Cyber Risk Report

July 12–18, 2010

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity increased during the period due to the scheduled releases of Microsoft and Oracle security updates and multiple security updates from HP, CentOS, and VMware.

Microsoft released the security bulletins for July, including four bulletins that addressed five vulnerabilities.  Three of the bulletins were rated critical by Microsoft.  The bulletins did not address the multiple vulnerabilities released by researchers in the weeks prior to the July bulletins.  Details of the Microsoft Security Bulletin vulnerabilities and the unaddressed vulnerabilities are available in the IntelliShield alerts on the Cisco Security Intelligence Operations portal.  Additional information about the July Microsoft bulletins is available in the Cisco Event Response and the Applied Mitigation Bulletin.

New malware has been detected that appears to rely on an undisclosed vulnerability in Microsoft Windows .lnk file handling. This malware appears to be targeted at Siemens WinCC SCADA installations due to the inclusion of hard-coded passwords.  The new malware, called W32/Stuxnet-B, propagates using USB drives apparently infected with malformed shortcut (.lnk) files.  Additional details are available in IntelliShield alert 20915.

Oracle has released the Critical Patch Update advisory for July 2010 for multiple products.  This update contains 59 security fixes for multiple Oracle products.  Several fixes correct vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on a targeted system.  This update fixes six vulnerabilities for Oracle Database Server, two vulnerabilities for TimesTen In-Memory Database, five vulnerabilities for Oracle Secure Backup, and seven vulnerabilities for Oracle Fusion Middleware.  Additional fixes include a vulnerability for Oracle Enterprise Manager, seven vulnerabilities for Oracle E-Business Suite, two vulnerabilities for Oracle Supply Chain Products Suite, eight vulnerabilities for Oracle PeopleSoft and JDEdwards Suite, and 21 vulnerabilities for Oracle Sun Products Suite.  Since the Oracle release on July 13, 2010, additional details about the Secure Backup and WebLogic server have been reported in multiple IntelliShield alerts.

Mozilla identified and removed a malicious Firefox add-on from its download list.  The popular security add-on, Mozilla Sniffer, legitimately allowed a user to modify HTTP and HTTPS headers to perform security testing.  However, the add-on also included backdoor code that allowed an attacker to capture account and password information.

Antivirus researchers released information about what is being reported as Zeus version 3.  The new version is reported to include some modified characteristics as well as modified targeting of financial institutions.  In our analysis, this is largely a debate over naming, which has always been an issue with antivirus researchers and vendors.  According to Zeus Tracker, the Zeus or Zbot malcode currently has nearly 1,200 known configuration files and hundreds of known and not widely known binaries.  Detection rates are below 50 percent.  Zeus remains a serious threat to financial institutions and users, regardless of whether the latest changes constitute the naming of a new version.  Additional technical information, including the latest blocking lists and removal guidance, is available in IntelliShield alerts and at the Zeus Tracker website.
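The paragraph above points to Zeus Tracker blocking lists as the practical control. The following is an added example, not part of the Cisco report and not Zeus Tracker code, showing how a defender can apply such a list to web proxy logs: it loads a domain/IP blocklist in the common one-entry-per-line form, extracts the host from each logged URL, and matches on the exact host or any parent domain (so "www.bad.test" hits an entry for "bad.test" while "notbad.test" does not). The blocklist entries and log lines are constructed for illustration only.

```python
# Added example: match proxy log hostnames against a Zeus-Tracker-style blocklist.
# All entries and log lines below are constructed samples, not real feed data.
from __future__ import annotations

import ipaddress
import re

# Constructed sample blocklist: one entry per line, '#' starts a comment.
SAMPLE_BLOCKLIST = """\
# constructed sample, not a real feed
badzbot-example.test
update.cfgdrop-example.test
192.0.2.44
"""

# Constructed sample proxy log lines: "timestamp client-ip result url".
SAMPLE_LOG = """\
1279180800.001 10.0.0.15 TCP_MISS http://www.badzbot-example.test/cfg.bin
1279180801.221 10.0.0.16 TCP_HIT http://intranet.example.test/index.html
1279180802.550 10.0.0.17 TCP_MISS http://192.0.2.44/gate.php
1279180803.900 10.0.0.18 TCP_MISS https://update.cfgdrop-example.test:8443/x
1279180804.100 10.0.0.19 TCP_MISS http://notbadzbot-example.test/
"""

# scheme://[user@]host[:port]... ; captures the host part only (no IPv6 literals).
_HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://(?:[^@/]*@)?([^/:?#]+)")


def load_blocklist(text: str) -> tuple[set[str], set]:
    """Split a feed into lowercase domain entries and IP-address entries, skipping comments."""
    domains: set[str] = set()
    ips: set = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        try:
            ips.add(ipaddress.ip_address(line))
        except ValueError:
            domains.add(line.rstrip("."))
    return domains, ips


def host_from_url(url: str) -> str | None:
    """Return the lowercase host of a URL, or None if the URL has no recognizable host."""
    m = _HOST_RE.match(url.lower())
    return m.group(1) if m else None


def host_matches(host: str, domains: set[str], ips: set) -> str | None:
    """Return the blocklist entry that covers `host`, or None.

    IP hosts must match an IP entry exactly; domain hosts match on the host itself
    or on any parent domain, which avoids substring false positives like
    'notbadzbot-example.test' matching 'badzbot-example.test'.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return str(ip) if ip in ips else None
    labels = host.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_log(log_text: str, blocklist_text: str) -> list[tuple[str, str, str]]:
    """Return (client_ip, host, matched_entry) for every log line whose URL host is blocklisted."""
    domains, ips = load_blocklist(blocklist_text)
    hits: list[tuple[str, str, str]] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or truncated line; skip rather than guess
        client, url = parts[1], parts[3]
        host = host_from_url(url)
        if host is None:
            continue
        entry = host_matches(host, domains, ips)
        if entry:
            hits.append((client, host, entry))
    return hits


if __name__ == "__main__":
    for client, host, entry in scan_log(SAMPLE_LOG, SAMPLE_BLOCKLIST):
        print(f"{client} -> {host} (blocklist entry: {entry})")
```

Run against the constructed data, the script reports three of the five lines: the subdomain of a listed domain, the listed IP address, and the exact listed host; the look-alike "notbadzbot-example.test" is correctly left alone. A real deployment would refresh the list on a schedule and feed hits to the ticketing or SIEM workflow rather than printing them.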

IntelliShield published 116 events last week: 51 new events and 65 updated events.  Of the 116 events, 84 were Vulnerability Alerts, 13 were Security Activity Bulletins, two were Security Issue Alerts, 14 were Threat Outbreak Alerts, two were Applied Mitigation Bulletins, and one was a Cyber Risk Report.  The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New  Updated  Total
Friday        07/16/2010     9       14     23
Thursday      07/15/2010    11        7     18
Wednesday     07/14/2010    16       12     28
Tuesday       07/13/2010     8       30     38
Monday        07/12/2010     7        2      9
Weekly Total                51       65    116


Significant Alerts for the Time Period

Microsoft Windows Help and Support Center Whitelist Bypass Vulnerability
IntelliShield Vulnerability Alert 20691, Version 6, July 15, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-1885

Exploits of the Microsoft Windows Help and Support Center whitelist bypass vulnerability are being observed in the wild.  The alert has been updated to indicate an increase in the Urgency score due to a reported increase in the number of targeted attacks.

ICANN Readies Deployment of Signed Root DNS Zones
IntelliShield Vulnerability Alert 20418, Version 2, July 15, 2010
Urgency/Credibility/Severity Rating: 2/5/3

Signed root DNS zones are designated to go into effect during a maintenance window July 15, 2010, establishing the availability of DNSSEC-enabled queries.

Previous Alerts That Still Represent Significant Risk

Microsoft Exchange Server Outlook Web Access Cross-Site Request Forgery Vulnerability
IntelliShield Vulnerability Alert 20854, Version 1, July 9, 2010
Urgency/Credibility/Severity Rating: 2/4/3

Microsoft Exchange Server contains a vulnerability that could allow an unauthenticated, remote attacker to conduct cross-site request forgery attacks on an affected site.  Proof-of-concept code that exploits this vulnerability is publicly available.  Updates are not available.

Multiple Adobe Products Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20625, Version 7, July 1, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-1297

Multiple Adobe products contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system or cause a denial of service condition.  Functional code that exploits this vulnerability is available.  Adobe has confirmed this vulnerability and released updated software.

Oracle Java Web Start Java Development Kit ActiveX Control Command-Line Injection Vulnerability
IntelliShield Vulnerability Alert 20314, Version 4, May 19, 2010
Urgency/Credibility/Severity Rating: 3/5/4

Oracle Java contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands on the system with the privileges of the user.  Systems with Oracle Java JRE and JDK 6 Update 10 and later contain the affected ActiveX control and are vulnerable.  Apple has released security updates for Java for Mac OS X 10.6 Update 2 and Java for Mac OS X 10.5.  Multiple vendor updates are available.

Kernel Hook Bypassing Engine Affects Multiple Security Applications
IntelliShield Vulnerability Alert 20433, Version 2, May 13, 2010
Urgency/Credibility/Severity Rating: 2/4/4

A security research team has created a tool that is able to bypass security software protections provided by host-based security software on Microsoft Windows systems and execute arbitrary code with kernel privileges.

Microsoft SharePoint Services Help.aspx Cross-Site Scripting Vulnerability
IntelliShield Vulnerability Alert 20415, Version 3, June 8, 2010
Urgency/Credibility/Severity Rating: 2/5/3

Microsoft Windows SharePoint Services versions SP2 and prior contain a cross-site scripting vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary HTML or script code in a user's browser.  Proof-of-concept code that exploits this vulnerability is publicly available.  Microsoft has confirmed this vulnerability and released software updates.

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 59, July 13, 2010
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-3555

Multiple Transport Layer Security (TLS) implementations contain a vulnerability when renegotiating a TLS session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack.  Proof-of-concept code that exploits this vulnerability is publicly available.  Mozilla and Oracle, in addition to other vendors, have released updates for this vulnerability.

Physical

ATM Skimmers and Bluetooth

Credit card thieves are now using Bluetooth technology in their latest method of stealing credit card data.  Along Interstate 75 in Florida, thieves have infiltrated pay-at-the-pump gas stations with credit card data skimmers that are connected between the card reading electronics inside the gas pump and the CPU of the pump, completely hiding the device and leaving few or no visual cues that any tampering has taken place.  The only sign that a pump may have been tampered with would be a broken inspection seal on the outside of a pump.  However, many states do not use seals, but rather stickers indicating that the pump has been inspected within the last year.  Many gas pump models use a common key for all of a manufacturer's pumps, or a common key for each of the individual pump models, giving thieves quick access to the pump's electronics.  All a thief needs to do once the device is installed is to pair a Bluetooth device with the skimmer inside the pump during a quick stop at the station and then download the collected card information.

IntelliShield Analysis: Efforts in Europe are well underway, and in many cases completed, to transition away from a simple magnetic stripe to a smart card "chip and PIN" system.  American financial institutions have been much more recalcitrant in making this change due to the cost of the cards and the replacement of the card terminals at retail locations.  If possible, do not use debit cards for transactions at unattended credit card terminals, but use credit cards instead.  This action transfers liability from the individual to the credit card's issuing bank.  Due to the escalating ATM skimming fraud, organizations should consider adjusting their physical security measures to prevent these attacks, including refocused or increased electronic surveillance, employee monitoring, and regular physical checks of the ATM systems.

Legal

Customer Database as an Asset

As part of a bankruptcy filing, the former publishers of XY Magazine and its related website have listed their entire subscriber database as an asset, which lists between 100,000 and one million people.  The United States Federal Trade Commission (FTC) warned that selling the customer information as part of the settlement would violate the privacy policy established by XY for its customers, which promised that it "never sells its list to anybody." Because XY's target audience was gay or questioning adolescents and young men, the disclosure of such information could have serious personal ramifications, particularly if those subscribers have not reached the age of majority or shared specific details of their personal lives with their families.  The FTC court ruling noted that "data could be sold and re-sold for decades" and that "customers would have no adequate remedy at law and no way to regain their security."

IntelliShield Analysis: Individuals who conduct business under the privacy terms set forth by a company expect that the agreement will be adhered to, barring any revised terms to which the customer must agree in order to continue the business relationship.  The XY case is a poignant example of the potential peril involved if such information is listed as an asset as part of a liquidation.  While XY's subscriber base could be viewed as valuable to another media outlet that targets the same demographics, customers should not have to worry that a transfer of ownership—whether through liquidation, acquisition, merger, or other means—would change the terms of the original conditions without their personal consent in advance.  Consumer confidence and the willingness to share personal (and potentially sensitive) information will erode unless the "privacy promise" is maintained, regardless of the legal circumstances of the company involved.

Trust

There was no significant activity in this category during the time period.

Identity

New Health and Human Services Rules to Expand Patients' Rights to Control Data

The United States Department of Health and Human Services (HHS) recently announced new rules that will provide patients with more control over who has access to and what can be done with their health and medical data.  These rules are considered modifications to the Health Insurance Portability and Accountability Act (HIPAA), which has governed the use of patient health information since its inception in 1996.  HHS has also created a privacy website to help in the dissemination and subsequent understanding of the continued efforts in place to help secure patient health information.

IntelliShield Analysis: On the surface, the idea of giving users more control over their own information appears to be prudent, but it also brings with it the normal paranoia that it may increase the possibility that the patient information could be disclosed or compromised.  One concern revolves around how the data is controlled (or not) based on default settings of the application used to access patient information.  In other words, do individuals have to explicitly allow others to view data (while implicitly denying access to all others) or do they have to specifically restrict others from viewing their data (while implicitly allowing access to all others)?  Another concern could be the ease (or difficulty) with which users can make changes to these settings without inadvertently providing more access to their data than they had envisioned.  The human element of security—including physical, network, and data security—is often considered the weakest link in the overall infrastructure used to protect proprietary data and resources.
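The analysis above raises two design questions: whether a record's default is implicit deny (opt-in sharing) or implicit allow (opt-out sharing), and whether a settings change can silently widen access. The following is an added example, not from the report, HHS, or any real patient-portal product, that models both with a small policy evaluator: an explicit deny always wins, the record owner and explicitly allowed principals may read, and only then does the model's default apply. The principals, grants, and the `newly_exposed` helper are constructed for illustration.

```python
# Added example: default-deny versus default-allow access to a patient record.
# Patients, providers and grants here are constructed sample data, not a real system.
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class RecordPolicy:
    """Access rules a patient has set on their own record.

    allow:         principals explicitly granted read access
    deny:          principals explicitly blocked
    default_allow: True  -> anyone not in `deny` may read   (opt-out model)
                   False -> only the owner and `allow` may read (opt-in model)
    """
    owner: str
    allow: set[str] = field(default_factory=set)
    deny: set[str] = field(default_factory=set)
    default_allow: bool = False


def can_read(policy: RecordPolicy, principal: str) -> bool:
    """Decide whether `principal` may read the record.

    Precedence: explicit deny, then owner / explicit allow, then the model default.
    Putting deny first means a principal listed in both sets is still refused.
    """
    if principal in policy.deny:
        return False
    if principal == policy.owner or principal in policy.allow:
        return True
    return policy.default_allow


def exposure(policy: RecordPolicy, everyone: set[str]) -> set[str]:
    """The full set of principals who can read the record: what a patient actually
    needs to see, since an opt-out list only shows who is blocked."""
    return {p for p in everyone if can_read(policy, p)}


def newly_exposed(before: RecordPolicy, after: RecordPolicy, everyone: set[str]) -> set[str]:
    """Principals who gain read access when a patient changes settings from
    `before` to `after`; a safe UI would show this set before saving."""
    return exposure(after, everyone) - exposure(before, everyone)


if __name__ == "__main__":
    # Constructed population of principals known to the (hypothetical) portal.
    everyone = {"patient-1", "dr-a", "dr-b", "billing", "researcher"}

    # Opt-in: the patient named one physician; everyone else is implicitly denied.
    opt_in = RecordPolicy(owner="patient-1", allow={"dr-a"}, default_allow=False)
    # Opt-out: the patient blocked one party; everyone else is implicitly allowed.
    opt_out = RecordPolicy(owner="patient-1", deny={"researcher"}, default_allow=True)

    print("opt-in exposure :", sorted(exposure(opt_in, everyone)))
    print("opt-out exposure:", sorted(exposure(opt_out, everyone)))
    # Flipping the model while keeping the same lists widens access silently.
    print("newly exposed by switching models:", sorted(newly_exposed(opt_in, opt_out, everyone)))
```

With the constructed data the opt-in policy exposes the record only to the patient and dr-a, while the opt-out policy exposes it to everyone except the researcher; switching from one model to the other without touching the lists hands access to dr-b and billing, which is exactly the inadvertent widening the analysis warns about. The `exposure` view, rather than the raw allow/deny lists, is what a patient-facing interface should present.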

Human

There was no significant activity in this category during the time period.

Geopolitical

Russian Mobile Operators Urge Transparency in 4G Auctions

In a letter to the Communications Ministry this month, Russia's top three mobile carriers called on the government to ensure transparency in upcoming LTE 4G spectrum auctions.  Chief executives of MTS, MegaFon, and Vimpelcom signed the letter, according to the Russian business daily Kommersant. The executives were concerned that smaller companies, owned by the Defense Ministry, might receive preferential consideration in the auctions, and might later resell spectrum rights at a significant profit.  They requested an explicit ban on noncompetitive distribution of 4G frequency rights to entities that may quickly resell them.

IntelliShield Analysis: The issue of spectrum allocation is contentious in many countries as needs outpace available bandwidth. For years, incumbent carriers and military establishments in these countries enjoyed mostly uncontested access to the electromagnetic spectrum, with the result that portions fell idle or were inefficiently utilized.  As governments move to free up spectrum for consumer and industry use, incumbent carriers may be uninterested in investing in broadband networks supported by new spectrum allocations or may wish to slow the pace of investment, while military establishments may be reluctant to give up valuable spectrum without some payback.  The letter from Russia's top mobile carriers may be an encouraging sign that Russia's current modernization push, led by President Dmitry Medvedev, is paying early dividends not only in freeing up spectrum but in freeing up discourse on the rule of law and transparency.

Upcoming Security Activity

Black Hat USA (Las Vegas, United States): July 24–29, 2010
BSides Las Vegas: July 28–29, 2010
DEFCON 18: July 29–August 1, 2010

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

World Expo (Shanghai, China): May 1–October 31, 2010

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
