The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.
Vulnerability activity for the period was decreased. Similarly, the activity levels for November 2012 decreased significantly from previous months in 2012. This is typical for this time of year, as activity levels tend to decrease approaching the end of the year. Vulnerability activity for 2012 is significantly higher than 2011, with a total of 5,916 alerts, compared to 4,938 at this time in 2011. This year has reversed the trend of declining vulnerability activity levels, with an increase of 19 percent. While end-user system updating and patching has become highly automated and easier for users to maintain, the combination of the virtual and cloud environment changes along with the significant increase in patch and upgrade volume has seriously challenged IT and security staffs. Organizations will likely need to review and make major changes to their vulnerability management practices to address these changes.
Significant activity for the period includes a Samsung printer hard-coded default password, multiple vulnerabilities reported in Skype, and security updates for Apple QuickTime and Google Chrome. There are reports of a new Java vulnerability that impacts current versions and is available for sale in underground communities. While details of the Java vulnerability were not released, users should continue to ensure their Java installations are updated to the latest versions and consider additional mitigations such as removing Java if it is not required and disabling Java capabilities in the browser options.
Spam and phishing activity continues to increase, with 51 Threat Outbreak Alert updates during this period and reports of new and updated variations on previously reported themes: electronic transactions, package shipping and tracking, bank alert confirmations, order notifications, and travel spam. New fraud attempts were identified that exploit the release of Microsoft Windows 8 with fraudulent offers for free software and software updates. As discussed in the online shopping topic in the "Human" section that follows, during this time of increased online and fraud activity, users should ensure they have updated antivirus software, enabled the reputation and other security features in their browsers and e-mail applications, and remained cautious of potentially malicious e-mail messages and websites.
Organizations, particularly financial institutions, are advised to continue to closely monitor for distributed denial of service attacks. The groups conducting these attacks have stated the attacks will return, following the pause of the attacks for the Muslim holiday. A recent interview with a reported member of the group has stated they will return to conducting these attacks in continued protest of the posting of the anti-Islam video movie trailer until the video is removed.
On an administrative note, the Cisco Cyber Risk Report will not be published on December 24 or 31, 2012, due to the holidays. We will return to publishing the reports on January 7, 2013.
IntelliShield published 90 events last week: 53 new events and 37 updated events. Of the 90 events, 28 were Vulnerability Alerts, seven were Security Activity Bulletins, three were Security Issue Alerts, 51 were Threat Outbreak Alerts, and one was an Applied Mitigation Bulletin. The alert publication totals are as follows:
Weekly Alert Totals
2012 Monthly Alert Totals
Significant Alerts for the Time Period
Apple QuickTime for Windows Security Update for Multiple Vulnerabilities
IntelliShield Security Activity Bulletin 27384, Version 2, November 26, 2012
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2012-3752, CVE-2011-1374, CVE-2012-3753, CVE-2012-3754, CVE-2012-3755, CVE-2012-3756, CVE-2012-3757, CVE-2012-3758, CVE-2012-3751
Apple QuickTime for Windows versions prior to 7.7.3 contain multiple vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code on a targeted system. Proof-of-concept code that exploits a vulnerability with CVE ID 2012-3752 is available as part of the Metasploit framework. Apple has released a security advisory and updated version.
Previous Alerts That Still Represent Significant Risk
Oracle Java Applet JAX-WS Class Processing Security Bypass Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 27404, Version 1, November 13, 2012
Urgency/Credibility/Severity Rating: 3/5/4
Oracle Java contains a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and execute arbitrary code on a targeted system. Oracle Java Runtime Environment (JRE) 7 Update 7 and prior are vulnerable. Functional code that demonstrates an exploit of this vulnerability is available as a part of the Metasploit framework.
Oracle Java SE Critical Patch Update October 2012
IntelliShield Security Activity Bulletin 27210, Version 6, November 26, 2012
Urgency/Credibility/Severity Rating: 2/5/4
Oracle Java SE contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to bypass security restrictions, access sensitive information, execute arbitrary code, or cause a DoS condition on a targeted system. Reports indicate these vulnerabilities are being exploited successfully in the wild. Oracle, Apple, Red Hat, and IBM have released security advisories and software updates.
