Cyber Risk Report

January 11–17, 2010

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity for this period remained consistent with previous periods.  Many vendors released additional security advisories for previously reported vulnerabilities.  The period also included the release of the monthly security bulletins from Microsoft and the quarterly security updates from Oracle and Adobe on January 12, 2010.

Microsoft reported one security bulletin in their January monthly release, reported in IntelliShield alert 19674.  Shortly after the monthly release, Microsoft released a second unscheduled security bulletin, reported in IntelliShield alert 19726.  The second bulletin addresses an Internet Explorer vulnerability that was discovered during the investigation of attacks against multiple companies in the United States.

Adobe released a security advisory addressing nine vulnerabilities in Adobe Reader and Acrobat.  The most significant of these is the vulnerability that is being actively exploited.  This vulnerability is reported in IntelliShield alert 19602.  With the current attack focus on Adobe vulnerabilities, users should be reminded to install the updates.  Installation may require opening the applications and manually running the update feature.

Oracle released the Critical Patch Update for January 2010, describing 24 vulnerabilities.  The most significant vulnerability in the update may be the Oracle Secure Backup vulnerability, which could allow an unauthenticated, remote attacker to execute arbitrary code with elevated privileges.

A Russian security company initiated the release of multiple zero-day vulnerabilities during the period.  The company began releasing the zero-day vulnerabilities in multiple products after claiming the vendors had been unresponsive to working with the company to correct the vulnerabilities.  These exploits are publicly available, are being incorporated in attack and test tools, and are being widely reported in the media, increasing the probability that they will be attempted against vulnerable systems.

A new exploit method was identified on Facebook, using widely distributed messages that claimed Facebook would begin charging US$4.99 for the Facebook service.  The links included in the messages directed users to infected pages and web sites that attempted to install malicious software. 

IntelliShield published 134 events last week:  39 new events and 95 updated events.  Of the 134 events, 115 were Vulnerability Alerts, eleven were Security Activity Bulletins, four were Security Issue Alerts, one was a Threat Outbreak Alert, two were Applied Mitigation Bulletins, and one was the Cyber Risk Report.  The alert publication totals are as follows:

Weekly Alert Totals

Day Date New Updated Total
Friday 01/15/2010

  5

26

31

Thursday 01/14/2010

  3

36

39

Wednesday 01/13/2010

11

10

21

Tuesday 01/12/2010

11

  8

19

Monday 01/11/2010

  9

15

24

Weekly Total 39 95 134

 


Significant Alerts for January 11-17, 2010

Adobe Reader and Acrobat newplayer() Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19602, Version 6, January 14, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-4324

Adobe Acrobat and Reader versions 9.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system or cause a denial of service (DoS) condition.  Proof-of-concept code that exploits the vulnerability is publicly available.  Adobe has confirmed this vulnerability, and updates are available.  This vulnerability is being actively exploited through directed phishing attacks.

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 27, January 13, 2010
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-3555

Multiple TLS implementations contain a vulnerability when renegotiating a Transport Layer Security (TLS) session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Multiple vendors have released updates to correct this vulnerability.  Proof-of-concept code that exploits this vulnerability is publicly available.

Microsoft Internet Explorer Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19726, Version 1, January 14, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-0249

Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code.  Updates are not available.

Previous Alerts That Still Represent Significant Risk


Microsoft Internet Explorer Cascading Style Sheets Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 19468, Version 5, December 10, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-3672

Microsoft Internet Explorer versions 6 and 7 contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code.  Proof-of-concept code is publicly available.  Microsoft has released security bulletin MS09-072 to address this vulnerability.
 
Microsoft Windows SMB Client Remote Denial of Service Vulnerability
IntelliShield Vulnerability Alert 19422, Version 2, November 16, 2009
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-3676

Microsoft Windows Server 2008 R2 and Windows 7 contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.  Exploit code is publicly available.  Microsoft has confirmed this vulnerability, but updates are not available.

