Cyber Risk Report

Cyber Risk Report: September 16-22, 2013

Threat Type: IntelliShield: Cyber Risk Report
IntelliShield ID: 30935
Version: 1
First Published: 2013 September 23 14:19 GMT
Last Published: 2013 September 23 14:19 GMT
Port: Not available
Urgency: Weakness Found
Credibility: Confirmed
Severity: Mild Damage
 
Version Summary: This is the Cyber Risk Report for September 16-22, 2013. The report details the significant events for this time period and covers multiple threat and risk management categories.
 

Description
 

Contents

Vulnerability
Attacks and Compromises
Trust
Identity
Human
Geopolitical
Upcoming Security Activity
Additional Information

Listen to the Podcast (11:46 min)

Cisco will be providing multiple presentations at the (ISC)2 Security Congress 2013, September 24-27, 2013, in Chicago, Illinois, and is a proud sponsor and training provider for SecTor 2013, October 7-9, 2013, in Toronto, Ontario, CA. Cisco will be presenting the Network Threat Defense Hands-on Training session at SecTor 2013 on October 7, 2013. The training will help you learn about securely deploying network services and detecting, classifying, and preventing threats targeting a network. Additional information is available in the Cisco Security blog post: Cisco Network Threat Defense Training at SecTor 2013. Visit the Cisco security engineers at these events for the latest training and information on security threats and recommendations.

You can also see Cisco at Interop New York, September 30-October 6, 2012. Visit Interop New York and learn how to transform and create new opportunities to claim your share of the Internet of Everything economy. On Wednesday October 2, 2013, join us for a keynote with Cisco Chairman and CEO John Chambers.

Cisco will release the scheduled Cisco IOS Software Security Advisory Bundled Publication on September 25, 2013. Additional information is available at the Cisco Security Blog post: 7-Day Forecast: Bundle Up!

Vulnerability

Following the high levels of vulnerability activity last period, the high levels continued into this period. Additional information was released on several of the vulnerabilities from the Microsoft Security Bulletin Release for September 2013. There are also reports of the updater programs not recognizing that an update has been installed and continuing to prompt the user to install it. Microsoft confirmed that one of the fixes broke Office 2010 Starter Edition by changing the file associations of already-created documents.

A new Microsoft Internet Explorer memory operations vulnerability, impacting all current versions, was identified that allows an unauthenticated, remote attacker to execute arbitrary code. Microsoft has released a security advisory with mitigations. The vulnerability is currently being exploited by delivering a malicious link and persuading the user to view a malicious website or follow the link. Details are available in IntelliShield Alert 30843.

Mozilla released security advisories and updated versions addressing multiple vulnerabilities in Firefox, Firefox ESR, Thunderbird, Thunderbird ESR, and SeaMonkey. The 24 security updates in Firefox correct 17 vulnerabilities in previous versions.

Apple released iOS 7 for iPhones, iPads, and iPods, correcting 80 vulnerabilities. Several sites reported a 20-80 percent increase in network traffic levels as users downloaded the 750 megabyte upgrade for iPhones and iPods, and the 950 megabyte upgrade for iPads. While the focus of many has been on the new fingerprint biometric access control on the new Apple iPhone 5s, a video has been posted demonstrating how the passcode lockscreen can be bypassed.

Cisco released two Security Advisories and multiple Security Notices:

IntelliShield published 216 events last week: 134 new events and 82 updated events. Of the 216 events, 118 were Vulnerability Alerts, 8 were Security Activity Bulletins, 7 were Security Issue Alerts, 81 were Threat Outbreak Alerts, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Day        Date          New   Updated   Total
Friday     09/20/2013     32        17      49
Thursday   09/19/2013     28         6      34
Wednesday  09/18/2013     29        15      44
Tuesday    09/17/2013     13        18      31
Monday     09/16/2013     32        26      58


Significant Alerts for the Time Period

Microsoft Internet Explorer Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 30843, Version 1, September 17, 2013
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2013-3893
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has confirmed the vulnerability in a security advisory; however, software updates are not available.

