Cyber Risk Report

January 18–24, 2010

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity continued to remain consistent with previous periods. This period was highlighted by additional vendor security advisories from Microsoft and Adobe, following the scheduled security advisories released last week. Additional vendor security announcements were released by Apple, Cisco, and RealNetworks to correct multiple vulnerabilities. New exploits also continue to be publicly released by Russian security researchers. The new exploits impact multiple popular server systems.

Microsoft released Security bulletin MS10-002 with details and updates for eight vulnerabilities. The vulnerabilities continue to focus on Internet Explorer, including one vulnerability related to reported exploit attempts against multiple companies. IntelliShield alerts that contain details regarding these vulnerabilities are available on the Cisco Security Intelligence Operations web site.

Arbor Networks released the 5th Edition of the Worldwide Infrastructure Security Report, highlighting security issues and future concerns based on survey results from network operators and administrators. The report includes metrics on the current and previous threat levels, mitigation for those threats, and the top issues facing the network operators.
The Internet Engineering Task Force (IETF) also announced that a fix for the SSL protocol has been completed. The fix will be incorporated in vendor products over the coming periods after the vendors have completed testing. Organizations with or considering SSL deployments should track these developments with their vendors to deploy the updates when they become available. Additional development information is available from the following source: Read More

IntelliShield published 113 events last week: 46 new events and 67 updated events. Of the 113 events, 96 were Vulnerability Alerts, three were Security Activity Bulletins, six were Security Issue Alerts, six were Threat Outbreak Alerts, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day Date New Updated Total
Friday 09/29/2007 12 15 27
Thursday 09/28/2007 13 33 46
Wednesday 09/27/2007 11 16 27
Tuesday 09/26/2007 10 3 13
Monday 09/25/2007 0 0 0
Weekly Total 46 67 113

 

Significant Alerts for January 18–24, 2010

Adobe Reader and Acrobat newplayer() Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19602, Version 8, January 22, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-4324

Adobe Acrobat and Reader versions 9.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system or cause a denial of service (DoS) condition. Proof-of-concept code that exploits the vulnerability is publicly available. Adobe has confirmed this vulnerability, and updates are available. This vulnerability is being actively exploited through directed phishing attacks.

Microsoft Internet Explorer Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19726, Version 3, January 21, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-0249

Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has confirmed this vulnerability and released software updates.

Previous Alerts That Still Represent Significant Risk

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 28, January 20, 2010
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-3555

Multiple TLS implementations contain a vulnerability when renegotiating a Transport Layer Security (TLS) session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Multiple vendors have released updates to correct this vulnerability. Proof-of-concept code that exploits this vulnerability is publicly available.

Microsoft Internet Explorer Cascading Style Sheets Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 19468, Version 5, December 10, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-3672

Microsoft Internet Explorer versions 6 and 7 contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code. Proof-of-concept code is publicly available. Microsoft has released security bulletin MS09-072 to address this vulnerability.

Microsoft Windows SMB Client Remote Denial of Service Vulnerability
IntelliShield Vulnerability Alert 19422, Version 2, November 16, 2009
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-3676

Microsoft Windows Server 2008 R2 and Windows 7 contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. Exploit code is publicly available. Microsoft has confirmed this vulnerability, but updates are not available.

Physical

There was no significant activity in this category during the time period.

Legal

Oracle Wins EU Approval for Sun Acquisition

The European Commission has approved the US$7.4 billion Sun acquisition by Oracle. The approval had been in question due to concerns over the fate of MySQL, which is owned by Sun, and how it would affect the product in the market after the acquisition. Oracle has committed to honoring all MySQL contracts for the next five years and promises not to assert copyright claims over MySQL for the same period of time. This commitment and an analysis that shows Oracle and MySQL do not compete in the exact same markets was enough to convince the European Commission to approve the acquisition to go forward.
Read More
Additional Information

IntelliShield Analysis: Oracle has been faced with anti-trust issues in prior acquisitions. The PeopleSoft acquisition faced some resistance, but Larry Ellison (CEO of Oracle) aggressively defended his stand to acquire the company and promised to continue to support the PeopleSoft line of products, thus not leaving PeopleSoft customers in behind. Larry is an aggressive competitor and fights hard to for acquisitions that make Oracle a stronger company. The Sun acquisition also gives Oracle ownership of Java and the Solaris operating system. The acquisition of MySQL was apparently not high on the list of reasons for buying Sun, but Oracle has again defended their right to make the acquisition and sufficiently addressed concerns that the acquisition will make them anti-competitive. This case helps to highlight some of the issues and difficulties that come with acquisitions and mergers in today's international market. It also highlights how an aggressive competitor can carefully make their case and complete these acquisitions with minimal risks and concessions to regulators.

