Cyber Risk Report

August 6–12, 2012

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity for the period was consistent with previous periods. Highlights for the period included vulnerabilities in Oracle Business Transaction Management Server, Novell GroupWise Messenger, HP Network Node Manager, and Ruby on Rails. Apple reported multiple cross-site scripting vulnerabilities in WebKit that affect Safari and other WebKit-based browsers.

Threat activity for the period included the reporting of multiple new trojans and spyware. Rapid7 released research on the FinFisher commercial spyware, which has now been identified in ten countries and may be spreading further. Zeus malware has been attempting to target BlackBerry devices in addition to the previously known Android systems. Symantec released information on the Shylock trojan, which injects attacker-controlled phone numbers into banking websites.

The Trojan-Spy.Win32.Gauss is a cyber-espionage toolkit that is designed to steal sensitive data such as passwords, banking credentials, and cookies on infected systems. Gauss shares characteristics with malware discovered earlier known as Flame. The similarities include architectural platforms, module structures, and communication with command-and-control servers.

The U.S. National Institute of Standards and Technology (NIST) released the final revision 2 of the Computer Security Incident Handling Guide with only minor changes from the revision 1 draft. Akamai released the State of the Internet Report for Q1 2012, which requires registration to download.

In upcoming activity, Microsoft released the Advance Notification for August 2012. The release will include nine security bulletins to address 14 individual vulnerabilities that impact Microsoft Windows, Internet Explorer, Microsoft Exchange, Microsoft Office, Microsoft SQL Server, Microsoft Server Software, and Microsoft Developer Tools. Five bulletins are rated critical. The Microsoft security bulletins will be released on August 14, 2012.

IntelliShield published 104 events last week: 45 new events and 59 updated events. Of the 104 events, 62 were Vulnerability Alerts, four were Security Activity Bulletins, two were Security Issue Alerts, 35 were Threat Outbreak Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Saturday      08/11/2012     3         0       3
Friday        08/10/2012    13         7      20
Thursday      08/09/2012    10        13      23
Wednesday     08/08/2012     3        15      18
Tuesday       08/07/2012     4        11      15
Monday        08/06/2012    12        13      25
Weekly Total                45        59     104

Significant Alerts for the Time Period

Oracle Java SE Java Sandbox Remote Security Bypass Vulnerability
IntelliShield Security Activity Bulletin 26159, Version 3, August 7, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-1723
Oracle Java SE contains a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and execute arbitrary code on a targeted system. Functional code that exploits this vulnerability is available as part of the Metasploit framework. Oracle has confirmed the vulnerability and released software updates. Apple and Red Hat have released security advisories and software updates.

Previous Alerts That Still Represent Significant Risk

OpenSSL ASN.1 asn1_d2i_read_bio() Heap Overflow Vulnerability
IntelliShield Vulnerability Alert 25706, Version 11, August 9, 2012
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2012-2110, CVE-2012-2131
OpenSSL contains a vulnerability that could allow an unauthenticated, remote attacker to cause a DoS condition. Proof-of-concept code that demonstrates this vulnerability is publicly available. OpenSSL, FreeBSD, Red Hat, HP, Oracle, MontaVista Software, and IBM have released security advisories and updates.

Microsoft Internet Explorer colspan Element Processing Arbitrary Code Execution Vulnerability
IntelliShield Security Activity Bulletin 26057, Version 3, August 1, 2012
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2012-1876
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that demonstrates an exploit of this vulnerability is publicly available. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

Apple Safari Security Update July 2012
IntelliShield Security Activity Bulletin 26494, Version 1, July 25, 2012
Urgency/Credibility/Severity Rating: 2/5/3
Multiple CVEs
Apple Safari contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to gain unauthorized access to sensitive information or conduct cross-site scripting and spoofing attacks on an affected system. Updates are available.

Oracle Critical Patch Update July 2012
IntelliShield Security Activity Bulletin 26420, Version 2, July 23, 2012
Urgency/Credibility/Severity Rating: 3/5/4
Multiple CVEs
Oracle has released the July 2012 Critical Patch Update. As part of the security response, Oracle has released updates to correct 90 vulnerabilities in multiple products that could allow attackers to gain unauthorized access to targeted systems, gain access to sensitive information, or cause a denial of service (DoS) condition. Proof-of-concept code that demonstrates an exploit of the Oracle Critical Patch Update July 2012 is publicly available. Proof-of-concept code that demonstrates an exploit for Oracle Outside In Technology is publicly available.

