Cyber Risk Report

April 26–May 2, 2010

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity was decreased this period from previous periods. Similarly, the vulnerability and threat levels for April 2010 was decreased from the previous 2010 monthly periods. Following the elevated month of March, largely due to the increased activity around the CanSecWest hacking contest, the decrease may allow vulnerability and patch management teams to catch up with updates across their environments.

The period was highlighted by a Microsoft Sharepoint server cross-site scripting vulnerability that can allow an unauthenticated, remote attacker to obtain sensitive information, user authentication cookies, and take actions with the privileges of the compromised user accounts. Proof-of-concept exploit code has been publicly reported, and Microsoft has confirmed the vulnerability and released a security advisory; however, updates correcting the vulnerability are not available. This vulnerability is being widely discussed, and although there have not been reported attacks, the focused interest indicates working exploits will likely be developed and deployed. The vulnerability was reported in IntelliShield alert 20415.

Microsoft and Symantec have released their latest threat reports providing high-level analysis and metrics for 2009. While both reports reflect similar findings, the reports differ in perspective from the methods used to collect data and vulnerability and threat focus. The reports are available at Microsoft Security Intelligence Report Volume 8 and Symantec Internet Security Threat Report Volume XV: April 2010.

The Open Web Application Security Project (OWASP) has released an updated Top 10 Web Application Security Risk for 2010. The updated list contains two changes: the return of the previously removed Security Configuration risk and the addition of the Unvalidated Redirects and Forwards risk.

IntelliShield published 75 events last week: 34 new events and 41 updated events. Of the 75 events, 55 were Vulnerability Alerts, two were Security Activity Bulletins, 17 were Threat Outbreak Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows

Weekly Alert Totals

Day Date New Updated Total
Friday 04/30/2010 1 16 17
Thursday 04/29/2010 9 2 11
Wednesday 04/28/2010 8 8 16
Tuesday 04/27/2010 8 10 18
Monday 04/26/2010 8 5 13
Weekly Total 34 41 75

 

2010 Monthly Alert Totals

Month New Updated Monthly Total
January 158 259 417
February 177 253 430
March 194 324 518
April 208 167 375
Annual Total 737 1003 1740


Significant Alerts for April 26–May 2, 2010

Microsoft SharePoint Server 2007 Cross-Site Scripting Vulnerability
IntelliShield Vulnerability Alert 20415, Version 2, April 30, 2010
Urgency/Credibility/Severity Rating: 2/5/3

Microsoft SharePoint Server 2007 versions SP2 and prior contain a cross-site scripting vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary HTML or script code in a user's browser. Proof-of-concept code that exploits this vulnerability is publicly available. Microsoft has confirmed this vulnerability, but software updates are not available.

Previous Alerts That Still Represent Significant Risk

McAfee VirusScan DAT Update May Cause Microsoft Windows System Failure
IntelliShield Vulnerability Alert 20375, Version 2, April 22, 2010
Urgency/Credibility/Severity Rating: 4/5/3

A McAfee DAT file that was distributed to VirusScan applications has caused errors on certain Microsoft Windows XP-based systems. As a result of installing the 5958 DAT file and rebooting, systems may be rendered unusable. McAfee has released a knowledgebase article with various workarounds.

Oracle Java Web Start Java Development Kit ActiveX Control Command-Line Injection Vulnerability
IntelliShield Vulnerability Alert 20314, Version 3, April 20, 2010
Urgency/Credibility/Severity Rating: 3/5/4

Oracle Java contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands on the system with the privileges of the user. Systems with Oracle Java JRE and JDK 6 Update 10 and later contain the affected ActiveX control and are vulnerable. Updates are available.

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 47, April 23, 2010
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-3555

Multiple TLS implementations contain a vulnerability when renegotiating a Transport Layer Security (TLS) session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Proof-of-concept code that exploits this vulnerability is publicly available. Mozilla and Oracle, in addition to other vendors, have released updates for this vulnerability.

Microsoft Internet Explorer Invalid Pointer Reference Access Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20052, Version 4, March 30, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-0806

Microsoft has re-released a security advisory and updated software to address the Microsoft Internet Explorer invalid pointer reference access arbitrary code execution vulnerability. Functional exploit code is being used in ongoing exploits, and Microsoft has released a security bulletin and updated software.

Mozilla Firefox Unspecified Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19968, Version 2, March 23, 2010
Urgency/Credibility/Severity Rating: 2/5/4

Mozilla Firefox contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Mozilla has confirmed this vulnerability and released updated software.

Microsoft VBScript Unsafe Help File Handling Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20014, Version 3, April 13, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-0483

Microsoft has released a security advisory with information about affected products to address the Microsoft Internet Explorer unsafe help file handling arbitrary code execution vulnerability. Proof-of-concept code that demonstrates code execution is available.

