Cyber Risk Report

February 13–19, 2012

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity for the period increased, highlighted by the scheduled releases from Microsoft, Adobe, and Oracle. Additional security advisories and updates were released for the Google Chrome browser, Novell iPrint Client, Citrix XenServer Web Self Service, and Lenovo LANDesk ThinkManagement Console.

Microsoft released the Microsoft Security Bulletin Release for February 2012, including nine bulletins and 21 individual vulnerabilities. Complete and correlated information is available at Cisco Event Response: Microsoft Security Bulletin Release for February 2012, including IntelliShield alerts, IPS signature updates, and an Applied Mitigation Bulletin with recommended network-level mitigations. Insights on the Microsoft Security Bulletin Release for February 2012 are available on the Cisco Security Intelligence Operations (SIO) portal.

Oracle released the February 2012 Java SE Critical Patch Update to address multiple security vulnerabilities in multiple Oracle Java SE versions, reported in IntelliShield Alert 25191.

Adobe released the Shockwave Player and Flash Player February 2012 Security Update to address multiple vulnerabilities in these products.

Recently released threat research on the Black Hole exploit toolkit reported that this toolkit dominates web vector exploits. Black Hole predominantly attempts to exploit Oracle Java and Adobe vulnerabilities. Although some of these products now include automated update installation, which users should enable, users should be reminded to check those settings and manually update the products if necessary.

Cisco released security advisories and updates for the Cisco NX-OS Software malformed IP packet denial of service (DoS) vulnerability, reported in IntelliShield Alert 25156, and the Cisco IronPort web-based administration interface cross-site scripting vulnerability, reported in IntelliShield Alert 25045.

In threat activity, the Cisco IronPort Threat Operations Center has reported an increase in travel-related spam messages that include malicious documents or hyperlinks. These malicious messages include fraudulent hotel reservations, airline reservations, and casino messages and advertisements. Details of these malicious messages are in the IntelliShield Threat Outbreak Alerts on the Cisco SIO portal.

IntelliShield published 135 events last week: 65 new events and 70 updated events. Of the 135 events, 82 were Vulnerability Alerts, 10 were Security Activity Bulletins, two were Security Issue Alerts, 38 were Threat Outbreak Alerts, two were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date        New  Updated  Total
Friday        2/17/2012    13       15     28
Thursday      2/16/2012     4       10     14
Wednesday     2/15/2012     7       15     22
Tuesday       2/14/2012    27       19     46
Monday        2/13/2012    14       11     25
Weekly Total  —            65       70    135


Significant Alerts for the Time Period

Oracle Java SE Critical Patch Update February 2012
IntelliShield Activity Bulletin 25191, Version 1, February 15, 2012
Urgency/Credibility/Severity Rating: 2/5/4
Oracle has released the February 2012 Critical Patch Update to address multiple security vulnerabilities in multiple Oracle Java SE versions. This update remediates 14 vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a DoS condition on a targeted system.

Previous Alerts That Still Represent Significant Risk

Increased SSH Scanning Activity on Industrial Control Systems
IntelliShield Activity Bulletin 25143, Version 1, February 7, 2012
Urgency/Credibility/Severity Rating: 2/5/3
ICS-CERT has released a security alert to address recent activity involving SSH scanning of Internet-facing control systems that could allow an unauthenticated, remote attacker to access sensitive information.

Oracle Critical Patch Update January 2012
IntelliShield Vulnerability Alert 24972, Version 2, February 9, 2012
Urgency/Credibility/Severity Rating: 2/5/3
Oracle has released the January 2012 Critical Patch Update. The update contains 78 new security fixes that address multiple Oracle product families. The fixes correct multiple vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a DoS condition on targeted systems. Red Hat has released a security advisory and updated packages to address vulnerabilities listed in the Oracle Critical Patch Update January 2012.

MIT Kerberos 5 Telnet Service Buffer Overflow Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 24838, Version 6, February 8, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-4862
MIT Kerberos 5 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the system. Functional code that exploits this vulnerability is available as part of the Metasploit framework. MIT has confirmed the vulnerability and released software updates. Cisco, FreeBSD, GNU.org, and Red Hat have released security advisories.

Multiple Products Hash Collisions Denial of Service Vulnerability
IntelliShield Security Activity Bulletin 24871, Version 7, February 7, 2012
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-4461, CVE-2011-4815, CVE-2011-4885, CVE-2012-0193
Multiple products contain a vulnerability that could allow an unauthenticated, remote attacker to cause a DoS condition. Updates are available. Apache, Microsoft, CentOS, IBM, Ruby, FreeBSD, Red Hat, and HP have released security advisories and updates.

Apache HTTP Server Reverse Proxy Rewrite URL Validation Vulnerability
IntelliShield Vulnerability Alert 24625, Version 5, February 15, 2012
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-4317
Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to gain unauthorized access to internal networks. Apache has not confirmed the vulnerability and software updates are not available. The vulnerability is due to a regression error introduced by the vulnerability CVE-2011-3368, documented in IntelliShield Alert 24327. Proof-of-concept code that exploits the vulnerability is publicly available.

OpenSSL Datagram Transport Layer Security Plaintext Recovery Issue
IntelliShield Vulnerability Alert 24893, Version 7, January 31, 2012
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-4108
OpenSSL versions prior to 0.9.8s and versions prior to 1.0.0f contain an issue that could result in easier recovery of plaintext information from encrypted text. Cisco has discovered a potential issue in the patch for the OpenSSL Datagram Transport Layer Security plaintext recovery issue. OpenSSL, CentOS, FreeBSD, HP, and Red Hat have released security advisories and updates.

Microsoft Windows Media Player MIDI File Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 24880, Version 3, January 30, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-0003
Microsoft Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Updates are available. Proof-of-concept code that exploits the Microsoft Windows Media Player MIDI file processing arbitrary code execution vulnerability is publicly available. Reports indicate malware activity exploiting this vulnerability has been observed in the wild.

Adobe Acrobat and Reader Universal 3D Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 24698, Version 6, January 26, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-2462
Adobe Reader and Acrobat contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Targeted attacks against Adobe Reader version 9.4.6 on Microsoft Windows operating systems have been observed in the wild. Adobe has released a security bulletin and software updates to address the Adobe Acrobat and Reader Universal 3D remote code execution vulnerability. Functional code that exploits this vulnerability is available as part of the Metasploit framework. FreeBSD has released a security bulletin and updated technical details.

Oracle Java Applet Rhino Script Engine Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 24470, Version 6, January 24, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-3544
Multiple versions of Oracle Java contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Oracle and multiple other vendors have confirmed this vulnerability and released updated software. Functional code that demonstrates an exploit is publicly available.

Apache HTTP Server Overlapping Ranges Denial of Service Vulnerability
IntelliShield Vulnerability Alert 24004, Version 22, January 24, 2012
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-3192
Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to cause a DoS condition. Proof-of-concept code that exploits this vulnerability is publicly available. Apache has confirmed this vulnerability and updated software is available. Oracle and multiple additional vendors have released security advisories. HP has released an additional security bulletin. MontaVista Software has released a security alert and updated software. Cisco has re-released a security advisory and updated software.

ISC BIND Recursive Query Processing Denial of Service Vulnerability
IntelliShield Vulnerability Alert 24590, Version 11, January 4, 2012
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-4313
ISC BIND version 9 contains a vulnerability that could allow an unauthenticated, remote attacker to cause a DoS condition on a targeted system. It should be noted that there are external reports that this vulnerability is being actively exploited in the wild, as DNS server crashes have been observed. It is not, however, fully determined that exploitation of this vulnerability is the root cause for the recently observed crashes. ISC and multiple vendors have confirmed this vulnerability and released updated software.

Physical

There was no significant activity in this category during the time period.

Legal

Jeweler Sues IT Firm for Security Breach

A Chicago jeweler has sued an IT firm, stating that the firm's negligence allowed hackers to access confidential customer data. According to the lawsuit filed, the jeweler was having trouble establishing connectivity to its VPN. Although the work was outside the scope of the IT firm's contract with the jeweler, the IT firm acknowledged the issue and concluded the VPN could not be fixed. In addition, the firm recommended that the jeweler bypass the VPN solution, assuring the company it would be a safe alternative. This workaround led to an immediate security breach in which unidentified hackers gained access, installed malicious software on the credit card processing system and other systems, and as a result removed sensitive data from the jeweler's environment.

IntelliShield Analysis: Just as there are two sides to a coin, analyzing situations such as this immediately provides two viewpoints. The first, and ultimately the decisive factor, is that the jeweler decided to adhere to the recommendation of the IT firm. This matters because the second aspect is that the IT firm provided an improper solution to the problem. The larger issue, then, is that the customer simply followed this bit of bad advice and seemingly did not question the solution the firm provided. The question is how much an organization should trust or rely on its "trusted advisers." Organizations tend to contract consulting firms and partners to cover the areas where they are less effective or simply lack the expertise. It therefore stands to reason that when the consulting firm or partner provides advice or solutions, the organization should and likely will trust those solutions, because it lacks the ability to create solutions on its own. That said, the irony and the challenge of this relationship is that the responsibility and accountability to the end customer still fall on the shoulders of the organization.

Trust

An Invisible Window into Your E-mail or Social Media

An opinion article in Wired magazine last week brought to the forefront a commonly used method of gaining access to websites and services using the OAuth protocol. By using OAuth, authorization for third-party websites does not require creation of a new account on the new website or service. Instead, the website where you already have an account will issue a token for authenticating to the third-party website. This protocol eases password administration duties by reusing access you already have, but it can also allow access into your existing account from the third-party site. You may already be using the OAuth protocol if you have ever used your Facebook or Gmail account to access a third-party site or service.

IntelliShield Analysis: The chain of trust when using such authentication methods can grow long and wide. When we use tokens issued by Facebook, Gmail, or other accounts, those additional applications get access to our Facebook pages or our e-mail accounts. Although no evidence exists of malicious intent, the takeaway is to be very careful about which third-party services you grant access to your accounts, particularly those accounts that hold sensitive information. It may be better advice to never use your access to one service as credentials to access a different service. And never use weak passwords or reuse a password from one site on another. Myriad programs and applications are available for password management, many of them able to sync across different platforms. These applications both provide auto-login capabilities and can generate strong passwords. The website MyPermissions.org provides shortcuts to the authorization settings pages of the major e-mail and social media sites.
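To make the trust relationship described above concrete, here is an added example (not from the report or from any named vendor) that models OAuth-style delegated access in Python: the scopes a user consents to at the account provider decide how much of the existing account a third-party site can reach, and the provider's own record of issued tokens is what a permissions page like MyPermissions.org points you to. The client names, scopes, and account data are constructed.

```python
import secrets
from dataclasses import dataclass

# Constructed sample data standing in for the user's existing account.
ACCOUNT = {
    "profile": {"name": "Example User"},
    "mail:read": ["Flight confirmation", "Bank statement"],
}
SENSITIVE_SCOPES = frozenset({"mail:read", "posts:write"})

@dataclass(frozen=True)
class Token:
    value: str
    client: str            # hypothetical third-party site the token was issued to
    scopes: frozenset      # what the provider lets that site do with the account

class Provider:
    """Stand-in for the site that already holds your account (e.g. Facebook, Gmail)."""
    def __init__(self):
        self._tokens = {}  # token value -> Token

    def authorize(self, client, requested, consented):
        """Issue a token carrying only the scopes the user actually consented to."""
        granted = frozenset(requested) & frozenset(consented)
        tok = Token(secrets.token_urlsafe(16), client, granted)
        self._tokens[tok.value] = tok
        return tok

    def fetch(self, token_value, scope):
        """Resource check: the token must be live and must carry the requested scope."""
        tok = self._tokens.get(token_value)
        if tok is None:
            raise PermissionError("unknown or revoked token")
        if scope not in tok.scopes:
            raise PermissionError(f"{tok.client} was never granted {scope}")
        return ACCOUNT[scope]

    def revoke_client(self, client):
        """What a user does from the provider's app-permissions page."""
        self._tokens = {v: t for v, t in self._tokens.items() if t.client != client}

    def sensitive_clients(self):
        """Third parties whose tokens reach sensitive data: the list worth reviewing."""
        return sorted({t.client for t in self._tokens.values() if t.scopes & SENSITIVE_SCOPES})

def demo():
    p = Provider()
    # A login-only site: the user consents to profile access and nothing more.
    login = p.authorize("news-site", {"profile", "mail:read"}, {"profile"})
    # A "mail helper" the user waved through with everything it asked for.
    helper = p.authorize("mail-helper", {"profile", "mail:read"}, {"profile", "mail:read"})
    result = {"helper_mail": p.fetch(helper.value, "mail:read"), "login_mail_denied": False}
    try:
        p.fetch(login.value, "mail:read")
    except PermissionError:
        result["login_mail_denied"] = True
    result["review_list"] = p.sensitive_clients()
    p.revoke_client("mail-helper")
    result["after_revoke"] = p.sensitive_clients()
    return result
```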

Identity

There was no significant activity in this category during the time period.

Human

Shooting of Laptop Serves as Daughter's "Punishment"

The video of the North Carolina father, Tommy Jordan, issuing a rebuttal to his daughter's Facebook post and then shooting her laptop is all the rage these days. Jordan's daughter posted a letter on Facebook, relying on certain Facebook restrictions to prevent her parents from seeing the letter, in which she expressed her frustration with all the chores she has to do at home and that her parents are ungrateful. While the daughter had hidden her post from her family group, she failed to account for the fact that her parents would see it through the use of an account that had been set up for the family's dog.

IntelliShield Analysis: Much of the public focus on this incident has been on the daughter's letter about her parents and the father's subsequent reaction by recording his response, both his verbal diatribe and his firing of .45 caliber bullets into the laptop. However, the more important message here is that it is challenging to ensure that the information posted on social media outlets is restricted to those you intend to see it. Facebook has made progress in providing mechanisms within its Privacy Settings to keep certain information shared only with people you trust, as we highlighted in a recent Cisco Security Blog post. But using these settings alone does not always guarantee your information will not reach an unintended audience. Just ask Tommy Jordan's daughter.

Geopolitical

India Shocks Telecom Investors

India's Supreme Court this month revoked all 2G mobile licenses granted since 2008, amid a corruption scandal that has paralyzed the Indian government for the past year. The licenses are said to have been granted by corrupt telecom officials at below-market prices, ostensibly depriving Indian citizens of billions of dollars in potential government money that could have been used for badly needed infrastructure upgrades, education, and social programs. Foreign companies did not participate in the original license deals, but later partnered with Indian companies that were granted the cheap licenses. Details on how and whether companies whose licenses were revoked will be compensated remain sketchy. Among the foreign companies that stand to lose out are Norway's Telenor, Russia's Sistema, and United Arab Emirates' Etisalat.

IntelliShield Analysis: The Supreme Court's move cuts both ways. On the one hand, investors see the house cleaning as part of a necessary process, particularly in what many perceive otherwise to be something of a governance vacuum. Long term, it bodes well for accountability and transparency, and should serve as evidence that India is serious about cleaning up corruption and enforcing the rule of law. Shorter term, it calls into question whether investors can be confident that a contract will be honored, and whether activist courts are preferable to reliable legislative bodies. Telecom investments are risky enough without doubts about whether government-granted licenses will be honored. To be fair, this move also may serve as a reminder of the importance of clear-eyed due diligence for foreign investors doing telecom acquisitions, particularly in emerging markets whose laws and business environment may be just coming up to speed. For now, India's telecom sector is in upheaval, foreign investment is down, and India's Congress Party–led government is seen as floundering. With luck, India will re-emerge in a year or two with a stronger government, accountability, and better enforcement of laws so that foreign investors can with confidence bring back the cash that will help boost India's economy.

Upcoming Security Activity

RSA Conference: February 27–March 2, 2012
CanSecWest 2012: March 7–9, 2012
Global Privacy Summit: March 7–9, 2012
Black Hat Europe: March 14–16, 2012
Cisco Live US: June 10–14, 2012

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

March Presidential Election in Russia: March 4, 2012

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit: Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit: Trial Registration

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
