Cyber Risk Report

November 7–13, 2011

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity for the period was increased due to large security updates from multiple, major vendors including Cisco, Microsoft, Adobe, Mozilla, Red Hat, IBM, and Apple. Additional security advisories were released by Novell for Zenworks, Oracle Sun for Apache, and HP for Data Protector.

Microsoft released their security bulletins for the month of November. The most significant of these is the TCP/IP vulnerability that was reported in Microsoft Bulletin MS11-083 and in IntelliShield alert 24490. The full details of the November release are available in the Cisco Event Response: Microsoft Security Bulletin Release for November 2011. In additional Microsoft-related activity, Microsoft released a security advisory reporting that because of improper Certificate Authority (CA) security practices at DigiCert Sdn. Bhd. (Digicert Malaysia), the CA trust has been revoked and these certificates have been invalidated via an update that was issued through the Windows Update service.

Cisco released multiple advisories and IntelliShield alerts reporting vulnerabilities in Cisco Unified Communications Manager, Unified Contact Center Express, Cisco IOS Software, and Cisco Telepresence System Integrator. These security advisories and IntelliShield alerts are available on the Cisco Security Intelligence Operations website.

Mozilla released Firefox 8 and 3.6.24 that correct multiple vulnerabilities, including four that are rated critical by Mozilla. Adobe release security advisories for Flash Player and Shockwave Player, and Red Hat and Apple released multiple security advisories to provide updates for the previously reported Oracle Java vulnerabilities.

New vulnerabilities were reported in BroadWin SCADA RPC Service WebAccess, multiple General Electric products, and Schneider Electric CitectSCADA. Industrial Control systems continue to see increasing levels of research and reporting, and in some cases an increasing risk to systems that may be publicly reachable.

In threat activity for the period, the Steam cloud-based game distribution and social networking service with over 1400 games and 35 million registered users reported that their user forum had been defaced and that intruders had accessed their database containing users' information. Steam posted a breach notification on their forum home page, and reported that evidence indicates only a few forum accounts were compromised, and that they have no evidence of credit card misuse. Steam is requiring forum users to reset their passwords, but is not forcing regular Steam account users to reset their passwords.

Brazil experienced a wide-spread DNS cache poisoning attack impacting multiple Internet service providers. The attack redirected users to websites that were hosting malicious code. The investigation indicates the DNS cache poisoning was initiated by an employee of a local service provider and that the employee was working with criminals in the coordinated attacks. In a similar criminal DNS redirection scheme, law authorities from multiple countries made multiple arrests in what is being called Operation Ghost Click. These criminals were using malware to infect a user's system with code that performed DNS redirection or replaced legitimate advertising with advertisements from the criminals. The DNS redirection and the replacement of advertisements allowed the criminals to collect advertisement funds for the user's visits.

As the holiday and shopping season approaches, employees are likely to use their business or personal systems, connected via the business network, to shop online. Users should be reminded of known threats during this time and avoid hyperlinks provided in e-mail messages sent from unknown or untrusted sources. Users should also avoid clicking on advertisements or coupon offers and are advised to go directly to the company's website to avoid these risks and only visit known and trusted websites.

IntelliShield published 127 events last week: 70 new events and 57 updated events. Of the 127 events, 82 were Vulnerability Alerts, 13 were Security Activity Bulletins, six were Security Issue Alerts, 22 were Threat Outbreak Alerts, three were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day Date New Updated Total
Friday 09/29/2007 5 23 28
Thursday 09/28/2007 8 10 18
Wednesday 09/27/2007 8 30 38
Tuesday 09/26/2007 14 12 26
Monday 09/25/2007 8 24 32
Weekly Total 43 99 142

 

Previous Alerts That Still Represent Significant Risk

Trojan: W32.Duqu
IntelliShield Vulnerability Alert 24425, Version 3, November 2, 2011
Urgency/Credibility/Severity Rating: 3/5/3

W32.Duqu is a remote access trojan that attempts to steal sensitive information, initiate remote application download, and provide back door access to a remote attacker. Virus definitions are available. IntelliShield has updated this alert to include information about a vulnerability in the Microsoft Windows platform that the W32.Duqu trojan could leverage to infect a targeted system. ICS-CERT has also released a security alert with additional information regarding this trojan.

