Cyber Risk Report

January 30–February 5, 2012

The IntelliShield Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. The Cyber Risk Reports are a result of collaborative efforts, information sharing, and collective security expertise of senior analysts from Cisco security services that include the IntelliShield team (IntelliShield Alert Manager, Applied Intelligence, and IPS), ROS, PSIRT, the Corporate Security Programs Organization, and Legal Support.

Vulnerability

Vulnerability activity increased significantly for the period, roughly doubling the normal volume. The increase was primarily due to large security updates from Apple and VMware for multiple products. Other vulnerability activity included Symantec updates for pcAnywhere (reversing their previous recommendations), Mozilla Firefox 10 correcting multiple vulnerabilities, and updates for HP Diagnostics, IBM SPSS Oracle Hash Collisions, PHP, Python, Apache HTTP Server, and a sudo local privilege escalation vulnerability impacting most Linux- and Unix-based systems.

In threat activity, Cisco continues to see scanning and attacks on the Microsoft Windows Media Player vulnerability reported in IntelliShield alert 24880, and multiple sources are reporting phishing and spam campaigns targeting Facebook changes, Super Bowl XLVI events, and tax and IRS activity during the current U.S. tax season.

Microsoft is scheduled to release the Security Bulletins for February 2012 on February 14, 2012. The pre-release announcement of the February bulletins is scheduled to be released on February 9, 2012.

In annual and monthly statistics, IntelliShield metrics show that 2011 closed with an increase in vulnerability activity for the year, as expected. Throughout 2011, activity levels ran slightly above 2010 levels and finished the year with a total 3 percent increase. While this is a small increase, it reverses a trend of declining annual vulnerability metrics since 2009. Another significant point in the 2011 metrics is that new vulnerability alerts increased significantly over 2010 totals, while updated vulnerability activity decreased. These metrics indicate that the number of vulnerabilities impacting multiple products decreased, while new vulnerabilities impacting specific products increased. For security teams, this means an increase in risk and patch management activity, further complicated by the growing number of virtual and cloud systems, management platforms, and providers. Despite the growing number of vulnerabilities reported, Cisco and other security organizations continue to report that major breaches, compromises, and attacks do not usually target or exploit most of these new vulnerabilities. Instead, they focus on exploiting users and user errors, and on common, widely known vulnerability classes such as SQL injection, flooding-type denial of service attacks, and cross-site scripting. The other area of significant threat activity is older vulnerabilities for which updates are available, such as Java vulnerabilities, that are exploited using attack and exploit toolkits.

IntelliShield published 227 events last week: 56 new events and 171 updated events. Of the 227 events, 181 were Vulnerability Alerts, eight were Security Activity Bulletins, 10 were Security Issue Alerts, 27 were Threat Outbreak Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New  Updated  Total
Friday        02/03/2012     8       16     24
Thursday      02/02/2012    22       43     65
Wednesday     02/01/2012    16       31     47
Tuesday       01/31/2012     5       49     54
Monday        01/30/2012     5       32     37
Weekly Total                56      171    227


2012 Monthly Alert Totals

Month         New  Updated  Monthly Total
January       208      344            552
Annual Total  208      344            552


Previous Alerts That Still Represent Significant Risk

Microsoft Windows Media Player MIDI File Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 24880, Version 3, January 30, 2012
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-4108

Microsoft Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Updates are available. Proof-of-concept code that exploits the Microsoft Windows Media Player MIDI file processing arbitrary code execution vulnerability is publicly available. Reports indicate malware activity exploiting this vulnerability has been observed in the wild.

Apache HTTP Server Reverse Proxy Rewrite URL Validation Vulnerability
IntelliShield Vulnerability Alert 24625, Version 3, February 3, 2011
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-4317

Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to gain unauthorized access to internal networks. Apache has not confirmed the vulnerability and software updates are not available. The vulnerability is due to a regression error introduced by the vulnerability CVE-2011-3368, documented in IntelliShield alert 24327. Proof-of-concept code that exploits the vulnerability is publicly available.

