Cyber Risk Report

November 12–18, 2012

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

The Microsoft Security Bulletins for November 2012 highlighted the vulnerability activity for the period. Microsoft released six security bulletins to address 19 vulnerabilities affecting Windows, Internet Explorer, .NET Framework, Internet Information Services (IIS), and Office. Four of the security bulletins, rated critical by Microsoft, corrected 13 vulnerabilities: two for Windows Shell, three for Internet Explorer, three for Windows kernel-mode drivers, and five for the .NET Framework. The .NET security bulletin is particularly complex and requires careful review by systems administrators before deployment in their environments. Cisco has released the consolidated and correlated IntelliShield alerts, intrusion prevention system (IPS) signatures, and an Applied Mitigation Bulletin in the Cisco Event Response: Microsoft Security Bulletin Release for November 2012.

Other activity included the reporting of functional exploit code for the Oracle Java Applet JAX-WS Class Processing Security Bypass Arbitrary Code Execution Vulnerability, reported in IntelliShield alert 27404. The vulnerability affects Oracle Java Runtime Environment (JRE) 7 Update 7 and prior, and a software update was included in the Oracle Java SE CPU October 2012. This vulnerability and the previously reported Oracle Java Security Manager Bypass Arbitrary Code Execution Vulnerability are included in exploit tool kits and actively being exploited. Users should update to Java Version 7 Update 9, and consider disabling the Java web plugin in their browsers to avoid attempted Java exploits. During the period, Red Hat released multiple security advisories and updates for Java on Red Hat products.

Skype released a security advisory for a vulnerability reported in the password reset feature on the Skype website. Skype temporarily suspended the reset feature and implemented an updated password reset process. While Skype reported that only a small number of its users were affected, and subsequently notified them, it is recommended that all Skype users reset their passwords. This vulnerability also highlighted a potential point of weakness wherever e-mail addresses are used as the user name alongside a password or other authentication measure. Because user names are easily identified, or guessed in many cases, the recommendation to use a "non-public" e-mail address for these accounts provides little additional protection and amounts to security through obscurity. Following password best practices to create a strong password, and implementing additional authentication methods such as two-factor authentication where available, are recommended to provide stronger protection for these accounts.

Adobe responded to a public posting by an attacker claiming that the Adobe Connectusers.com forum database had been compromised; the posting included a sample of the reported 150,000 compromised e-mail addresses and passwords. Adobe has confirmed the breach and reported that it has reset account passwords. This event and the attacker's posting illustrated the lack of password best practices that is too common across the Internet: storing passwords without salted hashes and multiple iterations, using MD5 despite its known weakness, and neglecting basic password creation best practices. On the last point of password selection and complexity, it is recommended that administrators implement password security controls that require users to create complex passwords, to avoid compromises through weak and common passwords.
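As an added illustration that is not part of the report, the following Python contrasts the weak storage practice described above (unsalted, single-round MD5) with a salted, iterated PBKDF2 record, and adds a simple complexity check of the kind administrators are advised to enforce. The sample credentials and the short common-password list are constructed for the example.

```python
import hashlib
import hmac
import os
import re

# Constructed sample credential for the example; not from any real breach.
SAMPLE_PASSWORD = "Correct-Horse-Battery-7"

# Constructed, deliberately tiny list of common passwords for the policy check.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def weak_md5_record(password: str) -> str:
    """Unsalted, single-round MD5, the practice the report warns against.
    Two users with the same password get the same record, so a leaked table
    exposes shared passwords and is trivially matched against precomputed lists."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = 200_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 record.
    Format (assumed for this example): pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>."""
    salt = os.urandom(16)  # per-user random salt: identical passwords give different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_record(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt and iteration count
    and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def password_policy_violations(password: str) -> list:
    """Return the list of complexity rules a candidate password fails (empty = accepted).
    The thresholds are assumptions for the example, not a standard."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    return problems


if __name__ == "__main__":
    print("md5 record   :", weak_md5_record(SAMPLE_PASSWORD))
    rec = make_record(SAMPLE_PASSWORD)
    print("pbkdf2 record:", rec)
    print("verify ok    :", verify_record(SAMPLE_PASSWORD, rec))
    print("policy check :", password_policy_violations("password") or "accepted")
```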

NASA reported a stolen laptop containing sensitive personally identifiable information (PII) for a large number of employees and contractors. Similarly, there have been recent events involving a U.S. Securities and Exchange Commission (SEC) laptop, previous NASA stolen laptops, and increasing crime statistics reporting the theft of mobile devices. As the number of stolen mobile devices continues to increase, full encryption of the device data can help limit the event to simply a stolen device rather than obtaining compromised sensitive data on the device.

Recently released reports for review include the McAfee Threats Report: Third Quarter 2012 and the Georgia Tech Emerging Cyber Threats Report 2013.

Anonymous announced an operation targeting the energy and oil industry named #OpFuelStrike, including a long list of potential targets of the attacks.

As the holiday shopping period approaches, highlighted in the United States by Black Friday on November 23 and Cyber Monday on November 26, organizations should consider increasing security awareness of current spam, phishing, and Internet scams that could lead to compromised systems and networks. Multiple security websites provide tips for online shoppers that can be used to increase awareness. Of particular concern this season are ensuring that browsers and Java software are updated to the latest versions; spam campaigns involving electronic invoices and billing, shipping notices, and false bank notifications with themes of approving or updating your account information; and SMS or text adware that targets users' smartphones. Users should be aware of security weaknesses in smartphones and are advised to use personal computers to benefit from the more secure browsers and security protections available on those systems and networks.

IntelliShield published 102 events last week: 54 new events and 48 updated events. Of the 102 events, 52 were Vulnerability Alerts, seven were Security Activity Bulletins, two were Security Issue Alerts, 37 were Threat Outbreak Alerts, three were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day            Date          New   Updated   Total
Saturday       11/17/2012      0         1       1
Friday         11/16/2012      3        10      13
Thursday       11/15/2012      5        11      16
Wednesday      11/14/2012     11         3      14
Tuesday        11/13/2012     28         6      34
Monday         11/12/2012      7        17      24
Weekly Total                  54        48     102


Significant Alerts for the Time Period

Oracle Java Applet JAX-WS Class Processing Security Bypass Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 27404, Version 1, November 13, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-5076
Oracle Java contains a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and execute arbitrary code on a targeted system. Oracle Java Runtime Environment (JRE) 7 Update 7 and prior are vulnerable. Oracle has released the Oracle Java SE CPU October 2012. Functional code that demonstrates an exploit of this vulnerability is available as a part of the Metasploit framework.

Previous Alerts That Still Represent Significant Risk

Oracle Java SE Critical Patch Update October 2012
IntelliShield Security Activity Bulletin 27210, Version 4, November 9, 2012
Urgency/Credibility/Severity Rating: 2/5/4
Oracle Java SE contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to bypass security restrictions, access sensitive information, execute arbitrary code, or cause a denial of service (DoS) condition on a targeted system. Reports indicate these vulnerabilities are being exploited successfully in the wild. Oracle, Apple, Red Hat, and IBM have released security advisories and software updates.

Financial Institution Websites Targeted by Distributed Denial of Service Attacks
IntelliShield Security Activity Bulletin 27076, Version 2, October 4, 2012
Urgency/Credibility/Severity Rating: 3/5/3
Websites owned by banks and other financial institutions continue to be targeted by distributed denial of service (DDoS) attacks, decreasing availability of those sites to legitimate customers. DDoS attacks may still be ongoing. Site administrators are advised to take steps to protect their Internet-facing web services. Cisco has released a guide to protecting environments against DDoS attacks at the following link: Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks. Cisco has released an Applied Mitigation Bulletin available at the following link: Identifying and Mitigating the Distributed Denial of Service Attacks Targeting Financial Institutions

Samba Marshaling Code Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 25650, Version 10, October 17, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-1182
Samba contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on an affected system. Functional code that demonstrates an exploit of the Samba marshaling code remote code execution vulnerability is publicly available. Samba has confirmed this vulnerability and released updated software. Samba, Apple, FreeBSD, HP, Oracle, and Red Hat have released security advisories. Oracle has re-released a security notification and patches.

Oracle Java Security Manager Bypass Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 26751, Version 10, October 19, 2012
Urgency/Credibility/Severity Rating: 4/5/4
CVE-2012-4681
Oracle Java contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that exploits the vulnerability is publicly available as part of the Metasploit Framework. The Blackhole toolkit is also reported to include an exploit, and multiple threats have been reported targeting this vulnerability. Oracle has confirmed the vulnerability and released software updates. Oracle, Apple, FreeBSD, Red Hat, IBM, and HP have released security advisories and updated software.

Oracle Java Multiple Unspecified Vulnerabilities Update
IntelliShield Security Activity Bulletin 26831, Version 5, October 19, 2012
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2012-0547, CVE-2012-1682, CVE-2012-3136, CVE-2012-4681
Java SE 7 Update 7 mitigates a widely reported vulnerability, CVE-2012-4681, as described in IntelliShield Alert 26751. The update also mitigates two remote code execution vulnerabilities that are due to unspecified errors in the affected software. The three vulnerabilities can be exploited only through untrusted Java Web Start applications and untrusted Java applets on client deployments of the affected software. In addition, a security-in-depth issue in the Abstract Window Toolkit (AWT) has also been addressed. Direct exploitation of the AWT security-in-depth issue is not possible; however, the issue can be used to aggravate security vulnerabilities that can be directly attacked. Oracle, Apple, Red Hat, and IBM have released security advisories and software updates. HP has released a security bulletin and updated software.

OpenSSL ASN.1 asn1_d2i_read_bio() Heap Overflow Vulnerability
IntelliShield Vulnerability Alert 25706, Version 18, October 12, 2012
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2012-2110, CVE-2012-2131
OpenSSL contains a vulnerability that could allow an unauthenticated, remote attacker to cause a DoS condition. Proof-of-concept code that demonstrates this vulnerability is publicly available. OpenSSL, FreeBSD, Red Hat, HP, Oracle, MontaVista, IBM, Balabit, and VMware have released security advisories and updates. MontaVista Software has re-released a changelog and updated software.

Microsoft Internet Explorer execCommand Method Use-After-Free Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 26936, Version 4, September 21, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-4969
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that demonstrates an exploit of this vulnerability is publicly available. Microsoft has released security advisory 2757760 and Security Advisory MS12-063 with updated software.

Physical

Austerity Protests Across The European Union

Multiple protests and strikes against the austerity measures took place in Italy, Spain, Portugal, France, Belgium, Greece, and other countries. Trade unions throughout these countries organized the largest protests, while less organized protests and marches were conducted across Europe in front of government buildings and embassies. Several of the protests turned violent in clashes with police, resulting in hundreds of injuries. Some businesses were shut down because of the direct effect of the union strikes; others shut down voluntarily in support of the protests or to avoid endangering the welfare of their businesses and employees near the protest areas.

IntelliShield Analysis: As the austerity measures continue to spread across Europe, these types of protests and interruptions will continue to impact businesses, travel, and government activity. While the protests have turned violent in some places, the protests and attacks have not significantly reached the Internet yet. As with many existing activist groups currently conducting defacements, denial of service (DoS) attacks, and attacks to capture and publicly post data, these physical austerity protests are likely to escalate and spread to the Internet. Businesses are advised not only to remain aware of the physical activity and its potential impact on their physical locations, but also to increase the monitoring of their Internet presence to protect their systems and networks.

Legal

U.S. President Issues Classified Cyber Security Directive

Reports from multiple sources announced that U.S. President Barack Obama has signed what is being called "Presidential Policy Directive 20," establishing the classified U.S. policy for cyber security. While the contents of the classified directive are not available, reports stated that the directive provides policy for how U.S. government agencies, particularly the military, will respond to cyber security events. Specifically, the directive is purported to address the use of offensive cyber operations, data privacy, and the use of network defenses across the government. Meanwhile, the U.S. Senate voted down the cyber security legislation that was supported by the President, likely ending the release of any new cyber security legislation from the U.S. House of Representatives.

IntelliShield Analysis: Discussion of cyber security legislation in the U.S. House of Representatives, and executive orders from the U.S. Administration, have been circulating for several months. It is interesting that the reported directive was classified, limiting its distribution and leaving many in the private sector to wonder what exactly the U.S. policy or actions will be. The United States, like many countries around the globe, continues to look toward more active or offensive cyber operations in defense of its networks and critical infrastructure, while many in the private sector continue to ask questions about attribution and the potential effectiveness of offensive operations. The Presidential classified directive does little to clarify the U.S. policy at home or abroad. Organizations are cautioned that any consideration or conduct of offensive cyber operations could place them in legal jeopardy at home and abroad.

Trust

Google Reports Increased Government Surveillance

The latest Google Transparency Report shows increasing requests from governments across the globe to remove or restrict Internet content and to provide user data. The latest report covers the period from January to June 2012, when over 20,000 requests were made for data on over 30,000 accounts. Requests to remove content also rose sharply in this period, from 1048 requests in the second half of 2011 to 1791 in the first six months of 2012. Google repeated that it is required to follow the law in the countries where it operates, but also that it does not comply with all requests.

IntelliShield Analysis: This report continues to be a strong indicator of the level of government action regarding Internet content. The requests reflect both the increasing number of law enforcement investigations of criminal activity and governments' awareness and monitoring of Internet content. While the requests cover a wide range of subjects, the largest categories range from defamation to copyright and trademark, and privacy and security requests. A current example is the reported blocking by China of all access to Google during the recent 18th Chinese Communist Party Congress. As governments continue to develop privacy, security, and intellectual property laws regarding Internet activity, users and businesses are likely to experience further government restrictions. Businesses and individual users need to remain aware of the increasing government activity to avoid violating government-imposed restrictions or becoming involved in investigations that negatively impact their business activities.

Identity

Early Lesson from the Petraeus Investigation

As the investigation of retired U.S. Army General and former Director of the U.S. Central Intelligence Agency David Petraeus continues to unfold, the case appears to offer several lessons on Internet activity and protecting sensitive personal information. Initial investigative reports suggest those involved took various, sometimes elaborate, steps to hide their activity and remain anonymous. While some involved in the case may have believed anonymity was possible, the investigation is proving otherwise.

IntelliShield Analysis: Needless to say, law enforcement conducting an official criminal investigation has extensive capabilities to acquire user information from service providers, website operators, and other sources through search warrants and forensic investigation of seized computer equipment. Counter to what many believe or have been told (on the Internet), and despite many skilled individuals' best efforts to hide their identity and activity, it is not easy to remain completely anonymous and hide activity on the Internet. Whether through a lack of technical understanding, a human or technical mistake, being socially engineered by another, data mining of publicly available information, or many other methods, it is difficult to hide your activity, your identity, and the traces of information that can lead back to you. Users should be advised that if they do something on the Internet that warrants an investigation, whether official or not, they will most likely be found, despite what they may have been told, including assurances from tools or applications that claim to provide anonymity.

Human

There was no significant activity in this category during the time period.

Geopolitical

Live-tweeting The War

Following an Israeli airstrike last week that killed a Hamas military commander, a new military confrontation between Israel and Hamas has begun in the Gaza Strip. The Israeli Defense Forces (IDF) and Hamas have taken the hostilities online as well, exchanging threats and making announcements via social media. The IDF announced the death of the Hamas leader via its Twitter feed, reportedly prior to any other official communication on the topic, with the phrase "Ahmed Jabari: Eliminated." Anonymous Internet activists have also joined the online hostilities, taking the role of unnamed vigilantes by calling for attacks against Israeli government websites and providing information for Internet users in the Palestinian Territories wishing to access the Internet despite wide connectivity problems.

IntelliShield Analysis: The social media dimension of this newest Israeli-Palestinian confrontation raises a number of issues for information security specialists. The exchange of threats between adversaries at the outset of hostilities (in this case, apparently involving the IDF and one or more non-state actors) is the latest signpost in the development of cyberspace as a theater of military activity. The now-familiar insertion of online activists claiming affiliation with the Anonymous group of hackers underscores the growing risk of asymmetric, non-state, and sometimes individual actors influencing the outcome of real-world military events. As this phenomenon evolves, at some point militaries may have to deal with them as battlefield enemies. From a business perspective, Brian Fung, writing for The Atlantic, notes that the apparent exchange of threats via social media probably violates the Terms of Service of Twitter and Facebook. He notes that Google took down a video of the deadly IDF airstrike that had been posted to YouTube. In the future, commercial content providers can probably expect to be drawn into political or even military disputes when they choose to remove, or to leave up, politically charged content. Removing content may raise freedom of speech questions, while looking the other way may be just as objectionable. There are few clear lines, but content providers, particularly social media sponsors, may want to spell out their rules as clearly as possible, using these recent events as guideline scenarios.

Upcoming Security Activity

Black Hat Abu Dhabi: December 3–6, 2012
Cisco Live London: January 28–February 1, 2013
ShmooCon: February 15–17, 2013
RSA Conference 2013: February 25–March 1, 2013
Cisco Live ANZ: March 5–8, 2013
Cisco Live US: June 23–27, 2013

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:

European Union Summit: December 13–14, 2012
South Korea Presidential Election: December 19, 2012
World Economic Forum: January 23–27, 2013

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