Microsoft XML Core Services Memory Corruption Vulnerability
IntelliShield Vulnerability Alert 26148, Version 4, July 10, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-1889
Microsoft XML Core Services contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that exploits this vulnerability is available as part of the Metasploit framework. Reports indicate that exploitation of the Microsoft XML Core Services memory corruption vulnerability has been observed in the wild. Microsoft has released a security bulletin and software updates to address the Microsoft XML Core Services memory corruption vulnerability.

PHP Hash Collisions Fix Regression max_input_vars Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 25100, Version 5, June 29, 2012
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2012-0830
PHP 5.3.9 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a DoS condition on the affected system. Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available. PHP has confirmed this vulnerability and released updated software. Apple, FreeBSD, Red Hat, and HP have released security advisories and updated software.

PHP php5-cgi Binary Setup Remote Unsanitized Command-Line Parameter Processing Vulnerability
IntelliShield Vulnerability Alert 25816, Version 11, June 29, 2012
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2012-1823
PHP contains a vulnerability that could allow an unauthenticated, remote attacker to disclose sensitive information, cause a DoS condition, or execute arbitrary code. Functional code that exploits this vulnerability is available as part of the Metasploit framework. PHP has confirmed this vulnerability and released updated software. FreeBSD, Red Hat, and HP have released security advisories and updated software.

Microsoft Internet Explorer Property ID Processing Memory Corruption Vulnerability
IntelliShield Vulnerability Alert 26056, Version 3, June 15, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-1875
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that exploits this vulnerability is available as part of the Metasploit framework. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

Oracle Java Applet Rhino Script Engine Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 24470, Version 9, June 15, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-3544
Multiple versions of Oracle Java contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that demonstrates an exploit of this vulnerability is available as a part of the Metasploit framework. Oracle has confirmed this vulnerability and released updated software. Apple, HP, IBM, Red Hat, and Xerox have released security advisories and updated software.

Physical

NYPD and Microsoft Deploy Near-Real-Time CCTV System

The New York Police Department and Microsoft announced the release of the Domain Awareness System (DAS), which incorporates thousands of closed-circuit television (CCTV) cameras, license plate readings, radiation detection, and intelligence from numerous criminal databases in near-real time. The announcement indicated that video will be retained for 30 days, metadata and license plate readings for 5 years, and environmental data indefinitely. Similar systems are deployed in Baltimore and the United Kingdom, and New York City and Microsoft will be licensing DAS to other cities.

IntelliShield Analysis: This new system appears to be the state of the art in surveillance systems, although it remains to be seen whether it lives up to its billing. The keys to any surveillance system are not only the technology and the incorporation of data from multiple sources, but also highly trained staff, continuous monitoring, and a coordinated response to the events the system identifies. Staffing and monitoring are often the weak point of these systems; when they fall short, the system's value drops to providing only a partial record of what happened after the fact. That record can still be a valuable tool for police investigations, but detecting and responding in near-real time is a goal seldom reached.

Legal

Banning Employers from Requiring Disclosure of Social Network Passwords

Illinois has become the third state to enact legislation banning employers from collecting social network credentials from employees. A teacher's aide in Michigan was terminated from her position for refusing to disclose her Facebook credentials, and a Department of Corrections officer in Maryland was required to provide his Facebook credentials during a recertification exercise. State legislatures are beginning to pass these laws to combat this growing trend. Several U.S. legislators have called on the U.S. Department of Justice to investigate whether the practice violates the Stored Communications Act or the Computer Fraud and Abuse Act.

IntelliShield Analysis: In addition to an outright invasion of privacy, revealing personal access credentials is also against the usage policy of most popular social media sites. The revelation of any personal credentials to a third party also exposes the person to a possible identity compromise. Using access to one service and simple social engineering techniques, access to other accounts and services is usually easily obtained. Employers will always have the ability to view public profiles on social media and monitor computer usage in the workplace. If pictures or activities are viewable by the public on your social media sites and that information is potentially embarrassing, perhaps some thought should be given to your use of social media.

