Cyber Risk Report

May 9–15, 2011

The IntelliShield Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. The Cyber Risk Reports are a result of collaborative efforts, information sharing, and collective security expertise of senior analysts from Cisco security services that include the IntelliShield team (IntelliShield Alert Manager, Applied Intelligence, and IPS), ROS, PSIRT, the Corporate Security Programs Organization, and Legal Support.

Vulnerability

Vulnerability activity increased for the period. Microsoft released the May 2011 Security Bulletins, a relatively light load for the month. The release included two security bulletins addressing vulnerabilities in Windows WINS and in PowerPoint and Office. Cisco released the Event Response: Microsoft Security Bulletin Release for May 2011, detailing the vulnerabilities and mitigations. Also this week, Kernel.org corrected multiple vulnerabilities in Linux Kernel 2.6.32.36; HP corrected multiple vulnerabilities in Intelligent Management Center, WebOS, and Network Node Manager; and Google released a Chrome update for WebKit. Additionally, VMware released multiple security updates for vSphere and vCenter, Sybase released multiple updates for M-Business Anywhere, and Adobe released updates for Flash and Audition.

Multiple reports identified the public availability of the infamous ZeuS botnet code. ZeuS is a financial theft botnet that has been highly active across the Internet and responsible for millions of dollars in account compromises. While the ZeuS code has been available for purchase on the Internet, the public release of the code, which includes the user interface, may trigger an increase in ZeuS-related activity, in addition to the hundreds of existing ZeuS botnets already active.

Cisco released the 1Q11 Global Threat Report and a security blog post highlighting threat activity collected across the Cisco Security Intelligence Operations, with perspective on what is currently affecting enterprise security, and insight on top threats that occurred from January through March 2011.

The Industry Consortium for Advancement of Security on the Internet (ICASI) announced it is holding a webcast where it will detail a standardized framework for reporting IT system vulnerabilities. The Common Vulnerability Reporting Framework (CVRF) enables stakeholders across different organizations to share critical security-related information in a single format, speeding up information exchange and digestion.
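The practical value of a single reporting format is that every consumer can parse advisories the same way and match them against its own inventory. The following is an added example, not code from the Cisco report or from ICASI: a small Python consumer that reads a CVRF-style advisory and answers the question a defender actually asks, "which of our deployed products does this advisory list as affected?". The sample advisory, the product names, the advisory ID and the CVE value are constructed placeholders; the element names and namespace URIs follow the CVRF 1.1 schema as I recall it and are assumptions here, which is why the parser matches on local element names and ignores the namespace.

```python
"""Minimal consumer for a CVRF-style advisory document.

Added example, not from the Cisco report or from ICASI. The sample
advisory below is constructed for illustration; its element layout
(cvrfdoc / DocumentTracking / ProductTree / Vulnerability) and the
namespace URIs are assumptions based on the CVRF 1.1 schema.
"""
import xml.etree.ElementTree as ET

# Constructed sample advisory. The CVE value is a placeholder, not a real identifier.
SAMPLE_CVRF = """<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1"
         xmlns:vuln="http://www.icasi.org/CVRF/schema/vuln/1.1"
         xmlns:prod="http://www.icasi.org/CVRF/schema/prod/1.1">
  <DocumentTitle>Example Vendor Security Advisory (constructed)</DocumentTitle>
  <DocumentType>Security Advisory</DocumentType>
  <DocumentPublisher Type="Vendor"/>
  <DocumentTracking>
    <Identification><ID>EXAMPLE-SA-2011-0001</ID></Identification>
    <Status>Final</Status>
    <Version>1.0</Version>
    <InitialReleaseDate>2011-05-10T00:00:00Z</InitialReleaseDate>
    <CurrentReleaseDate>2011-05-10T00:00:00Z</CurrentReleaseDate>
  </DocumentTracking>
  <prod:ProductTree>
    <prod:FullProductName ProductID="PID-1">Example Server 2.0</prod:FullProductName>
    <prod:FullProductName ProductID="PID-2">Example Server 2.1</prod:FullProductName>
  </prod:ProductTree>
  <vuln:Vulnerability Ordinal="1">
    <vuln:Title>Remote code execution in request parser</vuln:Title>
    <vuln:CVE>CVE-0000-0000</vuln:CVE>
    <vuln:ProductStatuses>
      <vuln:Status Type="Known Affected"><vuln:ProductID>PID-1</vuln:ProductID></vuln:Status>
      <vuln:Status Type="Fixed"><vuln:ProductID>PID-2</vuln:ProductID></vuln:Status>
    </vuln:ProductStatuses>
    <vuln:Remediations>
      <vuln:Remediation Type="Vendor Fix">
        <vuln:Description>Upgrade to Example Server 2.1</vuln:Description>
      </vuln:Remediation>
    </vuln:Remediations>
  </vuln:Vulnerability>
</cvrfdoc>
"""


def _local(tag):
    """Strip the namespace from an ElementTree tag ('{uri}Name' -> 'Name')."""
    return tag.rsplit("}", 1)[-1]


def _find_all(elem, name):
    """All elements in elem's subtree (including elem) with the given local name."""
    return [e for e in elem.iter() if _local(e.tag) == name]


def _text(elem, name):
    """Text of the first element in elem's subtree with the given local name."""
    for e in _find_all(elem, name):
        if e.text:
            return e.text.strip()
    return None


def parse_cvrf(xml_text):
    """Parse a CVRF-style document into a plain dict keyed on what a triage
    workflow needs: advisory identity, and per-vulnerability affected and
    fixed product names plus remediations."""
    root = ET.fromstring(xml_text)
    # ProductID -> human-readable product name, from the ProductTree.
    products = {e.get("ProductID"): (e.text or "").strip()
                for e in _find_all(root, "FullProductName")}
    tracking = _find_all(root, "DocumentTracking")[0]
    doc = {
        "title": _text(root, "DocumentTitle"),
        "id": _text(tracking, "ID"),
        "version": _text(tracking, "Version"),
        "status": _text(tracking, "Status"),
        "vulnerabilities": [],
    }
    for v in _find_all(root, "Vulnerability"):
        entry = {"title": _text(v, "Title"), "cve": _text(v, "CVE"),
                 "affected": [], "fixed": [], "remediations": []}
        for status in _find_all(v, "Status"):
            # Resolve ProductID references back to product names; fall back to the raw ID.
            names = [products.get(p.text.strip(), p.text.strip())
                     for p in _find_all(status, "ProductID")]
            if status.get("Type") == "Known Affected":
                entry["affected"].extend(names)
            elif status.get("Type") == "Fixed":
                entry["fixed"].extend(names)
        for rem in _find_all(v, "Remediation"):
            entry["remediations"].append((rem.get("Type"), _text(rem, "Description")))
        doc["vulnerabilities"].append(entry)
    return doc


def triage(doc, inventory):
    """Return (advisory id, vulnerability title, cve, product) for every product
    in the local inventory that the advisory lists as Known Affected."""
    hits = []
    for v in doc["vulnerabilities"]:
        for product in inventory:
            if product in v["affected"]:
                hits.append((doc["id"], v["title"], v["cve"], product))
    return hits


if __name__ == "__main__":
    advisory = parse_cvrf(SAMPLE_CVRF)
    for hit in triage(advisory, ["Example Server 2.0", "Unrelated Product 1.0"]):
        print(hit)
```

Matching on local names rather than full namespaced tags is a deliberate choice: it lets the same consumer read documents whose namespace version string differs, at the cost of treating any element named `Status` inside a `Vulnerability` as a product status, which is correct for this layout but should be tightened if the feed you consume nests other `Status` elements there.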

IntelliShield published 106 events last week: 66 new events and 40 updated events. Of the 106 events, 71 were Vulnerability Alerts, four were Security Activity Bulletins, two were Security Issue Alerts, 26 were Threat Outbreak Alerts, two were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date          New   Updated   Total
Friday        05/13/2011     14         8      22
Thursday      05/12/2011     15         3      18
Wednesday     05/11/2011     16        16      32
Tuesday       05/10/2011     10         4      14
Monday        05/09/2011     11         9      20
Weekly Total                 66        40     106


Previous Alerts That Still Represent Significant Risk

Microsoft Office Excel Array Indexing Vulnerability
IntelliShield Vulnerability Alert 22797, Version 2, May 2, 2011
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2011-0978

Microsoft Office Excel contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available.

IBM and Oracle Multiple Java Products Security Update
IntelliShield Vulnerability Alert 22466, Version 7, May 6, 2011
Urgency/Credibility/Severity Rating: 2/5/4
Multiple CVEs

Oracle has released the April 2011 Critical Patch Update to address 73 new vulnerabilities in multiple products. Multiple vendors have released updated Oracle Java patches.

Multiple Vendor Issue Revocation for Fraudulent SSL Certificates
IntelliShield Vulnerability Alert 22740, Version 6, May 2, 2011
Urgency/Credibility/Severity Rating: 2/5/3

Multiple vendors have revoked several fraudulent SSL certificates to protect users from spoofing attacks. Microsoft has re-released a security advisory to address the multiple vendor SSL certificate revocation issue.

Microsoft Windows MHTML Protocol Handler Script Execution Vulnerability
IntelliShield Vulnerability Alert 22310, Version 7, April 28, 2011
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-0096

Microsoft Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary script in a user's browser session. Microsoft has confirmed the vulnerability in a security advisory; however, software updates are not yet available. Proof-of-concept code that demonstrates an exploit of the Microsoft Windows MHTML protocol handler script execution vulnerability is publicly available. IntelliShield has updated this alert to report an increase in intrusion prevention system activity that is related to the Microsoft Windows MHTML protocol handler script execution vulnerability.

Multiple Adobe Products SWF File Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 22909, Version 6, April 29, 2011
Urgency/Credibility/Severity Rating: 3/5/4

Multiple Adobe products contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on a targeted system. Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available. Adobe has released additional security bulletins and updated software to address the SWF file processing arbitrary code execution vulnerability.

LizaMoon SQL Script Injection Attacks
IntelliShield Vulnerability Alert 22869, Version 2, April 8, 2011
Urgency/Credibility/Severity Rating: 3/4/3

Multiple SQL script injection attacks have been detected. These attacks are designed to modify targeted sites and redirect users to malware distribution sites. A Cisco IPS signature that detects SQL script injection attacks is available.

RSA Breach Exposes SecurID Information
IntelliShield Vulnerability Alert 22689, Version 1, March 18, 2011
Urgency/Credibility/Severity Rating: 1/5/3

RSA has issued a security announcement about data compromises related to SecurID two-factor authentication products.

Multiple Apple Products Security Update on March 2, 2011
IntelliShield Vulnerability Alert 22583, Version 2, March 10, 2011
Urgency/Credibility/Severity Rating: 2/5/4
Multiple CVEs

Apple has released security notifications and updated software to address multiple Apple product vulnerabilities.

Linux Kernel video4linux and compat_mc_getsockopt() Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 21389, Version 13, March 9, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-3081

VMware has re-released a security advisory and updated software to address the Linux Kernel video4linux and compat_mc_getsockopt() privilege escalation vulnerability. Kernel.org has released a changelog and updated software.

EXIM Mail Transfer Agent Arbitrary Configuration Loading Root Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 22053, Version 5, April 15, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-4345

EXIM Mail Transfer Agent contains a vulnerability that can allow an attacker with shell access to gain elevated privileges. Updates are available. Exploitation of this vulnerability has been observed in conjunction with exploits for a vulnerability detailed in IntelliShield alert 22051 (CVE-2010-4344). CentOS has released updated packages to address the EXIM mail transfer agent arbitrary configuration loading root privilege escalation vulnerability.

Physical

There was no significant activity in this category during the time period.

Legal

There was no significant activity in this category during the time period.

Trust

Patterns of Fraud Point to Michaels Stores

The Michaels Stores account compromise initially reported to affect the Chicago area has now been expanded to over 20 states and 90 Michaels stores. The ongoing investigation links the fraud activity to point of sale (POS) Personal Identification Number (PIN) pads that are believed to have been exchanged for PIN pads that captured customers' card details. The fraudulent PIN devices are being removed from Michaels stores. The compromised PIN pads were identified after many customers reported fraudulent account activity, which led investigators to the Michaels stores.

IntelliShield Analysis: The credit card skimming scam affecting Michaels Stores is much larger than initially reported, and as a precaution, Michaels Stores is replacing virtually all of its POS devices. By rolling out Chip and PIN credit cards, banks would help combat this particular type of crime. Chip and PIN cards have their own weaknesses, but they would expose criminals to higher risk when stealing credit card details at the point of sale. This increased risk would likely deter some low-level criminals from attempting this kind of crime. One potential consequence of moving to Chip and PIN is that store staff could become a bigger target, as criminals may attempt to blackmail or coerce them into helping steal credit card information. Additionally, third-party organizations involved in processing credit card payments could also come under increased threat from criminals. Current magnetic stripe and Chip and PIN standards both have weaknesses that POS staff and security teams need to understand in order to establish procedures that mitigate those risks.

Identity

Report Investigates Exploitation of Children's U.S. Social Security Numbers

A recent report by NBC investigated techniques and targets that some criminals have turned to for perpetrating credit fraud. In this report, criminals are alleged to use predictable structures designed into the U.S. Social Security numbering scheme to determine a person's number while they are young, or even before they are born. Once a child's number is in their possession, criminals often have long periods of time to exploit their victim's credit rating before they are detected.

IntelliShield Analysis: While the NBC report mentions safeguards recommended by the credit agencies and the Federal Trade Commission, it also highlights some failed controls. For example, banks are cited as not always paying the fees required to match names to Social Security numbers. Further, the predictability inherent in the Social Security numbering scheme has been a known weakness for some time. Later this year, the U.S. Social Security Administration will be taking steps to randomize assigned numbers, which should assist in reducing such fraud. Organizations should consider this example not only a notice to review whether they are doing their part to reduce credit fraud, but also to consider weaknesses in other areas, especially long-term procedures, which may be vulnerable to exploitation due to technological or other systemic shifts. The bottom line to all the discussion of Social Security numbers is that they are widely used, known and available, and should not be solely relied upon for authentication.

Human

Protecting Children's Personal Information

In the past year, social networks have contributed to millions of cases of online malfeasance, such as identity theft, malware propagation, and cyber bullying, with many involving minors. Millions of individuals are victims of their own carelessness by freely posting information such as vacation plans and family photos on social networks, and by storing Personally Identifiable Information (PII) such as medical records and financial information on mobile devices.

IntelliShield Analysis: The increasing popularity of social networking sites is certainly understandable, as these sites enable families and friends to stay connected regardless of their physical proximity to each other. Unfortunately, many users are not aware or properly educated about what types of information should be shared, and with whom. It is highly recommended, especially in the case of minors, not to provide personal details such as gender, complete birth dates (including year of birth), home addresses, family photographs, and the names and locations of the schools the user is currently attending. In addition, there are settings in applications such as Facebook that can be used to limit the number of friends who are allowed to view your personal information. Many of the popular social networking sites have minimal requirements for limiting and verifying a user's age, placing the responsibility on the parent or guardian to protect children on these sites. One of the preferred account models for this is the parent/child account structure used by some Internet sites, which allows the parent to create an administrative-level account while minors have more limited user-level permissions on sub-accounts. This account structure allows the parent to control and, if needed, assist children with their accounts and site activity.

Geopolitical

Turkey Surges Ahead

The economy of Turkey is now the fastest growing in Europe, and among G20 countries, is second only to China in the pace of its expansion. Turkey emerged early from the global recession of 2008-2009, thanks to responsible stewardship by the ruling AKP party and strict financial management imposed by an earlier International Monetary Fund (IMF) package. With general elections approaching on June 12, 2011, major ratings agencies have signaled that they may upgrade Turkey's sovereign debt, a move that would make it easier for Ankara and private companies to borrow.

IntelliShield Analysis: Despite all of the positive economic news, there are at least three worrying macro trends whose management may define Turkey's prospects going forward. First is a trend away from fiscal responsibility, amplified by election season political imperatives. This may endanger the upgrade in Turkish sovereign debt, worsen inflation, and imperil continued growth. Second is the recent erosion in relations with EU member nations. This has been hastened by Western Europe's lack of enthusiasm to welcome Turkey into the EU club, and EU economic sluggishness, forcing Turkey to seek trade growth elsewhere. This trend is also complicated by recent NATO moves, including the Libya no-fly zone, which have been problematic given Turkey's desire to act as a mediator between the Arab world and the West. Third is the longevity of the AKP administration, whose 9-year run appears likely to be extended in June's elections. Some analysts argue that the long run is tempting the AKP to lapse into corruption and authoritarian policies. Information security professionals may wish to keep these risks in mind as technology companies line up for Turkish spending projects, including a proposed new canal to bypass the Bosporus Strait, and a multinational terrestrial data cable set to connect Asia with Western Europe by the end of the year.

Upcoming Security Activity

CiscoLive Bahrain: Postponed
HITBSecConf2011: May 17–20, 2011
23rd Annual FIRST Conference: June 12–17, 2011
CiscoLive 2011: July 10–14, 2011
Black Hat USA 2011: July 30–August 2, 2011
DEFCON 19: August 4–7, 2011

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit: Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit: Trial Registration

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