Microsoft Windows TrueType Font Parsing Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 24500, Version 2, November 4, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-3402

Microsoft has released a security advisory to address the TrueType font parsing remote code execution vulnerability. Reports suggest that this vulnerability is being exploited by W32.Duqu to install itself on a targeted system. This trojan has been documented in IntelliShield Alert 24425. Microsoft has announced it is investigating this vulnerability. However, no official confirmation is available.

Apache HTTP Server Overlapping Ranges Denial of Service Vulnerability
IntelliShield Vulnerability Alert 24004, Version 17, November 4, 2011
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-3192

Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. Proof-of-concept code that exploits this vulnerability is publicly available. Apache has confirmed this vulnerability and updated software is available. Oracle and multiple additional vendors have released security advisories. HP has released an additional security bulletin.

Oracle Java SE Critical Patch Update October 2011
IntelliShield Vulnerability Alert 24433, Version 4, November 10, 2011
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2011-3389 , CVE-2011-3516 , CVE-2011-3521 , CVE-2011-3544 , CVE-2011-3545 , CVE-2011-3546 , CVE-2011-3547 , CVE-2011-3548 , CVE-2011-3549 , CVE-2011-3550 , CVE-2011-3551 , CVE-2011-3552 , CVE-2011-3553 , CVE-2011-3554 , CVE-2011-3555 , CVE-2011-3556 , CVE-2011-3557 , CVE-2011-3558 , CVE-2011-3560 , CVE-2011-3561

Oracle has released the Oracle Java SE Critical Patch Update for October 2011. The update addresses 20 new security vulnerabilities. An unauthenticated, remote attacker could leverage several of the vulnerabilities to completely compromise an affected system. Oracle, Red Hat, CentOS, and Apple have released updates.

Worm Targeting Vulnerable JBoss Application Server Installations
IntelliShield Vulnerability Alert 24445, Version 1, October 21, 2011
Urgency/Credibility/Severity Rating: 3/5/3

Multiple reports indicate a worm circulating in the wild is exploiting a patched vulnerability in JBoss Application Server, reported in IntelliShield alert 20397. Updates and instructions to mitigate the threat are available. This vulnerability was originally reported in april 2010.

Apache HTTP Server mod_proxy Module Information Disclosure Vulnerability
IntelliShield Vulnerability Alert 24327, Version 5, November 10, 2011
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-3368

Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to gain access to sensitive information. Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available. Apache, IBM, Red Hat, and CentOS have released security advisories and software updates.

FreeType PostScript Type 1 Font Parsing callothersubr Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 23602, Version 5, October 14, 2011
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2011-0226

FreeType versions prior to 2.4.5 contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional exploit code for this vulnerability is used publicly in conjunction with other vulnerabilities to provide web-based "jailbreak" capabilities for Apple iOS devices. Other sites or exploits may be able to repurpose this exploit code for malicious purposes. Apple, Red Hat and FreeBSD have released security updates.

Fraudulent Google Digital Certificates Could Allow Man-in-the-Middle Attacks
IntelliShield Vulnerability Alert 24031, Version 13, September 26, 2011
Urgency/Credibility/Severity Rating: 2/5/3

A fraudulent Google.com digital certificate was issued by a certificate authority. This certificate could allow an unauthenticated, remote attacker to access sensitive user data via a man-in-the-middle attack. This SSL certificate was issued by a trusted root certificate authority (CA). Multiple vendors have released security advisories and updates. IntelliShield has included information relating to affected Cisco products. Updated information is also available regarding Cisco IronPort Email Security Appliance firmware updates.

