Cyber Risk Report

February 27–March 4, 2012

The IntelliShield Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. The Cyber Risk Reports are a result of collaborative efforts, information sharing, and collective security expertise of senior analysts from Cisco security services that include the IntelliShield team (IntelliShield Alert Manager, Applied Intelligence, and IPS), ROS, PSIRT, the Corporate Security Programs Organization, and Legal Support.

Vulnerability

Vulnerability activity decreased during the period, although activity for the first two months of 2012 shows a significant increase over the same period in previous years. While two months do not establish a trend, the sizable increase does warrant attention to the increased vulnerability and patch activity.

Cisco released multiple product security advisories during the period for Cisco Wireless LAN Controllers, Cisco Unity Connection, Cisco Unified Communications Manager, Cisco TelePresence Video Communication Server, and Cisco Cius software. These security advisories, correlated with individual IntelliShield vulnerability alerts, Applied Mitigation Bulletins, and IPS signatures, are available on the Cisco Security Intelligence Operations portal.

Other vulnerability activity included security advisories and updates for libxml2, multiple vulnerabilities in PostgreSQL, Red Hat updates for Java and ISC BIND, updates for IBM Personal Communications, and vulnerabilities in the ICS/SCADA systems ABB WebWare and Plesk Control Panel.

Threat activity for the period included exploit code for the Cisco Secure Access Control Server vulnerability reported in IntelliShield alert 15338, and exploit code for the Microsoft Internet Explorer select Element Processing vulnerability (MS11-081) reported in IntelliShield alert 24300. Cisco Security Intelligence Operations has also detected an increase in IPS signature activity related to the Microsoft SharePoint Server vulnerability (MS12-011) reported in IntelliShield alert 25140.

Multiple security organizations have recently released valuable reports: Verizon released the Verizon 2011 Investigative Response (IR) Caseload Review, Akamai released the Q3 2011 State of the Internet report, the S4 Conference released the video presentation of the Stuxnet Deep Dive, and Imperva released the Anatomy of an Anonymous Attack, discussed below in the Miscellaneous section. These reports include significant security details and recommendations, and are worthy of review.

IntelliShield published 83 events last week: 42 new events and 41 updated events. Of the 83 events, 36 were Vulnerability Alerts, four were Security Activity Bulletins, three were Security Issue Alerts, 38 were Threat Outbreak Alerts, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New  Updated  Total
Friday        03/02/2012     4        6     10
Thursday      03/01/2012     6       12     18
Wednesday     02/29/2012    17        9     26
Tuesday       02/28/2012     5        7     12
Monday        02/27/2012    10        7     17
Weekly Total                42       41     83

2012 Monthly Alert Totals

Month         New  Updated  Monthly Total
January       208      344            552
February      234      317            551
Annual Total  442      661           1103


Previous Alerts That Still Represent Significant Risk

Multiple Products Hash Collisions Denial of Service Vulnerability
IntelliShield Security Activity Bulletin 24871, Version 8, February 24, 2012
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-4461, CVE-2011-4815, CVE-2011-4885

Multiple products contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. Updates are available. Apache, Microsoft, CentOS, IBM, Ruby, FreeBSD, Red Hat, and HP have released security advisories and updates.

Trend Micro Control Manager CmdProcessor.exe Arbitrary Code Execution Vulnerability
IntelliShield Activity Bulletin 24728, Version 2, February 23, 2012
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2011-5001

Trend Micro Control Manager contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Proof-of-concept code that demonstrates an exploit of the Trend Micro Control Manager CmdProcessor.exe arbitrary code execution vulnerability is publicly available. Proof-of-concept code that exploits this vulnerability is available as part of the Metasploit framework.

Oracle Java SE Critical Patch Update February 2012
IntelliShield Activity Bulletin 25191, Version 2, February 23, 2012
Urgency/Credibility/Severity Rating: 2/5/4

Oracle has released the February 2012 Critical Patch Update to address multiple security vulnerabilities in multiple Oracle Java SE versions. This update remediates 14 vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on a targeted system. CentOS and Red Hat have released security advisories and updates.

Apache HTTP Server Reverse Proxy Rewrite URL Validation Vulnerability
IntelliShield Vulnerability Alert 24625, Version 5, February 15, 2011
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-4317

Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to gain unauthorized access to internal networks. Apache has not confirmed the vulnerability and software updates are not available. The vulnerability is due to a regression error introduced by the vulnerability CVE-2011-3368, documented in IntelliShield alert 24327. Proof-of-concept code that exploits the vulnerability is publicly available.

Increased SSH Scanning Activity on Industrial Control Systems
IntelliShield Activity Bulletin 25143, Version 1, February 7, 2012
Urgency/Credibility/Severity Rating: 2/5/3

ICS-CERT has released a security alert to address recent activity involving SSH scanning of Internet-facing control systems that could allow an unauthenticated, remote attacker to access sensitive information.

Oracle Critical Patch Update January 2012
IntelliShield Vulnerability Alert 24972, Version 2, February 9, 2012
Urgency/Credibility/Severity Rating: 2/5/3

Oracle has released the January 2012 Critical Patch Update. The update contains 78 new security fixes that address multiple Oracle product families. The fixes correct multiple vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service condition on targeted systems. Red Hat has released a security advisory and updated packages to address vulnerabilities listed in the Oracle Critical Patch Update January 2012.

MIT Kerberos 5 Telnet Service Buffer Overflow Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 24838, Version 6, February 8, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-4862

MIT Kerberos 5 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the system. Functional code that exploits this vulnerability is available as part of the Metasploit framework. MIT has confirmed the vulnerability and released software updates. Cisco, FreeBSD, GNU.org and Red Hat have released security advisories.

OpenSSL Datagram Transport Layer Security Plaintext Recovery Issue
IntelliShield Vulnerability Alert 24893, Version 7, January 31, 2012
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-4108

OpenSSL versions prior to 0.9.8s and versions prior to 1.0.0f contain an issue that could result in easier recovery of plaintext information from encrypted text. Cisco has discovered a potential issue in the patch for the OpenSSL Datagram Transport Layer Security plaintext recovery issue. OpenSSL, CentOS, FreeBSD, HP and Red Hat have released security advisories and updates.

Microsoft Windows Media Player MIDI File Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 24880, Version 3, January 30, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-0003

Microsoft Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Updates are available. Proof-of-concept code that exploits the Microsoft Windows Media Player MIDI file processing arbitrary code execution vulnerability is publicly available. Reports indicate malware activity exploiting this vulnerability has been observed in the wild.

Adobe Acrobat and Reader Universal 3D Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 24698, Version 6, January 26, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-2462

Adobe Reader and Acrobat contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Targeted attacks against Adobe Reader version 9.4.6 on Microsoft Windows operating systems have been observed in the wild. Adobe has released a security bulletin and software updates to address the Adobe Acrobat and Reader Universal 3D remote code execution vulnerability. Functional code that exploits this vulnerability is available as part of the Metasploit framework. FreeBSD has released a security bulletin and updated technical details.

Oracle Java Applet Rhino Script Engine Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 24470, Version 6, January 24, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-3544

Multiple versions of Oracle Java contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Oracle and multiple other vendors have confirmed this vulnerability and released updated software. Functional code that demonstrates an exploit is publicly available.

Apache HTTP Server Overlapping Ranges Denial of Service Vulnerability
IntelliShield Vulnerability Alert 24004, Version 22, January 24, 2012
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-3192

Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. Proof-of-concept code that exploits this vulnerability is publicly available. Apache has confirmed this vulnerability and updated software is available. Oracle and multiple additional vendors have released security advisories. HP has released an additional security bulletin. MontaVista has released a security alert and updated software. Cisco has re-released a security advisory and updated software.
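As an added defensive illustration (not code from this report or from the Apache project): the overlapping-ranges flaw was triggered by Range headers carrying many overlapping byte ranges, and the published mitigation was to stop honouring such headers. The Python below parses a Range header, counts overlapping ranges, and decides whether to serve the ranges, fall back to a full response, or reject the request; the MAX_RANGES threshold, the RangeVerdict type, and the sample headers are assumptions constructed for this example.

```python
"""Defensive check for abusive HTTP Range headers (CVE-2011-3192 style)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Threshold assumed for this example; Apache's mitigation guidance for
# CVE-2011-3192 likewise stopped honouring requests carrying many ranges.
MAX_RANGES = 5

_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(header: str, size: int) -> Optional[List[Tuple[int, int]]]:
    """Parse a Range value such as "bytes=0-99,200-" into inclusive (first, last)
    offsets for a representation of `size` bytes. Returns None when the header is
    not a syntactically valid bytes range-set; unsatisfiable ranges are dropped."""
    if not header.lower().startswith("bytes="):
        return None
    ranges: List[Tuple[int, int]] = []
    for spec in header[len("bytes="):].split(","):
        m = _SPEC.match(spec.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None                        # "-" or garbage is malformed
        first_s, last_s = m.groups()
        if first_s == "":                      # suffix form "-N": last N bytes
            n = int(last_s)
            if n == 0:
                continue
            first, last = max(0, size - n), size - 1
        else:
            first = int(first_s)
            if last_s != "" and int(last_s) < first:
                return None                    # "a-b" with b < a is malformed
            last = size - 1 if last_s == "" else min(int(last_s), size - 1)
            if first >= size:
                continue                       # unsatisfiable, ignore it
        ranges.append((first, last))
    return ranges


def count_overlaps(ranges: List[Tuple[int, int]]) -> int:
    """Number of ranges that overlap an earlier range once sorted by start."""
    overlaps = 0
    end = -1
    for first, last in sorted(ranges):
        if first <= end:
            overlaps += 1
        end = max(end, last)
    return overlaps


@dataclass
class RangeVerdict:
    range_count: int
    overlaps: int
    action: str          # "serve", "ignore-range" or "reject"


def assess_range_header(header: str, size: int) -> RangeVerdict:
    """Decide how a front end should treat a request's Range header. Malformed
    headers are rejected; headers with too many or overlapping ranges are served
    as a single full response, which costs far less than many partial copies."""
    ranges = parse_byte_ranges(header, size)
    if ranges is None:
        return RangeVerdict(0, 0, "reject")
    overlaps = count_overlaps(ranges)
    if len(ranges) > MAX_RANGES or overlaps:
        return RangeVerdict(len(ranges), overlaps, "ignore-range")
    return RangeVerdict(len(ranges), overlaps, "serve")


if __name__ == "__main__":
    # Constructed sample headers for a 1000-byte resource, not captured traffic.
    for h in ("bytes=0-99", "bytes=0-9,20-29,-10",
              "bytes=0-,1-,2-,3-,4-,5-,6-", "bytes=10-5"):
        print(h, "->", assess_range_header(h, 1000))
```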


ISC BIND Recursive Query Processing Denial of Service Vulnerability
IntelliShield Vulnerability Alert 24590, Version 11, January 4, 2012
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-4313

ISC BIND version 9 contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system. It should be noted that there are external reports that this vulnerability is being actively exploited in the wild, as DNS server crashes have been observed. It is not, however, fully determined that exploitation of this vulnerability is the root cause for the recently observed crashes. ISC and multiple vendors have confirmed this vulnerability and released updated software.

Physical

Undersea Cable Cut Causes Communications Outages Across East Africa

On February 27, 2012, a ship dropped its anchor five kilometers from Mombasa, Kenya and severed The East African Marine Systems (TEAMS) undersea cable. This cut caused communication outages and traffic slowdowns in Kenya, Rwanda, Burundi, Tanzania, Ethiopia, and South Sudan's capital, Juba. Some of the traffic was re-routed over other cables, EASSy and SEACOM, or sent via satellite links. Safaricom, the operator of the M-PESA payment system, suffered the most, as its servers are hosted in the United Kingdom. The significance of M-PESA for the Kenyan economy was discussed previously in a Cisco Security Blog post.

IntelliShield Analysis: Outsourcing can make business sense, but it usually increases reliance on communication lines. If your help center, data center, or partners are on a different continent, you must ensure that you have backup links with sufficient bandwidth. Even when other cables exist and are operational, as was the case in Kenya, the premium for their use may be high, and it can take up to a few weeks until the cable is repaired. Moving services into a cloud has the potential to exacerbate this dependency on communication links. Not only must your connection to the cloud provider be operational, but if the provider moves your data, or the place where it is processed, to a different location, the link to that location must also be operational. By the very nature of the cloud, this movement of data and processing is dynamic and can happen at any time. Contingency planning is becoming even more important with our ever-increasing reliance on instantaneous and ubiquitous communication.

Legal

There was no significant activity in this category during the time period.

Trust

Facebook Accessing Phone Users' Text Messages

An investigation has revealed that Facebook, by its own admission, is accessing the text messages of smartphone users who have downloaded the Facebook social-networking application. Facebook has stated that the information was accessed as a trial in preparation for the launch of its own messaging service, and that when the service launches users will be presented with an option to consent to its use. Furthermore, Facebook contends that "The permission is clearly disclosed on the app page in the Android market place, and is in anticipation of new features that enable users to integrate Facebook features with their texts." Facebook is not the only company accessing users' personal data, specifically text messages; others include Flickr, Badoo, and Yahoo! Messenger. Even more eye-opening is the fact that some apps allow companies to intercept phone calls, and more concerning still are those companies capable of remotely accessing and operating a user's smartphone camera to take photographs or videos at random.

IntelliShield Analysis: It is clear that the issue of privacy extends far beyond any one organization. It is also clear that, as a society, we must provide more agreeable and secure solutions to protect everyone. While this is a global topic, the actions of individual organizations provide prime examples that society needs to be attuned to, as the impact of these actions is far-reaching and can be quickly exacerbated.

As to Facebook's contention that the permission is clearly disclosed in the Android market place: what about the iTunes App Store? As verified, there is no such disclosure. Also, how far does "disclosure" extend? Reading the statement (note the phrase "in anticipation of new features") suggests an open-ended disclosure that can cover whatever new features the company later presents. How is one to know the bounds of these disclosures? More specific details and clearer disclosure should be provided. Moreover, whenever an organization decides to unveil a new feature in an application, whether in a testing phase or in production, a consent request or notice should be provided to all users indicating that such new activities are taking place. Blanket disclosures and terms and conditions should not be viewed as a reliable means of protecting users or making them aware.

A tell-tale aspect of this is that approximately "70 percent of smartphone users rarely or never read the terms and conditions policy when they download an app." With app terms and conditions being the "fine print" of the electronic era, the challenge has become understanding and accounting for the myriad gray areas they cover, as new features and options are unveiled all the time.

Herein lies a key problem. When one attempts to download this application, or many others, nowhere in the "description" and "what's new" sections is there any mention of the privacy policy, the terms and conditions, or the specific fact that text messages or other details will be accessed. In fact, until you actually launch the app, no terms and conditions are presented at all. One option would be to present such details during the "research/review" phase of choosing an app, as that is a more opportune time for users to take notice and interpret the terms and conditions.

Governments and privacy advocate groups across the globe continue to discuss privacy issues and attempt to create regulatory guidelines to protect Internet users. Until these are enacted, and even then, users will ultimately be responsible for protecting their own privacy and should use caution in the applications and account settings they choose.

Identity

New Google Privacy Policy In Effect

About six weeks ago, Google announced a new privacy policy that would consolidate the policies from more than sixty separate Google products into one common policy. That new privacy policy took effect this past week on March 1, 2012. Google states that the reasoning behind this was to present one comprehensible privacy policy to consumers and to better personalize their experience with Google's services. Google will now combine a customer's browsing history, video viewing history, and search data, as well as information gleaned from their e-mail and social network services, to better predict what the customer wants when presenting search results and online advertisements. In the past few weeks, Google has come under fire for ignoring privacy settings on Safari and Firefox browsers, and their new combined policy has run afoul of the European Union's privacy directive.

IntelliShield Analysis: While Google was the company in the news this past week, all of the major web services are in the business of selling targeted advertising; Apple, Microsoft, and Yahoo! also have quite profitable ad sales divisions. One concern with this new policy is that Google may be able to build a much more accurate profile of its online customers. In a worst-case scenario, everything that an individual does online could be tracked, recorded, and made available to any of Google's customers. While Google currently has no plans to disclose or sell this information to any third parties, that is always a future possibility; in that case the privacy policy should be modified and a way to opt out of the sale of personal data provided. The end result of Google's action may be valuable to some of its customers; for instance, imagine never being presented with an irrelevant popup advertisement.

There are several steps a user can take to limit the collection of personally identifiable information. Google provides a privacy dashboard that any user with a Google ID can use to configure and limit how information is recorded and used. Since several of Google's services require logins and browser cookie storage (Gmail and Google+, for example), a user could choose not to perform Google searches from the browser in which their Gmail account is being accessed, instead using a different browser for viewing YouTube videos and performing searches, with cookies disabled on that browser instance. Google will still retain the originating IP address, but it will be separated from the user ID used for Google's mail or social networking services. A user could perform searches using a service such as DuckDuckGo, which does not maintain or correlate search histories, or make use of a system such as onion routing that anonymizes source addresses. One final thing to keep in mind is that providing these services is not without cost. A general rule is that if you are not paying for it, you are not the customer; you are the product being sold.

Human

Auto-Correct of Text Message Blamed for Secondary School Security Incident

The auto-correction feature of a mobile device used to send a text message resulted in the security "lockdown" of a Gainesville, Georgia (U.S.) secondary school. The incident at West Hall middle and high schools was the result of the word "gunna" being auto-corrected to "gunman." In addition, the text message was sent to a wrong number, prompting a member of the community to alert law enforcement. The unintentional threat was taken seriously in light of a separate incident earlier in the week in which three students at a high school in Chardon, Ohio (U.S.) were killed by another student.

IntelliShield Analysis: This unfortunate incident is a story that compels a feature request: if a smartphone is designed to "correct" slang or casual spelling into more formal language, it should also scan the destination address of the intended recipient and match it against a local directory of stored data. Assuming that the details of the person for whom the message was intended were in the sender's address book, this issue could have been averted entirely. Well-intentioned features designed to glean the intent behind input that is seemingly mis-entered should be considered at all levels, as the potential for problems owing to mistaken information -- be it the message or the audience -- will only grow as the complexity and integration of smartphones into daily life continues to expand.

Geopolitical

Iran's Leaders Weigh the Benefits and Risks of a Public Internet

Over the weekend, Iran held the first elections since the disputed presidential poll of 2009. Initial results point to a big win for fundamentalists critical of President Ahmadinejad, thanks in part to a concerted effort by government authorities to focus public attention on external threats and suppress burgeoning political activism on the Internet. The Wall Street Journal cited an Iranian government official, who described Tehran's efforts to build a national Internet network closed off from negative outside influences as construction of a halal Internet. In January, the government issued new regulations requiring Internet cafes to install security cameras and begin collecting detailed information about users and their surfing habits, according to the article. Domestic Internet users noted that anonymizers and VPNs had slowed to a crawl, all encrypted e-mail had been blocked, and webmail such as Gmail and Hotmail had become inaccessible. Over recent months, Iranian authorities have stepped up their arrests and trials of bloggers and web developers. It appears that Tehran is mounting not only a defensive but also an offensive capability, with the announcement late last year that it would create a cyber army staffed with some 250,000 hackers. They appear to be getting right down to work, with reports last week that government websites in Azerbaijan had been hacked by a group calling itself the Iran Cyber Army.

IntelliShield Analysis: With a more conservative group of leaders apparently gaining sway in Tehran, Internet controls may not ease much, even after the initial public tensions over the elections have subsided. However, Iran experts emphasize that power politics inside the country is complicated and opaque. There are probably those in Tehran who are aware that most regimes attempting to turn off the Internet fail in their political aims, even when the shutdown itself succeeds. They may also see the value of public Internet skills for economic growth and national security reasons. They no doubt noted the non-violent success of the Stuxnet virus in setting back their nuclear program. With the likely collapse of the Assad regime in Syria, which acted as a strategic buffer against the Arab world, and increased tensions with Israel, Iran's leaders are likely feeling vulnerable. The hijacked landing of an American UAV in Iranian territory last year, meanwhile, hints at growing Iranian offensive cyber skill. For these reasons, information security analysts may want to be on the lookout for Iran Cyber Army attacks against other Western targets in the near future.

Miscellaneous

The Anatomy of an Anonymous Attack Report

Global data security firm Imperva provided a detailed summary report on a failed security breach by the hacktivist group "Anonymous." The failed attack lasted 25 days and consisted of three distinct phases identified as recruitment, reconnaissance, and attack. Imperva was able to make several observations about the attack and gather useful information about the methodologies and strategies being used by Anonymous. Imperva was also able to identify shifts in the attack strategy, indicating that Anonymous tends to start by attempting to extract data from the target prior to making attempts to disrupt services by way of distributed denial of service (DDoS) attacks. The report concluded with source analysis graphs, as well as detection and mitigation techniques that can be leveraged by organizations to better defend themselves against an attack by Anonymous.

IntelliShield Analysis: The hacktivist group Anonymous has been in the media lately due to recent attempts to obtain confidential information and to disrupt the computing services of a number of different organizations. While some of its techniques and attack methods are common among other hacker or hacktivist groups, advertisement and recruitment play a major role for the group and have been key to some of its successful attacks. The media attention and active recruitment and advertisement that Anonymous is utilizing appear to be working in its favor for recruiting new members to its cause. Although the number of members in the group is unknown, there is a strong belief that not all are skilled hackers and that the majority are non-technical people willing to support the advertised cause with malicious action. The non-technical members contribute to the malicious activities by installing custom-made, easy-to-use software that requires little to no technical skill to deploy. This enables the non-technical individuals to participate in DDoS attacks and increase the strength of the Anonymous attack. Anonymous uses various recruitment and advertisement methods, including social media sites such as Facebook, Twitter, and YouTube. Indeed, our very own ways of communicating over the Internet are major contributors to the success of its campaigns. DDoS attacks are usually its second option, used when it cannot first obtain and expose confidential data. Customers are advised to take a proactive and vigilant attitude in protecting their networks. Common information security practices such as installing updated patches on software, having a good firewall strategy, and actively monitoring router and firewall logs for malicious intent or abnormal activity are critical in mitigating potential threats to their respective organizations.

Upcoming Security Activity

CanSecWest 2012: March 7–9, 2012
Global Privacy Summit: March 7–9, 2012
Black Hat Europe: March 14–16, 2012
Cisco Live US: June 10–14, 2012

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