Multiple Products Hash Collisions Denial of Service Vulnerability
IntelliShield Security Activity Bulletin 24871, Version 6, January 31, 2012
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-4461, CVE-2011-4815, CVE-2011-4885

Multiple products contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. Updates are available. Apache, Microsoft, CentOS, IBM, Ruby, FreeBSD, and Red Hat have released security advisories and updates.

OpenSSL Datagram Transport Layer Security Plaintext Recovery Issue
IntelliShield Vulnerability Alert 24893, Version 7, January 30, 2012
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-4108

OpenSSL versions prior to 0.9.8s and versions prior to 1.0.0f contain an issue that could make it easier to recover plaintext information from encrypted text. Cisco has discovered a potential issue in the patch for the OpenSSL Datagram Transport Layer Security plaintext recovery issue. OpenSSL, CentOS, FreeBSD, HP, and Red Hat have released security advisories and updates.

Oracle Java Applet Rhino Script Engine Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 24470, Version 6, January 24, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-3544

Multiple versions of Oracle Java contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Oracle and multiple other vendors have confirmed this vulnerability and released updated software. Functional code that demonstrates an exploit is publicly available.

Oracle Java SE Critical Patch Update October 2011
IntelliShield Vulnerability Alert 24433, Version 8, January 24, 2011
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2011-3389, CVE-2011-3516, CVE-2011-3521, CVE-2011-3544, CVE-2011-3545, CVE-2011-3546, CVE-2011-3547, CVE-2011-3548, CVE-2011-3549, CVE-2011-3550, CVE-2011-3551, CVE-2011-3552, CVE-2011-3553, CVE-2011-3554, CVE-2011-3555, CVE-2011-3556, CVE-2011-3557, CVE-2011-3558, CVE-2011-3560, CVE-2011-3561

Oracle has released the Oracle Java SE Critical Patch Update for October 2011. The update addresses 20 new security vulnerabilities. An unauthenticated, remote attacker could leverage several of the vulnerabilities to completely compromise an affected system. Oracle, Apple, CentOS, HP, and Red Hat have released security advisories and updates.

Apache HTTP Server Overlapping Ranges Denial of Service Vulnerability
IntelliShield Vulnerability Alert 24004, Version 22, January 24, 2012
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-3192

Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. Proof-of-concept code that exploits this vulnerability is publicly available. Apache has confirmed this vulnerability and updated software is available. Oracle and multiple additional vendors have released security advisories. HP has released an additional security bulletin. MontaVista has released a security alert and updated software. Cisco has re-released a security advisory and updated software.

Adobe Acrobat and Reader Universal 3D Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 24698, Version 6, January 26, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-2462

Adobe Reader and Acrobat contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Targeted attacks against Adobe Reader version 9.4.6 on Microsoft Windows operating systems have been observed in the wild. Adobe has released a security bulletin and software updates to address the Adobe Acrobat and Reader Universal 3D remote code execution vulnerability. Functional code that exploits this vulnerability is available as part of the Metasploit framework. FreeBSD has released a security bulletin and updated technical details.

Oracle Critical Patch Update January 2012
IntelliShield Vulnerability Alert 24972, Version 1, January 18, 2012
Urgency/Credibility/Severity Rating: 2/5/3

Oracle has released the January 2012 Critical Patch Update. The update contains 78 new security fixes that address multiple Oracle product families. The fixes correct multiple vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service condition on targeted systems.

ISC BIND Recursive Query Processing Denial of Service Vulnerability
IntelliShield Vulnerability Alert 24590, Version 11, January 4, 2012
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-4313

ISC BIND version 9 contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system. External reports indicate that this vulnerability is being actively exploited in the wild, as DNS server crashes have been observed; however, it has not been fully determined that exploitation of this vulnerability is the root cause of the recently observed crashes. ISC and multiple vendors have confirmed this vulnerability and released updated software.

