Cyber Risk Report: July 8-14, 2013

 
Threat Type: IntelliShield: Cyber Risk Report
IntelliShield ID: 30091
Version: 1
First Published: 2013 July 15 19:27 GMT
Last Published: 2013 July 15 19:27 GMT
Port: Not available
Urgency: Weakness Found
Credibility: Confirmed
Severity: Mild Damage
 
 
Version Summary: This is the Cyber Risk Report for July 8-14, 2013. The report details the significant events for this time period and covers multiple threat and risk management categories.
 

Description
 

Contents

Vulnerability
Legal
Trust
Security Trends
Geopolitical
Upcoming Security Activity
Additional Information

 

Listen to the Podcast (9:10 min) 

Join Cisco SIO at Black Hat 2013 in Las Vegas for our two-day, hands-on Network Threat Defense, Countermeasures, and Controls course. Courses will be offered on July 27-28 and July 29-30, 2013. Make sure you visit the Cisco booth at Black Hat to meet the Cisco SIO engineers.

Cisco Live 2013 was a huge success, with a major increase in security training and breakout sessions. The majority of the breakout sessions are now available on CiscoLive365, and more are being added daily.

Vulnerability

Vulnerability activity remained at elevated levels, primarily due to the scheduled monthly security updates from Microsoft and Adobe.

Microsoft published its monthly security bulletin release on July 9, 2013. Microsoft released seven bulletins that addressed 34 vulnerabilities. The bulletins address vulnerabilities in Microsoft Windows, Microsoft Internet Explorer, Microsoft Defender, Microsoft .NET, Microsoft Silverlight, and Microsoft Windows Media Player. The vulnerabilities could allow an attacker to execute arbitrary code, cause a denial of service condition, or gain elevated privileges. The Microsoft Internet Explorer Memory Corruption Vulnerability included in MS13-055 has public exploit code and targeted exploits have been reported. Full details of the individual vulnerabilities and recommended mitigations are available at the Cisco Event Response: Microsoft Security Bulletin Release for July 2013.

Adobe released the ColdFusion, Flash Player, and Shockwave Player Security Updates for July 2013. Each of the security updates addresses multiple vulnerabilities. Users are reminded that the media players are frequently targeted by attackers, and should be removed if not required, and that these applications often require manual updating.

Google released Chrome Stable Channel Security Update for July 2013 to correct 17 vulnerabilities. As Chrome continues to grow in popularity, users should be reminded to enable the auto-updating feature to ensure they are installing the latest updates.

Cisco released the following Security Notices during the period, which are available at the Cisco SIO Security Advisories, Responses, and Notices website:

  • Cisco Secure Access Control System Error Condition Information Disclosure Issue
  • Cisco Secure Access Control System Admin/View Page Cross-Site Request Forgery Vulnerability
  • Cisco Secure Access Control System Cross-Site Scripting Vulnerability
  • Cisco Secure Access Control System Administration Page Cross-Site Scripting Vulnerability
  • Cisco Secure Access Control System Help Index Cross-Site Scripting Vulnerability
  • Cisco Unified Communications Domain Manager Cross-Site Scripting Vulnerability
  • Cisco TC Software Empty Password Validation Vulnerability
  • Cisco Unified MeetingPlace Web Conferencing XSS Vulnerability
  • Cisco Unified Communications Domain Manager Memory Exhaustion Vulnerability
  • Cisco Unified Communications Management Products Cross-Site Scripting Vulnerability
  • Cisco Virtualization Experience Client Privilege Escalation Vulnerability
  • Cisco Nexus 1000V License Installation Command Injection Vulnerability

Other important updates include proof-of-concept exploit code for the previously reported HP StoreOnce vulnerability, multiple new vulnerabilities reported in LibTIFF, and new vulnerabilities reported in cPanel.

An update was released for the previously reported vulnerability in Cryptcat, and a detailed analysis of the error in the cryptographic code provides a look inside the complexities of cryptographic code and how easy it is to make a simple coding mistake that compromises the cryptography.

