Cyber Risk Report

May 3–9, 2010

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.


Vulnerability and threat activity for this period was below previous periods. The most significant activity may have been around the media reports of root DNS servers making the transition to DNSSEC. However, the headlines and reports may have misled many that have not been closely following this activity. This week the last of the 13 root servers (the J-Root server) began to serve the signed root in the form of the DURZ (Deliberately Unvalidated Root Zone) on May 5, 2010. This is the continuation of the DNSSEC testing that began in January 2010. Additional information on this activity is available in IntelliShield alert 20418.

Another privacy hole was identified in Facebook privacy settings that allowed a user to view another user's information. Ironically, the vulnerable setting was designed as a privacy setting to allow users to view what information they were exposing to other users. As the privacy settings on Facebook continue to evolve, they are also becoming more complex and difficult to understand. Users are reminded to check these settings regularly, and are recommended to minimize their exposure by selecting the most private settings.

Microsoft has released their Security Bulletin Advance Notification for May 2010. According to the notification, Microsoft will release two security bulletins on Tuesday, May 11, 2010.

IntelliShield published 56 events last week: 34 new events and 22 updated events. Of the 56 events, 36 were Vulnerability Alerts, five were Security Activity Bulletins, four were Security Issue Alerts, 10 were Threat Outbreak Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day Date New Updated Total
Friday 05/07/2010 10 12 22
Thursday 05/06/2010 13 5 18
Wednesday 05/05/2010 2 1 3
Tuesday 05/04/2010 3 1 4
Monday 05/03/2010 6 3 9
Weekly Total 34 22 56


Significant Alerts for the May 3-9, 2010

DNSSEC-enabled Queries to the DURZ Serving Root May Affect DNS Services
IntelliShield Vulnerability Alert 20418, Version 1, May 3, 2010
Urgency/Credibility/Severity Rating: 2/5/3

DNSSEC-enabled queries to the root servers may be affected because the last (J-root) of the 13 root servers will begin serving the DURZ on May 5, 2010.

Previous Alerts That Still Represent Significant Risk

Microsoft SharePoint Server 2007 Cross-Site Scripting Vulnerability
IntelliShield Vulnerability Alert 20415, Version 2, April 30, 2010
Urgency/Credibility/Severity Rating: 2/5/3

Microsoft SharePoint Server 2007 versions SP2 and prior contains a cross-site scripting vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary HTML or script code in a user's browser. Proof-of-concept code that exploits this vulnerability is publicly available. Microsoft has confirmed this vulnerability, but software updates are not available.

McAfee VirusScan DAT Update May Cause Microsoft Windows System Failure
IntelliShield Vulnerability Alert 20375, Version 2, April 22, 2010
Urgency/Credibility/Severity Rating: 4/5/3

A McAfee DAT file that was distributed to VirusScan applications has caused errors on certain Microsoft Windows XP-based systems. As a result of installing the 5958 DAT file and rebooting, systems may be rendered unusable. McAfee has released a knowledgebase article with various workarounds.

Oracle Java Web Start Java Development Kit ActiveX Control Command-Line Injection Vulnerability
IntelliShield Vulnerability Alert 20314, Version 3, April 20, 2010
Urgency/Credibility/Severity Rating: 3/5/4

Oracle Java contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands on the system with the privileges of the user. Systems with Oracle Java JRE and JDK 6 Update 10 and later contain the affected ActiveX control and are vulnerable. Updates are available.

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 48, April 27, 2010
Urgency/Credibility/Severity Rating: 2/5/3

Multiple TLS implementations contain a vulnerability when renegotiating a Transport Layer Security (TLS) session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Proof-of-concept code that exploits this vulnerability is publicly available. Mozilla and Oracle, in addition to other vendors, have released updates for this vulnerability.

Microsoft Internet Explorer Invalid Pointer Reference Access Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20052, Version 4, March 30, 2010
Urgency/Credibility/Severity Rating: 3/5/4

Microsoft has re-released a security advisory and updated software to address the Microsoft Internet Explorer invalid pointer reference access arbitrary code execution vulnerability. Functional exploit code is being used in ongoing exploits, and Microsoft has released a security bulletin and updated software.

