Cyber Risk Report

February 28–March 6, 2011

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity levels were consistent with previous periods. This period was highlighted by security updates from Apple for iTunes, and Adobe corrected 13 vulnerabilities in Flash Player, Mozilla corrected 11 vulnerabilities in Firefox, and Google corrected 19 vulnerabilities in Chrome. Additional security updates were released for Wireshark, multiple HP products, Red Hat for the Linux Kernel, Hitachi, Citrix, and GNU Mailman.

These large browser and application updates are suspected to be in advance of the CanSecWest Pwn2Own hacking contest that will occur on March 9, 2011, where researchers will attempt to exploit widely used browsers for a cash prizes. IntelliShield will be monitoring this contest closely for new exploit techniques and vulnerabilities.

Cisco Remote Management Services (RMS) and the SANS Diary noted a spike in botnet activity during the period. This activity was scanning for the Microsoft ASN.1 vulnerability (CVE-2005-1935), reported in IntelliShield Alert 7251. Additional information is not yet available, but organizations may detect this spike in scanning activity and should verify that they have protection in place.

This period also saw a spike in distributed denial of service (DDoS) activity that affected multiple websites in South Korea and the widely used WordPress blogging website. With the recent media coverage of these types of attacks, additional individuals or groups may take interest in launching these attacks. Organizations can help protect against these attacks by having preventive measures and protections in place and coordinating with their service providers. Organizations may consider reviewing their denial of service defenses and procedures because of the increased interest and the availability of botnets to launch the attacks.

Microsoft released the advance notification for the March security bulletins. Microsoft will release three security bulletins on Tuesday, March 8, that affect multiple Windows operating systems and the Office Groove 2007 product. Only one of the bulletins for Windows operating systems is rated as critical.

IntelliShield published 93 events last week: 55 new events and 38 updated events. Of the 93 events, 70 were Vulnerability Alerts, five were Security Activity Bulletins, one was a Security Issue Alert, 16 were Threat Outbreak Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day Date New Updated Total
Friday 03/04/2011 11 5 16
Thursday 03/03/2011 9 21 30
Wednesday 03/02/2011 24 6 30
Tuesday 03/01/2011 6 3 9
Monday 02/28/2011 5 3 8
Weekly Total       — 55 38 93

 

2011 Monthly Alert Totals

Month New Updated Monthly Total
January 166 237 403
February 224 176 400
Annual Total 390 413 803


Significant Alerts for the Time Period

Adobe Flash Player Content Handling Memory Corruption Vulnerability
IntelliShield Vulnerability Alert 22579, Version 1, March 2, 2011
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2011-0608
Adobe Flash Player contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Updates are available.

Previous Alerts That Still Represent Significant Risk

ISC BIND IXFR Transfer or DDNS Update Denial of Service Vulnerability
IntelliShield Vulnerability Alert 22512, Version 1, February 23, 2011
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-0414
ISC BIND contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. Updates are available.

Oracle Critical Patch Update for February 2011
IntelliShield Vulnerability Alert 22466, Version 2, February 18, 2011
Urgency/Credibility/Severity Rating: 2/5/4
Multiple CVE IDs
Oracle has released the February 2011 Critical Patch Update: Oracle Java SE and Java for Business Critical Patch Advisory for multiple products. The update contains 21 new security fixes that address multiple Oracle product families on Windows, Solaris, and Linux operating systems.

Microsoft Windows shimgvw.dll Graphics Library Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 22180, Version 4, February 8, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-3970
Microsoft Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that exploits the Microsoft Windows shimgvw.dll graphics library arbitrary code execution vulnerability is publicly available. Microsoft has confirmed this vulnerability in a security bulletin and released software updates.

Microsoft Windows MHTML Protocol Handler Script Execution Vulnerability
IntelliShield Vulnerability Alert 22310, Version 2, January 31, 2011
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-0096
Microsoft Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary script in a user's browser session. Microsoft has confirmed the vulnerability in a security advisory; however, software updates are not yet available. Proof-of-concept code that demonstrates an exploit of the Microsoft Windows MHTML protocol handler script execution vulnerability is publicly available.

EXIM Mail Transfer Agent Arbitrary Configuration Loading root Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 22053, Version 4, January 28, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-4345
EXIM Mail Transfer Agent contains a vulnerability that can allow an attacker with shell access to gain elevated privileges. Updates are available. Exploitation of this vulnerability has been observed in conjunction with exploits for a vulnerability detailed in IntelliShield Alert 22051 (CVE-2010-4344). CentOS has released updated packages to address the EXIM mail transfer agent arbitrary configuration loading root privilege escalation vulnerability.

Adobe Acrobat, Reader, and Flash Player Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21686, Version 10, January 19, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-3654
Adobe has released an additional security bulletin and updated software to address the Adobe Acrobat, Reader, and Flash Player arbitrary code execution vulnerability. Sun has released a security notification and patches.

