Cyber Risk Report

March 1–7, 2010

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity for this period returned to the higher levels consistent with previous periods.  The period was highlighted by vulnerabilities in Microsoft Internet Explorer, Cisco Unified Communications Manager, Cisco Digital Media Player and Digital Media Manager, and IBM Informix Dynamic Server.  Later in the period, VMware also released advisory VMSA-2010-0004, which addressed 29 vulnerabilities.

Microsoft released the advance notification for the March security bulletins.  This month's release on March 9, 2010, will include two bulletins with a maximum security rating of Important.

In spam and potentially in other vectors, the month of March includes three events that criminals are likely to use to attempt to exploit users.  In the United States (U.S.), it is nearing the individual income tax deadline of April 15, and the U.S. 2010 census began in March.  The US-CERT has released a warning message for the U.S. census activity and recommendations for avoiding malicious activity.  Later this month, the National Collegiate Athletic Association (NCAA) basketball tournament will also begin, which includes a large volume of online activity related to brackets, scores, and news updates.  Because many of the games occur during the business day, interested employees are likely to access these media from their business systems and therefore increase the risk for becoming victims of spam, search engine optimization exploits, and phishing attempts.  Users should be reminded that criminals will attempt to exploit these events and to use increased vigilance during the period.

Throughout March, many areas of the globe will be changing to Daylight Saving Time.  The United States will change on March 14, 2010, and the European Union (EU) will change on March 28, 2010.  A complete list of the time changes for each region is available at worldtimezone.com.

Related to future activity, Cisco will release the semiannual IOS security update on March 24, 2010.  The latest update occurred in September 2009.

IntelliShield published 116 events last week: 35 new events and 81 updated events.  Of the 116 events, 93 were Vulnerability Alerts, four were Security Activity Bulletins, 12 were Security Issue Alerts, six were Threat Outbreak Alerts, and one was a Cyber Risk Report.  The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New  Updated  Total
Friday        03/05/2010     2       39     41
Thursday      03/04/2010     6       10     16
Wednesday     03/03/2010    17        4     21
Tuesday       03/02/2010     5       15     20
Monday        03/01/2010     5       13     18
Weekly Total                35       81    116

Significant Alerts for the Time Period

Microsoft Internet Explorer Unsafe Help File Handling Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20014, Version 2, March 2, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-0483
Microsoft has released a security advisory with information about affected products to address the Microsoft Internet Explorer unsafe help file handling arbitrary code execution vulnerability.

Previous Alerts That Still Represent Significant Risk

Adobe Download Manager Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19979, Version 4, Feb 26, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-0189

Adobe Download Manager contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user.  Adobe has confirmed the vulnerability and released updated software.

Mozilla Firefox Unspecified Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19968, Version 1, Feb 19, 2010
Urgency/Credibility/Severity Rating: 2/3/4

Mozilla Firefox contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code.  Mozilla has not confirmed this vulnerability, and updated software is not available.

Multiple Symantec Products ActiveX Control Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19970, Version 1, Feb 19, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-0107

Multiple Symantec products contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the system.  Symantec confirmed this vulnerability and released software updates.

Microsoft Internet Explorer Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19726, Version 5, February 25, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-0249

Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code.  Microsoft has confirmed this vulnerability and released software updates.  Additional information is available regarding mitigations and exploit code related to the Internet Explorer remote arbitrary code execution vulnerability.

Adobe Reader and Acrobat newplayer() Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19602, Version 8, January 22, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-4324

Adobe Acrobat and Reader versions 9.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system or cause a denial of service condition.  Proof-of-concept code that exploits the vulnerability is publicly available.  Adobe has confirmed this vulnerability, and updates are available.  This vulnerability is being actively exploited through directed phishing attacks.

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 38, March 4, 2010
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-3555

Multiple TLS implementations contain a vulnerability when renegotiating a Transport Layer Security (TLS) session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack.  Multiple vendors have released updates to correct this vulnerability.  Proof-of-concept code that exploits this vulnerability is publicly available.

Physical

There was no significant activity in this category during the time period.

Legal

United States Declassifies Portion of Comprehensive National Cybersecurity Initiative

At the RSA Conference last week, the recently appointed U.S. White House Cybersecurity Coordinator Howard Schmidt announced the declassification of portions of the Comprehensive National Cybersecurity Initiative (CNCI).  The declassified portions of the initiative are now available online at the White House website.  The reported reason for declassifying a portion of the plan was to improve transparency and improve government and private industry partnerships in cybersecurity.

