Cyber Risk Report

December 14–20, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity during this period declined slightly from previous weeks. The majority of the activity this week involved the Adobe Reader and Acrobat vulnerability that was publicly released with proof-of-concept exploit code. Additional security advisories were reported for Cisco WebEx, IBM DB2, Mozilla, Symantec, Ruby on Rails, Wireshark and ZABBIX.

The Adobe Reader and Acrobat vulnerability is being widely discussed and researched. The proof-of-concept exploit code has been publicly released and Adobe has confirmed the vulnerability, but no updates are available. However, there are workarounds available to prevent the exploit. Due to the high level of exploit activity focused on Adobe product vulnerabilities over the past year, users should be particularly cautious until updates are available.

Mozilla released three advisories correcting vulnerabilities in Firefox versions prior to 3.5.6 and SeaMonkey versions prior to 2.0.1. The vulnerabilities allow an attacker to cause a DoS condition and execute arbitrary code. Attackers are often quick to exploit browser vulnerabilities in drive-by attacks and through compromised websites. Users should be particularly conscious of keeping their browsers updated using the auto-update features.

Spam involving malicious electronic greeting cards is targeting recipients' interest in holiday season topics. One such malicious electronic card was reported in IntelliShield Threat Outbreak Alert 19592. Koobface is also currently distributing Facebook posts that link to a malicious holiday video on YouTube.

Cisco released the Cisco 2009 Annual Security Report on December 8, 2009. The report includes information about global threats and trends from this year, as well as security recommendations for 2010.

On an administrative note, due to the holiday season the Cisco IntelliShield team will be operating minimally from December 24 through January 2, 2010. Cisco's global Security Intelligence Operations teams will continue to collect, monitor and analyze vulnerabilities and threats throughout the period, but will only publish IntelliShield alerts that warrant a high urgency level. The Cisco Cyber Risk Report will not be published on December 28 following the Christmas holiday, or on January 4 following the New Year's Day holiday.

IntelliShield published 124 events last week: 57 new events and 67 updated events. Of the 124 events, 96 were Vulnerability Alerts, 13 were Security Activity Bulletins, 10 were Security Issue Alerts, three were Threat Outbreak Alerts, one was an Applied Mitigation Bulletin and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day Date New Updated Total
Friday 12/18/2009 17 6 23
Thursday 12/17/2009 8 25 33
Wednesday 12/16/2009 16 11 27
Tuesday 12/15/2009 3 16 19
Monday 12/14/2009 13 9 22
Weekly Total 57 67 124


Significant Alerts for December 14-20, 2009
Adobe Reader and Acrobat newplayer() Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19602, Version 3, December 16, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-4324

Adobe Acrobat and Reader versions 9.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system or cause a denial of service (DoS) condition. Proof-of-concept code that exploits the vulnerability is publicly available. Adobe has confirmed this vulnerability; however, software updates are not available.

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 22, December 21, 2009
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-3555

Multiple TLS implementations contain a vulnerability when renegotiating a Transport Layer Security (TLS) session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Multiple vendors have released updates to correct this vulnerability. Proof-of-concept code that exploits this vulnerability is publicly available.

Previous Alerts That Still Represent Significant Risk
Microsoft Internet Explorer Cascading Style Sheets Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 19468, Version 5, December 10, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-3672

Microsoft Internet Explorer versions 6 and 7 contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code. Proof-of-concept code is publicly available. Microsoft has released security bulletin MS09-072 addressing this vulnerability.
 
Microsoft Windows SMB Client Remote Denial of Service Vulnerability
IntelliShield Vulnerability Alert 19422, Version 2, November 16, 2009
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-3676

Microsoft Windows Server 2008 R2 and Windows 7 contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. Exploit code is publicly available. Microsoft has confirmed this vulnerability, but updates are not available.

Gumblar Malicious Code Adopts Additional Exploit Methods
IntelliShield Vulnerability Alert 19237, Version 1, October 20, 2009
Urgency/Credibility/Severity Rating: 3/4/3
Reports indicate additional activity related to the Gumblar malicious code.

Microsoft Windows SMB2 Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 19000, Version 7, October 13, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-3103

Microsoft Windows Vista SP2 and prior and Windows Server 2008 contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code. Microsoft has released a security advisory and updated software to address the Microsoft Windows SMB2 remote code execution vulnerability. Functional exploit code is publicly available.

Microsoft Internet Information Services FTPd Remote Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 18951, Version 5, October 13, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-3023

Microsoft IIS versions 5.0, 5.1, and 6 contain a vulnerability in the FTPd service that could allow an authenticated, remote attacker to cause a DoS condition or execute arbitrary code with elevated privileges. Microsoft has released a security bulletin with software updates to address the Microsoft Internet Information Services FTPd remote buffer overflow vulnerability.

Microsoft Visual Studio Active Template Library Uninitialized Object Vulnerability
IntelliShield Vulnerability Alert 18725, Version 12, November 5, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-0901

Microsoft Visual Studio Active Template Library contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has released a security bulletin and software updates to address the Microsoft Visual Studio Active Template Library uninitialized object vulnerability in Microsoft Windows.

Microsoft Office Web Components ActiveX Control Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 18633, Version 6, October 12, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-1136

Microsoft Office Web Components contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. This vulnerability is due to an unspecified error in the Office Web Components ActiveX control. Reports indicate that exploits of this vulnerability are ongoing. Additional technical information is available to detail the Microsoft Office Web Components ActiveX control arbitrary code execution vulnerability. IntelliShield has re-released this alert to clarify the availability of software updates

Physical

There was no significant activity in this category during the time period.

