Cyber Risk Report

May 10–16, 2010

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity was increased during the period because of the release of security advisories from multiple major vendors.  Microsoft released two security bulletins to address vulnerabilities in Outlook Express and Windows Mail and in Visual Basic for Applications.  Proof-of-concept exploit code is publicly available for the Outlook Express vulnerability.  Adobe released two security bulletins to address three vulnerabilities in Cold Fusion and 18 vulnerabilities in the Shockwave Player.  Cisco released a security advisory to address nine vulnerabilities in the PGW 2200 Softswitch series of products.  Additional updates were released for Red Hat Java Runtime Environment (JRE), Oracle MySQL, HP OpenView Network Node Manager, IBM Apache HTTP Server, and Apple Safari for Windows.

The Cisco IronPort Threat Operations Center released 21 Threat Outbreak Alerts, showing an increased level of spam activity for the period.  Many of the alerts indicate the continually evolving nature of spam, with minor changes to the socially engineered messaging and targeted groups.

Additional information was identified on the Kernel Hook Bypassing Engine exploit and reported in an update of IntelliShield alert 20433.  This exploit tool is able to bypass security software protections provided by host-based security software on Windows systems and execute arbitrary code with kernel privileges.  The exploit method affects multiple vendor products.

Multiple sources reported identifying botnet activity that is now targeting servers.  This could be a significant shift in botnet activity because most botnets rely on social engineering or infected website methods to exploit users' systems, not direct attacks on the systems.  The server compromises likely require direct attacks on the systems and could provide the botnets with substantially more processing power that could be used in denial of service attacks.

Multiple sources have also reported widespread attacks targeting WordPress websites across multiple hosting service providers.  The attacks appear to embed malicious code in the web pages and include sophisticated methods to hide the infection. Users of WordPress websites are advised to contact their hosting providers to check their web pages and are advised to update their sites to the latest WordPress version.

IntelliShield published 105 events last week:  53 new events and 52 updated events.  Of the 105 events, 75 were Vulnerability Alerts, three were Security Activity Bulletins, two were Security Issue Alerts, 21 were Threat Outbreak Alerts, three were Applied Mitigation Bulletins, and one was a Cyber Risk Report.  The alert publication totals are as follows:

Weekly Alert Totals

Day Date New Updated Total
Friday 05/14/2010 9 6 15
Thursday 05/13/2010 8 22 30
Wednesday 05/12/2010 24 5 29
Tuesday 05/11/2010 8 4 12
Monday 05/10/2010 4 15 19
Weekly Total 53 52 105

 

Significant Alerts for the Time Period

Kernel Hook Bypassing Engine Affects Multiple Security Applications
IntelliShield Vulnerability Alert 20433, Version 2, May 13, 2010
Urgency/Credibility/Severity Rating: 2/4/4

A security research team has created a tool that is able to bypass security software protections provided by host-based security software on Windows systems and execute arbitrary code with kernel privileges.

Previous Alerts That Still Represent Significant Risk

DNSSEC-Enabled Queries to the DURZ Serving Root May Affect DNS Services
IntelliShield Vulnerability Alert 20418, Version 1, May 3, 2010
Urgency/Credibility/Severity Rating: 2/5/3

DNSSEC-enabled queries to the root servers may be affected because the last (J-root) of the 13 root servers will begin serving the DURZ on May 5, 2010.

Microsoft SharePoint Server 2007 Cross-Site Scripting Vulnerability
IntelliShield Vulnerability Alert 20415, Version 2, April 30, 2010
Urgency/Credibility/Severity Rating: 2/5/3

Microsoft SharePoint Server 2007 versions SP2 and prior contain a cross-site scripting vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary HTML or script code in a user's browser.  Proof-of-concept code that exploits this vulnerability is publicly available.  Microsoft has confirmed this vulnerability, but software updates are not available.

McAfee VirusScan DAT Update May Cause Microsoft Windows System Failure
IntelliShield Vulnerability Alert 20375, Version 2, April 22, 2010
Urgency/Credibility/Severity Rating: 4/5/3

A McAfee DAT file that was distributed to VirusScan applications has caused errors on certain Microsoft Windows XP-based systems.  As a result of installing the 5958 DAT file and rebooting, systems may be rendered unusable.  McAfee has released a knowledgebase article with various workarounds.

