November 30–December 6, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity increased during this period because of continued vendor responses to previously released vulnerabilities and increased threat activity tied to the higher levels of online shopping and searching at this time of year. This year's Cyber Monday (November 30, 2009) online shopping levels reportedly increased by eight percent over 2008 levels. Along with that increase, criminal activity and malicious content aimed at Cyber Monday shoppers also increased. Recent weeks have seen a rise in Zeus botnet activity in the form of H1N1 spam; Koobface circulations with a Santa reference; attempts by the Oprachki trojan to compromise and hijack users' search activity; and fraudulent Microsoft Security Update spam messages. Users should be aware of the increased levels of criminal activity and use additional caution during this time of year.
US-CERT has released Vulnerability Note #261869 to address an SSL-based Clientless VPN vulnerability that could affect numerous vendor products. No fix is available for this potential vulnerability, but multiple mitigations can be applied to prevent violations of trusted-domain boundaries. Users and administrators are advised to apply these mitigations to limit the potential for exploitation. This potential vulnerability was reported in IntelliShield alert 19500.

Microsoft released the Microsoft Security Bulletin Advance Notification for December 2009, which includes six bulletins: three rated Critical and three rated Important. The bulletins affect multiple Windows operating systems and Microsoft Office products.

Cisco will release the Cisco 2009 Annual Security Report on December 8, 2009. In a live broadcast, Cisco security executives and researchers will discuss findings from the report and review security trends over the past year and their implications for the future. The Internet TV broadcast will air at 8:00AM Pacific Time (GMT-9) and can be accessed at the following link: 2009 Cisco Annual Security Report Live Broadcast

IntelliShield published 113 events last week: 32 new events and 81 updated events. Of the 113 events, 94 were Vulnerability Alerts, six were Security Activity Bulletins, eight were Security Issue Alerts, and five were Threat Outbreak Alerts. The alert publication totals are as follows:

Weekly Alert Totals

2009 Monthly Alert Totals
Significant Alerts for November 30–December 6, 2009

Microsoft Internet Explorer Cascading Style Sheets Remote Code Execution Vulnerability
Microsoft Internet Explorer versions 6 and 7 contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code. Proof-of-concept code is publicly available.

Microsoft Windows SMB Client Remote Denial of Service Vulnerability
Microsoft Windows Server 2008 R2 and Windows 7 contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. Exploit code is publicly available. Microsoft has confirmed this vulnerability, but updates are not available.

Previous Alerts That Still Represent Significant Risk

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
Multiple TLS implementations contain a vulnerability in the renegotiation of a Transport Layer Security (TLS) session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Multiple vendors have released updates to correct this vulnerability. Proof-of-concept code that exploits this vulnerability is publicly available.

Gumblar Malicious Code Adopts Additional Exploit Methods
Reports indicate additional activity related to the Gumblar malicious code.

Microsoft Windows SMB2 Remote Code Execution Vulnerability
Microsoft Windows Vista SP2 and prior and Windows Server 2008 contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code. Microsoft has released a security advisory and updated software to address the Microsoft Windows SMB2 remote code execution vulnerability. Functional exploit code is publicly available.
Microsoft Internet Information Services FTPd Remote Buffer Overflow Vulnerability
Microsoft IIS versions 5.0, 5.1, and 6 contain a vulnerability in the FTPd service that could allow an authenticated, remote attacker to cause a DoS condition or execute arbitrary code with elevated privileges. Microsoft has released a security bulletin with software updates to address the Microsoft Internet Information Services FTPd remote buffer overflow vulnerability.

Microsoft Visual Studio Active Template Library Uninitialized Object Vulnerability
Microsoft Visual Studio Active Template Library contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has released a security bulletin and software updates to address the Microsoft Visual Studio Active Template Library uninitialized object vulnerability in Microsoft Windows.

Microsoft Office Web Components ActiveX Control Arbitrary Code Execution Vulnerability
Microsoft Office Web Components contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. This vulnerability is due to an unspecified error in the Office Web Components ActiveX control. Reports indicate that exploits of this vulnerability are ongoing. Additional technical information is available that details the Microsoft Office Web Components ActiveX control arbitrary code execution vulnerability. IntelliShield has re-released this alert to clarify the availability of software updates.

Physical

United Nations Climate Change Summit Protests

The United Nations Climate Change Conference is being held in Copenhagen, Denmark from December 7–18, 2009. The conference will host international leaders to discuss ways to reduce greenhouse emissions and other actions related to climate change.
During the summit, several groups, including Climate Collective, Climate Justice Action, and Never Trust A Cop, will be staging protests to voice their demands regarding climate change.

