Cyber Risk Report

Cyber Risk Report: March 25-31, 2013

 
Threat Type: IntelliShield: Cyber Risk Report
IntelliShield ID: 28761
Version: 1
First Published: 2013 April 01 19:33 GMT
Last Published: 2013 April 01 19:33 GMT
Port: Not available
Urgency: Weakness Found
Credibility: Confirmed
Severity: Mild Damage
 
Version Summary: This is the Cyber Risk Report for March 25–31, 2013. The report details the significant events for this time period and covers multiple threat and risk management categories.
 

Description
 

Contents

Vulnerability
Identity
Social Media
Cloud
Upcoming Security Activity
Additional Information

 

Listen to the Podcast (9:50 min) 

If you missed Cisco Live London or Cisco Live Melbourne, several of the session recordings are available at www.ciscolive365.com. If you do not have an account, you can create one at no charge. Information and registration for Cisco Live Orlando, June 23–27, is now available. Several members of the Cisco Security Intelligence Operations (SIO) team will be presenting training and security topics.

Cisco released the Cisco Annual Security Report 2013, highlighting global threat patterns and trends, expert analysis and recommendations. Cisco also released the final chapter of the Cisco Connected World Technology Report: Big Data, Big Priority survey that explored the potential and challenges of Big Data and beyond. The survey found that we are still in the early stages of Big Data adoption, and many IT managers feel they are not yet realizing strategic value from their data.

As always, we invite your feedback on the Cyber Risk Reports through the Cisco Security Intelligence Operations portal comment card.


Vulnerability

Vulnerability activity for March 2013 increased and is showing a strong trend of increased activity levels for the first three months of 2013. IntelliShield produced 614 alerts in March 2013, up from 487 alerts produced in March 2012. For the first three months of 2013, IntelliShield produced 1,739 alerts while in the first three months of 2012 there were 1,590 alerts. This continuing trend of increased vulnerability and threat activity challenged security and patch management teams throughout last year and has increased in 2013. Organizations are advised to focus on vulnerability remediation and patch management to prevent exploitation of known vulnerabilities. Recent reports from 2012 activity showed that roughly 80 percent of vulnerabilities and exploits had a patch available within days of discovery; however, installing the patches and updates continues to challenge organizations, leaving them exposed.

For the period March 25–31, Cisco released the Semiannual Cisco IOS Software Security Advisory Bundled Publication, including seven security advisories addressing seven vulnerabilities. Full details of the publication are available in the Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication. A video review and Cisco Security blog post, Today’s the Day: Announcing the Cisco IOS Software Security Advisory Bundle, are also available.

Microsoft released a security advisory addressing a vulnerability in Microsoft Windows Modern Mail that could allow an unauthenticated, remote attacker to conduct spoofing attacks. Digium Asterisk reported multiple vulnerabilities with updates available. HP reported multiple vulnerabilities in HP Intelligent Management Center, including a vulnerability that already has public exploits available. IBM reported multiple vulnerabilities in Lotus Domino and iNotes. Novell reported multiple vulnerabilities in GroupWise and ZENworks. MontaVista released multiple updates for previously reported Linux Kernel vulnerabilities. OpenSSL reported an OpenSSL TLS and AES-NI Denial of Service Vulnerability. Google released the Google Chrome Stable Channel Update for March 2013, correcting 11 vulnerabilities.

ISC reported a critical vulnerability in BIND 9 (IntelliShield alert 28730) that could allow an attacker to cause excessive memory consumption and potentially cause a crash and denial of service (DoS) condition.

Websense released detailed telemetry on Java versions and exploit toolkits that are currently exploiting various Java vulnerabilities. The telemetry paints a disappointing picture of Java security, and highlights why criminals target the Java vulnerabilities. Following the recent Java zero-day vulnerabilities and exploits, multiple organizations addressed updating, disabling, or removing Java, but the Websense telemetry shows the vulnerable systems and versions are still prevalent. All users and organizations should focus on addressing these Java vulnerabilities to reduce the attack surface of their systems.

The Al Qassam operation Ababil continues to attack US banks and financial institutions. Most recently, reports indicated interruptions at Wells Fargo, Bank of America, and American Express. While these attacks continue, the banks and financial institutions have greatly improved their Distributed Denial of Service (DDoS) attack defenses, reducing the impact of the attacks, and providing important lessons for other businesses and organizations. The DDoS attack has returned to favor with criminals, hacktivists, and other hostile groups and individuals. Although many organizations may not have experienced these attacks, the key to responding to a DDoS attack is preparation. Organizations are advised to review their DDoS response capabilities and planning.

Cisco released the Cisco Security blog post, Chronology of a DDoS: SpamHaus, detailing the recent Spamhaus DDoS attack. In addition to the trending DDoS threat, this case also raised the issue of validating media reports on the attacks. Many security analysts and organizations commented on the media hype and overstated impact of these attacks on the Internet. As with all data and security intelligence collection, analysis, and reporting, security organizations are cautioned to validate their information during the intelligence process to provide timely and accurate security intelligence to their consumers.

IntelliShield published 142 events last week: 79 new events and 63 updated events. Of the 142 events, 93 were Vulnerability Alerts, 3 were Security Activity Bulletins, 2 were Security Issue Alerts, 38 were Threat Outbreak Alerts, and 5 were Applied Mitigation Bulletins. The alert publication totals are as follows:

Day        Date         New  Updated  Total
Saturday   03/30/2013     5        2      7
Friday     03/29/2013     2        1      3
Thursday   03/28/2013    12       13     25
Wednesday  03/27/2013    16       14     30
Tuesday    03/26/2013     7       15     22
Monday     03/25/2013    37       18     55

 

Month      New   Updated  Total
January    303       224    527
February   386       212    598
March      333       281    614
Totals    1022       717   1739

Significant Alerts for the Time Period

ISC BIND Crafted Regular Expression Remote Denial of Service Vulnerability
IntelliShield Vulnerability Alert 28730, Version 2, March 30, 2013
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2012-2266
ISC BIND contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. Updates are available.

Previous Alerts That Still Represent Significant Risk

Financial Institution Websites Targeted by Distributed Denial of Service Attacks
IntelliShield Security Activity Bulletin 27076, Version 4, March 26, 2012
Urgency/Credibility/Severity Rating: 3/5/3
Websites owned by banks and other financial institutions continue to be targeted by distributed denial of service (DDoS) attacks, decreasing availability of those sites to legitimate customers. The DDoS attacks may be ongoing. Site administrators are advised to take steps to protect their Internet-facing web services. Cisco has released a guide for protecting environments against DDoS attacks at the following link: Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks. Cisco has also released an Applied Mitigation Bulletin, available at the following link: Identifying and Mitigating the Distributed Denial of Service Attacks Targeting Financial Institutions.

Cisco IOS and Cisco IOS XE Type 4 Passwords Issue
IntelliShield Vulnerability Alert 28621, Version 1, March 18, 2013
Urgency/Credibility/Severity Rating: 3/5/3
Cisco IOS and Cisco IOS XE devices contain an issue that could allow an authenticated, remote attacker to access sensitive information on a targeted device. Functional code that exploits the issue is publicly available. Cisco has confirmed the issue in security response cisco-sr-20130318-type4; however, software updates are not available.

Oracle Java SE Security Bypass Arbitrary Code Execution Vulnerabilities
IntelliShield Vulnerability Alert 28462, Version 5, March 12, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-0809, CVE-2013-1493
Oracle Java SE contains vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Reports indicate that CVE-2013-1493 is being actively exploited by the McRat trojan malicious code. Oracle, Apple, IBM, and Red Hat have confirmed these vulnerabilities and released patches.

Adobe Flash Player and AIR Security Updates for March 12, 2013
IntelliShield Vulnerability Alert 28565, Version 2, March 13, 2013
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2013-0646, CVE-2013-0650, CVE-2013-1371, CVE-2013-1375
Adobe Flash Player and AIR contain multiple vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Updates are available.

Adobe ColdFusion Security Advisory January 2013
IntelliShield Vulnerability Alert 27769, Version 2, March 15, 2013
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2013-0629, CVE-2013-0631, CVE-2013-0625, CVE-2013-0632
Adobe ColdFusion for Windows, Macintosh, and UNIX contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to bypass security restrictions to gain unauthorized access or access to sensitive information. Adobe has released an additional security bulletin and software updates to address multiple vulnerabilities. Reports indicate that these vulnerabilities are being exploited in the wild. The vulnerabilities, CVE-2013-0625 and CVE-2013-0629, affect users who do not have password protection enabled or have no password set on their system.

Oracle Java SE Critical Patch Update Advisory for February 2013
IntelliShield Activity Bulletin 28080, Version 9, March 26, 2013
Urgency/Credibility/Severity Rating: 2/5/4
Oracle Java SE contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to bypass security restrictions, access sensitive information, execute arbitrary code, or cause a DoS condition on a targeted system. The patch update corrects 50 vulnerabilities in multiple components such as the Java Runtime Environment (JRE), Java Development Kit (JDK), Software Development Kit (SDK), and JavaFX. Oracle has released additional security advisories and updated packages to address the vulnerabilities in the Oracle Java SE Critical Patch Update Advisory for February 2013. Apple and Red Hat have also released updated packages to address these vulnerabilities. Red Hat has released an additional security advisory and updated packages.

Multiple Java Security Explorations
IntelliShield Activity Bulletin 28404, Version 1, March 1, 2013
Urgency/Credibility/Severity Rating: 2/5/4
Security researchers have released details on multiple new instances of certain types of vulnerabilities in Oracle Java. The vulnerabilities result from flaws similar to recent vulnerabilities that take advantage of various Java Virtual Machine (JVM) components such as class loaders, byte code verifiers, security managers, the JVM Runtime execution engine and classes definition, or the garbage collector. Proof-of-concept code that could aid attackers in building functional exploits is publicly available. Although Oracle has addressed many of these vulnerabilities in multiple Java SE critical patch advisories, reports have indicated that a few of these vulnerabilities remain unpatched.

Ruby on Rails Action Pack Parameter Processing Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 27831, Version 5, March 18, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-0156
Ruby on Rails contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Updates are available. Functional code that exploits this vulnerability is publicly available as part of the Metasploit Framework.

Identity

Does Mobility Cost Us Our Privacy?

A study has been released that analyzed data exchanged between mobile devices and network service providers. The researchers concluded that it is possible to uniquely identify a user with as few as four data points. The exchanges assist emergency responders and provide anonymized data that is sold for targeted advertising. In addition, end users can volunteer location information through social media applications that include the data on an opt-in basis.
Anonymity Risk
Fingerprinting Your Movements

Analysis: On the face of it, there is no argument that location data supplied by mobile devices can literally save lives. This recent study highlights a truism for security: every benefit is associated with some level of risk. The technologies we enjoy for convenience or to tailor our experiences online are often capable of delivering data that may be used for purposes other than originally intended. Unfortunately, the burden of determining how much we are sharing at any given moment is often left to the end user. It is up to each of us to decide what level of risk we are willing to take in order to benefit from a feature. Regular review of features, including default levels of privacy, continues to be a best practice.

Social Media

Social Media Tiger by the Tail

Last week, according to the Wall Street Journal, reports surfaced in Chinese state media that listed flaws in after-sales services for U.S. company Apple Inc., and called the company’s policies “arrogant.” As a follow-up, Chinese financial paper, Caijin, polled its Sina Weibo microblog followers to determine which companies they found to be most arrogant. After tallying user feedback, Apple was not among companies most frequently mentioned. Instead, several domestic banks, telecoms companies, and infrastructure providers were targets of popular ire.
Apple Ire Spreads to China SOE’s
How Do You Respond to Negative Feedback on Social Media?

Analysis: Once again, social media has provided a fresh outlook and unvarnished public feedback, if not a random sampling of a target population. The unplanned response to the Caijin survey is a reminder—one that any government that has conducted a referendum can relate to—that asking people for their frank opinion is risky business. Media outlets, including corporate websites, blogs, and social media sites, for example, are frequently faced with difficult decisions when online feedback to a corporate blog post or article is negative, damaging, offensive, or intentionally misleading. Removing a comment may appear dishonest, or may even draw unwanted attention to a sensitive issue, because attentive readers can show that a post was removed. Website and corporate social media account owners must set their own policies in this area, based on goals and context, keeping in mind the tradeoffs and understanding that unsolicited, sometimes offensive feedback comes with the territory.

Cloud

Exposing Enterprise and Personal Data in the Cloud

Researchers released a report on the open availability of business data on the Amazon Simple Storage Service (S3), widely used to store and share data. Largely attributed to users not correctly configuring the bucket privacy settings, the research found that of 12,328 Fortune 1000 data stores (buckets) searched, 1,951 had been configured with public settings allowing open access to the files and data. The report also emphasized that the privacy settings are the responsibility of the user, not the Amazon S3 service.
Sensitive Enterprise Data Exposed in Amazon S3 Public Buckets

Analysis: This report highlights the continuing issues with enterprises and users moving to cloud services. Many, roughly one in six based on the report, either do not understand the privacy settings or do not configure them correctly. There is also the issue of understanding the division of responsibility between the cloud service and its users for protecting the data. While many organizations are moving data and services to the cloud, there is also a risk for organizations that do not provide employees with sanctioned cloud services. Multiple reports, including the Cisco Connected World Technology Report, have highlighted that employees will use these services to share and store data even where organizational policies do not address, or even disallow, the use of the services. These businesses and individuals are exposing large volumes of data that they may not be aware is exposed, or that their security practices and policies do not properly address, making them easy targets for intellectual property theft and compromise of sensitive data.
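The public-bucket misconfiguration described above can be audited from the ACL and bucket policy an account owner retrieves for each bucket. The following is an added example, not code from the report or from Amazon: it takes documents in the shape returned by the S3 GetBucketAcl and GetBucketPolicy APIs (the sample ACL, policy, owner ID and bucket name below are constructed) and flags grants to the AllUsers and AuthenticatedUsers groups, as well as unconditional policy statements that allow access to any principal, alongside the corrected ACL that keeps only the owner's grant.

```python
import json

# Group grantee URIs that make a grant public: AllUsers is anonymous access,
# AuthenticatedUsers is any AWS account holder, which is public in practice.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def public_acl_grants(acl):
    """Return (group, permission) pairs in a bucket ACL that expose the bucket."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return findings

def public_policy_statements(policy):
    """Return Sids of Allow statements with a wildcard principal and no Condition."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a policy may carry a single statement object
        statements = [statements]
    hits = []
    for st in statements:
        principal = st.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        if st.get("Effect") == "Allow" and wildcard and "Condition" not in st:
            hits.append(st.get("Sid", "<no Sid>"))
    return hits

# Constructed sample: a bucket ACL that grants READ to AllUsers (the weak setting).
WEAK_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
# The corrected ACL keeps only the owner's FULL_CONTROL grant.
FIXED_ACL = {"Owner": WEAK_ACL["Owner"], "Grants": WEAK_ACL["Grants"][:1]}

# Constructed sample bucket policy that makes every object world-readable.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})
```

Running `public_acl_grants(WEAK_ACL)` reports the AllUsers READ grant and `public_acl_grants(FIXED_ACL)` returns nothing; in a real audit the two documents come from GetBucketAcl and GetBucketPolicy for each bucket in the account.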

Upcoming Security Activity

Interop Las Vegas May 6–10, 2013
Cisco Live, U.S.: June 23–27, 2013
Black Hat 2013: July 27–August 1, 2013
DEFCON 2013: August 1–4, 2013

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:

U.S. NCAA Men's Basketball Tournament: March 19–April 8, 2013
IMF World Bank Meeting: April 19–21, 2013
G8 Summit: May 17–18, 2013

Additional Information

For information and commentary from the experts in Cisco Security Intelligence Operations, please visit the Cisco Security Blog.

For timely information from across Cisco Security Intelligence Operations, please consider following @CiscoSecurity on Twitter.

 
Alert History
 

Initial Release



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShieldCyber Risk Report Original Release Base

Associated Products:
N/A



LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.