Physical

New York City Subway Master Key Gets Into Wrong Hands

Master keys to New York City subway entrances inadvertently found their way into the hands of those who should have not had access, including those who are criminally inclined. The keys, which allow emergency officials (such as police, emergency medical services, and city transit) to enter special gates during times of crisis, are apparently being sold to willing buyers on the black market. While honest riders are rejecting the advances of those illegally selling these keys, the expected increase in New York City transit fares could sway those who normally would not take to such dishonest acts. Read More

IntelliShield Analysis: In the computer networking world, the concept of a physical master key could be equated to that of an administrator password for a device or application. Issues resulting from the use of default, lost or stolen administrator passwords have, for years, driven many companies to look for additional levels of security when protecting their networks, end hosts and proprietary data. These additional levels of protection include such technologies and policies as 2-factor authentication consisting of something you know (PIN) and something you have (key card), one time passwords (OTPs), the use of complex and frequently changed passwords, biometrics, separation of privileges and role-based access controls. While the implementation of some of these concepts may not be applicable in this scenario, or in many cases would increase the complexity and cost of protection for the New York City subway system, the net result would be a more difficult barrier of entry to those that should not be riding the subway for free, while giving those legitimately riding the subway a greater sense of safety.

Legal

U.S. Federal Trade Commission Receives Suggestions From Senators and Facebook Executives

The United States Federal Trade Commission (FTC), expected to release a set of best practices to address business concerns about online privacy by September 2010, met with aides to U.S. Senators and staff from Facebook, the social networking website, to discuss online privacy concerns. Lawmakers have requested that the FTC issue guidelines that will help ensure that users' personal information is protected by social media companies. Officials from Facebook announced at a subsequent news conference that they would support FTC guidelines that companies could align with voluntarily.
Read More
Additional Information

IntelliShield Analysis: Regardless of pending FTC guidelines, concern over the safeguarding of users' privacy continues to grow. Social networking sites such as Facebook that force users to opt out of frequent innovations for sharing personal data, particularly with third-party advertisers, are attracting more attention from lawmakers for a number of reasons, one being that third-party advertisers are allowed to store user information indefinitely. As the tension between what users share voluntarily and what is shared involuntarily and harvested for profit increases, users are advised to keep an eye on the security settings of their accounts and to stay abreast of policy changes to the social websites they frequent.

Trust

There was no significant activity in this category during the time period.

Identity

There was no significant activity in this category during the time period.

Human

French Researchers Expose BitTorrent Privacy Threats

In a series of papers published over the last few months, researchers from the French National Institute for Research in Computer Science and Control (INRIA) have exposed various aspects that threaten the privacy of BitTorrent users. Among their findings, the INRIA researchers described how a single computer on the Internet could log and track the download and upload history of most BitTorrent users, over a long period of time (103 days in their study). They also showed that even 70% of the BitTorrent users who utilized the Tor anonymizing proxy network were able to be identified, and how that identification could lead to further de-anonymizing their other traffic over the Tor network. Read More

IntelliShield Analysis: While BitTorrent has shown to be a very efficient method to distribute large media files quickly, it has taken quite a bit of criticism from content authors whose material can be easily shared illegally. This research goes beyond the controversy, however, to show that even if BitTorrent is used only to distribute content legally, it presents a privacy risk to users. These privacy concerns have been shown in traditional torrent tracker networks, as well as trackerless Distributed Hash Table (DHT) networks that aim to be more privacy-oriented. Users and organizations that rely on BitTorrent or underlying concepts like DHT for peer-to-peer communication and file transfer should review the researchers' findings and assess any risks that may arise from them.

Geopolitical

Greek Debt Crisis Threatens to Spread

Eurozone finance ministers, along with European Central Bank and International Monetary Fund officials, agreed over the weekend on the basics of a bailout plan for debt-ridden Greece. The agreement includes tough austerity measures, including a three-year freeze on public sector wages, tax hikes, and a raising of the retirement age. It was hoped that the measures pitched to skeptical Eurozone taxpayers as protective of the Euro rather than as a Greek bailout would be enough to allay investor concerns over the risk of the debt contagion spreading. Besides being slow to take shape, the plan has many critics, who argue that without a basic restructuring of sovereign debt, Greece cannot hope to avoid default down the road. Asian countries argued that the measures were too lenient, compared with the austerity measures shouldered by countries like Thailand during the Asian financial crisis. At the same time, a downgrading of Spain and Portugal's sovereign debt last week seemed to confirm some fears that slow-moving financial authorities had already failed to contain the crisis.
Read More
Additional Information

IntelliShield Analysis: Given the relatively small size of the Greek economy, Athens debt crisis on its own may have been manageable. What has elevated it to a global concern is the widening of the problem to larger European economies such as Spain and Portugal, whose debts may be difficult for weakened Eurozone banks to absorb. Slow progress toward a bailout package is also of concern, as it casts doubt on the ability of EU countries to set aside individual national concerns in pursuit of regional solutions. Information security professionals can expect continued disruptions across Europe in coming weeks as Berlin seeks Bundestag approval for the financial package, $11 billion dollars in Greek debt comes due in mid-May, and planned general strikes take place. More broadly, factors that affect the debt crisis like the chaos that followed Iceland's volcanic eruption and the closing of European airspace recently are other examples of the region's struggle to establish effective mechanisms for solving such problems. Over time, these problems increasingly will include crucial information technology issues, such as copyright enforcement, cross-border data privacy, anti-counterfeiting, and cyber security.

Upcoming Security Activity

AusCERT2010: May 17–20, 2010
Gartner Security & Risk Management Summit: June 21–23, 2010
Cisco Live 2010 (Las Vegas, Nevada, U.S.): June 27–July 1, 2010

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

World Expo (Shanghai, China): May 1–October 31, 2010
United Kingdom Elections: May 6, 2010
Poland Elections: June 20, 2010

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.

Back to Top