Cyber Risk Report

June 4–10, 2012

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity for the period returned to levels that are consistent with previous periods. The highlight for the period continues to be the focus on the investigation and reporting of Flame malicious code and activity. Sources reported details of how a cryptographic collision attack was used in the attack and that the command-and-control systems controlling Flame-infected systems may be sending out a command that removes the malicious code from those systems. Reports also noted that many of the command-and-control servers have stopped operating. As speculation on the authors of the Flame malicious code continues, the United States (U.S.) government has called for an investigation into the leaks of classified information in some of the reports.

In other activity, Mozilla released Firefox 13, which corrects seven vulnerabilities, including four that are rated Critical. Adobe released multiple security advisories for vulnerabilities in Photoshop, Illustrator, and, later in the period, Flash Player. Apache Struts released a security advisory and update for an unauthenticated, remote code execution vulnerability. Functional exploit code for the Apache Struts vulnerability is publicly available. Additional security advisories and updates included multiple vulnerabilities in IBM AIX, SPSS, DB2, and WebSphere, multiple vulnerabilities in WordPress, and multiple vulnerabilities in RealNetworks RealPlayer.

In upcoming activity, Tuesday, June 12, 2012, will be the release date for both the monthly Microsoft Security Bulletins and the quarterly Oracle Java SE Critical Patch Update. Microsoft posted the Microsoft Security Bulletin Advance Notification for June 2012, which will include 7 bulletins addressing 25 vulnerabilities in Microsoft Windows, Internet Explorer, Visual Basic for Applications, Dynamics AX, and the .NET Framework. Oracle released the Oracle Java SE Critical Patch Update Pre-release Announcement for June 2012, which will include 14 security vulnerabilities.

IntelliShield published 107 events last week: 53 new events and 54 updated events. Of the 107 events, 61 were Vulnerability Alerts, 10 were Security Activity Bulletins, six were Security Issue Alerts, 29 were Threat Outbreak Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Saturday      06/09/2012     2         1       3
Friday        06/08/2012     8        22      30
Thursday      06/07/2012    12        11      23
Wednesday     06/06/2012    15         5      20
Tuesday       06/05/2012    10        10      20
Monday        06/04/2012     6         5      11
Weekly Total                53        54     107

Significant Alerts for June 4–10, 2012

Microsoft Windows Security Update for Digital Certificates Spoofing Vulnerability
IntelliShield Security Activity Bulletin 26035, Version 2, June 7, 2012
Urgency/Credibility/Severity Rating: 3/5/3

Microsoft Windows contains a vulnerability that could allow an unauthenticated, remote attacker to conduct spoofing, phishing, or man-in-the-middle (MITM) attacks on a targeted system. This update fixes a spoofing vulnerability in the affected software that results from the unauthorized use of digital certificates issued by a Microsoft Certificate Authority associated with Terminal Server licensing. The update revokes trust in two Microsoft Enforced Licensing Intermediate PCA certificates and one Microsoft Enforced Licensing Registration Authority CA certificate.

Previous Alerts That Still Represent Significant Risk

Oracle Java SE Critical Patch Update February 2012
IntelliShield Activity Bulletin 25191, Version 10, June 1, 2012
Urgency/Credibility/Severity Rating: 2/5/4
Multiple CVEs

Oracle has released the February 2012 Critical Patch Update to address multiple security vulnerabilities in multiple Oracle Java SE versions. This update remediates 14 vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a DoS condition on a targeted system. Oracle, CentOS, Red Hat, IBM, HP, and Apple have released security bulletins and updated software. Red Hat and HP have released additional security advisories and updated packages.

Adobe Flash Player Object Confusion Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 25833, Version 2, May 23, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-0779

Adobe Flash Player contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Updates are available. At the time of publication, reports indicate exploitation is ongoing in the wild. Adobe and Red Hat have released security advisories and software updates.

PHP php5-cgi Binary Setup Remote Unsanitized Command-Line Parameter Processing Vulnerability
IntelliShield Vulnerability Alert 25816, Version 9, May 22, 2012
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2012-1823

PHP contains a vulnerability that could allow an unauthenticated, remote attacker to disclose sensitive information, cause a DoS condition, or execute arbitrary code. Functional code that exploits this vulnerability is available as part of the Metasploit framework. PHP has confirmed this vulnerability and released updated software. FreeBSD and Red Hat have released security advisories and updated software.

