February 28–March 6, 2011

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity levels were consistent with previous periods. This period was highlighted by security updates from Apple for iTunes; Adobe corrected 13 vulnerabilities in Flash Player, Mozilla corrected 11 vulnerabilities in Firefox, and Google corrected 19 vulnerabilities in Chrome. Additional security updates were released for Wireshark, multiple HP products, the Red Hat Linux kernel, Hitachi, Citrix, and GNU Mailman. These large browser and application updates are suspected to have been released in advance of the CanSecWest Pwn2Own hacking contest on March 9, 2011, where researchers will attempt to exploit widely used browsers for cash prizes. IntelliShield will be monitoring this contest closely for new exploit techniques and vulnerabilities. Cisco Remote Management Services (RMS) and the SANS Diary noted a spike in botnet activity during the period.
This activity was scanning for the Microsoft ASN.1 vulnerability (CVE-2005-1935), reported in IntelliShield Alert 7251. Additional information is not yet available, but organizations may detect this spike in scanning activity and should verify that they have protection in place.

This period also saw a spike in distributed denial of service (DDoS) activity that affected multiple websites in South Korea and the widely used WordPress blogging website. With the recent media coverage of these types of attacks, additional individuals or groups may take interest in launching these attacks. Organizations can help protect against these attacks by having preventive measures and protections in place and coordinating with their service providers. Organizations may consider reviewing their denial of service defenses and procedures because of the increased interest and the availability of botnets to launch the attacks.

Microsoft released the advance notification for the March security bulletins. Microsoft will release three security bulletins on Tuesday, March 8, that affect multiple Windows operating systems and the Office Groove 2007 product. Only one of the bulletins for Windows operating systems is rated as critical.

IntelliShield published 93 events last week: 55 new events and 38 updated events. Of the 93 events, 70 were Vulnerability Alerts, five were Security Activity Bulletins, one was a Security Issue Alert, 16 were Threat Outbreak Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals
2011 Monthly Alert Totals
Significant Alerts for the Time Period

Adobe Flash Player Content Handling Memory Corruption Vulnerability

Previous Alerts That Still Represent Significant Risk

ISC BIND IXFR Transfer or DDNS Update Denial of Service Vulnerability
Oracle Critical Patch Update for February 2011
Microsoft Windows shimgvw.dll Graphics Library Arbitrary Code Execution Vulnerability
Microsoft Windows MHTML Protocol Handler Script Execution Vulnerability
EXIM Mail Transfer Agent Arbitrary Configuration Loading root Privilege Escalation Vulnerability
Adobe Acrobat, Reader, and Flash Player Arbitrary Code Execution Vulnerability
Oracle Critical Patch Update January 2011
Mozilla Firefox, Thunderbird, and SeaMonkey DOM Object Processing Arbitrary Code Execution Vulnerability
Linux Kernel video4linux and compat_mc_getsockopt() Privilege Escalation Vulnerability
Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
Microsoft Internet Explorer Cascading Style Sheets Processing Arbitrary Code Execution Vulnerability

Physical

Physical Thefts of Copper and Equipment

Several stories made the news this week involving physical theft. In the United States and the United Kingdom, two stories about thefts of copper were related to that commodity's rising price. The thefts have been causing disruptions to telephone networks, electric service in California, and rail service in the UK. In another story from Great Britain, a telecommunications carrier reported the theft of networking and computer systems in what they termed a "smash and grab." The theft caused an outage that lasted most of a day and affected 400,000 users.

IntelliShield Analysis: The cost of repairing the damage from physical thefts, including the loss of service to customers, can far outweigh the amount of money that the thieves gain from the thefts themselves.
The value of the equipment, or the value of the service provided by that equipment, should always be taken into consideration when planning physical security. An enterprise is advised to periodically review physical assets with regard to physical security needs and ensure that the cost to tamper with those assets is greater than the value a thief would hope to gain from the theft.

Legal

Self-Erasing Flash Drives Destroy Court Evidence

Technological developments in storage devices, namely Solid State Drives (SSDs), are making it increasingly difficult to preserve critical data that, in some cases, is needed by forensic analysts for legal purposes. The firmware in these SSDs can permanently erase previously deleted files soon after the drive is powered on.

IntelliShield Analysis: On the heels of last week's Cyber Risk Report article, Securely Erasing Solid State Drives Proves Difficult, which reported that a small percentage of data remains on SSDs even after they are wiped clean, we are now presented with information describing the ability of an SSD to automatically erase previously deleted information. While it is certainly advantageous to be able to permanently remove information from a data storage device, the automated way in which such removal now occurs in these SSDs will certainly cause difficulty for the law enforcement and legal communities. They will now need to take additional chain-of-evidence steps to ensure that data needed for prosecution does not disappear before they are able to present it in court.

Trust

Malware via Ads on London Stock Exchange Website

A large number of United Kingdom and European Union citizens may have been affected over the February 26–27 weekend by advertisements that contained malware on a number of popular websites.
Ad content provided by the digital advertising network Unanimis caused visitors to the sites to report pop-up windows, part of a larger fake security message, alerting them that their computers were infected with spyware. The users were then offered a download of a rogue antivirus solution that collects payment but does not resolve the issue. Once this malware was detected, visitors to londonstockexchange.com were warned by various browsers and antivirus software that the site had been reported as an attack page. A statement on the Unanimis website reports that the issue was raised to the company after 6:00 p.m. on Sunday, February 27, and that they responded by removing the ads within 3 hours.

