Cyber Risk Report

November 2–8, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.


Vulnerability and threat activity for this period remained elevated, but consistent with recent periods.  The period was highlighted by the public disclosure of a vulnerability in the SSL/TLS implementations that can allow a man-in-the-middle attack to compromise the encrypted communications.  Vendors have been aware of the vulnerability since September 2009, but details of the vulnerability began leak publicly during this past week.  The Industry Consortium for the Advancement of Security on the Internet (ICASI) has been working with the researcher and coordinating with vendors.  This vulnerability will impact a very large number of applications and platforms.  There are some possible mitigations while vendors work to provide updates to correct the vulnerability in their products.  OpenSSL has released an updated version that corrects the vulnerability.

Important vulnerabilities were also reported in IBM Tivoli, the Sun Java Runtime Environment (JRE), RIM Blackberry, and Adobe Shockwave.  Users are advised to use the software update features to install the latest updates.

A vulnerability was also reported in multiple social networking websites and applications that allows the potential compromise of private information on these sites.  The vulnerability occurs due to the methods used by browsers to set cookies on domains and subdomains using a crossdomain.xml procedure.  Users are particularly cautioned when using the applications on these websites.

Microsoft released the advanced notification for the November 2009 Security Bulletins.  Microsoft announced that they will be releasing six bulletins, with three rated critical and three rated important on Tuesday, November 10, 2009.  The vulnerabilities are reported to impact Microsoft Windows and Office.

On an administrative note, the Cisco Cyber Risk Report will not be published on the usual Monday schedule following the upcoming holidays.  It will not be published on November 30 following the U.S. Thanksgiving holiday, December 28 following the Christmas holiday, or January 4 following the New Year's Day holiday.

IntelliShield published 147 events last week: 56 new events and 91 updated events.  Of the 147 events, 121 were Vulnerability Alerts, five were Security Activity Bulletins, ten were Threat Outbreak Alerts, ten were Security Issue Alerts, and one was a Cyber Risk Report.  The alert publication totals are as follows:

Weekly Alert Totals

Day Date New Updated Total
Friday 11/6/2009 9 4 13
Thursday 11/5/2009 10 16 26
Wednesday 11/4/2009 14 22 36
Tuesday 11/3/2009 10 9 19
Monday 11/2/2009 13 40 53
Weekly Total 56 91 147


Significant Alerts for the Time Period

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 3, November 6, 2009
Urgency/Credibility/Severity Rating: 2/5/3
Multiple TLS implementations contain a vulnerability when renegotiating a Transport Layer Security (TLS) session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack.  Proof-of-concept code that exploits this vulnerability is publicly available.

Previous Alerts That Still Represent Significant Risk

Gumblar Malicious Code Adopts Additional Exploit Methods
IntelliShield Vulnerability Alert 19237, Version 1, October 20, 2009
Urgency/Credibility/Severity Rating: 3/4/3

Reports indicate additional activity related to the Gumblar malicious code.

Microsoft Windows SMB2 Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 19000, Version 7, October 13, 2009
Urgency/Credibility/Severity Rating: 3/5/4

Microsoft Windows Vista SP2 and prior and Windows Server 2008 contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code.  Microsoft has released a security advisory to address the Microsoft Windows SMB2 remote code execution vulnerability.  Microsoft has released a security advisory and updated software to address the Microsoft Windows SMB2 remote code execution vulnerability.  Functional exploit code is publicly available.

Microsoft Internet Information Services FTPd Remote Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 18951, Version 5, October 13, 2009
Urgency/Credibility/Severity Rating: 2/5/4

Microsoft IIS versions 5.0, 5.1, and 6 contain a vulnerability in the FTPd service that could allow an authenticated, remote attacker to cause a DoS condition or execute arbitrary code with elevated privileges.  Microsoft has released a security bulletin with software updates to address the Microsoft Internet Information Services FTPd remote buffer overflow vulnerability.

Microsoft Visual Studio Active Template Library Uninitialized Object Vulnerability
IntelliShield Vulnerability Alert 18725, Version 12, November 5, 2009
Urgency/Credibility/Severity Rating: 2/5/4

Microsoft Visual Studio Active Template Library contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code.  Microsoft has re-released a security bulletin and software updates to address the Microsoft Visual Studio Active Template Library uninitialized object vulnerability in Microsoft Windows.

