Cyber Risk Report

January 25–31, 2010

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Although vulnerability and threat activity declined during this period, focus remains on the Microsoft Internet Explorer and Adobe product vulnerabilities that were announced in the previous weeks. New exploits for these vulnerabilities were identified and are being included in multiple test and attack tools.

These vulnerabilities and exploits, among others, will be presented and discussed at the Black Hat DC 2010 conference that is scheduled for January 31–February 3, 2010. Additional details and presentation topics are available at the Black Hat DC website. Cisco Security Intelligence Operations will hold training sessions at the conference and will monitor other presentations and events for new security developments.

During the time period, vulnerabilities were reported in Wireshark, SAP, Hitachi, Apache Web Server, Sun Java Web Proxy, IBM WebSphere and DB2, Google Chrome, and Cisco MeetingPlace.

The Cisco IronPort Security Operations Center continues to identify new and modified spam and malicious e-mail messages. This activity is reported via Threat Outbreak Alerts that are available on the Security Intelligence Operations portal. This period saw a marked increase in activity that resulted in the publication of 20 new and updated alerts.

The Root DNSSEC website recently published its January 2010 update on root zone activity, which included a schedule for the testing and deployment of Domain Name System Security Extensions (DNSSEC) on the root servers. Over the next four months, the DNS root zone servers will begin an incremental transition to DNSSEC. The selected root zone servers will begin to serve the Deliberately Unvalidatable Root Zone (DURZ) for testing purposes and then transition to a signed root zone. DNS administrators are advised to take note of the upcoming changes and monitor their DNS activity closely during the transition. Additional details are available at the Root DNSSEC website.
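The following is an added example and is not part of the Cisco report or of any Cisco Security Intelligence Operations tooling. Signed root responses are larger than the 512-byte limit of classic UDP DNS, so the conditions a resolver operator should verify before the transition are EDNS0 support with an adequate advertised payload size, the DNSSEC OK (DO) bit, and a working TCP fallback when a response comes back truncated. The code builds a query that advertises EDNS0 and DO, parses DNS messages in wire format, and reports those findings. The query name, message ID and the truncated response are constructed test inputs; nothing is sent on the network.

```python
import struct

# DNS header flag bits (second 16-bit word of the header)
FLAG_QR = 0x8000  # message is a response
FLAG_TC = 0x0200  # truncated: the client must retry over TCP
FLAG_RD = 0x0100  # recursion desired
FLAG_AD = 0x0020  # authenticated data (set by a validating resolver)

TYPE_OPT = 41     # EDNS0 OPT pseudo-record (RFC 2671)
TYPE_RRSIG = 46   # DNSSEC signature record
EDNS_DO = 0x8000  # DNSSEC OK bit, carried in the OPT record's TTL field
MIN_DNSSEC_PAYLOAD = 1220  # RFC 4035: minimum EDNS0 message size for DNSSEC


def encode_name(name):
    """Encode a dotted name such as 'www.example.com.' as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1, msg_id=0x1234, udp_payload=4096, dnssec_ok=True):
    """Return a wire-format query carrying an EDNS0 OPT record with the DO bit set."""
    header = struct.pack("!HHHHHH", msg_id, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE 41, CLASS field reused as UDP payload size,
    # TTL field reused as extended RCODE/version/flags, empty RDATA.
    ttl = EDNS_DO if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, ttl, 0)
    return header + question + opt


def skip_name(data, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes end the name
            return offset + 2
        offset += 1 + length


def parse_message(data):
    """Summarise header flags, record types per section, and EDNS0 parameters."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):
        offset = skip_name(data, offset) + 4  # QTYPE + QCLASS
    types = {"answer": [], "authority": [], "additional": []}
    edns = None
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            offset = skip_name(data, offset)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
            offset += 10 + rdlen
            types[section].append(rtype)
            if rtype == TYPE_OPT:
                edns = {"udp_payload": rclass, "do": bool(ttl & EDNS_DO)}
    return {
        "id": msg_id,
        "response": bool(flags & FLAG_QR),
        "truncated": bool(flags & FLAG_TC),
        "authenticated": bool(flags & FLAG_AD),
        "types": types,
        "edns": edns,
        "has_rrsig": any(TYPE_RRSIG in lst for lst in types.values()),
    }


def transition_findings(summary):
    """Findings a resolver operator would act on before the root is signed."""
    findings = []
    if summary["edns"] is None:
        findings.append("no EDNS0 OPT record: responses over 512 bytes will be truncated")
    elif summary["edns"]["udp_payload"] < MIN_DNSSEC_PAYLOAD:
        findings.append("EDNS0 payload size below the 1220-byte DNSSEC minimum")
    if summary["truncated"]:
        findings.append("TC bit set: verify that TCP port 53 is permitted end to end")
    return findings


def make_truncated_response(query):
    """Constructed test input: turn a query into a TC=1 response with no OPT record."""
    msg_id, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    question_end = skip_name(query, 12) + 4
    header = struct.pack("!HHHHHH", msg_id, flags | FLAG_QR | FLAG_TC, qd, 0, 0, 0)
    return header + query[12:question_end]


if __name__ == "__main__":
    query = build_query("www.example.com.")  # constructed, never sent on the wire
    print(parse_message(query))
    print(transition_findings(parse_message(make_truncated_response(query))))
```

In operation the same parser would be pointed at captured resolver traffic; a stream of TC=1 responses from the root servers with no matching TCP retries, or OPT records advertising less than 1220 bytes, are the symptoms to watch for during the DURZ and signed-root phases.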

IntelliShield published 71 events last week: 44 new events and 27 updated events. Of the 71 events, 44 were Vulnerability Alerts, one was a Malicious Code Alert, one was a Security Activity Bulletin, three were Security Issue Alerts, 20 were Threat Outbreak Alerts, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Friday        01/29/2010     7         5      12
Thursday      01/28/2010     3         7      10
Wednesday     01/27/2010    10         4      14
Tuesday       01/26/2010     7         4      11
Monday        01/25/2010    17         7      24
Weekly Total                44        27      71


Significant Alerts for January 25–31, 2010
Microsoft Internet Explorer Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19726, Version 4, January 26, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-0249

Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has confirmed this vulnerability and released software updates. Additional information is available regarding mitigations and exploit code related to the Internet Explorer remote arbitrary code execution vulnerability.

Adobe Reader and Acrobat newplayer() Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19602, Version 8, January 22, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-4324

Adobe Acrobat and Reader versions 9.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system or cause a denial of service (DoS) condition. Proof-of-concept code that exploits the vulnerability is publicly available. Adobe has confirmed this vulnerability, and updates are available. This vulnerability is being actively exploited through directed phishing attacks.

Previous Alerts That Still Represent Significant Risk
Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 28, January 20, 2010
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-3555

Multiple TLS implementations contain a vulnerability when renegotiating a Transport Layer Security (TLS) session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Multiple vendors have released updates to correct this vulnerability. Proof-of-concept code that exploits this vulnerability is publicly available.

Microsoft Internet Explorer Cascading Style Sheets Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 19468, Version 5, December 10, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-3672

Microsoft Internet Explorer versions 6 and 7 contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code. Proof-of-concept code is publicly available. Microsoft has released security bulletin MS09-072 to address this vulnerability.

Microsoft Windows SMB Client Remote Denial of Service Vulnerability
IntelliShield Vulnerability Alert 19422, Version 2, November 16, 2009
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-3676

Microsoft Windows Server 2008 R2 and Windows 7 contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. Exploit code is publicly available. Microsoft has confirmed this vulnerability, but updates are not available.

Physical

There was no significant activity in this category during the time period.

Legal

Bank Sues Victim of US$800,000 Theft

Reports indicate that a United States bank has filed suit against the victim of a US$800,000 online banking theft that involved unauthorized wire transfers. The bank was able to recover and return US$600,000 of the stolen assets, but the victim insisted that the theft occurred as a result of insufficient protections on the compromised account and demanded the remainder of the funds. In response, the bank filed a lawsuit asking the courts to certify that its security measures were commercially reasonable.

IntelliShield Analysis: Although the bank did not employ two-factor authentication, it did require transactions to originate from registered systems. However, the victim claims this protection was inadequate because the thieves were able to register new systems and stage the theft. The victim also claims that simple fraud prevention analysis would have detected the abnormal transactions, which involved foreign countries and unusual transfer recipients. This incident is a new twist on the continuing theme of online theft. Victims of cyber thefts have used this defense before, but a bank filing suit to have the courts certify that its security measures were "good enough" is completely new. Only time and legal results will tell how similar cases will be handled in the future.

Trust

Huffington Post Republishes Twitter Feeds

During the time period, the Huffington Post allowed users to view public Twitter feeds on its website. Reports suggest that a large number of public profiles were republished. The Huffington Post called the incident a misunderstanding and stated that it was testing a Twitter API that creates pages where viewers can see user profiles. Even though the information could easily be viewed via the Twitter website or a variety of applications, some Twitter users were unhappy and speculated that the Huffington Post was generating profits from republishing their messages.

IntelliShield Analysis: Twitter has enabled the republishing of content via its API at no charge for years, so the ability to republish this type of information in an application or website is not new. Many small and large news outlets enhance their content by using individual Twitter messages (also known as tweets) to provide up-to-the-moment information and comments on developing stories. The major difference in this incident was Huffington Post's republication of a full list of messages by a user rather than information specific to a topic. This situation highlights the risk that consumers may take offense if their information is used in ways they do not expect, even when it is intentionally posted publicly and within the terms of service. Users who wish for their content to remain controlled are advised to read the terms of service carefully. To avoid negative publicity, organizations are also advised to scrutinize end user content and consider consumer expectations before using that data.

Identity

National Data Privacy Day

January 28, 2010 was recently declared National Data Privacy Day to raise awareness of the growing threats to personal data privacy. Several organizations held special user education events, and many posted additional privacy information and user recommendations on their websites.

IntelliShield Analysis: As criminal activity continues to increase across the Internet, criminals have focused on exploiting users through social engineering methods and embedded content that is designed to entice users to click on items that make them unwitting accomplices. Although numerous security technologies, procedures, and regulations have been implemented to reduce the privacy risks, technologies and procedures have limited effects in controlling user actions. User education and awareness continue to be the most effective method to avoid these attacks, and many organizations have now implemented more active education programs. Like the dynamic nature of threats on the Internet, user education requires regular updates, reviews, and reinforcement to maintain and improve user awareness and the ability to avoid becoming victims. The declared Privacy Day serves as a reminder and opportunity to keep this issue on the minds of users.

Human

Poor Change Management Leads to Denial of Service, US$150,000 Fine

According to a recently released report, an employee of Credit Suisse working at the bank's proprietary trading desk made an innocuous, yet devastating, mistake in November 2007. As a result of a code update that was not properly tested, a trader for the bank issued a series of orders simply by inadvertently double-clicking an interface icon that should only have been single-clicked. The code update did not present the user with any confirmation of intent, and the trader's double-click caused a small-scale denial of service at the New York Stock Exchange (NYSE). The NYSE reviewed the incident, found that Credit Suisse was negligent in its software testing procedures, and issued a US$150,000 fine for the error.

IntelliShield Analysis: Security professionals have long been aware of the complications and challenges that human factors bring to security. Not only can human psychology, decision-making, and lack of awareness and education cause problems when users act improperly under established controls and policies, but they also raise important concerns during back-end operations like code development and design, system deployment, and more. In this incident, the NYSE fined Credit Suisse for poor policy and procedure related to software development, highlighting the direct financial impact from improper controls on software design. Good code design policy is only part of the solution; analysis of anomalous incoming requests is also important. The NYSE has had to improve measures to prevent runaway trading under exceptional conditions, and other organizations may also benefit from these kinds of layered controls.
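As an added illustration of the layered, server-side controls the analysis describes (this is not code from Credit Suisse, the NYSE or Cisco), the following hypothetical order gateway applies two guards that do not depend on the client confirming intent: an idempotency key that the front end assigns once per user action, so a repeated submission of the same action is recognised as a duplicate rather than a second order, and a per-client burst limit that rejects a stream of orders arriving faster than a human could have entered them. The class, field names, window and limit are assumptions chosen for illustration; the timestamps are supplied by the caller so the behaviour can be reproduced offline.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Order:
    client_id: str
    idempotency_key: str  # hypothetical: assigned once per user action by the front end
    symbol: str
    quantity: int


@dataclass
class OrderGateway:
    """Server-side guards against a client that repeats or floods requests."""
    max_orders_per_window: int = 5     # assumed limit for a single human desk
    window_seconds: float = 1.0        # assumed sliding window
    _seen_keys: dict = field(default_factory=dict)  # client_id -> set of keys
    _recent: dict = field(default_factory=dict)     # client_id -> deque of timestamps
    accepted: list = field(default_factory=list)

    def submit(self, order, now):
        """Return 'accepted', 'duplicate' or 'throttled' for one submission."""
        keys = self._seen_keys.setdefault(order.client_id, set())
        if order.idempotency_key in keys:
            # Same user action replayed (for example a double-click): do not
            # place a second order and do not count it against the burst limit.
            return "duplicate"
        recent = self._recent.setdefault(order.client_id, deque())
        while recent and now - recent[0] >= self.window_seconds:
            recent.popleft()  # drop timestamps that fell out of the window
        if len(recent) >= self.max_orders_per_window:
            # Distinct actions, but arriving faster than a human could submit them;
            # the key is not recorded so a later, slower retry is still possible.
            return "throttled"
        keys.add(order.idempotency_key)
        recent.append(now)
        self.accepted.append(order)
        return "accepted"


def simulate_double_click(gateway):
    """Constructed scenario: the same action submitted twice within 50 ms."""
    order = Order("desk-7", "action-1", "XYZ", 100)
    return [gateway.submit(order, now=0.00), gateway.submit(order, now=0.05)]


def simulate_runaway_client(gateway, count=10):
    """Constructed scenario: distinct actions fired every 10 ms by a faulty client."""
    return [
        gateway.submit(Order("desk-7", f"action-{i}", "XYZ", 1), now=0.10 + i * 0.01)
        for i in range(2, 2 + count)
    ]


if __name__ == "__main__":
    gw = OrderGateway()
    print(simulate_double_click(gw))    # second submission is a duplicate
    print(simulate_runaway_client(gw))  # burst is cut off after the window fills
    print(len(gw.accepted), "orders reached the matching engine")
```

The idempotency check answers the specific failure in the report (one intended action, two submissions); the burst limit is the broader anomaly analysis the IntelliShield text calls for, and would still have caught a client that generated distinct orders by mistake.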

Geopolitical

Calls for Global Regulation in Davos, Switzerland

Speaking at the recent World Economic Forum in Davos, Switzerland, French President Nicolas Sarkozy blamed unfettered capitalism for the global economic crisis. He called for the establishment of a new international monetary system brokered by the Group of 20, which France will head next year. The system would help control exchange rates and, according to the French president, would not use the United States (U.S.) dollar as the world's primary reserve currency. Sarkozy urged attendees to adopt an international set of standards to govern labor, the environment, and public health, claiming that reforms should be unified and not help one country at the expense of another.

IntelliShield Analysis: Sarkozy's message was not unexpected and was greeted with both enthusiasm and skepticism. The obstacles to establishing an effective international system to regulate anything are considerable. From an information security perspective, the significance of Sarkozy's message may be his apparent voicing of an international mood in favor of greater regulation and the creation of new global systems. This mood swing is already being felt in technology and security circles. For example, U.S. Homeland Security Secretary Janet Napolitano recently called for global security standards for international airports and aircraft. This month, Microsoft outlined the tangle of laws in the European Union and U.S. that govern cloud computing and called for a resolution. Over the coming year, it is likely that information security specialists will see a host of new global proposals relating to IPv6, data privacy, net neutrality, and more. As the immense success of the annual World Economic Forum demonstrates, governments will need private sector input if these new systems are to do more good than harm.

Upcoming Security Activity

Black Hat DC: January 31–February 3, 2010
RSA 2010 Security Conference: March 1–5, 2010
CanSecWest 2010: March 24–26, 2010
Cisco Networkers 2010, Bahrain: March 28–21, 2010

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

XXI Olympic Winter Games (Vancouver, British Columbia, Canada): February 12–28, 2010

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
