Cyber Risk Report

January 2–8, 2012

The IntelliShield Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. The Cyber Risk Reports are a result of collaborative efforts, information sharing, and collective security expertise of senior analysts from Cisco security services that include the IntelliShield team (IntelliShield Alert Manager, Applied Intelligence, and IPS), ROS, PSIRT, the Corporate Security Programs Organization, and Legal Support.

Vulnerability

Vulnerability activity for this period and the prior holiday period remained at normal levels. Significant activity included the release of an out-of-cycle Microsoft security advisory and patches correcting four vulnerabilities in .NET, and multiple advisories from other vendors for the hash collisions vulnerability also reported in the Microsoft advisory. A weakness was reported in the Wi-Fi Protected Setup PIN authentication method used in multiple wireless routers that could result in a denial of service or compromise of the device.

In other vulnerability activity, advisories and updates were released for Apache Struts, HP Database Archiving, IBM Rational Rhapsody, Siemens SIMATIC and Tecnomatix Industrial Control Systems, WordPress, and Google Chrome. OpenSSL released new updated versions correcting multiple vulnerabilities, and multiple vendors continued to release updates for previously reported OpenSSL vulnerabilities.

In threat activity, researchers continue to investigate the similarities of the Duqu and Stuxnet worms, and reported that some now believe the code can be tied to the Tilded toolkit. Additional research suggests that other variants may also be related, and that the toolkit could continue to be used to create new targeted attacks using variations of the malicious code. In other attacks, multiple sources are reporting the mass SQL injection attacks tied to lilupophilupop.com that some have estimated to be in the millions of compromised web pages. These attacks have been occurring since November 2011, and continued into the new year, although Cisco sources indicate the level of activity is now much lower.

IntelliShield published 102 events last week: 57 new events and 45 updated events. Of the 102 events, 64 were Vulnerability Alerts, seven were Security Activity Bulletins, three were Security Issue Alerts, and 28 were Threat Outbreak Alerts. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Friday        01/06/2012    14         7      21
Thursday      01/05/2012     7         5      12
Wednesday     01/04/2012     7        13      20
Tuesday       01/03/2012    29        18      47
Monday        01/02/2012     0         2       2
Weekly Total                57        45     102


Significant Alerts for January 2-8, 2012

Adobe Acrobat and Reader Universal 3D Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 24698, Version 4, January 6, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-2462

Adobe Reader and Acrobat contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Targeted attacks against Adobe Reader version 9.4.6 on Microsoft Windows operating systems have been observed in the wild. Adobe has released a security bulletin and software updates to address the Adobe Acrobat and Reader Universal 3D remote code execution vulnerability. Functional code that exploits this vulnerability is available as part of the Metasploit framework.

Multiple Products Hash Collisions Denial of Service Vulnerability
IntelliShield Security Activity Bulletin 24871, Version 1, January 6, 2012
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2011-4461, CVE-2011-4815, CVE-2011-4885

Multiple products contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. Updates are available.
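The hash collision bulletin above describes a denial of service in which a client submits many request parameters chosen so that they land in the same hash-table bucket, turning each insertion into a linear scan. The following is an added example (not code from the report or from any vendor's patch) of the two defensive measures vendors shipped for this class of bug: a cap on the number of parameters accepted per request, and a keyed hash with a per-process secret so that a client cannot predict which keys collide. The limit of 1000 and the toy bucket table are assumptions for illustration.

```python
"""Defensive handling of form parameters against hash-collision DoS.

Added example (not from the IntelliShield report or any vendor patch).
  1. Cap the number of parameters per request, so a client cannot submit
     tens of thousands of keys in one body.
  2. Bucket keys with a keyed hash (secret per process), so a client
     cannot precompute keys that all land in one bucket.
The bucket histogram is a toy used only to show the distribution is flat.
"""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl

MAX_PARAMS = 1000                 # assumed limit; the real value is deployment-specific
_SEED = secrets.token_bytes(16)   # per-process secret, unknown to clients


class TooManyParameters(ValueError):
    """Raised when a request body carries more keys than the cap."""


def keyed_bucket(key: str, nbuckets: int, seed: bytes = _SEED) -> int:
    """Bucket index from an HMAC over the key. Without the secret seed a
    client could choose keys that collide; with it, collisions are not
    predictable from outside the process."""
    digest = hmac.new(seed, key.encode("utf-8"), hashlib.blake2b).digest()
    return int.from_bytes(digest[:8], "big") % nbuckets


def parse_form(body: str, max_params: int = MAX_PARAMS) -> dict:
    """Parse an application/x-www-form-urlencoded body with a key cap.

    The pairs are counted before any table is built: the expensive part of
    a collision attack is the insertions, so an oversized request is
    rejected before a single insertion happens."""
    pairs = parse_qsl(body, keep_blank_values=True)
    if len(pairs) > max_params:
        raise TooManyParameters(f"{len(pairs)} parameters exceeds limit {max_params}")
    table = {}
    for key, value in pairs:
        table.setdefault(key, []).append(value)
    return table


def bucket_histogram(keys, nbuckets: int, seed: bytes = _SEED) -> list:
    """Occupancy of each bucket under the keyed hash."""
    counts = [0] * nbuckets
    for key in keys:
        counts[keyed_bucket(key, nbuckets, seed)] += 1
    return counts


# Constructed sample inputs (not captured traffic).
SMALL_BODY = "user=alice&action=login&remember=1"
FLOOD_BODY = "&".join(f"k{i}=x" for i in range(MAX_PARAMS + 1))   # one key over the cap


if __name__ == "__main__":
    print(parse_form(SMALL_BODY))
    try:
        parse_form(FLOOD_BODY)
    except TooManyParameters as exc:
        print("rejected:", exc)
    hist = bucket_histogram([f"k{i}" for i in range(10000)], 64)
    print("bucket load max/min:", max(hist), min(hist))
```

The standard library's parse_qsl also accepts a max_num_fields argument that performs the same count check; the explicit check above is kept so the rejection point is visible. The keyed hash is the part that addresses the root cause: with a secret seed, the set of colliding keys differs per process and cannot be computed offline.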

Previous Alerts That Still Represent Significant Risk

ISC BIND Recursive Query Processing Denial of Service Vulnerability
IntelliShield Vulnerability Alert 24590, Version 11, January 4, 2012
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-4313

ISC BIND version 9 contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system. It should be noted that there are external reports that this vulnerability is being actively exploited in the wild, as DNS server crashes have been observed. It is not, however, fully determined that exploitation of this vulnerability is the root cause for the recently observed crashes. ISC and multiple vendors have confirmed this vulnerability and released updated software.

Apache HTTP Server Overlapping Ranges Denial of Service Vulnerability
IntelliShield Vulnerability Alert 24004, Version 19, January 3, 2012
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-3192

Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. Proof-of-concept code that exploits this vulnerability is publicly available. Apache has confirmed this vulnerability and updated software is available. Oracle and multiple additional vendors have released security advisories. HP has released an additional security bulletin.
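The overlapping ranges problem above is mitigated at the request-validation layer: a Range header is parsed, the number of byte ranges is capped, and sets that overlap or run backwards are refused (the server then answers with 416 or serves the whole resource). The following is an added example of such a validator, not Apache's own code; the cap of five ranges is an assumption, as are the sample headers.

```python
"""Range header sanity check against overlapping-range denial of service.

Added example, not Apache's code. Parses 'bytes=a-b,c-d,...', caps the
number of ranges, normalises each range against the resource length and
rejects overlapping or reversed ranges. Ordinary download clients send a
few disjoint ascending ranges, so anything else is treated as abusive.
"""
import re
from typing import List, Tuple

MAX_RANGES = 5                      # assumed cap for illustration
_SPEC = re.compile(r"^(\d*)-(\d*)$")


class BadRange(ValueError):
    """Raised for malformed, oversized, unsatisfiable or overlapping sets."""


def parse_ranges(header: str, resource_len: int,
                 max_ranges: int = MAX_RANGES) -> List[Tuple[int, int]]:
    """Return absolute (first, last) byte ranges, or raise BadRange."""
    if not header.startswith("bytes="):
        raise BadRange("unsupported range unit")
    specs = [s.strip() for s in header[len("bytes="):].split(",") if s.strip()]
    if not specs:
        raise BadRange("empty range set")
    if len(specs) > max_ranges:
        raise BadRange(f"{len(specs)} ranges exceeds limit {max_ranges}")
    ranges = []
    for spec in specs:
        match = _SPEC.match(spec)
        if not match:
            raise BadRange(f"malformed range spec {spec!r}")
        first, last = match.group(1), match.group(2)
        if first == "" and last == "":
            raise BadRange("empty range spec")
        if first == "":                       # suffix form: last N bytes
            n = int(last)
            if n == 0:
                raise BadRange("zero-length suffix range")
            lo, hi = max(0, resource_len - n), resource_len - 1
        else:
            lo = int(first)
            hi = resource_len - 1 if last == "" else min(int(last), resource_len - 1)
            if lo >= resource_len:
                raise BadRange("range starts beyond end of resource")
            if hi < lo:
                raise BadRange("range end precedes range start")
        ranges.append((lo, hi))
    # Overlap check on the sorted set: a range that starts at or before the
    # previous range's end overlaps it. Overlap is rejected, not merged.
    ordered = sorted(ranges)
    for (_, hi1), (lo2, _) in zip(ordered, ordered[1:]):
        if lo2 <= hi1:
            raise BadRange("overlapping ranges")
    return ranges


def is_acceptable(header: str, resource_len: int,
                  max_ranges: int = MAX_RANGES) -> bool:
    """True if the header should be honoured as a partial-content request."""
    try:
        parse_ranges(header, resource_len, max_ranges)
        return True
    except BadRange:
        return False


if __name__ == "__main__":
    # Constructed headers: a normal resumable download and an abusive set.
    print(parse_ranges("bytes=0-99,200-299", 1000))
    print(is_acceptable("bytes=0-,0-,0-", 1000))
```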

Microsoft Windows TrueType Font Parsing Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 24500, Version 3, December 13, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-3402

Microsoft has released a security advisory to address the TrueType font parsing remote code execution vulnerability. Reports suggest that this vulnerability is being exploited by W32.Duqu to install itself on a targeted system. This trojan has been documented in IntelliShield Alert 24425.

Oracle Java Applet Rhino Script Engine Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 24470, Version 4, December 1, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-3544

Multiple versions of Oracle Java contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Oracle and multiple other vendors have confirmed this vulnerability and released updated software. Functional code that demonstrates an exploit is publicly available.

Apache HTTP Server Reverse Proxy Rewrite URL Validation Vulnerability
IntelliShield Vulnerability Alert 24625, Version 1, November 28, 2011
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-4317

Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to gain unauthorized access to internal networks. Apache has not confirmed the vulnerability and software updates are not available. The vulnerability is due to a regression error introduced by the vulnerability CVE-2011-3368, documented in IntelliShield alert 24327. Proof-of-concept code that exploits the vulnerability is publicly available.

Oracle Java SE Critical Patch Update October 2011
IntelliShield Vulnerability Alert 24433, Version 4, November 28, 2011
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2011-3389, CVE-2011-3516, CVE-2011-3521, CVE-2011-3544, CVE-2011-3545, CVE-2011-3546, CVE-2011-3547, CVE-2011-3548, CVE-2011-3549, CVE-2011-3550, CVE-2011-3551, CVE-2011-3552, CVE-2011-3553, CVE-2011-3554, CVE-2011-3555, CVE-2011-3556, CVE-2011-3557, CVE-2011-3558, CVE-2011-3560, CVE-2011-3561

Oracle has released the Oracle Java SE Critical Patch Update for October 2011. The update addresses 20 new security vulnerabilities. An unauthenticated, remote attacker could leverage several of the vulnerabilities to completely compromise an affected system. Oracle, Red Hat, CentOS and Apple have released updates.

Adobe Flash Player and AIR Multiple Vulnerabilities
IntelliShield Vulnerability Alert 24582, Version 2, November 14, 2011
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2011-2445, CVE-2011-2450, CVE-2011-2451, CVE-2011-2452, CVE-2011-2453, CVE-2011-2454, CVE-2011-2455, CVE-2011-2456, CVE-2011-2457, CVE-2011-2458, CVE-2011-2459, CVE-2011-2460

Adobe Flash Player and AIR contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on a targeted system. Adobe, Red Hat and FreeBSD have released security advisories and updates.

Apache HTTP Server mod_proxy Module Information Disclosure Vulnerability
IntelliShield Vulnerability Alert 24327, Version 6, November 15, 2011
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-3368

Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to gain access to sensitive information. Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available. Apache, Red Hat, IBM, and FreeBSD have released security advisories and software updates.

Microsoft Windows UDP Packet Processing Integer Overflow Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 24490, Version 2, November 14, 2011
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2011-2013

Microsoft Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Proof-of-concept code that demonstrates an exploit of the Microsoft Windows UDP packet processing integer overflow arbitrary code execution vulnerability is publicly available. Microsoft has released a security bulletin and updates.

Trojan: W32.Duqu
IntelliShield Vulnerability Alert 24425, Version 3, November 2, 2011
Urgency/Credibility/Severity Rating: 3/5/3

W32.Duqu is a remote access trojan that attempts to steal sensitive information, initiate remote application download, and provide back door access to a remote attacker. Virus definitions are available. IntelliShield has updated this alert to include information about a vulnerability in the Microsoft Windows platform that the W32.Duqu trojan could leverage to infect a targeted system. ICS-CERT and multiple anti-virus vendors have also released security alerts with virus descriptions for this trojan.

Physical

Robberies Prompt Police to Warn Restaurants About Mobile Phone Orders

Following a series of incidents in Chicago, IL (U.S.), police have warned area restaurants to avoid taking delivery orders from mobile callers. Criminals have placed orders and provided delivery addresses, then robbed the driver of the food and/or cash on arrival. Police have provided a list of specific numbers associated with previous robberies to the neighborhoods of Chinatown and Hyde Park in Chicago. Similar incidents have been reported in other metropolitan areas in North America.

IntelliShield Analysis: Utilization of phone numbers to identify mobile devices will ultimately prove to be ineffective against attempts to alleviate criminal incidents. Increasing availability of so-called "number portability" from landlines to Voice over IP (VoIP) or mobile service providers makes confident identification of any phone number less certain. In addition, the "single number reach" feature of some telephony providers further obfuscates where calls originate. The security of people and resources for delivery on demand of food and other goods would be best protected through screening of the physical locations instead of the method used to place the order. With the availability of online ordering for delivery from restaurants, filtering by order destination may be the only option left to firms that provide such services.

Legal

Former Employee Sued Over Twitter Account Followers

The South Carolina Internet company PhoneDog LLC has filed a lawsuit against a former employee. The employee, Noah Kravitz, left the company and changed his Twitter account name from PhoneDogNoah to his own name, NoahKravitz, retaining the roughly 17,000 Twitter followers he had at the end of his employment. PhoneDog LLC maintains that those followers belong to the company and not to the individual. Mr. Kravitz began work for a competitor and now has over 24,000 Twitter followers, further clouding the issue. Extenuating circumstances include a lawsuit over back pay and ad revenue filed against PhoneDog LLC by Mr. Kravitz.

IntelliShield Analysis: Social media can provide an effective way to gauge customer sentiment and maintain contact with customers. The use of social media in the name of an enterprise should also be subject to an approved corporate policy. When an enterprise uses social media for customer contact and communication, that enterprise is advised to create IDs associated with and in the name of the enterprise. Those IDs should be the responsibility of a group of employees that manages the IDs and would remain with the enterprise in the event of employee turnover.

Trust

Government Advisory Board Recommends Censorship to Journals

Taking an unprecedented step, the U.S. National Science Board for Biosecurity recommended that the journals Nature and Science censor specific details before publishing reports by two teams of researchers who produced dangerous mutations of H5N1 (bird flu). In particular, the government advisory board wants the journals not to print details that could help terrorists replicate the research to weaponized proportions. Scientists and researchers have objected, claiming that censoring the reports could curtail academic discourse and hinder the people who create vaccines and seek ways to protect humans from pandemics. The board has said that the full version of the research could be shared with selected scientists, but that figuring out how to distribute the sensitive information is the job of other government agencies.

IntelliShield Analysis: While the editors of Nature and Science consider the ramifications, the board's action has spurred debate over publication of sensitive material, as well as highlighted naiveté in believing the material will not wind up on the Internet. Concerns over government censorship of scientific information may pale beside the ethical implications of publishing the methodology for creating an airborne virus, or publication may lead other researchers to a cure for this strain of influenza. The board cannot force the journals to censor the material. The research is already public knowledge. One of the research teams has said that no fewer than 100 labs and 1000 scientists should have access to the material, virtually guaranteeing rapid Internet dissemination by those with differing opinions on the use of this information. With a Pandora's Box already open, security experts should continue to educate users about data classification; however, ethics may prove more of a multiple choice exam.

Identity

Stratfor, Qihoo 360, and ONE Join Latest Websites Compromised

Between Christmas and the first days of 2012, attackers compromised several high-profile websites, including Strategic Forecasting, Inc. (Stratfor), the Beijing-based search site Qihoo 360, and the Israeli ONE sports website. Attackers recovered millions of usernames and passwords from these sites, including thousands from Stratfor's site, which were posted publicly. Stratfor remains offline following the breach.

IntelliShield Analysis: Although website compromises are always worrying, several factors increase the impact of these incidents. Account credentials on several sites were stored with either weak or no encryption in the compromised databases, allowing trivial recovery and reuse. Additionally, because each of the compromises may have been politically motivated, the attackers have attempted to cause the greatest possible damage by posting recovered information publicly, rather than attempting to profit financially themselves. Site owners are advised to put effective mitigations in place, such as database encryption using salts, auditing exposed interfaces, and ensuring backup and recovery options exist, both to avoid becoming the next target and to limit the damage in case of exposure.
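The analysis above contrasts credentials stored with weak or no protection against salted storage. The following is an added example, not code from the report or from any of the sites named, showing why the distinction matters: an unsalted digest is identical for every user who chose the same password and is reversed by a lookup in a precomputed table, whereas a salted, iterated PBKDF2-HMAC-SHA256 record is unique per user and must be verified by recomputation. The iteration count, record format and the four-entry lookup table are assumptions constructed for the illustration.

```python
"""Password storage: unsalted digest versus salted, iterated hash.

Added example, not from the IntelliShield report or from any breached
site. weak_record() is the pattern the analysis warns about; strong_record()
and verify() are the salted alternative with constant-time comparison.
"""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000     # assumed work factor; tune to the hardware budget
SALT_BYTES = 16


def weak_record(password: str) -> str:
    """Weak pattern: one unsalted MD5 digest. Equal passwords give equal
    records, so a table of digests of common passwords reverses them."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def strong_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, iterated record in the form 'pbkdf2_sha256$iter$salt$hash'.
    A fresh random salt per user means equal passwords give different
    records, and no precomputed table applies."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute from the parameters stored in the record and compare in
    constant time, so timing does not leak how many bytes matched."""
    try:
        scheme, iterations, salt_hex, hash_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt, iterations = bytes.fromhex(salt_hex), int(iterations)
    except ValueError:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest.hex(), hash_hex)


# Constructed lookup table of weak records for a few common passwords,
# standing in for the large precomputed tables attackers actually use.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
WEAK_TABLE = {weak_record(p): p for p in COMMON_PASSWORDS}


def lookup_weak(record: str) -> Optional[str]:
    """Reverse an unsalted record by table lookup. There is no equivalent
    for strong_record() output, because the salt makes each record unique."""
    return WEAK_TABLE.get(record)


if __name__ == "__main__":
    # Two users who chose the same common password.
    a, b = weak_record("letmein"), weak_record("letmein")
    print("weak records identical:", a == b, "| recovered:", lookup_weak(a))
    sa, sb = strong_record("letmein"), strong_record("letmein")
    print("strong records identical:", sa == sb, "| recovered:", lookup_weak(sa))
    print("verify right password:", verify("letmein", sa))
    print("verify wrong password:", verify("letmeout", sa))
```

The record carries its own iteration count and salt, so the work factor can be raised later and old records re-verified and upgraded at the user's next login without a format change.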

Human

Cyberbaiting on the Rise

Cyberbaiting is the practice of taunting or provoking others for the purpose of producing entertainment to be posted on the web. Cyberbaiting is on the rise, with the most prevalent arena being school teachers. In these situations, students often provoke teachers to their wits' end, at which point the students record the ensuing tantrums and post them online, most often on YouTube. The Norton cyber security company recently reported that 21 percent of teachers worldwide have either experienced cyberbaiting personally or know a colleague who has. Taken a step further, Norton's research indicates that only 51 percent of teachers said their schools have guidelines in place for social media communication. Teachers feel threatened. Some say mob mentality, among other psychological aspects, is to blame. At its core, cyberbaiting is seen as a form of bullying.

IntelliShield Analysis: Personal and social responsibility are the first things that come to mind when reading such reports. What happened to "treat thy neighbor as thyself"? The security engineer in us may jump to the conclusion that, in a society where everyone now has recording capabilities (among many other options) in their phones, these aspects should be addressed in policies for that environment. At the very least it can surely be considered. With that same train of thought, you encounter the fact that only 51 percent of teachers said their schools have guidelines in place for social media communication. Firstly, does or will this even apply to students, or is it just for teachers? How could it be enforced? You can suspend or terminate a teacher's job, but what about a student?

There are many reasons for such behavior to ensue. Teachers feel they are under attack; cyber experts say it is simply "new tools in the hands of impulsive teens." Massachusetts Aggression Reduction Center's Executive Director Elizabeth Englander may have hit the nail on the head when she stated, "the real problem is that we are not teaching our children how to think about and to control the use of technology."

The trend continues to grow as the Internet provides a "seemingly" anonymous medium to post and share events, be they positive or negative. Some may view this as nothing major, nothing that impacts them, as they are not in a classroom, but let's ask the question in a more general sense: what stops this trend from being focused on teachers only? How many others are susceptible to being baited, and to finding their worst "self" posted on the Internet? Anyone could be next, which is why it is imperative that, as a society and as a security community, education surrounding these events, and the proper use of technology and behavior, be instilled in today's society.

Geopolitical

Tech Companies Watching Close Taiwan Presidential Election

A major Taiwan electronics manufacturer is offering its mainland China-based expat employees extra time off and a free flight home to Taiwan for the annual spring holidays in hopes that they will vote for incumbent Ma Ying-Jeou in the January 14th presidential elections, according to the Sydney Morning Herald. President Ma looked set for easy reelection a few months ago, but unhappiness over the global economy and Ma's accommodative stance toward the mainland, along with the late entrance of a third candidate, could siphon just enough votes away from President Ma to hand victory to the pro-independence Democratic Progressive Party candidate.

IntelliShield Analysis: Taiwan's success as an electronics design and manufacturing powerhouse – producing more than half of the world's microchips, nearly 70 percent of computer displays, and 90 percent of portable computers, according to The Economist – is due in part to its close working relationship with mainland China. Taiwan's electronics firms continue to benefit from labor and operating costs that are still comparatively low on the mainland. The global electronics supply chain now depends upon improved communications and travel links between Taiwan and China. At the same time, the status of Taiwan remains one of the People's Republic of China's most sensitive political issues, as well as a bone of contention between the PRC and the United States. While the close economic interdependence between Taiwan and China militates against a dramatic cooling of relations, should the opposition DPP candidate Tsai Ying-Wen pull out a victory, technology firms may need to monitor future impact on trade law, cyber threats, supply chain, and military priorities.

Upcoming Security Activity

International Conference on Cyber Security (ICCS 2012): January 9–12, 2012
Cyber Defence & Network Security conference: January 24–27, 2012
RSA Conference: February 27–March 2, 2012
CanSecWest 2012: March 7–9, 2012
Black Hat Europe: March 14–16, 2012

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Taiwan Elections: January 14, 2012
World Economic Forum (Davos): January 25–29, 2012

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