Trust

DNSSEC Testing and Deployments on Root Servers

Securing the Domain Name System (DNS) infrastructure has been long desired by many, but it looks like the Internet community is getting closer to seeing it become a reality. DNS provides, in its most basic form, the ability to take an alphabetic name which is much more understandable, recognizable, and memorable to human beings and convert it to a numeric Internet Protocol (IP) address in order for it to be processed by the network infrastructure (hosts, servers, routers, etc.) which we all use directly and indirectly to communicate over the Internet. DNS Security Extensions (DNSSEC) was developed in an effort to protect the integrity of the DNS system and to help ensure that users actually end up reaching the websites they truly want to visit. Read More

IntelliShield Analysis: There have been several reasons why DNSSEC or, more accurately, securing the DNS protocol has taken as long as it has to get even this far in terms of becoming a legitimate solution. For one, there have been multiple efforts that have led to a variety of solutions for securing DNS, leading to years of debating which solution would be most effective. A second reason is that while individual enterprises could take steps to ensure validity or integrity of the records for their domain name space (such as, sites signing their own DNS information that is sourced from their own domain authority) a DNS reply cannot be completely trusted unless each of the root servers also participates in a solution such as DNSSEC. But, implementing this step is expected to take a considerable amount of time in terms of design, testing, and deployment. However, once DNSSEC has become a reality in each of the Top Level Domains (such as, .com, .edu, .org, etc.) attacks such as DNS cache pollution/poisoning will become much more difficult to execute, which would result in a more valid, accurate, and trusted DNS environment.

Identity

There was no significant activity in this category during the time period.

Human

Haiti Relief Leads to Expected Fraud

The January 12, 2010 earthquake that devastated the region near Port-au-Prince, Haiti was widely believed to be a prime target for scammers looking to profit off of a popular topic. As expected, many scams were noticed using e-mail, search engine optimization (SEO) poisoning, and social networks. On January 13, the FBI issued a warning that encompassed not only computer-based scams, but also personal appeals for money from those representing themselves as victims or charities.
Read More
Additional Information
Additional Information

IntelliShield Analysis: Those looking on at the desperate situation in Haiti were often moved to make donations to relief efforts, band together on social networking sites in displays of solidarity, or to compel those around them to donate or spread the word. Miscreants looking to make a profit used this outpouring of attention and emotion to establish many fraudulent sites, e-mail messages, and social network associations for their purposes. Combating these scams will require technical controls that can recognize and account for emerging social engineering threats based on these kinds of events. In addition, organizations should consider providing verified options for employees to donate to relief efforts when distributing corporate communications about how the company is responding to such an event. In fact, technology use was very effective when applied to raise donations legitimately. The Red Cross SMS text donation campaign was highly successful, raising millions of dollars in a very short time, and through coordination with the wireless service providers to make those funds available more rapidly than the normal accounting cycles. These rapid and coordinated efforts may set the new standard for emergency relief efforts in the future, further requiring users and businesses to increase their familiarity and security for these technologies.

Geopolitical

There was no significant activity in this category during the time period.

Upcoming Security Activity

Networkers at Cisco Live 2010, Barcelona, Spain: January 25–28, 2010
Black Hat DC: January 31–February 3, 2010
RSA 2010 Security Conference: March 1–5, 2010
CanSecWest 2010: March 24–26 2010
Cisco Networkers 2010, Bahrain: March 28–21, 2010

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

World Economic Forum Annual Meeting 2010, Davos-Klosters, Switzerland: January 27–31, 2010
XXI Olympic Winter Games, Vancouver, British Columbia, Canada: February 12–28, 2010

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.

Back to Top