Cyber Risk Report

March 8–14, 2010

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity levels decreased during the period and included Microsoft security bulletins and an update for Apple Safari that corrected multiple vulnerabilities.  Microsoft released two bulletins for March that addressed multiple vulnerabilities in the Microsoft Movie Maker and Office Excel products.  Microsoft assigned the vulnerabilities a maximum severity rating of "Important," and both bulletins address vulnerabilities that could allow remote code execution.  The March security bulletins did not further address the vulnerability in Microsoft Internet Explorer, reported in IntelliShield alert 20052, which is being actively exploited.  Exploit code for this vulnerability was made public during the period, which may increase exploit activity.

In other vulnerability and threat activity during this period, news media widely reported malicious code found in the Energizer DUO USB battery charger software.  The malicious code included with the product was a backdoor trojan that could allow remote access to the system.  While we have not seen other recent reports of malicious code included in these types of products, there have been numerous previous reports of malicious code included in digital picture frames and similar peripheral products that users connect to their systems.  Antivirus products will likely detect the malicious code included in these products and should be kept updated as a primary means of defense.

During the month of March, many areas of the globe will be implementing Daylight Saving Time.  The United States (U.S.) moved clocks forward on March 14, 2010, and the European Union will change on March 28, 2010.  A complete list of the time changes for each region is available at worldtimezone.com.

In upcoming activity, Cisco will release the semiannual IOS security update on March 24, 2010.  The previous update occurred in September 2009.

IntelliShield published 87 events last week:  41 new events and 46 updated events.  Of the 87 events, 72 were Vulnerability Alerts, one was a Malicious Code alert, four were Security Issue Alerts, six were Threat Outbreak Alerts, three were Applied Mitigation Bulletins, and one was a Cyber Risk Report.  The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Friday        03/12/2010    15         7      22
Thursday      03/11/2010     5         4       9
Wednesday     03/10/2010     1        15      16
Tuesday       03/09/2010    14        13      27
Monday        03/08/2010     6         7      13
Weekly Total                41        46      87

Significant Alerts for March 8–14, 2010

Microsoft Internet Explorer Unsafe Help File Handling Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20014, Version 3, March 15, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-0483

Microsoft has released a security advisory with information about affected products to address the Microsoft Internet Explorer unsafe help file handling arbitrary code execution vulnerability.  Public exploit code is available and the vulnerability is being actively exploited.

Previous Alerts That Still Represent Significant Risk

Adobe Download Manager Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19979, Version 4, February 26, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-0189

Adobe Download Manager contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user.  Adobe has confirmed the vulnerability and released updated software.

Mozilla Firefox Unspecified Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19968, Version 1, February 19, 2010
Urgency/Credibility/Severity Rating: 2/3/4

Mozilla Firefox contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code.  Mozilla has not confirmed this vulnerability, and updated software is not available.

Multiple Symantec Products ActiveX Control Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19970, Version 1, February 19, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-0107

Multiple Symantec products contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the system.  Symantec confirmed this vulnerability and released software updates.

Microsoft Internet Explorer Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19726, Version 5, February 25, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-0249

Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code.  Microsoft has confirmed this vulnerability and released software updates.  Additional information is available regarding mitigations and exploit code related to the Internet Explorer remote arbitrary code execution vulnerability.

Adobe Reader and Acrobat newplayer() Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19602, Version 8, January 22, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-4324

Adobe Acrobat and Reader versions 9.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system or cause a denial of service condition.  Proof-of-concept code that exploits the vulnerability is publicly available.  Adobe has confirmed this vulnerability, and updates are available.  This vulnerability is being actively exploited through directed phishing attacks.

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 38, March 4, 2010
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-3555

Multiple TLS implementations contain a vulnerability when renegotiating a Transport Layer Security (TLS) session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack.  Multiple vendors have released updates to correct this vulnerability.  Proof-of-concept code that exploits this vulnerability is publicly available.

Physical

There was no significant activity in this category during the time period.

Legal

FTC Fines Lifelock.com for Deceptive Practices

Lifelock CEO Todd Davis promised consumers that their personal data would be worthless to identity thieves if they were Lifelock subscribers. The United States (U.S.) Federal Trade Commission (FTC) took exception to those claims and others made by Lifelock and fined the company US$12 million. Eleven million of that amount will go toward reimbursement of Lifelock subscribers. The fraud alerts that Lifelock used as the centerpiece of its service, and that the company placed on subscriber accounts, did not prevent misuse of previously held credit accounts or prevent the opening of new loans. The credit report that Lifelock provided is available free to individuals from www.annualcreditreport.com. The FTC and attorneys general from 36 states found that the claims made by Lifelock were fraudulent and that gaping holes were left in the protection that was promised to consumers.

