Cisco is a proud sponsor as well as training provider for SecTor 2013, October 7–9, 2013, in Toronto, Ontario, Canada. Cisco will present the Network Threat Defense Hands-On Training session on October 7. The training will help you learn how to securely deploy network services and how to detect, classify, and prevent network threats. Details are available in the Cisco Security Blog post: Cisco Network Threat Defense Training at SecTor 2013.
Vulnerability activity remained consistent with previous periods. Highlights for the period include three Cisco Security Advisories, an updated version of Google Chrome, and continued software updates and new exploits from the Oracle Java SE Critical Patch Update Advisory for June 2013.
HP released additional security advisories and software updates and IntelliShield has identified new proof-of-concept and exploit code for vulnerabilities originally reported in the Oracle Java SE Critical Patch Update Advisory for June 2013. Additional vulnerability activity included the release of Google Chrome version 29 to correct 25 vulnerabilities; multiple vulnerabilities reported in Mambo CMS; and multiple vulnerabilities in the Agora Project.
A researcher also reported identifying a vulnerability in the OAuth authentication system used by third-party applications to access Twitter accounts. The vulnerability may allow attackers to compromise the tokens used by the applications to access the account; however, Twitter responded that no known accounts had been compromised and advised users to review and restrict third-party applications that can access a Twitter account.
IntelliShield published 135 events last week: 71 new events and 64 updated events. Of the 135 events, 60 were Vulnerability Alerts, 22 were Security Activity Bulletins, 3 were Security Issue Alerts, 47 were Threat Outbreak Alerts, 2 were Applied Mitigation Bulletins, and 1 was a Cyber Risk Report. The alert publication totals were as follows:
Previous Alerts That Still Represent Significant Risk
Oracle Java IntegerInterleavedRaster.verify() Integer Overflow Vulnerability
IntelliShield Vulnerability Alert 30407, Version 1, August 14, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE Not Available
Oracle Java contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Proof-of-concept code that exploits this vulnerability is publicly available. Oracle has confirmed the vulnerability in a security bulletin and released software updates.
HP LeftHand Virtual SAN Appliance Hydra Remote Code Execution Vulnerabilities
IntelliShield Security Activity Bulletin 28100, Version 4, August 13, 2013
Urgency/Credibility/Severity Rating: 3/5/4
HP LeftHand Virtual SAN Appliance Hydra contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. These vulnerabilities were originally reported on February 6, 2013. Functional code that exploits CVE-2013-2343 is available as part of the Metasploit Framework. HP has confirmed these vulnerabilities and released updated software.
VMware vCenter Chargeback Manager ImageUploadServlet Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 29643, Version 3, July 23, 2013
Urgency/Credibility/Severity Rating: 3/5/4
VMware vCenter Chargeback Manager contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Functional code that exploits this vulnerability is available as part of the Metasploit framework. VMware has confirmed the vulnerability and released updated software.
Apache Struts action: Parameter Processing Command Injection Vulnerability
IntelliShield Vulnerability Alert 30128, Version 2, June 25, 2013
Urgency/Credibility/Severity Rating: 3/5/3
Apache Struts contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Proof-of-concept code that exploits this vulnerability is publicly available. Reports indicate that this vulnerability is being actively exploited in the wild and that the attacks are highly automated, which increases the likelihood of widespread compromise. Apache.org has confirmed this vulnerability and released updated software.
Analysis: The attacks on the wire payment switches across multiple banks serve as a reminder that attackers combine multiple techniques to accomplish a specific goal. While the main target in this case was the wire payment switches, the attackers diverted the attention of security teams with a DDoS attack while they concentrated on the switches themselves. It is unclear how the attackers gained access to the wire payment switches; phishing of bank employees to install malicious software on systems in the banks' internal networks could have been a factor. The physical and logical layout of the banks' networks is unknown, but best practice dictates that such highly critical payment switches be separated from traffic entering the network, for example by placing them in their own VLAN away from other computing devices, and that they be protected by a defense-in-depth strategy.
Analysis: Attackers who gain access to a company's physical workspace have a wide range of options for stealing proprietary data. Once inside, they can copy data to memory sticks; steal hard drives, computers, passwords, and VPN profiles; and map the network infrastructure. Several techniques help mitigate these attacks: 802.1X port authentication to prevent unauthorized computers from joining the network, full-disk encryption software, and enforced policies for password-protected screen locks with a short timeout. Organizations should also instruct employees to watch for tailgaters when entering their buildings.
Computer Glitch Opens Prison Doors
Officials are investigating two incidents of cell doors opening unexpectedly. A computer bug may have caused the cell doors to open, although investigators are also looking into other possibilities, such as an insider intentionally or erroneously opening the doors, or an external hacking of the system. The entire maximum-security facility is highly automated including the door locks, surveillance systems, and utilities.
Analysis: This incident follows a similar one that was investigated and believed to be corrected in May 2013. There are potential risks in the highly automated prison systems where virtually all the systems are controlled through the network and unauthorized access to those systems can have a serious impact. As many organizations move to similar automated systems, the security of the network and systems is critical, requiring an architectural approach with defense-in-depth, network segregation, and strong access controls to the sensitive systems.
Analysis: Few details have been released about the outage beyond unconfirmed reports of connectivity issues with another market that prevented pricing updates from being disseminated. However, the impact across the markets and government shows the continued concern over the resiliency and stability of market trading systems. The markets are recognized as high-value targets; the Al Qassam group claimed credit for a DDoS that caused the outage, although no evidence supports the claim. The markets, like other financials, are frequently attacked and tightly regulated, and even minor interruptions can cause a trading halt. All incidents are investigated and further details may be released, but regardless of the findings, repeated incidents and outages erode trust in a market and could cause traders to move to other markets.
Verifying Alleged Chemical Attacks in Syria
Claims surfaced last week that Syrian President Bashar Al-Assad’s regime had killed hundreds of civilians in a chemical weapons attack, not far from Damascus. Coincidentally, a United Nations chemical weapons inspections team had just arrived in the Syrian capital under a UN mandate to verify earlier reports of chemical weapons use, but they had no mandate to investigate the new allegations. Within hours of the first reports of the alleged attack on August 21, over a hundred videos were uploaded to the Internet, showing civilians including very young children gasping for breath. Doubts about the videos’ veracity came almost immediately, with some charging that their time stamps showed they were uploaded before the alleged attack. Others argued that the sheer number of videos, uploaded in such a short time from multiple sources, made it unlikely that the event could have been fabricated.
US Suspects Syria Used Gas
Video Footage of Chemical Weapons Attack Uploaded Before it Happened?
Race Against Time to Find Evidence of Syria Gas Attack
Russia Calls for UN Probe in Alleged Syria Gas Attack
Analysis: Verifying claims that Assad’s regime used chemical weapons on civilians is vital to gaining international consensus for next steps. Given multiple conflicting stakeholders, samples taken from human tissue and soil in affected locations will have to be tested and re-tested in independent laboratories, and the results must be mutually accepted to be above bias. Even if it can be shown reliably that victims died from asphyxiation by a chemical agent, there are further hurdles. For example, evidence may be needed to support claims that the agent was released knowingly by the Assad regime, as opposed to accidentally as the result of a bomb hit on a chemical factory, or even as a self-inflicted attack by anti-Assad forces desperate to force outside intervention. Whether video and other electronic evidence can be trusted is an issue of interest to information security specialists. Computer forensics experts may be called in to determine where and when the videos were uploaded; a displayed upload time is only meaningful once the time zone the hosting platform rendered it in is known and it has been normalized to the same scale as the event being dated. The extent to which crowd-sourced video evidence is deemed credible in the ensuing investigation may affect how such evidence is weighed in future tragic events of this kind.
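The "uploaded before it happened" reading described above is the kind of claim a forensic analyst must test before accepting it. The check below is an added example, not code from the report or from any investigation it mentions: it takes upload times as a platform displayed them, interprets them in the zone they were shown in, and compares them against the event time on a common UTC scale, alongside the naive wall-clock comparison that produces false "before the event" verdicts. The display offset (UTC-7), the event zone (UTC+3), the event time and the video records are all constructed assumptions chosen to show the pitfall; fixed offsets are used so the example runs without a time-zone database.

```python
from datetime import datetime, timedelta, timezone

# Constructed example: the offsets, event time and upload records below are
# assumptions chosen to illustrate the check, not data from the report.
WALL_FMT = "%Y-%m-%d %H:%M"

# Assumed: the hosting platform renders upload times in US Pacific daylight time.
PLATFORM_DISPLAY_TZ = timezone(timedelta(hours=-7), name="assumed-PDT")
# Assumed: the event time is reported in Damascus summer time.
EVENT_LOCAL_TZ = timezone(timedelta(hours=3), name="assumed-EEST")


def to_utc(wall_clock: str, shown_in: timezone) -> datetime:
    """Interpret a displayed wall-clock string in the zone it was rendered in
    and normalise it to UTC, the only scale on which two sources compare."""
    naive = datetime.strptime(wall_clock, WALL_FMT)
    return naive.replace(tzinfo=shown_in).astimezone(timezone.utc)


def naive_precedes(upload_wall: str, event_wall: str) -> bool:
    """The flawed comparison: two wall-clock strings compared as if both were
    recorded in the same zone. Zone differences of a few hours are enough to
    make an upload made after the event appear to precede it."""
    return datetime.strptime(upload_wall, WALL_FMT) < datetime.strptime(event_wall, WALL_FMT)


def classify_uploads(uploads, event_wall: str, event_zone: timezone):
    """For each (video_id, displayed_time, display_zone) record return the naive
    verdict, the normalised verdict and the UTC upload time, so an analyst can
    see which 'before the event' claims survive time-zone normalisation."""
    event_utc = to_utc(event_wall, event_zone)
    results = []
    for video_id, shown, shown_in in uploads:
        upload_utc = to_utc(shown, shown_in)
        results.append({
            "video": video_id,
            "upload_utc": upload_utc.strftime(WALL_FMT + " UTC"),
            "naive_before_event": naive_precedes(shown, event_wall),
            "before_event": upload_utc < event_utc,
            "minutes_after_event": int((upload_utc - event_utc).total_seconds() // 60),
        })
    return results


# Constructed sample inputs (not real video identifiers or upload records).
EVENT_WALL = "2013-08-21 02:30"   # assumed local wall-clock time of the reported attack
SAMPLE_UPLOADS = [
    ("vid-A", "2013-08-20 19:30", PLATFORM_DISPLAY_TZ),  # 3 h after the event in UTC
    ("vid-B", "2013-08-20 15:00", PLATFORM_DISPLAY_TZ),  # genuinely before the event
    ("vid-C", "2013-08-21 04:00", PLATFORM_DISPLAY_TZ),  # clearly after the event
]

if __name__ == "__main__":
    for row in classify_uploads(SAMPLE_UPLOADS, EVENT_WALL, EVENT_LOCAL_TZ):
        print(row)
```

In the constructed sample, vid-A shows "2013-08-20 19:30" and so looks a day earlier than the event on a naive reading, but once both times are placed on the UTC scale it was uploaded three hours after the event. Only vid-B genuinely precedes the event under normalisation. The same discipline applies to any platform timestamp: record the zone it was rendered in, and keep the naive and normalised verdicts side by side so that reviewers can see why a claim was rejected.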
New Reports Highlight Trends and Improved Protection
Analysis: These government reports and documents provide both regulatory guidance for those requiring compliance and sound recommendations for those that do not. The findings of the ENISA report, although the number of incidents investigated was small, may surprise many. The report conducted root cause analysis and separated the incidents into several categories, providing an insightful examination of the impact, frequency, and probability of the incidents.
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.