Oracle Java Web Start Java Development Kit ActiveX Control Command-Line Injection Vulnerability
IntelliShield Vulnerability Alert 20314, Version 3, April 20, 2010
Urgency/Credibility/Severity Rating: 3/5/4

Oracle Java contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands on the system with the privileges of the user.  Systems with Oracle Java JRE and JDK 6 Update 10 and later contain the affected ActiveX control and are vulnerable.  Updates are available.

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 50, May 13, 2010
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-3555

Multiple Transport Layer Security (TLS) implementations contain a vulnerability when renegotiating a TLS session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack.  Proof-of-concept code that exploits this vulnerability is publicly available.  Mozilla and Oracle, in addition to other vendors, have released updates for this vulnerability.

Microsoft Internet Explorer Invalid Pointer Reference Access Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20052, Version 4, March 30, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-0806

Microsoft has re-released a security advisory and updated software to address the Microsoft Internet Explorer invalid pointer reference access arbitrary code execution vulnerability.  Functional exploit code is being used in ongoing exploits, and Microsoft has released a security bulletin and updated software.

Mozilla Firefox WOFF Decoder Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19968, Version 2, March 23, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-1028

Mozilla Firefox contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code.  Mozilla has confirmed this vulnerability and has released updated software.

Microsoft VBScript Unsafe Help File Handling Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20014, Version 3, April 13, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-0483

Microsoft has released a security advisory with information about affected products to address the Microsoft Internet Explorer unsafe help file handling arbitrary code execution vulnerability.  Proof-of-concept code that demonstrates code execution is available.

Physical

There was no significant activity in this category during the time period.

Legal

Payment Card Industry Security Standards Council Updates Requirements for 2011

The Payment Card Industry Security Standards Council has released a new standard for payment card devices.  The new standard is version 3.0 of the PIN Transaction Security (PTS) requirements.  One part of the new standard will require point-of-sale devices and unattended teller or payment devices to use secure reading and encryption of the card information and PIN. Another part of the new requirements is designed to strengthen security on wireless-based transactions.  The new requirements are set to become mandatory in 2011.  Read More

IntelliShield Analysis: Because of all the cases of card skimmers that are used to steal credit card information at unattended payment and teller sites, it comes as no surprise that the payment card industry is looking for ways to prevent this sort of activity from taking place.  The new rules would make it harder for criminals to use card skimmers to steal credit card information.  Another area of concern is wireless-based activities, and here the council is working to improve security as well.  The new rules will not be mandatory until 2011, which should give companies time to implement the rules before they go into effect.

Trust

Internationalized Domain Name Roll-Out Begins

The Internet Corporation for Assigned Names and Numbers (ICANN) has begun the roll-out of Internationalized Domain Names (IDNs) with the deployment of four Top-Level Domains (TLDs).  IDNs allow domain names to be represented using local alphabets. Previously, domain names were constrained to using the Latin alphabet.  The first three internationalized TLDs were created for Egypt, Saudi Arabia, and the United Arab Emirates; the TLD for the Russian Federation was deployed one week later on May 12, 2010.
Read More
Additional Information

IntelliShield Analysis:  The realization of IDNs will bring positives and negatives to both organizations and Internet users at large.  Being able to name and locate Internet resources using their primary language will remove an unnecessary barrier for Internet users, allowing them to connect with information and organizations more easily. However, this significant step forward also exposes a number of risks.  It is expected that many will rush to seize the opportunity and claim popular domain names in localized languages, possibly in conflict with existing names.  Furthermore, criminals will capitalize on the flexibility created by IDNs by providing authentic-looking but ill-intended services or using IDNs to undermine existing security tools and methodologies.  IDNs that are presented in a language that a user does not know present challenges, such as obscuring information about the destination of the URL from the user. These issues are similar to those of URL shortening services, such as TinyURL.com. However, there is not currently the same level of user awareness, and compensating tools are not available. Organizations are advised to raise internal awareness of IDNs and review their tools and processes while being mindful of the risks.