OpenSSL ASN.1 asn1_d2i_read_bio() Heap Overflow Vulnerability
IntelliShield Vulnerability Alert 25706, Version 7, May 30, 2012
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2012-2110, CVE-2012-2131

OpenSSL contains a vulnerability that could allow an unauthenticated, remote attacker to cause a DoS condition. Proof-of-concept code that demonstrates this vulnerability is publicly available. OpenSSL, FreeBSD, Red Hat, and HP have released security advisories and updates.

Samba Marshaling Code Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 25650, Version 5, May 11, 2012
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2012-1182

Samba contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on an affected system. If successful, the attacker could execute arbitrary code with root-level privileges. Samba, Apple, FreeBSD, Red Hat, and Oracle have released security advisories and updates.

PHP Hash Collisions Fix Regression max_input_vars Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 25100, Version 3, May 10, 2012
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2012-0830

PHP 5.3.9 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a DoS condition on the affected system. Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available. Apple has released a security advisory and updated software.

Multiple Products Hash Collisions Denial of Service Vulnerability
IntelliShield Security Activity Bulletin 24871, Version 11, May 10, 2012
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-4461, CVE-2011-4815, CVE-2011-4885, CVE-2012-0193, CVE-2012-0841

Multiple products contain a vulnerability that could allow an unauthenticated, remote attacker to cause a DoS condition. Updates are available. Apache, Microsoft, CentOS, IBM, Ruby, FreeBSD, Red Hat, Oracle, HP, and Apple have released security advisories and updates.

Microsoft Windows, Office, and Silverlight TrueType Font Parsing Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 24500, Version 4, May 08, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-3402

Microsoft has released an additional security advisory and software updates to address the TrueType font parsing remote code execution vulnerability. Reports suggest that this vulnerability is being exploited by W32.Duqu to install itself on a targeted system. This trojan has been documented in IntelliShield Alert 24425.

EXIM Mail Transfer Agent Arbitrary Configuration Loading root Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 22053, Version 6, May 11, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-4345

EXIM has released a changelog and updated software to address the mail transfer agent arbitrary configuration loading root privilege escalation vulnerability. Exploitation of this vulnerability has been observed in conjunction with exploits for a vulnerability detailed in IntelliShield Alert 22051 (CVE-2010-4344). The vulnerability described by CVE-2010-4344 grants an unauthenticated, remote attacker exim privileges. The combination of these two vulnerabilities could allow an unauthenticated, remote attacker to gain root privileges on an affected system.

FreeType PostScript Type 1 Font Parsing callothersubr Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 23602, Version 6, May 11, 2012
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2011-0226

FreeType versions prior to 2.4.5 contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. FreeType.org has confirmed this vulnerability in the git repository and software updates are available. Functional exploit code for this vulnerability is used publicly in conjunction with other vulnerabilities to provide web-based "jailbreak" capabilities for Apple iOS devices. Other sites or exploits may be able to repurpose this exploit code for malicious purposes. Oracle has released a security advisory and updated software.

Physical

Political Bloggers SWAT-ed

Political bloggers have reported incidents of police arriving at their homes and businesses in response to anonymous, fraudulent emergency calls that reported crimes in progress at those locations. Known as SWAT-ing, this practice attempts to trigger a police SWAT response to a location as a form of harassment inflicted on unsuspecting victims. Because political blogging is the common link among the recent occurrences, SWAT-ing appears to be emerging as a new form of political activity. Read More

IntelliShield Analysis: SWAT-ing is usually done by spoofing the caller ID on Voice over IP (VoIP) phones, which hides the caller's number or displays a false caller ID number for the call. Police and others have little ability to determine whether the call and caller ID are fraudulent and, in an emergency, have little time to validate the call information, forcing an emergency response. SWAT-ing is not new, and it is a highly dangerous situation for both the victims and the police responding to what appears to be an emergency. Businesses can do little to avoid being fraudulently represented in caller ID, but they can establish coordinated procedures with local police to quickly de-escalate an attempted SWAT-ing or similar incident.

