Cyber Risk Report

September 17–23, 2012

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity remained at elevated levels, consistent with previous periods. The majority of the activity for the period was related to the Microsoft Internet Explorer execCommand Method Use-After-Free Arbitrary Code Execution Vulnerability, reported in IntelliShield Alert 26936. After the issue was initially reported as a zero-day vulnerability related to img tag processing, Microsoft released Microsoft Security Advisory 2757760 with recommended workarounds but no software update. Microsoft later delivered the fix in the out-of-band Cumulative Security Update for Internet Explorer (MS12-063) released on September 21, 2012. The execCommand method vulnerability is being actively exploited and is included in multiple attacks that install malicious code.

The second highlight for the period was the release of Apple iOS 6, which included fixes for 197 vulnerabilities alongside a reported 200 new features. In other vulnerability activity, security advisories and updated software were released by XMLSoft and multiple additional vendors for libxml2 vulnerabilities, by Red Hat for Java vulnerabilities, by IBM for DB2, by Oracle for multiple vulnerabilities in the Mozilla software shipped with Solaris, and by Quagga for multiple vulnerabilities in the Quagga Software Routing Suite.

Multiple security reports were released during the period, including an Imperva Web Application Attack Report, the European Union Annual Threat Report, and IBM X-Force Mid-Year Threat and Risk Report.

Cisco released an updated advisory, originally released in June 2012, to add a Cisco Secure Desktop vulnerability. Also, Cisco will release the September 2012 Cisco IOS Software Security Advisory Bundled Publication on September 26, 2012. Additional information on the bundle release is available in a Cisco Security Blog post.

In upcoming security activity, the United States has designated October 2012 as National Cyber Security Awareness Month, and the European Union is running a parallel European Cyber Security Month. Additional information and resources are available at the U.S. Stay Safe Online website, the U.S. Department of Homeland Security website, and the European Network and Information Security Agency website.

IntelliShield published 156 events last week: 56 new events and 100 updated events. Of the 156 events, 101 were Vulnerability Alerts, eight were Security Activity Bulletins, eight were Security Issue Alerts, 37 were Threat Outbreak Alerts, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Friday        09/21/2012    18        29      47
Thursday      09/20/2012     5        25      30
Wednesday     09/19/2012    11        19      30
Tuesday       09/18/2012    10        17      27
Monday        09/17/2012    12        10      22
Weekly Total                56       100     156


Significant Alerts for the Time Period

Microsoft Internet Explorer execCommand Method Use-After-Free Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 26936, Version 4, September 21, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-4969
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that demonstrates an exploit of this vulnerability is publicly available. Microsoft has released security advisory 2757760 and security bulletin MS12-063 with updated software.

Oracle Java Security Manager Bypass Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 26751, Version 9, September 20, 2012
Urgency/Credibility/Severity Rating: 4/5/4
CVE-2012-4681
Oracle Java contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that exploits the vulnerability is publicly available as part of the Metasploit framework. The Blackhole toolkit is also reported to include an exploit, and multiple threats have been reported targeting this vulnerability. Oracle has confirmed the vulnerability and released software updates. Apple, FreeBSD, Red Hat, and IBM have released security advisories and updated software.

Previous Alerts That Still Represent Significant Risk

Oracle Java Multiple Unspecified Vulnerabilities Update
IntelliShield Security Activity Bulletin 26831, Version 4, September 19, 2012
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2012-0547, CVE-2012-1682, CVE-2012-3136, CVE-2012-4681
Java SE 7 Update 7 mitigates a widely reported vulnerability, CVE-2012-4681, as described in IntelliShield Alert 26751. The update also mitigates two remote code execution vulnerabilities that are due to unspecified errors in the affected software. The three vulnerabilities can be exploited only through untrusted Java Web Start applications and untrusted Java applets on client deployments of the affected software. In addition, a security-in-depth issue in the Abstract Window Toolkit (AWT) has also been addressed. Direct exploitation of the AWT security-in-depth issue is not possible; however, the issue can be used to aggravate security vulnerabilities that can be directly attacked. Oracle, Apple, Red Hat, and IBM have released security advisories and software updates.

OpenSSL ASN.1 asn1_d2i_read_bio() Heap Overflow Vulnerability
IntelliShield Vulnerability Alert 25706, Version 16, September 5, 2012
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2012-2110, CVE-2012-2131
OpenSSL contains a vulnerability that could allow an unauthenticated, remote attacker to cause a DoS condition. Proof-of-concept code that demonstrates this vulnerability is publicly available. OpenSSL, FreeBSD, Red Hat, HP, Oracle, MontaVista Software, IBM, Balabit, and VMware have released security advisories and updates.

PHP Hash Collisions Fix Regression max_input_vars Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 25100, Version 6, August 23, 2012
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2012-0830
PHP 5.3.9 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a DoS condition on the affected system. Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available. PHP has confirmed this vulnerability and released updated software. Apple, FreeBSD, Red Hat, and HP have released security advisories and updated software. HP has re-released a security bulletin and updated software to address the PHP hash collisions fix regression max_input_vars arbitrary code execution vulnerability.

PHP php5-cgi Binary Setup Remote Unsanitized Command-Line Parameter Processing Vulnerability
IntelliShield Vulnerability Alert 25816, Version 13, September 21, 2012
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2012-1823
PHP contains a vulnerability that could allow an unauthenticated, remote attacker to disclose sensitive information, cause a DoS condition, or execute arbitrary code. Functional code that exploits this vulnerability is available as part of the Metasploit framework. PHP has confirmed this vulnerability and released updated software. FreeBSD, Red Hat, HP, and Apple have released security advisories and updated software. HP has re-released a security bulletin and updated software.
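As an added example (not the report's, the PHP project's, or Metasploit's code) of how a security operations team might look for attempts against the php-cgi issue described above: the detector below parses web-server access-log lines and flags requests whose decoded query string begins with a dash, which is how options such as -s (print the script source) or -d (set an ini directive) reach a vulnerable php-cgi binary. The log lines, client addresses and paths are constructed for the illustration, and a query string that legitimately begins with a dash would also be flagged, so treat hits as leads to review rather than verdicts.

```python
"""Added example (not from the Cyber Risk Report or the PHP project): scan
web-server access logs for php-cgi argument injection (CVE-2012-1823).
The log lines below are constructed for this example."""
import re
from urllib.parse import unquote_plus

# Combined/common log format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})')

# php-cgi options an attacker can reach through the query string.
# -s prints the script source, -d sets an ini directive (e.g. allow_url_include),
# -n skips php.ini, -c points php-cgi at an alternate php.ini location.
OPTION_MEANING = {
    "-s": "source disclosure",
    "-d": "ini directive injection",
    "-n": "php.ini bypass",
    "-c": "alternate php.ini",
}


def parse_line(line):
    """Return the captured fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def php_cgi_injection(target):
    """Return a reason string if the request target carries php-cgi options.

    The CGI convention hands a query string without an unencoded '=' to the
    handler as command-line arguments; vulnerable php-cgi honoured options in
    it.  The tell-tale sign is a decoded query string that starts with a dash
    (attackers send any '=' they need as %3d so the server still treats the
    string as arguments).
    """
    if "?" not in target:
        return None
    query = unquote_plus(target.split("?", 1)[1])
    if not query.startswith("-"):
        return None
    first_option = query.split()[0][:2]   # '-d' from '-d allow_url_include=1'
    return OPTION_MEANING.get(first_option, "unrecognised php-cgi option")


def scan(lines):
    """Return (client ip, request target, reason) for each suspicious request."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = php_cgi_injection(rec["target"])
        if reason:
            hits.append((rec["ip"], rec["target"], reason))
    return hits


# Constructed sample: two injection attempts, one benign query that merely
# contains "-s" after a parameter name, and one static file request.
SAMPLE_LOG = """\
198.51.100.7 - - [21/Sep/2012:10:15:32 +0000] "GET /index.php?-s HTTP/1.1" 200 4821
198.51.100.7 - - [21/Sep/2012:10:15:40 +0000] "POST /index.php?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 312
203.0.113.9 - - [21/Sep/2012:10:16:01 +0000] "GET /index.php?page=-s HTTP/1.1" 200 2210
203.0.113.9 - - [21/Sep/2012:10:16:05 +0000] "GET /static/logo.png HTTP/1.1" 200 9015
"""

if __name__ == "__main__":
    for ip, target, reason in scan(SAMPLE_LOG.splitlines()):
        print(f"{ip}  {reason:<26} {target}")
```

Running the block prints the two requests from 198.51.100.7 and nothing for the other two lines; the third line shows why the check is on the start of the decoded query string rather than on the presence of "-s" anywhere in it.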

Adobe Flash Player Unspecified Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 26657, Version 3, August 21, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-1535
Adobe Flash Player contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Adobe has reported that limited exploitation is ongoing in the wild. Adobe has released a security bulletin and software updates. Functional code that exploits this vulnerability is available as part of the Metasploit framework.

Microsoft XML Core Services Memory Corruption Vulnerability
IntelliShield Vulnerability Alert 26148, Version 5, August 16, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-1889
Microsoft XML Core Services contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that exploits this vulnerability is available as part of the Metasploit framework. Reports indicate that exploitation has been observed in the wild. Microsoft has re-released a security bulletin and software updates.

Oracle Java SE Java Sandbox Remote Security Bypass Vulnerability
IntelliShield Vulnerability Alert 26159, Version 4, August 15, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-1723
Oracle Java SE contains a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and execute arbitrary code on a targeted system. Functional code that exploits this vulnerability is available as part of the Metasploit framework. Oracle has confirmed the vulnerability and released software updates. Apple, Red Hat, and HP have released security advisories and software updates.

Microsoft Internet Explorer colspan Element Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 26057, Version 3, August 1, 2012
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2012-1876
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that demonstrates an exploit of this vulnerability is publicly available. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

Oracle Critical Patch Update July 2012
IntelliShield Security Activity Bulletin 26420, Version 2, July 23, 2012
Urgency/Credibility/Severity Rating: 3/5/4
Multiple CVEs
Oracle has released the July 2012 Critical Patch Update. As part of the security response, Oracle has released updates to correct 90 vulnerabilities in multiple products that could allow attackers to gain unauthorized access to targeted systems, gain access to sensitive information, or cause a denial of service (DoS) condition. Proof-of-concept code that demonstrates exploits of some of the vulnerabilities addressed by the July 2012 Critical Patch Update, including one in Oracle Outside In Technology, is publicly available.

Physical

Security in Depth, the Human Component

On August 29, 2012, the Department of Energy released a special report on the security breach that took place at the U.S. National Nuclear Security Administration's Y-12 National Security Complex in Oak Ridge, TN on July 28, 2012. In the early morning hours, three members of a faction of the Plowshares Movement called Transform Now Plowshares—Sister Megan Rice, 82, a Catholic nun of the Sisters of the Holy Child Jesus; Michael Walli, 63, a member of the Dorothy Day Catholic Worker House in Washington D.C.; and Greg Boertje-Obed, 57, a member of Veterans for Peace and a former U.S. Army officer from Fort Polk, LA—breached multiple perimeter security measures and reached the area surrounding the Highly Enriched Uranium Materials Facility (HEUMF) at the Y-12 facility, whose protective force is managed by the G4S-owned subsidiary WSI Oak Ridge. The activists were able to exploit multiple procedural and technical lapses to deface the exterior of the HEUMF with blood and beat the exterior wall with a hammer before locating a member of the security detail and surrendering.

IntelliShield Analysis: The Y-12 facility has been considered one of the most secure and important nuclear facilities in the United States. The facility is protected by security-in-depth methodologies that the U.S. Department of Energy report describes as "a well-trained and extensively equipped protective force, advanced technology, and a variety of physical fortifications." The protective measures include multiple fences, sensors, cameras, and armed security personnel. Despite the extensive planning, expensive procurement, and complex implementation of these measures, the human component of the defense failed to maintain a security- and risk-aware mindset, resulting in a systemic failure of the security posture of the entire complex. Information security professionals may consider the implications and lessons learned from this event: at the end of the day, the most important component in a defense or protective system is also the hardest to maintain, the human component.

Legal

There was no significant activity in this category during the time period.

Trust

The Sexy E-mail Test

The New Taipei government of Taiwan recently conducted a test of its employees by sending e-mail messages with the subject: "Justin Lee's sex videos, download it, quick." The e-mail was actually a controlled phishing test. A reported 1 in 6 employees clicked on the link in the e-mail. Instead of showing a video, the link destination advised the employees to report to their boss and a security training course.

IntelliShield Analysis: Similar exercises have occurred across the business and education communities, usually with similar results. While these tests can demonstrate realistic threats, as reported in IntelliShield Alert 24023, and may provide an assessment of employees' security awareness, organizations should also be aware that they can have less desirable effects. Depending on the culture of the company, the location, and the employees, such tests can instead alienate staff and create hostility and distrust toward the company, management, and security teams. Some employees have viewed these tests as childish tricks that are insulting, whether or not they opened the link. Managers and security teams should apply the same careful analysis to employee tests as they do to other penetration tests, considering all the potential results and ramifications. The recommended strategy, and the one many companies follow, is to educate employees and have them actively participate in the security program. With National Cyber Security Awareness Month coming in October, organizations are advised to consider carefully how to improve employees' security awareness.

Identity

Hijacking Mobile Subscribers

According to a blog post from a software developer, millions of Virgin Mobile users are susceptible to having their accounts compromised because the provider does not require strong authentication. The telephone number serves as the username and the only secret is a six-digit numeric password, which gives just one million possible values, so an attacker using brute-force PIN-guessing software can gain access easily.

IntelliShield Analysis: Although there is no shortage of media accounts covering the loss of personally identifiable information (PII), in many cases made possible by weak authentication schemes, society continues to encounter these issues. With the increasing dependency on keeping electronic data secure, we need to exercise more diligence, both personally and at a corporate level, in developing and maintaining stronger authentication methods to ensure the necessary protection of confidential and proprietary data. These methods include, but are not limited to, longer and more complex passwords (containing alphanumeric and special characters) and two-factor authentication (something someone knows combined with something someone possesses). Against the brute-force guessing described above, throttling or locking out repeated failed attempts per account is also an essential server-side control. A Cisco Security Blog post on this topic is scheduled to be published on September 25, 2012.
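The following is an added example, not code from the report or from any carrier's system, written to show what the analysis above recommends in practice: the keyspace arithmetic behind a six-digit PIN versus a longer mixed-character password, a hypothetical verifier that locks an account after repeated failures (so a brute-force loop stalls after a handful of guesses), and a TOTP second factor (RFC 6238) that a guessed PIN alone cannot satisfy. The account store, phone number, PIN, lockout parameters, PBKDF2 work factor, and guess rate are assumptions made for the illustration.

```python
"""Added example (not from the Cyber Risk Report or any carrier): keyspace
arithmetic for a six-digit PIN, a hypothetical verifier with per-account
lockout, and a TOTP second factor. Names, numbers and limits are assumed."""
import hashlib
import hmac
import math
import secrets
import struct
import time


# ---- keyspace arithmetic --------------------------------------------------

def keyspace(alphabet_size, length):
    """Number of possible secrets of `length` symbols from an alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Bits of entropy of a uniformly chosen secret (6 digits is about 19.9)."""
    return length * math.log2(alphabet_size)


def hours_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case time to try every value at a given online guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / 3600


# ---- HOTP/TOTP second factor (RFC 4226 / RFC 6238, HMAC-SHA1, 6 digits) ----

def hotp(secret, counter, digits=6):
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, now, step=30):
    return hotp(secret, int(now // step))


# ---- hypothetical verifier: the phone number is the username -------------

class PinVerifier:
    OK, BAD, LOCKED = "ok", "bad", "locked"
    ITERATIONS = 100_000  # PBKDF2 work factor; assumed value

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.time):
        self.max_failures = max_failures      # None disables lockout
        self.lockout_seconds = lockout_seconds
        self.clock = clock                    # injectable so the demo can advance time
        self._accounts = {}                   # phone -> (salt, pin hash, otp secret)
        self._failures = {}                   # phone -> (failure count, locked_until)

    def _hash(self, pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, self.ITERATIONS)

    def enroll(self, phone, pin, otp_secret=None):
        salt = secrets.token_bytes(16)
        self._accounts[phone] = (salt, self._hash(pin, salt), otp_secret)
        self._failures[phone] = (0, 0.0)

    def login(self, phone, pin, otp_code=None):
        """Return OK, BAD or LOCKED; never reveal which factor was wrong."""
        if phone not in self._accounts:
            return self.BAD
        now = self.clock()
        count, locked_until = self._failures[phone]
        if now < locked_until:
            return self.LOCKED
        salt, digest, otp_secret = self._accounts[phone]
        pin_ok = hmac.compare_digest(self._hash(pin, salt), digest)
        otp_ok = otp_secret is None or (
            otp_code is not None and hmac.compare_digest(otp_code, totp(otp_secret, now)))
        if pin_ok and otp_ok:
            self._failures[phone] = (0, 0.0)
            return self.OK
        count += 1
        if self.max_failures is not None and count >= self.max_failures:
            self._failures[phone] = (0, now + self.lockout_seconds)   # lock, reset count
        else:
            self._failures[phone] = (count, 0.0)
        return self.BAD


def brute_force(verifier, phone, limit=1_000_000):
    """Attacker's loop: try PINs in order. Returns (outcome, guesses evaluated)."""
    for guess in range(limit):
        result = verifier.login(phone, f"{guess:06d}")
        if result == verifier.OK:
            return result, guess + 1
        if result == verifier.LOCKED:
            return result, guess
    return verifier.BAD, limit


if __name__ == "__main__":
    print(f"6-digit PIN: {keyspace(10, 6):,} values, {entropy_bits(10, 6):.1f} bits")
    print(f"10-char mixed password: {entropy_bits(72, 10):.1f} bits")
    print(f"hours to exhaust a PIN at 100 guesses/s: {hours_to_exhaust(10, 6, 100):.1f}")
    now = [1_700_000_000.0]                   # controllable clock for the demo
    phone, pin = "5551234567", "000007"       # assumed; small PIN keeps the loop short
    no_lockout = PinVerifier(max_failures=None, clock=lambda: now[0])
    no_lockout.enroll(phone, pin)
    print("without lockout:", brute_force(no_lockout, phone))   # ('ok', 8)
    with_lockout = PinVerifier(max_failures=5, clock=lambda: now[0])
    with_lockout.enroll(phone, pin)
    print("with lockout:", brute_force(with_lockout, phone))    # ('locked', 5)
    otp_secret = secrets.token_bytes(20)
    two_factor = PinVerifier(clock=lambda: now[0])
    two_factor.enroll(phone, pin, otp_secret)
    print("PIN only:", two_factor.login(phone, pin))             # bad
    print("PIN + TOTP:", two_factor.login(phone, pin, totp(otp_secret, now[0])))  # ok
```

The arithmetic is the point of the first three lines of output: at a modest 100 online guesses per second, a six-digit PIN is exhausted in under three hours, while lockout limits an attacker to five guesses per lockout window per account, and the second factor means even the correct PIN is not enough on its own.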

Human

Invitation to a Riot

A young girl in a small Dutch town intended to use Facebook to invite her friends to a sixteenth birthday party. But she inadvertently posted the invitation to "public," causing it to be spread to thousands of people, and further spread when a Twitter account was created for the event. Fortunately, the girl, family, and police realized the mistake and had time to prepare for the thousands that arrived in the small town for the party. Police made 20 arrests and 6 people were reported injured. The town was vandalized, shops looted, and cars set on fire before 600 police in riot gear could break up the crowd.

IntelliShield Analysis: This was a relatively simple mistake that anyone could make, and once the invitation went viral across Facebook and Twitter there was no stopping it. This is not the first time this type of event has spun out of control through social media: similar events have occurred in Germany and Australia, and the dynamics resemble the public panics created in India, Mexico, and Syria when social media and SMS messages became widely distributed. The same could happen to any business, university, or household that posts an event on Facebook or Twitter if, for whatever reason, thousands seize upon it to create havoc. Fortunately, the girl who posted the initial invitation was monitoring the activity and realized what was occurring. All organizations and individuals that use social media for events, announcements, or marketing should recognize this risk and closely monitor their accounts and postings.

Geopolitical

Explosions Crippling Iran Nuclear Facilities Highlight Advantages of Cyber Tactics

According to the head of Iran's Atomic Energy Organization, a detonation of explosives cut electricity to its underground enrichment facility at Fordow last month. The Iranian official accused the International Atomic Energy Agency (IAEA) of sabotage, noting that a similar explosion had also affected the Natanz uranium enrichment facility. The explosions follow the Stuxnet, Flame, and Gauss malware attacks and the assassinations of Iranian nuclear scientists over the past several years, incidents that have repeatedly set back Iran's nuclear program. The report of the explosions comes at a time when differences between Israel's Prime Minister Netanyahu and U.S. President Obama have never been more stark, and with recent statements by Netanyahu appearing to raise the likelihood of a preemptive strike by Israel against Iranian nuclear facilities.

IntelliShield Analysis: The string of incidents crippling Iran's nuclear program appears to be part of an effort—undertaken by Israel and the United States, most analysts agree—to set back Tehran's suspected attempts to attain a nuclear bomb through covert action and sabotage. Strategists in Israel and Washington, D.C. may have assessed the difficulty of conducting a conventional military attack against Iran's facilities, some of which are buried deep underground, and concluded that sabotage and cyber attacks are preferable. Fewer lives are lost, attribution is difficult, and international reaction is muted. Iran's nuclear program is not permanently destroyed, but time can be bought for sanctions and diplomacy to work. For information security specialists, from a tactical perspective, the risk of collateral damage—as was reported in the wake of the Stuxnet and Gauss malware attacks—is worth considering. From a broader strategic perspective, regardless of whether Israel and the United States have in fact made the decision to pursue cyber attacks in lieu of traditional military action, the reality of cyber war appears increasingly to be a fait accompli.

Miscellaneous

FS-ISAC and FBI Issue Warning to Banks

The U.S. Federal Bureau of Investigation (FBI), Financial Services Information Sharing and Analysis Center (FS-ISAC), and the Internet Crime Complaint Center (IC3) issued a joint warning to banks and financial institutions, and the FS-ISAC raised the threat level from "elevated" to "high" over recent distributed denial of service (DDoS) attacks, zero-day exploits, and criminal activity targeting bank employees. The DDoS attacks have impacted traffic at Bank of America and JPMorgan Chase websites, while recent FBI investigations have identified fraud schemes to compromise employee credentials that could be used in fraudulent fund transfers and the compromise of sensitive information.

IntelliShield Analysis: U.S. financial institutions have been under increasing levels of attack for several years, which raises the question of why the alert level was raised at this particular point, although the higher level is likely warranted. The recent DDoS attacks, fraud and phishing attempts, and zero-day exploits have created an increased level of risk for many businesses. As with the ongoing debate over the physical protests against United States locations across the Middle East and North Africa, there is a question whether these attacks are a response to the anti-Islam video posting or part of a larger state-sponsored campaign that is being attributed to Iran, which Iran has denied. Regardless of the outcome of the intelligence and criminal investigations, these attacks are testing the security measures of the financial institutions and their employees. Fortunately, these institutions and employees have long demonstrated a high level of information security and awareness. To date, the attacks have had little impact on the banks and financial institutions, which may prompt the attackers to turn their attention to other businesses. All businesses are advised to be aware of the increased level of activity and be prepared to respond.

Upcoming Security Activity

Cloud Security Alliance EMEA Congress: September 25–26, 2012
DerbyCon 2012: September 27–30, 2012
Oracle OpenWorld: September 30–October 4, 2012
Information Systems Security Association International Conference: October 25–26, 2012
Information Security Forum 23rd Annual World Congress: November 4–6, 2012
Cisco Live Cancun: November 6–8, 2012
Cloud Security Alliance Congress 2012: November 7–8, 2012
Cisco Live London: January 28–February 1, 2013

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:

U.S. Presidential Debates:
October 3, 2012: University of Denver in Denver, Colorado
October 11, 2012: Centre College in Danville, Kentucky
October 16, 2012: Hofstra University in Hempstead, New York
October 22, 2012: Lynn University in Boca Raton, Florida

U.S. Presidential Election: November 6, 2012
Asia Pacific Economic Cooperation Summit: November 7–13, 2012

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
