Are you excited about March Madness? Turn on a TV and it will be hard to avoid the games, the news, the commentaries, and the jokes about it. If you eavesdrop in any restaurant, bar, or office conversation, I can assure you that you will hear something about it. Even U.S. President Barack Obama filled out a March Madness bracket. Productivity in many offices drops significantly as employees search and watch videos to see how their bracket picks are progressing. At Cisco, we have an open policy and employees can watch and search the scores of their favorite teams. Watch this video posted by CNN where Kip Compton, Cisco’s Video Collaboration Group CTO, talks about March Madness.

During the last couple of years, the industry saw a spike in web malware during the March Madness season. SQL injection attacks, iframe injections, JavaScript, and Java malware were some of the most prevalent. A few months ago, I provided details about some of today’s cyber-criminal tools (exploit kits) and some of the weapons of choice like Blackhole, RedKit, Styx, CrimeBoss, and Cool.

A few things to keep in mind:

  • Legitimate business sites may have vulnerabilities that allow a hostile site to deliver malware.
  • In most drive-by downloads, the victim is willing to dismissively click pop-ups and warnings as they navigate to the desired content. In this case, users may just click on pop-ups or ads to watch videos about their favorite team.
  • Most drive-by downloads can be prevented by keeping software up to date.

Java is one of the major targets nowadays and cyber-criminals are currently leveraging several of its vulnerabilities in preparation for March Madness. This timeline includes some of the recent vulnerabilities. Information on the most recent vulnerabilities is available at the Cisco Security Intelligence Operations (SIO) portal:

Additionally, security researchers recently released details on multiple new instances of certain types of vulnerabilities in Java. It is still recommended that you disable Java in web browsers. The following links provide instructions on how to disable Java in various web browsers:

If you are using Java 7 Update 10 or later, you can execute the Java installer with the WEB_JAVA=0 command-line option. Oracle’s Java documentation has more detailed information about this feature.

Beyond Java

Java vulnerabilities are certainly not the only challenge. Every day exploit-kits and other “crimeware” tools are used by cyber-criminals to attack other vulnerable and outdated browser plug-ins, as well as client software such as Adobe Flash, Acrobat Reader, ColdFusion, and many others. For instance, you might remember the Adobe Reader and Acrobat sandbox bypass arbitrary code execution vulnerabilities (CVE-2013-0640 and CVE-2013-0641) back in February. These vulnerabilities could allow an unauthenticated, remote attacker to execute arbitrary code on affected systems. The ColdFusion vulnerabilities (CVE-2013-0625, CVE-2013-0629, CVE-2013-0631, and CVE-2013-0632) are recent examples that are still being exploited in the wild.

Regarding web browser plug-ins, please keep in mind that many of them don’t always update automatically. You can use tools such as Mozilla’s plug-in check to verify that you are running the latest versions of plug-ins installed in your browser.

Note: For those of you that may be interested in learning how web browser plug-ins work on a more technical level, Google has a great document that describes Chrome plug-in architecture and Mozilla has one that describes the plug-in architecture in Firefox.

Mobile Devices Are Not Immune! 

Mobile device malware is increasing at a very rapid pace. For example, Android malware grew 2577 percent over 2012 (more information in our Annual Security Report). In other words, the post-PC malware threat is already happening and it is here to stay. Mobile devices have become the favorite target for many cyber-criminals because, unfortunately, things as simple as password management have become very weak. A large number of users do not even use basic, common-sense password protection on their handsets or tablets.

It might not be the most groundbreaking bit of advice, but staying up on all the security updates for Android, Apple iOS, and others is extremely important. Download apps from respected sources! Mobile device users must try to avoid malicious and compromised mobile apps. That may be common sense, but folks are currently bypassing vendor marketplaces such as Google Play and Apple Store to download “free games and free apps.” Many times, these free apps come with other gifts (i.e., malware).

Enterprise Security Professionals Look Out!

Command and Control (C&C) is the interface between the victims and the attackers. The attacker commands the C&C, and the C&C commands the malware installed on victims’ systems. Historically, these have been controlled using Internet Relay Chat (IRC) because of its simplicity, flexibility, and ease of administration. However, these days, a lot of C&C is happening over encrypted channels (TLS/HTTPS) and Tor.

DNS monitoring is one of the few things that can be done in that case. Many of these attacks leverage dynamic DNS. Passive DNS monitoring is a great tool for finding additional malicious IP addresses and hostnames. Even if you don’t have the expertise and capability to deploy elaborate techniques such as running your own ISC DNS Data Base, at the very least, you should only allow DNS queries to go through internal recursive servers. Prevent clients from directly querying external DNS servers (i.e., only permit known “safe” servers).
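The two checks described above, as an added example that is not part of the original post: flagging clients that send DNS traffic past the internal recursive servers, and pivoting through passive DNS data from one known-bad hostname to related IP addresses and hostnames. The resolver addresses, flow records, passive DNS records, and function names are all constructed for illustration.

```python
from collections import defaultdict

# Assumption: the site's internal recursive resolvers (hypothetical addresses).
RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed flow records: (src_ip, dst_ip, proto, dst_port).
FLOWS = [
    ("10.1.4.20", "10.0.0.53", "udp", 53),     # normal: via internal resolver
    ("10.0.0.53", "198.51.100.1", "udp", 53),  # resolver recursing outward
    ("10.1.4.77", "203.0.113.8", "udp", 53),   # client bypassing the resolvers
    ("10.1.4.77", "203.0.113.9", "tcp", 53),
    ("10.1.4.31", "192.0.2.10", "tcp", 443),   # not DNS
]

# Constructed passive DNS observations: (hostname, resolved_ip).
PDNS = [
    ("bad.dyn.example", "192.0.2.10"),
    ("bad.dyn.example", "192.0.2.11"),
    ("cdn2.dyn.example", "192.0.2.11"),
    ("cdn2.dyn.example", "192.0.2.12"),
    ("login.dyn.example", "192.0.2.12"),
    ("shop.example", "192.0.2.200"),           # unrelated infrastructure
]

def direct_dns_clients(flows, resolvers=RESOLVERS):
    """Map each client to the non-approved DNS servers it queried directly."""
    hits = defaultdict(set)
    for src, dst, _proto, dport in flows:
        if dport == 53 and src not in resolvers and dst not in resolvers:
            hits[src].add(dst)
    return {client: sorted(dsts) for client, dsts in hits.items()}

def pivot(pdns, seed_host, max_hosts_per_ip=50):
    """Expand a known-bad hostname to IPs and hostnames sharing infrastructure."""
    h2i, i2h = defaultdict(set), defaultdict(set)
    for host, ip in pdns:
        h2i[host].add(ip)
        i2h[ip].add(host)
    hosts, ips, queue = {seed_host}, set(), [seed_host]
    while queue:
        for ip in h2i[queue.pop()] - ips:
            ips.add(ip)
            # Crowded IPs (shared hosting) link unrelated names: do not expand.
            if len(i2h[ip]) > max_hosts_per_ip:
                continue
            new = i2h[ip] - hosts
            hosts |= new
            queue.extend(new)
    return sorted(hosts), sorted(ips)
```

Results from `pivot` are leads to review rather than confirmed indicators, since unrelated sites can share an address; `max_hosts_per_ip` limits that noise.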

Most of these attacks can leave a trail that can be used to identify subsequent attempts to perform the same or similar actions. There are many best practices that can be used to protect against some of these attacks. The following are a few resources that can help you maintain a good level of security within your network and your users:

Whether your team is Duke, Memphis, Oregon, or Michigan State, regardless of whether they play good defense, you must always maintain a good defense against the bad guys out there. Comments are welcome about your favorite team or favorite best practice to combat the bad guys these days.


Omar Santos

Distinguished Engineer

Cisco Product Security Incident Response Team (PSIRT) Security Research and Operations