Cisco Live 2013 was a huge success with a major increase in security training and breakout sessions. The majority of the breakout sessions are now available on CiscoLive365 and more are being added daily.
Vulnerability activity was lower for the period, although spam and phishing levels have increased. Highlights for the period included two Cisco Security Advisories, a vulnerability in VMware vCenter, and an Apache Struts vulnerability; both having active exploit activity.
Other activity included additional information on multiple alerts included in the Microsoft Security Bulletins for July 2013, and multiple vulnerabilities reported in Sybase, SAP, Apache HTTPD, and Symantec products.
Media sources reported new research and possible vulnerabilities that will be presented at Black Hat including vulnerabilities in smart home systems, the compromise of RFID data from increased ranges, and the compromise of SIM card encryption. There have also been multiple pre-conference reports on presentations and recommendations to protect electronic devices while at the Black Hat, DEF CON, and BSidesLV conferences.
In threat activity, the period had an increased level of spam and phishing activity, including the continued themes of Product Orders and requests, attached pictures and video, and the new themes of Australian taxes and the birth of the UK royal baby.
Researchers also reported details on a new banking trojan named KINS, which is reported to be available in underground markets and includes several new capabilities to rival the existing Zeus and Citadel trojans.
IntelliShield published 129 events last week: 81 new events and 48 updated events. Of the 129 events, 37 were Vulnerability Alerts, 18 were Security Activity Bulletins, two were Security Issue Alerts, 70 were Threat Outbreak Alerts, and two were Cyber Risk Reports. The alert publication totals are as follows:
Significant Alerts for the Time Period
Apache Struts action: Parameter Processing Command Injection Vulnerability
IntelliShield Vulnerability Alert 30128, Version 2, June 25, 2013
Urgency/Credibility/Severity Rating: 3/5/3
Apache Struts contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system. Proof-of-concept code that exploits this vulnerability is publicly available. Reports indicate that this vulnerability is being exploited actively in the wild and are highly automated, which increases the likelihood of widespread attacks. Apache.org has confirmed this vulnerability and released updated software.
VMware vCenter Chargeback Manager ImageUploadServlet Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 29643, Version 3, June 23, 2013
Urgency/Credibility/Severity Rating: 3/5/4
VMware vCenter Chargeback Manager contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Functional code that exploits this vulnerability is available as part of the Metasploit framework. VMware has confirmed the vulnerability and released updated software.
Previous Alerts That Still Represent Significant Risk
Apple QuickTime dref Atoms Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 29429, Version 2, June 19, 2013
Urgency/Credibility/Severity Rating: 3/5/4
Apple QuickTime Player for Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or a denial of service condition on a targeted system. Functional code that exploits this vulnerability is available as part of the Metasploit framework.
Apple has confirmed this vulnerability and released updated software.
McAfee ePolicy Orchestrator Cross-Site Scripting Vulnerability
IntelliShield Vulnerability Alert 30063, Version 1, July 15, 2013
Urgency/Credibility/Severity Rating: 3/4/3
CVE Not Available
McAfee ePolicy Orchestrator contains a vulnerability that could allow an authenticated, remote attacker to execute arbitrary SQL code or conduct cross-site scripting attacks. Updates are not available.
Microsoft Internet Explorer Memory Corruption Vulnerability
IntelliShield Vulnerability Alert 29886, Version 2, July 11, 2013
Urgency/Credibility/Severity Rating: 3/5/4
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Functional exploit code has been reported to be in use. Microsoft has confirmed the vulnerability in security bulletin MS13-055 and released software updates.
Oracle Java SE Critical Patch Update Advisory for June 2013
IntelliShield Security Activity Bulletin 29704, Version 6, July 17, 2013
Urgency/Credibility/Severity Rating: 2/5/4
Oracle Java SE contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to bypass security restrictions, access sensitive information, execute arbitrary code, or cause a denial of service condition on a targeted system. Updates are available. Apple, Red Hat, and CentOS have released updates.