Adobe Flash Player AVM Stack Overflow Multiple Memory Corruption Vulnerabilities
IntelliShield Vulnerability Alert 24189, Version 3, November 9, 2011
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2011-2426 , CVE-2011-2427 , CVE-2011-2428 , CVE-2011-2429 , CVE-2011-2430 , CVE-2011-2444

Adobe Flash Player versions 10.3.183.7 and prior for Windows, Macintosh, Linux, and Solaris and Adobe Flash Player versions 10.3.186.6 and prior for Android contain multiple vulnerabilities that could allow a remote attacker to conduct a cross-site scripting attack, cause a denial of service (DoS) condition, bypass security restrictions, or execute arbitrary code on a targeted system. Adobe has released a security bulletin and updated software.

Microsoft SharePoint Server Contact Details Cross-Site Scripting Vulnerability
IntelliShield Vulnerability Alert 24068, Version 4, September 20, 2011
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-1891

Microsoft SharePoint Server contains a vulnerability that could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks. Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available. Microsoft has confirmed the vulnerability in security bulletin MS11-074 and released software updates. IntelliShield has updated this alert to report an increase in intrusion prevention system activity that is related to the Microsoft SharePoint Server Contact Details cross-site scripting vulnerability.

Microsoft Internet Explorer toStaticHTML Information Disclosure Vulnerability
IntelliShield Vulnerability Alert 23357, Version 3, September 13, 2011
Urgency/Credibility/Severity Rating: 3/5/2
CVE-2011-1252

Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to access sensitive information on a targeted system. Proof-of-concept exploit code is publicly available. This code could allow an attacker to convert existing functional cross-site scripting exploits into formats that bypass protections by exploiting this vulnerability. Updates are available. Microsoft has released an additional security bulletin and software updates to address the toStaticHTML information disclosure vulnerability in Microsoft SharePoint Services.

HTTPKiller: Apache HTTP Server Denial of Service Tool
IntelliShield Vulnerability Alert 23983, Version 3, August 26, 2011
Urgency/Credibility/Severity Rating: 3/5/3

A publicly available exploit tool that exploits a vulnerability in Apache HTTP Server could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected system. Apache has reported that active use of this tool has been observed. The vulnerability, exploited by the tool is documented in IntelliShield alert 24004.

CA ARCserve D2D Security Bypass Vulnerability
IntelliShield Vulnerability Alert 23735, Version 4, August 11, 2011
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2011-3011

CA ARCserve D2D contains a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and gain unauthorized access to a system. Functional code that demonstrates an exploit of this vulnerability is available as part of the Metasploit Framework. CA has confirmed this vulnerability and updates are available.

Multiple Oracle Products Authentication Bypass Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 22963, Version 2, August 8, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-0807

Oracle Sun GlassFish Enterprise Server and Sun Java System Application Server contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that demonstrates an exploit of this vulnerability is publicly available. Oracle has confirmed the vulnerability and released updated software.

Physical

Testing the National Emergency Alert System

On November 9, 2011, the Federal Communications Commission (FCC), along with the Federal Emergency Management Agency (FEMA) and National Weather Service ran a nationwide test of the Emergency Alert System (EAS). The EAS is operated at national, state, and local levels and is routinely tested at state and local levels, but has not been tested at the national level. The public warning system is supported by broadcasters of radio and television systems to provide public warnings and messages in a national, state, or local emergency such as severe weather and AMBER alert messages. The Emergency Alert System has gone through many changes over the years, replacing the Emergency Broadcast system, and is now part of the Integrated Public Alert and Warning System (IPAWS) under FEMA, in coordination with the FCC, and the National Weather Service (NOAA/NWS). This was the first test ever conducted of the nationwide system.
Read More
Additional Information
Additional Information