Mozilla Firefox WOFF Decoder Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19968, Version 2, March 23, 2010
Urgency/Credibility/Severity Rating: 2/5/4

Mozilla Firefox contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Mozilla has confirmed this vulnerability and has released updated software.

Microsoft VBScript Unsafe Help File Handling Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20014, Version 3, April 13, 2010
Urgency/Credibility/Severity Rating: 2/5/4

Microsoft has released a security advisory with information about affected products to address the Microsoft Internet Explorer unsafe help file handling arbitrary code execution vulnerability. Proof-of-concept code that demonstrates code execution is available.


Following Unsuccessful Times Square Bombing, TSA Tightens No-fly Rules

After authorities disarmed an improvised explosive device in New York City on May 1, Transportation Security Administration officials have shortened the interval that airlines are required to check the "no-fly" list to two hours from 24 hours. According to US Attorney General Eric Holder, Faisal Shahzad has admitted involvement in the attack. During the investigation, Shahzad's name was added to the TSA's "no-fly" list that is intended to prevent specific persons from traveling on airlines in the United States. Although investigators did not escalate Shahzad's addition to the list by calling each airline to alert them of the change, Shahzad was nonetheless recognized on the passenger list of a Dubai-bound Emirates Airlines flight by Customs and Border Protection agents at New York's JFK airport. Shahzad's flight, which was in the process of leaving the gate, was delayed and he was removed from the plane and arrested.
Read More
Additional Information

IntelliShield Analysis: Shahzad's capture is being hailed as a victory by law enforcement, who cite the layered security checks as being complementary controls that collectively aided in the detection of this suspect. To the extent that Shahzad was unable to evade capture and flee the United States, and that the capture was directly related to his name appearing on the "no-fly" list, this is true. The capture of Shahzad, however, should be considered a success independent of the failed detonation of the explosive device. The TSA's efforts to adjust its controls show that it is taking the important step of continually improving security according to the results of past incidents. Organizations should likewise include procedural reviews and updates during the post-mortem analyses of incidents.


Report Blames IT Staff for School Webcam Spying

An independent report has found the IT department to be responsible for the privacy concerns of students and their parents in the Lower Merion School District of Philadelphia, Pennsylvania. The report found that the IT department failed to inform the school board or the students of the spying capabilities of their laptops. As a result the capability was abused and a student was shown a snapshot of himself that could only have been taken by the laptop camera.
Read More
Additional Information
Additional Information

IntelliShield Analysis: Because the spying capabilities of the laptops were not explained, the school board did not fully understand the impact of this feature as it might apply to the privacy concerns of the students and their parents. Without understanding the risk of mixing a laptop that is running software that features remote spying capabilities with students who did not know about it, the stage was set for spying to occur and in the end a case was brought forward. Had the school board been properly informed about the potential spying capability, they could have chosen to disable the capability or inform the students that it was only there to help find laptops that had been lost or stolen. This can be a common risk where the decision makers do not have the full technical information needed to make an informed decision. It is incumbent on both the decision makers and the technical advisors to reach that understanding in order to avoid creating unnecessary risk when deploying technologies.


United States Treasury Department Websites Victim of iFrame Injection Attack

Multiple websites associated with the United States Treasury Department were discovered to contain malicious code in the form of an HTML iFrame. The iFrame would redirect users to a website hosted in the Ukraine, which would serve malicious code to visitors. This attack is known to have affected visitors of the,, and websites. Roger Thompson, the Chief Research Officer for AVG, initially disclosed this attack in a blog post on May 3, 2010.
Read More
Additional Information

IntelliShield Analysis: This type of attack can be especially damaging to legitimate businesses and users alike. Users are at risk of having their systems compromised and personal information stolen, while businesses can suffer financial losses through a damaged reputation. Compromised websites often go undiscovered until users report unexpected behavior by their web browser. Companies can combat these attacks by conducting thorough audits of website code and web server activity. These audits should be carried out by qualified security personnel. Regular IT staff or web developers may not be aware of the most current exploits in use by attackers or how to detect or diagnose them.