Physical

There was no significant activity in this category during the time period.

Legal

Nineteen Arrested in Dallas Cyber Fraud Case

Matthew Simpson, the owner of Core IP Networks, a Texas-based Internet Service Provider, has been charged with conspiracy to defraud over US$15 million from several communications companies, including AT&T, Verizon, and XO Communications.  Eighteen other individuals were also arrested in the case.  The fraud involved shell companies that used the identities of bribed homeless people as CEOs.  The shell companies were apparently used to obtain loans from companies such as Verizon.  The money received from the loans was used to pay employees and resell telecommunications services.  The fictitious CEOs would disappear when the loan repayments were due.  Core IP sold Internet services to other companies and had them pre-pay, using the payments to pay for business operations.  Read more 

IntelliShield Analysis:  The complexity of this scam was such that it was hard for the businesses to detect.  Even after an April 2009 raid on Core IP Networks, Simpson was able to claim that his company and 50 of his customers were innocent victims of another's crimes.  The alleged mastermind of the operation, Michael Faulkner, fled the United States (U.S.) to Mexico, and may have been killed when he attempted to re-enter the U.S.  The scheme is reminiscent of Bernard Madoff's Ponzi scheme, both for complexity and how hard it was to detect.  Only when red flags from non-payments for shell companies became apparent was detection facilitated.  Businesses that are aware of this type of complex fraud may consider additional controls to detect fraud prior to delivery of services.

Trust

Wikileaks Suspended Operations to Encourage Donations

Wikileaks.org is a website run by the non-profit organization Sunshine Press, driven by user contributions, with a mission to combat injustice by publishing sensitive documents that might be suppressed by owners for business or political reasons. The website has recently been trying various methods, including the recent shutdown, to gain support for its operations, citing significant infrastructure and legal costs to maintain its ability to freely publish controversial documents.  Should Wikileaks be unable to obtain appropriate funding or implement funding in an acceptable manner, they may have difficulty pursuing their mission over the long term.  Read more

IntelliShield Analysis:  The Wikileaks shutdown was intentionally temporary in nature.  The site's leadership has perceived a need to restrict information to develop a sense in its userbase that there are costs and other risks incurred by those who provide content to the site.  The website has both positive and negative aspects: while it has been instrumental in uncovering major stories of great public interest, it has also received documents that were acquired through illegal means.  Organizations may find themselves simultaneously supportive of the human rights mission of such a site but wary of those who would seek to expose private company information through the site.  What has become clear is that the collaborative efforts to disseminate information are not limited to free and level playing fields such as social networking or microblogging services.  Wikileaks has shown that there is a real economy for collaboratively obtaining, investigating, and sharing secrets.

Identity

Multiple Instances of Data Theft in the Medical Community

As 2009 came to a close, two new cases of data theft involving the medical industry became public knowledge.  In one, a theft of computer equipment at a Blue Cross Blue Shield facility in Tennessee, U.S., resulted in the loss of personally identifiable information (PII), including names, member IDs, social security numbers, and dates of birth.  While the theft occurred in early October, some of the individuals potentially impacted by the data theft were not notified until at least two months later.  Also reported this week was a December 2009 theft of an external drive from an employee of Kaiser Permanente that resulted in the potential compromise of medical records of over 15,000 patients in Northern California.  All of the patients have since been notified by Kaiser, and the employee from whose car the drive was stolen was subsequently fired by Kaiser. 
Read more 
Additional Information 

IntelliShield Analysis:  The two cases are similar in that each involved organizations in the medical community and both organizations were victims of a malicious theft of network hardware that translated to the loss of sensitive personal information.  Where they differ is in the response time taken to notify those individuals impacted by the respective thefts resulting in the compromise of PII.  One organization began to notify affected individuals within weeks and it took the other approximately 2 ½ months to notify those potentially impacted by the loss of the respective data.  While many states already have legislation that mandates the notification of individuals if their data is compromised (for example, the California Security Breach Information Act (SB-1386) and Tennessee Code 47-18-2107), there is hope that a national data breach notification bill, such as the Data Accountability and Trust Act passed by the U.S. House of Representatives in December 2009, may go a long way towards enhancing the insuring adequate protection of PII and force increased notification of individuals of data breaches regardless of the state in which the breach occurs.

