Cyber Risk Report

September 12–18, 2011

The IntelliShield Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. The Cyber Risk Reports are a result of collaborative efforts, information sharing, and collective security expertise of senior analysts from Cisco security services that include the IntelliShield team (IntelliShield Alert Manager, Applied Intelligence, and IPS), ROS, PSIRT, the Corporate Security Programs Organization, and Legal Support.

Vulnerability

Vulnerability activity for the time period increased after previous low levels. The increase was primarily due to scheduled security releases from Microsoft and Adobe. Additional highlights for the period included a Google Chrome update that corrects multiple vulnerabilities (reported in IntelliShield alert 24161), the release of Apache version 2.2.21 that corrects the Apache HTTP Server Overlapping Ranges Denial of Service Vulnerability (reported in IntelliShield alert 24004), and the posting of multiple Industrial Control System/SCADA vulnerabilities by a researcher (including proof-of-concept code), who did not report to or coordinate with impacted product vendors.

As part of their monthly release, Microsoft published five security bulletins that address 15 vulnerabilities in Microsoft Office, Excel, SharePoint, and Windows. Cisco published the Cisco Event Response: Microsoft Security Bulletin Release for September 2011 to correlate Microsoft bulletins to individual IntelliShield alerts, Cisco IPS signatures, and Cisco mitigation information. All related content is available on the Cisco Security Intelligence Operations portal, including a video that shares brief highlights and analysis of the security bulletins. On the same day, Adobe released the September 2011 security update to address multiple vulnerabilities in Reader and Acrobat. The Adobe release was reported in IntelliShield alert 24143.

During the time period, Cisco released security advisories to address vulnerabilities in Cisco Unified Service Monitor, Cisco Unified Operations Manager, and CiscoWorks LAN Management Solution. These vulnerabilities were reported in IntelliShield alert 24097. IntelliShield alert 24031 was also updated to include additional Cisco products that are impacted by man-in-the-middle attacks that leverage fraudulent DigiNotar certificates.

The breach of kernel.org remains under investigation as related Linux project web servers and systems are being scrutinized for possible compromise. Many websites remained unavailable throughout the time period. Kernel.org has reported that the code base for the Linux Kernel does not appear to have been compromised.

In malware activity for the period, BitTorrent reported an attack and compromise that allowed its download sites to briefly serve malicious code to visitors. The compromise was corrected within hours of the report. Malware researchers also reported the identification of the Mebromi trojan, which may be the first BIOS trojan observed in the wild. Although earlier examples and proof-of-concept BIOS trojans have been identified, Mebromi appears to be the first functional example found on infected systems. A new version of SPITMO, the SpyEye malware adapted for mobile devices, was also identified during the time period. The new version includes multiple exploits for Android smartphones and highlights the continued criminal focus on developing malware for smartphones and mobile devices.

Cisco is scheduled to release the semiannual Cisco IOS Software Security Advisory Bundled Publication on September 28, 2011. This is the primary Cisco IOS Software update for 2011, as the March update was postponed in response to the earthquake and tsunami in Japan.

As a reminder, Network World recently published a feature article providing an overview of Cisco Security Intelligence Operations, including information on its many technologies and teams. An accompanying blog post is available on the Cisco Security Blog. October is National Cyber Security Awareness (NCSA) month, and the Cisco Security Blog will post daily tips for improving security. Many organizations have NCSA events planned for October; information on events and resources is available at the StaySafeOnline.org website.

IntelliShield published 113 events last week: 52 new events and 61 updated events. Of the 113 events, 70 were Vulnerability Alerts, 13 were Security Activity Bulletins, two were Security Issue Alerts, two were Applied Mitigation Bulletins, 25 were Threat Outbreak Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Friday        09/16/2011    10         7      17
Thursday      09/15/2011    10         9      19
Wednesday     09/14/2011     7        17      24
Tuesday       09/13/2011    19        20      39
Monday        09/12/2011     6         8      14
Weekly Total                52        61     113

Significant Alerts for September 12–18, 2011

Microsoft SharePoint Server Contact Details Cross-Site Scripting Vulnerability
IntelliShield Vulnerability Alert 24068, Version 3, September 15, 2011
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-1891

Microsoft SharePoint Server contains a vulnerability that could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks. Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available. Microsoft has confirmed the vulnerability in security bulletin MS11-074 and released software updates. IntelliShield has updated this alert to report an increase in intrusion prevention system activity that is related to the Microsoft SharePoint Server Contact Details cross-site scripting vulnerability.

Fraudulent DigiNotar Digital Certificates Could Allow Man-in-the-Middle Attacks
IntelliShield Vulnerability Alert 24031, Version 11, September 16, 2011
Urgency/Credibility/Severity Rating: 2/5/3

A fraudulent Google.com digital certificate was issued by DigiNotar, a trusted root certificate authority (CA). Because browsers and other clients trusted the DigiNotar root, this certificate could allow an unauthenticated, remote attacker to access sensitive user data via a man-in-the-middle attack. Multiple vendors have released security advisories and updates that remove trust in the DigiNotar roots. IntelliShield has included information relating to affected Cisco products.

Apache HTTP Server Overlapping Ranges Denial of Service Vulnerability
IntelliShield Vulnerability Alert 24004, Version 11, September 16, 2011
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-3192

Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. Proof-of-concept code that exploits this vulnerability is publicly available. Apache has confirmed this vulnerability, and updated software is available. Oracle and multiple additional vendors have released security advisories.

Previous Alerts That Still Represent Significant Risk

Microsoft Internet Explorer toStaticHTML Information Disclosure Vulnerability
IntelliShield Vulnerability Alert 23357, Version 3, September 13, 2011
Urgency/Credibility/Severity Rating: 3/5/2
CVE-2011-1252

Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to access sensitive information on a targeted system. Proof-of-concept exploit code is publicly available. This code could allow an attacker to convert existing functional cross-site scripting exploits into formats that bypass protections by exploiting this vulnerability. Updates are available. Microsoft has released an additional security bulletin and software updates to address the toStaticHTML information disclosure vulnerability in Microsoft SharePoint Services.

HTTPKiller: Apache HTTP Server Denial of Service Tool
IntelliShield Vulnerability Alert 23983, Version 3, August 26, 2011
Urgency/Credibility/Severity Rating: 3/5/3

A publicly available exploit tool that exploits a vulnerability in Apache HTTP Server could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected system. Apache has reported that active use of this tool has been observed. The vulnerability exploited by the tool is documented in IntelliShield alert 24004.
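The two Apache entries above (alerts 24004 and 23983) describe the same weakness: a single request carrying a large number of overlapping byte ranges forces httpd to allocate and process every range. The following Python is an added example, not code from this report or from the Apache project. It shows the screening check a reverse proxy or WAF in front of an unpatched server can apply: parse the Range header, ignore it entirely when it is syntactically invalid (which RFC 2616 requires and which already neutralizes a payload built from ranges such as "5-0"), and refuse requests that carry more than a handful of ranges or ranges that overlap. The five-range limit and the sample header values are assumptions constructed for the example; the limit mirrors the interim mod_rewrite workaround that Apache circulated, while the permanent server-side fix is to merge overlapping ranges rather than honour each one.

```python
"""Screen HTTP Range headers for the pattern behind the Apache overlapping
ranges DoS (CVE-2011-3192). Added example; not Apache project code."""
import re
from typing import List, Optional, Tuple

ByteRange = Tuple[Optional[int], Optional[int]]  # (first, last); None = open end

# Assumed threshold, modelled on the interim mod_rewrite workaround (>5 ranges -> reject).
MAX_RANGES = 5

_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def parse_byte_ranges(header_value: str) -> Optional[List[ByteRange]]:
    """Parse 'bytes=a-b,c-,-d' into (first, last) pairs.

    Returns None when the value is not a valid byte-range set. RFC 2616 says a
    set containing any invalid spec (e.g. last < first) MUST be ignored whole.
    """
    value = header_value.strip()
    if not value.lower().startswith("bytes="):
        return None
    specs: List[ByteRange] = []
    for part in value[len("bytes="):].split(","):
        m = _SPEC.match(part)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        if first is not None and last is not None and last < first:
            return None
        specs.append((first, last))
    return specs


def resolve(specs: List[ByteRange], content_length: int) -> List[Tuple[int, int]]:
    """Turn each spec into a concrete closed interval for a body of content_length bytes."""
    out = []
    for first, last in specs:
        if first is None:  # suffix range: the last N bytes
            start, end = max(0, content_length - last), content_length - 1
        else:
            start = first
            end = content_length - 1 if last is None else min(last, content_length - 1)
        if start <= end:  # unsatisfiable ranges contribute nothing
            out.append((start, end))
    return out


def has_overlap(intervals: List[Tuple[int, int]]) -> bool:
    """True if any two closed intervals share at least one byte."""
    ordered = sorted(intervals)
    return any(b_start <= a_end
               for (_, a_end), (b_start, _) in zip(ordered, ordered[1:]))


def screen_range_request(header_value: Optional[str], content_length: int,
                         max_ranges: int = MAX_RANGES) -> str:
    """Return 'accept', 'ignore' (serve the whole body) or 'reject' (403/416).

    Apply the same check to the legacy Request-Range header, which Apache also honoured.
    """
    if header_value is None:
        return "accept"
    specs = parse_byte_ranges(header_value)
    if specs is None:
        return "ignore"  # invalid set: RFC says ignore the header, serve full body
    if len(specs) > max_ranges:
        return "reject"
    if has_overlap(resolve(specs, content_length)):
        return "reject"
    return "accept"


# Constructed sample header values (not captured traffic).
SAMPLES = {
    "resume download": "bytes=1024-",
    "two-part fetch": "bytes=0-99,200-299",
    "invalid spec (ignored per RFC)": "bytes=0-,5-0,5-1,5-2",
    "valid but overlapping flood": "bytes=" + ",".join(f"{n}-" for n in range(1300)),
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:32} -> {screen_range_request(value, 10_000)}")
```

The "ignore" outcome is deliberate: an unparseable Range must not be turned into a rejection, because many legitimate clients send odd values, and serving the full body is the safe default. The "reject" outcome is what a front-end should return while the origin is still unpatched; once the origin runs 2.2.21, overlapping ranges are merged server-side and the proxy rule can be relaxed to the count limit alone.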

CA ARCserve D2D Security Bypass Vulnerability
IntelliShield Vulnerability Alert 23735, Version 4, August 11, 2011
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2011-3011

CA ARCserve D2D contains a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and gain unauthorized access to a system. Functional code that demonstrates an exploit of this vulnerability is available as part of the Metasploit Framework. CA has confirmed this vulnerability and updates are available.

FreeType PostScript Type 1 Font Parsing callothersubr Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 23602, Version 4, August 11, 2011
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2011-0226

FreeType versions prior to 2.4.5 contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional exploit code for this vulnerability is used publicly in conjunction with other vulnerabilities to provide web-based “jailbreak” capabilities for Apple iOS devices. Other sites or exploits may be able to repurpose this exploit code for malicious purposes. Apple, Red Hat and FreeBSD have released security updates.

Multiple Oracle Products Authentication Bypass Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 22963, Version 2, August 8, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-0807

Oracle Sun GlassFish Enterprise Server and Sun Java System Application Server contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that demonstrates an exploit of this vulnerability is publicly available. Oracle has confirmed the vulnerability and released updated software.

Microsoft Windows Client/Server Run-time Subsystem Console Object Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 23555, Version 3, August 5, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-1281

Microsoft Windows contains a vulnerability that could allow a local attacker to gain elevated privileges on the system. Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available. Microsoft has confirmed the vulnerability in security bulletin MS11-056 and released software updates.

Mozilla Firefox and SeaMonkey Dangling Pointer Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 23046, Version 3, August 5, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-0065

Mozilla Firefox and SeaMonkey contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on an affected system. Functional code that demonstrates an exploit of this vulnerability is publicly available. Mozilla has confirmed this vulnerability and released updated software.

Citrix XenApp and XenDesktop XML Interface Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 23777, Version 2, July 29, 2011
Urgency/Credibility/Severity Rating: 2/5/3

Citrix XenApp and XenDesktop contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Citrix has confirmed this vulnerability and released software updates. Proof-of-concept code that demonstrates an exploit of the Citrix XenApp and XenDesktop XML interface remote arbitrary code execution vulnerability is publicly available.

Apple iOS IOMobileFrameBuffer Queueing Local Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 23653, Version 1, July 18, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-0227

Apple iOS contains a vulnerability that could allow an unprivileged, local attacker to execute arbitrary code. Functional exploit code for the vulnerability is publicly available and used in conjunction with other vulnerabilities to provide web-based “jailbreak” capabilities for Apple iOS devices. Other sites or exploits may be able to repurpose the exploit code for malicious purposes. Updates are available.

Physical

The Southwestern United States Blackout and National Preparedness Month

Over five million electric customers lost power in California, Arizona, and northwestern Mexico when a 500 kilovolt transmission line was accidentally knocked offline during a maintenance procedure at a Yuma, Arizona substation on September 8, 2011. The North Gila transmission line failure caused a cascading ripple effect that left the San Diego area without power and affected the San Onofre Nuclear Power Station. Power was restored to most customers by the morning of September 9, 2011. Southern California, along with the Northeast United States (U.S.), is a critical area for power supply because the transmission lines that serve those areas have no redundancy.

IntelliShield Analysis: September is the U.S. National Preparedness Month and usually represents one of the most active months in the Atlantic hurricane season. The power outage in the southwestern U.S. also demonstrates the need for power backup for critical infrastructure. Organizations are advised to maintain active risk management, disaster recovery, and business continuity plans that quantify business risks and define steps that mitigate these risks.

Legal

The Security of Health Records: Facing Its Own Chronic “Health” Issue?

The United States (U.S.) Department of Health and Human Services recently delivered a report to the U.S. Congress detailing health care data losses over a period of fifteen months ending in 2010. All told, nearly eight million individuals were affected spanning over 250 discrete breaches, of which the single greatest incident affected almost two million people. The report categorizes the losses into four major categories: theft, intentional unauthorized access, human error, and loss of electronic media or paper records that contained protected health information.

IntelliShield Analysis: As more health care providers and organizations move to Electronic Medical Records (EMR), the checks and balances required to protect sensitive data become both wider in scope as well as more complex to implement. Beyond well-known measures used to protect any confidential data, EMRs are increasingly being accessed in clinical settings using portable devices, such as tablet PCs, which are susceptible to theft and subsequent compromise. Given regulations and the cost of notification for data loss, securing EMRs across a range of devices should be part of any “health care plan” for the responsible IT organizations. Measures must include best practices that cover both the human and electronic elements of any system. Organizations that are chartered with safeguarding confidential data should consider that, even in industries such as health care that historically have managed patient information effectively, the risk of loss increases as technology and the demand for ubiquitous access for authorized users grows.

Trust

UBS Investment Trader Arrested, Linked to Unauthorized Trades

A UBS investment trader was recently arrested by London City Police for allegedly perpetrating fraudulent trades that resulted in a US$2 billion loss for the Swiss-based bank. Currently, few details are available to describe what unauthorized trades occurred and how they were accomplished, but reports indicate that the arrested trader supervised electronic funds transfers and Delta One trading.

IntelliShield Analysis: Although it is not clear which specific actions resulted in the US$2 billion loss, it remains likely that certain security policies and procedures were either lacking, not followed, or not properly enforced. If adequate policies and subsequent controls are not in place to prevent these types of fraudulent transactions (for example, separation of functions and password management controls), it may be difficult for UBS to prosecute and punish the offender. In the network security world, the primary step an organization must take is establishing necessary policies and procedures. Next, organizations can begin to implement controls (using technology) to help monitor and enforce said policies and procedures.

Identity

There was no significant activity in this category during the time period.

Human

Mexican Executions Threaten Internet Commenters

During the time period, two people were killed, and their bodies were left hanging from a pedestrian bridge in Nuevo Laredo, Tamaulipas, Mexico. Signs left with the bodies threatened violence towards individuals who would post negatively on two Internet forums that share news about Mexico’s drug cartels and the ongoing cartel violence, Blog del Narco and Al Rojo Vivo. The warnings were signed “Z” for Zetas, a particularly ruthless and violent cartel that has previously used murder and violence to exert control over Mexico’s traditional journalists.

IntelliShield Analysis: While this incident is still being investigated, the threat clearly indicates that negative commentary is not welcomed by the cartels, either in traditional or social media outlets. These brutal killings should remind individuals who do not encounter violence daily that anonymous Internet collaboration is an invaluable force against those who deal in terror to keep their opponents silent and uninformed. Whether or not these victims were identified by or connected to any particular online postings, their murders have been used to spread fear among the populace of Nuevo Laredo and discourage discussing cartel activities online. For those operating in such dangerous locations, traditional and electronic profile management and field security techniques should be leveraged to maintain personal safety. Disassociation of high-risk activities from personally identifying information online is essential, as is maintaining vigilance and variability in routines to avoid physical violence associated with online activity.

Geopolitical

Russia is Online But Unhappy

According to the Financial Times, broadband penetration in Russia has reached one-third of the population, or 60 million people. Growing at 15 percent annually, Russia is poised to overtake Germany in a few years as Europe’s largest Internet market. Russia also has its share of domestic Internet company champions, which are competing well against Western heavyweight companies. British Prime Minister David Cameron visited Russia last week, paving the way for increased United Kingdom investment and activity at Russia’s new high-tech hub at Skolkovo outside Moscow. Despite this progress in technology investment and adoption, all may not be well in Russia. A recent poll conducted by the independent, Russia-based Levada Center indicates that 22 percent of Russia’s population would like to leave the country for good.

IntelliShield Analysis: It is unclear how much of Russia’s Internet business success–symbolized by newcomers such as search engine Yandex, web portal Mail.ru, and online retailer Ozon.ru–can be credited to government efforts to boost technology investment. Leaders in Moscow have said they recognize the need to diversify away from Russia’s dependence on energy exports and Soviet-era industries and have committed to economic modernization through ambitious new investments, such as the Skolkovo high-tech hub. Building a technology campus and creating an energetic environment for technology start-ups are two different things, however. The poll indicating that large numbers of Russians want to emigrate is particularly concerning because it focused on young-adult Russians with comparatively higher incomes. Their complaint, according to a write-up in the Economist, is high levels of corruption and a lack of investment in the sort of infrastructure that makes a place pleasant to live, such as hospitals and schools. The challenge for Russia’s economic planners, then, may be to move faster on efforts to wean vestiges of the old economy away from government support, and focus more on making the country a safe place to incubate new business ideas, as well as a good place to raise a family. These actions may convince Russia’s new generation of technology entrepreneurs, with all of their energy and creativity, to stay.

Upcoming Security Activity

ISC2 Security Congress: September 19–22, 2011
ASIS International 57th Annual Seminar and Exhibits: September 19–22, 2011
NIST National Initiative for Cybersecurity Education (NICE) Workshop: September 20–22, 2011
RSA Europe: October 11–13, 2011
Cisco Live Mexico: November 7–10, 2011

Because of the potential for increased risk on multiple vectors, organizations’ security teams should be aware of and consider making special preparations for the following dates:

United Nations (U.N.) General Assembly Palestinian Statehood Vote: September 22, 2011

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.


This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