Microsoft Windows TrueType Font Parsing Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 24500, Version 3, December 13, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-3402

Microsoft has released a security advisory to address the TrueType font parsing remote code execution vulnerability. Reports suggest that this vulnerability is being exploited by W32.Duqu to install itself on a targeted system. This trojan has been documented in IntelliShield Alert 24425.

Physical

Securing The Super Bowl using 21st Century Technology

Indianapolis, Indiana, has gone to extreme financial and technical lengths in an effort to make the 2012 edition of the Super Bowl (Super Bowl XLVI) the most secure ever. In addition to the use of iPhones, iPads, gamma ray scanners, and night vision cameras, Indianapolis and Marion County have invested $18 million in publicly financed bonds to build a Regional Operations Center (ROC), which will serve as the centerpiece of security for the Super Bowl.

IntelliShield Analysis: We now live in a highly techno-centric world in which increasingly sophisticated technologies and tools are available to both the good guys and the bad guys. In this ever-present, real-life game of cat-and-mouse, the law enforcement community has become heavily dependent on these technologies to combat those who wish to bring harm and destruction to our society. We can only hope that, regardless of the outcome on the football field, the winners of the crime game are those who are using technology for the right reasons. On a visit over the weekend to the Super Bowl Experience in Indianapolis, outside Lucas Field, we were particularly impressed with the transparency of the security. There were the expected uniformed police officers and people in yellow "Security" shirts, but the technology, other officers, and security teams were nearly transparent to the Super Bowl visitor. In the downtown area there were no obvious security checkpoints with bag inspections or metal detectors, and no overly ominous physical security presence. To the trained eye it was certainly present, but you had to look for it or would otherwise not notice. This itself is a major accomplishment for the security teams, and one for which they deserve high credit. Unlike the "security theater" practices most of us now accept, security that stays transparent while maintaining the required high levels of protection should be the goal for all security organizations, in workplaces, public venues, and transportation.

Legal

Tourists Refused Entry to United States Based on Twitter Content

Two tourists were detained, questioned, and subsequently deported by the U.S. Department of Homeland Security (DHS) as a result of comments posted on Twitter by one of the two. The tweets in question alleged that the two were going to "destroy America" and tamper with the grave of Marilyn Monroe. During questioning by the DHS, the pair stated that 'destroy' was British slang for having fun and that the other tweet referred to a quote from the American comedy show 'Family Guy.' DHS officials went so far as to search their belongings for spades and shovels before releasing them onto a return flight to Britain.

IntelliShield Analysis: The desire of national security agencies, including those of the U.S., to monitor social media feeds is well known. The incident with the two tourists highlights the legal questions raised when monitoring agencies flag data as threatening. Beyond the challenge of determining actual intent in the context of cultural nuance and language, there is the larger issue of whose laws ultimately apply. In this specific instance, both Britain and the U.S. would seem to have an interest in the incident. With the issue of free speech additionally considered, resolving any situation of this nature will prove complex, if not outright political. Absent any established precedents on which agencies can agree, persons using social media need to be mindful that their content could be considered threatening or offensive, particularly if they plan to travel to locations where the laws and cultural idioms differ from their own.

Trust

Twitter Censorship and Transparency

Twitter has become very transparent in its handling of DMCA requests and the removal of content in response to them, posting that information and its responses publicly, and has now announced a country-by-country withholding policy, to the ire of many activists and persons in more tightly censored countries. Twitter has clarified and explained its position on the policy, but many are characterizing it as censorship of the Internet.

IntelliShield Analysis: Twitter has grown into a site that processes over a billion tweets per day. Twitter will continue to try to avoid legal risk and physical security risk to employees by selectively blocking tweets on a per-country basis. Freedom advocates are correctly pointing out the influence of Saudi billionaire investor Prince Alwaleed bin Talal; however, in the end Twitter's transparency should deflect criticism from freedom advocates. Universal Music Group and others who request that tweets be taken down should take the blame. DMCA takedown requests have actually dropped since the Twitter policy change. Is this because of the transparency? Other entrants may fill the tweet void if there are wholesale changes.

