Cyber Risk Report

September 28–October 4, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity this period was highlighted by increased port scanning activity related to the Microsoft SMB2 vulnerability. A new Metasploit module was released on September 27 for the Microsoft SMB2 vulnerability, which may have contributed to the increase in scanning activity. Cisco Security Intelligence Operations also continues to see elevated levels of port activity related to the Clampi trojan, although levels have decreased from previous weeks.

Annual IntelliShield alert totals continue to show a marked decrease from previous years. This trend was reported in the Cisco 2009 Midyear Security Report and has continued in the second part of 2009. Analysis of this trend indicates several contributing factors, including improved vendor identification and correction of vulnerabilities in their products and a shift in criminal activity toward social engineering methods that do not require the exploitation of a vulnerability. One variable in this trend is the SQL injection and cross-site scripting vulnerabilities in websites and applications that are most often a local coding error on the web page and not a vulnerability in a vendor product or application. Although many websites have been identified as compromised through SQL and cross-site scripting exploits, an accurate count of these vulnerabilities is based on the exploited websites, not the identification of the additional similar vulnerabilities that may exist.

This week marked the beginning of the U.S. and Canadian Cybersecurity Awareness Month. Activities are planned throughout the month to improve both security knowledge and user awareness. All organizations are encouraged to take advantage of these activities and improve their users' knowledge and awareness of security measures and current threats. Additional information is available at the U.S. Department of Homeland Security and the Stay Safe Online websites.

In upcoming activity, Microsoft will release the Security Bulletin for October on Tuesday, October 13, 2009.

IntelliShield published 55 events last week: 34 new events and 21 updated events. Of the 55 events, 44 were Vulnerability Alerts, three were Security Activity Bulletins, three were Threat Outbreak Alerts, four were Security Issue Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day Date New Updated Total
Friday 10/2/2009 10 1 11
Thursday 10/1/2009 7 4 11
Wednesday 9/30/2009 7 6 13
Tuesday 9/29/2009 5 5 10
Monday 9/28/2009 5 5 10
Weekly Total 34 21 55

 

2009 Monthly Alert Totals

Month New Updated Monthly Total
January 148 382 540
February 227 249 476
March 222 335 557
April 164 206 370
May 218 175 393
June 232 209 441
July 128 167 295
August 176 225 401
September 170 168 338
Annual Total 1685 2116 3811

 

Significant Alerts for the Time Period

Microsoft Windows SMB2 Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 19000, Version 6, September 29, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-3103

Microsoft Windows Vista SP2 and prior and Windows Server 2008 contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition or execute arbitrary code. Microsoft has released a security advisory to address the Microsoft Windows SMB2 remote code execution vulnerability. Updates are not available, but Microsoft has released an official workaround.

Previous Alerts That Still Represent Significant Risk

Microsoft Internet Information Services FTPd Remote Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 18951, Version 4, September 4, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-3023

Microsoft Internet Information Services (IIS) versions 5.0, 5.1, and 6 contain a vulnerability in the FTPd service that could allow an authenticated, remote attacker to cause a denial of service condition or execute arbitrary code with elevated privileges. Microsoft has confirmed this vulnerability and updated software is available for some platforms. Safeguards are available.

Linux Kernel sock_sendpage() Local Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 18847, Version 9, September 30, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-2692

The Linux Kernel versions 2.4 through 2.6.30.4 contain a vulnerability that could allow an unprivileged, local attacker to execute arbitrary code with elevated privileges or cause a denial of service condition. Proof-of-concept exploit code is publicly available. Red Hat has released updates.

Microsoft Visual Studio Active Template Library Uninitialized Object Vulnerability
IntelliShield Vulnerability Alert 18725, Version 9, August 27, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-0901

Microsoft Visual Studio Active Template Library contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has released a security bulletin and software updates to address the Microsoft Visual Studio Active Template Library uninitialized object vulnerability in Microsoft Windows.

