Cyber Risk Report: March 15-21, 2010

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity for the period decreased from previous periods, but several important security advisories were released. Microsoft re-released a security advisory and provided updated software to address an invalid pointer reference arbitrary code execution vulnerability in Microsoft Internet Explorer, which is reported in IntelliShield Alert 20052. Apple and Google also released updates to correct multiple vulnerabilities in their respective Safari and Chrome browsers. Reports suggest that these releases may be related to the upcoming CanSecWest contest, where researchers are expected to announce additional vulnerabilities. Security updates were also released by Red Hat, IBM, and SpamAssassin during the period. Looking forward, Cisco will release the semiannual Cisco IOS Software Security Advisory bundled publication on March 24, 2010. The previous bundled publication was released in September 2009.
In threat activity, proof-of-concept code that exploits an arbitrary code execution vulnerability in Adobe Reader and Acrobat is publicly available; the vulnerability is reported in IntelliShield Alert 19948.

The National Collegiate Athletic Association (NCAA) basketball tournament began during the period. The tournament generates a large volume of online activity related to brackets, scores, and news updates. Because many games occur during the business day, interested employees will likely access this media from business systems and therefore increase their risk of falling victim to spam, malicious search engine optimization (poisoned search results), and phishing attempts. For these reasons, organizations should remind users that criminals will attempt to exploit these events and advise users to exercise increased vigilance.

Throughout March, many areas of the globe change to Daylight Saving Time. The European Union (EU) changes on March 28, 2010. A complete list of the time changes for each region is available at worldtimezone.com.

IntelliShield published 76 events last week: 20 new events and 56 updated events. Of the 76 events, 53 were Vulnerability Alerts, eight were Security Activity Bulletins, eight were Security Issue Alerts, five were Threat Outbreak Alerts, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals (table)
Significant Alerts for March 15-21, 2010

Microsoft Internet Explorer Invalid Pointer Reference Access Arbitrary Code Execution Vulnerability
Microsoft has re-released a security advisory and updated software to address the Microsoft Internet Explorer invalid pointer reference access arbitrary code execution vulnerability. Functional exploit code is being used in ongoing attacks.

Previous Alerts That Still Represent Significant Risk

Microsoft Internet Explorer Unsafe Help File Handling Arbitrary Code Execution Vulnerability
Microsoft has released a security advisory with information about affected products to address the Microsoft Internet Explorer unsafe help file handling arbitrary code execution vulnerability. Proof-of-concept code that demonstrates code execution is available.

Adobe Download Manager Remote Arbitrary Code Execution Vulnerability
Adobe Download Manager contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. Adobe has confirmed the vulnerability and released updated software.

Mozilla Firefox Unspecified Arbitrary Code Execution Vulnerability
Mozilla Firefox contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Mozilla has not confirmed this vulnerability, and updated software is not available.

Multiple Symantec Products ActiveX Control Arbitrary Code Execution Vulnerability
Multiple Symantec products contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the system. Symantec has confirmed this vulnerability and released software updates.

Microsoft Internet Explorer Remote Arbitrary Code Execution Vulnerability
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has confirmed this vulnerability and released software updates.
Additional information is available regarding mitigations and exploit code related to the Internet Explorer remote arbitrary code execution vulnerability.

Adobe Reader and Acrobat newplayer() Arbitrary Code Execution Vulnerability
Adobe Acrobat and Reader versions 9.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system or cause a denial of service condition. Proof-of-concept code that exploits the vulnerability is publicly available. Adobe has confirmed this vulnerability, and updates are available. This vulnerability is being actively exploited through targeted phishing attacks.

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
Multiple Transport Layer Security (TLS) implementations contain a vulnerability in session renegotiation that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack, splicing attacker-chosen plaintext into a session that the server treats as authenticated. Multiple vendors have released updates to correct this vulnerability. Proof-of-concept code that exploits this vulnerability is publicly available.

Physical

Chips, Chips, and More Chips
A pro-privacy group in the United Kingdom (UK) recently reported that, unbeknownst to the general public, more than 2.6 million microchips have been installed in garbage bins in an effort to monitor the trash generation and volume of UK households. Opponents claim that the chips represent a form of government monitoring that will be used to penalize households producing excessive amounts of trash, but proponents (namely the UK government) insist that the monitoring will actually reward families that reduce household waste. In a related story, the UK government is contemplating the use of microchips in dogs to help locate the owners of animals suspected of attacking people.

IntelliShield Analysis: Many agree that our collective society is generating, collecting, storing, and analyzing more and more data at an alarmingly increasing rate.
The divisiveness surrounding intelligence data centers on how it is used and by whom. Individuals who strive to protect privacy traditionally object to the collection and use of such data unless the individuals in question explicitly authorize it. Government authorities and law enforcement agencies, however, hope to leverage the data to (among other uses) enhance the overall protection of society. Although the use and purpose of this data will always be fodder for debate, it does indeed provide a view into our personal, private, and business lives.

