The Cisco 2014 Annual Security Report has been released following months of collaboration between threat researchers and other cybersecurity experts at Cisco and Sourcefire. As promised, it provides a "warts-and-all analysis" of security news from 2013 and our perspective for the year ahead based on the data collected through Cisco security products and analyzed by our researchers. Cisco Senior Vice President, Chief Security Officer John Stewart has posted a blog with highlights and insights on the Cisco 2014 Annual Security Report.
Cisco Live Milan is scheduled for January 27–31. Multiple online resources will be available for guests that are unable to attend live.
Vulnerability activity remained at consistent levels. Highlights for the period include the small but significant Microsoft Security Bulletin release, security updates from Adobe, and the Oracle Critical Patch Update with security updates for multiple Oracle products and Java.
Oracle released the Oracle Critical Patch Update Advisory for January 2014. The update contains 144 new security fixes that address multiple Oracle product families. The Oracle CPU also included a Java security update correcting multiple vulnerabilities. As highlighted in the Cisco 2014 Annual Security Report, Java continues to be actively exploited by multiple attack toolkits and direct attacks. Users and administrators should update their Java version to prevent a large number of these exploits.
Adobe released security advisories for Flash Player, AIR, and Reader addressing multiple vulnerabilities. The Flash Player updates require users to update the plug-ins in all popular browsers. Adobe has also reported ongoing phishing activity involving malicious email messages that claim to deliver license keys for a variety of Adobe products. These email messages attempt to persuade users to follow malicious URLs or download malicious file attachments.
Multiple sources are reporting increased threat activity related to PHP global variable overwrite attacks that allow attackers to modify global variables and can be used to exploit latent vulnerabilities in PHP application code. The Cisco Remote Management Services (RMS) team has reported a spike in signature 7212 traffic, which may indicate that attackers are actively attempting to conduct PHP global variable overwrite attacks. Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability.
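The overwrite pattern described above, as a constructed PHP example added here (it is not code from the report or from Cisco; the function names, the sample request arrays and the token lookup are assumptions): request data imported into variable scope can supply a value for an application variable the code never initialised, and the hardened form keeps an explicit default and reads only the keys it expects.

```php
<?php
// Added example, not from the Cisco report: a latent PHP bug that a global
// variable overwrite turns into an access-control bypass, beside its hardened
// form. The request arrays are constructed stand-ins for $_GET / $_POST.

// Constructed token store standing in for a database lookup (assumption).
function lookup_token(string $user): string
{
    $tokens = ['alice' => 'tok-alice-123'];
    return $tokens[$user] ?? '';
}

// Vulnerable: extract() (like the register_globals setting removed in PHP 5.4)
// turns every request key into a variable in this scope, so any variable the
// code forgot to initialise can be filled in by the request.
function check_access_vulnerable(array $request): bool
{
    extract($request);
    // Latent bug: $granted is only assigned on the success path, so a request
    // key named "granted" supplies a value the function itself never set.
    if (isset($user) && isset($token) && $token === lookup_token($user)) {
        $granted = true;
    }
    return isset($granted) && (bool) $granted;
}

// Hardened: explicit default, explicit reads of the expected keys only, no
// import of request data into variable scope, constant-time token comparison.
function check_access_hardened(array $request): bool
{
    $granted = false;
    $user  = $request['user']  ?? null;
    $token = $request['token'] ?? null;
    if (is_string($user) && is_string($token) && $token !== ''
        && hash_equals(lookup_token($user), $token)) {
        $granted = true;
    }
    return $granted;
}

// Constructed requests: a legitimate one, and one that carries no valid token
// but names the internal state variable instead.
$legit  = ['user' => 'alice', 'token' => 'tok-alice-123'];
$forged = ['user' => 'alice', 'granted' => '1'];

foreach (['legit' => $legit, 'forged' => $forged] as $label => $req) {
    printf("%-6s vulnerable=%s hardened=%s\n",
        $label,
        check_access_vulnerable($req) ? 'granted' : 'denied',
        check_access_hardened($req)   ? 'granted' : 'denied');
}
```

Run it with the PHP CLI to compare the two functions on each request. Note that `extract($request, EXTR_SKIP)` only protects variables that are already defined when `extract()` runs; it does nothing for a variable that the code never initialises, which is why the hardened version sets its default first and never imports request data into scope. Network-side, the IPS/IDS signature the report mentions catches attempts to exploit this class, but the durable fix is in the application code.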
IntelliShield published 133 events last week: 86 new events and 47 updated events. Of the 133 events, there were 78 Threat Outbreak Alerts, 40 Vulnerability Alerts, 11 Security Activity Bulletins, 2 Security Issue Alerts, 1 Applied Mitigation Bulletin, and 1 Cyber Risk Report. The alert publication totals are as follows:
Significant Alerts for the Time Period
Microsoft Windows NDProxy Local Code Execution Vulnerability
IntelliShield Vulnerability Alert 31948, Version 3, January 14, 2014
Urgency/Credibility/Severity Rating: 3/5/4
Microsoft Windows contains a vulnerability that could allow a local attacker to execute arbitrary code. Proof-of-concept code that exploits this vulnerability is publicly available. Reports indicate that the vulnerability is being actively exploited in the wild. Microsoft has confirmed the vulnerability and released software updates.
Previous Alerts That Still Represent Significant Risk
Samba DCE-RPC Packet Processing Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 32103, Version 1, December 10, 2013
Urgency/Credibility/Severity Rating: 2/5/4
Samba contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with root privileges or cause a denial of service condition. Updates are available.
Attacks and Compromises
Target Point-of-Sale Malware Identified
As the investigation into the Target compromise continues, researchers and investigators have released information on specific malware that appears to have been involved in the compromise. The malware is similar to previously reported point-of-sale (POS) malware that captures card data and transmits it to the criminals' external systems. Sources also report the Target compromise may have been a part of a larger criminal operation that compromised multiple retailers throughout the holiday period.
Related reports: Target Intrusion Malware; A Closer Look at the Target Malware; Fraud Patterns Suggest New Breaches
Analysis: The investigation, and the fraud activity now being reported, suggest that multiple businesses in addition to Target and Neiman Marcus have also been compromised. This highlights a few security capabilities that could have aided the detection and prevention of this and similar events. The first is the increased monitoring and incident response that all organizations need to put more effort into in 2014. Organizations should assume they will be attacked and compromised, which makes detection and response key to limiting and controlling incidents. The second is sharing information across industries. Ideally, the indicators of the compromise would have been detected and shared, alerting other retailers and businesses to the activity. In turn, they could have checked their own systems, and the scale and breadth of the attack would have been known earlier, allowing for a response. Focusing on these capabilities, and on where the industry needs to improve, is worth noting and putting on our agendas for the coming year.
Analysis: The Sochi Olympic games have one of the highest security profiles and threat levels of any recent games. While the security presence will likely be downplayed throughout the games, observant viewers are challenged to look in the background of the televised events for signs of the security activity. With clear threats to the games, there are likely to be incidents that will deserve careful review. Unfortunately, the security activity and incidents could overshadow the actual athletes and competition at these games, but they will provide security professionals with insights and lessons learned to consider for their own future deployments.
Analysis: The actual anniversary of Swartz's suicide was January 11, 2014, but the online protest movement is planned for February 11. While the majority of these groups are calling for peaceful protest activities, the hacktivist groups joining the protest have performed attacks on at least one website. Organizations should monitor this event for indicators of attacks against their networks, indications that their network is being used to perform or participate in the protests and attacks, or compromised systems.
Analysis: It is no longer noteworthy to observe that social media played a role in the organization of these protests. In 2014, that is a fairly safe assumption. Instead, enough data representing a broad sampling of different countries over several years now exists to allow us to analyze how social media affects popular protests, and what the implications may be for information security professionals and multinationals. For example, social media makes grassroots organization easier, less accountable, and less focused on a pre-planned outcome or set of demands. It may be a raw expression of popular anger or frustration, making it, on the face of things, less likely to pose an existential threat to governments or local authorities, and more likely to fizzle. On the other hand, because of the viral nature of social media, calls to action can go national or even international within hours. It is difficult if not impossible for authorities to control, short of unplugging the Internet entirely (Egypt's Mubarak did this, and it only served to inflame anger further).
This brings to mind the situation in North Korea, where a recent documentary aired by Frontline confirms that even in the most isolated state on earth, laptops and thumb drives are being smuggled in, giving North Koreans incentive to resist and question their repressive regime. Information security specialists will continue to face the challenges of viral information and misinformation—and over the short term may want to keep an eye on Internet-fed popular movements growing in Brazil and Ukraine.
Analysis: While much of the Internet of Everything is yet to come, the keynotes provided a strong insight into its existing state, current uses and deployments, and details of how those deployments are developing across multiple sectors. Those not directly involved in these operations will likely be surprised how many of these technologies are already in operation. From a security perspective, the Internet of Everything will alter the way security is planned, applied, and the services required to maintain the security of the "Everything" as it traverses the network.
Upcoming Security Activity
Cisco Live Milan: January 27–31, 2014
Network and Distributed System Security (NDSS) Symposium: February 23–26, 2014
RSA Conference USA 2014: February 24–28, 2014
CanSecWest: March 12–14, 2014
Cisco Live Melbourne: March 18–21, 2014
Cisco Partner Summit: March 24, 2014
Interop: March 31, 2014–April 4, 2014
Infosec World: April 5–11, 2014
Cisco Live US 2014: May 18–22, 2014
Black Hat USA: August 2–7, 2014
Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:
World Economic Forum: January 22–25, 2014
Winter Olympics in Sochi: February 7–23, 2014
ITU 6th World Telecom Development Conference: March 31–April 11, 2014
For information and commentary from the experts in Cisco Security Intelligence Operations, please visit the Cisco Security Blog.
For timely information from across Cisco Security Intelligence Operations, please consider following @CiscoSecurity on Twitter.
Cyber Risk Report
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.