Cyber Risk Report

February 8–14, 2010

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity remained consistent with the previous period; however, the activity has increased from the same period last year. Most of the activity surrounded the Microsoft security updates for February, released on February 9, totaling 27 published events.

Several alerts from the Microsoft security release have the potential for high levels of exploitation, including flaws in Microsoft Office, PowerPoint, Direct Show, and the Windows SMB server. Administrators should put effective mitigation into place for these vulnerabilities immediately.

Adobe released a pair of security bulletins (APSB10-06, APSB10-07) to address flaws in Adobe Reader and Acrobat and Adobe Flash and AIR as documented in IntelliShield alerts 19929, 19930, and 19931. The vulnerabilities could allow attackers to view sensitive information or execute arbitrary code.

Other high levels of activity were related to a security update released by HP to fix Java clients in HP OpenView Network Node Manager.

Cisco also released an update to address several flaws in Cisco Ironport devices.

IntelliShield published 144 events last week: 58 new events and 86 updated events. Of the 144 events, 122 were Vulnerability Alerts, six were Security Activity Bulletins, two were Security Issue Alerts, ten were Threat Outbreak Alerts, three were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day Date New Updated Total
Friday 09/29/2007 14 12 26
Thursday 09/28/2007 0 4 4
Wednesday 09/27/2007 4 41 45
Tuesday 09/26/2007 30 17 47
Monday 09/25/2007 10 12 22
Weekly Total 58 86 144

 

Significant Alerts for February 8–14

Microsoft Office mso.dll Buffer Overflow Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19864 Version 2 February 10, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-0243

Microsoft Office contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Microsoft confirmed this vulnerability and released updated software.

Microsoft Windows SMB Service Unauthorized Access Security Bypass Vulnerability
IntelliShield Vulnerability Alert 19842 Version 2 February 10, 2010
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2010-0231

Microsoft Windows contains a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and gain unauthorized access to a targeted system. Proof-of-concept code has been released publicly that demonstrates exploitation.

Microsoft DirectShow Heap Overflow Vulnerability
IntelliShield Vulnerability Alert 19816 Version 2 February 10, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-0250

Microsoft Windows contains a vulnerability in the DirectShow component that could allow an unauthenticated, remote attacker to execute arbitrary code. Because of its exploitability within a web browser, the vulnerability may be especially targeted by attackers. Microsoft has confirmed this vulnerability in a security bulletin and released software updates that correct it.

Previous Alerts That Still Represent Significant Risk

Microsoft Internet Explorer Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19726, Version 4, January 26, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-0249

Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has confirmed this vulnerability and released software updates. Additional information is available regarding mitigations and exploit code related to the Internet Explorer remote arbitrary code execution vulnerability.

Adobe Reader and Acrobat newspaper() Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19602, Version 8, January 22, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-4324

Adobe Acrobat and Reader versions 9.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system or cause a denial of service (DoS) condition. Functional exploit code is publicly available. Adobe has confirmed this vulnerability, and updates are available. This vulnerability is being actively exploited through directed phasing attacks.

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 34, February 12, 2010
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-3555

Multiple TULSA implementations contain a vulnerability when renegotiating a Transport Layer Security (TULSA) session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Multiple vendors have released updates to correct this vulnerability. Proof-of-concept code that exploits this vulnerability is publicly available.

Physical

Converged Network Being Used for the Vancouver Olympics

This year's Winter Olympics in Vancouver, British Columbia bring with it, amongst many new sports, athletes, and venues, a new approach to communications technology for all of the athletes, teams, media, and fans. While in past years voice and data was provided over separate physical infrastructures, this year all voice, video, and data communications for the Vancouver Olympics will take place over a single Internet Protocol (IP) network. Read more

IntelliShield Analysis: The approach being used by the Information Technology (IT) workers that are supporting the Vancouver Olympics to provide connectivity for voice, video and data through the use of a converged IP network, is certainly in line with the network communications direction many enterprises and organizations are following. Using one IP network for everything provides for both a flexible and robust solution for all of the various communications media; however, this all-in-one approach does bring with it concerns, such as the network being a single point of failure for everything dependent on IP communications. These concerns are heightened when assessing the risk of either a malicious, security-related incident compromising the entire network or the capacity of the network being overloaded by those wishing to gain visibility via voice, video, and/or data, into the events occurring over the duration of the Winter Olympic Games. One of the loads that could potentially stress the network capacity will be the coverage provided by NBC on the NBCOlympics.com web site which is expected to help viewers catch their favorite athletes and events despite the time zone differences that can impact local and cable television channel viewing schedules.

Legal

Judge Dismisses Windows Anti-Piracy Software Lawsuit

The judge in a recent Microsoft lawsuit has dismissed a case that the plaintiffs had hoped would have become a class action lawsuit. The case against Microsoft concerned an anti-piracy update for Windows that was presented as a critical update. Both sides settled the case in such a way that each side paid its own lawyers' costs and fees.
Read more
Additional Information

IntelliShield Analysis: Microsoft argued that a class action lawsuit would simply tap Microsoft for money to be handed out in small quantities to millions of users. They argued that there was no point in doing this and the Judge seems to have agreed. This is not the first class action lawsuit request against technology companies like Microsoft. In May of 2009 a group of laptop owners tried to bring forward a class action lawsuit against the maker of Vidal graphics cards. However, if this Microsoft case sets a precedent in cases like this, we may see fewer and fewer class action lawsuits brought against technology companies.

