The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.
Vulnerability and threat activity decreased throughout the holidays and remained so during this period. There were multiple significant denial of service threats over the periods, including a Research In Motion BlackBerry devices service outage and an attack against Amazon.com during the height of the holiday shopping season that made hundreds of websites unreachable.
There were also several significant exploits publicly released during the periods that included a zero-day vulnerability in Microsoft Internet Information Services (IIS) reported in IntelliShield alert 19658, and exploits for vulnerabilities in Java Runtime Environment reported in IntelliShield alert 17203, Microsoft Internet Explorer reported in IntelliShield alert 19493, CA ARCserve Backup reported in IntelliShield alert 16883, and IBM Tivoli reported in IntelliShield alert 18118. In addition, the Adobe Reader and Acrobat vulnerability reported in IntelliShield alert 19602 continues to be widely exploited through directed phishing attacks.
Kingston, SanDisk, and Verbatim USB flash drives were reported to contain a vulnerability that could allow a local attacker to read encrypted data in plain text, which is reported in IntelliShield alert 19673. The exploit requires physical access to the USB flash drive. However, there are also certification and compliance issues with the vulnerable flash drives because many of the affected products were FIPS 140-2 Level 2 security certified.
There are also multiple reports of products that have issues with the change of date to the new year. The issues range from minor sorting bugs to potential loss of data and denials of service. Many of the vendors have already released updates or corrected the date issues, but more yet unidentified issues may remain. Users are advised to keep a close eye on listing and logging products that may show an incorrect date being applied, or listings that show events out of the correct order.
The IntelliShield vulnerability and threat metrics finished the year supporting the trends and activity reported in the Cisco 2009 Annual Security Report. For a review of these activities, trends, and recommendations for 2010, the report is available at Cisco 2009 Annual Security Report.
In upcoming activity, Tuesday, January 12, 2010, is the release date for the Microsoft monthly security updates and coincides with the quarterly security updates from Oracle and Adobe. The most significant known vulnerability to be addressed is the Adobe Reader and Acrobat vulnerability reported in IntelliShield alert 19602. This vulnerability is being actively exploited through directed phishing attacks.
IntelliShield published 99 events last week: 29 new events and 70 updated events. Of the 99 events, 83 were Vulnerability Alerts, five were Security Activity Bulletins, nine were Security Issue Alerts, one was a Threat Outbreak Alert, and one was an Applied Mitigation Bulletin. The alert publication totals are as follows:
Weekly Alert Totals
2009 Monthly Alert Totals
Significant Alerts for January 4–10, 2010
Adobe Reader and Acrobat newplayer() Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19602, Version 4, January 8, 2010
Urgency/Credibility/Severity Rating: 3/5/4
Adobe Acrobat and Reader versions 9.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system or cause a denial of service (DoS) condition. Proof-of-concept code that exploits the vulnerability is publicly available. Adobe has confirmed this vulnerability; however, software updates are not available. This vulnerability is being actively exploited through directed phishing attacks.
Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 25, January 7, 2010
Urgency/Credibility/Severity Rating: 2/5/3
Multiple TLS implementations contain a vulnerability when renegotiating a Transport Layer Security (TLS) session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Multiple vendors have released updates to correct this vulnerability. Proof-of-concept code that exploits this vulnerability is publicly available.
Previous Alerts That Still Represent Significant Risk
Microsoft Internet Explorer Cascading Style Sheets Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 19468, Version 5, December 10, 2009
Urgency/Credibility/Severity Rating: 2/5/4
Microsoft Internet Explorer versions 6 and 7 contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code. Proof-of-concept code is publicly available. Microsoft has released security bulletin MS09-072 to address this vulnerability.
Microsoft Windows SMB Client Remote Denial of Service Vulnerability
IntelliShield Vulnerability Alert 19422, Version 2, November 16, 2009
Urgency/Credibility/Severity Rating: 2/5/3
Microsoft Windows Server 2008 R2 and Windows 7 contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. Exploit code is publicly available. Microsoft has confirmed this vulnerability, but updates are not available.