Human

Haiti Relief Fraud on the Rise

Within 24 hours of the earthquake in Haiti, donation scams began appearing in e-mail messages and fraudulent donation websites.  Scammers are sending out bulk e-mail messages that solicit funds for victims given through their charity.  If a targeted user clicks a link in the e-mail message, either they pay money to the scammer, or a malicious website opens in the users browser, infecting their machine.  These sites are also appearing in search query results through search engine optimization (SEO) manipulation techniques.  Read more 

IntelliShield Analysis:  Criminals often use anything garnering headlines as fodder for phishing and malware campaigns, especially events that inspire compassion and generosity on a broad scale.  Malicious websites, phishing emails, clickjacking, malicious links in Twitter postings, and social engineering by means of social networks are all methods that criminals are using to profit from the Haitian crisis.  Currently, phishing e-mail messages claim to be from victims, claim to contain video and photographs of the aftermath of the earthquake, or purport to have been sent by a legitimate charity.  Those who wish to donate should avoid clicking links in unsolicited e-mail messages and carefully vet any organization accepting donations. The United States Internal Revenue Service maintains a list of charitable organizations. Major news agencies are linking to trusted charities in their reporting as well.  Individuals seeking additional details about the relief effort should take care when using search engines, because some of the results could be malicious and placed through SEO abuse.

Geopolitical

Ukraine Elections Promise an End to Logjam

Presidential elections in Ukraine over the weekend yielded no clear winner, paving the way for a runoff between front-runners Prime Minister Yulia Tymoshenko and opposition leader Viktor Yanukovych.  Both candidates are seen as pro-Russian, leading some observers to pronounce the death of the Orange Revolution of 2004–2005, which signaled Kiev's Westward tilt under President Yushchenko.  At the same time, reports have surfaced suggesting that some Ukrainian voters are selling their votes over the Internet, suggesting that the political climate surrounding the elections may be rather less electric this time around. 
Read more   
Additional Information   
Additional Information   

IntelliShield Analysis:  So long as the runoff next month provides a clear winner, prospects for Ukraine and for the technology industry in the region are generally positive.  At minimum, the change in administration will help break the prolonged political logjam created by the rivalry between Prime Minister Tymoshenko and President Yushchenko.  Yushchenko's suspension of 3G spectrum auctions last year, for instance, is believed to have been politically motivated, and served only to postpone Ukraine's 3G adoption and all the economic benefits that could bring.  Bickering between the two political leaders also contributed to a delay in International Monetary Fund disbursements that has not helped the dire fiscal situation.  Similarly, an end to the standoff between Russia and Mr. Yushchenko bodes well for perennial bilateral problems, including payments for natural gas and relations between technology companies straddling the two countries, such as Russian-backed mobile phone providers MTS Ukraine and Kyivstar.  Despite Western media concern about Kiev's tilt back toward Russia, Ukraine will make her own decisions.  With any luck, those decisions will be less politicized and more focused on economic growth than has been the case in the recent past. 

Upcoming Security Activity

Networkers at Cisco Live 2010: January 25–28, 2010
Black Hat DC: January 31–February 3, 2010
RSA 2010 Conference: March 1–5, 2010
CanSecWest 2010: March 24–26 2010
Cisco Networkers 2010: March 28–21, 2010

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

World Economic Forum Annual Meeting 2010, Davos-Klosters, Switzerland:  January 27–31, 2010
XXI Olympic Winter Games, Vancouver, British Columbia, Canada:  February 12–28, 2010

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.

Back to Top