Microsoft Office Web Components ActiveX Control Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 18633, Version 6, October 12, 2009
Urgency/Credibility/Severity Rating: 3/5/4

Microsoft Office Web Components contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user.  This vulnerability is due to an unspecified error in the Office Web Components ActiveX control.  Reports indicate that exploits of this vulnerability are ongoing.  Additional technical information is available to detail the Microsoft Office Web Components ActiveX control arbitrary code execution vulnerability.  IntelliShield has re-released this alert to clarify the availability of software updates.

ISC BIND Dynamic Update Remote Denial of Service Vulnerability
IntelliShield Vulnerability Alert 18730, Version 10, September 22, 2009
Urgency/Credibility/Severity Rating: 3/5/3

ISC BIND contains a vulnerability that could allow an unauthenticated, remote attacker to cause a DoS condition.  This vulnerability is being exploited in the wild.  Exploit code is publicly available.  ISC has confirmed this vulnerability and updated software is available.

Linux Kernel sock_sendpage() Local Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 18847, Version 11, October 15, 2009
Urgency/Credibility/Severity Rating: 2/5/4

The Linux Kernel versions 2.4 through contain a vulnerability that could allow an unprivileged, local attacker to execute arbitrary code with elevated privileges or cause a DoS condition.  Proof-of-concept exploit code is publicly available. has confirmed the vulnerability in a changelog and released updated software.


There was no significant activity in this category during the time period.


Anti-Counterfeiting Trade Agreement Talks to Set Standard

Countries and partnerships, including the United States, the European Union, Canada, South Korea, and Australia, have been conducting talks to negotiate a trade agreement that could hold Internet service providers (ISPs) accountable for the actions of their users.  The Anti-Counterfeiting Trade Agreement (ACTA), if it is accepted and becomes law, would allow record companies and other copyright holders to sue an ISP if there is a finding that one of its customers has illegally downloaded copyrighted material.  Read More

IntelliShield Analysis: Current laws in the entities involved in the talks do not hold ISPs accountable for the actions of their subscribers.  If this trade agreement is accepted, it could mean that the entities would need to pass new legislation to hold ISP accountable for the actions of their users.  Such laws could meet with a great deal of resistance from the populace at large.  Asking the ISPs to do the policing of their users would be an extra burden on these companies.  More likely the ISPs would receive letters of warning from the copyright holder who wishes to prosecute a particular user.  However, if ISPs are expected to closely monitor their customers so that the ISPs can produce evidence of copyright infringement, that too will meet resistance from the ISPs and from Internet privacy advocates.  Some countries have already enacted requirements on ISPs, while others are considering regulations.  The outcome of these talks could help to establish an international guideline for domestic regulations.


Internationalized Domain Names

Last week the Internet Corporation for Assigned Names and Numbers (ICANN) removed the final barrier for people using non-Latin characters in their native languages to access the Internet.  The Internationalized Domain Names (IDN) will now make it possible for most users to access the Internet using just their native language.  The application process for IDNs begins on November 16.  It is hoped that this will prevent individual registrars from setting up their own alternate root servers that would support characters in native languages, and the Internet name space will remain one name space with one authoritative set of root name servers.
Read More 
Additional Information

IntelliShield Analysis:  This is very welcome news for people whose native languages do not use the Latin alphabet, and it removes a barrier for them in Internet access.  Although this change is good news for more than half the world, it may cause some confusion and opportunities for miscreants to spread phishing attempts and malware.  Many non-Latin characters look very similar to each other and others look very similar to Latin characters.  This is something that most of the world has dealt with for a long time.  Now is the time for people who use only Latin characters in their native languages to become familiar with using non-Latin characters.  Additional attention should be given when clicking a URL or search engine results, and as always users are advised to avoid URLs received from an unverified or suspicious source.