Oracle Critical Patch Update January 2011
IntelliShield Security Activity Bulletin 22251, Version 1, January 18, 2011
Urgency/Credibility/Severity Rating: 2/5/4
Oracle has released the January 2011 Critical Patch Update Advisory for multiple products. The update contains 67 new security fixes that address multiple Oracle product families. IntelliShield has released multiple significant individual vulnerability alerts from the January CPU.

Mozilla Firefox, Thunderbird, and SeaMonkey DOM Object Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21678, Version 6, January 10, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-3765
Mozilla has released updated software to address the Firefox, Thunderbird, and SeaMonkey DOM object processing arbitrary code execution vulnerability. Red Hat, CentOS, and FreeBSD have also released security updates to address the vulnerability. Proof-of-concept code that exploits this vulnerability is publicly available.

Linux Kernel video4linux and compat_mc_getsockopt() Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 21389, Version 12, February 11, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-3081
VMware has re-released a security advisory and updated software to address the Linux Kernel video4linux and compat_mc_getsockopt() privilege escalation vulnerability.

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 72, December 16, 2010
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-3555
Multiple Transport Layer Security (TLS) implementations contain a vulnerability when renegotiating a TLS session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Proof-of-concept code that exploits this vulnerability is publicly available.

Microsoft Internet Explorer Cascading Style Sheets Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21736, Version 4, December 15, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-3962
Functional code that exploits the Microsoft Internet Explorer Cascading Style Sheets processing arbitrary code execution vulnerability is publicly available. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

Physical

Physical Thefts of Copper and Equipment

Several stories made the news this week involving physical theft. In the United States and the United Kingdom, two stories about thefts of copper were related to that commodity's rising price. The thefts have been causing disruptions to telephone networks, electric service in California, and rail service in the UK. In another story from Great Britain, a telecommunications carrier reported the theft of networking and computer systems in what they termed a "smash and grab." The theft caused an outage that lasted most of a day and affected 400,000 users.
Read More
Additional Information
Additional Information

IntelliShield Analysis: The cost of repairing the damage from physical thefts, including the loss of service to customers, can far outweigh the amount of money that the thieves gain from the thefts themselves. The value of the equipment or the value from the service provided by that equipment should always be taken into consideration when planning physical security. An enterprise is advised to periodically review physical assets with regard to physical security needs and ensure that the cost to tamper with those assets is greater than the value a thief would hope to gain from the theft.

Legal

Self-Erasing Flash Drives Destroy Court Evidence

Technological developments in storage devices, namely Solid State Drives (SSDs), are making it increasingly difficult to preserve critical data that, in some cases, is needed by forensic analysts for legal purposes. The firmware contained in these SSDs has the ability to permanently clean or erase files that have been previously deleted soon after the SSD is turned on.
Read More

IntelliShield Analysis: On the heels of last week's Cyber Risk Report article: Securely Erasing Solid State Drives Proves Difficult, which reported that a small percentage of data remains on SSDs even after they are wiped clean, we are now presented with information that describes the ability of the SSD to automatically erase previously deleted information. While it is certainly advantageous to be able to permanently remove information from a data storage device, the automated way in which such removal is now possible in these SSDs will certainly cause difficulty in the law enforcement and legal communities. They will now need to take additional chain-of-evidence steps to ensure that data needed for prosecution does not disappear before they are able to present the data in court.

Trust

Malware via Ads on London Stock Exchange Website

A large number of United Kingdom and European Union citizens may have been affected over the February 26–27 weekend by advertisements that contained malware on a number of popular websites. Ad content provided by digital advertising network provider Unanimis caused visitors to the sites to report pop-up windows alerting them that their computers were infected with spyware as part of a larger fake security message. The users were then offered access to download a rogue antivirus solution that collects payment but does not resolve the issue. As this malware was detected, visitors to the site londonstockexchange.com were warned by various browser and computer antivirus software that the site had been reported as an attack page. A statement on the Unanimis website reports that the issue was raised to the company after 6:00 p.m. on Sunday, February 27, and that they responded by removing the ads within 3 hours.
Read More
Additional Information
Additional Information

IntelliShield Analysis: This is not the first digital advertising provider to be attacked. Eyewonder was attacked in mid-2009, causing malware to appear on sites such as Mashable and Icanhascheezburger. In December 2010, the Google ad network was hit and served a similar form of malware. What these attacks have in common is that each delivered malware over weekends; presumably when digital ad services and their customers are enjoying their days off. It is important for publishers and advertisers to be well aware of their digital advertising services' procedures for being able to identify threats, and to contact and escalate security incidents without regard for the hour or day of the week.

