Cyber Risk Report

January 16–22, 2012

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity remained consistent with previous periods. The highlight for this period was the release of the Oracle Critical Patch Update January 2012, reported in IntelliShield Alert 24972. Despite the large number of updates included in the Critical Patch Update, researchers were quick to point out that Oracle corrected only a small number of known vulnerabilities in its flagship database products. Some of these vulnerabilities are reported to be fundamental design errors that will be difficult to correct in the database products. Another highlight for the period was the large number of updates from Red Hat for multiple previously reported vulnerabilities.

Cisco released two security advisories, Cisco IP Video Phone E20 TelePresence TE Software Default Root Account Vulnerability and Cisco Digital Media Manager Privilege Escalation Vulnerability, reported in IntelliShield Alerts 24943 and 24937.

OpenSSL released additional patches for previously reported vulnerabilities. The earlier fix for these vulnerabilities in turn introduced an additional issue. The previous and current vulnerabilities are reported in IntelliShield Alerts 24893 and 24974.

A vulnerability has been reported in McAfee SaaS Endpoint Protection that could allow remote code execution and, possibly more importantly, allow spammers to use the impacted systems as a relay for spam messages.

SCADA vulnerabilities remained in the headlines following a presentation at the S4 Conference, where a researcher demonstrated multiple vulnerabilities in SCADA Programmable Logic Controller (PLC) systems. The presentation was quickly followed by reports from additional researchers that SCADA PLC systems can be easily located and reached on the Internet using the Shodan tool. Also during the period, vulnerabilities and updates were reported by Rockwell, 7-Technologies, and Honeywell. Multiple vulnerability and exploit tools, including Metasploit, reported the addition of SCADA modules for their products.

IntelliShield published 107 events last week: 37 new events and 70 updated events. Of the 107 events, 66 were Vulnerability Alerts, ten were Security Activity Bulletins, seven were Security Issue Alerts, one was a Malicious Code Alert, 21 were Threat Outbreak Alerts, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date        New   Updated   Total
Friday        1/20/2012     7        20      27
Thursday      1/19/2012    10        22      32
Wednesday     1/18/2012    10        10      20
Tuesday       1/17/2012    10        18      28
Monday        1/16/2012     0         0       0
Weekly Total               37        70     107


Significant Alerts for the Time Period

Oracle Critical Patch Update January 2012
IntelliShield Vulnerability Alert 24972, Version 1, January 18, 2012
Urgency/Credibility/Severity Rating: 2/5/3
Oracle has released the January 2012 Critical Patch Update. The update contains 78 new security fixes that address multiple Oracle product families. The fixes correct multiple vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service condition on targeted systems.

Previous Alerts That Still Represent Significant Risk

OpenSSL Datagram Transport Layer Security Plaintext Recovery Issue
IntelliShield Vulnerability Alert 24893, Version 5, January 20, 2012
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-4108
OpenSSL versions prior to 0.9.8s and versions prior to 1.0.0f contain an issue that could result in easier recovery of plaintext information from encrypted text. Cisco has discovered a potential issue in the patch for the OpenSSL Datagram Transport Layer Security plaintext recovery issue. See also IntelliShield Alert 24974.

Multiple Products Hash Collisions Denial of Service Vulnerability
IntelliShield Security Activity Bulletin 24871, Version 4, January 19, 2012
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-4461, CVE-2011-4815, CVE-2011-4885
Multiple products contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. Updates are available.
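The hash-collision alerts above all share one mechanism: a web framework builds a hash table from attacker-chosen request parameter names, and a request whose names all collide turns that table build into a quadratic-time operation. The fix several affected vendors shipped was not a new hash function but a hard cap on how many fields a request may carry. As an added example that is not part of the Cisco report or of any affected product's code, the following Python shows that bounded parsing for a form-encoded body; the limits of 1000 fields and 64 KiB, the RequestTooLarge exception and the accept_form wrapper are assumptions chosen for illustration.

```python
from urllib.parse import unquote_plus

# Policy assumptions (not from the alert): a request that carries more than
# this many fields, or more than this many bytes, is refused outright.
MAX_FIELDS = 1000
MAX_BODY_BYTES = 64 * 1024


class RequestTooLarge(ValueError):
    """Raised when a body exceeds the configured field or byte limits."""


def parse_form_bounded(body, max_fields=MAX_FIELDS, max_bytes=MAX_BODY_BYTES):
    """Parse application/x-www-form-urlencoded data into a dict with hard limits.

    A collision attack relies on the parser inserting thousands of names that
    hash to the same bucket, so each insert walks an ever-longer chain. Refusing
    to build a table beyond a fixed number of fields bounds the worst case no
    matter how the underlying hash behaves; the byte limit catches the same
    payload before any splitting is done.
    """
    if len(body) > max_bytes:
        raise RequestTooLarge(f"body of {len(body)} bytes exceeds {max_bytes}")
    fields = {}
    count = 0
    for pair in body.split("&"):
        if not pair:
            continue                      # tolerate "a=1&&b=2" and trailing "&"
        count += 1
        if count > max_fields:
            # Stop before the table grows further; nothing parsed so far is kept.
            raise RequestTooLarge(f"more than {max_fields} form fields")
        name, _, value = pair.partition("=")
        fields[unquote_plus(name)] = unquote_plus(value)
    return fields


def accept_form(body, **limits):
    """Non-raising wrapper for use in a request filter.

    Returns (True, fields) when the body is within limits, otherwise
    (False, reason) so the caller can log the rejection and answer 413.
    """
    try:
        return True, parse_form_bounded(body, **limits)
    except RequestTooLarge as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample bodies: a normal login form and a flood of 5000 fields.
    print(accept_form("user=alice&remember=on"))
    flood = "&".join(f"k{i}=v" for i in range(5000))
    print(accept_form(flood, max_bytes=10**6))
```

The byte check runs before the split so that an oversize body is rejected in constant time; the field count is enforced while iterating so that memory is never committed for a table the policy would reject anyway.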

Oracle Java SE Critical Patch Update October 2011
IntelliShield Vulnerability Alert 24433, Version 7, January 19, 2012
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2011-3389, CVE-2011-3516, CVE-2011-3521, CVE-2011-3544, CVE-2011-3545, CVE-2011-3546, CVE-2011-3547, CVE-2011-3548, CVE-2011-3549, CVE-2011-3550, CVE-2011-3551, CVE-2011-3552, CVE-2011-3553, CVE-2011-3554, CVE-2011-3555, CVE-2011-3556, CVE-2011-3557, CVE-2011-3558, CVE-2011-3560, CVE-2011-3561
Oracle has released the Oracle Java SE Critical Patch Update for October 2011. The update addresses 20 new security vulnerabilities. An unauthenticated, remote attacker could leverage several of the vulnerabilities to completely compromise an affected system. Oracle, Red Hat, CentOS, and Apple have released updates.

Oracle Java Applet Rhino Script Engine Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 24470, Version 5, January 19, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-3544
Multiple versions of Oracle Java contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Oracle and multiple other vendors have confirmed this vulnerability and released updated software. Functional code that demonstrates an exploit is publicly available.

Apache HTTP Server Overlapping Ranges Denial of Service Vulnerability
IntelliShield Vulnerability Alert 24004, Version 21, January 19, 2012
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-3192
Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. Proof-of-concept code that exploits this vulnerability is publicly available. Apache has confirmed this vulnerability and updated software is available. Oracle and multiple additional vendors have released security advisories. HP has released an additional security bulletin. MontaVista has released a security alert and updated software.
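The overlapping-ranges issue above is a malformed-input problem rather than a memory-corruption bug: a single request can name hundreds of byte ranges that cover the same bytes, and the server does work for each one. A front-end check that parses the Range header and refuses sets that are too numerous or overlap removes the attack surface while leaving ordinary resumed downloads and media seeks untouched. As an added example that is not part of the Cisco report or of Apache's code, the following Python implements that check; the sample header values, the 1000-byte resource length and the cap of five ranges are constructed assumptions.

```python
import re

# Constructed sample Range header values, as a reverse proxy or WAF would see them.
SAMPLE_RANGE_HEADERS = [
    "bytes=0-499",                       # ordinary single range
    "bytes=0-99,200-299",                # two disjoint ranges, legitimate
    "bytes=0-,1-,2-,3-,4-,5-,6-,7-",     # many suffixes that all overlap
    "bytes=500-",                        # open-ended, legitimate
    "bytes=-500",                        # last 500 bytes, legitimate
]

MAX_RANGES = 5                           # policy assumption: small cap on ranges per request
RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(value, resource_length):
    """Resolve a Range header value into absolute, inclusive (first, last) pairs.

    Suffix ranges ("-500") and open-ended ranges ("500-") are normalised against
    resource_length so that overlap can be tested directly. Returns None when the
    header is syntactically invalid or a range is reversed/unsatisfiable.
    """
    if not value.lower().startswith("bytes="):
        return None
    ranges = []
    for spec in value[len("bytes="):].split(","):
        m = RANGE_SPEC.match(spec.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None                                   # "abc", "-", "" are malformed
        first, last = m.group(1), m.group(2)
        if first == "":
            n = int(last)                                 # "-N": the final N bytes
            first_i, last_i = max(0, resource_length - n), resource_length - 1
        else:
            first_i = int(first)
            last_i = int(last) if last else resource_length - 1
            last_i = min(last_i, resource_length - 1)     # clamp past-the-end positions
        if first_i > last_i:
            return None
        ranges.append((first_i, last_i))
    return ranges


def count_overlaps(ranges):
    """Count pairs of ranges that share at least one byte."""
    ordered = sorted(ranges)
    overlaps = 0
    for i in range(len(ordered)):
        for j in range(i + 1, len(ordered)):
            if ordered[j][0] <= ordered[i][1]:
                overlaps += 1
            else:
                break                                     # sorted by start: later ones cannot overlap i
    return overlaps


def classify_range_header(value, resource_length=1000, max_ranges=MAX_RANGES):
    """Return 'ok', 'malformed' or 'suspicious' for one Range header value.

    'suspicious' means more than max_ranges ranges or any overlap; a defender
    would log the request and either strip the header (serving the whole entity)
    or reject it, since no legitimate client needs overlapping ranges.
    """
    ranges = parse_byte_ranges(value, resource_length)
    if ranges is None:
        return "malformed"
    if len(ranges) > max_ranges or count_overlaps(ranges) > 0:
        return "suspicious"
    return "ok"


def audit_samples(headers=SAMPLE_RANGE_HEADERS):
    """Classify each constructed sample and return (header, verdict) pairs."""
    return [(h, classify_range_header(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict in audit_samples():
        print(f"{verdict:10s} {header}")
```

Clamping past-the-end positions before the overlap test matters: a header such as `bytes=0-999999,5-999999` on a short file still describes two overlapping requests and should be flagged, not silently accepted because one bound is out of range.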

Adobe Acrobat and Reader Universal 3D Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 24698, Version 5, January 11, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-2462
Adobe Reader and Acrobat contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Targeted attacks against Adobe Reader version 9.4.6 on Microsoft Windows operating systems have been observed in the wild. Adobe has released a security bulletin and software updates to address the Adobe Acrobat and Reader Universal 3D remote code execution vulnerability. Functional code that exploits this vulnerability is available as part of the Metasploit framework.

ISC BIND Recursive Query Processing Denial of Service Vulnerability
IntelliShield Vulnerability Alert 24590, Version 11, January 4, 2012
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-4313
ISC BIND version 9 contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition on a targeted system. It should be noted that there are external reports that this vulnerability is being actively exploited in the wild, as DNS server crashes have been observed. It is not, however, fully determined that exploitation of this vulnerability is the root cause for the recently observed crashes. ISC and multiple vendors have confirmed this vulnerability and released updated software.

Microsoft Windows TrueType Font Parsing Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 24500, Version 3, December 13, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-3402
Microsoft has released a security advisory to address the TrueType font parsing remote code execution vulnerability. Reports suggest that this vulnerability is being exploited by W32.Duqu to install itself on a targeted system. This trojan has been documented in IntelliShield Alert 24425.

Apache HTTP Server Reverse Proxy Rewrite URL Validation Vulnerability
IntelliShield Vulnerability Alert 24625, Version 1, November 28, 2011
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-4317
Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to gain unauthorized access to internal networks. Apache has not confirmed the vulnerability and software updates are not available. The vulnerability is due to a regression introduced by the fix for CVE-2011-3368, documented in IntelliShield Alert 24327. Proof-of-concept code that exploits the vulnerability is publicly available.

Physical

Building Alarms Defeated by High False Rate

The year 2012 started for people of San Jose, California (US) with a change in how police will respond to burglar alarms. The police will respond only if someone can verify that a break-in is happening or has happened. Some other cities, such as Fremont, Las Vegas, Detroit, and Salt Lake City, already operate under this policy, called "verified response." San Jose police will continue to respond to all alarms involving banks and automated teller machines, critical infrastructure, firearms, and explosives businesses, as well as panic buttons or robbery alarms. This policy is designed to prevent wasting police time and resources. In 2010, 98.4 percent of alarms in San Jose were false, costing the department over US$600,000.

IntelliShield Analysis: There are some concerns that people may put themselves in more danger to comply with the new policy because they would have to verify that someone is indeed within the premises or that a break-in took place. At this time, it is also unclear whether activating a silent alarm under duress (for example, disabling the alarm at gunpoint) would be considered a verified report. What seems to be certain is that if the alarm goes off, police officers would not automatically be dispatched. Businesses should be aware that this policy covers many business buildings, and should consider methods to verify an alarm to the police.

If burglars can be sure that the premises are vacant, they can allow themselves more time to search for valuables. Thanks to an abundance of wireless devices, it is becoming easier to verify whether the occupants of a house are away. Traffic analysis of wireless network activity could reveal whether anyone in the house is using a device that communicates over Wi-Fi. This test can provide an advantage for burglars because they do not have to stand in front of the house and monitor who is coming in or out. It would only take a few slow drives past the house with a laptop that is configured to capture Wi-Fi traffic.

Legal

Windows 8 and No Other Operating System

The Unified Extensible Firmware Interface (UEFI) is a specification detailing an interface that hands off control of the system from the preboot environment to an operating system. One of the features of UEFI is that it can prevent unauthorized operating systems from booting. An operating system can become unauthorized if it is modified by malware or by a vendor's fiat. According to the Microsoft "Windows Hardware Certification Requirements" for Windows 8 published in December 2011, Microsoft will implement this UEFI feature; if a device is using an ARM processor and is certified to run Windows 8, no other operating system can be run on that device.

IntelliShield Analysis: To an extent, this situation is similar to the practice of locking GSM mobile telephones so that a handset can be used only with a single provider. If that parallel holds, Microsoft may be required to allow other operating systems to be run on Windows 8–certified hardware. Given that currently this lock-in will happen only for smart phones, where Microsoft has only 5 percent of the market, this move may not be that alarming. However, when the lock-in starts moving toward the notebook market and potentially desktop computers, it may have significant consequences because it may close markets for all non-Windows operating systems. For example, Qualcomm announced at the Consumer Electronics Show that it is talking with PC manufacturers to build a PC based on its Snapdragon chip that is based on ARM architecture.

Trust

Scope of Breach at Security Vendor Symantec Larger Than Initially Reported

The nature and scope of an incident regarding loss of intellectual property at security vendor Symantec continues to evolve. Last week, Symantec disclosed that the source code it previously reported as stolen was compromised due to a breach of Symantec's own network. Previously, the incident was purported to have occurred on resources maintained by the government of India. Source code for flagship products, including Norton AntiVirus, is reported to be affected.

IntelliShield Analysis: With the widening scope of details unfolding over time, Symantec must both address the confidence of customers in its security products and reassure those customers that it is capably handling the investigation and remediation of the issue at hand. The most recent disclosure from the security vendor now indicates that the initial breach took place in 2006, a significant amount of time for hackers to disseminate whatever was lost during the breach for criminal misuse. Losses of this nature need to be addressed in conjunction with campaigns to inform customers that all practical measures are being taken to minimize any end-user risk, as well as reassurance that steps are being taken to prevent such occurrences in the future.

Identity

City College of San Francisco Malware Infection Dates Back to 1999

The Chief Technology Officer (CTO) for the City College of San Francisco discovered last November that a large number of the college's desktop computers and servers were infected with a variety of malware and viruses. Upon further investigation it was determined that the malware, which was present on these machines for at least 10 years, was responsible for harvesting proprietary information from the network-connected devices and sending this data to a variety of locations in Russia and China that had direct ties to the Russian Business Network (RBN).

IntelliShield Analysis: It is disheartening enough to find that the computers on the college's network were infected and transmitting data, unknowingly, to a consortium of criminals. What makes this situation even more unfortunate is that some of the viruses and malware may have been present on these devices since 1999. On a positive note, however, the hiring of the new CTO in conjunction with improved security practices (such as upgraded technology and enhanced password policies) has helped to finally uncover this situation and started the college on the road to recovery in terms of its overall network security posture. As recommended in the Cisco 2011 Annual Security Report, improving monitoring of the networks can greatly enhance an organization's ability to identify and respond to malicious activity. Organizations that have not yet implemented active monitoring should consider it as a priority for 2012.

Human

Anti-SOPA Online Protests Carry the Day

On the same day that the Stop Online Piracy Act (SOPA) was scheduled to be heard by the U.S. House Judiciary Committee, major websites such as Wikipedia and Reddit went dark, and web giants such as Google, Facebook, Twitter, and Wired spearheaded an online protest, drawing the attention of netizens, activists, and legislators. President Obama issued a statement saying he would not support the bill. A number of senators, including one of the authors of the act, withdrew their support from both SOPA and a similar measure, the Protect IP Act (PIPA). By the end of the week, Senate Majority Leader Harry M. Reid said he would delay voting on both acts until further analysis could be made and perhaps a compromise reached.

IntelliShield Analysis: The withdrawal of support for these two acts was a commanding display of the power of the Internet. SOPA and PIPA may have appeared to contain draconian solutions for the Internet industry, with domain takedowns, blocked sites, and endowment of the Department of Justice with broad and somewhat vague powers to police the Internet. Existing laws and international trade commissions may be more effective in the pursuit of foreign piracy websites and less likely to stifle innovation. At the end of Blackout Wednesday, however, intellectual property piracy remained a serious concern that will require a balance between legitimate freedom of speech and a state-controlled Internet. The pause to reconsider these two bills underscored, for better or worse, the influence of the Internet as a powerful voice in the representation of the people.

Geopolitical

World Economic Forum Leaders Only Half-Convinced of Cyber Threat?

This week, the World Economic Forum (WEF) convenes in Davos, Switzerland. More than 2,600 of the world's top business and government leaders are expected, including German Chancellor Angela Merkel, European Central Bank head Mario Draghi, International Monetary Fund Director Christine Lagarde, Google's Eric Schmidt, and British Prime Minister David Cameron. Ahead of the gathering, the WEF issued its annual assessment of trending global risks. The report is based on a survey of hundreds of "experts and industry leaders" who are asked to identify the most impactful and most likely global risks of the coming decade. This year's report identifies three broad "risk cases," one of which is the "dark side of connectivity." Technology also plays a role in the other two risk scenarios, which examine the longer-term effects of economic dislocation, poor governance, and eroding social contracts.

IntelliShield Analysis: The WEF Global Risks report was greeted by the tech press with skepticism, although the analysis was, if anything, unadventurous. Some tech bloggers took offense at the report's observation that cyber risk may be overplayed by the information security community, although most of us who work in the industry are familiar with the problem. One lesson to draw from this report, perhaps, is that an empirical, fact-based case for information security has yet to be made to C-level industry executives that is clear about the potential magnitude of the risk without appearing alarmist.

This tech skepticism toward the WEF Global Risks report is echoed in the broader public reception of this year's Davos gathering. Set against a backdrop of global economic malaise, perceived lack of leadership, and increasing wealth disparities, the invitation-only confab on the snowy slopes of Davos runs the risk of becoming a lightning rod for public frustration, more so this year than before. Particularly given the recent spike in vigilante online acts of civil disobedience, security specialists may want to be on the lookout for targeted attacks aimed at embarrassing Davos VIP visitors.

Upcoming Security Activity

Cyber Defence & Network Security conference: January 24–27, 2012
Cisco Live 2012 (London): January 30–February 3, 2012
RSA Conference: February 27–March 2, 2012
CanSecWest 2012: March 7–9, 2012
Black Hat Europe: March 14–16, 2012

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Chinese New Year: January 23–27, 2012
World Economic Forum (Davos): January 25–29, 2012
Australia Day and Republic Day (India): January 26, 2012

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
