The Cisco 2014 Annual Security Report has been released following months of collaboration between threat researchers and other cybersecurity experts at Cisco and Sourcefire. As promised, it provides a "warts-and-all analysis" of security news from 2013 and our perspective for the year ahead, based on data collected through Cisco security products and analyzed by our researchers. Cisco subject matter experts have provided additional detail and insights in a series of posts on the Cisco Security Blog.
Vulnerability activity increased for the period and was slightly higher than in February 2013. The highlight of the period was the Apple OS X security updates, but the period also included significant security updates for Google Chrome, Juniper Networks, IBM, Symantec, and multiple ICS/SCADA products.
Apple released security updates correcting multiple vulnerabilities in OS X Mavericks, Mountain Lion, and Lion. While media reporting focused on the Secure Transport vulnerability, a skipped signature check in the SSL/TLS handshake that lets an attacker on the network path impersonate TLS servers to an unpatched Mavericks client, the updates addressed as many as 17 vulnerabilities in total. Apple no longer supports Snow Leopard, which surveys indicate is still used by 20 percent of OS X users; those systems will not receive these fixes. Apple also released an update for QuickTime that corrected multiple vulnerabilities across multiple platforms.
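The Secure Transport flaw is worth seeing in code, because it is a control-flow slip rather than a cryptographic weakness: in Apple's sslKeyExchange.c a duplicated, unconditional "goto fail;" jumps past the signature verification while the error variable still holds the success value from the previous hash step, so the function reports success for any signature. The block below is an added illustration written for this report, not Apple's code: it reproduces the shape of the bug with a toy hash and a toy signature check (both assumptions standing in for SHA-1 and the real RSA/ECDSA verification) and shows the vulnerable and fixed variants side by side on constructed sample input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy stand-in for the SHA-1 hashing Secure Transport does over the
 * ServerKeyExchange parameters: 32-bit FNV-1a. Not cryptographic; it only
 * needs to make "signature matches" vs. "does not match" observable. */
typedef struct { uint32_t h; } toy_hash_ctx;

static int hash_init(toy_hash_ctx *c)
{
    c->h = 2166136261u;
    return 0;                       /* 0 means no error, as in the real code */
}

static int hash_update(toy_hash_ctx *c, const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        c->h ^= p[i];
        c->h *= 16777619u;
    }
    return 0;
}

/* Toy stand-in for the signature check: the peer's "signature" is the hash
 * value it claims we should compute over the parameters. */
static int raw_verify(const toy_hash_ctx *c, uint32_t sig)
{
    return (c->h == sig) ? 0 : -1;  /* -1 stands in for an SSL crypto error */
}

/* Vulnerable shape. The second "goto fail;" is unconditional, so execution
 * reaches the label with err still 0 from the successful hash_update() and
 * raw_verify() is never called: every signature is accepted. */
int verify_vulnerable(const uint8_t *params, size_t n, uint32_t sig)
{
    toy_hash_ctx ctx;
    int err;

    if ((err = hash_init(&ctx)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, params, n)) != 0)
        goto fail;
        goto fail;                  /* BUG: duplicated, unconditional */
    if ((err = raw_verify(&ctx, sig)) != 0)
        goto fail;
fail:
    return err;
}

/* Fixed shape: identical control flow without the stray goto. */
int verify_fixed(const uint8_t *params, size_t n, uint32_t sig)
{
    toy_hash_ctx ctx;
    int err;

    if ((err = hash_init(&ctx)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, params, n)) != 0)
        goto fail;
    if ((err = raw_verify(&ctx, sig)) != 0)
        goto fail;
fail:
    return err;
}

/* Constructed sample: bytes standing in for the signed key-exchange params. */
static const uint8_t SAMPLE_PARAMS[] = "dh_p|dh_g|dh_Ys";
#define SAMPLE_LEN (sizeof SAMPLE_PARAMS - 1)

/* The signature a genuine server would send for SAMPLE_PARAMS. */
uint32_t genuine_signature(void)
{
    toy_hash_ctx ctx;
    hash_init(&ctx);
    hash_update(&ctx, SAMPLE_PARAMS, SAMPLE_LEN);
    return ctx.h;
}

/* A forged signature: the genuine value with one bit flipped, so a correct
 * verifier must reject it. */
uint32_t forged_signature(void)
{
    return genuine_signature() ^ 1u;
}

/* Returns 1 if the given verifier accepts the forged signature (i.e. is broken). */
int accepts_forgery(int (*verify)(const uint8_t *, size_t, uint32_t))
{
    return verify(SAMPLE_PARAMS, SAMPLE_LEN, forged_signature()) == 0;
}

int main(void)
{
    printf("vulnerable accepts forged signature: %s\n",
           accepts_forgery(verify_vulnerable) ? "yes" : "no");
    printf("fixed accepts forged signature:      %s\n",
           accepts_forgery(verify_fixed) ? "yes" : "no");
    printf("fixed accepts genuine signature:     %s\n",
           verify_fixed(SAMPLE_PARAMS, SAMPLE_LEN, genuine_signature()) == 0 ? "yes" : "no");
    return 0;
}
```

Two practical checks follow from this. Compiling the vulnerable variant with clang and -Wunreachable-code reports the dead raw_verify() call, which is the kind of warning a build should treat as an error in crypto code. On a Mavericks system the fix ships as OS X 10.9.2; sw_vers -productVersion shows whether the installed version is still 10.9.1 or earlier.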
Significant security updates were also released for multiple vulnerabilities in Google Chrome, Juniper Networks Security Threat Response Manager, and Symantec Endpoint Protection Manager. IBM released security updates for Platform Symphony Servlet, InfoSphere, QRadar, and Rational Focal Point. Red Hat released security updates for JBoss and RubyGems.
In open source products, vulnerabilities and security updates were released for LibTIFF, OpenLDAP, OpenSSH, OpenSSL, OpenX plugin, and PostgreSQL. ESET also released a detailed analysis of the OpenSSH backdoor and credential stealer malware named Linux/Ebury.
In ICS/SCADA systems, security updates included the GE Proficy gefebt.exe Path Traversal Vulnerability, for which functional exploit code is publicly available, as well as updates for Rockwell RSLogix, Schneider Electric products, and Siemens RuggedCom.
Spam and phishing activity during the period included campaigns using employment themes.
IntelliShield published 211 events last week: 134 new events and 77 updated events. Of the 211 events, 106 were Vulnerability Alerts, 15 were Security Activity Bulletins, six were Security Issue Alerts, 83 were Threat Outbreak Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:
Significant Alerts for the Time Period
Apple OS X Mavericks Security Updates For February 2014
IntelliShield Security Activity Bulletin 33051, Version 1, February 25, 2014
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2014-1245, CVE-2014-1246, CVE-2014-1247, CVE-2014-1248, CVE-2014-1249, CVE-2014-1250, CVE-2014-1254, CVE-2014-1255, CVE-2014-1256, CVE-2014-1257, CVE-2014-1258, CVE-2014-1259, CVE-2014-1260, CVE-2014-1261, CVE-2014-1262, CVE-2014-1263, CVE-2014-1265
Apple has released a security and feature update to correct multiple vulnerabilities in Apple Mac OS X 10.9.1, and security updates for Mountain Lion 10.8.5 and Lion 10.7.5.
Previous Alerts That Still Represent Significant Risk
Adobe Flash Player and AIR Security Advisory for February 20, 2014
IntelliShield Security Activity Bulletin 32953, Version 2, February 20, 2014
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2014-0498, CVE-2014-0499, CVE-2014-0502
Adobe Flash Player and AIR contain multiple vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Updates are available.
Microsoft Internet Explorer Use-After-Free Vulnerability
IntelliShield Vulnerability Alert 32870, Version 2, February 20, 2014
Urgency/Credibility/Severity Rating: 3/5/4
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Exploits observed in the wild target Internet Explorer 10 with Adobe Flash. Reports also indicate that installing Microsoft's Enhanced Mitigation Experience Toolkit (EMET) or updating to Internet Explorer 11 prevents the exploit. Microsoft has confirmed the vulnerability in a security advisory; however, software updates were not available at the time of publication.
Apache Commons FileUpload Content-Type Header Parsing Denial of Service Vulnerability
IntelliShield Vulnerability Alert 32760, Version 2, February 12, 2014
Urgency/Credibility/Severity Rating: 2/5/3
A vulnerability in Apache Commons FileUpload could allow an unauthenticated, remote attacker to cause a denial of service condition. Proof-of-concept code that exploits the Apache FileUpload Content-Type HTTP header parsing denial of service vulnerability is publicly available. Apache confirmed the vulnerability in software change logs; however, stable release software updates are not yet available.
Adobe Flash Player Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 32718, Version 4, February 20, 2014
Urgency/Credibility/Severity Rating: 3/5/4
Adobe Flash Player contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Reports indicate that the vulnerability is related to the previously reported zero-day attack. Adobe reports that attacks targeting this vulnerability have occurred in the wild. Adobe has confirmed the vulnerability in a security bulletin and released software updates.
Mt. Gox Under Investigation
Japan and the U.S. Department of Justice are investigating the recent activity at the Bitcoin exchange Mt. Gox. The Mt. Gox website reportedly came under attack, halted transactions, and was then apparently shut down. Various reports suggest that the attacks on Mt. Gox allowed criminals to steal millions in bitcoins, while other reports suggest that the owners of the site may still hold millions in bitcoins that belong to their customers; with the shutdown in place, customers cannot access their accounts.
Mt. Gox Implodes
Theft at Mt. Gox Shakes Bitcoin World
Mt. Gox Situation Crisis Strategy
Analysis: As many businesses and e-commerce websites consider accepting bitcoin transactions, the latest developments at Mt. Gox give cause for concern and reconsideration. Bitcoin markets and values have generally been very volatile, but multiple governments, banks, and commerce organizations have been reviewing the potential and the risks of the new currency and were moving toward its more general acceptance. Mt. Gox, which is located in Japan, is under investigation by both Japan and the U.S.; depending on the findings and details, the outcome could push bitcoin markets and general acceptance in either direction. The bitcoin markets and exchanges remain volatile and high risk.
"Black" Mobile Phones Blitz
One of the hot topics at both the RSA Conference and the Mobile World Congress last week was the announcement by multiple vendors of new high-privacy, high-security mobile phones, marketed as "Black" phones. Some of these phones are already available; others were announced for release soon. While they vary slightly by vendor, these phones are designed to provide strong encryption, security, privacy, and identity protection to prevent monitoring, information leaks, and compromise, from both an electronic and a physical perspective.
Boeing Extra Secure Phone Reaches FCC
Blackphone Plans More Secure Devices
Analysis: It is too early in this market's development to determine whether these high-security devices will be widely adopted or reach only a niche market. The developments may be good news for BlackBerry as it attempts to recapture market share, and for customers in general, as other vendors may develop higher-security models. These phones will likely cost more and carry higher service costs, but organizations that determine they need higher levels of security might consider these offerings. Criminal groups will also be interested in protecting their communications from law enforcement and security intelligence organizations. The phones could also challenge businesses and organizations in monitoring their networks and enforcing their BYOD policies. Businesses should be proactive and address this developing market by becoming familiar with these devices and considering how they will affect their policies and practices.
Turkey Tightens Internet Controls Amid Uptick in Political Unrest
In February, the Turkish government approved a new law weakening the courts and strengthening its ability to censor the Internet, according to a variety of reports. The move angered many Turkish citizens and prompted thousands of protesters to take to the streets of Istanbul, where they were dispersed by police using water cannons and tear gas. Not all English language reports on the topic agree, so details are difficult to confirm, but under the new law, it appears that law enforcement authorities would be authorized to block websites without a court order. Permission to obtain "Internet data" would require a court order. In recent weeks, Turkish language social media has been flooded with leaked recordings and documents purportedly exposing high-level corruption related to the administration of Prime Minister Recep Tayyip Erdogan. Laws governing websites and social media in Turkey are already tight, and speech freedoms have been strictly curtailed for years, according to a variety of reports.
Turkey's Gul Approves Law Tightening Internet Controls
Turkey's Internet Crackdown
Turkish Police Clash with Protesters over Internet Restriction Laws
Analysis: The law comes amid an intensifying standoff between political rivals in Turkey, and during an election year. The new law is seen as an effort to counter the growing influence of Pennsylvania-based cleric Fethullah Gulen, a former political ally-turned-rival of Prime Minister Erdogan. Gulen is said to virtually control the courts and police forces in Turkey, and supporters of Prime Minister Erdogan see the recent corruption revelations implicating him as orchestrated by Gulen. From an information security perspective, the intensifying standoff in Turkey merits watching. After a decade of relative political stability and strong economic growth, Turkey appears to be entering a volatile period. Given the role of social media and mobile communications in Turkey's protest flare-up last summer, coupled with Turkey's history of censorship of speech and journalism, it is likely that the government will continue to use Internet controls as a tool in asserting control over protests. Companies with network assets in-country may want to consider contingency plans in the event of prolonged outages or in case of government moves to censor outward-facing websites and content.
Upcoming Security Activity
CanSecWest: March 12-14, 2014
Cisco Live Melbourne: March 18-21, 2014
Cisco Partner Summit: March 24, 2014
Black Hat Asia: March 25-28, 2014
Interop: March 31, 2014-April 4, 2014
Infosec World: April 5-11, 2014
Cisco Live 2014: May 18-22, 2014
Black Hat USA: August 2-7, 2014
DEF CON 22: August 7-10, 2014
(ISC)2 Security Congress and ASIS 2014: September 29-October 2, 2014
Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:
ITU 6th World Telecom Development Conference: March 31-April 11, 2014
2014 FIFA World Cup Brazil: June 12-July 13, 2014
For information and commentary from the experts in Cisco Security Intelligence Operations, please visit the Cisco Security Blog.
For timely information from across Cisco Security Intelligence Operations, please consider following @CiscoSecurity on Twitter.
Cyber Risk Report
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.