February 6–12, 2012

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity decreased significantly for the period. The previous period, January 30–February 5, 2012, had nearly doubled the level of activity normally recorded. With the current period, activity returned to more normal levels.

The highlight for the period is the Microsoft Security Bulletin Advance Notification for February 2012. Microsoft will release nine security bulletins that address more than 20 individual vulnerabilities in Windows, Internet Explorer, Office, .Net, and Silverlight. The bulletins will be released on February 14, 2012.

Significant alerts included an ICS-CERT alert for SSH scanning and attacks that targeted ICS/SCADA networks, reported in IntelliShield alert 25143. While SSH brute force scanning and attacks are common and continuous for many sites, the ICS-CERT alert reported that multiple attacks were identified that targeted critical infrastructure networks.
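The baseline-monitoring approach recommended for these networks, shown as an added example that is not part of the original report: a short Python detector that builds a per-source baseline of failed SSH logins from a known-normal window of sshd log lines and flags sources that are new or well above the baseline. The log format, host names, RFC 5737 addresses and thresholds are constructed for illustration.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Matches OpenSSH "Failed password/publickey" lines in syslog format (constructed sample format).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)

def failed_logins_per_source(lines):
    """Count failed SSH authentications per source IP address."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            counts[m.group("src")] += 1
    return counts

def build_baseline(lines):
    """Baseline = per-source failed-login counts over a window known to be normal."""
    counts = failed_logins_per_source(lines)
    values = list(counts.values()) or [0]
    return {"per_source": counts, "mean": mean(values), "stdev": pstdev(values)}

def detect_anomalies(baseline, lines, sigma=3.0, min_count=5):
    """Flag sources absent from the baseline, and known sources whose failed-login
    count exceeds mean + sigma*stdev. min_count suppresses one-off typos."""
    current = failed_logins_per_source(lines)
    threshold = baseline["mean"] + sigma * baseline["stdev"]
    findings = []
    for src, n in sorted(current.items()):
        if n < min_count:
            continue
        if src not in baseline["per_source"]:
            findings.append((src, n, "new source"))
        elif n > threshold:
            findings.append((src, n, "above baseline"))
    return findings

def make_lines(src, n, user="operator"):
    """Constructed sample sshd lines (not real data) from one source."""
    return [f"Feb  7 01:{i % 60:02d}:00 hmi01 sshd[{1000 + i}]: Failed password for "
            f"invalid user {user} from {src} port {40000 + i} ssh2" for i in range(n)]

# Baseline week: two known engineering workstations with a handful of mistyped passwords.
BASELINE_LOG = make_lines("192.0.2.10", 6) + make_lines("192.0.2.11", 4)
# Current week: one known host spikes, and an Internet-facing scanner appears.
CURRENT_LOG = make_lines("192.0.2.10", 5) + make_lines("192.0.2.11", 21) + make_lines("198.51.100.77", 9)

if __name__ == "__main__":
    for src, n, reason in detect_anomalies(build_baseline(BASELINE_LOG), CURRENT_LOG):
        print(f"{src}: {n} failed logins ({reason})")
```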
While these SSH attacks target SCADA systems, the known best practices for identifying, mitigating, and preventing this type of attack on any network also apply to SCADA networks. One key to identifying and preventing these attacks is monitoring these networks and establishing a baseline of activity to enable the identification of new or increased threats.

Cisco has re-released a security advisory and updated software to address the MIT Kerberos 5 Telnet service buffer overflow arbitrary code execution vulnerability, reported in IntelliShield alert 24838. Other vulnerability activity included security updates from Red Hat JBoss, ISC BIND, RealNetWorks RealPlayer, and Google Chrome.

In threat activity, a new report released by M86 identified the Black Hole toolkit as responsible for 95% of infected websites that attempt to exploit users who visit those pages, primarily through Java and Adobe exploits. With such a high percentage of threats coming from one toolkit, web administrators and users are advised to become familiar with the toolkit and check websites regularly for infections or the presence of toolkit exploits.

Arbor Networks released the Seventh Annual Worldwide Infrastructure Security Report, which highlights trends in distributed denial of service (DDoS) attacks and how those attacks have evolved from financial and criminal attacks to domination by activist attacks. The report also found that DDoS attacks have changed in duration, frequency, and bandwidth size. The report includes information on the widespread availability of DoS tools, the similarities among them, and recommended defenses. Because these attacks continue to increase, organizations should consider reviewing their DDoS response plans and adjusting them where necessary for the likely types of attacks and attackers.

IntelliShield published 98 events last week: 36 new events and 62 updated events.
Of the 98 events, 44 were Vulnerability Alerts, 11 were Security Activity Bulletins, five were Security Issue Alerts, 37 were Threat Outbreak Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals
Significant Alerts for February 6–12, 2012

Increased SSH Scanning Activity on Industrial Control Systems
IntelliShield Activity Bulletin 25143, Version 1, February 9, 2012
Urgency/Credibility/Severity Rating: 2/5/3
ICS-CERT has released a security alert to address recent activity involving SSH scanning of Internet-facing control systems that could allow an unauthenticated, remote attacker to access sensitive information.

Previous Alerts That Still Represent Significant Risk

Oracle Critical Patch Update January 2012
Oracle has released the January 2012 Critical Patch Update. The update contains 78 new security fixes that address multiple Oracle product families. The fixes correct multiple vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service condition on targeted systems. Red Hat has released a security advisory and updated packages to address vulnerabilities listed in the Oracle Critical Patch Update January 2012.

MIT Kerberos 5 Telnet Service Buffer Overflow Arbitrary Code Execution Vulnerability
MIT Kerberos 5 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the system. Functional code that exploits this vulnerability is available as part of the Metasploit framework. MIT has confirmed the vulnerability and released software updates. Cisco, FreeBSD, GNU.org, and Red Hat have released security advisories.

Multiple products contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. Updates are available. Apache, Microsoft, CentOS, IBM, Ruby, FreeBSD, Red Hat, and HP have released security advisories and updates.

Apache HTTP Server Reverse Proxy Rewrite URL Validation Vulnerability
Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to gain unauthorized access to internal networks.
Apache has not confirmed the vulnerability and software updates are not available. The vulnerability is due to a regression error introduced by the fix for CVE-2011-3368, which is documented in IntelliShield alert 24327. Proof-of-concept code that exploits the vulnerability is publicly available.

OpenSSL Datagram Transport Layer Security Plaintext Recovery Issue
OpenSSL versions prior to 0.9.8s and versions prior to 1.0.0f contain an issue that could result in easier recovery of plaintext information from encrypted text. Cisco has discovered a potential issue in the patch for the OpenSSL Datagram Transport Layer Security plaintext recovery issue. OpenSSL, CentOS, FreeBSD, HP, and Red Hat have released security advisories and updates.

Microsoft Windows Media Player MIDI File Processing Arbitrary Code Execution Vulnerability
Microsoft Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Updates are available. Proof-of-concept code that exploits the Microsoft Windows Media Player MIDI file processing arbitrary code execution vulnerability is publicly available. Reports indicate malware activity exploiting this vulnerability has been observed in the wild.

Adobe Acrobat and Reader Universal 3D Remote Code Execution Vulnerability
Adobe Reader and Acrobat contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Targeted attacks against Adobe Reader version 9.4.6 on Microsoft Windows operating systems have been observed in the wild. Adobe has released a security bulletin and software updates to address the Adobe Acrobat and Reader Universal 3D remote code execution vulnerability. Functional code that exploits this vulnerability is available as part of the Metasploit framework. FreeBSD has released a security bulletin and updated technical details.
Oracle Java Applet Rhino Script Engine Arbitrary Code Execution Vulnerability
Multiple versions of Oracle Java contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Oracle and multiple other vendors have confirmed this vulnerability and released updated software. Functional code that demonstrates an exploit is publicly available.

Oracle Java SE Critical Patch Update October 2011
Oracle has released the Oracle Java SE Critical Patch Update for October 2011. The update addresses 20 new security vulnerabilities. An unauthenticated, remote attacker could leverage several of the vulnerabilities to completely compromise an affected system. Oracle, Red Hat, CentOS, and Apple have released updates. Oracle, Apple, CentOS, HP, and Red Hat have released security advisories and updates.

Apache HTTP Server Overlapping Ranges Denial of Service Vulnerability
Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. Proof-of-concept code that exploits this vulnerability is publicly available. Apache has confirmed this vulnerability and updated software is available. Oracle and multiple additional vendors have released security advisories. HP has released an additional security bulletin. MontaVista has released a security alert and updated software. Cisco has re-released a security advisory and updated software.

ISC BIND Recursive Query Processing Denial of Service Vulnerability
ISC BIND version 9 contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system. It should be noted that there are external reports that this vulnerability is being actively exploited in the wild, as DNS server crashes have been observed. It is not, however, fully determined that exploitation of this vulnerability is the root cause of the recently observed crashes.
ISC and multiple vendors have confirmed this vulnerability and released updated software.

Microsoft Windows TrueType Font Parsing Remote Code Execution Vulnerability
Microsoft has released a security advisory to address the TrueType font parsing remote code execution vulnerability. Reports suggest that this vulnerability is being exploited by W32.Duqu to install itself on a targeted system. This trojan has been documented in IntelliShield Alert 24425.

Physical

Security Camera Flaw Exposes Live Feeds

A flaw found in home security cameras made by Trendnet allows access to vulnerable cameras by anyone who knows or discovers the IP address. While password protection is a configurable option, the vulnerability still exposes the live video feed. The exposure was discovered by a blog author who posted the details online, including information on leveraging the simplistic search engine Shodan, which allows users to locate vulnerable cameras. As a result, readers around the globe have accessed and posted the details of hundreds of exposed cameras streaming video from businesses to children's bedrooms. Additionally, many of these exposures were linked to Google Maps to identify the exact location of the cameras.

IntelliShield Analysis: Irony surfaces when security devices become the exploitable entity. This irony is not humorous, but highlights the need for added concern as severity and risk factors rise. While there are many questions yet to be answered, it is clear that in this case, the lessons learned must be prevalent and acted upon. The company first learned of the problem on January 12, 2012, but the vulnerability was introduced in code added in 2010, raising questions such as how the vulnerability went undetected for so long.
And how could the unique net address, which is a combination of the IP address and a 15-digit sequence that Trendnet uses to identify the camera, share the same 15-digit sequence across the product line? The takeaway is to understand that while attacks are continuously evolving and many are becoming more sophisticated with packet and protocol details, there are still many vulnerabilities that simply remain untapped. The impact of this specific vulnerability is quite personal because these cameras are found in various locations, including private quarters such as a child's bedroom. This is, once again, a simple reminder not to take technology for granted. Because technology has become more tightly integrated into society, it is imperative that the human factor and trust levels are not compromised as a result.

Legal

There was no significant activity in this category during the time period.

Trust

There was no significant activity in this category during the time period.

Identity

Smartphone Applications Surreptitiously Upload Contact Info

Two independent testers have discovered two different smartphone applications uploading user contact information without user permission. The contact information was supposedly uploaded to assist with sharing photographs with a user's contacts. Neither application used encryption, and in one case the user's password was also uploaded.

IntelliShield Analysis: This news demonstrates that even though applications appear in the marketplace, occasionally the applications are not tested thoroughly or their behavior is not understood prior to being placed in the respective application stores. The old saying caveat emptor (let the buyer beware) applies here. Be wary of being the first user to install a new application appearing in your phone's marketplace. It is advisable to wait until an application has been tested and rated by a number of users before installing on your device an application with the potential to expose personal information.
A wide variety of security software is now available for all of the popular smartphone operating systems. Many of these have remote locating and remote wipe abilities. For parents with children who use smartphones, several applications are available that allow parental control and monitoring of the child's smartphone use.

Human

There was no significant activity in this category during the time period.

Geopolitical

Even Authoritarian Despots Use Weak Passwords

Syrian President Bashar Al-Assad, who has earned international criticism for his bloody repression of an internal antigovernment rebellion, was the target of a hacking attack that exposed hundreds of e-mail messages last week. According to Haaretz, hackers gained access to the mail server of the Syrian Ministry of Presidential Affairs, pilfering the inboxes of Assad's staff, including the Minister of Presidential Affairs and Assad's media advisor. Internet access in Syria has always been closely policed, and since the beginning of the protests connectivity has been spotty or non-existent, according to a variety of reports. It came as something of a surprise, then, to discover that staff used weak passwords including 12345, which made it relatively easy for the hackers to access the information.

IntelliShield Analysis: The public airing of Assad's official e-mail messages is the latest high-profile example of the disconnect between the real capabilities of information communications technologies and the assumptions of security made by users. The democratizing side effects of Internet security weaknesses are also proving effective in grassroots activist efforts to publicly humiliate public authority figures. For information security specialists, another reminder about using strong passwords may be unnecessary, but the shaming of President Assad may be a useful anecdotal reminder for busy executives who may find the use of strong passwords and other security precautions to be a time-consuming distraction.
Upcoming Security Activity

RSA Conference: February 27–March 2, 2012

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Presidential Election in Russia: March 4, 2012

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.