Cyber Risk Report

March 22–28, 2010

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity returned to a lower level this period. The most significant events were the semiannual Cisco IOS Security Advisories, a new OpenSSL vulnerability that will impact a large number of products and vendors, and the CanSecWest security conference with its contest and presentations.

The semiannual Cisco IOS Software Advisory bundled publication included seven advisories that addressed 11 vulnerabilities. Links to the advisories and the corresponding IntelliShield alerts are available at the Cisco Security Intelligence Operations portal through the Cisco Event Response.

A new vulnerability was reported in OpenSSL versions 0.9.8f through 0.9.8m. These versions contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on the targeted system. OpenSSL has confirmed this vulnerability and released updated software (OpenSSL 0.9.8n). This vulnerability was reported in IntelliShield alert 20139. OpenSSL is widely deployed and included in numerous vendors' products, often as a statically linked or bundled copy rather than the operating system's shared library, so updating the platform OpenSSL package alone does not close the exposure. In the coming weeks many of these vendors will be releasing updates to correct their products, and administrators should inventory appliances and applications that carry their own copy of OpenSSL.

Also last week, Mozilla (Firefox) and Opera released updates for their browsers correcting multiple vulnerabilities. Despite the recent releases of browser updates from multiple vendors, the Pwn2Own hacking contest held at CanSecWest demonstrated attackers' abilities to exploit fully patched versions of these products. Users should expect another round of browser updates once the vulnerabilities exploited during the event are disclosed to the vendors and fixed.

IntelliShield published 87 events last week: 39 new events and 48 updated events. Of the 87 events, 72 were Vulnerability Alerts, two were Security Activity Bulletins, six were Security Issue Alerts, six were Threat Outbreak Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Friday        03/26/2010     7        11      18
Thursday      03/25/2010     8         7      15
Wednesday     03/24/2010    19        12      31
Tuesday       03/23/2010     1         7       8
Monday        03/22/2010     4        11      15
Weekly Total                39        48      87

Previous Alerts That Still Represent Significant Risk

Microsoft Internet Explorer Invalid Pointer Reference Access Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20052, Version 3, March 15, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-0806

Microsoft has re-released a security advisory and updated software to address the Microsoft Internet Explorer invalid pointer reference access arbitrary code execution vulnerability. Functional exploit code is being used in ongoing exploits.

Microsoft Internet Explorer Unsafe Help File Handling Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20014, Version 2, March 2, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-0483

Microsoft has released a security advisory with information about affected products to address the Microsoft Internet Explorer unsafe help file handling arbitrary code execution vulnerability. Proof-of-concept code that demonstrates code execution is available.

Adobe Download Manager Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19979, Version 4, February 26, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-0189

Adobe Download Manager contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. Adobe has confirmed the vulnerability and released updated software.

Mozilla Firefox Unspecified Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19968, Version 1, February 19, 2010
Urgency/Credibility/Severity Rating: 2/3/4

Mozilla Firefox contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Mozilla has not confirmed this vulnerability, and updated software is not available.

Multiple Symantec Products ActiveX Control Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19970, Version 1, February 19, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-0107

Multiple Symantec products contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the system. Symantec confirmed this vulnerability and released software updates.

Microsoft Internet Explorer Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19726, Version 5, February 25, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-0249

Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has confirmed this vulnerability and released software updates. Additional information is available regarding mitigations and exploit code related to the Internet Explorer remote arbitrary code execution vulnerability.

Adobe Reader and Acrobat newplayer() Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19602, Version 8, January 22, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-4324

Adobe Acrobat and Reader versions 9.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system or cause a denial of service condition. Proof-of-concept code that exploits the vulnerability is publicly available. Adobe has confirmed this vulnerability, and updates are available. This vulnerability is being actively exploited through directed phishing attacks.

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 40, March 18, 2010
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-3555

Multiple TLS implementations contain a vulnerability when renegotiating a Transport Layer Security (TLS) session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Multiple vendors have released updates to correct this vulnerability. Proof-of-concept code that exploits this vulnerability is publicly available.

Physical

Symantec Report Notes Top 50 U.S. Most Dangerous Cities for Cybercrime

Symantec teamed with Sperling's Best Places to identify the Top 50 Riskiest Cities for cybercrime. The study scored the fifty largest U.S. cities on four per capita measures of computer risk: malicious attacks, malware infections, spam zombies, and bot-infected machines. These were combined with several measures of computer use: free Wi-Fi hotspots per capita, computer hardware and software expenditures, Internet access expenditures, and the percentage of the population using e-mail, online shopping, or online financial services. Seattle ranked as the most risky, while Detroit ranked least risky.