In upcoming activity, Oracle will release the Critical Patch Update (CPU) on July 16, 2013. In addition, details of the vulnerabilities and attack techniques that will be presented at Black Hat, DEF CON, and BSidesLV are beginning to appear in media reports. Security teams are advised to monitor these activities and presentations for the latest information.

IntelliShield published 172 events last week: 122 new events and 50 updated events. Of the 172 events, 81 were Vulnerability Alerts, 21 were Security Activity Bulletins, two were Security Issue Alerts, 67 were Threat Outbreak Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:

Day        Date        New  Updated  Total
Saturday   07/13/2013    2        0      2
Friday     07/12/2013    7       14     21
Thursday   07/11/2013   20       12     32
Wednesday  07/10/2013   31       13     44
Tuesday    07/09/2013   47        6     53
Monday     07/08/2013   15        5     20

Significant Alerts for the Time Period

Microsoft Internet Explorer Memory Corruption Vulnerability
IntelliShield Security Activity Bulletin 29886, Version 2, July 11, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-3163
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Functional exploit code has been reported to be in use. Microsoft has confirmed the vulnerability in security bulletin MS13-055 and released software updates.

McAfee ePolicy Orchestrator Cross-Site Scripting Vulnerability
IntelliShield Security Activity Bulletin 30063, Version 1, July 15, 2013
Urgency/Credibility/Severity Rating: 3/4/3
CVE Not Available
McAfee ePolicy Orchestrator contains a vulnerability that could allow an authenticated, remote attacker to execute arbitrary SQL code or conduct cross-site scripting attacks. Updates are not available.

Previous Alerts That Still Represent Significant Risk

Oracle Java SE Critical Patch Update Advisory for June 2013
IntelliShield Security Activity Bulletin 29704, Version 4, June 18, 2013
Urgency/Credibility/Severity Rating: 2/5/4
Multiple CVEs
Oracle Java SE contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to bypass security restrictions, access sensitive information, execute arbitrary code, or cause a denial of service condition on a targeted system. Updates are available. Apple, Red Hat, and CentOS have released updates.

Microsoft Internet Explorer Use-After-Free Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 29192, Version 2, June 13, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-2551
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Functional code that exploits this vulnerability is available as part of the Metasploit framework. Microsoft has confirmed the vulnerability in Security Bulletin MS13-037 and released software updates.

Parallels Plesk Remote PHP Command Execution Vulnerability
IntelliShield Vulnerability Alert 29594, Version 2, June 12, 2013
Urgency/Credibility/Severity Rating: 3/5/3
CVE Not Available
Parallels Plesk contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary PHP script on a targeted system. Proof-of-concept code is publicly available. Parallels has confirmed the vulnerability is a variation of the CVE-2012-1823 vulnerability, which is documented in IntelliShield Alert 25816. Parallels has also confirmed that all current supported versions of Parallels Plesk Panel 9.5 or later are not vulnerable to this variation. Additional details are in the Cisco Security Blog post: Plesk 0-Day Targets Web Servers.

Legal

Florida Law Bans Every Electronic Internet Device

Florida and several other states have been pursuing the illegal gambling operations at Internet cafes by creating new laws that have, in many cases, caused the Internet cafes to close completely. While many of these laws are being challenged, the Florida law is being challenged for the broad wording that could be interpreted to have banned all electronic devices that are capable of accessing the Internet.
Did Florida Accidentally Ban All Computers and Smartphones
Internet Cafe Complaint

Analysis: The issue of illegal gambling at Internet cafes affects several states, and many are taking regulatory action to close down the cafes and cut off illegal access to offshore and locally run gambling operations. Unfortunately, as has been seen with multiple attempts to ban various computer applications, tools, and other types of electronic devices that could potentially be used to perform illegal activity, addressing these issues in legislation can be very difficult. This difficulty is also not limited to electronic devices and activity; the U.S. government has struggled for years with attempting to define and ban firearms designated as assault weapons as they were described in the legislation. As we reported in the Cisco Annual Security reports, addressing these types of issues in business policies can be equally difficult and requires organizations to carefully consider exactly what topics to address in policy, consider the potentially legitimate uses, and create policies that address the actions without long lists of "do not do" items.

