.

Well, that doesn’t inspire confidence 

What happened 

A recent report has shown that over 2/3 of financial services and insurance companies have suffered rollout delays due to API security concerns, while over 90% have documented security issues with production APIs. These numbers are higher than reported by other industries. Over 4 out of 5 indicated that attacks were originating from “authenticated” sources, appearing legitimate when they were in fact hostile. 

Why it matters 

API security is becoming a bigger deal, though it should have been one all along. In many cases, secure development practices aren’t being followed. It’s worse with internal-facing APIs, where developers may make the unsafe assumption that they are operating in an environment clear of threat actors. While an internal environment is less likely to face serious threats, “assumed safe” is not safe. 

One of the bigger takeaways from this report, though, is how many of the attacks came from authenticated sources. That’s an indication that there is still a serious problem on the authentication side: whether it is user authentication or application-level authentication, something is not providing the level of security it should. 
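To make the “authenticated but still hostile” point concrete, here is an added example (not from the original post or from the report it discusses) of an internal API handler written two ways. All names, keys, account records and limits are constructed for the example. The unsafe handler treats any valid API key as full permission, which is exactly the “assumed safe” internal pattern; the hardened handler adds object-level authorization and a per-identity rate limit so that a valid credential that has been leaked or abused is still contained and shows up as 404/429 noise rather than as successful data access.

```python
"""Added example: an authenticated caller is not an authorized caller.

In-memory stand-in for an internal service API. API keys, account
records and limits below are constructed for illustration only.
"""
import hmac
from collections import defaultdict, deque

# Constructed sample data: API key -> calling service, account -> owning service.
API_KEYS = {
    "key-billing-0001": "billing-service",
    "key-reports-0002": "reports-service",
}
ACCOUNTS = {
    "acct-100": {"owner": "billing-service", "balance": 1250},
    "acct-200": {"owner": "reports-service", "balance": 90},
}
RATE_LIMIT = 5          # requests allowed per caller ...
RATE_WINDOW = 60.0      # ... within this many seconds (sliding window)
_request_log = defaultdict(deque)   # caller -> timestamps of recent requests


def authenticate(headers):
    """Return the caller identity for a valid API key, else None.

    Uses a constant-time comparison so key checks do not leak by timing."""
    presented = headers.get("X-Api-Key", "")
    for key, caller in API_KEYS.items():
        if hmac.compare_digest(presented, key):
            return caller
    return None


def get_account_unsafe(headers, account_id):
    """The 'assumed safe' internal pattern: any authenticated caller may read
    any account, so a single leaked key looks entirely legitimate."""
    caller = authenticate(headers)
    if caller is None:
        return 401, None
    record = ACCOUNTS.get(account_id)
    if record is None:
        return 404, None
    return 200, record["balance"]


def within_rate_limit(caller, now):
    """Sliding-window limit per caller identity; old timestamps are dropped."""
    log = _request_log[caller]
    while log and now - log[0] >= RATE_WINDOW:
        log.popleft()
    if len(log) >= RATE_LIMIT:
        return False
    log.append(now)
    return True


def get_account_safe(headers, account_id, now):
    """Hardened handler: authentication, then per-identity rate limiting, then
    object-level authorization (the caller must own the account it asks for)."""
    caller = authenticate(headers)
    if caller is None:
        return 401, None
    if not within_rate_limit(caller, now):
        return 429, None
    record = ACCOUNTS.get(account_id)
    # Same 404 for 'missing' and 'not yours' so callers cannot enumerate ids.
    if record is None or record["owner"] != caller:
        return 404, None
    return 200, record["balance"]


if __name__ == "__main__":
    reports = {"X-Api-Key": "key-reports-0002"}
    # Unsafe: reports-service reads billing's account with a valid key -> 200.
    print(get_account_unsafe(reports, "acct-100"))
    # Safe: same request is refused as if the account did not exist -> 404.
    print(get_account_safe(reports, "acct-100", now=0.0))
```

The two handlers authenticate identically; the difference is entirely in what happens after authentication succeeds. In a real deployment the `now` argument would be the server clock and the request log would live in a shared store, but the control flow is the point: authorization and abuse limits are what turn a “legitimate-looking” request from a compromised identity into something that fails and leaves a detectable trail.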

What they said 

This one got plenty of coverage.