Financial Institution Websites Targeted by Distributed Denial of Service Attacks
IntelliShield Security Activity Bulletin 27076, Version 2, October 4, 2012
Urgency/Credibility/Severity Rating: 3/5/3
Websites owned by banks and other financial institutions continue to be targeted by distributed DoS (DDoS) attacks, decreasing availability of those sites to legitimate customers. DDoS attacks may still be ongoing. Site administrators are advised to take steps to protect their Internet-facing web services. Cisco has released a guide to protecting environments against DDoS attacks at the following link: Strategies to Protect Against Distributed Denial of Service Attacks. Cisco has released an Applied Mitigation Bulletin at the following link: Identifying and Mitigating the Distributed Denial of Service Attacks Targeting Financial Institutions
Samba Marshaling Code Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 25650, Version 10, October 17, 2012
Urgency/Credibility/Severity Rating: 3/5/4
Samba contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on an affected system. Functional code that demonstrates an exploit in the Samba marshaling code remote code execution vulnerability is publicly available. Samba has confirmed this vulnerability and released updated software. Samba, Apple, FreeBSD, HP, Oracle, and Red Hat have released security advisories. Oracle has re-released a security notification and patches.
Oracle Java Security Manager Bypass Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 26751, Version 10, October 19, 2012
Urgency/Credibility/Severity Rating: 4/5/4
Oracle Java contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that exploits the vulnerability is publicly available as part of the Metasploit framework. The Black hole toolkit is also reported to include an exploit, and multiple threats have been reported targeting this vulnerability. Oracle has confirmed the vulnerability and released software updates. Oracle, Apple, FreeBSD, Red Hat, IBM, and HP have released security advisories and updated software.
Oracle Java Multiple Unspecified Vulnerabilities Update
IntelliShield Security Activity Bulletin 26831, Version 6, November 16, 2012
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2012-0547, CVE-2012-1682, CVE-2012-3136, CVE-2012-4681
Java SE 7 Update 7 mitigates a widely reported vulnerability, CVE-2012-4681, as described in IntelliShield Alert 26751. The update also mitigates two remote code execution vulnerabilities that are due to unspecified errors in the affected software. The three vulnerabilities can be exploited only through untrusted Java Web Start applications and untrusted Java applets on client deployments of the affected software. In addition, a security-in-depth issue in the Abstract Window Toolkit (AWT) has also been addressed. Direct exploitation of the AWT security-in-depth issue is not possible; however, the issue can be used to aggravate security vulnerabilities that can be directly attacked. Oracle, Apple, Red Hat, and IBM have released security advisories and software updates. HP has released a security bulletin and updated software.
OpenSSL ASN.1 asn1_d2i_read_bio() Heap Overflow Vulnerability
IntelliShield Vulnerability Alert 25706, Version 18, October 12, 2012
Urgency/Credibility/Severity Rating: 3/5/3
OpenSSL contains a vulnerability that could allow an unauthenticated, remote attacker to cause a DoS condition. Proof-of-concept code that demonstrates this vulnerability is publicly available. OpenSSL, FreeBSD, Red Hat, HP, Oracle, MontaVista, IBM, Balabit, and VMware have released security advisories and updates. MontaVista Software has re-released a changelog and updated software.
Defeating Hotel Room Locks, Revisited
Recent reports of thefts from locked hotel rooms, with no apparent signs of forced entry, have been linked to vulnerabilities in Onity hotel room door locks first reported publicly in July in a presentation at Black Hat USA 2012 by researcher Cody Brocious, "My Arduino Can Beat Up Your Hotel Room Lock." The presentation identified multiple vulnerabilities: the ability to open the door the lock is securing from the outside; access to the complete memory history of the device using an access port at the bottom of the outside casing of the lock; and a predicable memory address for the sitecode, a 32-bit code randomly assigned by the manufacturer which uniquely identifies a hotel property and is used as the basis for the entire security of the lock. Using these two vulnerabilities in concert made it possible for an individual, using commonly available parts, to access and decode the memory history of the device and open the lock.