Identity

Internet Crime Complaints Center 2010 Internet Complaint Report

The Internet Crime Complaints Center (IC3) has released its annual report on complaints about Internet activity to be investigated. The report shows a decrease of complaints filed compared to last year, but the number is the second highest in the history of the report. IC3 analysis shows that nondelivery of payment or merchandise, scams impersonating the United States Federal Bureau of Investigation, and identity theft account for almost 40 percent of the complaints. The top ten list includes computer crimes, miscellaneous fraud, advance fee fraud, spam, auction fraud, credit card fraud, and overpayment fraud. The highest reported complaint rates in the United States were from Alaska, while the state with the most complaints filed was California. Other affected locations in the reports include Canada, the United Kingdom, Australia, India, and more. As far as demographics are concerned, most perpetrators were men, while men also filed the most victim reports.
Read More

IntelliShield Analysis: IC3 annual reports have been showing a steady Internet crime increase for the past decade. Even though this year's number decreased compared to 2009, it is of proportional magnitude. As technology is penetrating consumer markets worldwide, as users increase, as there are more and more technologies going online, Internet crime will continue to increase. Criminals have also shown increasingly innovative ways to exploit product or service flaws or poor personal judgment. It is the evolution of Internet crime; users get more and more suspicious, and thus more innovative ways need to be developed for a scam to succeed. However, the number of reports being filed is not always proportional to the number of actual crimes taking place, and not all activity is filed. The trend shows that incidents are increasing, but slight variations per year should not be used as proof that criminal activity is stable or decreasing. There are many factors that can affect the number. Organizations and individuals alike are advised to follow best practices for securing their infrastructure against malicious Internet activity. Raising awareness and educating users about potential threats and the mechanisms the "bad guys" use, and making them aware of IC3 and the filing process will also help protect them from criminals and provide information about where security officials and technologies should focus.

Human

Android Pulls 50 Malicious Apps That Contain Malware

On March 1, 2011, a user alerted Google to suspicious software hosted in the Android Market, which hosts smartphone applications for the Android platform. The user initially noticed about 20 applications that seemed to be copies of popular titles, and upon further inspection found that they contained malware. Further investigation uncovered three accounts that posted some 50 apps, all of which contained root exploits. Google has since removed these apps. The malware, known as DroidDream, relied on the "rageagainstthecage" exploit to gain root access, and it was capable of downloading and installing additional malware on compromised devices.
Read More
Additional Information

IntelliShield Analysis: Security experts have noted that Google's more permissive application publishing model would allow attackers to distribute malware in this way. While the openness of the platform does allow more freedom in deploying applications that fully utilize all the functionality of a device, that same freedom comes with a cost of vigilance and a need to trust application developers. The average smartphone user cannot be expected to fully understand the ramifications of application installation, especially if this sort of content can be freely published to the "official" app marketplace. Whether Google takes steps to further control the content posted to the marketplace, or whether users begin to go directly to application developers they trust to acquire smartphone apps, without some increased fidelity, the risks to smartphone users will likely continue to increase.

Geopolitical

Ireland Looks Like a Bargain

Fine Gael leader Prime Minister Enda Kenny, who is expected to become Ireland's next prime minister in a coalition government following general elections last week, is calling for restructuring of the European Union (EU) and International Monetary Fund (IMF) loan package that was provided to Ireland late last year. Once known as the Celtic Tiger, Ireland now has an unemployment rate in the double digits, and young graduates are emigrating in large numbers to continental Europe and beyond in search of better job prospects. Its banks have been pulled back from the edge of insolvency by cash infusions, raising the specter of more bankruptcies, less public sector spending, and more taxes.
Read More
Additional Information
Additional Information

IntelliShield Analysis: While economic news from Ireland, and much of the EU, sounds dire, technology companies may see bargains, as governments eager to welcome offshoring and high-tech business offer favorable terms. The corporate tax rate in Ireland continues to be one of the most attractive in the developed world. Ireland and other fiscally challenged economies in the EU, including Spain and Portugal, enjoy relatively low levels of corruption, stable political structures, mature governance and regulatory structures, reliable infrastructure, and highly educated workforces. The primary cause of Ireland's debt crisis was a housing market bubble, which left banks badly exposed when the bubble burst in 2008 but, because of EU and IMF support, there are few who doubt that Ireland will see its way through the crisis. For information security specialists, new offshoring or operations in the region may require sensitivity to the stressed labor market, which may lead to elevated levels of cyber crime and data leakage as workers struggle over the medium term to make ends meet.

Upcoming Security Activity

CanSecWest: March 9–12, 2011
Pwn2Own Hacking Contest: March 9, 2011
Black Hat Europe: March 15–18, 2011
CiscoLive Melbourne: March 28–31, 2011
CiscoLive Bahrain: Postponed
HITBSecConf2011 Amsterdam: May 17–20, 2011
23rd Annual FIRST Conference: June 12–17, 2011

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Carnival/Mardi Gras 2011: March 4–8, 2011
United States NCAA Tournament: March 15–April 4, 2011
Nigeria Presidential Elections: April 9, 2011

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.

Back to Top