Operation Ababil and Syrian Electronic Army Return
After a period of relative quiet from the Al Qassam Operation Ababil Distributed Denial of Service (DDoS) attacks and attacks from the Syrian Electronic Army (SEA), both are returning to active attacks. The Al Qassam group posted a message stating the pending return of DDoS attacks on U.S. financial institutions, now in what is being reported as Phase 4 of this operation. The Syrian Electronic Army continued with attacks that compromised thousands of user accounts at the Viber and Tango systems. Operation Ababil Phase 4 Announced Viber Hacked by SEA Tango Chat App Hacked by SEA
Analysis: The attacks by the SEA were focused on compromising volumes of user accounts, followed by messages to change the account passwords. While that may be sufficient for compromised accounts, it does not address the compromised information now in the hands of the SEA, which will likely be used or sold to further attack and exploit those users. After securing the potentially compromised accounts, users should use increased vigilance when using those accounts and check for unusual activity, phishing attempts, and spam messages attempting to gain additional user information. Once an account is compromised, it can be used to further exploit the user with attempts to install malicious code to gather sensitive information, or use the account to send spam.
The announcement from the Al Qassam group on the return of Operation Ababil has been expected for months. Like the announcement, the Phase 4 attacks are expected to be more of the same; with the group continuing to call for the removal of the offensive video from hosting sites, and use of the Brobat and known tools to launch DDoS attacks. It is likely that additional sources have been compromised, providing additional strength and bandwidth for the attacks, and based on the trend toward the end of the Phase 3 attacks, the attacks will shift from the largest financials who have developed methods to handle these attacks, to smaller financial institutions that may not have the experience or resources to defend against the attacks as effectively.
Following the posted request for "Feds" to stay away from DEF CON this year, a similar strain appeared following the U.S. Federal Drug Administration requests for additional research and reporting on vulnerabilities in medical devices. Researchers presenting at the conferences this week in Las Vegas touching on some of these devices reported concerns over potential actions under the Computer Fraud and Abuse Act (CFAA). There were no reports of presentations being canceled or suspended, but tensions and mistrust are currently high between researchers and the U.S. government. FDA Asks Hackers to Expose Holes in Medical Devices Feds Not Welcome at DEF CON
Analysis: As many of the bug bounty programs are showing improved results and participation from researchers, and the U.S. government continues to call for increased information sharing and hiring of experienced security researchers, the researcher community is responding to the arrest and death of Aaron Schwartz, the reporting of increased government monitoring and intelligence collection, and the way the Computer Fraud and Abuse Act (CFAA) has been used and interpreted that many believe is well outside the intent of the law. While rebuttals to the DEF CON ban are calling for the researchers and government to mend the fences and work together, the current state of mistrust is straining that relationship. General Alexander will be presenting the keynote at Black Hat, and the government will be present at the Black Hat conference, but that appears to be the extent of it.
European Union Calls for Stricter Data Privacy Rules
Revelations about the U.S. National Security Agency's (NSA) PRISM surveillance program have led European Union (EU) Justice Commissioner Viviane Reding to call for more robust EU data protection standards, according to various reports. Facing political pressure ahead of elections this fall, German Chancellor Angela Merkel has also said tighter EU laws, as well as an international framework, may be necessary. This could impact so-called "Safe Harbor" rules, which allow for differences between EU and U.S. data protection standards. A group of German data protection officials reportedly are calling for the entire Safe Harbor program to be suspended. Meanwhile, other groups—notably in countries that do not have elections looming—have reacted differently. Ireland's Data Protection Commissioner commented last week that American tech companies named in some of the leaked NSA documents had met their Safe Harbor legal requirements. Reaching for the Clouds EU Justice Chief Vows New Data Protection Laws
Analysis: Tension between the U.S. and the EU over differing data protection standards is nothing new, and wide-ranging revisions to existing laws were already on the agenda before the NSA story came to light. There is no guarantee that revisions proposed in the immediate wake of the scandal will be considered without public sensationalism, or with the kind of even-handed approach that might ensure they can be effective and resilient well into the future. The full impact of the revelations on companies in the U.S. and the EU will likely require many months, if not years, to play out. In the meantime, striking a balance between privacy and security, with regard to the often-conflicting perceptions of rights and privileges of corporations, governments, and individuals, will be a key battleground and area of significant risk for technology companies for the foreseeable future.
Black Hat 2013: July 27-August 1, 2013
DEF CON 21: August 1-4, 2013
BSidesLV: July 31-August 1, 2013
22nd USENIX Security Symposium: August 14-16, 2013
(ISC)2 Security Congress 2013: September 24-27, 2013
Interop New York 2013: September 30-October 4, 2013
Cloud Security Alliance Congress 2013: December 4-5, 2013
Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:
The security vulnerability applies to the following combinations of products.
Cyber Risk Report
Original Release Base
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.