Legal

German Credit Agency SCHUFA Launches Project to Mine Social Networking Data

German credit agency SCHUFA announced a three-year project named SCHUFALab@HPI to mine and analyze personal data from social media platforms and other web applications. This information could come from Facebook, LinkedIn, Twitter, Xing, Yasi, and Google Street View, as well as other websites. SCHUFA is collaborating with the University of Potsdam's Hasso Plattner Institute on this project.
Read More
Additional Information
Additional Information

IntelliShield Analysis: The SCHUFA project is likely to face numerous legal challenges before it is ever put into practice. Politicians are already calling for complete transparency regarding the information gathered and how it may be used. Additionally, SCHUFA must develop a method to ensure that it is gathering information about the correct person and a process for responding in cases of mistaken identity. While SCHUFA addresses these legal questions, users of social media applications should review the privacy policy of their chosen applications and should adopt a policy of carefully choosing the type of information they are willing to share.

Trust

LinkedIn and eHarmony Suffer Major Breaches

The LinkedIn and eHarmony websites both reported major breaches of user account information, and millions of user passwords appear to have been compromised. A list of LinkedIn password hashes was posted to a website and quickly confirmed by multiple LinkedIn users as their passwords. LinkedIn has confirmed the breach and continues to investigate.
Read More
Additional Information
Additional Information
Additional Information

IntelliShield Analysis: The available details of the LinkedIn breach were included in a Cisco Security Blog post. Users of both websites have been advised to change their passwords. Multiple sources are reporting spam and phishing activity that attempts to further compromise user information with fake password change and breach notification e-mail messages. Maintaining complex and distinct passwords across the number of accounts that many users now have is beyond the capabilities of most users. Cisco recommends that users install password management software to assist them with creating, maintaining, and storing their passwords. Many of these applications are available for free. A recent review of some of these products is available in the third Additional Information link above.

Identity

There was no significant activity in this category during the time period.

Human

Texting Driver Convicted of Vehicular Homicide

A 17-year-old Massachusetts driver was found guilty and sentenced to jail for vehicular homicide. The sentencing resulted from a fatal accident in which one individual was killed and another seriously injured. Electronic evidence indicated the teen who caused the accident had been texting while driving just prior to the accident. Texting while driving is a misdemeanor offense in most U.S. states, but the judge in Massachusetts applied a new law to include texting while driving as negligence. Read More

IntelliShield Analysis: Most U.S. states now have laws against texting while driving, but the dangers have caused some states to consider the practice a more serious offense. As users become increasingly mobile, attempting to text, make a phone call, or perform other actions on a mobile device while performing other tasks, such as driving, is a serious risk that has to be addressed. Products are available that provide hands-free operation or block mobile device activity while driving; these could provide some technical controls for what is, at root, a human risk. Users must understand the risk associated with these activities.

Geopolitical

What Is The G20 About Again?

This year's G20 summit takes place in Los Cabos, Mexico, on June 18-19, 2012. Discussions this year will probably center on global economic growth and the European financial crisis, especially with Spain receiving an EU bailout and Greece looking at options that include leaving the Euro. Less apocalyptic but still alarming to economists, China's interest rate cut, the first since 2008, provided more evidence this week that Europe's problems are everyone's problem.
Read More
Additional Information
Additional Information

IntelliShield Analysis: Every G20 Summit seems to have its own crisis to define it. This year, the crisis is the situation in Europe, so arguments may center on the long-term viability of the Euro and the austerity-versus-stimulus debate. The summit regularly attracts protests and criticism, not only from countries that are shut out of the club, but also from populist groups who see it as a party for wealthy leaders who make decisions with their own political agendas and big business interests in mind. Luckily for everyone, global growth is not a zero-sum game, and what is good for one country may be good for others as well. For information security specialists, the G20 summit may best be viewed as a barometer for global economic priorities and problems. From a more tactical point of view, information security specialists who are tasked with monitoring critical networks in Mexico may want to bear in mind that the summit comes only a few weeks before the July 1, 2012, presidential elections in Mexico. It could provide groups who wish to tarnish current President Calderon's political party with an opportunity to do so for a global audience.

Upcoming Security Activity

Cisco Live US: June 10–14, 2012
Gartner Security & Risk Management Summit: June 11–14
Black Hat USA 2012: July 21–26, 2012
DEFCON 20: July 26–29, 2012
8th Annual GFIRST National Conference: August 19–24, 2012
ISSA International Conference: October 25–26, 2012

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:
G20 Summit (Los Cabos, Mexico): June 18–20, 2012
Mexico General Elections: July 1, 2012
London Olympic Summer Games: July 27–August 12, 2012
US Republican Convention (Tampa, FL): August 27–30, 2012
US Democratic Convention (Charlotte, NC): September 3–6, 2012


Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration


This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