Microsoft Windows Video msvidctl ActiveX Control Code Execution Vulnerability
IntelliShield Vulnerability Alert 18595, Version 9, August 11, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-0015

Microsoft Windows XP SP3 and prior and Windows Server 2003 SP2 and prior contain a vulnerability in the msvidctl ActiveX control that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has released an additional security bulletin and software updates to address the Microsoft Windows video msvidctl ActiveX control code execution vulnerability.

ISC BIND Dynamic Update Remote Denial of Service Vulnerability
IntelliShield Vulnerability Alert 18730, Version 10, September 22, 2009
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2009-0696

ISC BIND contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. HP has released an additional security bulletin and updated software to address the ISC BIND dynamic update remote denial of service vulnerability.

Microsoft Office Web Components ActiveX Control Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 18633, Version 5, August 12, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-1136

Microsoft Office Web Components contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. This vulnerability is due to an unspecified error in the Office Web Components ActiveX control. Reports indicate that exploits of this vulnerability are ongoing. Additional technical information is available to detail the Microsoft Office Web Components ActiveX control arbitrary code execution vulnerability.

Microsoft Windows DirectShow QuickTime Media Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 18366, Version 3, July 14, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-1537

Microsoft Windows DirectShow contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has indicated that limited, active attacks are occurring. Microsoft has released an update that corrects this vulnerability.

Microsoft Internet Information Services WebDav Unicode Processing Security Bypass Vulnerability
IntelliShield Vulnerability Alert 18261, Version 3, June 9, 2009
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-1535

Microsoft Internet Information Services (IIS) versions 5.0, 5.1, and 6.0 contain a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and access sensitive information. The vulnerability is due to improper processing of Unicode characters in HTTP requests. An exploit could allow the attacker to bypass security restrictions and download arbitrary files from the targeted system. Exploit code is available. Microsoft has confirmed this vulnerability in a security bulletin and released software updates.

Physical

Colocation Raises Issues for Trading Data Centers but Lowers Data Latency

As traders increasingly rely on high-frequency trading based on complex proprietary algorithms, low latency has taken on heightened importance in the race to trim microseconds from the milliseconds it takes to get the best price and best the competition. Trading faster than competitors is a crucial component of high-frequency trading that, according to press reports, accounts for more than half of U.S. equities trading. In pursuit of the lowest latency, colocation—placing the trading systems as close to the server as possible to allow flash trading to occur at the fastest possible transmission rate—has become a critical business driver for trading firms. Read More

IntelliShield Analysis: While colocation as a trading strategy is already being examined by the the U.S. Securities and Exchange Commission amid criticism that only the wealthiest investors can afford the installation and subsequent maintenance, the physical security of the data centers integral to colocation appears to be unregulated. Placing all of one's eggs in a single basket is rarely a good idea, but colocation proposes a new way to threaten the global economy. Data centers will need to be safeguarded not only from floods, fires, earthquakes, and utility or communications failures, but also from insider threats and terrorist attacks. Currently, the need for speed trumps transparency in colocation security. Similar issues impact remote workers, who may have slower network connections and less physically secure environments.

Legal

U.S. Nuclear Regulatory Commission Moves Forward with Recommendations

On September 28, 2009, the U.S. Nuclear Regulatory Commission (NRC) released Regulatory Issue Summary 2009-13 (RIS09-13), advising licensees of a new recommendation for the communication of information to the Emergency Response Data System (ERDS). The recommendation comes after extensive technology review and testing with a select number of voluntary licensees. The NRC is asking that all legacy modems currently in use for the communications of ERDS data to the NRC Headquarters be replaced with dedicated VPN appliances. Read More

IntelliShield Analysis: This Regulatory Issue Summary seems to be the first of its kind in that it recommends leveraging the reliability and scalability of the public Internet for the communication of SCADA-related information to the NRC. Such a move will also allow the simultaneous communication from all VPN-equipped sites to submit ERDS data to the NRC while allowing the discontinuation of legacy equipment that may introduce vulnerabilities into the system. This change could allow the NRC to more rapidly notify licensees of extraordinary events on the grid that may affect connected generation sites. It is expected that future moves of this type will be forthcoming as the NRC continues its attempts to modernize the communications infrastructures that are used to ensure the safety of nuclear power generation.

