Cyber Risk Report: September 9-15, 2013

 
Threat Type: IntelliShield: Cyber Risk Report
IntelliShield ID: 30820
Version: 1
First Published: 2013 September 16 19:36 GMT
Last Published: 2013 September 16 19:36 GMT
Port: Not available
Urgency: Weakness Found
Credibility: Confirmed
Severity: Mild Damage

Version Summary: This is the Cyber Risk Report for September 9-15, 2013. The report details the significant events for this time period and covers multiple threat and risk management categories.
 

Description

Contents

Vulnerability
Attacks and Compromises
Trust
Mobile
Identity
Geopolitical
Upcoming Security Activity
Additional Information 

Listen to the Podcast (15:19 min)

Cisco will be providing multiple presentations at the (ISC)2 Security Congress 2013, September 24-27, 2013, in Chicago, Illinois, and is a proud sponsor and training provider for SecTor 2013, October 7-9, 2013, in Toronto, Ontario, CA. Cisco will be presenting the Network Threat Defense Hands-on Training session at SecTor 2013 on October 7, 2013. The training will help you learn about securely deploying network services and detecting, classifying, and preventing threats targeting a network. Additional information is available in the Cisco Security blog post: Cisco Network Threat Defense Training at SecTor 2013. Visit the Cisco security engineers at these events for the latest training and information on security threats and recommendations.

Vulnerability

Vulnerability activity increased sharply for the period due to the release of the Microsoft Security Bulletin Release for September 2013 and multiple Adobe product security updates. 

Microsoft published its monthly security bulletin release on September 10, 2013. Microsoft released 13 bulletins that addressed 47 vulnerabilities. The bulletins addressed vulnerabilities in Microsoft Windows, Microsoft Internet Explorer, Microsoft Office Access, Microsoft Office Excel, Microsoft Office Outlook, Microsoft Office Word, Microsoft SharePoint Server, and Microsoft FrontPage. The vulnerabilities could allow an attacker to execute arbitrary code, conduct cross-site scripting attacks, cause a denial of service condition, or gain elevated privileges. Full details of the vulnerabilities, IPS signatures, and Cisco mitigations are available in the Cisco Event Response: Microsoft Security Bulletin Release for September 2013. A short video analysis of the Microsoft Security Bulletins for September 2013 is available on the Cisco SIO portal.

Adobe released multiple security bulletins addressing vulnerabilities in Reader, Acrobat, Flash Player, AIR, and Shockwave Player. The security advisories addressed eight code execution vulnerabilities in Reader and Acrobat, and two code execution vulnerabilities in Shockwave Player. Microsoft Internet Explorer and Google Chrome users will receive automated updates for the Flash Player plug-ins included in those browsers.

Apple released a security advisory for Mountain Lion v10.8.5 addressing 32 vulnerabilities in 16 components including Apache, BIND, Certificate Trust, ClamAV, IPSec, the kernel, Mobile Device Management, OpenSSL, PHP, PostgreSQL, QuickTime, and others. Apple also released Safari 5.1.10 correcting two JavaScript vulnerabilities.

Other important security advisories and updated software were released for IBM Lotus iNotes, Junos Pulse Secure Access Service, OpenSSL, Sophos Web Protection Appliance, Wireshark, and Xen Hypervisor. WordPress released version 3.6.1 correcting multiple security vulnerabilities. Additional security updates were released for multiple vulnerabilities in the Feedweb, RLSWordpressSearch, Snazzy Archives, and Traffic Analyzer WordPress plug-ins.

Cisco released the following Security Notices for low and medium-severity security issues:

IntelliShield published 209 events last week: 142 new events and 67 updated events. Of the 209 events, 98 were Vulnerability Alerts, 31 were Security Activity Bulletins, one was a Security Issue Alert, 77 were Threat Outbreak Alerts, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows: 

Day         Date         New   Updated   Total
Friday      09/13/2013    24        12      36
Thursday    09/12/2013    20        19      39
Wednesday   09/11/2013    21        14      35
Tuesday     09/10/2013    61         4      65
Monday      09/09/2013    16        18      34

Previous Alerts That Still Represent Significant Risk

Oracle Java ByteComponentRaster Buffer Overflow Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 29855, Version 5, September 9, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-2473
Oracle Java Runtime Environment contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Functional code that demonstrates an exploit of this vulnerability is publicly available. Updates are available.

VMware Workstation and Player vmware-mount Local Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 30501, Version 2, August 29, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-1662
VMware Workstation and Player contain a vulnerability that could allow a local attacker to gain elevated privileges. Updates are available. VMware states that the vulnerability is present only when Workstation and Player are installed on Debian-based versions of Linux. Functional code that exploits this vulnerability is available as part of the Metasploit framework.

