Cyber Risk Report

March 26–April 1, 2012

The IntelliShield Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. The Cyber Risk Reports are a result of collaborative efforts, information sharing, and collective security expertise of senior analysts from Cisco security services that include the IntelliShield team (IntelliShield Alert Manager, Applied Intelligence, and IPS), ROS, PSIRT, the Corporate Security Programs Organization, and Legal Support.

Vulnerability

Vulnerability activity remained consistent with previous periods. The annual IntelliShield statistics show a continued increase in activity for the first three months of 2012, a significant 17 percent increase over the same period in 2011.

Highlights for the period include the Semi-Annual Cisco IOS Software Security Advisory Bundled Publication, and security advisories and updates for Adobe Flash Player, RealNetworks RealPlayer, ClamAV, HP Performance Manager and HP-UX, Opera, Red Hat, and Wireshark.

Cisco released the Semi-Annual Cisco IOS Software Security Advisory Bundled Publication, which included 9 security advisories covering 13 individual vulnerabilities. The security advisories, correlated with IntelliShield alerts, IPS signature updates, and an Applied Mitigation Bulletin, are available on the Cisco SIO portal and at the Cisco Event Response: Semi-Annual Cisco IOS Software Security Advisory Bundled Publication.

Researchers reported identifying malicious applications on the Google Web Store, and a new denial of service (DoS) vulnerability affecting the Google Android operating system and phones. The DoS condition may also persist after the phone is rebooted, so users cannot clear it simply by restarting the device.

Microsoft and the U.S. Marshals Service executed another botnet takedown, this time targeting the Zeus botnet. This takedown was unique in that it used civil filings under the RICO Act to obtain warrants quickly to seize the command-and-control server domains. Separately, Kaspersky reported the reactivation of the Hlux/Kelihos botnet following the previous takedown; it now appears to be rebuilding with a new version of the botnet code. And Russian officials reported continued investigation and arrests associated with the Carberp botnet takedown.

IntelliShield published 112 events last week: 67 new events and 45 updated events. Of the 112 events, 78 were Vulnerability Alerts, eight were Security Activity Bulletins, three were Security Issue Alerts, 21 were Threat Outbreak Alerts, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Friday        03/30/2012     5        10      15
Thursday      03/29/2012    11         7      18
Wednesday     03/28/2012    25        16      41
Tuesday       03/27/2012    13         7      20
Monday        03/26/2012    13         5      18
Weekly Total                67        45     112


2012 Monthly Alert Totals

Month               New   Updated   Monthly Total
January             208       344             552
February            234       317             551
March               249       238             487
Year-to-Date Total  691       899            1590


Previous Alerts That Still Represent Significant Risk

MIT Kerberos 5 Telnet Service Buffer Overflow Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 24838, Version 7, March 30, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-4862

MIT Kerberos 5 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the system. Functional code that exploits this vulnerability is available as part of the Metasploit framework. MIT has confirmed the vulnerability and released software updates. Cisco, FreeBSD, GNU.org and Red Hat have released security advisories. VMware has released a security advisory and updated software to address the MIT Kerberos 5 Telnet service buffer overflow arbitrary code execution vulnerability.

Oracle Java SE Critical Patch Update February 2012
IntelliShield Activity Bulletin 25191, Version 3, March 28, 2012
Urgency/Credibility/Severity Rating: 2/5/4
Multiple CVEs

Oracle has released the February 2012 Critical Patch Update to address multiple security vulnerabilities in multiple Oracle Java SE versions. This update remediates 14 vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on a targeted system. CentOS and Red Hat have released security advisories and updates. IBM has released an APAR and fix to address the vulnerabilities from the Oracle Java SE Critical Patch Update for October 2011. HP has also released a security bulletin and updated software to address this update.

Apache HTTP Server Reverse Proxy Rewrite URL Validation Vulnerability
IntelliShield Vulnerability Alert 24625, Version 6, March 28, 2012
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-4317

Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to gain unauthorized access to internal networks through a reverse proxy. Apache has not confirmed the vulnerability and software updates are not available. The vulnerability is due to a regression in the fix for CVE-2011-3368, documented in IntelliShield alert 24327. Proof-of-concept code that exploits the vulnerability is publicly available. HP has released a security bulletin and updated software to address the Apache HTTP Server reverse proxy rewrite URL validation vulnerability.
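The mechanism behind this class of reverse-proxy bug, shown as an added illustration that is not code from the report or from the Apache project: a rewrite of the form `RewriteRule ^(.*) http://backend.internal$1 [P]` appends the client's request-URI verbatim to a fixed backend URL, so a request line such as `GET @10.0.0.5/admin HTTP/1.0` turns `backend.internal` into URL user-info and the proxy connects to the intranet host instead. The backend name, the intranet address and the allow-list are assumptions of this example. The hardened version validates the host of the URL the proxy would actually connect to, not only the shape of the incoming URI; that is the check that does not depend on the URI-parser details a regression like the one above concerns.

```python
from urllib.parse import urlsplit

# Assumed backend and allow-list for this illustration (not from the report).
BACKEND = "http://backend.internal"
ALLOWED_HOSTS = {"backend.internal"}


def naive_rewrite(request_uri):
    """Model of `RewriteRule ^(.*) http://backend.internal$1 [P]` with no
    validation: the client's request-URI is appended to the backend URL."""
    return BACKEND + request_uri


def proxy_target_host(url):
    """Host a URL-parsing proxy would open a connection to for `url`."""
    return urlsplit(url).hostname


def hardened_rewrite(request_uri):
    """Same rewrite, but reject any request-URI that is not an absolute path
    and verify the host of the resulting URL before it is proxied."""
    if not request_uri.startswith("/"):
        raise ValueError("request-URI must be an absolute path: %r" % request_uri)
    url = BACKEND + request_uri
    host = urlsplit(url).hostname
    if host not in ALLOWED_HOSTS:
        raise ValueError("rewritten URL targets %r, not an allowed backend" % host)
    return url


def rewrite_is_rejected(request_uri):
    """True when the hardened rewrite refuses to proxy `request_uri`."""
    try:
        hardened_rewrite(request_uri)
    except ValueError:
        return False or True
    return False


if __name__ == "__main__":
    # A normal request stays on the backend.
    print(proxy_target_host(naive_rewrite("/index.html")))      # backend.internal
    # 'GET @10.0.0.5/admin HTTP/1.0': the backend name becomes user-info and
    # the naive proxy now connects to the intranet host.
    print(proxy_target_host(naive_rewrite("@10.0.0.5/admin")))  # 10.0.0.5
    # A port in the user-info position does not help the attacker either way,
    # but shows that the parsed host, not the prefix, is what matters.
    print(proxy_target_host(naive_rewrite(":8080@10.0.0.5/")))  # 10.0.0.5
    print(rewrite_is_rejected("@10.0.0.5/admin"))               # True
    print(rewrite_is_rejected("/index.html"))                   # False
```

The prefix check alone is the kind of input-shape rule that parser differences can bypass; comparing the parsed destination host against an explicit allow-list fails closed whatever the request-URI looks like.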

Microsoft Windows Remote Desktop Uninitialized Memory Access Arbitrary Code Execution Vulnerability
IntelliShield Security Activity Bulletin 25326, Version 3, March 20, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-0002

Microsoft Windows contains a vulnerability in Remote Desktop that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Microsoft has confirmed the vulnerability in a security bulletin and released updated software. Proof-of-concept code that exploits the vulnerability is publicly available. ICS-CERT has released a security advisory to address the Microsoft Windows Remote Desktop uninitialized memory access arbitrary code execution vulnerability.

Apple iOS 5.1 Security Update
IntelliShield Security Activity Bulletin 25374, Version 2, March 13, 2012
Urgency/Credibility/Severity Rating: 2/5/3
Multiple CVEs

Apple iOS contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to conduct information disclosure, security bypass, denial of service, code execution, or cross-site scripting attacks. Apple has released an additional security update and updated software for the affected products. The alert now also covers Apple Safari versions prior to 5.1.4 and Apple Safari for Windows versions prior to 5.1.4.

Apple iTunes and iTunes for Windows Multiple Memory Corruption Vulnerabilities
IntelliShield Security Activity Bulletin 25373, Version 1, March 9, 2012
Urgency/Credibility/Severity Rating: 2/5/4
Multiple CVEs

Apple iTunes and iTunes for Windows contain multiple vulnerabilities that could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks, cause a denial of service condition, or execute arbitrary code on the targeted device.

Multiple Products Hash Collisions Denial of Service Vulnerability
IntelliShield Security Activity Bulletin 24871, Version 8, February 24, 2012
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-4461, CVE-2011-4815, CVE-2011-4885, CVE-2012-0193, CVE-2012-0841

Multiple products contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition by submitting many request parameters whose names hash to the same value. Updates are available. Apache, Microsoft, CentOS, IBM, Ruby, FreeBSD, Red Hat, and HP have released security advisories and updates.
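How the hash-collision denial of service works, and why the fix across the affected runtimes was keyed (randomised) hashing, as an added example that is not code from the report or from any of the vendors listed. It counts the key comparisons a hash table performs while inserting n keys: when every key hashes to the same value, the n-th insert is compared against all n-1 earlier keys and the total grows as n²/2, which is the work an attacker buys with a single POST body of colliding parameter names. The field names and the per-process key are constructed for this example.

```python
import hashlib
import os

# Per-process random key generated at start-up: the mitigation the affected
# runtimes adopted. The key itself is an assumption of this example.
HASH_KEY = os.urandom(16)


class Key:
    """Dictionary key that records how often the table had to compare two
    keys, which is exactly the work colliding inputs inflate."""
    eq_calls = 0

    def __init__(self, text, hash_fn):
        self.text = text
        self._hash = hash_fn(text)

    def __hash__(self):
        return self._hash

    def __eq__(self, other):
        Key.eq_calls += 1
        return self.text == other.text


def predictable_hash(text):
    """Stand-in for a hash whose collisions the attacker can precompute:
    every crafted key lands in the same bucket."""
    return 0


def keyed_hash(text):
    """Hash keyed with HASH_KEY: without the key, an attacker cannot
    precompute inputs that collide. 56-bit digest fits a Python hash."""
    digest = hashlib.blake2b(text.encode(), key=HASH_KEY, digest_size=7).digest()
    return int.from_bytes(digest, "big")


def comparisons_to_insert(names, hash_fn):
    """Build a dict from `names` and return the number of key comparisons:
    n(n-1)/2 when every key collides, zero when hashes are distinct."""
    Key.eq_calls = 0
    table = {}
    for name in names:
        table[Key(name, hash_fn)] = True
    return Key.eq_calls


def attacker_form_fields(n):
    """Constructed sample input: n distinct form-field names, modelling a
    POST body the attacker has crafted so that every name collides."""
    return ["field%05d" % i for i in range(n)]


if __name__ == "__main__":
    fields = attacker_form_fields(500)
    print("colliding hash:", comparisons_to_insert(fields, predictable_hash))  # 124750
    print("keyed hash:    ", comparisons_to_insert(fields, keyed_hash))        # 0
```

Doubling the number of fields quadruples the comparison count for the colliding case, which is why a few hundred kilobytes of request body were enough to pin a CPU core for minutes; with the keyed hash the cost stays linear in the number of fields.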

Trend Micro Control Manager CmdProcessor.exe Arbitrary Code Execution Vulnerability
IntelliShield Activity Bulletin 24728, Version 2, February 23, 2012
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2011-5001

Trend Micro Control Manager contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Proof-of-concept code that exploits the Trend Micro Control Manager CmdProcessor.exe arbitrary code execution vulnerability is publicly available, including as part of the Metasploit framework.

Increased SSH Scanning Activity on Industrial Control Systems
IntelliShield Activity Bulletin 25143, Version 1, February 7, 2012
Urgency/Credibility/Severity Rating: 2/5/3

ICS-CERT has released a security alert addressing recent SSH scanning of Internet-facing control systems, activity that could allow an unauthenticated, remote attacker to gain access to the systems and the sensitive information they hold.
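A check a practitioner can run against the gateway in front of a control system, given as an added example that is not code from the report or from ICS-CERT: it parses OpenSSH authentication failures and flags any source address that tries several distinct usernames within a short window, which is the signature of credential scanning rather than an operator's mistyped password. The log lines, host name, addresses and usernames are constructed for this example, and the thresholds are assumptions to tune for the site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of OpenSSH auth-log lines (not from the report or ICS-CERT).
SAMPLE_LOG = """\
Mar 28 03:14:07 plc-gw sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 28 03:14:08 plc-gw sshd[2103]: Failed password for invalid user root from 203.0.113.7 port 51236 ssh2
Mar 28 03:14:09 plc-gw sshd[2105]: Failed password for invalid user operator from 203.0.113.7 port 51238 ssh2
Mar 28 03:14:10 plc-gw sshd[2107]: Failed password for invalid user plc from 203.0.113.7 port 51240 ssh2
Mar 28 03:14:11 plc-gw sshd[2109]: Invalid user scada from 203.0.113.7 port 51242
Mar 28 03:14:12 plc-gw sshd[2111]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar 28 03:20:02 plc-gw sshd[2140]: Failed password for engineer from 192.0.2.10 port 40001 ssh2
Mar 28 03:20:30 plc-gw sshd[2142]: Accepted publickey for engineer from 192.0.2.10 port 40002 ssh2
"""

# Matches the two sshd messages that reveal a failed login attempt and who
# it was for: "Failed password for [invalid user] X from IP" and "Invalid user X from IP".
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?|Invalid user )(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_failures(log_text, year=2012):
    """Return (timestamp, source_ip, username) for each failed attempt.
    Syslog lines carry no year, so one is assumed."""
    events = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("ip"), m.group("user")))
    return events


def scan_sources(log_text, min_users=3, window_seconds=300):
    """Flag sources that tried at least `min_users` distinct usernames inside
    any `window_seconds` window. Returns {ip: sorted usernames tried}."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(log_text):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window so it spans at most window_seconds.
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            users_in_window = {u for _, u in attempts[start:end + 1]}
            if len(users_in_window) >= min_users:
                flagged[ip] = sorted({u for _, u in attempts})
                break
    return flagged


if __name__ == "__main__":
    for ip, users in scan_sources(SAMPLE_LOG).items():
        print("%s tried %d usernames: %s" % (ip, len(users), ", ".join(users)))
```

Counting distinct usernames per source, rather than raw failures, separates a scanner walking a default-credential list from a legitimate user who fails a few times on one account; the engineer at 192.0.2.10 in the sample is not flagged. On a control-system gateway the right response to a hit is to confirm the service is not reachable from the Internet at all, not only to block the one address.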

Oracle Critical Patch Update January 2012
IntelliShield Vulnerability Alert 24972, Version 2, February 9, 2012
Urgency/Credibility/Severity Rating: 2/5/3

Oracle has released the January 2012 Critical Patch Update. The update contains 78 new security fixes that address multiple Oracle product families. The fixes correct multiple vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service condition on targeted systems. Red Hat has released a security advisory and updated packages to address vulnerabilities listed in the Oracle Critical Patch Update January 2012.

Physical

JetBlue Pilot Incident Raises More Security Questions

The widely reported incident in which a JetBlue pilot caused a mid-air emergency, resulting in the co-pilot locking the pilot out of the cockpit and the pilot later having to be subdued by the crew and passengers, again raises security questions for air travel. The co-pilot and another pilot who was travelling on the flight landed the aircraft safely, and authorities removed the pilot from the aircraft. While the investigation of the event continues, and in this case the situation was handled without injuries, it again raises several questions about the policies and procedures for aircraft security.

IntelliShield Analysis: This type of scenario may have been played out in tabletop exercises and planning sessions, but it calls into question some of the practices currently in place. Are we now expecting passengers or passers-by to actively participate in a security event? Who decides what or who is a threat: the pilot, co-pilot, crew, passengers, office managers, any individual stepping forward? And how do those individuals determine that it is the pilot who is the threat, and not the co-pilot who has taken over the aircraft? Would this similarly apply to subduing a threatening individual in a business or public setting? Emergency and law enforcement personnel are trained responders, face these complicated decisions regularly, and are backed by their organizations for liability protection. But if passengers or random individuals who happen to be present are now expected to actively participate, who is making those decisions and backing them? What if they do not participate? Taking this out of the aircraft and placing it in a business office: if a perceived threat is identified, who decides that there is in fact a threat, and who is now expected to volunteer or participate? If untrained individuals are expected to participate, should they receive some type of notification of that expectation, training, or drills? One point to note is that the majority of this particular event was captured on video taken on cell phones, allowing review of the details of the incident in addition to the aircraft communications, although the aircraft itself did not have this type of security video capability. While these types of events have ended positively to date, there are several gray areas in these practices that need to be considered and addressed in planning exercises, policies, and practices.

Legal

There was no significant activity in this category during the time period.

Trust

U.S. Department of Defense Networks Compromised?

Recently security experts testified to the Senate Armed Services Subcommittee that U.S. Department of Defense (DoD) computer networks have been penetrated in a manner so complete that the current mentality of cyberdefense must change. According to the experts, the focus should be on "protecting data, not controlling access." Experts from the NSA and other government labs also reiterated the need for the U.S. to change the way it thinks about DoD computer networks. Moreover, the notion that the U.S. must assume that "the adversary is in our networks" has been promoted.

IntelliShield Analysis: The call to arms has been stated. The challenge with the DoD and other government entities is much like that of security in the vendor versus open source realm. Because the public has limited insight into the inner workings and solutions in this space, not unlike vendor product or software code, the possible solutions are limited to those employed by the DoD, which inherently also limits scope and innovation. Should DoD security teams indeed work on the assumption that they have already been compromised and look to protect from the inside out? The Verizon Data Breach Investigations Report shows that most breaches are discovered not by the owners but by third parties, and that victims may have been compromised for one to two years before discovery. How does this change security perspectives such as recommended practices, security architecture, and incident response? As always, there are many questions, but solutions must begin to flow in order to better protect, prevent, and mitigate attacks on DoD environments.

Identity

Exploiting the Secret Questions

Reports this week showed how criminals are targeting credit reporting agencies and websites. The preferred method is to skip the password and instead attack the security questions, which are common across many websites. When the guesses are correct, the criminals post the credit information for sale to others.

IntelliShield Analysis: Criminals target credit reporting companies because the information about a credit report consumer is complete. The credit report on someone with a high credit score may sell for $80. Why is this amount so high when compared with a black market credit card price of $3 for the same consumer? With credit reports and credit reporting credentials, criminals may turn off alerts, change contact information, order credit cards, secure loans and buy a car or a house with the information. Last April when Prince William and Kate Middleton were married, a popular Facebook post was to "generate your own Royal Name" by combining your grandmother or grandfather's first name, add that to your first pet's name, and then the street you grew up on. This was clearly a way to harvest critical security questions. The convenience of the Facebook API allowed for anyone to download "Royal Names" by the thousands. But to what end? Now, the same types of security answers are being used for wholesale identity theft. Banks have been using security questions since 1906 and until a stronger authenticator is implemented this attack will continue. Recent iterations of this fraud have already arrived in the form of tax refund fraud.

Human

Effects of Possessing Social Media Accounts, Not What They Contain

Students at a Jewish girls' school in Brooklyn were compelled to delete their Facebook accounts or be faced with expulsion from the school. The school is attempting to address a decline of modesty with the anti-Facebook policy. According to the principal at the Beis Rivkah High School, a policy prohibiting social media use has been in place for two years. Earlier this year a student was forced to turn over her Facebook account password after it was alleged that she was carrying on a conversation about sex with another student. A U.S. Army Reserve Specialist is also being reprimanded for making a Ron Paul endorsement while in uniform. Specialist Jesse D. Thorsen violated an army policy barring soldiers from participating in political events while in uniform.

IntelliShield Analysis: Both of these groups of individuals are subject to the policies of organizations that they joined voluntarily, one online and the other offline. When individuals voluntarily align themselves with an organization, they also agree to comply with the policies put in place by that organization. While public schools are prohibited from implementing arbitrary censorship, nothing prevents such censorship in private schools, private businesses, or any other organization when the individual is acting as a representative of that business or organization. If the organization has in place a policy that limits online activity or public speech, and an individual goes against that policy, it is only logical that the individual may be reprimanded or denied association with the organization. When making comments on social media, take steps to ensure you are speaking as an individual and not as an official representative of any organization you may be associated with.

Geopolitical

The Politics of the Toulouse Shootings

Following the shootings in Toulouse, France, the investigation continues, tracing contacts through the online connections of the confessed shooter. In the past week, 17 additional arrests have occurred across the country in connection with the shooter. At the same time, the presidential election in France is reaching its peak, with voting on April 22, 2012. The shootings and the ongoing investigation have pushed immigration, terrorism, state security, and Internet policies to the front of the election debates.

IntelliShield Analysis: These shootings sent a shock wave across France, which some of the presidential candidates compared to the U.S. 9/11 attacks. With the French presidential election now in the home stretch, the shootings have pushed security to the front of the election debates, both highlighting President Sarkozy's current policies and handling of the attacks and prompting the challengers to call out the failures of the president's policies and handling. As all of the EU currently debates Internet privacy, user rights, and government monitoring policies, the shootings in France have similarly affected those debates, possibly tilting the scales in favor of security over individual rights. The presidential candidates in France have called for increased monitoring, blocking of threatening websites and forums, and investigation of those who visit or contribute to threatening sites. As with the U.S. policy and government authority shifts following the 9/11 attacks, France and the EU in general could be more inclined to enact policies tightening Internet monitoring, blocking, and tracking.

Upcoming Security Activity

InfoSec World Conference & Expo 2012: April 2–4, 2012
Interop: May 6–10, 2012
Cisco Live US: June 10–14, 2012
Black Hat USA 2012: July 21–26, 2012
DEF CON 20: July 26–29, 2012

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:

NCAA Basketball Tournament (U.S.): March 13–April 2, 2012
France Presidential Elections: April 22, 2012
World IPv6 Launch: June 6, 2012
London Olympic Summer Games: July 27–Aug 12, 2012

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