IntelliShield Analysis:  The Lifelock case evokes the adage, "If it sounds too good to be true, it probably is."  With the number of identity theft cases running at record rates, Lifelock had loads of customers who hoped to permanently secure their identities for "just pennies a day" and who fell for the company's advertising campaign.  Identity theft is a real threat, but individuals need to assume responsibility for their own protection.  All credit cards offer fraud protection and limitations on liability.  An individual can obtain one free credit report each year from each of the three major credit reporting bureaus.  By staggering the requests every four months, individuals can obtain copies of their own credit reports three times a year at no cost.  The fraud alert that Lifelock posted on subscribers' accounts can easily be placed by subscribers themselves.  Consumers are also advised to use a shredder on all outdated personal records.

Trust

Third-Party Web Advertising Malicious Code Infections

Recently, WhitePages.com joined a growing list of organizations that have been forced to deal with malicious code distributed through their websites by means of third-party advertisement networks.  Multiple users reported the presence of advertisements for fake antivirus programs on the whitepages.com website.  The reports prompted the organization to suspend relationships with the advertisement networks in question.

IntelliShield Analysis:  This type of attack is not new, but it remains effective because it takes advantage of trust relationships at several levels.  Any website that hosts advertisements from third-party networks must trust that the content received from the advertising network will be free of malicious code.  This type of attack also exploits the trust relationship that is built between a user and a website.  The attacks can harm any user whose system becomes infected with malicious code.  Websites that host the content could have their reputations harmed as collateral damage, losing future income as a result.  Some organizations recommend the use of third-party groups to verify content from advertising networks as an added layer of protection against this type of attack.

Identity

HSBC Bank Account Disclosures and New Data on Electronic Bank Fraud

British HSBC Bank announced that its Switzerland-based HSBC Private Bank SA was the victim of an insider attack by a former employee who stole information relating to 24,000 customer accounts from 2006 and 2007.  A spokesperson for HSBC said that although the information is unlikely to be used to gain access to the accounts, the information could be damaging to customers by exposing confidential assets to tax authorities.  The disclosure comes as the U.S. Federal Deposit Insurance Corporation (FDIC) released data on electronic fraud losses in the third quarter of 2009.  Losses were in excess of US$120 million, including $25 million related to assets stolen from small to medium-sized businesses in the U.S. through online banking sites.  The loss of $25 million dwarfs the loss of $9.4 million from bank robberies during the same time period.

IntelliShield Analysis: While protections against external attacks are important, especially those involving malicious software designed to steal account information, as the FDIC report shows, businesses must be reminded that insider attacks can be just as damaging.  The financial liability to HSBC as a result of the data disclosures may be insignificant when compared to the impact on customer trust and brand perception, especially in the Swiss banking industry.

Human

Willful Disobedience Responsible for 12 Percent of Security Policy Violations

FiberLink, a vendor of endpoint security management and "mobility as a service" solutions, released results from a study it commissioned regarding security policy compliance.  FiberLink's study reported that 12 percent of employees are aware of security policies but choose to disobey them.  In 2008, Cisco performed a similar study that explored some of the reasons that employees offer for failing to follow security policies.

IntelliShield Analysis:  The study from FiberLink shows continued resistance from end users to compliance for compliance's sake.  Global metrics, however, should not by themselves determine organizational policy changes.  Organizations should query internal users to determine where resistance is felt against existing policies. The Cisco 2008 study revealed that awareness of the value of policy, the impact of threats, and the role of users in security were not aligned between policy makers and employees.  Organizations should continuously improve their policies, awareness programs, and their understanding of how users perceive the constraints placed upon them.

Geopolitical

China Cautious on Migration Reforms

As China wraps up its annual legislative session this month, the macroeconomic news is mostly good. Exports are up 8.2 percent from two years ago, before the global financial crisis affected trade, and imports are up almost 10 percent.  Government officials have expressed some concern over the threat of trade disputes, inflation, and international pressure over yuan appreciation.  In an unusual development, 13 local newspapers jointly published an editorial calling for reform of the longstanding hukou system, which critics say exacerbates rural-urban disparities by cutting migrant workers off from health care and other public services when they work in jurisdictions outside their home regions.  Support for hukou reform expressed by Politburo official Zhou Yongkang and Minister of Agriculture Hang Changfu earlier in the month stoked expectations of an announcement at the legislative gathering, but none was forthcoming.

IntelliShield Analysis:  The issue of hukou reform is noteworthy for technology companies with operations in China because of its potential to affect the labor pool.  As the global economic downturn hit China's manufacturing export business last year, many laid-off migrant workers returned home.  With the quick turnaround in demand for manufactured goods late last year, many companies are facing a shortage of labor in urban centers.  Workers in many cases have been reluctant to return to cities, however, because of the lack of public services.  Also, infrastructure stimulus spending in rural areas is providing jobs closer to home.  With hukou reform on the back burner for now, labor costs for China-based suppliers are increasing, the quality of labor may decline as skilled workers become scarce, and the risk of intellectual property finding its way out of factories may intensify.

Upcoming Security Activity

CanSecWest 2010, Vancouver: March 24–26, 2010
Cisco Networkers 2010, Bahrain: March 28–31, 2010
InfoSec World 2010: April 17–23, 2010
INTEROP Las Vegas: April 25–29, 2010

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
Trial Registration

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.