Trust

Additional Transparency of Government Data Requests

Following the Google Transparency Report, Twitter and now wireless service providers are publicly releasing data on the numbers of requests they receive, act on, and challenge from governments and law enforcement agencies. This data is fueling additional and ongoing debates throughout the governments regarding privacy and legal protections of the users and the organizations that are responding to the requests.

IntelliShield Analysis: In many ways, these data requests and privacy issues are simply a sign of the times and of the connected world we now live in. Governments and law enforcement agencies have a legitimate point in that almost every situation under investigation involves an electronic device (smart phone, tablet, laptop, storage device) that is likely to contain information important to the investigation. On the other side of the debate, governments and law enforcement agencies need to follow strict requirements that protect individuals' rights, and in many cases those requirements must first be created where they do not yet exist. From a service provider's perspective, there is another important aspect: the sheer volume of these requests, and the workload created to handle them, has caused many providers to increase staff, develop more streamlined procedures, and expand their legal teams to review the requests. In many cases they remain in the middle of this debate, between the proverbial rock and a hard place. A service provider must meet the legal requirements of the countries in which it operates, but that guidance is often limited or nonexistent. In many cases, the best a provider can do is expose the situation through these transparency reports to drive the debate in governments and public forums.

Identity

The Epic Hacking of Mat Honan

A writer for Wired had a major portion of his digital life compromised and erased. Mat Honan describes his tale of woe in an article in Wired, telling how the attackers used a bit of social engineering to gain initial access to an e-mail account, and then elevated that access through a commonly used password recovery procedure to take over other accounts. After the attackers had gained access to his Apple account, they used that access to reset his iPhone to factory defaults and delete the contents of the hard drive on his Macintosh, including treasured family photographs.

IntelliShield Analysis: Mat's story shows how an attacker can succeed in a purely malicious, arbitrary attack against an individual. Although Mr. Honan names the two services he used that were vulnerable in the attack, the attack could have succeeded against any of the commonly available free e-mail services combined with a configuration and practices similar to Mat's. Users are advised never to use easily guessed passwords, to store password information using a secure method, and to make backups. Backups should also be checked periodically to ensure they are correct and complete. Treat commonly used security questions and answers, such as a mother's maiden name, as publicly available information. When choosing and answering these questions, provide answers consisting of a word or phrase that is not available anywhere, and back up those answers.

Human

There was no significant activity in this category during the time period.

Geopolitical

The Tipping Point Games

Initial analysis of how Olympics information was viewed and accessed shows that mobile phones are taking the lead. Google reported a ten-fold increase in Olympic-related searches from mobile phones, and NBC and the BBC reported that mobile devices accounted for 45 percent and 41 percent of their online video stream traffic, respectively. Throughout the games there were multiple reported cases of athletes who got into trouble over tweets, pictures, and posts, and security sources reported the expected increase in Olympics-related spam, phishing, and malicious websites.

IntelliShield Analysis: This may prove to be the first social media and mobile Olympic games. Multiple sources have reported the increasing use and reliance on mobile devices, particularly in emerging markets where personal computers and Internet access are limited. With the end of the games, and once the numbers are all crunched, this Olympics could be the benchmark event that was the long-debated and anticipated "tipping point" where mobile device usage passed that of personal computers. Of course, criminal activity similarly shifted toward mobile devices, with malicious content available as application downloads or streaming video and with tweets and postings that led users to infected websites. Unfortunately, security of these devices is far behind that of personal computers, and many new users do not have or apply the same user awareness to mobile devices as they do to personal computers. As many organizations across the globe address mobile device and bring-your-own-device (BYOD) issues, security teams may already be engaged or will likely find this topic high on their lists of upcoming priorities.

Upcoming Security Activity

8th Annual GFIRST National Conference: August 19–24, 2012
VMworld 2012: August 26–30, 2012
ISSA International Conference: October 25–26, 2012
Cisco Live Cancun: November 6–8, 2012

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:

Ramadan: July 20–August 18, 2012
U.S. Republican Convention (Tampa, FL): August 27–30, 2012
U.S. Democratic Convention (Charlotte, NC): September 3–6, 2012
United Nations General Assembly: September 18, 2012
U.S. Presidential Election: November 6, 2012

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