IntelliShield Analysis: A careful look at the methodology reveals several misleading measurements. First, of the four computer-risk measures, only "malicious attacks" applies broadly to non-Windows users; malware infections, spam zombies, and bot-infected machines are largely Windows-specific phenomena. Second, the measures of computer usage make this more a study of the "most connected cities" than of the "most dangerous connected cities." Where there is little Internet access, there is obviously less opportunity to get into trouble online.

Instead of focusing on Seattle as "most dangerous," it might be more beneficial to look at why San Francisco, for example, does not have very high computer risk scores and still ranks fourth, or why Miami is first or second in every category of computer risk and yet falls to 27th place. Organizations should check into the methodologies used in such studies. It is clear that Internet usage can be risky, but until attacks frequently target residents of a particular geographic community, it matters more that someone is accessing the Internet, rather than from where.

Legal

RBS WorldPay Heist Suspects Arrested in Russia

Authorities from the Russian Federal Security Service (FSB) arrested suspects accused of perpetrating the sophisticated 2008 ATM heist that took $9.5 million from RBS WorldPay, an Atlanta-based card processing company. One of the suspects had been indicted for the crime by a U.S. grand jury in 2009, but Russian law prohibits extradition of Russian citizens.

IntelliShield Analysis: The arrests have been heralded as a major breakthrough in international law enforcement and cooperation. Federal Bureau of Investigation (FBI) agents had approached the FSB for help in apprehending the suspects but historically have received little cooperation in this or other matters, frustrating prosecutions. The FSB arrests surprised U.S. authorities and may indeed signal the beginning of increased cooperation with Russia in resolving cybercrimes.

In the U.S., victim reporting to authorities has been facilitated by online complaint sites such as the Internet Crime Complaint Center (IC3), a joint partnership of the FBI, the National White Collar Crime Center (NW3C), and the Bureau of Justice Assistance (BJA), and the complaint portal of the Federal Communications Commission (FCC) Consumer & Governmental Affairs Bureau. U.S. agencies fighting cybercrime describe Internet fraud as increasing in both volume and sophistication, but say that reporting of online crimes to the proper authorities has lagged behind the activities of cyber criminals.

Trust

There was no significant activity in this category during the time period.

Identity

There was no significant activity in this category during the time period.

Human

There was no significant activity in this category during the time period.

Geopolitical

Rio Tinto Case Illustrates Ambiguity of Business

Four China-based employees of Australian mining company Rio Tinto have been found guilty of bribery and stealing commercial secrets and sentenced to prison terms in China. The trial has strained relations between the Australian and Chinese governments, in part because one of the executives, Stern Hu, is an Australian citizen. According to Xinhua News Agency, the executives were tried for accepting a combined $13.5 million in bribes in connection with sensitive annual iron-ore pricing negotiations. A second, closed-door hearing also reportedly reviewed allegations of theft of commercial secrets, a charge downgraded from an earlier accusation of espionage.

IntelliShield Analysis: The Rio Tinto trial highlights two problems that are intensifying globalization risks for multinational companies: bribery and the premium that host countries place on critical information. These issues pose risks both coming and going. That is, companies need to be aware that their trade secrets could be stolen or their executives bribed. At the same time, they need to ensure that their executives are not offering bribes in order to close major deals, or unwittingly handling information that the host government considers highly sensitive, even where the government has no obvious stake in the company in question. In many countries, the line between state-owned and private enterprise may be blurred. Particularly in the technology sector, where almost anything may be considered to be of national security import, multinational corporations may want to make extra efforts to clarify where the lines are drawn. Poor governance and lack of legal transparency in many countries can foil the best of intentions on this front. The same goes for the risk of corruption, especially when operating in countries where costly entertainment and the hiring of go-betweens are an assumed part of doing business. The best defense in this case may be an aggressively publicized and enforced zero-tolerance policy.

Upcoming Security Activity

Cisco Networkers 2010, Bahrain: March 28–31, 2010
InfoSec World 2010: April 17–23, 2010
INTEROP Las Vegas: April 25–29, 2010

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.