Trust

Bank Accounts of the Town of Poughkeepsie, NY Plundered by Online Thieves

Funds for the government of the town of Poughkeepsie, New York in the United States (US) were recently transferred illegally from the town's accounts with TD Bank to a recipient in the Ukraine, according to a press release issued by the town government. Nine transactions were attempted, but only four succeeded, resulting in an initial loss of US$378,000. To date, one of those four transactions has been reversed, resulting in a US$95,000 returned to the town. The US Secret Service, the US Federal Bureau of Investigation (FBI), and Poughkeepsie police continue to investigate and pursue the remaining US$283,000 in losses. The town has criticized the bank's apparent failure to apply adequate controls.
Read more
Additional information

IntelliShield Analysis: Though the root cause of this breach is unknown, and speculation would be ill-advised, this incident does highlight a trend that is being seen by the FBI. Further, in August 2009 the Financial Services Information Sharing and Analysis Center (FS-ISAC) had warned small businesses in the financial services sector that these types of attacks were on the rise. In the Cyber Risk Report for August 24-30, 2009, we reported on this trend and the FS-ISAC's warning about Eastern European cyber criminals using wire transfers to deplete accounts. Financial organizations should continue to ensure that they are following the advice of groups like the FS-ISAC, and businesses that use smaller financial institutions should inquire about the controls used to protect their funds.

Identity

Google Unveils New Social Networking Functionality, Buzz

On Tuesday, February 9, Google unveiled Buzz, a social networking capability available to user of its Gmail, Reader, and other online tools. Buzz works within Gmail and allows a user post updates, share content from Google Reader, and post content from other social networks. Buzz brings together the social graphs of anyone a user frequently interacts with through e-mail or chat and allows them to comment on the content of their friend's streams. A number of privacy and security risks have emerged since Buzz was announced. Initially, when a person opted into Buzz their network of contacts was publicly displayed to their Google Profile and they were automatically followed by those they most frequently communicate. A few days after launch this feature was modified. Likewise, other privacy features were more prominently displayed.
Read more
Additional Information
Additional Information

IntelliShield Analysis: As with other social networks, companies should educate their employees on what to share and set guidelines. Of high concern is the sharing of business contacts and internal conversations by an employee using Buzz. As Gmail is an established web e-mail client and is generally considered suitable for conducting business conversations (as opposed to Facebook's e-mail functionality, for example) users may have a more robust set of business contacts within their Google e-mail account that they may wish to keep private.

With a public Google profile accompanying the use of Buzz, the lists of people a user follows and are followed by becomes public knowledge. Another concern is spammers and unknown contacts. As Buzz has been adopted, spammers have taken to it and started following people. There is currently no sure-fire way to know if a new follower is someone within your extended social network (a friend-of-a-friend) or is just someone who found you and has malicious intent. It is hoped that over time Google will allow users to choose the type of data they share on a more granular level.

Human

Vodafone UK Twitter Account Issues Objectionable Tweet

On Friday, February 12, the official Vodafone Twitter account was used to post an explicit and objectionable message to microblogging followers of the mobile phone company. Shortly after the tweet was delivered, Vodafone issued an apology through Twitter, assuring customers that they had not been hacked, but rather that an internal investigation was underway. In a statement issued by the company, Vodafone identified that they believed a staff member was to blame and that security policies were violated in the incident. Read more

IntelliShield Analysis: Social media platforms have become a favorite outlet for marketing, support, and customer-facing portions of organizations to connect more readily with individual customers and the public in general. However, the instant accessibility of this medium demands that controls to appropriately restrict inappropriate usage must become more strict. Organizations should consider a combination of standard recommended practices, like locking screensavers and automatic logout after a time delay, alongside additional controls such as restricting the number of trained users that are permitted to post under corporate accounts.

Geopolitical

Greek Debt Crisis Threatens European Union Solidarity on Many Fronts

European leaders last week promised to help Greece manage its sovereign debt problems, but stopped short of promising immediate financial support. Greece is facing a snowballing fiscal crisis, with its budget deficit climbing to almost 13 percent of the gross domestic product (GDP) and public debt topping 125 percent of GDP this year. Because Greece is part of the European Monetary Union, its problems threaten the common euro currency. Germany and France are taking the lead on the rescue plan, which European leaders had hoped to avoid. The prospect of providing financial support to a neighbor who has fallen onto hard times for questionable fiscal policies, at a time when pockets are empty across Europe, could be politically perilous in the fiscally stronger European Union (EU) countries. Read more

IntelliShield Analysis: Information security specialists may wish to watch Greece's unfolding debt crisis for a number of reasons. First, what is at stake is no less than the long term health and effectiveness of the EU, as the fears of those long opposed to a common currency seem to be coming true. By undermining trust and unity, the crisis will strain EU efforts to forge common sets of rules on information security issues as far reaching as Internet privacy, copyright protections, domain name conventions, and border-sensitive law enforcement efforts involving data retention and disclosure. Greece's fiscal crisis is not a one-time event that will soon be forgotten, indeed it could be repeated over the course of 2010 in other EU countries with debt problems, including Portugal, Spain, Italy, and Ireland. To the extent that it spreads and undermines the euro, the crisis could slow financial recovery in Western Europe, exacerbating corruption and white collar crime such as intellectual property theft.

Upcoming Security Activity

RSA Conference 2010, San Francisco: March 1–5, 2010
CanSecWest 2010, Vancouver: March 24–26, 2010
Cisco Networkers 2010, Bahrain: March 28–21, 2010
InfoSec World 2010 April 17–23, 2010

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

XXI Olympic Winter Games, Vancouver, British Columbia, Canada: February 12–28, 2010

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.

Back to Top