Come see Cisco at Interop New York, September 30 to October 4, 2013. Visit Interop NY and learn how to transform and create new opportunities to claim your share of the Internet of Everything economy. Join us on Wednesday, October 2, for a keynote with Cisco Chairman and CEO John Chambers.
Vulnerability activity returned to previous levels this period. The highlights for the period were the Cisco IOS Software Security Advisory Bundled Publication, Oracle security updates for third-party software, and updates on threat activity targeting the Microsoft September Security Bulletin vulnerabilities.
Oracle released multiple security advisories and updated software for third-party products affecting Oracle products. The security advisories include updates for MIT Kerberos, MySQL, PERL, Ruby, Wireshark, and others.
Other vulnerability reports included updates from Image Magic and Red Hat.
IntelliShield published 172 events last week: 89 new events and 83 updated events. Of the 172 events, there were 78 Vulnerability Alerts, 3 Security Activity Bulletins, 4 Security Issue Alerts, 85 Threat Outbreak Alerts, an Applied Mitigation Bulletin, and a Cyber Risk Report. The alert publication totals are as follows:
Significant Alerts for the Time Period
Microsoft Windows Theme File Handling Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 30577, Version 3, September 23, 2013
Urgency/Credibility/Severity Rating: 2/5/4
Microsoft Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that demonstrates an exploit of the Microsoft Windows theme file handling arbitrary code execution vulnerability is publicly available. Updates are available.
Previous Alerts That Still Represent Significant Risk
Microsoft Internet Explorer Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 30843, Version 1, September 17, 2013
Urgency/Credibility/Severity Rating: 2/5/4
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has confirmed the vulnerability in a security advisory; however, software updates are not available.
Oracle Java ByteComponentRaster Buffer Overflow Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 29855, Version 5, September 9, 2013
Urgency/Credibility/Severity Rating: 3/5/4
Oracle Java Runtime Environment contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Functional code that demonstrates an exploit of this vulnerability is publicly available. Updates are available.
VMware Workstation and Player vmware-mount Local Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 30501, Version 2, August 29, 2013
Urgency/Credibility/Severity Rating: 3/5/4
VMware Workstation and Player contain a vulnerability that could allow a local attacker to gain elevated privileges. Updates are available. VMware states that the vulnerability is present only when Workstation and Player are installed on Debian-based versions of Linux. Functional code that exploits this vulnerability is available as part of the Metasploit framework.
Drone Incident Raises Physical Security Risks
German Chancellor Angela Merkel was attending a political event when a small, multiple rotor drone flew in and hovered within close proximity to the podium. After several minutes, the security personnel for the event grabbed it out of the air. Germany's Pirate Party later claimed responsibility in an apparent protest and effort to disrupt the political rally. Drone In Front Of German Chancellor
Analysis: This incident demonstrates the growing threat that small Unmanned Aerial Vehicles (UAVs), otherwise known as drones, present at public gatherings. We tend to focus on the larger UAVs that the military uses in combat areas, but overlook the potential physical and privacy threat that small UAVs the public can be exposed to represent. One way to mitigate the threat of small, hobby-type UAVs at public events is to jam the signal they use. Signal ranges include 72Mhz, 800Mhz, 900Mhz, 1100Mhz, 5GHz. In addition, they can use WIFI and GPS. This signal jamming will disable nearby devices using the frequency ranges; however, security and public safety can justify the jamming. GPS can be used which does not use any of the aforementioned wavelengths; therefore, additional protective measures would need to be in place to protect public events against drone threats.
Attacks and Compromises
ID Theft Service Infiltrated Major Data Aggregators
Analysis: The reports by Brian Krebs indicate that several of the largest commercial aggregators have been compromised, and many others are likely to have been breached. This not only highlights the growing criminal focus on identity theft and fraud operations, but the shift to higher level targets for their data. While the threat to individual users and organizations through the known compromise methods still exists, the criminals have shifted to higher-level targets with large repositories of this information to support their criminal activity. Considering the potential scale of these compromises, it is not surprising that they would shift to these targets, similar to the way criminals performing attacks have shifted to using the web infrastructure to add resources for their attacks. Businesses and organizations are already bound by regulatory requirements to protect personally identifiable information (PII), but individual users must understand this threat and take active measures to protect it, such as monitoring accounts, credit monitoring services, and restricting the amount of personal information they share on the Internet. Individuals should assume at least some of their PII has been compromised, and shift their actions to preventing criminal identity fraud and misuse.