IntelliShield Analysis: The emergency warning system has gone through many changes over the years as changes to federal organizations, technologies, and legal requirements have evolved. Like the government, this is probably a good description of most of the businesses, organizations, schools, and technology environments over the years. What caught our attention was that the national system had never been tested. State and local systems are tested monthly and weekly respectively, and most frequently used for weather emergency messages. Initial reports indicate a 90 percent success rate for the test, while problems with broadcasts were reported in about 10 percent of the areas. Of further concern, this exercise only tested the communications systems, not a full response test of people, movements, lockdowns, agency coordination, etc. Organizations should work closely with their local emergency agencies and conduct these tests regularly, and consider the integration of available communications technologies to provide messages to their employees, visitors, and area. Organizations should consider that they actually have no plan or system until it has been tested and validated.

Legal

There was no significant activity in this category during the time period.

Trust

Public Cloud Hacking Finds Credentials

Researchers at the recent Hacking Halted security conference presented techniques to identify public cloud credentials, including access codes and secret keys. As the researchers included, the public cloud accounts normally require multiple authentication credentials, but also demonstrated they were able to collect all the required credentials to compromise an account. The techniques are based on fairly complex Google search hacking techniques that use complex strings to find the desired information. Read More

IntelliShield Analysis: Cloud security is top-of-mind for many organizations considering or already moving to public or private cloud services. As recommended, the basis for the cloud service is the agreement with the service provider, which requires close scrutiny regarding availability, security, accessibility, and all the factors that would normally be under the organization's controls, but in a cloud environment are now provided by the cloud service. As these services and agreements continue to develop, users will be faced with risk decisions on the levels of service provided, and the level of acceptable risk for the benefits provided by the cloud services. While this trend is only likely to continue to increase the amount of data and organizations using cloud services, the controls and security features available are also going to increase. Organizations should understand these current risk trade-offs, and consider the full range of cloud services and provider agreements available to find the best fit for their purposes. As with most developing services, the users are likely to be the drivers behind improving the services by requiring improvements from their providers.

Identity

There was no significant activity in this category during the time period.

Human

Social Engineering Capture the Flag Results

Defcon 19, an annual security conference, offered its second consecutive Social Engineering Capture the Flag (CTF) event. The event proposes a challenge to competitors with the focus of leveraging social engineering tactics to successfully obtain key company information from a list of prospective companies, with the ultimate goal of raising awareness of the threat impact social engineering has on organizations. Furthermore, the competition highlights the common tactics and aspects that social engineers employ. Following this year's competition, the results report which provides a debrief of the event, outcomes, and lessons learned, puts an emphasis on the techniques utilized, and the reasons why the respective techniques ultimately succeeded or failed. Read More

IntelliShield Analysis: Reports often target a specific audience, and based on the topical area have a self-imposed bias. However, with bias also comes an aspect of validity, hence this report is no different. This report stands out in a prominent manner due to its depth of detailed feedback, concise format, and viable information, specifically the highlighted findings in the output format of "information, vector, mitigation." The true benefit of this document is not the findings, but the feedback and solutions to aid those who face the challenges presented. The fact that the report noted that all the companies involved would have received a failing mark in a real social engineering penetration test should no doubt be an eye opener, not just for these organizations, but the many others that face the same challenges. A key point that is directly extrapolated from the report is "the content a company chooses to put on its website proves to be critical to overall security." The plethora of successful social engineering tactics highlights the many avenues for data loss, hence data loss prevention needs to remain at the forefront of an organization's security policy, and maintain a high level of attention with regard to risk assessments and analysis. Organizations should take a few moments to review the common tactics and successful solutions, note the vectors and most importantly the mitigation options that exist and work to incorporate them into their policies and security awareness activities.

Geopolitical

There was no significant activity in this category during the time period.

Upcoming Security Activity

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:
ASEAN Summit Bali: November 14–19, 2011
Thanksgivings Day (US): November 24–25, 2011
Al-Hijra/Muharram: November 26–December 24, 2011
COP-17 climate summit, Durban, SA: November 28–December 09, 2011

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.

Back to Top