There was no significant activity in this category during the time period.


Fun With Secret Questions & Answers

A popular security blog picked up the notice that a bank has implemented custom questions and answers for its identity verification system. The fact that they have taken this action shows that the bank is truly security aware. Many sites that require a password have implemented automatic password recovery of sorts by using an answer to a common question asked to the user as proof that they are indeed that user. The problem with these questions is that many times the information asked, things like your mother's maiden name, your place of birth, the name of your high school, etc., are well known, or at the very least somewhat publicly available. Facebook is a treasure trove of such information (you have tightened up your Facebook privacy settings haven't you?) as well as past newspaper articles that are now available online and other public records.
Read More
Additional Information
Additional Information

IntelliShield Analysis: It is a fairly trivial matter to discover a person's user ID for a website and masquerade as that user during a password recovery attempt, and some individuals have done it very successfully. When answering these questions, thought should be given as to whether or not the answer is publicly available through either normal or malicious means. If the answer is yes, an incorrect answer should be supplied. It does not matter what the answer is as long as the same answer is given later on. However, now the onus is on the user to remember these incorrect answers. This is no longer an easy task since incorrect information was provided as the answer and the likelihood that many different websites required this type of information. Secure password storage programs have come to the rescue in this regard. The answer given can be stored securely for later use in the case of a legitimate password recovery action. Many of these programs will also automatically fill out a form on a web page. Another good practice is to never encourage an operator to override their default secure actions by revealing or resetting a password without the proper answers or authorization, this will only encourage weaker security actions later on. And remember to make backups.


British Elections Leave IT Policy in Doubt

Millions of UK citizens went to the polls last Thursday to vote in historic general elections, bringing in 306 seats for the Conservative Party, 258 for Labor, and 57 seats for the Liberal Democrats. Turnout was the biggest in 30 years, according to the BBC, leading many queued voters to be turned away when polls closed, and prompting calls for a rethink of outdated polling laws. Since no party gained a majority in the House of Commons, Britain is now faced with its first hung parliament since 1974. Conservative Party leader David Cameron has offered the Liberal Democrats an opportunity to form a coalition government, and Prime Minister Gordon Brown has announced his intention to step down as leader of the Labour Party. The British pound declined as election results firmed up on Friday, indicating market discomfort with the prospect of a weakened British government facing challenging fiscal problems.
Read More
Additional Information
Additional Information

IntelliShield Analysis: What follows next is most likely a period of political horse-trading, in which the Conservatives attempt to cobble together a coalition government, or opt to stick with a minority government. There are fears that, absent a clear majority, the United Kingdom will lack the mandate and voting muscle it needs to push through polices un-muddied by compromise. On technology policy, it appears likely that earlier commitments to making broadband available to all will move forward, although how to pay for it given high fiscal deficits may slow progress toward this goal. Conservatives and Liberal Democrats agree that cuts in government spending on public IT contracts may be necessary to rein in the deficit. Britain's Digital Economy law, which passed Parliament just before the election and which codifies the so-called three strikes scheme against repeat copyright offenders, is opposed by Liberal Democrats and many in the Conservative Party, so aspects of it may be reconsidered. Conservative aversion to closer relations with the European Union, meanwhile, may not be good news for proposals such as the EU's data rights charter, which would strengthen privacy laws.

Upcoming Security Activity

AusCERT2010: May 17–20, 2010
Gartner Security & Risk Management Summit: June 21–23, 2010
Cisco Live 2010 (Las Vegas): June 27–July 1, 2010
Black Hat USA (Las Vegas): July 24–29, 2010

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

World Expo (Shanghai, China):May 1–October 31, 2010
Poland Elections: June 20, 2010
G20 Summit (Toronto, Canada): June 26–27, 2010
FIFA World Cup (South Africa): June 11–July 11, 2010

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.

Back to Top