Java, Android were THE wide-open barn doors of security in 2013 - report

Cisco research claims two techs led to nearly all of the exploits

While it was another tough year for network security all around, 2013 was particularly hard on users of Java and Android, new research from Cisco has found.

According to the networking giant's latest Annual Security Report, Java flaws were responsible for 91 per cent of all web-based exploits in 2013. Meanwhile, fully 99 per cent of all mobile malware discovered during the year targeted Android, as did 71 per cent of all web-based attacks on mobile devices.

Attacks targeting Adobe Flash and Adobe Reader/Acrobat – which together once accounted for nearly half of all web-based exploits – paled in comparison to Java exploits in 2013. iOS-specific malware was virtually nonexistent, although fanbois did bear the brunt of 14 per cent of web-based mobile attacks.

That Java should be the source of so many security breaches should come as no surprise to anyone who has followed the seemingly endless series of exploits that have been discovered since the fateful summer of 2012.

So many flaws have been found in the Java web plugin now, in fact, that no less than the US Department of Homeland Security has urged Americans to disable Java in their browsers unless it's absolutely necessary, since there are likely to be many more vulnerabilities waiting to be exploited.

Cisco chart comparing exploits targeting Java, Flash, and PDF in 2013

When it came to exploits in 2013, Java made Flash and PDF look like pikers (Source: Cisco)

But these zero-day exploits are only part of the problem. Recent Java 7 releases have plugged many freshly discovered holes, but that only helps if customers are running an up-to-date version.

On the contrary, Cisco says that 76 per cent of customers of its Cisco Web Security services are still running Java 6, which Oracle stopped supporting with fresh security updates in March 2013.

This isn't mere laziness on the customers' part. The same data shows that 90 per cent of those customers are also running Java 7. In many cases, these enterprises run both versions side-by-side because certain of their applications require a specific Java version to run – which unfortunately leaves them vulnerable.

"If security professionals who have limited time to fight web exploits decide to focus most of their attention on Java, they'll be putting their resources in the right place," Cisco's report suggests.

Criminals: These are the droids you're looking for

Similarly, malware developers in the mobile realm seem laser-focused on Android, with Android users experiencing nearly three quarters of all encounters with web-based malware in 2013.

But here the threat profile was a little different. Virtually all malware attacks that were designed to compromise specific handsets targeted Android, but these were actually very rare, accounting for just 1.2 per cent of the total. The vast majority of mobile attacks involved things like phishing, social engineering lures, or forcible redirects to unwanted websites, rather than direct attacks on the device hardware or operating system.

Even so, Android devices were hit 71 per cent of the time. Cisco blames a combination of poor or nonexistent security policies and the popularity of mobile apps for many of these attacks.

"Instituting a formal program for managing mobile devices to help ensure that any device is secure before it can access the network is one solution to improve security for the enterprise," the report states.

Perhaps the most disturbing finding in this year's Cisco report, however, is the overall increase in targeted attacks against businesses, with many attacks aimed at specific industries and vertical markets. For example, while attacks targeting the electronics industry have been seen before, 2013 even saw an increase in attacks against the agriculture and mining sectors, which had previously been seen as low-risk.

Cisco chart showing pervasiveness of malicious traffic types

Wondering if there's dodgy traffic on your network? You're asking the wrong question (Source: Cisco)

Often, Cisco says, criminals will target industry-specific websites to set up "watering holes," malware-spewing sites designed to compromise groups of people with common interests, such as people who work in the same field.

Cisco claims the newest twist is for attackers to target internet infrastructure – including web servers, DNS servers, and data centers – with the goal of using compromised servers to do their dirty work for them, spreading malware far and wide within an organization or an industry.

Given all of this activity, just how prevalent is malware within the typical enterprise? According to Cisco, 92 per cent of the business networks it analyzed showed traffic to websites with no content, which typically host malware. Another 96 per cent showed traffic to hijacked servers. And 100 per cent of the networks surveyed had traffic going to servers that were known malware hosts.

In other words, cyber-crime is now utterly pervasive, and once an attacker manages to gain access to a corporate network, they often hang around for a long time.

"All organizations should assume they've been hacked," Cisco's 2014 Annual Security Report warns, "or at least agree that it's not a question of if they will be targeted for an attack, but when ... and for how long." ®