IntelliShield Analysis: This is not the first digital advertising provider to be attacked. Eyewonder was attacked in mid-2009, causing malware to appear on sites such as Mashable and Icanhascheezburger. In December 2010, the Google ad network was hit and served a similar form of malware. What these attacks have in common is that each delivered malware over a weekend, presumably when digital ad services and their customers are enjoying their days off. It is important for publishers and advertisers to be well aware of their digital advertising services' procedures for identifying threats, and for contacting them and escalating security incidents regardless of the hour or day of the week.

Identity

Internet Crime Complaints Center 2010 Internet Complaint Report

The Internet Crime Complaints Center (IC3) has released its annual report on complaints about Internet activity to be investigated. The report shows a decrease in complaints filed compared to last year, but the number is the second highest in the history of the report. IC3 analysis shows that nondelivery of payment or merchandise, scams impersonating the United States Federal Bureau of Investigation, and identity theft account for almost 40 percent of the complaints.
The top ten list also includes computer crimes, miscellaneous fraud, advance fee fraud, spam, auction fraud, credit card fraud, and overpayment fraud. The highest reported complaint rate in the United States was in Alaska, while the state with the most complaints filed was California. Other affected locations in the report include Canada, the United Kingdom, Australia, India, and more. As far as demographics are concerned, most perpetrators were men, and men also filed the most victim reports.

IntelliShield Analysis: IC3 annual reports have shown a steady increase in Internet crime for the past decade. Even though this year's number decreased compared to 2009, it remains of a similar magnitude. As technology penetrates consumer markets worldwide, as the number of users grows, and as more and more technologies go online, Internet crime will continue to increase. Criminals have also shown increasingly innovative ways to exploit product or service flaws or poor personal judgment. This is the evolution of Internet crime: as users grow more and more suspicious, scammers must develop more innovative ways for a scam to succeed. However, the number of reports filed is not always proportional to the number of actual crimes taking place, and not all activity is reported. The trend shows that incidents are increasing, but slight variations from year to year should not be used as proof that criminal activity is stable or decreasing; many factors can affect the number. Organizations and individuals alike are advised to follow best practices for securing their infrastructure against malicious Internet activity. Raising awareness, educating users about potential threats and the mechanisms the "bad guys" use, and making them aware of IC3 and the filing process will also help protect them from criminals and provide information about where security officials and technologies should focus.
Human

Android Pulls 50 Malicious Apps That Contain Malware

On March 1, 2011, a user alerted Google to suspicious software hosted in the Android Market, which hosts smartphone applications for the Android platform. The user initially noticed about 20 applications that seemed to be copies of popular titles, and upon further inspection found that they contained malware. Further investigation uncovered three accounts that had posted some 50 apps, all of which contained root exploits. Google has since removed these apps. The malware, known as DroidDream, relied on the "rageagainstthecage" exploit to gain root access, and it was capable of downloading and installing additional malware on compromised devices.

IntelliShield Analysis: Security experts have noted that Google's more permissive application publishing model would allow attackers to distribute malware in this way. While the openness of the platform does allow more freedom in deploying applications that fully utilize all the functionality of a device, that same freedom comes with a cost of vigilance and a need to trust application developers. The average smartphone user cannot be expected to fully understand the ramifications of application installation, especially if this sort of content can be freely published to the "official" app marketplace. Whether Google takes steps to further control the content posted to the marketplace, or users begin to acquire smartphone apps directly from application developers they trust, without some increase in assurance the risks to smartphone users will likely continue to grow.

Geopolitical

Ireland Looks Like a Bargain

Fine Gael leader Enda Kenny, who is expected to become Ireland's next prime minister in a coalition government following general elections last week, is calling for restructuring of the European Union (EU) and International Monetary Fund (IMF) loan package that was provided to Ireland late last year.
Once known as the Celtic Tiger, Ireland now has an unemployment rate in the double digits, and young graduates are emigrating in large numbers to continental Europe and beyond in search of better job prospects. Its banks have been pulled back from the edge of insolvency by cash infusions, raising the specter of more bankruptcies, less public sector spending, and more taxes.

IntelliShield Analysis: While economic news from Ireland, and much of the EU, sounds dire, technology companies may see bargains, as governments eager to welcome offshoring and high-tech business offer favorable terms. The corporate tax rate in Ireland continues to be one of the most attractive in the developed world. Ireland and other fiscally challenged economies in the EU, including Spain and Portugal, enjoy relatively low levels of corruption, stable political structures, mature governance and regulatory structures, reliable infrastructure, and highly educated workforces. The primary cause of Ireland's debt crisis was a housing market bubble, which left banks badly exposed when the bubble burst in 2008, but because of EU and IMF support there are few who doubt that Ireland will see its way through the crisis. For information security specialists, new offshoring or operations in the region may require sensitivity to the stressed labor market, which may lead to elevated levels of cyber crime and data leakage as workers struggle over the medium term to make ends meet.
Upcoming Security Activity

CanSecWest: March 9–12, 2011

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Carnival/Mardi Gras 2011: March 4–8, 2011

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.