Oracle Java IntegerInterleavedRaster.verify() Integer Overflow Vulnerability
IntelliShield Vulnerability Alert 30407, Version 1, August 14, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE Not Available
Oracle Java contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Proof-of-concept code that exploits this vulnerability is publicly available. Oracle has confirmed the vulnerability in a security bulletin and released software updates.

HP LeftHand Virtual SAN Appliance Hydra Remote Code Execution Vulnerabilities
IntelliShield Security Activity Bulletin 28100, Version 4, August 13, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-2343
HP LeftHand Virtual SAN Appliance hydra contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. These vulnerabilities were originally reported on February 6, 2013. Functional code that exploits CVE-2013-2343 is available as part of the Metasploit framework. HP has confirmed these vulnerabilities and released updated software.

Attacks and Compromises

Defacements and Failed Operations

During the period, multiple subdomain websites at NASA were defaced by a group posting messages against U.S. NSA spying and possible strikes in Syria. Multiple Anonymous affiliates had threatened to launch new attacks as part of OpUSA and OpIsrael against U.S. and Israeli websites on the anniversary of 9/11, but the attacks did not materialize or failed to reach a level that caused any significant interruptions. The groups posted a list of what was presented as compromised Israeli personal data, but this was identified as information that had been previously compromised and posted earlier this year. The Syrian Electronic Army (SEA) was more successful in its continued compromises of media Twitter accounts, compromising accounts belonging to FX Australia and FOX TV United Kingdom, reportedly through a compromised HootSuite account.
NASA Attack protesting NSA and Syria  
SEA Hack Large Number of Twitter Accounts 
Tracking OpUSA and OpIsrael 
9/11 DDoS Attacks Flop 

Analysis: Anonymous and affiliate groups continue to appear unsuccessful in the execution of their operations, yet are likely to continue to announce campaigns and launch future attacks. The SEA and Al Qassam groups have had more success in their continued operations, although the announced phase four of the Al Qassam attacks on U.S. financial institutions also appears to have been uneventful to date. Like physical activist groups, cyber activist or hacktivist groups follow similar patterns: difficulty sustaining support and media interest, internal disagreements, and, in the case of Anonymous, the impact of several arrests and the flight into hiding of leading members. While threats from these groups appear to have peaked or are declining, it is likely they will regenerate or new groups will take the spotlight with new agendas, attack methods, and compromises. Fortunately, the one common factor among the majority of these types of groups is their need for publicity, leading them to announce their intentions prior to the attacks.

Trust

NIST Recommendation to Avoid Cryptographic Standard

The U.S. National Institute of Standards and Technology (NIST) released a statement on cryptographic standards, including the reopening of public comment on a specific standard that has come into question following documents released in the Snowden NSA data compromise case. The cryptographic community has raised questions over whether cryptographic standards may have been intentionally weakened or had backdoors installed to allow the monitoring of encrypted network traffic. As NIST mentioned in its statement, it works very closely with the NSA to develop cryptographic standards, but it has refuted claims that the NSA compromised those standards.
Cryptographic Standards Statement  
NIST Advises Against Use of Random Bit Generator   
NIST Refutes Allegations NSA Compromised Crypto Standards 

Analysis: The fallout from the NSA compromise has reached another level, with NIST reopening the standard for comment and releasing recommendations not to use selected cryptographic standards. The possible compromise of cryptographic standards is particularly concerning because, as NIST points out, these standards are developed, reviewed, and validated by a relatively small group of cryptographic experts, including those from the NSA. The standards are not meant to be kept from public review; the issue is that the development of cryptographic standards and code is so complex that only a small number of experts have the knowledge and ability to truly validate a standard. Outside of this small group, the rest of the community has to trust the approved standards. If this proves to be true and the standards have been compromised, which NIST refutes, it would be a critical blow to the trust required across the Internet and the security community.

Mobile

Vodafone Reports Breach of 2 Million Records

Vodafone, a German mobile phone operator, reported a security breach of its systems that may have resulted in the compromise of personal information of up to two million of its subscribers. Vodafone reported that although the personal and account information may have been compromised, credit card information was not exposed. Vodafone has alerted customers of the breach and advised them to be alert for criminal phishing attempts, suspicious phone calls, or questionable account activity. The latest information pertaining to the investigation indicates the breach may have included an insider that accessed the systems.
Vodafone Germany Breach Impacts Millions 
Insider Tied to Vodafone Breach 

Analysis: Similar to the threat to health records detailed below, the mobile market continues to see increased threats to mobile users, including malicious code, malicious applications, and account compromise. The main threats currently experienced by most users are malicious applications, SMS text spam, and phishing. It is not unusual for an insider to be involved in the criminal activity. FBI records show that insiders have regularly been identified as stealing sensitive data and attempting to sell it to identity theft criminal groups. In addition to the increased awareness needed by mobile users, organizations and businesses cannot overlook or underestimate the threat of insider criminal activity, and must have security controls in place to identify suspicious activity within the trusted network and accounts.