Trust

DEF CON Requests That Feds Stay Away

As the DEF CON 21 conference approaches at the end of July, organizers have posted a blog requesting that federal agencies not attend this year's conference. In past years, the DEF CON conferences have been widely attended by both private and government agency employees, even developing into the popular "Spot the Fed" game at the conference. But this year, the organizers posted a softly worded blog saying they needed some time apart.
DEF CON 21 website

Analysis: This is an unfortunate turn in an age when the government and private sectors are attempting to promote and increase information sharing. Several bloggers on both sides have posted opinions and rebuttals to the ban, many saying that the ban defeats the purpose of the conference. Regardless, the conference will go on and the "Feds" will likely attend, making the spotting that much more interesting this year. It will be interesting to see what actually occurs if a "Fed" is spotted, and how those attending and the conference organizers will respond. There is a particularly high level of distrust this year, based on the recent reports of government monitoring and intelligence operations, but it could be argued that this is all the more reason to invite the "Feds" for discussions of those activities, clear up some of the hype and inaccurate information, and provide an opportunity to voice opinions from across the community.

Security Trends

The ROI of Bug Bounty Programs

Multiple sources released reports supporting the value of the various vulnerability reporting programs (VRP), popularly known as bug bounty and crowd-sourcing vulnerability programs. Researchers from the University of California at Berkeley released a report that found that the ROI for operating the bug bounty programs can provide high economic value when compared to hiring and tasking employees to research vulnerabilities. The report also examines the details of some of the large bug bounty programs and crowd-sourcing vulnerability programs.
UC Berkeley paper: An Empirical Study of Vulnerability Rewards Programs
Bug Bounty Programs Pay Economic Rewards
Bug Crowd

Analysis: Those involved in these programs and vulnerability research and reporting will find high value in the comprehensive research provided in the paper. It is often difficult to put useful and meaningful metrics around a security program such as the bug bounty programs, but this research provides it. While many may be more focused on the payouts that can at times reach thousands of dollars, the comparative costs and limitations of trying to perform these activities on your own as the product vendor are likely always much higher.

Geopolitical

UK Releases Intelligence and Security Annual Report

The Intelligence and Security Committee (ISC) Annual Report 2012-2013 is the latest government report to highlight the cyber threats facing the UK and many nations. While highlighting those cyber threats and the serious risk they present, the report also points out that counter-terrorism remains the priority for the UK security and intelligence agencies. As with other similar reports, the report considers state-sponsored actors and threats the highest risk. The report also points out the differing and complex possible impacts of these attacks, ranging from the loss of sensitive information to physical damage to critical systems.
UK Intelligence and Security Committee Annual Report 2012-2013
Cyber Threats at Highest Level Ever, Say MPs

Analysis: This report makes several strong points in identifying and defining the risks of the current cyber threats at a national level. While it reinforces some points from previously released reports by other governments, the UK ISC report does a better job of breaking down those threats and looking at the various types of risk that the threats present. An analysis of the risk likely applies to many other nations and governments, as well as private sector organizations. The report also reinforces the likely progression of the governments becoming increasingly intrusive in cyber activity with increased monitoring, regulations, national level government defense, security and intelligence programs, and international agreements and treaties.

Upcoming Security Activity

Black Hat 2013: July 27-August 1, 2013
DEF CON 21: August 1-4, 2013
BSidesLV: July 31-August 1, 2013
22nd USENIX Security Symposium: August 14-16, 2013
(ISC)2 Security Congress 2013: September 24-27, 2013
Interop New York 2013: September 30-October 4, 2013

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:

Ramadan: July 9-August 7, 2013

Additional Information

For information and commentary from the experts in Cisco Security Intelligence Operations, please visit the Cisco Security Blog.

For timely information from across Cisco Security Intelligence Operations, please consider following @CiscoSecurity on Twitter.

 
Alert History
 

Initial Release



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShield Cyber Risk Report Original Release Base

Associated Products:
N/A