October Cyber Security Awareness Month
October is designated Cyber Security Awareness Month in multiple countries across the globe including the United States. The U.S. Department of Homeland Security (DHS) and several other government and private companies and organizations will be releasing information and updates to increase cyber security awareness. Cisco will be providing several security blog posts throughout the month to highlight the latest threats, trends, and recommendations. Cyber Security Awareness Month
Analysis: While cyber security awareness is an ongoing process, security teams can use this month to focus on the topic. While many continue to debate the effectiveness of awareness training and programs, this opportunity should not be overlooked. Providing regular training, presentations, and awareness updates at a minimum keeps cyber security top of mind and can reduce the human factor risks to an organization. Security teams are advised to pass along the wealth of information that will be released throughout the month, and take this opportunity to meet and speak with their users.
Middle East Game Changers, Implications For Infosec
Three recent, major developments in the Middle East should be considered for their potential impact on cyber risk. First, over the summer, U.S. Secretary of State John Kerry pushed for a revitalization of peace talks between Israel and the Palestinian Territories, bringing representatives of both parties to the table for the first time in several years. Second, the apparent use of chemical weapons by the Assad regime against Syrian opposition forces resulted in an unexpected U.S.-Russian diplomatic effort to resolve the Syrian crisis. And third, new Iranian President Hassan Rouhani indicated at the United Nations General Assembly in New York this month that he wants to work to resolve the impasse over Iran's nuclear program, leading to the first high-level talks between the parties in almost 30 years. Iran, US Talks Seen As Good Start Iran-backed Hackers Infiltrated US Navy Computers BRICs Bond Over Syria, Cyber Security
Analysis: Of the three, only the second development—the diplomatic effort to resolve the chemical weapons crisis in Syria—was unexpected. A second-term U.S. presidential push to broker an Israeli-Palestinian agreement has become a familiar recurrence, and the legitimate election in June of Iran's new President, a Western-educated lawyer and former nuclear negotiator, presaged change. However, the coincidence of these three developments, and the rededicating of US foreign policy toward them, may affect the cyber context in unexpected ways. First, as diplomatic efforts get underway, there is likely to be a pause, as the various parties assess the new landscape and allow time for the dust to settle. While it is tempting to be optimistic that solutions will emerge that benefit all parties, that outcome is less likely than the coalescence within a few weeks or months of winners and losers. Perceptions of United States weakness and Russian assertiveness may benefit Syria's Assad, while the charm offensive of Iran's president may lead some regional players, particularly Israel, Saudi Arabia, or Qatar, to worry that the United States has been hoodwinked, and spur them to unilateral action. Cyber has proven to be a relatively low-cost, high-impact way to make a point and demonstrate power, so government or ideologically-led attacks may tick upward after the first of the year in the event that initial hopes for diplomatic breakthroughs prove unrealistic.
Upcoming Security Activity
Interop New York 2013: September 30–October 4, 2013
SecTor 2013: October 7–9, 2013
Seoul Conference on Cyber Space: October 17–18, 2013
Cloud Security Alliance Congress 2013: December 4–5, 2013
Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:
United Nations General Assembly: September 17–October 2, 2013
Al Adha Holiday: October 14, 2013
First of Muharram: November 4, 2013
US Election Day: November 5, 2013
Ashura Holiday: November 15, 2013
Hanukkah Holiday: November 27, 2013
World Economic Forum: January 22–25, 2014
Winter Olympics: February 7–23, 2014
For information and commentary from the experts in Cisco Security Intelligence Operations, please visit the Cisco Security Blog.
For timely information from across Cisco Security Intelligence Operations, please consider following @CiscoSecurity on Twitter.
The security vulnerability applies to the following combinations of products.
Cyber Risk Report
Original Release Base
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.