Using the Collective Power of Cloud Computing to Crack Passwords

On October 30, Electrical Alchemy (EA) posted a report on its blog detailing the results of harnessing cloud computing to crack passwords, providing examples of the exponential cost burden as a password increases in length and complexity.  For example, if 12 characters are used for a password that contains case-sensitive alphanumeric characters and nonalphanumeric characters, the estimated cost of using Amazon's EC2 cloud service would be over US$8.6 billion to compromise a single password.
Read more
Additional information

IntelliShield Analysis: As noted in EA's post, the collective power available through cloud computing can be used for projects that would otherwise take much longer if fewer resources are used.  Brute-force cracking of passwords is a compelling application of cloud computing power because this capability could be used by white hats (for example, as part of a law enforcement investigation) as well as black hats, provided that adequate resources exist or the funding needed to use commercially available resources is obtainable.  Longer passwords require more time and more resources to be cracked, and some of those resources may be expensive, reinforcing the good practice of using passwords that are at least ten characters in length and contain nonalphanumeric characters.  IT administrators should consider policies that require longer passwords. Administrators should also consider making tools available to users to help manage multiple unique passwords so that an attacker who learns one password cannot use it to access multiple sensitive resources.


Insider Threats Attributed to Net Generation and Benign Motives

Writing for CSO Online, Jim Routh and Gary McGraw investigate a recent trend in threats from employees inside organizations.  Instead of uncovering malicious or disgruntled employees who intentionally aim to circumvent security controls and cause harm, Routh and McGraw are finding that many incidents are being traced to a younger generation of workers seeking to be productive with familiar tools.  The authors argue that while firms block access to media and social networking sites because of productivity concerns, new employees from the Net Generation are breaching security controls to access entertainment, social websites, and collaborative tools they believe will help them multitask and be more productive. Read More

IntelliShield Analysis:  Organizations are going to be experiencing the "growing pains" of incorporating Web 2.0 technologies for some time.  From the examples cited by Routh and McGraw, some companies may be erring more on the side of perceived productivity loss than actual risk or potential productivity gains.  However, monitoring and measuring the effect of these policies could prove difficult.  Companies will need to consider how they expect such services to be leveraged and will need to adopt an acceptable use policy that permits productivity enhancement but does not allow abuse, intellectual property theft, or other such behavior.  Ultimately, organizational security should not stand in the way of business success.  As the world adapts to the opportunities and challenges of social media, security policies will need to remain flexible and relevant to the changing environment.


Iranian Media Crackdown Is a Reminder of the New Communications Paradigm

Demonstrations in Tehran commemorating the 30th anniversary of the Iranian revolution last week took an unexpected turn when some marchers reportedly began protesting against the government instead of joining in the customary chants of death to America.  Advance notice of the antigovernment protests were distributed using graffiti and messages written in green ink on local currency, and also via the Internet, according to a variety of reports.  TV stations carried footage of a student who openly criticized Supreme Leader Ayatollah Khamenei at a university forum this week; Khamenei's apparent tolerance of the outburst is so unprecedented that some observers are asking whether the incident was staged.  Indeed, the Iranian government is taking aggressive steps to quash the opposition movement by arresting journalists, breaking up public gatherings, and shutting down newspapers and websites.
Read more
Additional Information
Additional Information

IntelliShield Analysis:  Iran's internal opposition movement is worth watching for many reasons, including the potential repercussions across the region if it succeeds.  From an information technology perspective, these events are a reminder of the critical role of electronic communications in mobilizing public action.  Not only oppressive regimes but also democratically elected governments and indeed large corporations grapple with how to handle periodic political protests, a dilemma that becomes more acute as the speed and ease of communication increase.  Information-intensive corporations, in particular, are at risk not only of being physically targeted but also of politically motivated direct targeting of, or collateral damage to, networks and data.

With this in mind, information security professionals may want to monitor planned protests around the APEC summit in Singapore this week, the tenth anniversary of antiglobalization protests in Seattle at the end of November, and mid-December climate talks in Copenhagen.  Information security specialists may wish to keep tabs on planned protests that could pose a threat to the enterprise through the ethical use of web crawling and social media analysis tools that are increasingly available, some of them free of charge.

Upcoming Security Activity

Interop New York: November 16–20, 2009

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

The Hajj: November 25–30, 2009
Copenhagen Climate Change Summit: December 7–18, 2009
Hanukkah: December 11, 2009
Christmas: December 25, 2009
New Year's Day: January 1, 2010

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.

Back to Top