Previous Alerts That Still Represent Significant Risk

Oracle Java ByteComponentRaster Buffer Overflow Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 29855, Version 5, September 9, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-2473
Oracle Java Runtime Environment contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Functional code that demonstrates an exploit of this vulnerability is publicly available. Updates are available.

VMware Workstation and Player vmware-mount Local Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 30501, Version 2, August 29, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-1662
VMware Workstation and Player contain a vulnerability that could allow a local attacker to gain elevated privileges. Updates are available. VMware states that the vulnerability is present only when Workstation and Player are installed on Debian-based versions of Linux. Functional code that exploits this vulnerability is available as part of the Metasploit framework.

Oracle Java IntegerInterleavedRaster.verify() Integer Overflow Vulnerability
IntelliShield Vulnerability Alert 30407, Version 1, August 14, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE Not Available
Oracle Java contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Proof-of-concept code that exploits this vulnerability is publicly available. Oracle has confirmed the vulnerability in a security bulletin and released software updates.

HP LeftHand Virtual SAN Appliance Hydra Remote Code Execution Vulnerabilities
IntelliShield Security Activity Bulletin 28100, Version 4, August 13, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-2343
HP LeftHand Virtual SAN Appliance hydra contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. These vulnerabilities were originally reported on February 6, 2013. Functional code that exploits CVE-2013-2343 is available as part of the Metasploit framework. HP has confirmed these vulnerabilities and released updated software.

Attacks and Compromises

International SOS Traveler-Tracking Breach

International SOS reported detecting a breach of its Traveler-Tracking System and has notified law enforcement and clients that may have been impacted. International SOS works with corporate travel management companies to provide security services and claims customers from more than 70 percent of the Fortune 500 companies. The information provided to companies like International SOS may include personal and contact information, travel itineraries, and medical data.
Travel Security Firm Victimized By Cyber-Attack

Analysis: While many may not be familiar with companies like International SOS, criminals are becoming increasingly skilled at identifying and breaching sites that contain large repositories of sensitive data. Once compromised, this data can be used to perform a variety of criminal activities including espionage, blackmail, ransom demands, and sale of the data in criminal forums. While this breach appears to have been identified quickly and handled effectively, it serves as a warning to companies with large repositories of sensitive data that they cannot rely on security through obscurity; they must assume they will be identified and targeted, and must therefore provide the highest levels of security to protect the sensitive data from compromise.

Trust

Security Screening Reliability Questioned

Following the U.S. Navy Yard shootings in Washington DC, and going back to the Manning and NSA incidents, many are raising major questions about the reliability of the security clearance background checks performed by organizations. In reviewing these incidents, several factors and pieces of information have come to light that were apparently not detected or reported, and that might have prevented the issuing of a clearance or employment. President Obama has now called for a full review of the security screening process.
Senators Demand Review of Security Clearance Screening
Obama Orders Security Review
USIS Under Federal Investigation

Analysis: These recent incidents and criminal investigations have highlighted several serious concerns about the number of individuals that hold government security clearances and about the background checks performed in awarding those clearances and employment. The large increase in required clearances has caused the government to outsource the majority of the background checks and screenings, much as private businesses have. Trusting a third-party contractor or service to perform this function raises several questions around security practices, liability, human resources, and hiring practices. Organizations should consider reviewing their own screening practices, including the legal and HR issues, as well as the internal security practices used to detect suspicious activity once an employee is hired.

Identity

Social Security Web Portal Targeted for Fraud

The U.S. Social Security Administration (SSA) reported that criminals performing fraud and identity theft have changed tactics to transfer funds using the "my Social Security" Web portal. The new portal allows SSA recipients to create online accounts to track and manage their SSA accounts, including setting up direct deposit transfers. Criminals have targeted the portal by creating fraudulent accounts to have the payments sent to accounts they control. The SSA recommends that recipients create a legitimate account and monitor it to prevent fraud.
Crooks Hijack Retirement Funds Via SSA Portal

Analysis: As in this case, creating legitimate accounts before criminals can create fraudulent ones is a recommended way to detect and prevent identity theft and fraud. Similarly, children are often exploited because they have no financial accounts, tax records, or credit histories to monitor, raise red flags, or expose fraudulent activity until several years later when they attempt to open an account. Users should also consider account alert services that provide notifications of fraudulent activity, and credit monitoring services that provide alerts when changes occur. Criminals are increasingly targeting government services websites, increasing the need for user vigilance when accessing these websites, as with other types of sensitive and highly targeted websites.

