Cyber Risk Report: August 19-25, 2013

Threat Type: IntelliShield: Cyber Risk Report
IntelliShield ID: 30509
Version: 1
First Published: 2013 August 26 19:11 GMT
Last Published: 2013 August 26 19:11 GMT
Port: Not available
Urgency: Weakness Found
Credibility: Confirmed
Severity: Mild Damage

Version Summary: This is the Cyber Risk Report for August 19–25, 2013. The report details the significant events for this time period and covers multiple threat and risk management categories.

Description
 

Contents

Vulnerability
Attacks and Compromises
Physical
Trust
Geopolitical
Security Trends
Upcoming Security Activity
Additional Information

Listen to the Podcast (11:26 min)

Cisco is a proud sponsor as well as training provider for SecTor 2013, October 7–9, 2013, in Toronto, Ontario, Canada. Cisco will present the Network Threat Defense Hands-On Training session on October 7. The training will help you learn how to securely deploy network services and how to detect, classify, and prevent network threats. Details are available in the Cisco Security Blog post: Cisco Network Threat Defense Training at SecTor 2013.

Vulnerability

Vulnerability activity remained consistent with previous periods. Highlights for the period include three Cisco Security Advisories, an updated version of Google Chrome, and continued software updates and new exploits from the Oracle Java SE Critical Patch Update Advisory for June 2013.

Cisco released three security advisories addressing multiple vulnerabilities in Cisco Unified Communications Manager, a Cisco Unified Communications Manager IM and Presence Service Denial of Service Vulnerability, and Cisco Prime Central for Hosted Collaboration Solution Assurance Denial of Service Vulnerabilities.

Cisco also released the following Security Notices for Apache HTTP Server vulnerabilities:

HP released additional security advisories and software updates, and IntelliShield has identified new proof-of-concept and exploit code for vulnerabilities originally reported in the Oracle Java SE Critical Patch Update Advisory for June 2013. Additional vulnerability activity included the release of Google Chrome version 29, which corrects 25 vulnerabilities; multiple vulnerabilities reported in Mambo CMS; and multiple vulnerabilities in the Agora Project.

A researcher posted a video that showed a new Adobe Acrobat Reader Unspecified Arbitrary Code Execution Vulnerability, but few technical details or active exploits have been identified.

A researcher also reported identifying a vulnerability in the OAuth authentication system used by third-party applications to access Twitter accounts. The vulnerability may allow attackers to compromise the tokens used by the applications to access the account; however, Twitter responded that no known accounts had been compromised and advised users to review and restrict third-party applications that can access a Twitter account.

IntelliShield published 135 events last week: 71 new events and 64 updated events. Of the 135 events, 60 were Vulnerability Alerts, 22 were Security Activity Bulletins, 3 were Security Issue Alerts, 47 were Threat Outbreak Alerts, 2 were Applied Mitigation Bulletins, and 1 was a Cyber Risk Report. The alert publication totals were as follows:

Day        Date         New   Updated   Total
Friday     08/23/2013     9         7      16
Thursday   08/22/2013    11        19      30
Wednesday  08/21/2013    19        24      43
Tuesday    08/20/2013    22         3      25
Monday     08/19/2013    10        11      21


Previous Alerts That Still Represent Significant Risk


Oracle Java IntegerInterleavedRaster.verify() Integer Overflow Vulnerability
IntelliShield Vulnerability Alert 30407, Version 1, August 14, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE Not Available
Oracle Java contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Proof-of-concept code that exploits this vulnerability is publicly available. Oracle has confirmed the vulnerability in a security bulletin and released software updates.

HP LeftHand Virtual SAN Appliance Hydra Remote Code Execution Vulnerabilities
IntelliShield Security Activity Bulletin 28100, Version 4, August 13, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-2343
HP LeftHand Virtual SAN Appliance hydra contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. These vulnerabilities were originally reported on February 6, 2013. Functional code that exploits CVE-2013-2343 is available as part of the Metasploit framework. HP has confirmed these vulnerabilities and released updated software.