Identity

National Identity Register, National Identity Card System Scrapped in United Kingdom

A coalition government between the Conservative and Liberal Democrat parties was formed last week in the United Kingdom.  As the parties had outlined in policy statements prior to the election, they were both opposed to continuing the National Identity Register and national identity card program, for which staged deployments began last year.  Read More

IntelliShield Analysis:  National identity databases—particularly those that, like the U.K. system, include biometric information—are very attractive targets for criminals.  The detailed information, stored in a system that would eventually expand to almost every citizen in the United Kingdom, caused many individuals and advocacy groups to be concerned about privacy.  The program was also widely criticized for its far-reaching scope and for costs that, by some estimates, would expand to GBP£5.4 billion over 10 years.

The impending reversal in the U.K. policy toward national identity cards will cause the cancellation of a system that was in the process of deployment, and it could pose additional challenges for similar efforts in the United States and elsewhere.  Perhaps more than technical challenges, overcoming individual aversion to such a system is likely the biggest hurdle that the United Kingdom and others will face in future national identity programs.

Human

"Joke" Results in Conviction and Criminal Record for Twitter User

On January 13, 2010, British police arrested Paul Chambers as a result of a joke he posted on the social networking site, Twitter.  Chambers posted the following message because inclement weather disrupted services at Robin Hood airport: "Crap! Robin Hood airport is closed. You've got a week and a bit to get your **** together, otherwise I'm blowing the airport sky high!"  On May 10, 2010, the Doncaster Magistrates' Court in northern England found Chambers guilty under the Communications Act 2003.
Read More
Additional Information

IntelliShield Analysis:  The case of Paul Chambers should serve as a stark reminder to all users of social networking.  Anything a user posts could come back to haunt the user at a later date, often in unexpected ways.  Paul Chambers has suffered the embarrassment of an arrest at work as well as a search of his home.  Chambers must also pay a fine and legal fees.  Worst of all, Chambers now has a criminal record that could restrict his ability to travel and could harm his chances for future employment.  All of this is the result of a simple message posted on Twitter.  Other users should learn from this lesson and take great care when deciding what to share and how to share it on social networking sites.

Geopolitical

Standoff in Thailand Threatens Supply Chain, Prospects for Democracy

Antigovernment red-shirt protestors, who have been camped in central Bangkok since March, ignored government orders to evacuate over the weekend. Violent confrontations brought the casualty count to 36 deaths and at least 250 wounded, according to the BBC. Soldiers used tear gas, rubber bullets, and live rounds against protesters, who retaliated with homemade rockets and Molotov cocktails, according to a variety of reports.  Many protestors support ousted Prime Minister Thaksin Shinawatra and are calling for current Prime Minister Abhisit Vejjajiva to resign and call elections.  Vejjajiva at one point had offered elections in November, but the negotiations broke down when no agreement could be reached on who would take responsibility for a violent crackdown on protestors in April.  Saying that pro-red-shirt websites, television, and radio stations incite violence, the government has threatened to shutter many media outlets. This move has angered Thai citizens across the country.
Read More
Additional Information

IntelliShield Analysis:  The situation remains too fluid at this writing to make predictions about its resolution.  However, it appears that government-backed military forces are making inroads, by dint of their superior firepower, against the protestors. Relative peace may be restored to central Bangkok within a few days.  Until the red shirts' basic grievances are addressed, however, the political situation in Thailand will remain precarious.  The frustration threatens to spill over into neighboring countries like Malaysia, Indonesia, Myanmar, and the Philippines.  For information security specialists, the primary short-term concern is increased physical risk to employees and assets in the region, as well as the risk of disruptions to supply chains if air or maritime ports are closed.

Longer term, the upheaval may be emblematic of democratic movements across Southeast Asia, which have begun to support more open, prosperous economies.  Thailand's attempts to guide its constitutional monarchy through the current crisis will be watched closely by its neighbors.  A repressive crackdown on dissent runs the risk of sparking further backlash and encouraging the growth of violent extremism across the entire region, as well as weighing heavily on prospects for economic growth.

Upcoming Security Activity

AusCERT2010:  May 17–20, 2010
Gartner Security & Risk Management Summit: June 21–23, 2010
Cisco Live 2010 (Las Vegas): June 27–July 1, 2010
Black Hat USA (Las Vegas): July 24–29, 2010
DEFCON 18: July 29–August 1, 2010
BSides Las Vegas: July 28–29, 2010

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

World Expo (Shanghai, China): May 1–October 31, 2010
FIFA World Cup (South Africa): June 11–July 11, 2010
Poland Elections:  June 20, 2010
G20 Summit (Toronto, Canada): June 26–27, 2010

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.

Back to Top