Cyber Risk Report

July 19–25, 2010

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity for the period was consistent with previous periods. Significant activity for the period includes security updates from Microsoft, Cisco, Mozilla, and Apple. Multiple vendors are reporting on the Stuxnet worm, reported in IntelliShield alert 20915, which is currently exploiting a Microsoft vulnerability and includes public database credentials for Siemens WinCC SCADA (Supervisory Control And Data Acquisition) systems. Microsoft has released a security advisory with workarounds, but security fixes are not available. IntelliShield alert 20918 contains information about the initial vulnerability in Microsoft Windows that is exploited by the Stuxnet worm. Activity reports suggest that the Stuxnet worm is most active in Iran and India.

Cisco released a security advisory, reported in IntelliShield alert 20853, to address an Internet Streamer Content Delivery System web server directory traversal vulnerability. The Cisco Internet Streamer application is part of the Cisco Content Delivery System (CDS). The directory traversal vulnerability in its web server component allows access to arbitrary files.

Mozilla released multiple security advisories for Firefox, SeaMonkey, and Thunderbird. Mozilla also released Firefox 3.6.7 to address several vulnerabilities. Apple released iTunes version 9.2.1 which addresses a buffer overflow vulnerability that could allow arbitrary code execution. Users are advised to update these frequently targeted applications.

Black Hat USA began this past weekend in Las Vegas, Nevada. Multiple pre-conference reports have appeared over the past period highlighting some of the presentations and topics to be discussed at this year's conference. Cisco Security Intelligence Operations will be presenting the training session, Detecting & Mitigating Attacks Using Your Network Infrastructure. Cisco Security Intelligence Operations information and team members will be available at the Cisco booth.

The Cisco 2010 Midyear Security Report is now available for download. The report examines the "tectonic forces of change" that are currently reshaping the security landscape and includes guidance from Cisco security experts to help businesses improve enterprise security by 2011. The report also highlights:

  • Results and analysis from two new Cisco studies: one focused on employee collaboration and the other on the concerns of IT decision-makers worldwide
  • International trends in cyber-security and their potential impact on business
  • Insight into how hackers penetrate soft spots in enterprise security to steal sensitive data and sell it to the highest bidder
  • An update on global spam trends since late 2009 and spam volume predictions for 2010

IntelliShield published 102 events last week: 66 new events and 36 updated events. Of the 102 events, 75 were Vulnerability Alerts, five were Security Activity Bulletins, three were Security Issue Alerts, 17 were Threat Outbreak Alerts, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date        New  Updated  Total
Friday        07/23/2010   15        5     20
Thursday      07/22/2010   13       18     31
Wednesday     07/21/2010    9        4     13
Tuesday       07/20/2010    5        5     10
Monday        07/19/2010   24        4     28
Weekly Total               66       36    102


Significant Alerts for July 19–25, 2010

Microsoft Windows .lnk File Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20918, Version 3, June 21, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-2568

Microsoft Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system. A functional exploit that is part of the Metasploit framework is publicly available. Microsoft has re-released a security bulletin with updated workarounds and additional information about attack vectors used to exploit the Microsoft Windows .lnk file processing arbitrary code execution vulnerability.

Microsoft Windows .lnk File Vulnerability Used for Malware Outbreak Targeting SCADA Systems
IntelliShield Vulnerability Alert 20915, Version 3, June 20, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-2568

New malware, called W32/Stuxnet-B, has been reported. This malware propagates using USB drives apparently infected with malformed shortcut (.lnk) files. F-Secure detects the LNK exploit as Exploit:W32/WormLink.A. Reports suggest that the malformed shortcuts exploit a remote code execution vulnerability in Microsoft Windows, which has been reported in IntelliShield Alert 20918. Siemens has confirmed that its products are being affected by the malware outbreak targeting SCADA systems.

Previous Alerts That Still Represent Significant Risk

Oracle Java Web Start Java Development Kit ActiveX Control Command-Line Injection Vulnerability
IntelliShield Vulnerability Alert 20314, Version 5, July 22, 2010
Urgency/Credibility/Severity Rating: 3/5/4

Oracle Java contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands on the system with the privileges of the user. Systems with Oracle Java JRE and JDK 6 Update 10 and later contain the affected ActiveX control and are vulnerable. Red Hat has released an additional security advisory and updated packages to address the Oracle Java Web Start Java Development Kit ActiveX control command-line injection vulnerability.

DNSSEC-Enabled Queries to the DURZ Serving Root May Affect DNS Services
IntelliShield Vulnerability Alert 20418, Version 2, July 15, 2010
Urgency/Credibility/Severity Rating: 2/5/3

Signed root DNS zones are designated to go into effect during a maintenance window July 15, 2010, establishing the availability of DNSSEC-enabled queries.

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 59, July 13, 2010
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-3555

Multiple Transport Layer Security (TLS) implementations contain a vulnerability when renegotiating a TLS session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Proof-of-concept code that exploits this vulnerability is publicly available. HP has released an additional security bulletin and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Microsoft Exchange Server Outlook Web Access Cross-Site Request Forgery Vulnerability
IntelliShield Vulnerability Alert 20854, Version 1, July 9, 2010
Urgency/Credibility/Severity Rating: 2/4/3

Microsoft Exchange Server contains a vulnerability that could allow an unauthenticated, remote attacker to conduct cross-site request forgery attacks on an affected site. Proof-of-concept code that exploits this vulnerability is publicly available. Updates are not available.

Multiple Adobe Products Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20625, Version 7, July 1, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-1297

Multiple Adobe products contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system or cause a denial of service (DoS) condition. Functional code that exploits this vulnerability is available. Adobe has confirmed this vulnerability and released updated software.

Microsoft Windows Help and Support Center Whitelist Bypass Vulnerability
IntelliShield Vulnerability Alert 20691, Version 6, July 15, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-1885

Exploits of the Microsoft Windows Help and Support Center whitelist bypass vulnerability are being observed in the wild. Microsoft has confirmed this vulnerability in a security bulletin and released updated software.

Microsoft SharePoint Server 2007 Cross-Site Scripting Vulnerability
IntelliShield Vulnerability Alert 20415, Version 3, June 8, 2010
Urgency/Credibility/Severity Rating: 2/5/3

Microsoft SharePoint Server 2007 versions SP2 and prior contain a cross-site scripting vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary HTML or script code in a user's browser. Proof-of-concept code that exploits this vulnerability is publicly available. Microsoft has confirmed this vulnerability and released software updates.

Kernel Hook Bypassing Engine Affects Multiple Security Applications
IntelliShield Vulnerability Alert 20433, Version 2, May 13, 2010
Urgency/Credibility/Severity Rating: 2/4/4

A security research team has created a tool that is able to bypass security software protections provided by host-based security software on Microsoft Windows systems and execute arbitrary code with kernel privileges.

Physical

Dell Distributes Motherboards Infected with Malicious Code

Computer manufacturer Dell has confirmed that a number of motherboards shipped to customers were infected with a worm known as SpyBot. The worm resides in the flash memory of replacement motherboards for Dell PowerEdge R310, R410, R510, and T410 systems. Systems shipped directly from the Dell factory are not affected. Additionally, the worm only affects PowerEdge devices running the Windows operating system. More information about the SpyBot worm is available in IntelliShield alert 5989.

IntelliShield Analysis: Dell has responded to this situation by calling affected customers and scheduling technician visits to replace infected motherboards. Most antivirus products have definition files to detect and clean SpyBot worm infections; however, these products are designed to detect infections on hard drives and other storage media. There is no guarantee that these products will detect infections in a motherboard's flash memory. The bigger problem is that a hardware infection would bypass most security defenses, because new hardware is typically considered trusted and safe to install. Organizations that may be impacted should contact Dell for additional information.

Legal

There was no significant activity in this category during the time period.

Trust

Certificates Revoked After Use in Stuxnet Malware

Microsoft recently collaborated with Verisign to revoke certificates issued to Realtek and JMicron, two hardware companies whose private keys for their driver-signing certificates were apparently compromised. These companies' signatures were used to sign malicious drivers distributed as part of the Stuxnet malware that has recently targeted SCADA systems via USB drives. Realtek and JMicron were issued new certificates to sign future drivers.

IntelliShield Analysis: Some reports, which appear to originate with Sophos' Mike Wood, indicate that signed drivers whose certificates have been revoked will continue to function if they were signed prior to the revocation date. Only drivers signed with a revoked certificate after the revocation date will not load. If this is true, then this action by Microsoft and Verisign will apparently only prevent the malware distributors from further signing additional malware with Realtek and JMicron's compromised private keys. If Wood and others are not correct, then organizations using Realtek and JMicron hardware with signed drivers may soon notice that their hardware is not functioning as expected.
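The revocation-date rule the analysis describes, as an added Python example (not code from the report, and not Microsoft's implementation): a driver's signing time, as attested by a timestamp countersignature, is compared with the certificate's revocation date, so a malicious driver timestamped before revocation still loads, which is exactly the limitation the analysis points out. The CRL entry, serials, file names and dates are constructed placeholders, and the handling of untimestamped signatures (evaluated as of the current time) is an assumption of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed, hypothetical CRL entry: certificate serial -> revocation date (UTC).
# The serial and date are made up for illustration, not Realtek's or JMicron's.
CRL: Dict[str, datetime] = {"0a1b2c3d": datetime(2010, 7, 16, tzinfo=timezone.utc)}
NOW = datetime(2010, 7, 25, tzinfo=timezone.utc)  # constructed evaluation time


@dataclass
class SignedDriver:
    name: str
    cert_serial: str
    # Signing time asserted by a trusted timestamp countersignature,
    # or None if the signature carries no timestamp.
    timestamp: Optional[datetime]


def trust_decision(drv: SignedDriver, crl: Dict[str, datetime], now: datetime) -> Tuple[bool, str]:
    """Rule from the analysis: a driver signed before the certificate's revocation
    date keeps loading; one signed on or after that date is rejected.
    Assumption added here: without a trusted timestamp the signing time cannot be
    verified, so the signature is evaluated as if it were made 'now'."""
    revoked_at = crl.get(drv.cert_serial)
    if revoked_at is None:
        return True, "certificate not on CRL"
    signed_at = drv.timestamp if drv.timestamp is not None else now
    if signed_at < revoked_at:
        return True, f"timestamped {signed_at:%Y-%m-%d}, before revocation on {revoked_at:%Y-%m-%d}"
    return False, f"signed {signed_at:%Y-%m-%d}, on or after revocation on {revoked_at:%Y-%m-%d}"


def evaluate(drivers: List[SignedDriver], crl: Dict[str, datetime] = CRL, now: datetime = NOW) -> Dict[str, bool]:
    """Return name -> load decision for a batch of drivers."""
    return {d.name: trust_decision(d, crl, now)[0] for d in drivers}


# Constructed sample: a legitimate driver and a malicious one both timestamped before
# revocation, a malicious one signed afterwards, one with no timestamp, and one
# from a certificate that was never revoked.
SAMPLE_DRIVERS = [
    SignedDriver("vendor_legit.sys", "0a1b2c3d", datetime(2010, 3, 2, tzinfo=timezone.utc)),
    SignedDriver("malicious_signed_earlier.sys", "0a1b2c3d", datetime(2010, 1, 25, tzinfo=timezone.utc)),
    SignedDriver("dropped_after_revoke.sys", "0a1b2c3d", datetime(2010, 7, 20, tzinfo=timezone.utc)),
    SignedDriver("no_timestamp.sys", "0a1b2c3d", None),
    SignedDriver("other_vendor.sys", "ffee0011", datetime(2009, 11, 1, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for d in SAMPLE_DRIVERS:
        ok, why = trust_decision(d, CRL, NOW)
        print(f"{d.name:30} {'LOAD' if ok else 'BLOCK':5} {why}")
```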

Identity

There was no significant activity in this category during the time period.

Human

Trading Privacy for Convenience

During a product demonstration of a real-time GPS tracking program, the smartphone on which the program was actively in use was snatched out of the hands of the user by a thief on a bicycle. Since the program continued to run as the thief was riding away from the victim, police were able to locate and arrest him within ten minutes of the robbery.

IntelliShield Analysis: While the privacy issues raised by the use of GPS technology in mobile devices (including automobiles) are not new, real-life examples continue to demonstrate how the information provided by such devices may have unintended consequences. Excluding bona fide cases involving law enforcement, the ability to track GPS-equipped devices or access repositories of tracking data represents significant risk for end users, vendors, and service providers alike. The accuracy of GPS in the United States, often within three meters, can be used for emergency calls as well as services that locate GPS-enabled devices. Even though the GPS functionality can be disabled in most cases, end users generally leave it enabled so that applications that use GPS data can function properly. A compromise of any system that captures and stores such data has multiple implications. Companies that market this capability need to ensure that appropriate safeguards are in place and that their customers understand the trade-off of privacy for convenience or, ironically, personal security.

Geopolitical

Israel Woos Tech Startups

The government of Israel is offering tax breaks and other sweeteners for technology startups and entities that invest in them, according to Finance Ministry officials. Technology accounts for 40 percent of Israel's exports, so measures to correct the damage done to the sector by the global financial crisis are a government priority. Many of Israel's brightest young entrepreneurs, meanwhile, have been seeking opportunities in Europe and the United States, and the number of technology graduates from Israeli universities is on the decline. Tel Aviv will offer incentives to foreign banks that support financial technology research in-country, guarantees for Israeli pension funds that invest in technology-focused venture capital firms, and income tax breaks for technologists who return to Israel.

IntelliShield Analysis: Israel is not the only country worried about losing its technological edge. Alarmed by the sheer volume of students graduating with technology degrees from Chinese and Indian universities, governments from Moscow to Canberra to Washington, DC are offering incentives for tech companies and entrepreneurs. Government planners are hoping public investment in technology will help offset the numerical advantage enjoyed by these emerging technology powerhouses. For information technology specialists, however, the flood of government money into IT may not only increase costs but also increase the risk that inexperienced employees are given more responsibility sooner than they can handle it. Trusted foreign engineers may be more likely to be lured away by generous incentives offered in their home countries, taking valuable intellectual property and know-how with them, while the influx of public funding for technology may increase the proportion of sensitive national data to be protected by private enterprises.

Upcoming Security Activity

Black Hat USA (Las Vegas): July 24–29, 2010
DEFCON 18: July 29–August 1, 2010
BSides Las Vegas: July 28–29, 2010
USENIX Security: August 11–13, 2010

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

World Expo (Shanghai, China): May 1–October 31, 2010
Ramadan: August 11–September 8, 2010

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