IntelliShield Analysis: Improving partnerships with private industry was a main theme for many government speakers at the RSA Conference last week.  Classification of government materials is one of the major inhibitors to government and industry partnerships, information sharing, and cooperation on cybersecurity projects.  Few private industry workers have government security clearances, and few will attempt to complete one because of the requirements, time, and cost involved.  No doubt some of this material requires classification for national security, but declassifying or producing declassified versions of many of these documents will aid in encouraging private industry to participate.  In addition to the U.S. administration's call for transparency, the openness will also assist private industry from the public relations perspective.  This is a small step in the right direction, but much more can and will probably have to be done for the government to build these partnerships.

Trust

There was no significant activity in this category during the time period.

Identity

Identity Theft of Medical Insurance Coverage

Medical insurance fraud through identity theft is gaining attention.  Patients are finding that incorrect information has been added to their medical records or that they have been charged for procedures they have not undergone.  Like credit fraud, medical insurance fraud can lead to unnecessary charges to the victim.  However, it can also cause improper medical information—including data related to allergies, blood type, or medical conditions—to be associated with the victim's medical history.  Such improper associations could have the potential for diminished medical care or even physical harm or death.

IntelliShield Analysis: In many cases, investigators have shown that credit identity fraud and medical identity fraud have similar sources, including theft resulting from employees who handle identity information, relatives who steal identity information from each other, and online records breaches.  In cases in which the services are not performed locally, increased medical costs are the most likely damages because victims could be billed for services they did not receive.  But if the victim lives within the vicinity of the fraud perpetrator, such as a relative, it may be more likely that the victim could receive diminished care because of conflicting health records.  Distribution of health information, such as electronic health records, removes compartmentalization that could help prevent physical harm from these kinds of activities.  As health records move from localized or paper-based to distributed, electronic records, organizations might notice more reports of fraud as well as increased patient harm from fraud.

Human

Israeli Military Action Called Off After Soldier's Facebook Post

An Israeli soldier posted details to his Facebook account about an upcoming Israeli Defense Forces (IDF) operation in which he was preparing to participate.  He was relieved of duty after his Facebook friends reported him to military authorities. The planned operation was scrapped by the IDF when the secrecy surrounding the event was compromised by the soldier's Facebook post, which included the time, place, and date of the engagement as well as the name of his combat unit. Meanwhile, in the United States, Department of Defense (DoD) Secretary William J. Lynn III signed into effect a policy that allows U.S. forces to use social networking tools such as Facebook on nonclassified DoD systems.  The new policy provides instructions for "safe and effective use of Internet-based capabilities," including Web 2.0 applications.

IntelliShield Analysis: The disclosure of sensitive military operation details through a Facebook post was a thoughtless act that could have jeopardized the lives of the entire IDF unit. The Israeli soldier's post underscores the need for responsible use of social networks and highlights fresh perils for military personnel. The DoD policy lifts the previous ban on social networking but adds some new rules, including one that allows U.S. commanders to restrict access to the Internet in cases of operational security issues. Representatives for the IDF had no immediate comment regarding their recent experience with Web 2.0, but IDF commanders will undoubtedly be reviewing allowed levels of access to the Internet for Israeli soldiers.

Geopolitical

German Court Overturns Data Retention Law

Germany's constitutional court has overturned a 2008 law requiring that telecommunications call data be retained for six months for counterterrorism and law enforcement purposes.  Calling the law a particularly significant infringement of privacy in telecommunications, the court not only struck down the law, but also mandated the deletion of all data currently on file.  The law has been broadly unpopular and went beyond other countries' data retention requirements, although it stopped short of requiring that the contents of e-mail messages, telephone conversations, and text messages be retained.  The ruling comes on the heels of German privacy objections to Google's plans to store unblurred street images for Google Street View for 12 months.  Another recent example of European rejection of data retention conventions is the European Parliament's veto of an EU-U.S. accord that allowed the United States to access bank money transfer records for counterterrorism investigation purposes.

IntelliShield Analysis: It may be too early to say that the tide in Europe has turned in favor of privacy advocates and against those who advocate greater leverage for law enforcement, governments, and private companies to collect and retain information about individuals. However, recent cases do appear to be breaking against those laws promulgated in the aftermath of the September 11, 2001, terror attacks in the United States.  Private sector technology companies that retain customer data as a part of their businesses may find the laws governing them becoming more restrictive in the current political climate.  Such companies may want to monitor these laws carefully because they vary widely across jurisdictions and involve increasingly complicated issues. These issues include where data physically resides and where the user is located, which are potentially two very different data points.  Guardians of valuable customer information may also be called upon by law enforcement or government representatives to share data, and may wish to independently verify their rights and responsibilities.  This pro-privacy trend manifests itself even as users share more of their personal lives more freely than ever on the Internet, an irony not lost on many observers.

Upcoming Security Activity

CanSecWest 2010, Vancouver: March 24–26, 2010
Cisco Networkers 2010, Bahrain: March 28–31, 2010
InfoSec World 2010: April 17–23, 2010

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.