Cyber Risk Report

Cyber Risk Report: June 24-30, 2013

Threat Type: IntelliShield: Cyber Risk Report
IntelliShield ID: 29896
Version: 1
First Published: 2013 July 01 17:45 GMT
Last Published: 2013 July 01 17:45 GMT
Port: Not available
Urgency: Weakness Found
Credibility: Confirmed
Severity: Mild Damage

Version Summary: This is the Cyber Risk Report for June 24-30, 2013. The report details the significant events for this time period and covers multiple threat and risk management categories.

Description
 

Contents

Vulnerability
Security Trends
Trust
Upcoming Security Activity
Additional Information

 

Listen to the Podcast (6:25 min) 

Cisco Live 2013 was held last week, June 23-27, in Orlando, Florida. Several members of the Cisco Security Intelligence Operations (SIO) team presented training and security sessions. The Cisco Security Blog post Cisco Live 2013: Security Training and Breakout Sessions provides an overview of the Cisco Live security track sessions and those available from Cisco SIO. CiscoLive365 provides web access to several of the recorded events and sessions, as well as those from previous Cisco Live conferences.

We invite you to join Cisco SIO at Black Hat 2013 in Las Vegas this July, for our two-day, hands-on Network Threat Defense, Countermeasures, and Controls course. Courses will be offered on July 27-28 and July 29-30, 2013. Make sure you visit the Cisco booth at Black Hat to meet the Cisco SIO engineers.

Vulnerability

Vulnerability activity remained consistent with previous periods. The activity highlights include multiple Cisco Security Advisories and Security Notices, a new version of Mozilla Firefox correcting multiple vulnerabilities, and the availability of Carberp trojan malicious code.

Cisco released four security advisories correcting multiple vulnerabilities:

Cisco released the Applied Mitigation Bulletin: Identifying and Mitigating Exploitation of the Multiple Vulnerabilities in Cisco Content Security Management, Web Security, and Email Security Appliances with recommended mitigations for the Cisco security advisory vulnerabilities.
 
Cisco also released the following Security Notices:

Mozilla released a new version of Firefox correcting 14 vulnerabilities, four of which are rated critical. HP released advisories and software updates correcting three vulnerabilities in HP NonStop. Siemens reported multiple vulnerabilities in the Siemens WinCC Web Navigator. Cisco also released the Cisco Applied Mitigation Bulletin: Identifying and Mitigating the Siemens WinCC Web Navigator Vulnerabilities, with recommended mitigations for these vulnerabilities. 

Sources reported the public availability of the Carberp trojan malicious code. The availability of this trojan source code could spark an increase in attempted attacks and compromises. Several security products provide identification and protection against this known threat, but security teams are advised to be observant for an increase in activity. 

IntelliShield published 139 events last week: 81 new events and 58 updated events. Of the 139 events, 42 were Vulnerability Alerts, nine were Security Activity Bulletins, five were Security Issue Alerts, 82 were Threat Outbreak Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:

Day        Date         New   Updated   Total
Saturday   06/29/2013     4         1       5
Friday     06/28/2013    14         9      23
Thursday   06/27/2013    14        12      26
Wednesday  06/26/2013    15        22      37
Tuesday    06/25/2013    14         5      19
Monday     06/24/2013    20         9      29

Previous Alerts That Still Represent Significant Risk

Oracle Java SE Critical Patch Update Advisory for June 2013 
IntelliShield Security Activity Bulletin 29704, Version 3, June 20, 2013
Urgency/Credibility/Severity Rating: 2/5/4
Multiple CVEs
Oracle Java SE contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to bypass security restrictions, access sensitive information, execute arbitrary code, or cause a denial of service condition on a targeted system. Updates are available. Apple, Red Hat and CentOS have also released updates.

Microsoft Internet Explorer Use-After-Free Arbitrary Code Execution Vulnerability 
IntelliShield Vulnerability Alert 29192, Version 3, June 20, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-2551
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Functional code that exploits this vulnerability is available as part of the Metasploit framework. Microsoft has confirmed the vulnerability in Security Bulletin MS13-037 and released software updates.

Parallels Plesk Remote PHP Command Execution Vulnerability
IntelliShield Vulnerability Alert 29594, Version 2, June 12, 2013
Urgency/Credibility/Severity Rating: 3/5/3
CVE Not Available
Parallels Plesk contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary PHP script on a targeted system. Proof-of-concept code is publicly available. Parallels has confirmed the vulnerability is a variation of the CVE-2012-1823 vulnerability, which is documented in IntelliShield Alert 25816. Parallels has also confirmed that all currently supported versions of Parallels Plesk Panel 9.5 or later are not vulnerable to this variation. Additional details are in the Cisco Security Blog post: Plesk 0-Day Targets Web Servers.

ISC BIND Malformed Zone Request Processing Denial of Service Vulnerability 
IntelliShield Vulnerability Alert 29572, Version 2, June 6, 2013
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2013-3919
ISC BIND contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. ISC has confirmed the vulnerability and released software updates.