Identity

Medical Data Hubs Certified as Theft Increases

Following reports several weeks ago that the Affordable Care Act (ACA) health insurance Data Hubs were not ready for deployment, they have recently been security certified and are ready to go operational by the October 1, 2013 deadline. As these repositories of electronic medical information are deployed, many continue to raise concerns over the security, access controls, and authorized use of their sensitive personal health data. Recently, a survey found that medical data and identity theft has increased twenty percent in the U.S., affecting millions of Americans and costing the industry billions.
Obamacare Data Hubs Secure and Ready 
2013 Survey on Medical Identity Theft
Health Care Theft Class Action

Analysis: Recently, the value of sensitive personal health information has been increasing in underground and criminal online communities and forums. Health records are now the most expensive records offered on many of these sites. The value of these records should not be underestimated, whether by criminals attempting identity theft or by the persons whose information may be compromised. One of the factors driving up the value of this information is its persistence: sensitive health information does not change or expire, and cannot be voided like a compromised financial account or credit card. Unlike financial accounts or other data stores, health records contain a wide variety of sensitive information, which can provide the attacker with many options for exploiting the owner's identity. The protection of these records is critical to the success of the Affordable Care Act, the industry, and consumer confidence in the new programs. In a related report, Advocate Health Care had a class action lawsuit filed against it following the physical theft of computers from its offices that may have contained an estimated four million unencrypted health records.

Geopolitical

Kim Jong-Un and the Importance of Being Well Informed

According to various reports, former U.S. basketball player Dennis Rodman will return to North Korea in January 2014 to oversee two exhibition basketball games between the U.S. and the Democratic People’s Republic of Korea (DPRK). Rodman visited the DPRK early this year, evoking bemusement and anger from many outside the reclusive country, given the young leader’s governing tactics, which are being compared to his father’s and grandfather’s brutality. Recently, reports surfaced that Kim had executed a former girlfriend and her family. Rodman, for his part, said that the young leader would like to improve relations with the U.S., and sees the games as a way to build trust, even as new satellite imagery indicates that the DPRK may have restarted its Yongbyon nuclear reactor.
Rodman Meets with North Korean Leader, Courtside 
Satellite Images Suggest North Korea Restarted Nuclear Reactor  
Kim Jong-Un’s Ex-lover Executed by Firing Squad 
Dennis Rodman Plans North Korea Return

Analysis: For those with free access to information, the pairing of the flashy former U.S. athlete and the repressive leader may seem bizarre and puzzling. It is difficult to understand why Kim Jong-Un would spend time with a former athlete known for his body piercings, tattoos and hair dyes, given that he did not find time to meet with Google founder Eric Schmidt, when he visited North Korea this year looking to improve Internet access for North Korea’s citizens and discuss business opportunities. It may be an indicator of how little Kim actually knows about the outside world. Kim may believe Rodman has the ear of the White House or may believe the rest of the world takes the basketball player more seriously than we do. Perhaps he is simply more interested in enjoying a game of basketball than improving the lives of his country’s citizens. Kim hears entirely what he wants to hear from those around him, who may fear his reaction to unfavorable information. Those of us tempted to read only blogs and articles by those we agree with may want to take note, lest we end up appearing fools ourselves. Information security specialists may want to watch for an uptick in cyber events connected to the exhibition games in January.

Upcoming Security Activity

Oracle OpenWorld: September 22-26, 2013
(ISC)2 Security Congress 2013: September 24-27, 2013
Interop New York 2013: September 30-October 4, 2013
SecTor 2013: October 7-9, 2013
Seoul Conference on Cyber Space: October 17-18, 2013
Cloud Security Alliance Congress 2013: December 4-5, 2013

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:

United Nations General Assembly: September 17-October 2, 2013
Germany Parliament Elections: September 22, 2013
World Economic Forum: January 22-25, 2014
Winter Olympics: February 7-23, 2014

Additional Information

For information and commentary from the experts in Cisco Security Intelligence Operations, please visit the Cisco Security Blog.

For timely information from across Cisco Security Intelligence Operations, please consider following @CiscoSecurity on Twitter.

 
Alert History

Initial Release

Product Sets

The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShield Cyber Risk Report, Original Release, Base

Associated Products:
N/A



LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.