IntelliShield Analysis: When large and conflicting groups of people gather to stage protests, the risk of disorder and violence increases. At least one of the protest groups plans to engage in civil disobedience by gathering in the conference hall and disrupting the proceedings. Other tactics will likely include carrying signs near the summit location and the nearby hotels where participants will be staying. Security will be tight and police presence prevalent. The risk of confrontation between protestors and law enforcement will be high. It will be important for law enforcement to secure and maintain electricity for the event and to keep necessary roads open for traffic to and from the conference. Law enforcement should also consider the potential for protestors to use Web 2.0 technologies to assemble flash mobs and outmaneuver security forces, as has been the case in past protest events.

Legal

Viviane Reding Chosen to Amend European Union Data Protection Laws

The new European Union (EU) Commissioner for Justice, Fundamental Rights, and Citizenship, Viviane Reding, will amend the EU's Data Protection Laws in 2010. In her previous position as Commissioner for Information Society and Media, Ms. Reding was notable for drastically decreasing the cost of cellular roaming. Her most notable success during that tenure was the revision of the EU's telecom laws, which included a section on network neutrality. The 1995 Data Protection Directive regulates the processing of personal data, but it does not specifically address instances of accidental information disclosure.

IntelliShield Analysis: The Data Protection Directive is due for a revision because several now-common issues are not addressed in the current law.
Changes to the law will likely include data disclosure penalties for entities that inadvertently disclose information or have information disclosed during hacking episodes. Such entities will also likely be held responsible for notifying affected individuals. In previous years, the EU maintained strict individual privacy protections, but anti-terror initiatives, financial fraud, and copyright and intellectual property infringements have resulted in increased support for law enforcement. The forthcoming amendments will be of interest to both individuals and organizations, because the changes in law will affect business policies and procedures with respect to liability to customers.

Trust

Google Announces Modification to First Click Free Program

Google has announced changes to the First Click Free program, which allows publishers whose pages appear in Google search results to limit the amount of content users can access for free. Previously, the feature allowed users to access a page on the first visit, but subsequent clicks on the site would bring up a registration page. The program update allows site owners to limit the number of free clicks allowed per day. As a result, users may still receive five free clicks on a given site per day, but on the sixth click, the user may be presented with a registration or subscription page.

IntelliShield Analysis: Google has long combated the phenomenon of cloaking, the practice of presenting different pages to the user than those found by the web crawler. Although Google differentiates between the new First Click Free features and cloaking, the practice can be seen as deceptive. Even though publishers may flock to the model, users may resent the additional controls. Search engine users may purposefully avoid subscription content that is labeled as such in search results. However, the model could allow content owners greater control over access to their content from referrers.
Identity

Tools Emerging to Correlate Open-Source Intelligence

Open-source intelligence (OSINT), the collection and analysis of information from public sources, has long been supported by custom tools and techniques. In the past few years, powerful and readily available commercial tools have been emerging and improving to bring OSINT to individuals and organizations with more modest budgets. These tools map the connections between identifying pieces of data, such as IP addresses, e-mail addresses, names, phone numbers, and aliases. From that, users of these tools can easily see relationships that are not obvious from raw or diffuse data.

Human

There was no significant activity in this category during the time period.

Geopolitical

Iran Crackdown Broadens Through Social Media

An Iranian prison torture whistleblower died after eating a poisoned salad in early November. Stories of this sort that detail the political crackdown in Iran following this summer's disputed presidential elections are disturbing, but not unique. However, the Wall Street Journal last week reported that an Iranian-American living in the United States received an ominous e-mail saying that his relatives in Tehran would be harmed if he continued to criticize the regime on his Facebook page. Shortly thereafter, he learned that his father, who lives in Tehran, had been arrested. During the arrest, his father was told that his son could not safely return to Iran. According to the Journal, the incident appears to be part of a larger crackdown by the regime in Tehran against the Iranian diaspora.

IntelliShield Analysis: Faced with a major political crisis, the regime in Tehran may have concluded that maintaining control requires quieting the global conversation taking place on social media and through electronic communications.
The information revolution has made it easier for individuals to make their voices heard, but it has also made it easier for those individuals to be identified and intimidated. It appears that social media will become a familiar arena for repressive regimes to identify, track, and pressure activists regardless of geographical location. For information security specialists, this incident may raise brand protection concerns if a service provider is accused of failing to take reasonable steps to protect its customers from this sort of intimidation.

Upcoming Security Activity

Cisco Annual Security Report 2009: December 8, 2009

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Copenhagen Climate Change Summit: December 7–18, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.