Ruby on Rails Action Pack Parameter Processing Remote Code Execution Vulnerability 
IntelliShield Vulnerability Alert 27831, Version 6, May 29, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-0156
Ruby on Rails contains a vulnerability, originally reported in January 2013, that could allow an unauthenticated, remote attacker to execute arbitrary code. Ruby on Rails has confirmed the vulnerability in a security announcement and released software updates. Event data from Cisco has detected intrusion prevention system signature activity related to this vulnerability. This activity on May 24, 2013, could indicate increased attempts to exploit the vulnerability in Ruby on Rails. Additional analysis is available in the Cisco Security Blog post: Botnets Riding Rails to Your Data Center.

HangOver Malicious Software Used in Targeted Attacks
IntelliShield Security Activity Bulletin 29383, Version 1, May 20, 2013
Urgency/Credibility/Severity Rating: 3/4/3
CVE Not Available
Researchers have identified malicious software used in targeted attacks against government national security organizations and private commercial organizations. The HangOver malicious software, also known as Hanove, is distributed mainly through targeted spear-phishing email campaigns. HangOver exploits known vulnerabilities for which patches exist.

Linux Kernel PERF_EVENT perf_swevent_init() Function Privilege Escalation Vulnerability 
IntelliShield Vulnerability Alert 29336, Version 5, May 21, 2013
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2013-2094
A vulnerability in the Performance Events (PERF_EVENT) implementation in the Linux Kernel could allow an authenticated, local attacker to elevate privileges on a targeted system. Functional code that exploits the vulnerability is publicly available. Kernel.org has confirmed this vulnerability in the git repository and updated software is available.

Security Trends

Google to Include Safe Browsing Data in Transparency Report

Google announced that it will release statistics on infected websites and include the data in their transparency reports. The Google Safe Browsing initiative identifies and blocks infected websites. It has been operating since 2006 to provide warning messages to users when they attempt to visit a website that has been identified as infected. The release of this data, along with the additional information in the transparency reports, shows the growing number of legitimate websites that have been infected or re-infected, which is a growing problem reported by multiple security organizations.
Google Now Sharing Web Security Data 
Transparency Report: Making the Web Safer  
Google Safe Browsing

Analysis: These types of initiatives and reports provide security practitioners with the validated data needed to support what many had identified as a problem, but few could validate. Cisco reported in the 2013 Annual Security Report, and subsequently reported in several cases in the first six months of 2013, that attackers have shifted away from directing users to malicious websites and moved to compromising known and trusted websites with the goal of infecting users as they visit those websites. Whether they are referred to as watering hole attacks, drive-by attacks, or others, these attacks are the top web threat to users. In addition to services such as the Google Safe Browsing initiative, users must keep their browsers updated with the latest versions and updates, as well as enable the additional security features available on most of the popular browsers. While the update process can be automated, users must be vigilant in keeping the web applications on their systems updated. A free service available to users that can simplify this process is the Qualys Browser Check website, which checks installed browser components and provides one-button updates to assist users.

Trust

Technology and Immature Security Controls

Private organizations, along with federal, state, and local law enforcement agencies, are rapidly deploying data and information gathering systems. Systems such as license plate readers are being deployed by multiple law enforcement agencies and can capture and analyze 1,200 plates per hour, compared to 20 to 50 per day using manual methods. However, how these records are retained and secured is unclear. The Electronic Frontier Foundation and the American Civil Liberties Union of Southern California have sued the Los Angeles County Sheriff's and Los Angeles Police departments to obtain a week of data gathered and maintained in a multi-agency network. At this time, it is not clear who administers the database, who has access to it, or how long the data is retained.
Police Collect Millions of Records on Drivers 
EFF and ACLU Sue LA Law-Enforcement Agencies Over Records 
New Tracking Frontier: Your License Plates

Analysis: The fast-paced world of technology provides an ever-growing arsenal of tools and capabilities stretching across almost every imaginable facet of society. The desire to use these new tools is outpacing the ability to understand the far-reaching impact of their capabilities. Never before have private and state organizations had the information gathering and data retention capabilities that they have today. Organizations and individuals participating in, or planning, information and data gathering and retention efforts should conduct rigorous research and investigation, and implement the appropriate access controls to ensure that only appropriate, authorized individuals have access to the information. In the case of personally identifying information or consumer data, extreme care should be taken to ensure that the data is protected from unauthorized access. Consumer and personally identifying information can be extremely valuable to nefarious entities in targeting users for exploitation.

Upcoming Security Activity

Black Hat 2013: July 27-August 1, 2013
DEFCON 2013: August 1-4, 2013
22nd USENIX Security Symposium: August 14-16, 2013
(ISC)2 Security Congress 2013: September 24-27, 2013
Interop New York 2013: September 30-October 4, 2013

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:

U.S. Independence Day: July 4, 2013
Ramadan: July 9-August 7, 2013

Additional Information

For information and commentary from the experts in Cisco Security Intelligence Operations, please visit the Cisco Security Blog.

For timely information from across Cisco Security Intelligence Operations, please consider following @CiscoSecurity on Twitter.

Alert History

Initial Release

Product Sets

The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShield | Cyber Risk Report | Original Release | Base

Associated Products:
N/A



LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
Powered by IntelliShield