Trust

New Sophistication in Banking Trojan Hides Transfers

Recent research from security firm Finjan has uncovered a new trojan, URLZone, that uses a novel technique to disguise malicious activity. When infected systems connect to online banking portals from a number of German banks, the trojan waits for users to initiate bank transfers and then rewrites the transaction to funnel large amounts of money to "money mules." These people are often duped third parties who agree to accept transfers before funneling the money a second time to the actual criminals. However, the trojan uses HTML injection to disguise the actual size of the transfer on the online statements in an effort to prevent users from noticing that the transactions were not completed as they expected.
Read more 
Additional Information

IntelliShield Analysis: While URLZone currently targets only German banks, the demonstration of the capability of the trojan should raise concern for all financial customers. Beyond the standard methods commonly advocated for avoiding and detecting the presence of malicious code, users can further reduce risk through common and recommended banking practices. Regularly practiced reconciliation can provide an effective mitigation against altered payments because users who compare bank statements to account balances and online transaction registers can spot inconsistencies and pursue resolution. Although this may be one argument in favor of opting to receive traditional paper statements in the mail, organizations may consider other alternatives to ensuring customers have an out-of-band confirmation of banking information that is presented to them through their computers.

Identity

There was no significant activity in this category during the time period.

Human

Medical Students Post Confidential Patient Data to Social Networking Sites

In a study published in the Journal of the American Medical Association, medical students have been found to divulge confidential patient data on social networking sites such as Facebook and Twitter. The survey of 78 U.S. medical colleges found that 13 percent of them had experienced incidents in which students posted confidential patient information online. Read More

IntelliShield Analysis: Social networking sites such as Facebook and Twitter can seem like a private place to share information with friends. However, it is indeed public, and such postings can be found by employers or other parties who may wish to do harm to the poster or someone the poster publishes content about. Although medical students are only human, we and regulatory requirements hold them to higher standards than most people. We entrust them with our sensitive medical information and we trust them to maintain a level of professionalism about that data. Of the colleges surveyed, only 38 percent reported having a formal policy regarding what can and cannot be posted online. In this age of Facebook and Twitter, every college should have such a policy, and posting of confidential patient information should be severely punished.

Geopolitical

Governments Tackle Cybersecurity

As the United States and Canada observe Cybersecurity Awareness Month, governments around the world are setting up offices to protect critical electronic networks and experimenting with legislation to protect users and data. The United States this year launched a White House office to head up cybersecurity, although a coordinator has yet to be appointed, while a Pentagon-sponsored Cyber Command is being established to head up protection of American military networks. The government of Singapore last week launched a cybersecurity authority that reportedly will tighten controls over the private sector, while the United Kingdom's new Office of Cyber Security, in its planning stages, is emphasizing its private-public coordination role amidst press speculation about the office's offensive capabilities. NATO, meanwhile, has housed a Cyber Defense Center in Tallinn, Estonia, the home of damaging cyber attacks in 2007.
Read more 
Additional Information 
Additional Information
Additional Information

IntelliShield Analysis: As governments work to protect their electronic infrastructure, a global debate is taking shape over where online security stops and invasion of privacy begins. A proposal to give the U.S. president kill-switch powers over domestic networks sparked an outcry this summer and was withdrawn, while a political squabble over which U.S. entity will be primarily responsible for cybersecurity, and what its powers will be, has stalled forward progress and frustrated efforts to appoint a coordinator to head the White House cyber effort. Plans in South Korea to block individual Internet users who fail to implement proper security programs is being criticized domestically as going too far. As the debate progresses, information security experts may wish to contribute to the conversation, as the ultimate shape of these governments' efforts and their regulatory reach will impact corporations for the foreseeable future.

Upcoming Security Activity

U.S. National Cybersecurity Awareness Month: October 2009
Hack In The Box Malaysia 2009: October 5–6, 2009
Oracle Critical Patch Update: October 20, 2009
CSI 2009 Annual Conference, Washington, D.C.: October 24–30, 2009
Interop New York: November 16–20, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.

Back to Top