IntelliShield Analysis: As surmised in the July 23-29, 2012, Cyber Risk Report, subsequent to the original presentation at Black Hat, the exploitation technique has been refined and enhanced by the security community to be significantly more reliable, and is reportedly able to open the majority of the affected Onity locks. Onity has issued several fixes for the vulnerabilities, including physical caps to cover the data access port so that the port is accessible only by opening the lock case, more secure Torx screws to secure the lock case, and new circuit boards and firmware updates that are available for customers, reportedly at a nominal fee. The author of the original presentation has questioned whether the fixes by Onity completely address the vulnerabilities. Due to the large install base of Onity locks and the challenges presented to property owners and managers to implement the fixes, the likelihood that the vulnerabilities will be addressed in a timely manner is questionable. Travelers and guests using hotels employing Onity locks should remain aware of the threat and are urged to contact their hotel management to determine if the property uses Onity locks and if whether they have been fixed. Travelers and guests are also urged to employ secondary and tertiary door locks or security mechanisms when staying at a facility employing Onity locks and to take additional precautions when securing property on premises.
Facebook Copyright Posting Goes Viral
For the second time on Facebook, users were posting copyright notices on their walls and advising others to do the same. The copyright statements declared that the users' content and photos on their pages are the property of the individual, copyright protected, and could not be reused without the individuals' permission. Many users continued to post these very legal-sounding posts on protecting Facebook content and to distribute the postings to their friends.
IntelliShield Analysis: While the copyright, trademark, and patent legal issues continue to be redefined and challenged in court cases, it is not surprising that many users do not fully understand these legal terms. However, it is critical that business, IT, and security professionals understand them and monitor precedent-setting legal cases involving these protections. In the case of the Facebook posting, legal experts nearly unanimously agree that these copyright postings have no legal impact because the users have agreed to the Facebook user license, which allows Facebook and other users to share and distribute their content. However, it does raise the important point of understanding these legal terms and definitions to not only properly protect organizational and individual intellectual property, but also to avoid legal issue around the challenged or illegal use of others' copyright, trademark, or patent property. As we have seen with many recent legal cases challenging these definitions across the globe, professionals should consult their legal teams for current guidance involving these protections. To further support the importance of having security professionals understand these terms, you will likely see them in certification training and testing.
ENISA Report Highlights Coordination and Cooperation Issues
The European Network and Information Security Agency (ENISA) released a report examining operational and legal issues with European Computer Emergency Response Teams (CERTs) in the Member States and Law Enforcing Agencies (LEA). The report details several of the issues in detail, discusses changes that have been implemented to address the challenges, and provides practices and recommendations that apply not only to the European organizations, but also to those across the globe.
IntelliShield Analysis: The ENISA report findings, presented as a work in progress to address the issues, points out not only the legal and operational issues but the underlying trust and human issues. The report found that the initial mindsets of the CERT and LEA organizations are very different, which continues to impact coordination and cooperation throughout investigations and responses. The "Good Practice Guide" provides professionals in both these types of organizations an insight into the others' operations and describes how they can address or work around the differences. While many of these types of reports and organizations have attempted to address these types of issues with policy, procedures, and organizational changes, few have taken or presented an examination of the underlying trust and human issues. Understanding these basic differences provides a greater insight into developing the successful working relationships all these organizations are attempting to accomplish.
Apple's iOS 6 Resumes User Tracking for Ad Purposes
Following Apple's actions earlier this year to disallow applications on mobile devices from tracking users via Unique Device Identifier (UDID), a similar and reportedly anonymous technology has appeared in the latest major release of Apple's mobile device operating system. Enabled by default, the technology can be turned off by the user on a per-device basis, albeit not as easily as would be expected.
IntelliShield Analysis: Balancing between privacy concerns and ad optimization in a manner which satisfies everyone, including government regulators, continues to prove challenging. Facebook is the most widely known case, having received unwelcome attention from a number of global governmental agencies charged with regulating and maintaining privacy for citizens. While Apple's approach is improved from the past, the manner in which it was implemented in iOS 6 seems more like Facebook—particularly for Apple, whose strengths are consistency and simplicity. At a minimum, Apple should state up front that the ad tracking occurs by default and can be disabled, even if doing so is not presently intuitive.
