Cyber Risk Report

February 15–21, 2010

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Alert levels decreased overall from last week and the same period last year. More new vulnerabilities were released during the period; the bulk of events were new publications rather than updates from past weeks.

News coverage this week centered on a supposedly new botnet called Kneber, which is in actuality an offshoot of the Zeus botnet and uses existing Zbot malicious software.

Cisco released updates to address vulnerabilities in the Cisco ASA 5500 Series Adaptive Security Appliances and in Cisco Security Agent. Most were potential denial of service vulnerabilities. However, one vulnerability in Cisco Security Agent, detailed in IntelliShield alert 19912, could allow an attacker to conduct a SQL injection attack and possibly gain unauthorized access to the system.

Details of an unspecified 0-day vulnerability in Mozilla Firefox, described in IntelliShield alert 19968, were released; the vulnerability could allow attackers to execute arbitrary code. No patches or vendor announcements were available.

Both Adobe and Symantec announced potential code execution vulnerabilities related to flaws in ActiveX controls supplied with their products. These vulnerabilities are detailed in IntelliShield alerts 19979 and 19970, respectively. In each case, an attacker could execute code on a user's system by convincing the user to view a malicious website.

IntelliShield published 90 events last week: 54 new events and 36 updated events. Of the 90 events, 76 were Vulnerability Alerts, three were Security Activity Bulletins, two were Security Issue Alerts, seven were Threat Outbreak Alerts, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Friday        02/19/2010    18         6      24
Thursday      02/18/2010     6        12      18
Wednesday     02/17/2010    19         9      28
Tuesday       02/16/2010     7         2       9
Monday        02/15/2010     4         7      11
Weekly Total                54        36      90


Significant Alerts for February 15–21, 2010

Mozilla Firefox Unspecified Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19968, Version 1, Feb 19, 2010
Urgency/Credibility/Severity Rating: 2/3/4

Mozilla Firefox contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Mozilla has not confirmed this vulnerability and updated software is not available.

Multiple Symantec Products ActiveX Control Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19970, Version 1, Feb 19, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-0107

Multiple Symantec products contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the target system. Symantec confirmed this vulnerability and released software updates.

Adobe Download Manager Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19979, Version 1, Feb 19, 2010
Urgency/Credibility/Severity Rating: 2/4/4

Adobe Download Manager contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. Adobe has not confirmed this vulnerability and updated software is not available.

Previous Alerts That Still Represent Significant Risk

Microsoft Internet Explorer Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19726, Version 4, January 26, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-0249

Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has confirmed this vulnerability and released software updates. Additional information is available regarding mitigations and exploit code related to the Internet Explorer remote arbitrary code execution vulnerability.

Adobe Reader and Acrobat newplayer() Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19602, Version 8, January 22, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-4324

Adobe Acrobat and Reader versions 9.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system or cause a denial of service condition. Proof-of-concept code that exploits the vulnerability is publicly available. Adobe has confirmed this vulnerability, and updates are available. This vulnerability is being actively exploited through directed phishing attacks.

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 35, February 16, 2010
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-3555

Multiple TLS implementations contain a vulnerability when renegotiating a Transport Layer Security (TLS) session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Multiple vendors have released updates to correct this vulnerability. Proof-of-concept code that exploits this vulnerability is publicly available.

Physical

Mock Cyber Attack Shows U.S. Unpreparedness

The U.S. failed a mock cyber attack exercise staged this week. The Washington D.C. think tank Bipartisan Policy Center staged the event, named "Cyber Shockwave," to evaluate the ability of the country to cope with an attack and to identify and investigate the policy issues the government would face in dealing with such an event. The role-playing exercise included players acting as the National Security Advisor, the Director of National Intelligence, the Secretaries of State, Defense, Treasury, and Homeland Security, and the Attorney General. The exercise began with simulated malware that was downloaded onto 20 million smart phones during March Madness and was triggered the following July. The malware then proceeded to incapacitate cell phone networks, land lines, and then the Internet. The event also included simulated explosions at two generating stations and a hurricane that came ashore on the east coast.

IntelliShield Analysis: While the players should be commended for their efforts, the outcomes of the scenarios were somewhat unrealistic. The ability of a rogue virus on cell phones to disable the electric power grid is fairly far-fetched. The participants seemed to conclude that, because they did not have the policies in place or the ability to shut down cell phone networks and the Internet, the U.S. government was unprepared for such an attack. The take-away should be that governments in non-totalitarian states have a somewhat limited ability, both in policy and in technical know-how, to prevent and remediate attacks. Individual companies and individuals themselves should keep disaster recovery in mind and take steps to prevent the disruption that could occur during such an event. These steps range from measures as simple as properly placed firewalls and updated antivirus programs to more involved plans such as uninterruptible power supplies and backup generator systems.