VMware vCenter Chargeback Manager ImageUploadServlet Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 29643, Version 3, July 23, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-3520
VMware vCenter Chargeback Manager contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Functional code that exploits this vulnerability is available as part of the Metasploit framework. VMware has confirmed the vulnerability and released updated software.

Apache Struts action: Parameter Processing Command Injection Vulnerability
IntelliShield Vulnerability Alert 30128, Version 2, June 25, 2013
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2013-2251
Apache Struts contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Proof-of-concept code that exploits this vulnerability is publicly available. Reports indicate that this vulnerability is being actively exploited in the wild and that the attacks are highly automated, which increases the likelihood of widespread attacks. Apache.org has confirmed this vulnerability and released updated software.

Attacks and Compromises

Millions Stolen from U.S. Banks After Wire Payment Switch Attack

Gartner reported financial attacks on the wire payment switches at multiple banks that allowed attackers to extract millions of dollars from those banks. The attacks used a low-level distributed denial of service (DDoS) attack as a diversion, and then transferred funds through the wire applications.
U.S. Banks Wire Payment Switch Targeted

Analysis: The attacks on the wire payment switches across multiple banks serve as a reminder of how attackers combine multiple techniques to accomplish a specific goal. While the main target in this case was the wire payment switches, the attackers diverted the attention of security teams with a DDoS attack while they focused on the switches themselves. Although it is unclear how the attackers gained access to the wire payment switches, phishing of bank employees in an attempt to install malicious software on systems in the banks' internal networks could have been a factor. While the physical and logical layout of the banks' network topology is unknown, best practice dictates that these highly critical payment switches be separated from traffic entering the network, possibly placed in their own VLAN away from other computing devices on the network, and that a defense-in-depth strategy be in place.

Physical

Cyber Attacks Get Physical

The Wall Street Journal highlighted growing concerns about cyber attacks that begin at the front door: once inside the building, an attacker has a number of ways to obtain sensitive data.
Companies Neglect Physical Threat in Cyber Attacks

Analysis: Attackers who gain access to the physical workspace of a company have a wide range of options for stealing proprietary data. Once inside the physical workspace, perpetrators can use memory sticks to copy data; steal hard drives, computers, passwords, and VPN profiles; and map the network infrastructure. Several techniques can help mitigate these attacks, such as 802.1X authentication to block unauthorized personal computers attempting to join the network, hard drive encryption software, and enforced policies for password-protected screen savers with a short timeout. Organizations should also instruct employees to watch for tailgaters when entering their buildings.

Computer Glitch Opens Prison Doors

Officials are investigating two incidents of cell doors opening unexpectedly. A computer bug may have caused the cell doors to open, although investigators are also looking into other possibilities, such as an insider intentionally or erroneously opening the doors, or an external hacking of the system. The entire maximum-security facility is highly automated including the door locks, surveillance systems, and utilities.
Computer Glitch Opens Prison Doors

Analysis: This incident follows a similar one that was investigated and believed to be corrected in May 2013. There are potential risks in the highly automated prison systems where virtually all the systems are controlled through the network and unauthorized access to those systems can have a serious impact. As many organizations move to similar automated systems, the security of the network and systems is critical, requiring an architectural approach with defense-in-depth, network segregation, and strong access controls to the sensitive systems.

Trust

NASDAQ Trading Stopped

NASDAQ identified a problem with the Securities Industry Processor (SIP), which consolidates and disseminates industry pricing, forcing NASDAQ to issue a regulatory halt for all trading in NASDAQ-listed securities. NASDAQ reported that they quickly corrected the problem and coordinated the re-opening of the market. The total outage lasted nearly three hours before trading was resumed.
NASDAQ Statement
NASDAQ in Fresh Market Failure
Pricing Problem Suspends NASDAQ for Three Hours
Iranian Hacker Group Claims DDoS Attack on NASDAQ

Analysis: Few details have been released about the outage except for some unconfirmed reports of connectivity issues with another market that prevented pricing updates from being disseminated. However, the impact across the markets and government shows the continued concerns over the resiliency and stability of the market trading systems. The markets are recognized as high-value targets, with the Al Qassam group claiming credit for a DDoS that caused the outage although no evidence supports their claims. The markets, as with other financials, are frequently attacked and tightly regulated where even minor interruptions can cause a trading halt. All incidents are investigated, and further details may be released, but regardless of the finding, the trust level in markets that experience repeated incidents and outages could cause traders to move to other markets.