Cyber Security Survival for the Holidays
Cisco released a live broadcast interview with John Stewart, Cisco SVP and Chief Security Officer of Global Government and Corporate Security. From mobile to social and all the shopping that happens in between, John Stewart shared the information you need to stay safe online this holiday shopping season. John took questions and addressed everything from how to stay safe while shopping online, tips for securely setting up gifts you receive, and how to safely bring your new devices to work and school in the new year. A recording of the live event is available at Online Shopping.
IntelliShield Analysis: The 30-minute recorded interview addressed several online shopping best practices, as well as current threats and ways to protect yourself through the holiday shopping period. The three primary threat vectors are spam and phishing, the web, and mobile. Users are advised to review the current IntelliShield Threat Outbreak Alerts on the Cisco SIO portal for current spam threats. Users should ensure their browsers and application software are updated prior to shopping. One easy and automated method to do this is to use the Qualys BrowserCheck, which not only checks the browser for updates, but also looks for updates to related Adobe, Apple, and Java applications associated with web content. To avoid mobile threats, users are reminded that mobile devices do not include the more robust security features of an updated personal computer, and to use their personal computer for the majority of their shopping, ordering, and payments. Mobile users should avoid likely vectors of malicious content by not following links in e-mail, advertisements, or search engines, and by minimizing web surfing on mobile browsers. Mobile users are also advised to use only necessary and well-reviewed applications from trusted providers.
Syria's Internet Goes Dark
Last Thursday, all Internet traffic from Syria to the rest of the world abruptly stopped, according to a variety of Western Internet monitoring firms. Mobile phone services were cut in key areas where anti-Assad forces are strong; the government blamed rebel forces for the outages. The main airport road adjacent to Damascus was also closed on Thursday, probably due to fighting nearby, although it reopened Friday. According to Renesys, all 84 of Syriaâ€™s IP blocks were unreachable starting on Thursday, and any remaining IP blocks going into Syria were hosted overseas. According to official Syrian government representatives, the outage was due to terrorist sabotage, although outside experts say it is unlikely that a terrorist strike could have brought down connections across the country almost simultaneously.
IntelliShield Analysis: According to analysis by content delivery network CloudFlare, the Internet outage was probably achieved through updates in edge router configurations, rather than a physical cable cut or series of cuts. It seems likely that the outages were a strategic move by the regime loyal to President Bashar Al-Assad to cripple the Free Syrian Armyâ€™s ability to coordinate military action and report the situation to the outside world. Recent experience shows, however, that cutting Internet access may be tactically effective but strategically counterproductive. When Egyptian President Hosni Mubarak shut down Internet and mobile phone communications during the February 2011 uprising in Egypt, the result was to redouble domestic and international outrage, while creative workarounds quickly negated the effectiveness of the outages. At the same time, as anti-Assad forces advance toward Damascus, a turning point in the 18-month-long struggle may be at hand. Information security specialists may want to watch closely in coming days as Syrians and sympathetic supporters create workarounds, such as the voice-to-tweet system that allows users to create microblog postings via voice. We may also want to watch the strategic impact of communications outages on the political situation, as Internet and mobile phone access move toward popular acceptance as basic human rights.
Upcoming Security Activity
Black Hat Abu Dhabi: December 3–6, 2012
Cisco Live London: January 28–February 1, 2013
ShmooCon: February 15–17, 2013
RSA Conference 2013: February 25–March 1, 2013
Cisco Live ANZ: March 5–8, 2013
Cisco Live US: June 23–27, 2013
Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:
ITU World Conference on International Telecommunications (WCIT-12): December 3–14, 2012
EU Summit: December 13–14, 2012
Japan general elections: December 16, 2012
North Korea possible missile launch: December 17, 2012
South Korea presidential election: December 19, 2012
World Economic Forum: January 23–27, 2013
For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
Cisco Security IntelliShield Alert Manager Service
For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
Back to Top