Legal

U.S. Supreme Court to Rule on Privacy of Text Messaging Case
 
A police officer of Ontario, California faces an appeal on a case involving the privacy of his personal text messages on his official work pager. The case is scheduled to be ruled on by the Supreme court in March of 2010. The case revolves around the lack of an official policy for the use of pagers and that a lieutenant communicated to his officers that they could use the pagers for personal use without an audit of sent texts if they paid any costs incurred by exceeding 25,000 characters.
Read More
 
IntelliShield Analysis: Officer Jeff Quon often exceeded the 25,000 character limit but always paid for his overage costs. During an analysis of the pager use to determine if 25,000 characters was enough, the police department requested and received transcripts from the text messaging provider. Quon argued that this violated his fourth amendment right regarding unreasonable search and seizure. The U.S. Court of Appeals for the Ninth Circuit ruled last June in Quon's favor.  This is an interesting case because the police department did not have an official policy on pager user, but did have an unofficial one established by a lieutenant. The city argued that the supervisor was not responsible for making policy decisions in the department, but the court ruled that the police officers had reason to believe that what their supervisor told them would be correct and they need not fear for audits of their personal text messages as long as they paid any overage charges on the pagers.

Trust

RockYou Hack Exposes Names and Passwords of 30M Accounts

Leveraging a major Structured Query Language (SQL) injection error in the database of social networking application provider RockYou, hackers were able to access Personally Identifiable Information (PII) of over 30 million registered users. RockYou was notified of the vulnerability by database security vendor Imperva, Inc. through the active monitoring of several chat rooms used by miscreants. Read More
 
IntelliShield Analysis: The accessing of personal and sensitive online user information, whether it be done maliciously by hackers or inadvertently due to lack of adequate controls and awareness, is certainly nothing new in today's world of ubiquitous and pervasive online access. There are, however, several key items from this incident that should be highlighted. The first is that the passwords of these compromised user accounts were stored in clear text, as opposed to being encrypted and hashed. The proper storing of passwords is a best common practice, and in this case the way that this information was stored drastically lowers the bar in terms of the efforts required to access the personal information contained in the database. Another point of note is the fact that many of the usernames, and likely the passwords, were identical to those used for other online accounts, which means these accounts could end up being compromised as well. The final item of note is that although the information accessed was not directly tied to user financial data, in that it did not consist of credit card numbers or Social Security Numbers (SSNs), the data could potentially be used in future social engineering efforts whereby miscreants leverage knowledge of user information (hometown, date of birth, high school attended, etc.) to gain a level of trust while creating targeted attacks against these individuals.

Identity

Security Expert Questions Data Gathering After Credit Card Deactivated

Security expert Roger Thompson, of AVG Technologies, posted a blog entry about some recent international travel that he took. On his trip, his credit card was suspended for suspicious charges; he had not notified his bank that he would be overseas. However, in his efforts to get the card re-activated, the fraud department for his credit card asked him to verify details about himself that he had not provided to them, specifically the age of his daughter-in-law. Thompson believes that the foremost publicly-available connection he could discern between himself and his daughter-in-law is through the social networking site Facebook. Read More
Additional Information

IntelliShield Analysis: This account represents only anecdotal evidence that banks are collecting information beyond that which is explicitly provided by customers. However, if it is true, the value of such information is questionable. Certainly information that used to be privately and closely maintained (such as mother's maiden name) has become increasingly public through the proliferation of digital traces, such as social networking sites. But the value of a security question such as this is to uniquely identify an individual. If information is public, there can be no assurance that the caller did not themselves extract that information from public sources. Are financial institutions gathering other identifying pieces of information from correlated sources? Are security questions in the traditional sense still valid authenticators? Organizations seeking to verify identity should ensure that they are gathering only information that is permissible, and that they do not mistake more information for valuable information for purposes such as identity verification.

Human

There was no significant activity in this category during the time period.

Geopolitical

Key Events for 2010

Looking toward the New Year, several high-profile political and sporting events, and a host of looming regulatory and political battles, are likely to influence information security in 2010. Some events are fairly certain and may be worth jotting onto calendars now. Ukraine will hold elections in January; other 2010 elections include the United Kingdom, Brazil, Australia, the Palestinian Territories, and mid-term elections in the United States. Vancouver, Canada will host the Winter Olympics in February, and South Africa will hold World Cup football championships in June. In Asia, the Shanghai World Expo is scheduled for May, and in Latin America, several countries will celebrate 200 years of independence, including Argentina, Colombia, and Chile. Read more
Additional Information
Additional Information

IntelliShield Analysis: 2010 promises to be a transitional year, as the disruptions of the global economic downturn clear the way for new technologies, new economic models, and new political realities. In addition to the calendar items listed above, there are a host of likely events that cannot be easily nailed to a time schedule. U.S. federal stimulus funds earmarked for broadband expansion will begin rolling out, for example. Pent-up demand for technology upgrades is likely to get the technology sector moving again. The legal debate over allocation of wireless spectrum in the U.S. is likely to heat up. The emergence of social media as a primary vehicle for political expression will continue, as will the move to cloud computing and virtualization. Criminals bent on stealing data may focus on the multiplicity of platforms and the voluntary surrender of privacy that these technologies require, ensuring that there is plenty of work for information security professionals in 2010.

Upcoming Security Activity

Networkers at Cisco Live 2010, Barcelona: January 25–28, 2010
Cisco Networkers 2010, Bahrain: March 28–21, 2010
Black Hat DC: January 31–February 3, 2010
Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:
Christmas: December 25, 2009
New Year's Day: January 1, 2010

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.

Back to Top