Cyber Risk Report

October 11–17, 2010

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity increased sharply during the period as a result of large security updates from Microsoft and Oracle. Microsoft released 16 security bulletins that addressed 49 individual vulnerabilities in Microsoft Office Word and Excel, Internet Explorer, Media Player for Windows 7 and Vista, and OpenType Font processing. Several of the vulnerabilities allow remote code execution, and vulnerabilities of this type have been widely exploited in the past. IntelliShield alerts, Cisco IPS signatures, an Applied Mitigation Bulletin, and a correlated Event Response related to the Microsoft release are available on the Cisco Security Intelligence Operations portal. As research on the Stuxnet worm continues to uncover technical details, Microsoft has now patched three of the four Microsoft vulnerabilities that the malicious code exploits.

In the same week, Oracle released a large Critical Patch Update to correct multiple vulnerabilities in Oracle and Sun products. The most impactful updates address 29 vulnerabilities in Sun Java packages, which are installed on many platforms and systems. As with the Microsoft vulnerabilities, Java vulnerabilities have been widely exploited in the past.

In addition to those large updates, other vulnerabilities were reported in SAP GUI and Crystal Reports, IBM Tivoli, and the Opera browser. A significant third-party vulnerability was also reported in Xpdf. Xpdf code is included in, or forked by, many UNIX, Linux, and open-source products, so a system may carry the affected code under a package name other than xpdf. IT security teams should carefully examine their assets, including products that bundle PDF rendering, to determine whether systems are affected by this vulnerability.

IntelliShield published 135 events last week: 88 new events and 47 updated events. Of the 135 events, 118 were Vulnerability Alerts, three were Security Activity Bulletins, two were Security Issue Alerts, nine were Threat Outbreak Alerts, two were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Friday        10/15/2010     8        20      28
Thursday      10/14/2010     8         3      11
Wednesday     10/13/2010    12        12      24
Tuesday       10/12/2010    55         7      62
Monday        10/11/2010     5         5      10
Weekly Total                88        47     135


Significant Alerts for October 11–17, 2010

Microsoft Internet Explorer Uninitialized Memory Access Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21508, Version 2, October 13, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-3328

Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.

Oracle Java SE and Java for Business JPEGImageWriter.writeImage Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21576, Version 2, October 15, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-3565

Multiple Oracle Java SE and Java for Business products contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code.

Previous Alerts That Still Represent Significant Risk

Adobe Reader and Acrobat CoolType.dll Remote Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 21341, Version 4, October 7, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-2883

Adobe Reader and Acrobat versions 9.3.4 and prior and versions 8.2.4 and prior contain a vulnerability that can allow an unauthenticated, remote attacker to execute arbitrary code on an affected system. Adobe has acknowledged that exploits for this vulnerability are occurring in the wild. Adobe has confirmed this vulnerability and released updated software. US-CERT has also released a vulnerability note to address this vulnerability.

Multiple Adobe Products Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21358, Version 5, October 7, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-2884

Red Hat has released an additional security advisory and updated packages to address the multiple Adobe products remote arbitrary code execution vulnerability.

Microsoft ASP.NET Information Disclosure Vulnerability
IntelliShield Vulnerability Alert 21398, Version 4, September 28, 2010
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2010-3332

Microsoft has re-released a security advisory with an updated workaround to address the ASP.NET information disclosure vulnerability.

bzip2 Integer Overflow Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21411, Version 2, September 29, 2010
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2010-0405

The bzip2 program contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the system. Updates are available.

Microsoft Windows .lnk File Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20918, Version 5, September 11, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-2568

Microsoft has released a security bulletin and updates to address the Windows .lnk file processing arbitrary code execution vulnerability. Functional exploit code that is a part of the Metasploit framework is publicly available.

Microsoft Windows Applications Insecure Library Loading Behavior
IntelliShield Vulnerability Alert 21215, Version 3, August 30, 2010
Urgency/Credibility/Severity Rating: 2/5/4

Microsoft has released a security advisory that details an application behavior that could affect a large number of Windows-based applications. An unauthenticated, remote attacker could exploit the behavior to execute arbitrary code with the privileges of the user running the affected application.

Multiple Vendor PDF Viewer /launch Program Execution Attack
IntelliShield Vulnerability Alert 20294, Version 3, August 20, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-1240

Adobe has released a security bulletin and updated software to address the multiple vendor PDF viewer /launch program execution attack.

Microsoft Windows .lnk File Vulnerability Used for Malware Outbreak Targeting SCADA Systems
IntelliShield Vulnerability Alert 20915, Version 6, August 27, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-2568

Microsoft has released a security bulletin along with software updates to address the vulnerability exploited by malicious software.

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 65, October 15, 2010
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-3555

Multiple Transport Layer Security (TLS) implementations contain a vulnerability when renegotiating a TLS session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Proof-of-concept code that exploits this vulnerability is publicly available. Red Hat has released an additional security advisory and updated packages to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.
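The fix for CVE-2009-3555 on the server side is RFC 5746, which adds a renegotiation_info extension (type 0xff01) to the ServerHello; a server that does not send it has not implemented secure renegotiation. The following is an added example, not code from the Cisco report or from any TLS library: it parses a ServerHello record and classifies the server. The sample records are constructed fixtures built by build_server_hello() rather than captured traffic, and the function names are this example's own.

```python
"""Check a TLS ServerHello for the RFC 5746 renegotiation_info extension,
the server-side fix for the renegotiation MITM flaw (CVE-2009-3555).

Added example; not code from the Cisco report. The records produced by
build_server_hello() are constructed fixtures, not captured traffic.
"""
import struct

RECORD_HANDSHAKE = 0x16        # TLS record content type: handshake
HANDSHAKE_SERVER_HELLO = 0x02  # handshake message type: ServerHello
RENEGOTIATION_INFO = 0xFF01    # extension type assigned by RFC 5746


def _u16(buf, pos):
    """Big-endian uint16 at pos, refusing to read past the end of buf."""
    if pos + 2 > len(buf):
        raise ValueError("truncated at offset %d" % pos)
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def parse_server_hello(record):
    """Parse one TLS record holding a ServerHello.

    Returns {"version", "cipher_suite", "extensions"}; extensions maps
    extension type -> raw data. Malformed or truncated input raises
    ValueError instead of being reported as "no extensions".
    """
    if len(record) < 5 or record[0] != RECORD_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + _u16(record, 3)]
    if len(body) != _u16(record, 3):
        raise ValueError("truncated record")
    if len(body) < 4 or body[0] != HANDSHAKE_SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated handshake message")

    version = _u16(hello, 0)
    pos = 2 + 32                       # skip server_random
    if pos >= len(hello):
        raise ValueError("truncated before session_id")
    pos += 1 + hello[pos]              # skip session_id
    cipher_suite = _u16(hello, pos)
    pos += 2
    if pos >= len(hello):
        raise ValueError("truncated before compression_method")
    pos += 1                           # skip compression_method
    extensions = {}
    if pos < len(hello):               # extensions block is optional; pre-RFC 5746 servers omit it
        end = pos + 2 + _u16(hello, pos)
        pos += 2
        if end != len(hello):
            raise ValueError("extensions length mismatch")
        while pos < end:
            etype, elen = _u16(hello, pos), _u16(hello, pos + 2)
            pos += 4
            if pos + elen > end:
                raise ValueError("extension %#06x overruns block" % etype)
            extensions[etype] = hello[pos:pos + elen]
            pos += elen
    return {"version": version, "cipher_suite": cipher_suite, "extensions": extensions}


def secure_renegotiation_status(record):
    """Classify the first ServerHello of a connection against CVE-2009-3555.

    'rfc5746'    renegotiation_info present with the initial-handshake value
                 (a single zero length byte): the server implements RFC 5746.
    'legacy'     extension absent: the server does not implement RFC 5746
                 (assuming the client offered it). Only safe if the server
                 refuses renegotiation altogether.
    'unexpected' extension present with other contents: either this is a
                 renegotiation handshake (verify_data present) or the server
                 is broken; inspect by hand.
    """
    data = parse_server_hello(record)["extensions"].get(RENEGOTIATION_INFO)
    if data is None:
        return "legacy"
    return "rfc5746" if data == b"\x00" else "unexpected"


def build_server_hello(extensions, version=0x0303):
    """Construct a ServerHello record as a test fixture (not captured traffic).

    extensions: None for a legacy server that sends no extensions block,
    otherwise a dict of extension type -> data.
    """
    server_random = bytes(range(32))          # fixed bytes: fixture, not real randomness
    hello = struct.pack("!H", version) + server_random
    hello += b"\x00"                          # empty session_id
    hello += struct.pack("!H", 0x002F)        # TLS_RSA_WITH_AES_128_CBC_SHA
    hello += b"\x00"                          # null compression
    if extensions is not None:
        blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions.items())
        hello += struct.pack("!H", len(blob)) + blob
    handshake = bytes([HANDSHAKE_SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([RECORD_HANDSHAKE]) + struct.pack("!HH", version, len(handshake)) + handshake


# Constructed fixtures: a patched server, an unpatched one, and an unpatched
# one that sends other extensions (server_name) but not renegotiation_info.
PATCHED_HELLO = build_server_hello({0x0000: b"", RENEGOTIATION_INFO: b"\x00"})
LEGACY_HELLO = build_server_hello(None)
LEGACY_WITH_EXTENSIONS_HELLO = build_server_hello({0x0000: b""})

if __name__ == "__main__":
    for name, rec in [("patched", PATCHED_HELLO), ("legacy", LEGACY_HELLO),
                      ("legacy+ext", LEGACY_WITH_EXTENSIONS_HELLO)]:
        print(name, secure_renegotiation_status(rec))
```

Against a live server the same signal is visible in the output of openssl s_client -connect host:443, which prints "Secure Renegotiation IS supported" or "IS NOT supported". Two caveats apply to either check: the server only sends the extension when the client offered it (via the extension or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value), and a server that has renegotiation disabled outright is not exploitable even though it reports as legacy.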

Physical

Dubai Assassination Investigation Ongoing, Facing Significant Challenges

Police agencies around the world rushed to examine evidence and leads following the January killing of Mahmoud al-Mabhouh in a Dubai hotel. Despite a herculean effort (10,000 hours reviewing security tapes from over 1500 Dubai locations, tracking electronic payments, and more), arrests and investigations have all seemed to stall or fail to result in substantial progress. Despite these delays, the investigation continues; days after the Wall Street Journal reported that the investigation seemed stalled, another arrest was made in connection with the case. This issue was first covered in the Cyber Risk Report during the February 15-21, 2010 period.

IntelliShield Analysis: The details of this investigation illustrate both the power and the limits of detective controls. Correlating video sources not only produced a suspect list but also yielded information about a potential getaway vehicle: authorities noticed the suspects approach, and then quickly back away from, a vehicle, suggesting that they had mistaken it for one they were expecting. Such details gave investigators a substantial foundation. Even so, extensive and at times overwhelming surveillance has not produced a lasting result for the Dubai authorities. Detective controls gave the case greater visibility, but without preventive controls, and possibly because of the sheer volume of information to review, the suspects remain at large; although an arrest has recently been made in connection with the case, leads have not produced results. Organizations should weigh both the benefits and the limitations of each control when structuring information security and physical security plans.

Legal

Payment Card Industry Security Standards Council Releases Point-To-Point Encryption Initial Guidance

The Payment Card Industry (PCI) Security Standards Council (SSC) has released initial guidance regarding the use of point-to-point encryption (P2PE) in merchant environments. The document does not extend the existing PCI Data Security Standard (DSS) but rather provides a roadmap for potential inclusion in later standards. The PCI SSC will continue evaluation of P2PE and consider its use in future standards.

IntelliShield Analysis: The roadmap provided by the Council promises easier PCI DSS adoption in some environments. When cardholder data is encrypted in the payment terminal and the merchant holds no decryption keys, the merchant systems that handle only the encrypted data cannot recover cleartext cardholder data, and the roadmap indicates that such systems could be removed from the scope of the merchant's PCI DSS assessment; the encrypting terminals themselves and the environment where data is decrypted remain in scope. As a result, merchants could deploy PCI DSS-compliant point-of-sale environments with far less effort by using P2PE-capable devices. Incorporating P2PE into the PCI DSS could drive adoption, reduce the complexity of compliance, and increase the protection of consumer data.

Trust

There was no significant activity in this category during the time period.

Identity

There was no significant activity in this category during the time period.

Human

Website "Scraping" Impacts Privacy

Recently, a large media-research firm was discovered collecting, or "scraping," private messages from a medical website made up of support groups for private discussions. Many forum participants had discussed personal matters under the assumption that their conversations were private. The site uncovered the data collection with automated software that identifies unusual activity. Members took a variety of actions after the discovery, including deleting all of their previous posts and identities. The media-research firm subsequently discontinued the practice, but other companies perform similar collection, some of which correlate user pseudonyms with real user identities.

IntelliShield Analysis: Maintaining a presence on the Internet means giving up some amount of privacy. Marketing firms are identifying new ways to leverage the information store that is the Internet. Currently, there is no United States law that requires a website to remove personal data at the request of the data owner. A poster should assume that anything uploaded to the Internet becomes something of a permanent record. Pseudonyms help only partially: to resist correlation, a distinct pseudonym would be needed for each discussion group, and the originating IP address would need to be hidden by an anonymizing service such as Tor.

Geopolitical

Google Price Index Suggests Future of Economic Data

Google is using its vast data resources to create a price index to track inflation, according to Google chief economist Hal Varian. The Google Price Index (GPI) uses web shopping data to create a daily index of price trends that could rival the official Consumer Price Index (CPI). The longstanding CPI is still compiled from data collected from thousands of businesses and is published monthly, with a lag of several weeks. Google has not yet decided whether to publish its index, which could forecast economic data ahead of the release of official figures. Varian noted that current GPI numbers indicate a clear deflationary trend for United States consumer spending and a slight inflationary trend in the United Kingdom.

IntelliShield Analysis: As business transactions increasingly take place online, Google's experimental price index provides a glimpse into the likely future of economic data that is faster and cheaper to compile than before. In addition to inflation data, other economic trends, such as consumer confidence, could also be measured online in real time. At the same time, Google acknowledges that online purchasing provides only one aspect of the larger picture, as many kinds of purchases, services, small parts, and other transactions still occur primarily in the "brick-and-mortar" world. There is some risk that economists and stock traders may allow early indicators of a trend to drive decisions and thereby distort markets. Still, online data like the GPI will be used to augment traditional statistics, providing an early estimate of trends that can later be verified or adjusted with a broader data set. In the long run, hand-collected data will probably be regarded much like telephone books, as the Internet quite simply provides better, faster, and cheaper ways to complete essential tasks.

Upcoming Security Activity

Cyber Security Awareness Month: October 2010
InterOp NY: October 18–22, 2010
Toorcon San Diego: October 22–24, 2010
CSI 2010: October 26–29, 2010
USENIX LISA: November 7–12, 2010
Black Hat Abu Dhabi: November 8–11, 2010

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

World Expo (Shanghai, China): May 1–October 31, 2010
United States Elections: November 2, 2010

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
