Cyber Risk Report

February 1–7, 2010

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity during this period returned to its usual, higher levels. Activity was highlighted by VMware security advisory VMSA-2010-0002, which covers 53 vulnerabilities in the Java Runtime Environment bundled with multiple VMware products. VMware users should note that many current product versions, such as vCenter, Server 2.0, and multiple ESX versions, are affected but patches are not yet available.

Microsoft released security advisory 980088 to address a new vulnerability in Internet Explorer, as reported in IntelliShield alert 19873. Microsoft also released its advance notification for the February 2010 security bulletins, scheduled for release on February 9, 2010. The advance notification lists 13 bulletins, of which five are rated Critical.

Oracle released a security advisory and update for a vulnerability in WebLogic Server, as reported in IntelliShield alert 19889. An additional Oracle vulnerability was presented at Black Hat DC (IntelliShield alert 19883); Oracle has not yet responded to it.

Apple released a security advisory for the iPhone and iPod correcting multiple vulnerabilities. The vulnerabilities can be exploited when a user opens certain types of malicious files. A successful exploit could result in the disclosure of information or code execution on the devices.

The Black Hat DC and ShmooCon security conferences were held last week. Conference presentations included further discussion and details about the Internet Explorer and Adobe vulnerabilities. Discussions included the circumvention of security mechanisms that were designed to prevent the types of exploits recently released, as well as the Trusted Platform Module (TPM). See the Trust section of this report for more details about the TPM presentation.

IntelliShield published 132 events last week: 43 new events and 89 updated events. Of the 132 events, 104 were Vulnerability Alerts, two were Security Activity Bulletins, ten were Security Issue Alerts, 15 were Threat Outbreak Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Friday        02/05/2010     7         6      13
Thursday      02/04/2010     9         8      17
Wednesday     02/03/2010     5        14      19
Tuesday       02/02/2010    12        29      41
Monday        02/01/2010    10        32      42
Weekly Total                43        89     132

 

2010 Monthly Alert Totals

Month      New   Updated   Monthly Total
January    158       259             417
Total      158       259             417

Significant Alerts for February 1-7, 2010

Microsoft Internet Explorer Remote Information Disclosure Vulnerability
IntelliShield Vulnerability Alert 19873, Version 2, February 4, 2010
Urgency/Credibility/Severity Rating: 1/5/2
CVE-2010-0255

Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to disclose sensitive information. Proof-of-concept code is publicly available. Microsoft has confirmed this vulnerability but software updates are not available.

Oracle WebLogic Server Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19889, Version 1, February 5, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-0073

Oracle WebLogic Server contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Updates are available.

Previous Alerts That Still Represent Significant Risk

Microsoft Internet Explorer Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19726, Version 4, January 26, 2010
Urgency/Credibility/Severity Rating: 1/5/2
CVE-2010-0249

Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has confirmed this vulnerability and released software updates. Additional information is available regarding mitigations and exploit code related to the Internet Explorer remote arbitrary code execution vulnerability.

Adobe Reader and Acrobat newplayer() Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19602, Version 8, January 22, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-4324

Adobe Acrobat and Reader versions 9.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system or cause a denial of service (DoS) condition. Proof-of-concept code that exploits the vulnerability is publicly available. Adobe has confirmed this vulnerability, and updates are available. This vulnerability is being actively exploited through directed phishing attacks.

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 31, February 5, 2010
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-3555

Multiple TLS implementations contain a vulnerability when renegotiating a Transport Layer Security (TLS) session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Multiple vendors have released updates to correct this vulnerability. Proof-of-concept code that exploits this vulnerability is publicly available.

Physical

Canada to Increase Security Presence at Upcoming Olympic Games

During the 1988 Winter Olympic Games in Calgary, Alberta, Canada, only 42 military personnel participated in efforts to secure the event. At the 2010 Winter Olympic Games in Vancouver, British Columbia, Canada, an estimated 4,500 soldiers will provide security, including warships patrolling the waterways around the port city and air patrols assisting police forces. The increase in required forces is a marked change from the past and may set the bar for handling security at future events. A travel advisory from the United States Department of State has warned about the potential for threats against American and other citizens at the games, although no specific threats have been made against the games.

IntelliShield Analysis: Travelers to the Vancouver Games should be aware of additional security screenings that may increase travel time. Businesses with interests in the area should also be aware of such measures and the impact on travel times and facility availability due to the influx of attendees. Although some have questioned the ability of the Canadian military to assist with security because of their efforts in Afghanistan and Haiti, it is unlikely that Olympic security will burden Canadian military resources.

Legal

United Kingdom Asks the Public to Report Terrorist Websites for Removal

The British Government has introduced a new program that asks citizens to report websites that either promote terrorism or are designed to help in terrorist activity. The website Direct.co.uk accepts anonymous reports, which are then investigated by members of the Counter Terrorism Internet Referral Police Unit. Investigators determine whether a reported website indeed aids terrorism and, if so, seek to have it removed from the Internet. This reporting measure is intended to help the British government enforce the Terrorism Acts of 2000 and 2006.

IntelliShield Analysis: Although this approach has the advantage of increasing awareness of the problem, it may be a difficult solution to implement. The criteria for identifying a website for removal are vague and could encompass a wide range of general informational, educational, political, and religious websites with only questionable links to any form of terrorism. Such a broad policy could result in legal challenges from organizations that believe their websites have been unfairly targeted or removed. In the end, the decision to remove a website will be a judgment made by the enforcing officers, who may themselves have difficulty applying this policy.

At best, this action will likely drive the actual terrorist websites underground or offshore to countries that will not cooperate with the United Kingdom's removal requests, making the intelligence job far more difficult. At worst, the program could be exploited to report websites that submitters simply want removed, for any number of reasons. Although the policy appears to have potentially serious operational issues, the most significant may be the broader topic of censorship of Internet content and how to address such censorship in the ongoing international discussions about Internet agreements.

Trust

Trusted Platform Module Successfully Attacked

The Trusted Platform Module (TPM), which is used in various secure platforms for storage of encryption keys and in licensing servers, was successfully compromised according to researcher Christopher Tarnovsky. Mr. Tarnovsky presented his findings at the Black Hat DC conference last week. Working in a lab setting, Tarnovsky jumpered the internal circuitry of an SLE 66 CL PC processor to trace the chip's data bus and eventually recover the keys it protected. Mr. Tarnovsky acknowledged that the method is not easy to duplicate. He reported that his next step is to repeat the feat with TPM chips from another manufacturer.

IntelliShield Analysis: This attack has changed the problem of hacking TPM chips from brute-force guessing, which would be potentially insurmountable, to a merely esoteric and time-consuming one. It does require physical possession of the device and laboratory equipment, so these results may not currently affect the majority of computer users; entities with valuable data protected by a TPM, however, are advised to take another look at how that data is protected. If organizations suspect that their data could be of value to adversaries with the ability to mount a similar attack, a different method of data storage and protection, or one that does not rely on the TPM alone, is advised. As work progresses on this attack method, organizations can expect such an exploit to become easier to execute.
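
One concrete way to stop a key-extraction attack of the kind described above from being sufficient on its own is to make the data key depend on two factors: the secret the TPM holds and a user-supplied passphrase. The following is an added example, not code from the report, from Mr. Tarnovsky's work, or from any TPM vendor. TPM_SECRET is a constructed constant standing in for a key a real TPM would hold, and the "sealed blob" layout (salt plus key check value) is an assumption made for illustration. An attacker who extracts the chip's secret in a lab still has to recover the passphrase through a slow, salted derivation.

```python
"""Added example (not from the report or any TPM vendor): derive the data key
from a TPM-held secret AND a user passphrase, so that extracting the chip's
secret alone does not yield the key.  TPM_SECRET is a constructed stand-in."""

import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed stand-in for the secret a real TPM would hold (assumption).
TPM_SECRET = bytes.fromhex("00" * 31 + "01")
PBKDF2_ROUNDS = 100_000


def derive_data_key(tpm_secret: bytes, passphrase: str, salt: bytes) -> bytes:
    """Stretch the passphrase (slow, salted PBKDF2), then bind the result to the
    TPM secret with HMAC.  Neither input alone yields the key."""
    stretched = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                                    salt, PBKDF2_ROUNDS)
    return hmac.new(tpm_secret, stretched, hashlib.sha256).digest()


def seal(tpm_secret: bytes, passphrase: str) -> Dict[str, bytes]:
    """Metadata stored beside the encrypted data: a fresh salt and a short key
    check value, so a wrong passphrase is detected rather than silently used
    to decrypt garbage.  The key itself is never stored."""
    salt = os.urandom(16)
    key = derive_data_key(tpm_secret, passphrase, salt)
    return {"salt": salt, "kcv": hashlib.sha256(b"kcv:" + key).digest()[:8]}


def unseal(blob: Dict[str, bytes], tpm_secret: bytes,
           passphrase: str) -> Optional[bytes]:
    """Recover the data key, or None if either factor is wrong."""
    key = derive_data_key(tpm_secret, passphrase, blob["salt"])
    kcv = hashlib.sha256(b"kcv:" + key).digest()[:8]
    if not hmac.compare_digest(kcv, blob["kcv"]):
        return None
    return key
```

The caveat is that the second factor is only as strong as the passphrase: with the TPM secret in hand, the attacker's remaining work is an offline guess at PBKDF2 cost per attempt, so a short or common passphrase adds little.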

Identity

Researchers Track Users Based On Unique Browser Footprints

Privacy advocates from the Electronic Frontier Foundation (EFF) have released an informational website and browser test suite called Panopticlick. The website gathers information reported by the visitor's browser and scores how unique that combination is among the browsers tested. The more unique a browser is, the more likely it can be identified across websites, even without cookies. The EFF plans to release the results of its three-month study and to make recommendations to users, browser vendors, and other web developers about how to decrease the amount of unintentional information leakage online.

IntelliShield Analysis: This research continues to show that privacy in the digital age is threatened by the combination of seemingly innocuous data points. In this case, the fragments of information are correlated by associating them with a single browser installation. The research may show that previous privacy measures, such as disabling cookies, are not sufficient to protect anonymity. Combining browser fingerprints with other data sources, such as comparing visitor fingerprints across multiple sites, could lead to reliable tracking of an individual browser installation and potentially of its primary user's activity. Organizations should continue to monitor these developments, as they may lead to significant changes in privacy laws, regulations, or practices. There may also be implications both for educating users on safe browsing practices and for the type of information that organizations should collect and store.
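
The "level of uniqueness" Panopticlick reports is an information-theoretic measure: each attribute value carries -log2(P(value)) bits of identifying information relative to the population, and a browser is trackable when its combined attributes occur only once. The following is an added example, not code from the EFF or from this report, that scores a constructed set of fingerprint records the same way. The attribute names and the eight sample records are constructed for illustration and do not reflect the EFF's data.

```python
"""Added example (not from the EFF study or this report): scoring browser
fingerprint uniqueness with surprisal, entropy, and a uniqueness fraction.
The records below are constructed for illustration."""

import math
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample: each dict is one browser's reported attributes.
SAMPLE_FINGERPRINTS: List[Dict[str, str]] = [
    {"user_agent": "Firefox/3.6", "screen": "1280x800x24",  "timezone": "-5", "plugins": "Flash 10;Java 6"},
    {"user_agent": "Firefox/3.6", "screen": "1280x800x24",  "timezone": "-5", "plugins": "Flash 10"},
    {"user_agent": "Firefox/3.6", "screen": "1024x768x24",  "timezone": "0",  "plugins": "Flash 10"},
    {"user_agent": "IE/8.0",      "screen": "1024x768x32",  "timezone": "-5", "plugins": "Flash 10;Silverlight 3"},
    {"user_agent": "IE/8.0",      "screen": "1024x768x32",  "timezone": "-5", "plugins": "Flash 10;Silverlight 3"},
    {"user_agent": "Safari/4.0",  "screen": "1440x900x24",  "timezone": "-8", "plugins": "Flash 10;QuickTime 7"},
    {"user_agent": "Chrome/4.0",  "screen": "1920x1080x24", "timezone": "+1", "plugins": "Flash 10"},
    {"user_agent": "Firefox/3.6", "screen": "1280x800x24",  "timezone": "-5", "plugins": "Flash 10"},
]
ALL_KEYS = ("user_agent", "screen", "timezone", "plugins")


def fingerprint(attrs: Dict[str, str], keys: Iterable[str]) -> str:
    """Join the chosen attributes into one comparable string."""
    return "|".join(attrs[k] for k in keys)


def surprisal_bits(value: str, population: List[str]) -> float:
    """-log2 P(value): bits of identifying information in one observation."""
    p = population.count(value) / len(population)
    return -math.log2(p)


def attribute_entropy(records: List[Dict[str, str]], key: str) -> float:
    """Shannon entropy (bits) of one attribute across the population."""
    counts = Counter(r[key] for r in records)
    n = len(records)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def most_identifying(records: List[Dict[str, str]], keys: Iterable[str]) -> str:
    """Attribute whose distribution carries the most bits in this population."""
    return max(keys, key=lambda k: attribute_entropy(records, k))


def unique_fraction(records: List[Dict[str, str]], keys: Iterable[str]) -> float:
    """Fraction of browsers whose combined fingerprint occurs exactly once,
    i.e. the share that could be tracked by this attribute set alone."""
    fps = [fingerprint(r, keys) for r in records]
    counts = Counter(fps)
    return sum(1 for fp in fps if counts[fp] == 1) / len(fps)
```

On the constructed sample, the user agent alone singles out a quarter of the browsers while the full attribute set singles out half; the lesson for site operators is that each extra attribute logged raises the uniqueness fraction, whether or not that was the intent.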

Human

Twitter Account Users Forced to Create Stronger Passwords

Twitter discovered that some accounts had been compromised and sent a required password reset to an unspecified number of users. The director of Twitter Safety and Trust, Del Harvey, wrote in a blog post that the company believed attackers may have obtained login details through third-party Torrent services. Because the affected users were managing multiple online accounts with a single password, attackers were able to use the captured credentials to log in to the Twitter accounts.

IntelliShield Analysis: The popularity of social networking sites makes user accounts valuable targets for phishers of personal data. Using a single password for many accounts is an open invitation to data loss. Around the time Twitter announced this compromise, the security company Sophos released the results of a survey indicating that malware originating from social networking sites was up 70 percent in 2009. Twitter was proactive regarding member security, but the Sophos report suggests that many users will learn hard lessons about the value of their personal data if they persist in trusting a single password to protect multiple services and accounts.
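
The server-side signature of the pattern described above (a credential list captured elsewhere and replayed against many accounts) is a single source attempting many different usernames, with a few successes mixed in. The following is an added example, not code from Twitter or from this report, showing detection logic a service could run over its authentication log. The log lines and their key=value format are constructed for this example and do not represent any real service's log format; the threshold is a tunable assumption.

```python
"""Added example (not from Twitter or this report): flag credential-replay
sources in an authentication log and list the accounts they got into.
The log lines and their format are constructed for illustration."""

from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample: one replaying source, one legitimate user with a typo.
SAMPLE_AUTH_LOG = """\
2010-02-03T02:14:01Z ip=198.51.100.7 user=alice result=fail
2010-02-03T02:14:02Z ip=198.51.100.7 user=bob result=success
2010-02-03T02:14:03Z ip=198.51.100.7 user=carol result=fail
2010-02-03T02:14:04Z ip=198.51.100.7 user=dave result=fail
2010-02-03T02:14:05Z ip=198.51.100.7 user=erin result=success
2010-02-03T02:14:06Z ip=198.51.100.7 user=frank result=fail
2010-02-03T09:30:10Z ip=203.0.113.5 user=alice result=fail
2010-02-03T09:30:25Z ip=203.0.113.5 user=alice result=success
"""


def parse_auth_log(text: str) -> List[Dict[str, str]]:
    """Turn 'timestamp key=value ...' records into dicts; malformed lines
    (missing fields) are skipped rather than allowed to break the sweep."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        rec = {"ts": parts[0]}
        for kv in parts[1:]:
            k, sep, v = kv.partition("=")
            if sep:
                rec[k] = v
        if all(field in rec for field in ("ip", "user", "result")):
            events.append(rec)
    return events


def flag_credential_stuffing(events: List[Dict[str, str]],
                             min_distinct_users: int = 5) -> Dict[str, Set[str]]:
    """Sources that tried at least min_distinct_users different usernames are
    treated as replaying a stolen credential list.  Returns, per flagged
    source, the accounts it logged into successfully: those are the accounts
    to force a password reset on.  One user failing a few times from one
    source (a typo) never reaches the threshold."""
    users_by_ip: Dict[str, Set[str]] = defaultdict(set)
    successes_by_ip: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        users_by_ip[e["ip"]].add(e["user"])
        if e["result"] == "success":
            successes_by_ip[e["ip"]].add(e["user"])
    return {ip: set(successes_by_ip[ip])
            for ip, users in users_by_ip.items()
            if len(users) >= min_distinct_users}
```

The accounts returned are the ones whose passwords are known to be reused elsewhere, which is exactly the population a forced reset should target; a production version would also window the counts by time and treat a shared NAT or proxy address with a higher threshold.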

Geopolitical

United States National Threat Assessment Puts Cyber Threat Front and Center

United States (U.S.) Director of National Intelligence, Dennis Blair, delivered his annual threat assessment to the U.S. Senate Select Committee on Intelligence last week, opening with a sobering assessment of the threat of malicious cyber activity to the security of the U.S. and the international community. Blair acknowledged that no single adversary threatened the U.S. with military force, and the dire global economic situation, the primary threat he highlighted to the Committee in his last assessment, appears to have improved. Rather, he described the multiplicity of interrelated and complex threats and actors as the greatest challenge facing the U.S., and highlighted the cyber threat as a prime example. One critical factor, according to Blair, was the increased number of international companies supplying software and hardware to private sector and even government networks, increasing the potential for subversion of the information in those systems.

IntelliShield Analysis: Although Blair included the cyber threat in his 2009 testimony, this year's assessment places it front and center. For information security specialists, it is noteworthy in its admission that the technology balance currently favors malicious actors, and that current U.S. government defenses are insufficient. Blair's concern goes beyond government networks to include credit card and ATM fraud, intellectual property theft from private companies, and critical infrastructure such as the power grid. The primary message on the subject appeared to be that the government could not hope to take on the problem alone. Blair's assessment confirms top-level government acknowledgment that the partnership between the private and public sectors is essential in protecting the country's vital economic and security interests.

Upcoming Security Activity

RSA Conference 2010, San Francisco: March 1–5, 2010
CanSecWest 2010, Vancouver: March 24–26, 2010
Cisco Networkers 2010, Bahrain: March 28–21, 2010

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

XXI Olympic Winter Games, Vancouver, British Columbia, Canada: February 12–28, 2010

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