Human

Commuters, Mobile, and Cloud Users Raising Risks

Two new studies were released, one focusing on mobile devices and commuters in the UK and the other on users of cloud services to store potentially sensitive data. The UK study found that employees commuting to and from work regularly connect to public Wi-Fi networks. In the survey responses, 46 percent said they regularly use public Wi-Fi as a primary means of Internet access, while 52 percent admitted they are concerned about the security of public Wi-Fi networks. In the second survey, 41 percent of users responded that they regularly use unauthorized cloud services for storing files, while 87 percent recognized that this use was forbidden by company policies.
UK Commuters Put Data at Risk
Deliberately Leaking Confidential Data

Analysis: Hopefully, neither of these reports is surprising; Cisco, and others, have reported similar findings in the Cisco Annual Security Report and Cisco Connected World Technology Report. But, as these surveys show, companies are still not addressing the way employees work and the blending of business and personal activity with the technologies and policies needed to manage the security. Smartphones and tablets are now the primary devices for many employees, and while device security and enterprise integration are improving, many companies appear to still be challenged to manage how these devices connect to the network and the services employees use. As Cisco reported, forbidding these activities is not likely to be effective; companies need to manage the activity with technologies that give employees a way to perform their mobile work in a secure environment.

Geopolitical

Brazil Reacts to NSA Leaks

Brazilian President Dilma Rousseff has postponed her planned October trip to the United States in protest over leaked information suggesting that the U.S. National Security Agency (NSA) has been spying on high-level Brazilian government communications. The leaks also suggest that the NSA may have tapped communications of Brazil's state oil company, Petrobras. President Dilma, who faces a tight re-election race in 2014, submitted to Brazil's Congress several proposals to curb what some perceive as excessive U.S. control over the Internet. They include expediting the construction of undersea communications cables circumventing the U.S., creating an encrypted email service for citizens that would be controlled by Brasilia, requiring local service providers to use domestically made equipment, and mandating that Brazilian citizens' personal information be stored on servers located in Brazil.
Brazil's Controversial Plan to Extricate the Internet from US Control
NSA Spying Gives Advantage to Brazil's Local Tech Firms

Analysis: The strong reaction is partly due to Brazil's longstanding desire to assert greater regional leadership and broaden both economic and political independence from the United States. Given that China surpassed the U.S. as Brazil's largest trading partner last year, this process clearly is already underway—but recent foreign exchange volatility brought on by uncertainty over U.S. Federal Reserve Bank intentions may have provided an unwelcome reminder of the economy's continued interdependence.

Internet technology specialists will be watching closely to see whether President Dilma's proposals gain traction in Brazil's Congress, and whether her calls for more balkanization of the Internet are taken up at the United Nations General Assembly this week. Many argue that erecting barriers through encryption and differing standards would disadvantage rapidly growing economies like Brazil's, as well as disrupt the democratizing free flow of information. Whatever happens in the next few weeks between Brazil, the U.S., and the United Nations, we are very likely witnessing only the early stages of a long and broad-reaching international conversation.

Upcoming Security Activity

Oracle OpenWorld: September 22-26, 2013
(ISC)2 Security Congress 2013: September 24-27, 2013
Interop New York 2013: September 30-October 4, 2013
SecTor 2013: October 7-9, 2013
Seoul Conference on Cyber Space: October 17-18, 2013
Cloud Security Alliance Congress 2013: December 4-5, 2013

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:

United Nations General Assembly: September 17-October 2, 2013
World Economic Forum: January 22-25, 2014
Winter Olympics: February 7-23, 2014

Additional Information

For information and commentary from the experts in Cisco Security Intelligence Operations, please visit the Cisco Security Blog.

For timely information from across Cisco Security Intelligence Operations, please consider following @CiscoSecurity on Twitter.
 
Alert History
 
Initial Release


Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShieldCyber Risk Report Original Release Base

Associated Products:
N/A



LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
Powered by IntelliShield