Cyber Risk Report

April 4–10, 2011

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity remained low for the period, which is consistent with the previous period. The period highlights included an ISC DHCP dhclient remote code execution vulnerability, updates from Red Hat for multiple vulnerabilities, a Novell File Reporter agent XML arbitrary code execution vulnerability, and a denial of service vulnerability in Microsoft Windows.

Microsoft released the Security Bulletin Advance Notification for April 2011, which will include 17 bulletins addressing 64 vulnerabilities. Several of the updates are rated critical, and the size of a release that affects most Windows systems will likely challenge support teams.

Cisco released the latest security blog post in the continuing series on securing IPv6 deployments. This post discusses several of the security considerations for deploying IPv6 and for controlling risk while running both IPv4 and IPv6 networks. Additional blog posts for the period include details of the LizaMoon SQL injection attack, with data collected by Cisco ScanSafe, and a look at the Epsilon breach and its implications for cloud environments.

IntelliShield published 63 events last week: 28 new events and 35 updated events. Of the 63 events, 36 were Vulnerability Alerts, four were Security Activity Bulletins, three were Security Issue Alerts, 19 were Threat Outbreak Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day Date New Updated Total
Friday 04/08/2011 3 14 17
Thursday 04/07/2011 6 4 10
Wednesday 04/06/2011 4 5 9
Tuesday 04/05/2011 9 1 10
Monday 04/04/2011 6 11 17
Weekly Total 28 35 63


Significant Alerts for April 4–10, 2011

LizaMoon SQL Script Injection Attacks
IntelliShield Vulnerability Alert 22869, Version 2, April 8, 2011
Urgency/Credibility/Severity Rating: 3/4/3

Multiple SQL script injection attacks have been detected. These attacks are designed to modify targeted sites and redirect users to malware distribution sites. A Cisco IPS signature that detects SQL script injection attacks is available.
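The alert above describes two things a defender can look for: injection attempts arriving in web requests, and the script tags those attacks leave behind in page content. The following Python script is an added example written for this report, not Cisco's IPS signature or ScanSafe data. It scans constructed access-log lines for SQL constructs typical of mass script-injection campaigns (DECLARE/CAST/EXEC sequences, long hex blobs, UNION SELECT) after URL-decoding the request, and separately checks stored HTML for script sources outside a hypothetical allowlist of trusted hosts. All log lines, hostnames and the allowlist are constructed for illustration.

```python
"""Detect SQL script-injection attempts in web logs and injected <script> tags in pages.

Added example for this report; the sample log lines, hostnames and
the trusted-host allowlist below are constructed, not taken from any incident.
"""
import re
from urllib.parse import unquote_plus, urlparse

# SQL constructs that rarely appear in legitimate query strings but are
# typical of automated script-injection campaigns.
SQLI_PATTERNS = {
    "declare_var": re.compile(r"\bdeclare\s+@\w+", re.I),
    "cast_call": re.compile(r"\bcast\s*\(", re.I),
    "exec_call": re.compile(r"\bexec(ute)?\s*\(", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "update_set": re.compile(r"\bupdate\s+\w+\s+set\b", re.I),
    # Long hex literals are used to smuggle whole statements past filters.
    "long_hex_blob": re.compile(r"0x[0-9a-f]{40,}", re.I),
}

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def decode_request(path: str) -> str:
    """URL-decode repeatedly (bounded) so double-encoded payloads are also inspected."""
    prev, cur = None, path
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote_plus(cur)
    return cur


def scan_access_log(lines):
    """Return one finding per log line whose decoded request matches an SQLi pattern."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        decoded = decode_request(m.group("path"))
        matched = [name for name, rx in SQLI_PATTERNS.items() if rx.search(decoded)]
        if matched:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "path": decoded, "patterns": matched})
    return findings


SCRIPT_SRC_RE = re.compile(r'<script[^>]+src\s*=\s*["\']?([^"\'\s>]+)', re.I)


def find_untrusted_scripts(html: str, trusted_hosts):
    """Return external <script src> URLs whose host is not on the allowlist.

    Relative (same-origin) sources are accepted; anything absolute must be
    served from a trusted host, otherwise it is reported as a likely injection.
    """
    untrusted = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname
        if host is None:
            continue  # relative URL: same origin as the page itself
        if host.lower() not in trusted_hosts:
            untrusted.append(src)
    return untrusted


# --- constructed sample data -------------------------------------------------
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Apr/2011:10:12:01 +0000] "GET /news.asp?id=42 HTTP/1.1" 200 5120',
    '198.51.100.23 - - [06/Apr/2011:10:12:09 +0000] "GET /news.asp?id=42%27;DECLARE%20@s%20varchar(4000);'
    'SET%20@s=CAST(0x4445434c4152452040542076617263686172283235352944%20AS%20varchar(4000));EXEC(@s);-- HTTP/1.1" 200 5120',
    '203.0.113.9 - - [06/Apr/2011:10:13:44 +0000] "GET /search.asp?q=1%20UNION%20SELECT%20name%20FROM%20sysobjects HTTP/1.1" 500 312',
]

SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example.com/jquery.js"></script>
<title>News</title></head>
<body><p>Latest update</p>
<script src="http://injected-host.invalid/redirect.js"></script>
</body></html>"""

TRUSTED_HOSTS = {"www.example.com", "cdn.example.com"}  # hypothetical allowlist

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['ts']} matched {f['patterns']}")
    for src in find_untrusted_scripts(SAMPLE_PAGE, TRUSTED_HOSTS):
        print("untrusted script source:", src)
```

Run against a real access log, the first function is a triage filter rather than a signature: it tells you which requests to pull and inspect. The second function is the post-compromise check, since an injected script tag that points off-site is what actually sends visitors to the malware distribution site the alert describes.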

Previous Alerts That Still Represent Significant Risk

Multiple Vendor Issue Revocation for Fraudulent SSL Certificates
IntelliShield Vulnerability Alert 22740, Version 2, March 24, 2011
Urgency/Credibility/Severity Rating: 2/5/3

Multiple vendors have revoked several fraudulent SSL certificates to protect users from spoofing attacks.

RSA Breach Exposes SecurID Information
IntelliShield Vulnerability Alert 22689, Version 1, March 18, 2011
Urgency/Credibility/Severity Rating: 1/5/3

RSA has issued a security announcement about data compromises related to SecurID two-factor authentication products.

Microsoft Windows MHTML Protocol Handler Script Execution Vulnerability
IntelliShield Vulnerability Alert 22310, Version 3, March 14, 2011
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-0096

Microsoft Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary script in a user's browser session. Microsoft has confirmed the vulnerability in a security advisory; however, software updates are not yet available. Proof-of-concept code that demonstrates an exploit of the Microsoft Windows MHTML protocol handler script execution vulnerability is publicly available.

Oracle Critical Patch Update for February 2011
IntelliShield Vulnerability Alert 22466, Version 5, March 18, 2011
Urgency/Credibility/Severity Rating: 2/5/4
Multiple CVEs

Oracle has released the February 2011 Critical Patch Update: Oracle Java SE and Java for Business Critical Patch Advisory for multiple products. The update contains 21 new security fixes that address multiple Oracle product families on Windows, Solaris, and Linux operating systems. Red Hat has released an additional security advisory and updated packages to address multiple vulnerabilities in Oracle Java products.

Multiple Apple Products Security Update on March 2, 2011
IntelliShield Vulnerability Alert 22583, Version 2, March 10, 2011
Urgency/Credibility/Severity Rating: 2/5/4
Multiple CVEs

Apple has released security notifications and updated software to address multiple vulnerabilities in Apple products.

Linux Kernel video4linux and compat_mc_getsockopt() Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 21389, Version 13, March 9, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-3081

VMware has re-released a security advisory and updated software to address the Linux Kernel video4linux and compat_mc_getsockopt() privilege escalation vulnerability. Kernel.org has released a changelog and updated software.

ISC BIND IXFR Transfer or DDNS Update Denial of Service Vulnerability
IntelliShield Vulnerability Alert 22512, Version 1, February 23, 2011
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-0414

ISC BIND contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. Updates are available.

Microsoft Windows shimgvw.dll Graphics Library Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 22180, Version 4, February 8, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-3970

Microsoft Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that exploits the Microsoft Windows shimgvw.dll graphics library arbitrary code execution vulnerability is publicly available. Microsoft has confirmed this vulnerability in a security bulletin and released software updates.

EXIM Mail Transfer Agent Arbitrary Configuration Loading Root Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 22053, Version 4, January 28, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-4345

EXIM Mail Transfer Agent contains a vulnerability that can allow an attacker with shell access to gain elevated privileges. Updates are available. Exploitation of this vulnerability has been observed, in conjunction with exploits for a vulnerability detailed in IntelliShield alert 22051 (CVE-2010-4344). CentOS has released updated packages to address the EXIM mail transfer agent arbitrary configuration loading root privilege escalation vulnerability.

Adobe Acrobat, Reader, and Flash Player Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21686, Version 10, January 19, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-3654

Adobe has released an additional security bulletin and updated software to address the Adobe Acrobat, Reader, and Flash Player arbitrary code execution vulnerability. Sun has released a security notification and patches.

Oracle Critical Patch Update January 2011
IntelliShield Security Activity Bulletin 22251, Version 1, January 18, 2011
Urgency/Credibility/Severity Rating: 2/5/4

Oracle has released the January 2011 Critical Patch Update Advisory for multiple products. The update contains 67 new security fixes that address multiple Oracle product families. IntelliShield has released multiple significant individual vulnerability alerts from the January CPU.

Mozilla Firefox, Thunderbird, and SeaMonkey DOM Object Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21678, Version 6, January 10, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-3765

Mozilla has released updated software to address the Firefox, Thunderbird, and SeaMonkey DOM object processing arbitrary code execution vulnerability. Red Hat, CentOS, and FreeBSD have also released security updates to address the vulnerability. Proof-of-concept code that exploits this vulnerability is publicly available.

Physical

LightSquared's New 4G Network and Potential GPS Interference

LightSquared, a company planning to roll out a 4G satellite and terrestrial network, received Federal Communications Commission (FCC) approval to move ahead with its plans earlier this year. The approval is conditioned on LightSquared working with the community of GPS users to resolve any conflicts. This departs from the normal FCC approval process, in which extensive testing is conducted before a new service is approved. The band of frequencies allocated to LightSquared's system (1525–1559 MHz) lies just below the band (1560–1610 MHz) used by the L1 signal transmitted by Global Positioning System satellites. Initial testing by both LightSquared and GPS manufacturers has produced conflicting results.
Read More
Additional Information

IntelliShield Analysis: GPS receivers are widely deployed, and many enterprises depend on the service. Most of these receivers are consumer-grade devices whose receiver front ends have been built inexpensively to reduce costs. However, even most commercial-grade devices lack the circuitry and selectivity necessary to reject the strong signals that will be transmitted by the up to 40,000 ground stations of the LightSquared 4G network. Although this issue is not strictly the fault of the LightSquared network, the choice of frequencies could perhaps have been better planned. The question of which party will assume responsibility for upgrading currently deployed GPS devices remains open.

Legal

There was no significant activity in this category during the time period.

Trust

There was no significant activity in this category during the time period.

Identity

There was no significant activity in this category during the time period.

Human

India Graduates Millions, but Too Few are Fit to Hire

Despite India's very large population and the rapidly growing number of college graduates it produces, a high percentage of these graduates are considered unemployable by many of India's fast-growing global industries. One of the main contributing factors is that students leaving Indian universities lack the skills needed to read, write, and converse in English. An article from the Wall Street Journal (referenced in the link below) stated that not enough high school and college graduates can communicate effectively in English and that many graduates do not fully understand educational basics, with the result that a company hires just three out of every 100 applicants.
Read More

IntelliShield Analysis: While on the surface India appears to be doing its part to supply highly technical candidates to meet the demand of its growing economy, it has become apparent that some universities pay too little attention to the non-technical, yet critical, skills required to succeed in certain corporate environments. There are several possible explanations for this gap. Perhaps, with the emphasis on building the capacity to teach technical content, non-technical content has not received as much support. Low budgets and low teacher salaries may fail to deliver, or the curriculum may not be aligned with business needs. Some institutions may also focus primarily on graduating large numbers of students without the resources to ensure quality. These are all common issues when education systems, businesses, or governments attempt to grow programs too quickly in an environment where the needed individuals or skills do not exist. The receiving organizations (those hiring the newly graduated students) may not recognize these issues and the risks they represent, and need to be prepared to provide ongoing education, training, and on-the-job experience to develop the graduates. Organizations should consider these risks in the development of their programs, take measures to minimize them initially with the resources available, and continue to reduce them through additional measures over time.

Geopolitical

Georgian Copper Scavenger Highlights Wealth Inequalities

A Georgian woman scavenging for scrap copper last week reportedly disrupted Internet access for the entire country of Armenia for several hours when she dug up and cut critical cables, according to sources quoting the Georgian Interior Ministry. The underground cables, owned by the Georgian railway authority, are generally hidden from view, but may have been exposed by rain erosion or landslides. The woman was arrested and then released because of her advanced age, according to reports.
Read More
Additional Information

IntelliShield Analysis: Various aspects of copper theft have been addressed in this publication over the years, including most recently in early March. This is the first time that we know of, however, that a copper theft incident caused an entire nation to lose Internet access. Indeed, this incident highlights not only the unintended consequences of rapidly rising prices for otherwise abundant metals such as copper and tin, but it also highlights continued gaps in wealth and access to basic services that make the Internet seem an unnecessary luxury in comparison. Moreover, even the basic redundancy that has made the World Wide Web successful remains precarious in some markets if damage to a single line can interrupt connectivity for an entire nation. Multinational technology companies may want to bear such issues in mind as they work with emerging market governments to build out modern infrastructure with the hope of raising living standards.

Miscellaneous

Using Smartphone and GPS Data to Rank Commute Times

A recent article on Newsweek's site 'The Daily Beast' lists the fifty worst commutes in the United States. The information was gleaned from GPS and smartphone data from four million vehicles collected by INRIX, a company that provides traffic technologies to motor vehicle makers and public sector organizations, among others. Using a metric titled 'Travel Time Tax,' the study combines congestion and drive times to produce the list.
Read More
Additional Information

IntelliShield Analysis: The report from The Daily Beast was possible due in part to publicly available data collected from millions of enabled devices. Whether or not each device's owner gave permission of any sort to be tracked is not stated in the article. According to the Texas Transportation Institute, "INRIX anonymously collects traffic speed data from personal trips, commercial delivery vehicle fleets and a range of other agencies and companies and compiles them into an average speed profile for most major roads," leaving the reader to intuit from which devices the data was collected. In addition, short of a deliberate effort to anonymize it, data from smartphones can easily be associated with a particular number or device. As the power of aggregating data from seemingly public sources is realized, the potential trade-offs in individual or collective privacy must be weighed. Many smartphones and their associated applications allow the user to opt out of location-aware tracking. Both users and corporations should establish policies and practices that are commensurate with their risk tolerance and privacy goals.

Upcoming Security Activity

CiscoLive Bahrain: Postponed
InterOp Las Vegas: May 8–12, 2011
HITBSecConf2011 (Amsterdam): May 17–20, 2011
23rd Annual FIRST Conference: June 12–17, 2011
CiscoLive 2011: July 10–14, 2011
Black Hat USA 2011: July 30–August 4, 2011
DEFCON 19: August 4–7, 2011

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Nigeria Presidential Election: April 16, 2011
British Royal Wedding: April 29, 2011

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