Legal

Nigerian Okpako Mike Diamreyan Convicted of Wire Fraud Charges by U.S. Jury

Nigerian Okpako Mike Diamreyan has been convicted on wire fraud charges by a U.S. jury and faces up to 20 years in prison for the crimes. Diamreyan was running what is called an advance fee fraud, in which victims are asked to send money to the perpetrator on the promise that they will receive even more money in return. Diamreyan could also face a fine of US$250,000 for each of the three wire fraud charges.
 
IntelliShield Analysis: Advance fee fraud scams have been around for some time, but with the advent of the Internet and the availability of huge numbers of e-mail addresses for spamming, their use has increased. Such scams can be very profitable even when only a small number of spam recipients fall for the fraud. According to Ultrascan, a Dutch private investigations company, the U.S. has lost US$2.1 billion, the UK US$1.2 billion, and China US$936 million. These are estimates, and since losses are not always reported, the actual amount of money lost in the scams may be even higher. Organizations should continue to educate users about the details of emerging scams and fraud practices, and should participate whenever possible in the collection and retention of evidence to make cases such as this one a deterrent to fraudsters.

Trust

There was no significant activity in this category during the time period.

Identity

There was no significant activity in this category during the time period.

Human

ScanSafe Finds Over 80% of Exploits in 2009 Targeted Users Through PDF Files

ScanSafe, a Software-as-a-Service (SaaS) provider of web security, released its 2009 Annual Global Threat Report. The report highlighted many trends in web exploits, including the prevalence of the ZeuS banking trojan, the Gumblar malware family, and the use of compromised websites to deliver malware. Most significant in ScanSafe's report was that malicious PDF files comprised 80% of online exploits by the end of 2009. The ubiquity of Adobe Reader and Adobe Acrobat for PDF viewing and authoring, as well as a sharp increase in vulnerabilities targeting Adobe products, were cited as the main drivers in the surge of PDF-related exploits. Cisco completed its purchase of ScanSafe in December 2009.

IntelliShield Analysis: Over the course of a year, ScanSafe observed that PDF exploits grew from 56% of web threats to 80%. This rapid rise of a common file format as a vector, to the point that it completely dominates web-based exploits, represents a confluence of human factors. Adobe's software does not have a robust automatic update feature and instead relies on users to initiate updates; PDF has become the standard of choice for exchanging documents and has until recently been a trusted format; and attackers have noticed these trends and have focused their efforts on finding and exploiting flaws in the PDF format and in Adobe's software. Organizations should not only take steps to protect their users from PDF-based exploits, but also look for ways to move quickly toward protection from the next trend in exploitation. Awareness and education are two good, transferable efforts that apply broadly to most human-factors threats.

Geopolitical

Dubai Assassination Serves as a Warning on Reputation Management

Following the assassination of senior Hamas commander Mahmoud al-Mabhouh in Dubai last month, a UK investigation is being launched into how fraudulent passports were used to conceal the identities of the assassins. Dubai authorities have released names, photographs and hotel security camera video of 11 suspects involved in the killing. UAE officials have said that the passports were cloned copies of the originals, with photographs and signatures modified. At least six of the identities belonged to real-life Israeli citizens with dual nationalities. The incident is being elevated into a diplomatic dispute, as the sophistication of the passport fraud raises questions about the level of support for the murder.
 
IntelliShield Analysis: Transnational crime and targeted assassinations are nothing new, but technology is increasing their sophistication and providing powerful and potentially invasive new tools for law enforcement. The individuals whose identities were stolen are now faced with the long-term prospect of their names being associated with an assassination. The potential damage is compounded by the long life and broad reach of the Internet. These victims may face delays when traveling because of watch listings, new employer doubts during background screening, and difficulty in obtaining credit, not to mention personal humiliation. Steps can be taken to protect one's online identity, including setting up persistent searches on one's name, doing periodic credit checks, and beefing up passwords. But faced with sophisticated transnational entities whose authority and resources were considerable, there may be little that could have been done to prevent the theft of these identities. Even with recent enhancements in passport technology, we are vulnerable as members of a trust-based, globally mobile society. These victims' only recourse may be changing their names and starting over.

Upcoming Security Activity

RSA Conference 2010, San Francisco: March 15, 2010
Security B-sides, Austin, TX: March 13, 2010
GRC Summit: March 14, 2010
CanSecWest 2010, Vancouver: March 24–26, 2010
Cisco Networkers 2010, Bahrain: March 28–21, 2010
InfoSec World 2010: April 17–23, 2010

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

XXI Olympic Winter Games, Vancouver, British Columbia, Canada: February 12–28, 2010
Iraq, Parliamentary Elections: March 7, 2010

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit: Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit: Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.