Geopolitical

Verifying Alleged Chemical Attacks in Syria

Claims surfaced last week that Syrian President Bashar Al-Assad’s regime had killed hundreds of civilians in a chemical weapons attack, not far from Damascus. Coincidentally, a United Nations chemical weapons inspections team had just arrived in the Syrian capital under a UN mandate to verify earlier reports of chemical weapons use, but they had no mandate to investigate the new allegations. Within hours of the first reports of the alleged attack on August 21, over a hundred videos were uploaded to the Internet, showing civilians including very young children gasping for breath. Doubts about the videos’ veracity came almost immediately, with some charging that their time stamps showed they were uploaded before the alleged attack. Others argued that the sheer number of videos, uploaded in such a short time from multiple sources, made it unlikely that the event could have been fabricated.
US suspects Syria Used Gas
Video Footage of Chemical Weapons Attack Uploaded Before it Happened?
Race Against Time to Find Evidence of Syria Gas Attack
Russia Calls for UN Probe in Alleged Syria Gas Attack

Analysis: Verifying claims that Assad’s regime used chemical weapons on civilians is vital to gaining international consensus for next steps. Given multiple conflicting stakeholders, samples taken from human tissue and soil in affected locations will have to be tested and re-tested in independent laboratories. Results must be mutually accepted to be above bias. Even if it reliably can be shown that victims died from asphyxiation by a chemical agent, there are further hurdles. For example, evidence may be needed to support claims that the agent was released knowingly by the Assad regime, as opposed to accidentally as the result of a bomb hit on a chemical factory, or even as a self-inflicted attack by anti-Assad forces desperate to force outside intervention. Whether video and other electronic evidence can be trusted is an issue of interest to information security specialists. Computer forensics experts may be called in to determine issues including where and when the videos were uploaded. The extent to which crowd-sourced video evidence is deemed credible in the ensuing investigation may impact how such evidence is weighed in future such tragic events.

Security Trends

New Reports Highlight Trends and Improved Protection

New reports this period from the National Institute of Standards and Technology (NIST), the U.S. Food and Drug Administration (FDA), the European Network and Information Security Agency (ENISA), and McAfee highlight security trends on both the attack and prevention sides. NIST released updated documents on enterprise patch management and malware avoidance; the FDA released a draft guidance on wireless network security for medical devices; and on threat activity, ENISA released its Annual Report for 2012, which provided details on incidents reported and investigated, along with analysis of those incidents.
Guide to Enterprise Patch Management Technologies
Guide to Malware Incident Prevention and Handling for Desktops and Laptops
FDA Encryption and Authentication Rules
ENISA Major Incidents in 2012

Analysis: These government reports and documents provide both regulatory guidance for those requiring compliance and sound recommendations for those that do not. The findings of the ENISA report, although the number of incidents investigated was small, may surprise many. The report conducted root cause analysis and separated the incidents into several categories that provide an insightful examination of the impact, frequency, and probability of the incidents.

Upcoming Security Activity

VMWorld 2013: August 25–29, 2013
Oracle OpenWorld: September 22–26, 2013
(ISC)2 Security Congress 2013: September 24–27, 2013
Interop New York 2013: September 30–October 4, 2013
SecTor 2013: October 7–9, 2013
Seoul Conference on Cyber Space: October 17–18, 2013
Cloud Security Alliance Congress 2013: December 4–5, 2013

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:

G20 Summit: September 4–6, 2013
Australia Federal Elections: September 7, 2013
United Nations General Assembly: September 17–October 2, 2013
World Economic Forum: January 22–25, 2014
Winter Olympics: February 7–23, 2014

Additional Information

For information and commentary from the experts in Cisco Security Intelligence Operations, please visit the Cisco Security Blog.

For timely information from across Cisco Security Intelligence Operations, please consider following @CiscoSecurity on Twitter.

 
Alert History
 
Initial Release


Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShield | Cyber Risk Report | Original Release | Base

Associated Products:
N/A



LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.