Java, Android were THE wide-open barn doors of security in 2013 - report

Cisco research claims two techs led to nearly all of the exploits


While it was another tough year for network security all around, 2013 was particularly hard on users of Java and Android, new research from Cisco has found.

According to the networking giant's latest Annual Security Report, Java flaws were responsible for 91 per cent of all web-based exploits in 2013. Meanwhile, fully 99 per cent of all mobile malware discovered during the year targeted Android, as did 71 per cent of all web-based attacks on mobile devices.

Attacks targeting Adobe Flash and Adobe Reader/Acrobat – which together once accounted for nearly half of all web-based exploits – paled in comparison to Java exploits in 2013. iOS-specific malware was virtually nonexistent, although fanbois did bear the brunt of 14 per cent of web-based mobile attacks.

That Java should be the source of so many security breaches should come as no surprise to anyone who has followed the seemingly endless series of exploits that have been discovered since the fateful summer of 2012.

So many flaws have been found in the Java web plugin now, in fact, that no less than the US Department of Homeland Security has urged Americans to disable Java in their browsers unless it's absolutely necessary, since there are likely to be many more vulnerabilities waiting to be exploited.

[Figure: Cisco chart comparing exploits targeting Java, Flash, and PDF in 2013] When it came to exploits in 2013, Java made Flash and PDF look like pikers (Source: Cisco)

But these zero-day exploits are only part of the problem. Recent Java 7 releases have plugged many freshly discovered holes, but that only helps if customers are running an up-to-date version.

On the contrary, Cisco says that 76 per cent of customers of its Cisco Web Security services are still running Java 6, which Oracle stopped supporting with fresh security updates in March 2013.

This isn't mere laziness on the customers' part. The same data shows that 90 per cent of those customers are also running Java 7. In many cases, these enterprises run both versions side-by-side because certain of their applications require a specific Java version to run – which unfortunately leaves them vulnerable.

"If security professionals who have limited time to fight web exploits decide to focus most of their attention on Java, they'll be putting their resources in the right place," Cisco's report suggests.

Criminals: These are the droids you're looking for

Similarly, malware developers in the mobile realm seem laser-focused on Android, with Android users experiencing nearly three quarters of all encounters with web-based malware in 2013.

But here the threat profile was a little different. Virtually all malware attacks that were designed to compromise specific handsets targeted Android, but these were actually very rare, accounting for just 1.2 per cent of the total. The vast majority of mobile attacks involved things like phishing, social engineering lures, or forcible redirects to unwanted websites, rather than direct attacks on the device hardware or operating system.

Even so, Android devices were hit 71 per cent of the time. Cisco blames a combination of poor or nonexistent security policies and the popularity of mobile apps for many of these attacks.

"Instituting a formal program for managing mobile devices to help ensure that any device is secure before it can access the network is one solution to improve security for the enterprise," the report states.

Perhaps the most disturbing finding in this year's Cisco report, however, is the overall increase in targeted attacks against businesses, with many attacks aimed at specific industries and vertical markets. For example, while attacks targeting the electronics industry have been seen before, 2013 even saw an increase in attacks against the agriculture and mining sectors, which had previously been seen as low-risk.

[Figure: Cisco chart showing pervasiveness of malicious traffic types] Wondering if there's dodgy traffic on your network? You're asking the wrong question (Source: Cisco)

Often, Cisco says, criminals will target industry-specific websites to set up "watering holes," malware-spewing sites designed to compromise groups of people with common interests, such as people who work in the same field.

Cisco claims the newest twist is for attackers to target internet infrastructure – including web servers, DNS servers, and data centers – with the goal of using compromised servers to do their dirty work for them, spreading malware far and wide within an organization or an industry.

Given all of this activity, just how prevalent is malware within the typical enterprise? According to Cisco, 92 per cent of the business networks it analyzed showed traffic to websites with no content, which typically host malware. Another 96 per cent showed traffic to hijacked servers. And 100 per cent of the networks surveyed had traffic going to servers that were known malware hosts.

In other words, cyber-crime is now utterly pervasive, and once an attacker manages to gain access to a corporate network, they often hang around for a long time.

"All organizations should assume they've been hacked," Cisco's 2014 Annual Security Report warns, "or at least agree that it's not a question of if they will be targeted for an attack, but when ... and for how long." ®
