January 9–15, 2012

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity increased for the period, highlighted by the scheduled security updates from Microsoft and Adobe. The Microsoft January 2012 Security Update included seven bulletins addressing eight individual vulnerabilities. The full details of the January update, correlated with IntelliShield alerts, Cisco IPS signatures, and the Applied Mitigation Bulletin, are available in the Cisco Event Response: Microsoft Security Bulletin Release for January 2012. For a short summary and assessment of the update from the Cisco IPS Signature Development team, see Insights on the Microsoft Security Bulletin Release for January 2012. In other Microsoft security activity, proof-of-concept exploit code was publicly released for the Microsoft .NET Framework ASP.NET HashTable Collisions denial of service vulnerability, reported in IntelliShield alert 24861.
Adobe released its scheduled security update, addressing six vulnerabilities in Adobe Reader and Acrobat. Alongside the update, Adobe released two new administrative controls that allow administrators to whitelist trusted sources and to disable JavaScript for selected sources. These controls give organizations tighter control over the common attack vectors used in many exploits of Adobe Reader and Acrobat.

Other vulnerability highlights include multiple updates from Kernel.org and Red Hat for previously reported and new vulnerabilities in the Linux kernel. Users are reminded that the 2.6.x kernel series is approaching the end of maintenance and should plan to move to the 3.x series. Wireshark released updates for multiple vulnerabilities, and PHP released updates for the hash collision vulnerability that affects multiple languages and web frameworks. Cisco released a Security Response for the Wi-Fi Protected Setup (WPS) security issue, reported in IntelliShield alert 24854, and identified a potential problem with one of the security updates released for OpenSSL, reported in IntelliShield alert 24893.

In upcoming security activity, the Oracle Critical Patch Update Pre-Release Announcement - January 2012 lists 76 vulnerabilities that affect multiple products. The Oracle Critical Patch Update will be released on January 17, 2012.

In threat activity, US-CERT reported a malicious spam message spoofed to appear to come from US-CERT, and the Cisco IronPort Threat Operations Center released multiple updates for an ongoing spam campaign that uses a malicious American Airlines ticket message and attachment, reported in IntelliShield alert 24811.

In security policy activity, the United States Chief Information Officers Council released the Federal Risk and Authorization Management Program (FedRAMP), which will be required of government organizations and which provides a strong reference for non-government organizations considering cloud security controls.
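The hash collision denial of service referenced for ASP.NET and PHP in the paragraphs above is the same flaw in every affected runtime: request parameters are stored in a chained hash table keyed by a fast multiplicative hash, so an attacker who can craft thousands of distinct parameter names with one hash value forces quadratic work per request. The following Python model is an added example, not code from this report or from any affected vendor. It uses DJBX33A (the "times 33" hash PHP 5 used for its symbol tables), generates colliding names from the equal-hash pair "Ez" / "FY", and tests two candidate mitigations: a per-process random seed, which does not help because these collisions are seed-independent, and a cap on the number of parameters parsed, which does. The MAX_INPUT_VARS value and the use of CPython's keyed str hash as a stand-in for a non-multiplicative keyed hash are assumptions of the example.

```python
"""Hash-collision denial of service against a chained hash table.

Added example; not code from the Cisco report or from any affected vendor.
The hash is DJBX33A, which PHP 5's symbol tables used. MAX_INPUT_VARS and the
keyed-hash stand-in are assumed, generic countermeasures, not a vendor patch.
"""
import itertools
from typing import Callable, List


def djbx33a(key: bytes, seed: int = 5381) -> int:
    """Bernstein's 'times 33' hash, truncated to 32 bits."""
    h = seed
    for b in key:
        h = (h * 33 + b) & 0xFFFFFFFF
    return h


def colliding_keys(n: int) -> List[str]:
    """Return n distinct parameter names that share one DJBX33A value.

    'Ez' and 'FY' collide (69*33 + 122 == 70*33 + 89 == 2399). Because the hash
    is multiply-then-add, any two equal-length concatenations of those blocks
    collide as well, for every seed. ceil(log2(n)) blocks give 2**blocks names.
    """
    blocks = ("Ez", "FY")
    width = max(1, (n - 1).bit_length())
    return ["".join(c) for c in itertools.islice(itertools.product(blocks, repeat=width), n)]


class ChainedTable:
    """Minimal chained hash table that counts chain nodes visited on insert."""

    def __init__(self, hash_fn: Callable[[str], int], nbuckets: int = 1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(nbuckets)]
        self.probes = 0  # total key comparisons across all inserts

    def insert(self, key: str, value: str) -> None:
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(chain):
            self.probes += 1
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))


def weak_hash(key: str) -> int:
    return djbx33a(key.encode())


def seeded_weak_hash(seed: int) -> Callable[[str], int]:
    """Same algorithm with a per-process random seed; does NOT break the collisions."""
    return lambda key: djbx33a(key.encode(), seed)


def keyed_hash(key: str) -> int:
    """CPython's str hash is keyed SipHash; it stands in for a non-multiplicative keyed hash."""
    return hash(key) & 0xFFFFFFFF


MAX_INPUT_VARS = 1000  # assumed cap, in the spirit of PHP's max_input_vars


def parse_form(body: str, hash_fn: Callable[[str], int] = weak_hash,
               max_vars: int = MAX_INPUT_VARS) -> ChainedTable:
    """Parse an a=1&b=2 body into a ChainedTable, refusing oversized bodies before hashing."""
    pairs = body.split("&") if body else []
    if len(pairs) > max_vars:
        raise ValueError(f"too many parameters: {len(pairs)} > {max_vars}")
    table = ChainedTable(hash_fn)
    for pair in pairs:
        name, _, value = pair.partition("=")
        table.insert(name, value)
    return table


def attack_body(n: int) -> str:
    """Constructed malicious POST body: n colliding names, one byte of value each."""
    return "&".join(f"{k}=1" for k in colliding_keys(n))


if __name__ == "__main__":
    body = attack_body(1000)
    for label, fn in [("djbx33a", weak_hash),
                      ("djbx33a+seed", seeded_weak_hash(0xC0FFEE)),
                      ("keyed SipHash", keyed_hash)]:
        probes = parse_form(body, fn, max_vars=10**6).probes
        print(f"{label:14s} probes={probes}")
    try:
        parse_form(attack_body(1001))
    except ValueError as e:
        print("cap rejected request:", e)
```

Running the module shows about 500,000 key comparisons for 1,000 colliding names under DJBX33A, the same figure with a random seed, a count in the hundreds under the keyed hash, and a rejection of the 1,001-parameter body by the cap. The seed result is the point practitioners most often miss: for a multiply-then-add hash, the difference between two equal-length inputs does not depend on the initial state, so only a different hash construction or a hard limit on input count closes the hole.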
IntelliShield published 123 events last week: 50 new events and 73 updated events. Of the 123 events, 83 were Vulnerability Alerts, 11 were Security Activity Bulletins, six were Security Issue Alerts, 20 were Threat Outbreak Alerts, two were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals
Significant Alerts for January 9–15, 2012

Multiple Products Hash Collisions Denial of Service Vulnerability
Multiple products contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. Updates are available.

Adobe Acrobat and Reader Universal 3D Remote Code Execution Vulnerability
Adobe Reader and Acrobat contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Targeted attacks against Adobe Reader version 9.4.6 on Microsoft Windows have been observed in the wild. Adobe has released a security bulletin and software updates to address the vulnerability. Functional exploit code is available as part of the Metasploit Framework.

OpenSSL Datagram Transport Layer Security Plaintext Recovery Issue
OpenSSL versions prior to 0.9.8s and versions prior to 1.0.0f contain an issue that could make it easier for an attacker to recover plaintext from encrypted DTLS traffic. Cisco has discovered a potential issue in the patch for the OpenSSL Datagram Transport Layer Security plaintext recovery issue.

Previous Alerts That Still Represent Significant Risk

Oracle Java SE Critical Patch Update October 2011
Oracle has released the Oracle Java SE Critical Patch Update for October 2011. The update addresses 20 new security vulnerabilities. An unauthenticated, remote attacker could leverage several of the vulnerabilities to completely compromise an affected system. Oracle, Red Hat, CentOS, and Apple have released updates.

ISC BIND Recursive Query Processing Denial of Service Vulnerability
ISC BIND version 9 contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system.
External reports indicate that this vulnerability is being actively exploited in the wild, as DNS server crashes have been observed; it has not, however, been fully determined that exploitation of this vulnerability is the root cause of the recently observed crashes. ISC and multiple vendors have confirmed this vulnerability and released updated software.

Apache HTTP Server Overlapping Ranges Denial of Service Vulnerability
Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. Proof-of-concept code that exploits this vulnerability is publicly available. Apache has confirmed this vulnerability, and updated software is available. Oracle and multiple additional vendors have released security advisories. HP has released an additional security bulletin. MontaVista has released a security alert and updated software.

Microsoft Windows TrueType Font Parsing Remote Code Execution Vulnerability
Microsoft has released a security advisory to address the TrueType font parsing remote code execution vulnerability. Reports suggest that this vulnerability is being exploited by W32.Duqu to install itself on a targeted system. This trojan is documented in IntelliShield alert 24425.

Oracle Java Applet Rhino Script Engine Arbitrary Code Execution Vulnerability
Multiple versions of Oracle Java contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Oracle and multiple other vendors have confirmed this vulnerability and released updated software. Functional exploit code is publicly available.
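The Apache HTTP Server overlapping-ranges issue listed above is triggered by a single request whose Range header carries hundreds of overlapping or repeated byte ranges, each of which affected servers handled as a separate in-memory copy of the resource. The following Python check is an added example, not code from this report or from the Apache project. It does what a reverse proxy or application firewall placed in front of a not-yet-patched server could do: count the ranges before parsing anything, then parse the header per RFC 2616 and refuse range sets that overlap or repeat. The limit of five ranges and the sample headers are constructed for the example.

```python
"""Range-header check against the Apache overlapping-ranges DoS.

Added example; not code from the Cisco report or from the Apache project. The
five-range limit is an assumed policy value, and SAMPLES are constructed
headers, not captured traffic.
"""
import re
from typing import List, Optional, Tuple

MAX_RANGES = 5  # assumed policy value; Apache's later MaxRanges directive defaults to 200
RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def parse_ranges(header: str, size: int) -> Optional[List[Tuple[int, int]]]:
    """Parse 'bytes=a-b,c-,-d' into absolute (first, last) pairs for an entity of `size` bytes.

    Returns None when the header is syntactically invalid; RFC 2616 14.35.1 says the
    server must then ignore the header and serve the whole entity. Ranges that start
    beyond the end of the entity are dropped as unsatisfiable.
    """
    unit, sep, specs = header.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return None
    ranges: List[Tuple[int, int]] = []
    for spec in specs.split(","):
        m = RANGE_SPEC.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        first, last = m.group(1), m.group(2)
        if first == "":                       # suffix form '-N': the last N bytes
            n = int(last)
            if n == 0:
                return None
            ranges.append((max(0, size - n), size - 1))
            continue
        lo = int(first)
        if last != "" and lo > int(last):     # first-byte-pos > last-byte-pos is invalid
            return None
        if lo >= size:                        # unsatisfiable on this entity
            continue
        hi = size - 1 if last == "" else min(int(last), size - 1)
        ranges.append((lo, hi))
    return ranges


def check_range_header(header: Optional[str], size: int, max_ranges: int = MAX_RANGES) -> str:
    """Classify a Range header as 'none', 'reject', 'ignore', 'unsatisfiable' or 'ok'.

    The count check runs before parsing, so a header with thousands of ranges costs
    one scan for commas rather than a list of thousands of tuples.
    """
    if header is None:
        return "none"
    if header.count(",") + 1 > max_ranges:
        return "reject"
    ranges = parse_ranges(header, size)
    if ranges is None:
        return "ignore"
    if not ranges:
        return "unsatisfiable"                # HTTP 416
    ranges.sort()
    for (_, hi1), (lo2, _) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:                        # overlapping or duplicate spans
            return "reject"
    return "ok"


# Constructed sample headers (not captured traffic).
SAMPLES = {
    "normal":  "bytes=0-499",
    "multi":   "bytes=0-99,200-299,-100",
    "overlap": "bytes=0-99,50-149",
    "repeat":  "bytes=0-,0-",
    "flood":   "bytes=0-," + ",".join(f"{i}-" for i in range(1, 1300)),
    "garbage": "bytes=abc",
    "beyond":  "bytes=20000-",
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:8s} {check_range_header(hdr, size=10000)}")
```

In front of an unpatched server, the "reject" outcome maps to a 400 response or to stripping the Range header before forwarding (the approach of the SetEnvIf / RequestHeader unset workaround in Apache's own advisory), while "ignore" means serve the full entity, as the RFC requires for a malformed header. Checking the range count before parsing matters: a filter that first builds a list of every range would itself do the attacker's work.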
Apache HTTP Server Reverse Proxy Rewrite URL Validation Vulnerability
Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to gain unauthorized access to internal networks. Apache has not confirmed the vulnerability, and software updates are not available. The vulnerability is a regression introduced by the fix for CVE-2011-3368, documented in IntelliShield alert 24327. Proof-of-concept code that exploits the vulnerability is publicly available.

Adobe Flash Player and AIR Multiple Vulnerabilities
Adobe Flash Player and AIR contain multiple vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on a targeted system. Adobe, Red Hat, and FreeBSD have released security advisories and updates.

Apache HTTP Server mod_proxy Module Information Disclosure Vulnerability
Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to gain access to sensitive information. Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available. Apache, Red Hat, IBM, and FreeBSD have released security advisories and software updates.

Microsoft Windows UDP Packet Processing Integer Overflow Arbitrary Code Execution Vulnerability
Microsoft Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available. Microsoft has released a security bulletin and updates.

Trojan: W32.Duqu
W32.Duqu is a remote access trojan that attempts to steal sensitive information, initiate downloads of additional components, and provide backdoor access to a remote attacker. Virus definitions are available.
IntelliShield has updated this alert to include information about a vulnerability in the Microsoft Windows platform that the W32.Duqu trojan could leverage to infect a targeted system. ICS-CERT and multiple anti-virus vendors have also released security alerts with virus descriptions for this trojan.

Physical

Electronic Frontier Foundation Challenges Use of Drones in United States

Unmanned aerial vehicles (UAVs), more commonly known as drones, are well suited to surveillance. For years they have been used in military operations, and it was inevitable that they would be used by police in the United States (U.S.). Probably the first known arrest made with the help of a Predator drone took place on June 23, 2011, in North Dakota. By itself, that would not be so remarkable, because U.S. Customs and Border Protection has been allowed to use drones in its operations since 2005. The practice of using drones raises two big questions: oversight and operational parameters. In other words, who can use drones and for what purposes, and what is their payload?

IntelliShield Analysis: To address the first question, the Electronic Frontier Foundation has filed a lawsuit against the Federal Aviation Administration (FAA) asking who is certified to fly drones such as the one used in North Dakota. Any information obtained will probably be partial, because a drone flying below 120 meters need not file a flight plan, so the FAA may not know about such drones or their operators. The second question is whether drones are equipped only with optical sensors or with an electronic payload as well. If they do carry an electronic payload, they can be used for other purposes, as demonstrated by a home-made prototype presented at Defcon in 2011. The Defcon prototype showed that it is relatively easy to build a drone that can collect the information needed to break into wireless networks, clone mobile telephones, and snoop on Bluetooth sessions.
Once various payloads are being tried, it is only a small step to arming drones with firepower to use against targets.

Legal

Landmark Lawsuit Challenges Payment Card Industry Rules

Financial services companies that require compliance with the Payment Card Industry Data Security Standard (PCI DSS) are facing a legal challenge from an independent merchant in Park City, Utah. Cisero's Ristorante and Nightclub has brought a lawsuit against U.S. Bank in a dispute over money seized from the restaurant owner's account to pay fines levied by the financial services companies following an alleged loss of customer data, including credit card numbers. This is the first known legal challenge to the authority of payment card industry companies to fine third-party merchants for non-compliance with the PCI DSS.

IntelliShield Analysis: Unchallenged so far, the rules of the PCI DSS could change as the result of a legal ruling in this case. The right of financial services companies to enforce the standard and to impose fines related to breaches or non-compliance could be affected.

Trust

Comcast Completes DNSSEC Deployment

Comcast, one of the largest Internet service providers in the U.S., announced that it has completed its deployment of DNSSEC. DNSSEC supplements the hierarchical nature of the DNS with cryptographic signatures that make it possible to verify the authenticity of information stored in the DNS. This validation assures resolvers that when they request a particular piece of information from the DNS, they receive the data as published by the authoritative source. Comcast signed all of its domains so that users can verify the legitimacy of DNS responses for those websites. Comcast also said that it validates DNS transactions triggered by its customers when they use Comcast DNS servers. Comcast is the first ISP in the U.S. to have completed a full DNSSEC deployment.
IntelliShield Analysis: DNSSEC lets a validating resolver verify the authenticity and integrity of the answer a user receives when looking up the address of a website. Attacks such as DNS cache poisoning, spoofing, and corruption become much harder, and users can be more confident that they are being directed to the address the domain owner published. Comcast's completion of its DNSSEC deployment and migration of its subscribers to DNSSEC-validating resolvers is a positive countermeasure to the DNS threats mentioned above, and we expect other ISPs and vendors to follow with similar deployments. On the other hand, DNSSEC is by nature incompatible with DNS redirects: a resolver that substitutes its own answer for a signed response (for example, replacing a signed non-existent-domain result with the address of a search page) produces data that fails validation. For that reason, Comcast stopped its DNS redirect service after deploying DNSSEC. DNS redirects and DNS blocking of the kind that could be mandated by the recently introduced Stop Online Piracy Act (SOPA) will pose the same challenge to DNSSEC. It remains to be seen how SOPA would be enforced and what its implications for DNSSEC would be. Users are encouraged to use DNSSEC-validating resolvers and to enable DNSSEC validation in their operating systems or local resolvers where possible.

Identity

There was no significant activity in this category during the time period.

Human

If I Die: Who Speaks for the Dead?

A new Facebook application, If I Die, allows users to leave a message that will be published only after their death. The user selects "trustees" to report the death. The service, and the campaign promoting it, is predicated on the fact that most people cannot foresee their own death. Users install the application, create a video or text message, and nominate three people to serve as trustees responsible for reporting the user's death. The trustees must be Facebook friends, and the message is published only after all three have confirmed the death.
Geopolitical

Iran Nuclear Tensions Aggravated by Online Attacks

Reports surfaced last week that an Iranian nuclear scientist had been killed by a car bomb, the fourth such apparent assassination in two years. Tehran’s official news agency blamed Israel for the killing, which is alleged to be part of an ongoing effort to sabotage Iran’s nuclear program. In November, an explosion at an Iranian military base killed at least 17 people. The struggle has also manifested itself online, most prominently with the emergence of the sophisticated Stuxnet worm, which damaged centrifuges used for uranium enrichment. The new year started with reports of data breaches in Israel, culminating in the personal and credit card information of thousands of Israeli citizens being posted online. The Israeli government likened the incident to a terrorist attack; responsibility was claimed by a Saudi Arabian activist group. Days later, pro-Israel groups carried out a retaliatory cyber attack, leaking customer data reportedly taken from Saudi shopping websites.

IntelliShield Analysis: This escalation of tit-for-tat cyber attacks threatens to push the confrontation past the point where official state actors can even attempt to manage the situation, especially in the context of coincident real-world assassinations. Because the perpetrators cannot be positively identified, claims of responsibility and accusations of blame carry disproportionate weight; truth becomes in some ways less relevant as new actions and attacks proceed on the basis of speculation. For online businesses and financial institutions, trust is eroded and brands are damaged, even though these companies most likely took no overt political side. Information security specialists can probably expect continued cyber incidents in the region, given the apparent motivations behind these attacks.
Iran’s nuclear ambitions and frustration over the lack of progress in the Middle East peace process remain far from resolved.

Upcoming Security Activity

Cyber Defence & Network Security Conference: January 24–27, 2012

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

World Economic Forum (Davos): January 25–29, 2012

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.