Cyber Risk Report: September 2-8, 2013

 
Threat Type: IntelliShield: Cyber Risk Report
IntelliShield ID: 30689
Version: 1
First Published: 2013 September 09 17:49 GMT
Last Published: 2013 September 09 17:49 GMT
Port: Not available
Urgency: Weakness Found
Credibility: Confirmed
Severity: Mild Damage
 
 
Version Summary: This is the Cyber Risk Report for September 2-8, 2013. The report details the significant events for this time period and covers multiple threat and risk management categories.
 

Description
 

Contents

Vulnerability
Physical
Legal
Internet of Things
Privacy
Geopolitical
Upcoming Security Activity
Additional Information


Cisco is a proud sponsor as well as training provider for SecTor 2013, October 7-9, 2013, the seventh annual security conference in Toronto, Ontario, CA. Cisco will be presenting the Network Threat Defense Hands-on Training session at SecTor 2013 on October 7, 2013. The training will help you learn about and securely deploy network services and to detect, classify, and prevent threats targeting a network. Additional information is available in the Cisco Security blog post: Cisco Network Threat Defense Training at SecTor 2013.

Vulnerability

Vulnerability activity for the period remained consistent with previous periods. The highlights for the period include the Microsoft Security Bulletin Advance Notification for September 2013 and continued Java exploit activity. 

Microsoft released the Microsoft Security Bulletin Advance Notification for September 2013 that includes 14 Security Bulletins. The large number of September bulletins impacts Microsoft Office, Microsoft Server Software, Microsoft Windows, Internet Explorer, and the Microsoft .NET Framework. Microsoft has rated four of the bulletins as Critical, and the other ten as Important. The bulletins will be released on Tuesday September 10, 2013, and Cisco SIO will provide full details in IntelliShield alerts and recommendations in an Applied Mitigation Bulletin and Cisco IPS signatures.

Other vulnerability activity included continued proof-of-concept and public exploits for previously reported Oracle Java vulnerabilities, Apple WebKit updates, multiple vulnerabilities in EMC RSA eGRC, and a vulnerability in Apache OpenJPA that could allow a remote attacker to inject malicious JavaScript.

Oracle reported an Oracle E-Business Suite Password Disclosure Issue that could allow passwords to be stored in plain text in log files. This appears to be a trending type of issue, being identified more frequently as organizations are increasing their logging and their log monitoring. Organizations should be aware of these types of issues and ensure they are not creating sensitive information exposures in their logging activity.
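One way to check for the logging exposure described above, as an added example (not Cisco's or Oracle's code): a Python routine that redacts credential-like values, usable both to audit existing log lines and as a logging filter that scrubs records before they are written. The key names, patterns and sample log lines are assumptions constructed for illustration.

```python
import logging
import re

# Assumed key names that commonly carry secrets; extend for your own applications.
SECRET_KEYS = r"(?:password|passwd|pwd|secret|token|api[_-]?key)"
# key=value, key: value and JSON-style "key": "value" pairs (quoted or bare values).
KV_PATTERN = re.compile(
    r"(?i)(" + SECRET_KEYS + r"""["']?\s*[=:]\s*)("[^"]*"|'[^']*'|[^\s"'&,;]+)"""
)
# Credentials embedded in a URL: scheme://user:password@host
URL_PATTERN = re.compile(r"(?i)(\b[a-z][a-z0-9+.-]*://[^/\s:@]+:)([^@\s/]+)(@)")
MASK = "[REDACTED]"


def _mask_kv(m):
    # Keep the key name and any surrounding quotes; drop only the value.
    value = m.group(2)
    quote = value[0] if value[0] in "\"'" else ""
    return m.group(1) + quote + MASK + quote


def redact(line):
    """Replace secret values with MASK, keeping key names for troubleshooting."""
    line = KV_PATTERN.sub(_mask_kv, line)
    return URL_PATTERN.sub(lambda m: m.group(1) + MASK + m.group(3), line)


def find_exposures(lines):
    """Audit existing logs: return (line_number, redacted_line) for each hit."""
    return [(n, redact(l)) for n, l in enumerate(lines, 1) if redact(l) != l]


class RedactingFilter(logging.Filter):
    """Attach to a handler so records are scrubbed before they are written."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = None  # message is already formatted
        return True


# Constructed sample log lines (not taken from any real system).
SAMPLE = [
    "2013-09-06 10:01:02 INFO login ok user=alice",
    "2013-09-06 10:01:03 DEBUG request body: user=alice&password=hunter2&lang=en",
    '2013-09-06 10:01:04 DEBUG payload {"user": "bob", "password": "s3cret!"}',
    "2013-09-06 10:01:05 DEBUG connecting to https://svc:Tr0ub4dor@db.example.internal/api",
    "2013-09-06 10:01:06 WARN Password changed for user carol",
]
```

Calling `find_exposures(SAMPLE)` flags lines 2, 3 and 4; attach `RedactingFilter()` with `handler.addFilter(...)` so records that propagate from child loggers are also scrubbed.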

As indicated by the high number of Threat Outbreak Alerts recently, Cisco Email Security analysts continue to identify an increasing number of spam and phishing threats. The majority of these are modified versions of previously reported malicious messages using the common themes of fake electronic invoices, fake order receipts, fake shipping notices and tracking messages, and fake messages related to the confirmation of account information. Users should be advised to increase their vigilance for potentially malicious spam messages and are reminded not to click on web links provided in the messages or open file attachments.

Cisco released the Security Advisory: Multiple Vulnerabilities in the Cisco WebEx Recording Format and Advanced Recording Format Players, addressing five vulnerabilities.

Cisco also released the following Security Notices:
IntelliShield published 118 events last week: 72 new events and 46 updated events. Of the 118 events, 35 were Vulnerability Alerts, three were Security Issue Alerts, 79 were Threat Outbreak Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:

Day        Date        New  Updated  Total
Friday     09/06/2013   11        4     15
Thursday   09/05/2013   15       20     35
Wednesday  09/04/2013   23       15     38
Tuesday    09/03/2013   23        7     30
Monday     09/02/2013    0        0      0

Previous Alerts That Still Represent Significant Risk

VMware Workstation and Player vmware-mount Local Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 30501, Version 2, August 29, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-1662
VMware Workstation and Player contain a vulnerability that could allow a local attacker to gain elevated privileges. Updates are available. VMware states that the vulnerability is present only when Workstation and Player are installed on Debian-based versions of Linux. Functional code that exploits this vulnerability is available as part of the Metasploit framework.

Oracle Java ByteComponentRaster Buffer Overflow Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 29855, Version 5, August 28, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-2473
Oracle Java Runtime Environment contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Functional code that demonstrates an exploit of this vulnerability is publicly available. Updates are available.

Oracle Java IntegerInterleavedRaster.verify() Integer Overflow Vulnerability
IntelliShield Vulnerability Alert 30407, Version 1, August 14, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE Not Available
Oracle Java contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Proof-of-concept code that exploits this vulnerability is publicly available. Oracle has confirmed the vulnerability in a security bulletin and released software updates.

HP LeftHand Virtual SAN Appliance Hydra Remote Code Execution Vulnerabilities
IntelliShield Security Activity Bulletin 28100, Version 4, August 13, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-2343
HP LeftHand Virtual SAN Appliance hydra contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. These vulnerabilities were originally reported on February 6, 2013. Functional code that exploits CVE-2013-2343 is available as part of the Metasploit framework. HP has confirmed these vulnerabilities and released updated software.

Physical

Increased Security for 9/11 Anniversary

The 12th anniversary of the September 11, 2001 attacks, coinciding this year with the increasing global tensions over Syria, has multiple governments and private sector organizations issuing elevated security alerts and warnings. On September 11, 2012, the anniversary was marked with attacks on the American diplomatic mission in Benghazi, Libya, that resulted in the death of the U.S. ambassador and three others. Only one month ago, the U.S. closed 22 Embassies and Consulates due to a detected threat. Yet the U.S. Department of Homeland Security released an assessment stating there has been "no credible or specific information that points to any terror plot tied to the anniversary of the September 2001 attacks."
FBI, DHS: No Specific Threat to 9/11 Anniversary 
Benghazi Timeline 

Analysis: This anniversary continues to cause elevated security measures across the U.S. and at multiple locations across the globe. Again this year there are elevated tensions across many areas that have known Al Qaida affiliates and influences and that have been targets of previous attacks and threats. Despite the lack of any known threats, organizations and all individuals are advised to increase their vigilance for suspicious physical and cyber activity leading up to and on this anniversary date. Individuals and organizations should also be aware that such event themes are commonly used in malicious spam, phishing and SEO poisoning attacks, and are advised to avoid email messages and web links associated with 9/11 anniversary themes.

Legal

U.S. State Privacy Laws

Montana is the latest U.S. state to create its own privacy legislation, joining a growing list of states that have now passed their own regulations. The states are moving forward and passing legislation despite the lack of federal action on the working updates to the Electronic Communications Privacy Act (ECPA) legislation, and creating regulations that only apply at an individual state level. While most of this state legislation is similar, varying versions address email, text messages, and geolocation information.
Montana a leader on Privacy  
Federal Electronic Communications Privacy Act 

Analysis: As the states move forward, independent of federal updates, the regulations are causing confusion for both local and inter-state law enforcement and businesses. If this continues without federal action that would take precedence over the local regulations, it could further increase the confusion, similar to the widely varying international laws and regulations that many countries and international organizations have been working to align and consolidate. Law enforcement, businesses and individuals are already forced by regulatory requirements to comply with a variety of regulations regarding privacy, sensitive information protection, and compromise notifications, to name only a few. Businesses are required to comply with the regulations in the areas in which they operate: local, national and international. To meet these requirements, businesses will have to continue to track these actions closely and ensure their compliance with all levels of regulation.

Internet of Things

Camera Vendor Settles with FTC

The U.S. Federal Trade Commission (FTC) complaint against TRENDnet was reported as the first case of "an everyday product with connectivity to the Internet." The complaint was filed after it was discovered that the cameras could be accessed from the Internet, with web links posted to cameras that allowed anyone on the Internet to view live camera feeds. Although the cameras were marketed as secure, the complaint alleged that the cameras allowed open access, transmitted login credentials in clear text, and stored the login information in clear text.
Vendor Negligence Harms Customers Privacy 

Analysis: As the Internet moves to the Internet of Things, security must be a consideration for development, businesses, and individuals to prevent these types of incidents and legal actions. As continues to be reported with industrial control system vulnerabilities, it is fairly simple to scan, identify and exploit devices that do not have even the most basic and common security controls implemented. When considering these new and developing Internet of Things devices, organizations and individuals should consider the security of these systems, and select devices that have had their security tested and validated. For those capable, test these systems and monitor the related network activity to ensure they are not exposing sensitive information or video.

Privacy

Focus on Internet Privacy

The Pew Research Center recently released a survey focused on what users were doing to protect their privacy. The survey found 86 percent of U.S. Internet users attempt to use one or more methods to protect their online activity. The survey found that high numbers of users clear their browser history and cookies, remove social media posts, avoid providing personal information on websites, use temporary accounts with fake names and information, or provide fake information when asked. A majority of users responded to the survey that they attempt to use anonymity when on the Internet, but similarly few have high confidence in that privacy.
We've All Practically Given Up On Internet Privacy
Anonymity, Privacy, and Security Online

Analysis: It is good news that users are increasingly aware of their privacy, are taking steps to protect it online, and have realistic expectations of that privacy. Other recent reports noted a major increase in Tor network use, although some of that may be credited to bot activity. While the security measures mentioned in the survey are all worthy, users should understand that fake accounts and fake information are not likely to be effective, due to the ability of many to perform data mining on accounts and social media. It was also disappointing to see that only 14 percent used encryption of communications. This may indicate that encryption programs continue to be too difficult for most users to install, configure and use effectively. Along with those security controls provided in a work environment, users should consider similar controls on their private systems. Since many are likely using the same systems for both work and personal activity, having these controls can provide a high level of privacy. Users can also go further and report to government agencies those organizations that seem to abuse users' privacy through tracking, information gathering, or unclear privacy end-user agreements.

Geopolitical

Government Transparency in the Internet Era

In late August, China’s .cn domain was hit by a Distributed Denial of Service (DDoS) attack. According to the China Internet Network Information Center, the attack lasted several hours and resulted in a 32 percent drop in domestic Internet traffic. Major websites including Weibo, the Bank of China, and Amazon.cn were affected, but there was no discussion of who might have been behind the attack, leaving observers to speculate.
Who Hacked China’s Internet Yesterday? 
China Hit By ‘Biggest Ever’ Cyber Attack 
NSA Able to Foil Basic Safeguards of Privacy on Web 

Analysis: Governments are often reticent to provide information following embarrassing incidents or revelations, sometimes for good reasons.  China is by no means the only country featured in the news recently for being slow to discuss sensitive issues.  The U.S. intelligence community has been taken to task frequently this summer over leaked information related to the National Security Agency’s surveillance techniques.  Traditionally, many governments have refused to confirm or deny leaks and rumors, but in the era of politically motivated hacks, this has become more difficult.  Never before has it been so easy (or cheap) to uncover and disseminate information never meant to be made public, and never before has it been so easy to fabricate rumors and lies.  A world without privacy or government secrecy may not be realistic or even desirable, but the revelations of 2013 point to a new world where everyone seems to have less control over their private information—individuals, companies, and governments.  If this trend continues, information security specialists tasked with protecting data should be prepared to work closely with communications specialists who handle messaging related to data breaches.

Upcoming Security Activity

Oracle OpenWorld: September 22–26, 2013
(ISC)2 Security Congress 2013: September 24-27, 2013
Interop New York 2013: September 30-October 4, 2013
SecTor 2013: October 7-9, 2013
Seoul Conference on Cyber Space: October 17-18, 2013
Cloud Security Alliance Congress 2013: December 4-5, 2013

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:

September 11, 2001 Attack Anniversary: September 11, 2013
Germany Parliament Elections: September 22, 2013
United Nations General Assembly: September 17-October 2, 2013 
World Economic Forum: January 22-25, 2014
Winter Olympics: February 7-23, 2014

Additional Information

For information and commentary from the experts in Cisco Security Intelligence Operations, please visit the Cisco Security Blog.

For timely information from across Cisco Security Intelligence Operations, please consider following @CiscoSecurity  on Twitter.

 
Alert History
 
Initial Release

