Cyber Risk Report

April 16–22, 2012

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity for the period increased, primarily because of multiple vendor updates for previously known vulnerabilities. HP, CentOS, and MontaVista released multiple updates for Apache HTTP Server, Apache Tomcat, and the Linux kernel. Additional vulnerability activity for the period includes security advisories for McAfee Web Gateway, IBM Tivoli, and HP OpenVMS, multiple vulnerabilities in WordPress, and new vulnerabilities in WebKit and OpenSSL.

Oracle released the April 2012 Critical Patch Update (CPU). The update contains 94 new security fixes that address multiple Oracle product families. Since the initial release, additional details on some of the vulnerabilities have been publicly released, but there is currently no reported exploit activity associated with them.

Reports of Industrial Control System and SCADA vulnerabilities continue to increase, with vulnerabilities reported in Siemens, KOYO, Microsys, and Atvise systems.

Investigation of the Mac OS X Flashback malware, and of the newer SabPab malware, continues. Both families exploit Java vulnerabilities, and Apple has released security updates that correct those vulnerabilities. Tools from security vendors are also available to identify a compromised system and remove the malicious code.

Threat activity also included multiple tax fraud attempts and attacks around the U.S. tax filing deadline of April 17, 2012. Multiple spam and phishing campaigns were reported, primarily aimed at collecting or soliciting the personal information criminals need to file false tax returns and collect any refunds due.

New research on denial of service (DoS) and distributed denial of service (DDoS) attacks reported that attacks targeting the financial services sector tripled in the first quarter of 2012. The latest DoS/DDoS report from Arbor Networks supports this finding and shows a focus on application-level attacks.

IntelliShield published 166 events last week: 57 new events and 109 updated events. Of the 166 events, 124 were Vulnerability Alerts, eight were Security Activity Bulletins, nine were Security Issue Alerts, 23 were Threat Outbreak Alerts, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Friday        04/20/2012    17        23      40
Thursday      04/19/2012    10        14      24
Wednesday     04/18/2012     9        36      45
Tuesday       04/17/2012    16        32      48
Monday        04/16/2012     5         4       9
Weekly Total                57       109     166

Significant Alerts for April 16–22, 2012

OpenSSL ASN.1 asn1_d2i_read_bio() Heap Overflow Vulnerability
IntelliShield Vulnerability Alert 25706, Version 1, April 19, 2012
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2012-2110

OpenSSL contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. Proof-of-concept code that demonstrates this vulnerability is publicly available. Updates are available.

Samba Marshaling Code Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 25650, Version 3, April 19, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-1182

Samba contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on an affected system. If successful, the attacker could execute arbitrary code with root-level privileges.

Previous Alerts That Still Represent Significant Risk

Multiple Products Hash Collisions Denial of Service Vulnerability
IntelliShield Security Activity Bulletin 24871, Version 10, April 20, 2012
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-4461, CVE-2011-4815, CVE-2011-4885, CVE-2012-0193, CVE-2012-0841

Multiple products contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition by submitting many inputs whose keys collide under a predictable hash function. Updates are available. Apache, Microsoft, CentOS, IBM, Ruby, FreeBSD, Red Hat, Oracle, and HP have released security advisories and updates.
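The following is an added example, not code from the report or from any of the affected vendors, showing why these collisions are a denial of service and what the fix looks like. It uses a constructed 31*h+c string hash (the unkeyed hash family the advisories concern), a minimal chained hash table, and a keyed BLAKE2b hash standing in for the randomized hashes the vendors shipped; the bucket count and key counts are assumptions.

```python
"""Hash-flooding demonstration for the multi-product hash collision DoS.
Added example, not code from the report or from any affected vendor.
The hash, the table and the key set are all constructed here."""
import hashlib
import os
import time
from itertools import product


def java_style_hash(s: str) -> int:
    """Unkeyed 'h = 31*h + c' string hash, the predictable hash family that
    the 2011 advisories concern. Output is reduced to 32 bits."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h


def colliding_keys(n_pairs: int) -> list:
    """'Aa' and 'BB' hash identically (65*31+97 == 66*31+66 == 2112), and
    h(x + y) == h(x)*31**len(y) + h(y), so every sequence of n_pairs such
    pairs collides with every other one: 2**n_pairs keys, one hash value."""
    pairs = ("Aa", "BB")
    return ["".join(p) for p in product(pairs, repeat=n_pairs)]


def keyed_hash(key: bytes):
    """Mitigation: a per-process secret key makes the hash unpredictable, so
    a client cannot precompute collisions. BLAKE2b keyed mode stands in for
    the randomized hashes the vendors shipped (SipHash and seeded variants)."""
    def h(s: str) -> int:
        digest = hashlib.blake2b(s.encode("utf-8"), key=key, digest_size=8).digest()
        return int.from_bytes(digest, "big")
    return h


class ChainedTable:
    """Minimal separate-chaining hash table with a fixed bucket count, the
    structure whose O(n) worst-case chain the attack exercises."""

    def __init__(self, hash_fn, n_buckets: int = 1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(n_buckets)]

    def insert(self, key, value) -> int:
        """Insert and return the number of key comparisons performed."""
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(chain):
            if k == key:
                chain[i] = (key, value)
                return i + 1
        chain.append((key, value))
        return len(chain) - 1

    def longest_chain(self) -> int:
        return max(len(chain) for chain in self.buckets)


def flood(hash_fn, keys) -> dict:
    """Insert all keys (as a request parser does for POST fields) and report
    the cost: longest chain, total key comparisons and wall-clock seconds."""
    table = ChainedTable(hash_fn)
    start = time.perf_counter()
    comparisons = sum(table.insert(k, True) for k in keys)
    return {
        "longest_chain": table.longest_chain(),
        "comparisons": comparisons,
        "seconds": time.perf_counter() - start,
    }


if __name__ == "__main__":
    keys = colliding_keys(11)          # 2048 distinct keys, one hash value
    print("unkeyed:", flood(java_style_hash, keys))
    print("keyed:  ", flood(keyed_hash(os.urandom(16)), keys))
```

With 2048 colliding keys the unkeyed table performs n(n-1)/2 comparisons, so an attacker who doubles the key count quadruples the server's work; with a keyed hash the same request costs roughly n comparisons. Vendors that could not change the hash (for example, Java and ASP.NET at the time) instead capped the number of request parameters, which bounds n.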

Apache HTTP Server Reverse Proxy Rewrite URL Validation Vulnerability
IntelliShield Vulnerability Alert 24625, Version 7, April 20, 2012
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-4317

Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to use a reverse proxy to reach hosts on internal networks. The vulnerability is due to an incomplete fix for CVE-2011-3368, documented in IntelliShield alert 24327. Proof-of-concept code that exploits the vulnerability is publicly available. Apache addressed the vulnerability in Apache HTTP Server 2.2.22, and HP has released a security bulletin and updated software to address it.
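The mechanism behind this family of issues is easy to see in a few lines. The following is an added example, not Apache's code: it emulates how a RewriteRule target is assembled from the request-URI, how the resulting URL is parsed, and the leading-slash request-URI check that the CVE-2011-3368 fix introduced and that CVE-2011-4317 concerns. The rules, host names and request lines are constructed; the example does not reproduce the specific bypass.

```python
"""Reverse-proxy rewrite emulation for the mod_proxy URL validation issue.
Added example, not Apache's code. Host names and rules are constructed."""
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed configuration fragments (the [P] proxy flag is implied).
VULNERABLE_RULE = (r"^(.*)", "http://backend.internal$1")   # no '/' before $1
SAFE_RULE = (r"^/(.*)", "http://backend.internal/$1")       # path always starts with '/'


def rewrite_target(request_uri: str, rule) -> Optional[str]:
    """Apply one RewriteRule-style (pattern, substitution) to a request-URI,
    expanding $1..$9 back-references the way mod_rewrite does."""
    pattern, substitution = rule
    m = re.match(pattern, request_uri)
    if not m:
        return None
    return re.sub(r"\$(\d)", lambda ref: m.group(int(ref.group(1))) or "", substitution)


def request_uri_is_valid(request_uri: str) -> bool:
    """Non-proxy requests must carry an absolute path ('/...') or '*'.
    Without this check, 'GET @host/path HTTP/1.0' is accepted verbatim."""
    return request_uri == "*" or request_uri.startswith("/")


def proxied_host(request_uri: str, rule, validate: bool = True) -> Optional[str]:
    """Return the host the proxy would connect to for this request-URI,
    or None when the request is rejected or the rule does not match."""
    if validate and not request_uri_is_valid(request_uri):
        return None                         # HTTP 400 Bad Request
    target = rewrite_target(request_uri, rule)
    if target is None:
        return None
    # urlsplit treats text before '@' as userinfo, exactly as the proxy's URL
    # parser does: 'http://backend.internal@intranet.internal/admin' connects
    # to intranet.internal, with 'backend.internal' as the user name.
    return urlsplit(target).hostname


if __name__ == "__main__":
    # Request line as sent by the client: GET @intranet.internal/admin HTTP/1.0
    attack_uri = "@intranet.internal/admin"
    print(proxied_host("/index.html", VULNERABLE_RULE))              # backend.internal
    print(proxied_host(attack_uri, VULNERABLE_RULE, validate=False))  # intranet.internal
    print(proxied_host(attack_uri, VULNERABLE_RULE))                 # None (rejected)
    print(proxied_host("/" + attack_uri, SAFE_RULE))                 # backend.internal
```

Two defenses are independent here: the server-side request-URI check, which is what the Apache fixes adjust, and the rule itself, which should never place a substitution directly after the host name. Administrators reviewing `RewriteRule ... [P]` and `ProxyPassMatch` lines should make sure the target always has a `/` between the backend host and the first back-reference, regardless of which Apache version is deployed.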

Oracle Java Runtime Environment AtomicReferenceArray Type Violation Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 25553, Version 4, April 20, 2012
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2012-0507

Multiple versions of Oracle Java Runtime Environment (JRE) contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that exploits this vulnerability is publicly available. Oracle has confirmed this vulnerability and released software updates. Red Hat, HP, and Apple have released security advisories.

Oracle Java SE Critical Patch Update February 2012
IntelliShield Activity Bulletin 25191, Version 5, April 6, 2012
Urgency/Credibility/Severity Rating: 2/5/4
Multiple CVEs

Oracle has released the February 2012 Critical Patch Update to address multiple security vulnerabilities in multiple Oracle Java SE versions. This update remediates 14 vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on a targeted system. Oracle, CentOS, Red Hat, IBM, HP and Apple have released security bulletins and updated software.

MIT Kerberos 5 Telnet Service Buffer Overflow Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 24838, Version 8, April 5, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-4862

MIT Kerberos 5 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the system. Functional code that exploits this vulnerability is available as part of the Metasploit Framework. MIT has confirmed the vulnerability and released software updates. Oracle, VMware, Cisco, FreeBSD, GNU.org, and Red Hat have released security advisories.

Microsoft Windows Remote Desktop Uninitialized Memory Access Arbitrary Code Execution Vulnerability
IntelliShield Security Activity Bulletin 25326, Version 3, March 20, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-0002

Microsoft Windows contains a vulnerability in Remote Desktop that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Microsoft has confirmed the vulnerability in a security bulletin and released updated software. Proof-of-concept code that exploits the vulnerability is publicly available. ICS-CERT has released a security advisory to address the Microsoft Windows Remote Desktop uninitialized memory access arbitrary code execution vulnerability.

Apple iOS 5.1 Security Update
IntelliShield Security Activity Bulletin 25374, Version 2, March 13, 2012
Urgency/Credibility/Severity Rating: 2/5/3
Multiple CVEs

Apple iOS contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to conduct information disclosure, security bypass, denial of service, code execution, or cross-site scripting attacks. Apple has released an additional security update and updated software for multiple Apple products; the affected products now also include Apple Safari versions prior to 5.1.4 and Apple Safari for Windows versions prior to 5.1.4.

Apple iTunes and iTunes for Windows Multiple Memory Corruption Vulnerabilities
IntelliShield Security Activity Bulletin 25373, Version 1, March 9, 2012
Urgency/Credibility/Severity Rating: 2/5/4
Multiple CVEs

Apple iTunes and iTunes for Windows contain multiple vulnerabilities that could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks, cause a denial of service condition, or execute arbitrary code on the targeted device.

Trend Micro Control Manager CmdProcessor.exe Arbitrary Code Execution Vulnerability
IntelliShield Activity Bulletin 24728, Version 2, February 23, 2012
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2011-5001

Trend Micro Control Manager contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Proof-of-concept code that exploits the vulnerability is publicly available, including as a module in the Metasploit Framework.

Physical

Tsunami Warning Sensor Weaknesses

On April 11, 2012, Indonesia experienced an 8.6 magnitude earthquake with its epicenter off Sumatra Island. In 2004, Aceh province was hit by a tsunami that followed a similar earthquake. Unlike 2004, this event produced smaller waves, and tsunami early warning systems are now in place. Unfortunately, the early warning system only partially passed the test. The sirens sounded 30 minutes after the earthquake, whereas 10 minutes is the optimal timing. Additionally, not all sirens in Aceh province were in working order, and some were too quiet. Data about an earthquake and an impending tsunami are collected by buoys floating at sea. Apparently only three of 25 buoys were operational, so not only did the warning come late, but the information on which the decision was based was sketchy and very incomplete.

IntelliShield Analysis: Earthquakes and tsunamis are infamous for their destructive capability, so early warning systems are essential to save as many lives as possible. The buoys were apparently damaged by fishermen who used them for mooring. Placing sensors in buoys is a relatively inexpensive option, but on the sea surface the potential for damage or destruction increases dramatically. In general, sensors of any kind should be located in places that are protected and hard for the general population to access; easy access increases the chance that someone will inadvertently damage them. If sensors must be placed in easily accessible places, a separate system must report the operational status of the sensors, combined with an effective maintenance procedure to ensure they are kept working and repaired.

Legal

There was no significant activity in this category during the time period.

Trust

Google Security Information Sharing

Google sent a message to 20,000 web sites warning that they appeared to be infected with malicious code. The web sites were identified as redirecting visitors to known malicious sites, possibly through malicious JavaScript or compromised configuration pages on their servers. The attackers may also be using search engine poisoning to push the infected web sites up in search results and direct users to them. Initial research also indicates the attackers may be using cloaking to limit when the redirects are performed, which makes the infections harder to identify and remove.

IntelliShield Analysis: Initial evaluations following the Google warning indicate the infections are related to a mass SQL injection attack that was used to compromise the web sites and upload the malicious JavaScript that is used to perform the redirects. While Google is not a "security company," they certainly have the ability to detect and assist in these situations by sharing this type of information with the web site administrators. Additional research and investigations from credible sources can provide additional details and aid website administrators and users. While some have used the Google warnings to point out Google's own security issues, Google should be credited with supporting the community, providing the information they have, and leading others to further investigate the attacks and share their information.
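A site administrator who receives such a warning needs a way to find the injected content on their own pages. The following is an added example, not Google's detection logic and not tied to any specific campaign: it scans HTML for script tags loaded from hosts the site does not own, JavaScript redirects, and meta refreshes, and it compares what different clients receive, which is how cloaked redirects show themselves. The sample pages, host names and the trusted-host list are constructed for illustration.

```python
"""Scanner for injected redirect code in web pages. Added example; not
Google's detection and not tied to any campaign. Sample pages, host names
and the trusted-host allow-list are constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# JavaScript constructs that send the visitor elsewhere.
REDIRECT_JS = re.compile(
    r"(?:window|document|top|self)\.location(?:\.href)?\s*=|location\.replace\s*\(",
    re.IGNORECASE,
)


class InjectionScanner(HTMLParser):
    """Collects (kind, evidence) findings while parsing a page."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = {h.lower() for h in trusted_hosts}
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            src = a.get("src") or ""
            host = urlsplit(src).hostname          # None for relative URLs
            if host and host.lower() not in self.trusted:
                self.findings.append(("external-script", src))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content") or ""))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline <script> bodies arrive here; flag ones that redirect.
        if self._in_script and REDIRECT_JS.search(data):
            self.findings.append(("js-redirect", " ".join(data.split())[:100]))


def scan(html: str, trusted_hosts) -> list:
    """Return the list of (kind, evidence) findings for one page."""
    parser = InjectionScanner(trusted_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


def cloaking_suspected(views: dict, trusted_hosts) -> bool:
    """views maps a client label (e.g. 'browser', 'search-referred') to the
    HTML that client received. Cloaked infections redirect only some visitors,
    so the finding sets differ between clients."""
    per_client = {tuple(sorted(scan(html, trusted_hosts))) for html in views.values()}
    return len(per_client) > 1


# Constructed sample pages for a site at www.example.test.
CLEAN_PAGE = """<html><head><title>Shop</title>
<script src="/js/app.js"></script></head><body>Welcome</body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace("</body>", """
<script src="//stats.bad-host.test/c.js"></script>
<script>
if (document.referrer.indexOf("google") != -1) {
  window.location = "http://pharma.bad-host.test/";
}
</script></body>""")

if __name__ == "__main__":
    print(scan(INJECTED_PAGE, ["www.example.test"]))
    print(cloaking_suspected({"browser": CLEAN_PAGE,
                              "search-referred": INJECTED_PAGE},
                             ["www.example.test"]))
```

In practice the views are fetched with different User-Agent and Referer headers (a plain browser, a search-engine crawler, a visitor arriving from a search result), because cloaked code keys its behavior on exactly those values. A scan of the stored page files, not only the served output, is also worthwhile: an injection performed through SQL injection lives in the database content, while a compromised configuration page may inject the redirect at serving time.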

Identity

Revised Passenger Data Agreement Provides Improved Privacy Protection

After nearly five years of debate, the European Parliament passed a revised agreement on sharing airline passenger data for flights from Europe to the United States (U.S.). The revised agreement addresses the controversial previous agreement, which allowed the U.S. both access to and storage of the data. Under the new agreement, the U.S. will mask names and contact information in the data after six months, may store the data for five years, and will then move the data to a dormant database for another 10 years. The other key point of debate was U.S. access to passenger data directly in airline computer systems, which will now be done only in exceptional circumstances. The European Commissioner for Home Affairs, Cecilia Malmström, said "the deal provided a stronger right to citizens' privacy as well as more legal certainty for airlines."

IntelliShield Analysis: Like other security agreements and provisions implemented after 9/11, this agreement has been reviewed, debated, and refined with the intent of providing improved individual privacy rights. Like the continuing debates over social media privacy rights and tracking of individuals on the Internet, these debates are all shifting toward improved privacy protections and are likely to continue moving in that direction. While businesses and governments must still attempt to comply with a range of standards and agreements across the globe, the continued debates are bringing these disparate standards and regulations into closer alignment, and may eventually result in international standards that apply to all, simplifying practices and providing uniform privacy rights.

Human

There was no significant activity in this category during the time period.

Geopolitical

Overturn of 2010 Economic Espionage Act Conviction

The United States Court of Appeals for the Second Circuit, in New York, has overturned the 2010 conviction of software engineer Sergey Aleynikov under the Economic Espionage Act. Aleynikov, a former Goldman Sachs employee, downloaded source code for the company's high-frequency trading (HFT) system. The conviction was overturned after Aleynikov had served one year of his 8-year sentence, on the grounds that he had not deprived Goldman Sachs of the code by taking physical control of it, and that the code was not destined for interstate commerce, according to the court's written opinion, published last week.

IntelliShield Analysis: The reversal of the Goldman Sachs Economic Espionage Act (EEA) case may be of particular interest to information security companies because of the increasing problem of software-related intellectual property theft. In this case, the appeals court found that the EEA's definition of theft, the taking of a physical object, was not violated. The opinion reads, "We decline to stretch or update statutory words of plain and ordinary meaning in order to better accommodate the digital age." In other words, under the EEA, downloading code is not the same as stealing a physical object. Second, because Goldman Sachs did not intend to sell the code, but instead planned to use it internally, the code could not be deemed destined for interstate commerce. The 2010 conviction never included the definition of economic espionage, which would have required that the stolen code be intended to benefit a foreign government. Information security professionals may want to take note of this ruling and watch for revisions to the EEA that might provide stronger legal protections in the U.S. for their valuable intellectual assets, however "intangible" they may be.

Upcoming Security Activity

Interop: May 6–10, 2012
Cisco Live US: June 10–14, 2012
Black Hat USA 2012: July 21–26, 2012
DEFCON 20: July 26–29, 2012

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:

Mexico General Elections: July 1, 2012
World IPv6 Launch: June 6, 2012
London Summer Olympic Games: July 27–Aug 12, 2012

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.