Cyber Risk Report

September 5–11, 2011

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity for the period remained low compared to previous periods. The highlights for the period include continued activity relating to compromised certificate authority (CA) web certificates, Cisco security advisories for Cisco Nexus 3000, 5000 and 7000 series switches, and security advisories from Red Hat (Java IBM-SAP and the Linux Xen Hypervisor), XenSource (Xen Hypervisor), Novell (Cloud Manager), OpenSSL, Apple (QuickTime), and Siemens (SIMATIC WinCC).

Cisco released a security advisory to address an access control list bypass vulnerability in Cisco Nexus 3000 and 5000 series switches, as reported in IntelliShield alert 24047, and to address a CDP packet processing denial of service vulnerability in Cisco Nexus 7000 series switches, reported in IntelliShield alert 24099.

Certificate authorities and browser vendors continue to investigate the compromise of web certificates with DigiNotar and possibly additional CAs. Multiple browser vendors continue to release updates removing or revoking the compromised web certificates, most recently Microsoft, Mozilla, Apple and Adobe. The latest information is available in IntelliShield alert 24031.

Microsoft and Adobe released advance notifications for the September monthly security advisory releases occurring Tuesday, September 13, 2011. Microsoft announced that it will release five bulletins addressing 15 vulnerabilities, and inadvertently exposed those bulletins on its security advisory web page for a brief period before removing them. All five bulletins for this month are rated as Important. Adobe announced that it will release security advisories for multiple Reader and Acrobat versions.

Wireshark released an updated 1.6.2 version, correcting multiple vulnerabilities. Wireshark is widely used by network administrators and often run with elevated privileges. Users are advised to update to the latest version.

Network World has published an article on Cisco's Security Intelligence Operations. The article outlines the multiple security teams and coordinated efforts of the teams across Cisco that provide the latest vulnerability and threat information, update Cisco security products with the latest threat protection, and provide context for the current state of vulnerability and threat activity. The article provides a good overview of the Cisco Security Intelligence Operations, which also produces these weekly Cyber Risk Reports.

Damballa and Symantec released security reports highlighting the latest criminal activity, botnets, and toolkits, along with metrics on that activity.

In preparation for the October National Cyber Security Awareness month, organizations are encouraged to develop plans to raise users' awareness of current threats and best practices. Cisco will be posting a series of security blog articles throughout the month to provide users with the latest information. Several other organizations will be holding similar events and activities throughout the month that businesses can incorporate to increase their users' security awareness. Additional information on these planned activities can be found on the National Cyber Security Alliance StaySafeOnline.org website.

And as a reminder, Cisco will release the bi-annual IOS Security Update on September 28, 2011.

IntelliShield published 72 events last week: 36 new events and 36 updated events. Of the 72 events, 35 were Vulnerability Alerts, five were Security Activity Bulletins, three were Security Issue Alerts, 28 were Threat Outbreak Alerts, and one was a Cyber Risk Report. There were no alerts published on September 5th, 2011 due to the U.S. holiday. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New  Updated  Total
Friday        09/09/2011     7        6     13
Thursday      09/08/2011     4        8     12
Wednesday     09/07/2011    14       14     28
Tuesday       09/06/2011    11        8     19
Monday        09/05/2011     0        0      0
Weekly Total                36       36     72


Significant Alerts for September 5–11, 2011

Fraudulent Google Digital Certificates Could Allow Man-in-the-Middle Attacks
IntelliShield Vulnerability Alert 24031, Version 7, September 9, 2011
Urgency/Credibility/Severity Rating: 2/5/3

A fraudulent Google.com digital certificate was issued by a certificate authority. This certificate could allow an unauthenticated, remote attacker to access sensitive user data via a man-in-the-middle attack. This SSL certificate was issued by a trusted root certificate authority (CA). Multiple vendors have released security advisories and updates.

Apache HTTP Server Overlapping Ranges Denial of Service Vulnerability
IntelliShield Vulnerability Alert 24004, Version 8, September 9, 2011
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-3192

Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. Proof-of-concept code that exploits this vulnerability is publicly available. Apache has confirmed this vulnerability and updated software is available. Cisco and multiple additional vendors have released security advisories.

Previous Alerts That Still Represent Significant Risk

HTTPKiller: Apache HTTP Server Denial of Service Tool
IntelliShield Vulnerability Alert 23983, Version 3, August 26, 2011
Urgency/Credibility/Severity Rating: 3/5/3

A publicly available exploit tool that exploits a vulnerability in Apache HTTP Server could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected system. Apache has reported that active use of this tool has been observed. The vulnerability exploited by the tool is documented in IntelliShield alert 24004.
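The two Apache entries above (alerts 24004 and 23983) both concern requests carrying an abusive Range header. As an added example, not code from this report or from the Apache project, the following Python flags Range header values that are malformed, overlapping, or exceed a small cap on the number of byte ranges, which is the kind of check a reverse proxy or log-analysis job can apply while patches are rolled out. The cap of five ranges and the sample requests are constructed assumptions.

```python
"""Flag HTTP Range headers that request many, overlapping, or malformed byte ranges.

Added example for the Apache overlapping-ranges DoS entries; it is not code
from the report or from the Apache project. The cap of five ranges per request
and the sample requests below are assumptions constructed for illustration.
"""
import re
from typing import List, Optional, Tuple

MAX_RANGES = 5  # assumed cap; ordinary clients rarely send more than a few ranges
_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")

ByteRange = Tuple[Optional[int], Optional[int]]  # (start, end); None = open side


def parse_ranges(header: str) -> Optional[List[ByteRange]]:
    """Parse 'bytes=a-b,c-,-d' into (start, end) pairs.

    start is None for a suffix range (-d) and end is None for an open range (c-).
    Returns None when the value is not a syntactically valid byte-range set.
    """
    value = header.strip()
    if not value.lower().startswith("bytes="):
        return None
    ranges: List[ByteRange] = []
    for spec in value[len("bytes="):].split(","):
        spec = spec.strip()
        m = _RANGE_SPEC.match(spec)
        if not m or spec == "-":
            return None
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        if start is not None and end is not None and end < start:
            return None  # last-byte-pos before first-byte-pos is not a valid spec
        ranges.append((start, end))
    return ranges


def overlapping(ranges: List[ByteRange]) -> bool:
    """True if any two ranges with an explicit start intersect."""
    fixed = sorted((r for r in ranges if r[0] is not None), key=lambda r: r[0])
    for (_, e1), (s2, _) in zip(fixed, fixed[1:]):
        if e1 is None or s2 <= e1:  # an open range swallows everything after it
            return True
    return False


def analyze_range(header: str) -> Tuple[bool, str]:
    """Return (suspicious, reason) for one Range header value."""
    ranges = parse_ranges(header)
    if ranges is None:
        return True, "malformed Range header"
    if len(ranges) > MAX_RANGES:
        return True, f"{len(ranges)} ranges exceeds cap of {MAX_RANGES}"
    if overlapping(ranges):
        return True, "overlapping byte ranges"
    return False, "ok"


# Constructed sample of (client, Range header) pairs, as a proxy or IDS might record them.
SAMPLE_REQUESTS = [
    ("192.0.2.10", "bytes=0-499"),
    ("192.0.2.11", "bytes=500-999,1500-1999"),
    ("192.0.2.12", "bytes=0-,1-2,2-3,3-4,4-5,5-6,6-7"),
    ("192.0.2.13", "bytes=10-5"),
    ("192.0.2.14", "bytes=0-100,50-150"),
]


def flag_requests(requests) -> List[Tuple[str, str]]:
    """Return (client, reason) for every request whose Range header looks abusive."""
    flagged = []
    for client, header in requests:
        suspicious, reason = analyze_range(header)
        if suspicious:
            flagged.append((client, reason))
    return flagged


if __name__ == "__main__":
    for client, reason in flag_requests(SAMPLE_REQUESTS):
        print(f"{client}: {reason}")
```

Suffix ranges (`-500`) have no explicit start and are counted but not checked for overlap; a stricter deployment could count any repeated suffix range as overlapping as well.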

CA ARCserve D2D Security Bypass Vulnerability
IntelliShield Vulnerability Alert 23735, Version 4, August 11, 2011
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2011-3011

CA ARCserve D2D contains a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and gain unauthorized access to a system. Functional code that demonstrates an exploit of this vulnerability is available as part of the Metasploit Framework. CA has confirmed this vulnerability and updates are available.

FreeType PostScript Type 1 Font Parsing callothersubr Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 23602, Version 4, August 11, 2011
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2011-0226

FreeType versions prior to 2.4.5 contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional exploit code for this vulnerability is used publicly in conjunction with other vulnerabilities to provide web-based "jailbreak" capabilities for Apple iOS devices. Other sites or exploits may be able to repurpose this exploit code for malicious purposes. Apple, Red Hat and FreeBSD have released security updates.

Multiple Oracle Products Authentication Bypass Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 22963, Version 2, August 8, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-0807

Oracle Sun GlassFish Enterprise Server and Sun Java System Application Server contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that demonstrates an exploit of this vulnerability is publicly available. Oracle has confirmed the vulnerability and released updated software.

Microsoft Windows Client/Server Run-time Subsystem Console Object Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 23555, Version 3, August 5, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-1281

Microsoft Windows contains a vulnerability that could allow a local attacker to gain elevated privileges on the system. Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available. Microsoft has confirmed the vulnerability in security bulletin MS11-056 and released software updates.

Mozilla Firefox and SeaMonkey Dangling Pointer Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 23046, Version 3, August 5, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-0065

Mozilla Firefox and SeaMonkey contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on an affected system. Functional code that demonstrates an exploit of this vulnerability is publicly available. Mozilla has confirmed this vulnerability and released updated software.

Citrix XenApp and XenDesktop XML Interface Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 23777, Version 2, July 29, 2011
Urgency/Credibility/Severity Rating: 2/5/3

Citrix XenApp and XenDesktop contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Citrix has confirmed this vulnerability and released software updates. Proof-of-concept code that demonstrates an exploit of the Citrix XenApp and XenDesktop XML interface remote arbitrary code execution vulnerability is publicly available.

Microsoft Internet Explorer toStaticHTML Information Disclosure Vulnerability
IntelliShield Vulnerability Alert 23357, Version 2, July 22, 2011
Urgency/Credibility/Severity Rating: 3/5/2
CVE-2011-1252

Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to access sensitive information on a targeted system. Proof-of-concept exploit code is publicly available. This code could allow an attacker to convert existing functional cross-site scripting exploits into formats that bypass protections by exploiting this vulnerability. Updates are available.

Apple iOS IOMobileFrameBuffer Queueing Local Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 23653, Version 1, July 18, 2011
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-0227

Apple iOS contains a vulnerability that could allow an unprivileged, local attacker to execute arbitrary code. Functional exploit code for the vulnerability is publicly available and used in conjunction with other vulnerabilities to provide web-based "jailbreak" capabilities for Apple iOS devices. Other sites or exploits may be able to repurpose the exploit code for malicious purposes. Updates are available.

Physical

There was no significant activity in this category during the time period.

Legal

Insider Cases Result in Arrests and Prison: MIT Engineer Espionage

Stewart Nozette, an MIT PhD graduate and space scientist, pleaded guilty to attempted espionage after FBI agents running an undercover operation found that he had provided classified materials on three occasions. Nozette attempted to sell classified satellite information, including information directly concerning satellites, early warning systems, and communications intelligence, to a person he believed to be an Israeli intelligence officer. Because the contact was part of the FBI operation, the information was in fact passed to FBI agents, and as stated by the United States (U.S.) Department of Justice, "the indictment does not allege that the government of Israel or anyone acting on its behalf committed any offense under U.S. laws in this case."

IntelliShield Analysis: The need for separation of duties continues to surface. Cases such as this raise the question: how does this happen? How does one individual have the means to carry out such a crime, seemingly without question or scrutiny? The fact is that threats and exploitation at the social level continue to succeed at an increasing rate. With the pace at which society and information move, gaps will continue to appear. Organizations must establish policies and guidelines, and enforce them, so that separation of duties creates intrinsic checks on any one individual's power. More troubling are the roles that the engineer held with regard to classified information and protected assets. Beyond the constructs, policies, and politics, individuals must be held accountable for their actions. It seems that in today's society, ethics, morals and values are overlooked or replaced with constructs, policies and regulations. At the end of the day, these do not solve the problem, nor do they substitute for an individual's ethics, morals and values.

Insider Cases Result in Arrests and Prison: Ex-Citigroup VP Embezzlement

Gary Foster, a former Citigroup Vice President who embezzled approximately 19–22 million U.S. dollars during his ten years with the company, faces a prison sentence of eight to ten years. While Foster worked for Citigroup for approximately ten years, the embezzlement occurred between 2003 and 2010. Moreover, Foster was arrested on a charge of embezzling 19 million U.S. dollars, but in court admitted to taking over 22 million. The fraud worked as follows: Foster transferred funds from various Citigroup accounts into a Citigroup cash account, and then wired the money to his personal bank account. He was able to perform these operations unimpeded by making falsified accounting entries to balance Citigroup's cash accounts. In seeking to resolve the case as expeditiously as possible, Foster agreed to forfeit his assets, which include real estate and luxury cars.

IntelliShield Analysis: Once again the warning signs are evident in this case. The report shows that there were many signs or red flags that should have been noticed and investigated, but unfortunately were not. The striking part is the ratio of fraudulent activity to tenure: fraud occurred during seven of his ten years with the company, which amounts to a great deal of activity. Checks and balances, separation of duties, and policy enforcement points must be part of an organization's risk management and architecture plans. The sources do not say whether Foster circumvented policies and enforcement points that may have been in place, by authorizing transfers and making system changes to permit the outcomes; the only conclusion we can reach is that whatever controls were in place were ultimately not successful.

Trust

Certificate Authorities Broken Trust

The discovery of a breach at a certificate authority has brought the current trust model using digital certificates into the headlines again. The incident at DigiNotar in The Netherlands took place earlier this year and was discovered on July 19th. Over 500 fraudulent certificates were issued. At least one of the issued certificates has been used in attacks against web users, including a man-in-the-middle attack against Google users. This breach has resulted in DigiNotar ceasing its activities as a certificate authority and browser manufacturers revoking DigiNotar's certificates.

IntelliShield Analysis: The integrity of the digital certificate system depends on every CA remaining secure. So far breaches have been discovered at two different certificate authorities. With over 500 CAs currently operating, these two breaches may not be isolated events. Users should check their computers' and phones' certificate stores and remove any root certificates issued by DigiNotar. Enterprises considering the use of certificates for public key infrastructure should thoroughly vet potential certificate authorities before becoming a customer. At the very least, the prospective CA should be performing manual verification of all of its customers' identities. Mozilla may be on the right track to correcting this problem by demanding that all CAs included in the Mozilla browser's trusted root store validate that their certificates are secure.
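The advice above to check certificate stores for DigiNotar roots is easy to follow with a browser's certificate manager, but on servers and fleets it is often done with a script. As an added example, not code from this report or from any browser vendor, the following Python walks the X.509 DER structure with the standard library only and reports every certificate whose issuer or subject names a given CA. The sample store it scans is constructed here from certificate skeletons (issuer, subject and placeholder fields) for illustration; they are not real DigiNotar certificates.

```python
"""Locate certificates in a store whose issuer or subject names a distrusted CA.

Added example for the DigiNotar advice in the Trust section; not code from the
report or from any browser vendor. The sample certificates are constructed
skeletons built here for illustration, not real DigiNotar certificates.
"""
import ssl
from typing import List, Tuple

# ASN.1 string tags that can appear inside a Name, with their encodings.
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii", 0x1E: "utf-16-be"}


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (used only to construct the sample certificates)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def read_tlv(buf: bytes, pos: int):
    """Decode one TLV at pos; returns (tag, content, position after it)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:  # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def children(content: bytes):
    """Split the content of a constructed element into its (tag, value) parts."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        out.append((tag, value))
    return out


def collect_strings(content: bytes) -> List[str]:
    """Gather every string (CN, O, ...) inside a Name, descending into SET/SEQUENCE."""
    out = []
    for tag, value in children(content):
        if tag in STRING_TAGS:
            out.append(value.decode(STRING_TAGS[tag]))
        elif tag & 0x20:  # constructed element: descend
            out.extend(collect_strings(value))
    return out


def pem_names(pem: str) -> Tuple[List[str], List[str]]:
    """Return (issuer strings, subject strings) of a PEM certificate."""
    _, cert, _ = read_tlv(ssl.PEM_cert_to_DER_cert(pem), 0)  # Certificate SEQUENCE
    fields = children(children(cert)[0][1])                   # TBSCertificate fields
    if fields[0][0] == 0xA0:                                  # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return collect_strings(fields[2][1]), collect_strings(fields[4][1])


def find_certs_from_ca(store: List[Tuple[str, str]], keyword: str = "DigiNotar") -> List[str]:
    """Return labels of PEM certificates whose issuer or subject mentions keyword."""
    hits = []
    for label, pem in store:
        issuer, subject = pem_names(pem)
        if keyword.lower() in " ".join(issuer + subject).lower():
            hits.append(label)
    return hits


# --- constructed sample store (skeleton certificates, no real keys or signatures) ---
OIDS = {"O": b"\x55\x04\x0a", "CN": b"\x55\x04\x03"}  # id-at-organizationName, id-at-commonName


def name(**rdns: str) -> bytes:
    """Build a Name: SEQUENCE OF SET OF SEQUENCE { OID, UTF8String }."""
    parts = [der(0x31, der(0x30, der(0x06, OIDS[k]) + der(0x0C, v.encode()))) for k, v in rdns.items()]
    return der(0x30, b"".join(parts))


def sample_cert_pem(issuer_cn: str, subject_cn: str) -> str:
    """Constructed certificate skeleton containing only the fields pem_names() reads."""
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + name(O="Constructed Example", CN=issuer_cn) + der(0x30, b"")
              + name(CN=subject_cn) + der(0x30, b""))
    return ssl.DER_cert_to_PEM_cert(der(0x30, tbs + alg + der(0x03, b"\x00")))


SAMPLE_STORE = [
    ("example-root.pem", sample_cert_pem("Example Trusted Root", "Example Trusted Root")),
    ("diginotar-root.pem", sample_cert_pem("DigiNotar Root CA (constructed)", "DigiNotar Root CA (constructed)")),
    ("diginotar-leaf.pem", sample_cert_pem("DigiNotar Public CA (constructed)", "www.example.net")),
]

if __name__ == "__main__":
    for label in find_certs_from_ca(SAMPLE_STORE):
        print("distrusted CA present:", label)
```

On a real system the store list would be built by reading each PEM file from the platform's trust directory; matching on both issuer and subject catches the DigiNotar root itself as well as any intermediate or end-entity certificate it issued that is still cached locally.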

Identity

There was no significant activity in this category during the time period.

Human

There was no significant activity in this category during the time period.

Geopolitical

East Africa's Crisis and the Potential of Information and Communications Technology

The worst drought in a generation is affecting some ten million people in East Africa, according to the United Nations. Particularly hard hit are Somalia and Kenya, East Africa's financial center. In the last two months alone, some 70,000 Somali refugees crossed the border into Kenya, according to UN data, adding new strains on Kenya's stretched farms, economy, and water resources. Frustration over government failure to redistribute food and water from less affected regions is intensifying as Kenya approaches presidential elections in 2012. Some fear a replay of the violence that followed Kenya's 2007 elections. In response to the crisis, online communities are working to assist where the government is seen to have fallen short. Microblogs are being used to solicit individual contributions; according to the International Business Times, hashtags include #HornOfAfrica, #Famine, #Drought, #Somalia, #Kenya and #Ethiopia. Grassroots groups such as Kenyans For Kenya, started by the Kenyan Red Cross but supported by individuals and companies such as mobile service provider Safaricom, are using social networks to collect donations for food and water relief.

IntelliShield Analysis: In dire situations such as the drought and famine in East Africa, the ability of information and communications technology (ICT) to cheaply connect people and mobilize support is clearly demonstrated. In fast-growing East African economies like Ethiopia and Kenya, in particular, technology-powered community initiatives such as these social media campaigns may fuel a sense of empowerment among the growing middle class. Looking forward, as East Africa recovers from this crisis, crucial upgrades such as the SEACOM submarine fiber optic cable system, and price wars between market leader Safaricom and Airtel Kenya, will continue to fuel surging ICT growth. While future inward investment will depend in some part on sustainable land and water management and agricultural policies, as well as government reforms focused on accountability and transparency, those in the region whose first experience of the power of ICT came during this crisis may remember its positive impact and carry that potential forward.

Upcoming Security Activity

ISC2 Security Congress: September 19–22, 2011
NIST National Initiative for Cybersecurity Education (NICE) Workshop: September 20–22, 2011
ASIS International 57th Annual Seminar and Exhibits: September 19–22, 2011
RSA Europe: October 11–13, 2011
Cisco Live Mexico: November 7–10, 2011

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following date:

U.N. General Assembly Palestinian Statehood Vote: September 22, 2011

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.