Access Control Security Failures
Recent high-profile security failures highlighted shortcomings in physical access controls: the would-be bomber on a flight bound for the United States, who was allowed to fly even though he was a known risk; an attack on Pope Benedict XVI in St. Peter's Basilica by the same person who attempted to gain access to him in 2008; an incident at Newark International Airport in which an individual was able to bypass staffed and video surveillance, resulting in a 6-hour lockdown of a national transportation hub; and the discovery that United States (U.S.) White House security video showed a third unauthorized person had succeeded, as the Salahi couple did, in attending a state dinner. Human error and access control failures appear to be common themes as multiple agencies review security procedures and protocols.
IntelliShield Analysis: Inadequate maintenance of access control lists, including the U.S. watch-listing system, contributed to three of the four events. The most stringently enforced deny/allow access lists will permit threats if the lists are not updated and correlated with other layers of a comprehensive physical security model. Media reports indicate that the U.S. National Counterterrorism Center has significantly upgraded terrorist watch lists; however, the events point to weaknesses in physical access control.
CYBERsitter Lawsuit Targets Several Companies and China
The Solid Oak Software company of California is filing a lawsuit claiming that a Chinese-sponsored product called Green Dam violated their copyrights. Solid Oak is suing the People's Republic of China and the following two Chinese companies: Zhengzhou Jinhui Computer System Engineering Ltd. and Beijing Dazheng Human Language Technology Academy Ltd. Also appearing in the lawsuit are several other companies that sold computers with Green Dam installed. These companies include Lenovo, Toshiba, Sony, Acer, ASUSTeK, BenQ, and Haier. Green Dam is a state-sponsored initiative that is required to be installed or included with all computers sold in China since 2009. Solid Oak alleges that Green Dam contains 3,000 lines of copyright-protected code that originally appeared in their CYBERsitter Internet filter software.
IntelliShield Analysis: Solid Oak is seeking US$2.2 billion in damages based on a $40 price tag for CYBERsitter and a distribution of some 56 million copies of Green Dam by the Chinese government. Collecting any of this money through a California court from the Chinese government is problematic at best. Solid Oak may be able to collect some damages from the companies involved in the case, especially if they have U.S. offices. Also, the recent rulings by the World Trade Organization regarding U.S. intellectual property rights suggest that this Green Dam case may be emblematic of more, similar copyright infringement cases to come as China and the United States work out common ground on copyright enforcement. These cases serve to highlight the potential risks and costs of copyright and licensing infringements.
People, vendors, and the courts have historically been loose with their licensing, copyright, and patent management and enforcement. Based on some recent court rulings, these areas could become more strictly enforced in the future. Businesses and organizations will need to tighten the management of their code, products, and licenses to avoid these very expensive lawsuits. Because of the current economic situation, many businesses are struggling for cash, and many of them already know of patent and copyright violations they have not yet pursued. The current economic pressures and recent court rulings may be the tipping point that will cause them to initiate legal action.
Concerns Raised over Unencrypted Military Video Feeds
Recent media reports have uncovered startling information indicating that anyone with access to off-the-shelf software could intercept and view video feeds transmitted by U.S. military drones and war planes. The reports cite evidence that insurgents in Iraq and Afghanistan stored videos on laptops that were seized by soldiers. The software used to capture these videos is designed for intercepting satellite transmissions and is often used to gain free access to international sporting events. The U.S. government has been aware of the situation since the 1990s, but had not believed that adversaries of the United States were capable of intercepting the video feeds without expending significant resources.
IntelliShield Analysis: It is certainly embarrassing for the U.S. administration to find that its technological military capabilities could seemingly be overcome by insurgents who make a US$26 investment. Bruce Schneier has made the counterargument that factors such as key management may have kept the military from widely encrypting the output of aerial video streams, favoring usability over privacy. On the other hand, Gartner's John Pescatore has labeled this decision as one of the worst encryption failures ever, noting that all U.S. Central Intelligence Agency (CIA) drones encrypt these kinds of communications.
