Hello, welcome to the Monday, January 6th, 2020 edition of the Sands and its Storm Center's Stormcast.

My name is Johannes Ulrich.

And today I'm recording from Jacksonville, Florida.

As always with the new year, there are a number of new laws that went into effect with the new year.

Now, one law that affects information security is the California Consumer Privacy Act or short

CCPA.

It is often compared to the European GDPR and sort of a California version of it.

And also, just like for GDPR, if your business is not

located in California, you may still have to comply with it if you are doing business with

California residents. And now Kevin wrote up a very brief sort of two-minute digest of this new law. So if you want to read up on it,

it's probably the quickest way to get sort of the high level of what this law is about.

And Cisco released a total of 12 patches. Now, three vulnerabilities being addressed here are of particular interest in that these are authentication bypass vulnerabilities that allow full administrative access to the Cisco Data Center network manager.

Interesting that it's three distinct vulnerabilities, but they are actually similar in their nature.

One for the Rest API, second one for the SOP API.

Both of them are essentially a static encryption key that's being used to derive

session tokens. So once someone has one of those appliances, they're able to extract

the encryption key and use it against other installations of the same software.

The third one is also very similar.

Now, this one is sort of the web-based management interface,

not the APIs as the first two vulnerabilities.

And in this case, again, it's static credentials.

So very similar vulnerabilities overall.

...