Identity

How to Prevent Google from Tracking You

Many online users have voiced concerns regarding Google's new privacy policy, set to go into effect on March 1, 2012. The concern is the potential misuse of personal information (including information sharing) by Google. This concern has many wondering how much information is being tracked by Google and by other constituents such as advertisers and marketers. How much can they determine about a person? Who is tracking whom?

Organizations such as the Electronic Frontier Foundation, along with programs and applications such as the Network Advertising Initiative's opt-out program and various browser extensions, add-ons, and apps (including some from Google itself), are available to help alleviate various facets of tracking. These techniques range widely, from deleting or not storing cookies to de-personalizing searches, and also provide the ability to block or unblock (whitelist) individual sites.

IntelliShield Analysis: The saga of convenience and meaningful features versus security (specifically privacy, in this case) continues. Years ago these very features were viewed as Web and Internet enhancements to the user experience. The continuing evolution of security, and society's education on the matter, continues to feed the fear, uncertainty, and doubt (FUD) factor.

There is always a proverbial flag to be raised, in an attention-grabbing fashion, when one of the solutions offered comes from the same company or organization that has a stake in the issue. Does the organization truly mean well and simply want to provide users the experience and options they rightfully desire, or is there more at play? By the same token, the irony continues: it takes only an instant (and a seamless one at that) to gather such information and details on users (that is, to track them), yet the solutions are more inconvenient, in that users must download and install software and apps, not to mention configure and specify options, requirements, and details for proper provisioning based on their needs. While the saga indeed continues, the fact that it is even a discussion and point of contention is proof positive that society's eyes and ears are open and that education in the security realm continues to grow.

Human

There was no significant activity in this category during the time period.

Geopolitical

New Censorship Policies by Social Media Sites Raise Hard Questions

Last week, Google's Blogger service announced that it would block posts in countries where the content violates the laws of that country. According to a Q&A section on the Google website, the company is migrating to the use of country-code top-level domains (ccTLDs) in order to facilitate country-by-country management of content. The announcement is similar to a policy change late last month by Twitter. The microblogging site announced that it would reactively withhold content from users in a specific country while keeping it available in the rest of the world. According to Twitter, followers will be informed when and where a tweet has been withheld. Twitter will also publicly record tweet removals, which will take place after company review. Activists and privacy advocates, including Amnesty International and the OpenNet Initiative, were critical of the announcement. The policy was criticized in some articles as a turnabout from last spring, when activists in the Arab world used Twitter, among other communication methods, to organize protests, record the unfolding of events, and gather public and international support.

IntelliShield Analysis: The announcements by Google and Twitter are probably less a turnabout than an evolution, and one that information and communications companies around the world may watch closely. Social media, propelled by globalization, has in its short lifespan clashed spectacularly with diverse cultures and government systems. Ultimately, multinational companies must abide by the laws of the countries in which they operate. These companies' supporters argue that it may be preferable, from both a business perspective and a free-speech perspective, for a social media company to remain operational in a country and comply with censorship requests than to be banned outright, as both Twitter and Google are in some countries. As these fundamental questions are debated, information specialists at multinational companies may want to prepare for possible vigilante attacks against corporate network infrastructure when new policies are announced, while brand protection specialists can expect to field head-on reputation challenges.

Upcoming Security Activity

RSA Conference: February 27–March 2, 2012
CanSecWest 2012: March 7–9, 2012
Global Privacy Summit: March 7–9, 2012
Black Hat Europe: March 14–16, 2012
Cisco Live US: June 10–14, 2012

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Presidential Election in Russia: March 4, 2012
World IPv6 Launch: June 6, 2012
2012 Summer Olympics: July 27–August 12, 2012

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit:
Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit:
Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
