Cyber Risk Report, April 30–May 6, 2012

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity for the period increased to higher than normal levels. The April monthly and 2012 year-to-date metrics show a significant increase in vulnerability and threat activity for the first four months of 2012, extending the slight increases seen in 2011. The majority of the activity this period was related to updates from multiple vendors for previously released vulnerabilities. New security advisories and updates were released for Citrix Provisioning Services; the McAfee Virtual Technician ActiveX control; Symantec Web Gateway and pcAnywhere; multiple vulnerabilities in HP Insight Management; multiple vulnerabilities in VMware ESX and ESXi Server; Google Android SQLite; and multiple vulnerabilities in Google Chrome.

Oracle released a security advisory for the Oracle Database Server TNS Listener vulnerability reported in IntelliShield alert 25764.
A researcher inadvertently released details of this vulnerability, believing that it had been patched in the April 2012 Oracle Critical Patch Update (CPU). Oracle has released a workaround, but no patch is available.

In threat activity, a vulnerability was identified in OpenX that is reportedly being used to compromise advertising servers and inject malicious advertisements into the advertising feeds of multiple websites. Website administrators are advised to closely monitor their website pages and coordinate with advertising partners.

Steganography returned to the news with media reports on the release of documents collected in the raid on the Osama bin Laden compound. United States (U.S.) intelligence agencies reported that multiple videos included embedded files regarding Al Qaida operations. Although steganographic methods have been widely discussed, that discussion has been largely limited to demonstrations and theories of how files could be embedded and hidden in images and video. This is the second recent case, after the Anna Chapman Russian spy case, in which steganography was positively identified in active use.

Two spam campaigns are reported to be bypassing spam filtering systems. Updated Threat Outbreak Alerts have been released for the Fake Friendship Information E-mail Messages campaign, first reported in IntelliShield alert 25651, and the Fake Personal Photo campaign, first reported in IntelliShield alert 25258. Users should be aware of these spam campaigns and avoid these messages.

Microsoft released the Advance Notification for May 2012, which includes seven bulletins that address 23 vulnerabilities in Microsoft products. The bulletins are scheduled for release on May 8, 2012. Microsoft has also released the Microsoft Security Intelligence Report, version 12, which contains extensive data and analysis of current threat and vulnerability activity related to Microsoft systems.

IntelliShield published 125 events last week: 40 new events and 85 updated events.
Of the 125 events, 81 were Vulnerability Alerts, five were Security Activity Bulletins, four were Security Issue Alerts, 34 were Threat Outbreak Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

2012 Monthly Alert Totals
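The php5-cgi alert listed under Significant Alerts below turns on how a CGI-hosting web server converts a query string into command-line arguments: under RFC 3875 section 4.4, a query string that contains no unencoded "=" is split on "+" and each piece is URL-decoded into argv, so a request such as "?-s" reaches php-cgi as a switch. The detection script that follows is an added example written for this edition of the report; it is not code from the report, from PHP, or from the Metasploit module. The access-log lines are constructed, the client address is from a documentation range, and the function names are the author's own.

```python
"""Detection for the php5-cgi command-line parameter processing alert.

Under the CGI specification (RFC 3875, section 4.4) a server passes a
request's query string to the CGI program as command-line arguments
when the query string contains no unencoded '=': it is split on '+' and
each piece is URL-decoded. When the CGI program is php-cgi, those pieces
are parsed as php-cgi switches, so "?-s" prints the script source.
This scanner applies that rule to access-log lines and flags every
request whose resulting argument vector contains a switch.
"""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (not real traffic). Lines 2-4 carry
# argument-injection probes; lines 1 and 5 are ordinary requests.
SAMPLE_LOG = """\
203.0.113.7 - - [01/May/2012:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.7 - - [01/May/2012:10:00:02 +0000] "GET /index.php?-s HTTP/1.1" 200 2048
203.0.113.7 - - [01/May/2012:10:00:03 +0000] "POST /index.php?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 93
203.0.113.7 - - [01/May/2012:10:00:04 +0000] "GET /index.php?%2ds HTTP/1.1" 200 2048
203.0.113.7 - - [01/May/2012:10:00:05 +0000] "GET /about.php?id=-5 HTTP/1.1" 200 700
"""

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')


def cgi_argv(query: str) -> list:
    """Arguments a CGI server derives from a query string (RFC 3875 4.4).

    Returns [] when the server would pass no arguments at all, i.e. when
    the query string is empty or contains a literal '='. The '=' test is
    applied to the raw, still-encoded string on purpose: '%3d' is how the
    public exploit smuggles an '=' past this rule.
    """
    if not query or "=" in query:
        return []
    return [unquote(word) for word in query.split("+") if word]


def is_php_cgi_probe(target: str) -> bool:
    """True when the request target would hand php-cgi a '-x' switch."""
    return any(arg.startswith("-") for arg in cgi_argv(urlsplit(target).query))


def scan_log(text: str) -> list:
    """Return (line number, derived argv) for each flagged request."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = REQUEST_LINE.search(line)
        if match is None:
            continue
        argv = cgi_argv(urlsplit(match["target"]).query)
        if any(arg.startswith("-") for arg in argv):
            hits.append((lineno, argv))
    return hits


if __name__ == "__main__":
    for lineno, argv in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: php-cgi argv = {argv}")
```

Run against real logs, the scanner flags the "-s" source-disclosure probe, the "-d" directive injection that turns on remote includes, and the percent-encoded "%2ds" variant, while leaving "id=-5" alone because the literal "=" means the server never builds an argument vector. The same predicate can be expressed as a web-server rewrite rule as a stopgap, but the durable fix is the updated PHP release named in the alert.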
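The Multiple Products Hash Collisions Denial of Service entry under Previous Alerts below names the class of flaw without showing the mechanism: a request parameter table keyed by a public, unseeded string hash lets one request carry thousands of distinct keys that all land in a single bucket, so each insertion walks the whole chain and the cost of one request grows quadratically. The script that follows is an added example, not code from the report or from any of the affected vendors; it implements DJBX33A, the string hash PHP 5 uses for array keys, and a minimal chained hash table whose name and structure are the author's own.

```python
"""Hash-collision denial of service against a predictable string hash.

Web frameworks and language runtimes store request parameters in hash
tables. When the table's string hash is public and has no per-process
secret, an attacker can precompute thousands of distinct keys that hash
to the same value and send them in one request; every insertion then
walks the whole chain, so the table degrades to a list and the CPU cost
of one request grows quadratically. The hash below is DJBX33A
(h = h * 33 + byte, seed 5381), the function PHP 5 uses for array keys.
"""
from itertools import product

MASK = 0xFFFFFFFF  # truncate to 32 bits; the collisions hold at any width


def djbx33a(key: str) -> int:
    """DJBX33A string hash, truncated to 32 bits."""
    h = 5381
    for byte in key.encode():
        h = (h * 33 + byte) & MASK
    return h


def colliding_keys(n_blocks: int) -> list:
    """2**n_blocks distinct keys that all share one DJBX33A value.

    'Ez' and 'FY' contribute the same amount (69*33+122 == 70*33+89),
    and because the hash is a linear recurrence, any sequence of these
    two-byte blocks produces the same final value.
    """
    blocks = ("Ez", "FY")
    return ["".join(seq) for seq in product(blocks, repeat=n_blocks)]


class ChainedHashTable:
    """Minimal separately chained table that counts key comparisons."""

    def __init__(self, n_buckets: int = 1024):
        self.buckets = [[] for _ in range(n_buckets)]
        self.comparisons = 0

    def insert(self, key: str, value) -> None:
        bucket = self.buckets[djbx33a(key) % len(self.buckets)]
        for i, (existing, _) in enumerate(bucket):
            self.comparisons += 1          # one string compare per chain entry
            if existing == key:
                bucket[i] = (key, value)
                return
        bucket.append((key, value))

    def longest_chain(self) -> int:
        return max(len(bucket) for bucket in self.buckets)


def insertion_cost(keys: list) -> tuple:
    """(key comparisons, longest chain) after inserting all keys."""
    table = ChainedHashTable()
    for key in keys:
        table.insert(key, True)
    return table.comparisons, table.longest_chain()


if __name__ == "__main__":
    hostile = colliding_keys(10)                 # 1024 keys, 20 bytes each
    benign = [f"param{i}" for i in range(len(hostile))]
    print("hostile:", insertion_cost(hostile))   # every key in one bucket
    print("benign: ", insertion_cost(benign))
```

With 1,024 colliding keys the table performs 523,776 string comparisons and ends with a single 1,024-entry chain, against a few hundred comparisons for the same number of ordinary parameter names; doubling the key count quadruples the work, which is the whole attack. The vendor fixes named in the alert take one of two forms: seed the hash with a per-process random value so the attacker cannot precompute collisions, or cap the number of parameters a request may carry.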
Significant Alerts for April 30–May 6, 2012

OpenSSL ASN.1 asn1_d2i_read_bio() Heap Overflow Vulnerability
OpenSSL contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. Proof-of-concept code that demonstrates this vulnerability is publicly available. OpenSSL, FreeBSD, and Red Hat have released security advisories and updates.

PHP php5-cgi Binary Setup Remote Unsanitized Command-Line Parameter Processing Vulnerability
PHP contains a vulnerability that could allow an unauthenticated, remote attacker to disclose sensitive information, cause a DoS condition, or execute arbitrary code. Functional code that exploits this vulnerability is available as part of the Metasploit Framework. PHP has confirmed this vulnerability and released updated software.

Adobe Flash Player Object Confusion Arbitrary Code Execution Vulnerability
Adobe Flash Player contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Updates are available. At the time of publication, reports indicate that exploitation is ongoing in the wild.

Previous Alerts That Still Represent Significant Risk

Oracle Database Server TNS Listener Remote Registration Vulnerability
Oracle Database Server contains a vulnerability that could allow an unauthenticated, remote attacker to modify configuration parameters on a targeted system. Oracle has released a security advisory with configuration workarounds for the TNS Listener remote registration vulnerability; no patch is available. Proof-of-concept code that demonstrates this vulnerability is publicly available.

Microsoft .NET Framework GraphicsPathIterator Validation Arbitrary Code Execution Vulnerability
Microsoft .NET Framework contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Updates are available. Proof-of-concept code to exploit the Microsoft .NET Framework parameter validation arbitrary code execution vulnerability is publicly available.

Microsoft MSCOMCTL.OCX ActiveX Control Remote Code Execution Vulnerability
The Microsoft MSCOMCTL.OCX ActiveX control contains a vulnerability that could allow an unauthenticated, remote attacker to execute code on a vulnerable system. Proof-of-concept code that exploits this vulnerability is publicly available. Microsoft has confirmed this vulnerability in a security bulletin and has released updated software.

Multiple versions of the Oracle Java Runtime Environment (JRE) contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that exploits this vulnerability is publicly available. Oracle has confirmed this vulnerability and released software updates. Red Hat, HP, and Apple have released security advisories. Red Hat has released an additional security advisory and updated packages.

Oracle Java SE Critical Patch Update February 2012
Oracle has released the February 2012 Critical Patch Update to address multiple security vulnerabilities in multiple Oracle Java SE versions. The update remediates 14 vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a DoS condition on a targeted system. Oracle, CentOS, Red Hat, IBM, HP, and Apple have released security bulletins and updated software. Red Hat has released an additional security advisory and updated packages.

Apache HTTP Server Reverse Proxy Rewrite URL Validation Vulnerability
Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to gain unauthorized access to internal networks. Apache has not confirmed the vulnerability, and software updates are not available. The vulnerability is due to an incomplete fix for CVE-2011-3368, documented in IntelliShield alert 24327. Proof-of-concept code that exploits the vulnerability is publicly available. HP has released a security bulletin and updated software to address the Apache HTTP Server reverse proxy rewrite URL validation vulnerability. Oracle has released an additional security advisory and patches.

Multiple Products Hash Collisions Denial of Service Vulnerability
Multiple products contain a vulnerability that could allow an unauthenticated, remote attacker to cause a DoS condition. Updates are available. Apache, Microsoft, CentOS, IBM, Ruby, FreeBSD, Red Hat, Oracle, and HP have released security advisories and updates.

Samba Marshaling Code Remote Code Execution Vulnerability
Samba contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on an affected system. If successful, the attacker could execute arbitrary code with root-level privileges.

MIT Kerberos 5 Telnet Service Buffer Overflow Arbitrary Code Execution Vulnerability
MIT Kerberos 5 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the system. Functional code that exploits this vulnerability is available as part of the Metasploit Framework. MIT has confirmed the vulnerability and released software updates. Oracle, VMware, Cisco, FreeBSD, GNU.org, and Red Hat have released security advisories.

Microsoft Windows Remote Desktop Uninitialized Memory Access Arbitrary Code Execution Vulnerability
Microsoft Windows contains a vulnerability in Remote Desktop that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Microsoft has confirmed the vulnerability in a security bulletin and released updated software. Proof-of-concept code that exploits the vulnerability is publicly available.
ICS-CERT has released a security advisory to address the Microsoft Windows Remote Desktop uninitialized memory access arbitrary code execution vulnerability.

Apple iOS 5.1 Security Update
Apple iOS contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to conduct information disclosure, security bypass, denial of service, code execution, or cross-site scripting attacks. Apple has released an additional security update and updated software to address these vulnerabilities across multiple Apple products, and has added Apple Safari versions prior to 5.1.4 and Apple Safari for Windows versions prior to 5.1.4 to the list of affected products.

Physical

Chicago Police and U.S. Coast Guard Support Security Efforts of the U.S. Secret Service
Multiple security organizations, led by the U.S. Secret Service, have released plans for the upcoming NATO Summit to be held May 20–21, 2012, in Chicago, Illinois. The plans outline security zones for the city, waterways, airspace, major roadways, tourist areas, and O'Hare International Airport. The security organizations expect to face groups of protesters, disruptions, and potentially higher-severity attacks from militant groups who wish to disrupt the summit.

IntelliShield Analysis: The security zone for the NATO Summit is expanding in downtown Chicago to include waterways and airspace. Civil aviation, including unmanned aerial vehicles (UAVs), is banned for three days within a 10-nautical-mile radius. A comparable event was the 1999 summit in Washington, D.C. At the time, NATO was engaged in a war and the meeting was held on the 50th anniversary of the organization. Washington, D.C., schools and government agencies were closed for one day, and the public was warned about SWAT police units on rooftops and long motorcade delays. But there were no aviation bans or warnings from the Coast Guard to avoid the Potomac River, and the Metro transit system remained open. Security planning has increased since those earlier events.
The 2008 attacks in Mumbai, India, were carried out from the waterways, and the implications of aviation used as a weapon are also clear. These older threats remain at the top of the threat list today; at the same time, police need to confine protesters to a smaller footprint, and expanding the security zone serves that purpose as well. In 2009, NATO protesters in France set fires, looted stores, and destroyed cars and shops. Similar events occurred at the World Trade Organization meeting in Seattle in 1999. Chicago police officials recently ordered 8,500 face shields with instructions for delivery on May 15. The Chicago police force is supporting the efforts of the other security forces, who are protecting more than 60 dignitaries; President Obama alone has hundreds of armed security guards. That support could reverse direction if crowds swell. The coordination demonstrates the extensive preparations and changed requirements needed for protecting executives and sensitive sites during these types of events.

Legal

There was no significant activity in this category during the time period.

Trust

There was no significant activity in this category during the time period.

Identity

An IP Address Doesn't Identify a Person
In one of the mass-BitTorrent lawsuits, dating back more than two years, a New York judge presiding over a BitTorrent adult film copyright infringement case has ruled that an IP address cannot provide sufficient evidence to identify copyright infringers. Many of the copyright holders in these cases provide nothing more than an IP address as evidence identifying alleged infringers; Judge Gary Brown provided detailed reasoning behind his ruling and concluded that it is simply unknown whether the person linked to an IP address had anything to do with the alleged infringement. The ruling means that copyright holders in these cases may have wrongfully accused several individuals.
IntelliShield Analysis: There are several reasons why an IP address should not be used to identify a person. An IP address is a numerical identifier assigned to a device participating in a network that uses the Internet Protocol for communication; it identifies a network interface, not a person. Nobody can determine who is using a particular device unless they are physically present and observing the user. In other words, if a friend visits an unauthorized website from your computer while you are away, who is to blame for any illegal actions that took place? In certain situations, such as a corporate environment, the person assigned a computing device is ultimately responsible for any actions taken with it; that environment, however, usually has an allocated block of IP addresses that is tightly controlled by technical and administrative controls set out in corporate policy. On the open Internet, where the casual user is free to browse, no such controls exist, so an IP address by itself provides no nonrepudiation for the device (or the person operating it) behind it. The same public address is also routinely shared: a home router's network address translation, an open wireless network, or a dynamically reassigned address can put several people behind one address within a short period. IP spoofing adds a further complication, with a caveat: forging another host's source address is trivial for one-way traffic, but sustaining the bidirectional session that a download requires is much harder, so in cases like these the shared-address problem is the stronger argument. An IP address can help locate a device, or the subscriber to whom the address was assigned, and that information can in turn help authorities identify a suspect. Without further concrete evidence, however, that suspect may be able to walk away from the charge.

Human

Online Identities After Death
As more and more services move online or into the cloud, more of our lives appear online. What happens to those identities after we die is the subject of a blog post appearing on a U.S. government website.
In addition to social media sites, consideration should be given to our other online accounts, such as financial sites, cloud services like Google Docs and Microsoft Azure, and cloud storage services such as Dropbox. Are important documents and information stored online that would assist your survivors? Facebook now has an application specifically written to deal with online life after death.

IntelliShield Analysis: Before digital cameras became ubiquitous, boxes of photographs were often the only way to show and tell others about deceased relatives. Social media can now hold, and make sharable, many times the amount of pictures and information that previous generations could store in boxes. Do you want your social media sites to become a memorial to your life and a place for friends and relatives to visit and remember the time spent together? If so, the time to think about it and plan a social media will is while you are still alive. The privacy settings that rightly restrict what people in our extended networks can see also mean that no one else can reach those accounts after we are gone. Password managers such as 1Password, adopted to improve security, can also assist survivors after a user's death if access to the vault has been arranged in advance. The escrow of passwords and account information, and their responsible disclosure after death, are now details that should be included in wills and testaments.

Geopolitical

Special 301 Report Names Top IPR Violators
The United States Trade Representative (USTR) has released its annual report on trading partners' intellectual property rights (IPR) protection and enforcement. USTR reviewed 77 countries for its Special 301 report, placing 40 of them on watch lists. The Priority Watch List of worst offenders continues to include Canada along with other major trading partners, including Israel, Russia, India, and China.
Ukraine has been returned to the Priority Watch List, while Spain and Malaysia have been removed, thanks to the progress these governments have made in creating and enforcing new laws focused specifically on copyright violations and Internet piracy.

IntelliShield Analysis: This report causes annual consternation among otherwise valued and friendly trading partners, and one can argue that the exercise may do more harm than good. However, as with many policy tools, the art of trade negotiation sometimes requires the oversimplification of highly nuanced issues, such as the policies and actions of trading partners. For private sector information security professionals, the value of the report may lie in its annual assessment of industry trends and its comparative weighting of the IPR protection environment in various countries. For example, the report describes an increase in the shipping of counterfeit products separately from their official markings and packaging to evade law enforcement. It also calls out the surge in consumer online sales, which has led to an increase in small shipments in place of the large container shipments of counterfeit goods that border inspectors frequently blocked at ports of entry. Such details, along with the broad survey of the state of intellectual property protection from the U.S. government's perspective, make the report worth a read.
Upcoming Security Activity

Interop: May 6–10, 2012

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:

Mexico General Elections: July 1, 2012

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.