Fired Worker Disabled Cars Via Web
In the United States, a former employee of a Texas-based used car dealership recently sought revenge after being terminated by remotely interfering with vehicle horns and engines via the web. After Omar Ramos-Lopez was terminated, he authenticated to the dealership's online collections system using another employee's credentials and activated the horns and disabled the starters of more than 100 financed vehicles. Once the horns were activated, many owners' only recourse was to remove the batteries from their vehicles; some vehicles were also towed. Police used access logs from the collections system to trace the source IP address to Ramos-Lopez's AT&T Internet service. The case illustrates two practical points: access to systems that can remotely disable equipment must be revoked at the moment of termination, and credentials shared among staff defeat both access control and attribution, which in this instance rested on the system's access logs rather than on the account that was used.

Legal

Multiple Agencies Issue Joint Wire Transfer Fraud Warning
A rise in fraudulent wire transfers to overseas locations prompted multiple agencies to issue a joint cybersecurity advisory offering recommended security practices for banks and businesses. The United States (U.S.) Department of Justice, the New York State Intelligence Center, the New York State Police, the New York State Office of Homeland Security, the U.S.
Secret Service, the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Financial Services ISAC (FS-ISAC) called the Zeus botnet and related malware a growing threat to online banking customers and reported that average losses per victim ranged from US$100,000 to US$200,000.

Trust

United States Judge Freezes Accounts of Russian Firm Accused of Manipulating Stocks
A United States federal judge recently agreed to freeze the assets of a Russian stock trading firm after the Securities and Exchange Commission (SEC) presented evidence of fraudulent trading. The SEC noticed that 38 securities traded by BroCo Investments were heavily bought through a series of legitimate brokerage accounts that were later found to have been compromised. BroCo profited heavily from this trading activity, and the SEC believes that the firm orchestrated the intrusions to inflate the value of stocks held by BroCo so that they could be sold at a significant profit.

IntelliShield Analysis: These "pump and dump" scams are not new on the Internet; they have featured prominently in e-mail campaigns that attempt to convince recipients that they have received a valuable stock tip. In BroCo's case, the SEC noticed that several microcap stocks with low trading volumes showed sharp increases in activity and that a single account was profiting from the spikes. Anomaly detection was clearly valuable in the SEC's investigation; organizations involved in securities and commodities trading should consider employing network situational awareness and advanced heuristics to detect these kinds of activities as well.

Identity

MySpace to Sell User Data
The MySpace social networking website recently began selling bulk user data on the infochimps.com data marketplace. The data for sale includes user pictures, names, zip codes, blog posts, status updates, and music playlists. Some types of data, such as user friend lists, will remain restricted.
IntelliShield Analysis: The MySpace development is especially interesting because other social networking companies may choose to follow suit. The sale of user data raises interesting and difficult questions, not least how MySpace users will react to the sale. At the very least, the sale should reinforce the lesson that users should not post anything on a public forum that could later embarrass them or compromise their identity, especially when access to the information may be sold to unknown parties at a later date.

Human

There was no significant activity in this category during the period.

Geopolitical

Mexican Drug Violence Continues
Following the recent murders of three individuals with ties to the United States (U.S.) consulate in Ciudad Juarez, Mexico, the U.S. Department of State issued a travel warning and authorized the departure of dependents of U.S. government employees from six consulates near the U.S.-Mexico border. Although the investigation is ongoing, some theorize that two of the victims were targeted by mistake because their SUV resembled that of the intended target. The possibility that U.S. government employees were deliberately targeted, however, has increased pressure on both the U.S. and Mexican governments to demonstrate that they are addressing the problem. Drug-related violence in Mexico continues to escalate as a by-product of Mexican President Felipe Calderón's campaign to subdue the violent gangs believed to be responsible for 7,000 deaths in 2009 alone.

IntelliShield Analysis: Mexico's struggle against drug trafficking is of grave concern to multinational companies that use the country as a manufacturing and transportation hub. Businesses with operations in the border region (in cities such as Ciudad Juarez, Tijuana, and Nogales, as well as cities further south, including Mexico City) have observed no improvement in employee security.
Deeming the country off-limits to business is not a solution, particularly as certain areas of Mexico remain as safe as many U.S. cities. Security planners may consider assessing the security profile of each city individually as they gauge travel and safety policies for the region. At the same time, concerns about spillover violence into cities north of the border, although punctuated by anecdotal evidence, are not reflected in larger statistical samples. Furthermore, the murders that make headlines are not the greatest risk to the vast majority of individuals, who are able to avoid violence. Rather, high rates of kidnappings and ATM "express kidnappings" are a more common concern for foreign operations and employees in Mexico. Given President Calderón's resolve to continue the antidrug campaign, business risks in the southwest border region are likely to remain elevated for years to come.

Upcoming Security Activity

CanSecWest 2010, Vancouver: March 24-26, 2010

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Passover: March 29, 2010

Additional Information

Further information about the vulnerabilities contained in this report, and about obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, is available from Cisco.

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.