October 10–16, 2011

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity for the period increased dramatically, primarily because of the scheduled Microsoft monthly updates and large security updates from Apple and VMware. Microsoft released eight security bulletins, addressing 23 vulnerabilities in multiple products. Two of the bulletins were rated critical, and three of the vulnerabilities have public proof-of-concept exploit code available. The full details of the vulnerabilities, protections, and mitigations are available on the Cisco Security Intelligence Operations website and in Cisco Event Response: Microsoft Security Bulletin Release for October 2011. Apple released multiple security advisories to address 98 individual vulnerabilities in iOS, iTunes, Safari, OS X, and Apple TV. The majority of the vulnerabilities continue to be related to open source software included in Apple products, including 79 associated with WebKit vulnerabilities.
Apple remains a bellwether for vendors and end users attempting to manage open source vulnerabilities. As Cisco noted in the 2010 Annual Security Report, the difficulty of managing products that may include numerous open source products and packages changes the granularity required for vulnerability management. Similarly, VMware released multiple security updates to address 50 vulnerabilities in the Linux kernel and other vulnerabilities that affect the ESXi and ESX products. This is another prime example of the difficulty of tracking and patching open source vulnerabilities in the products that bundle them. Researchers at DerbyCon presented an investigation of SCADA vulnerabilities they identified in software freely available on the Internet. The researchers have not released details of the vulnerabilities, but reportedly found over 250 vulnerabilities with little effort or complex analysis. They have turned the information over to US-CERT to coordinate reporting with the vendors.

IntelliShield published 234 events last week: 99 new events and 135 updated events. Of the 234 events, 170 were Vulnerability Alerts, 12 were Security Activity Bulletins, 18 were Security Issue Alerts, one was a Malicious Code Alert, 30 were Threat Outbreak Alerts, two were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals
Significant Alerts for the Time Period

Apache HTTP Server mod_proxy Module Information Disclosure Vulnerability
FreeType PostScript Type 1 Font Parsing callothersubr Arbitrary Code Execution Vulnerability
Apache HTTP Server Overlapping Ranges Denial of Service Vulnerability

Previous Alerts That Still Represent Significant Risk

Fraudulent DigiNotar Digital Certificates Could Allow Man-in-the-Middle Attacks
Adobe Flash Player AVM Stack Overflow Multiple Memory Corruption Vulnerabilities
Microsoft SharePoint Server Contact Details Cross-Site Scripting Vulnerability
Multiple Microsoft Products toStaticHTML Information Disclosure Vulnerability
HTTPKiller: Apache HTTP Server Denial of Service Tool
CA ARCserve D2D Security Bypass Vulnerability
Multiple Oracle Products Authentication Bypass Arbitrary Code Execution Vulnerability
Microsoft Windows Client/Server Run-time Subsystem Console Object Privilege Escalation Vulnerability
Mozilla Firefox and SeaMonkey Dangling Pointer Arbitrary Code Execution Vulnerability

Physical

There was no significant activity in this category during the time period.

Legal

German Authorities' R2D2 Trojan Opens Systems to Criminal Attacks

The Chaos Computer Club has reportedly captured and analyzed trojan malicious code that is being used by German authorities to perform lawful intercept of computer communications. The trojan reportedly collects and transmits screen captures and other data and reports the collected data to a server based in the United States, which may violate the strict European Union privacy laws. More notably, the trojan appears to have weaknesses that could allow other criminals to access and use the trojan to compromise the system on which the German authorities installed it.

IntelliShield Analysis: Aside from the legal questions on lawful intercept and privacy protections, the possibly greater risk associated with this incident is the poor quality of the trojan code used.
The researchers reported that the trojan does encrypt the collected data, but it uses a single, fixed encryption key shared by every installation. The trojan also reportedly has no authentication controls. The use of this poorly coded trojan by German authorities could open the monitored system to additional attacks and exploits. Criminals may be able to use the government-installed trojan to gain access to the system, download additional malicious software, and perform criminal activity, arguably enabled by the authorities' installation of the trojan.

Trust

There was no significant activity in this category during the time period.

Identity

Sony PlayStation Network Attack and the Improved Response

Sony reported a brute-force attack attempt that may have compromised 93,000 accounts on the PlayStation Network. The attack appears to have been quickly identified and controlled. Sony has reported locking the potentially compromised accounts and is forcing users to change their account passwords. The attack affected only a small number of accounts, and only a small number of those accounts showed possibly malicious activity.

IntelliShield Analysis: This activity from Sony should be a welcome improvement to users of these systems following the compromises of the PlayStation Network earlier this year. Sony has apparently tightened its security measures and is actively monitoring the accounts for malicious activity. Despite the apparently poor security measures and response during the earlier attacks, Sony seems to have learned from those events and improved both its security practices and its response measures. While the popular game networks will likely remain targets of attackers, the Sony security improvements less than 6 months after the previous compromises speak well for Sony's focus on improving its practices.

Human

Human Interaction Required

Microsoft released the Microsoft Security Intelligence Report (SIR) Volume 11, which includes a score of valuable metrics and statistics.
The data highlights the vulnerability and threat activity associated with Microsoft systems and provides analysis of the activity to identify attack and criminal trends.

IntelliShield Analysis: This is a long and detailed report from Microsoft, as are all of its Security Intelligence Reports, full of useful data and analysis. The one item that jumped out of the report regarding exploits is also a timely topic for October's Cyber Security Awareness Month: 44.8 percent of exploits involved human interaction, and 26 percent were related to attached devices, such as USB memory sticks. Taken together, that means over 70 percent of exploits could be avoided by relatively simple user practices. Additional technical controls, such as disabling links in e-mail, disabling autorun, and enabling security features in browsers, can reinforce those recommended user practices and further protect the systems. It is generally difficult to provide meaningful security metrics; however, this report is full of useful metrics and measures to pass on to users to raise their awareness.

Geopolitical

Keeping an Eye on the South China Sea

With the wind-down of the wars in Afghanistan and Iraq, U.S. Secretary of State Hillary Clinton spelled out a redirection of foreign policy focus toward the Asia Pacific region in an article published in Foreign Policy magazine last week. This repositioning is in line with her assertion last summer that maintaining freedom of navigation in South China Sea shipping lanes is in the U.S. national interest, and it is also a reminder of the rising strategic importance of the region, not only for the United States but for the world. More than half of global merchant fleet volume now transits the Straits of Malacca in the South China Sea, and most of it also passes by the contested Spratly Islands. Rising Asian demand for crude oil and raw materials accounts for much of the growth in traffic volume, which is already many times greater than Suez or Panama Canal traffic.
Raising the geopolitical stakes further, vast reserves of oil and gas are believed to lie beneath the Spratlys, which are claimed by China, Vietnam, Malaysia, the Philippines, and others.

IntelliShield Analysis: With the world's primary technology component sourcing and production hubs located in the region, multinational companies that consume or produce technology would be wise to keep an eye on the South China Sea. While many technology components are shipped by air, some technology companies are looking to save costs by increasing their use of sea freight. Air logistics hubs can also be affected if diplomatic rows lead to retaliatory overflight restrictions or tariffs. In terms of information security, spending on naval-oriented weapons and reconnaissance technologies around the world is likely to rise. Moreover, a variety of reports indicate that efforts by nation-states to work out their disputes are being complicated by website hacks and cyber attacks by nongovernment groups. All parties have an interest in maintaining peace and open shipping lanes for global commerce, but the sheer volume of traffic, the rate at which demand is growing, the increasing clout of Southeast Asian markets, and the complex interplay of multilateral players suggest that technology specialists should stay vigilant.
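Returning to the Identity item above on the PlayStation Network brute-force attempt: the response the report credits Sony with (spotting the password-guessing run quickly, then locking the accounts that may have been hit and forcing a password change) depends on a detection step that operators can implement over their own authentication logs. The following is an added example written for this report, not Sony's code or anything from the original. The log format, the thresholds, the account names and the addresses are all constructed assumptions; the two patterns it separates are a single source spraying guesses across many accounts (credential stuffing) and many guesses against one account (classic brute force), and the accounts it proposes to lock are those that saw a successful login inside the suspicious window.

```python
"""Brute-force / credential-stuffing detector over constructed auth log lines.

Added example; the log format, thresholds and sample data are assumptions,
not a real PlayStation Network log.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, result, account, source IP.
# 203.0.113.5 sprays guesses across many accounts and gets two logins (dave, grace).
# 198.51.100.9 hammers one account (heidi) and eventually succeeds.
# 192.0.2.77 is an ordinary user who mistyped a password once.
SAMPLE_LOG = """\
2011-10-11T02:00:01Z FAIL user=alice src=203.0.113.5
2011-10-11T02:00:02Z FAIL user=bob src=203.0.113.5
2011-10-11T02:00:03Z FAIL user=carol src=203.0.113.5
2011-10-11T02:00:04Z OK   user=dave src=203.0.113.5
2011-10-11T02:00:05Z FAIL user=erin src=203.0.113.5
2011-10-11T02:00:06Z FAIL user=frank src=203.0.113.5
2011-10-11T02:00:07Z OK   user=grace src=203.0.113.5
2011-10-11T02:00:10Z FAIL user=heidi src=198.51.100.9
2011-10-11T02:00:11Z FAIL user=heidi src=198.51.100.9
2011-10-11T02:00:12Z FAIL user=heidi src=198.51.100.9
2011-10-11T02:00:13Z FAIL user=heidi src=198.51.100.9
2011-10-11T02:00:14Z FAIL user=heidi src=198.51.100.9
2011-10-11T02:00:15Z OK   user=heidi src=198.51.100.9
2011-10-11T09:30:00Z FAIL user=ivan src=192.0.2.77
2011-10-11T09:30:40Z OK   user=ivan src=192.0.2.77
"""

WINDOW = timedelta(minutes=5)   # assumed sliding window for all thresholds
SOURCE_FAIL_THRESHOLD = 5       # failures from one source IP within WINDOW ...
SOURCE_DISTINCT_USERS = 3       # ... spread over this many accounts => stuffing
ACCOUNT_FAIL_THRESHOLD = 5      # failures against one account within WINDOW => brute force


def parse_log(text):
    """Parse the constructed log format into sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user_field, src_field = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ok": result == "OK",
            "user": user_field.split("=", 1)[1],
            "src": src_field.split("=", 1)[1],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def worst_window(events, window=WINDOW):
    """For one key's time-sorted events, find the window of length `window`
    with the most failures. Returns (failure count, accounts that failed,
    accounts that logged in successfully inside that same window)."""
    best = (0, set(), set())
    for i, start in enumerate(events):
        end = start["ts"] + window
        fails, failed_users, ok_users = 0, set(), set()
        for e in events[i:]:
            if e["ts"] > end:
                break
            if e["ok"]:
                ok_users.add(e["user"])
            else:
                fails += 1
                failed_users.add(e["user"])
        if fails > best[0]:
            best = (fails, failed_users, ok_users)
    return best


def detect(events):
    """Classify sources and accounts, and list accounts to lock and reset."""
    by_src, by_user = defaultdict(list), defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
        by_user[e["user"]].append(e)

    report = {"stuffing_sources": {}, "brute_forced_accounts": [], "lock_accounts": set()}

    # Many failures from one source across many accounts: credential stuffing.
    # Any account that logged in from that source during the run may be compromised.
    for src, evs in by_src.items():
        fails, failed_users, ok_users = worst_window(evs)
        if fails >= SOURCE_FAIL_THRESHOLD and len(failed_users) >= SOURCE_DISTINCT_USERS:
            report["stuffing_sources"][src] = {"failures": fails, "successes": sorted(ok_users)}
            report["lock_accounts"].update(ok_users)

    # Many failures against one account: brute force. Lock it if a success followed.
    for user, evs in by_user.items():
        fails, _, ok_users = worst_window(evs)
        if fails >= ACCOUNT_FAIL_THRESHOLD:
            report["brute_forced_accounts"].append(user)
            if user in ok_users:
                report["lock_accounts"].add(user)
    report["brute_forced_accounts"].sort()
    return report


if __name__ == "__main__":
    result = detect(parse_log(SAMPLE_LOG))
    print("stuffing sources :", result["stuffing_sources"])
    print("brute-forced     :", result["brute_forced_accounts"])
    print("lock and reset   :", sorted(result["lock_accounts"]))
```

On the constructed sample this flags 203.0.113.5 as a stuffing source, heidi as a brute-forced account, and proposes locking dave, grace and heidi while leaving ivan's single mistyped password alone. The two-threshold design matters: a per-account counter alone misses the spraying source, which never fails more than once against any one account, and a per-source counter alone would treat the brute force against heidi as stuffing and miss that the attempt succeeded.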
Upcoming Security Activity

National Cyber Security Awareness Month: October 2011

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Daylight saving time ends: November 6, 2011

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.