The CIA may have a significantly different use case than the U.S. military, with different requirements for information sharing and availability. Security benefits greatly from flexibility, and organizations are encouraged to consider a range of options when securing their information. Yet even meager encryption of military video feeds could have significantly hindered U.S. adversaries in their efforts. Because military encrypted feeds will not be ready for several more years, it seems that the military erred at least by not being prepared to encrypt if the need arose.
Twitter Bans Hundreds of Passwords
Several websites have reported that the source code of the new user registration page for Twitter, the popular microblogging site, includes a list of passwords Twitter deems unsafe. Attempts to use one of the listed passwords will result in an error stating that the password is "too obvious." How Twitter compiled the list of passwords, whether through analysis of its own data or from an external source, is not clear. The transparency of the list, however, is generally being lauded by the security community.
IntelliShield Analysis: Twitter's increasing popularity has put it firmly on the radar of miscreants for malicious activities, including compromising accounts through easily guessed passwords. Twitter's actions to reduce potential compromises continue to reinforce the value of passwords that are not easily guessed or susceptible to dictionary attacks. The enforced ban on hundreds of passwords is effectively a game of cat and mouse: users may be tempted to alter a password by one or more characters instead of following more prudent guidelines for password creation. Such guidelines include using nonalphanumeric characters or randomly generated passwords created by programs designed to manage multiple credentials. Using such programs and practices minimizes the risk of compromise of a single account or of multiple accounts that all have the same password.
There was no significant activity in this category during the time period
White House Fills Cybersecurity Coordinator Position
In December, the U.S. White House tapped Microsoft and eBay veteran Howard Schmidt to serve as its new cybersecurity coordinator, following months of searching and the high-profile resignation of interim coordinator Melissa Hathaway in August. Schmidt will report to Deputy National Security Advisor John Brennan and have regular access to the president. Various press reports suggest he will also work closely with National Economic Advisor Larry Summers. The cybersecurity coordinator's job is to protect U.S. digital networks by coordinating digital data security policy across the government and military, including the planned Pentagon-led cyber command. In addition to his private sector background, Schmidt served in the U.S. Air Force, headed a computer exploitation team at the Federal Bureau of Investigation, and served as a White House adviser on cyberspace security from 2001 to 2003.
IntelliShield Analysis: The appointment of Schmidt to the cybersecurity coordinator post is being greeted with relief and enthusiasm by most, following months of media debate over the position's mission, scope, and powers. As the central coordinator for the U.S. government's far-flung computer security initiatives, but without budgetary or regulatory powers, Schmidt may be well positioned to focus on setting the tone of policy going forward. Efforts could include articulating common goals and limitations, calling out (if not eliminating) redundancy, and advocating for improved coordination. Given the foiled airline bombing attempt on December 25 and the president's subsequent harsh critique of failures to connect the intelligence dots, Schmidt may be able to push harder to get competing government agencies to communicate. His broad experience, which spans private industry, government, and law enforcement, may earn him credibility among all stakeholders. Indeed, given the criticality of protecting data across the vast, interwoven array of data networks (spanning public, private, military, and commercial uses), any real improvements in policy coordination that result from this new appointment will leave the American public indebted to Schmidt.
Upcoming Security Activity
Networkers at Cisco Live 2010, Barcelona, Spain: January 25–28, 2010
Black Hat DC: January 31–February 3, 2010
Annual CanSecWest 2010: March 24–26, 2010
Cisco Networkers 2010, Bahrain: March 28–31, 2010
Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:
World Economic Forum Annual Meeting 2010, Davos-Klosters, Switzerland: January 27–31, 2010
XXI Olympic Winter Games, Vancouver, British Columbia, Canada: February 12–28, 2010
For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
Cisco Security IntelliShield Alert Manager Service
For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
Back to Top