February 22–28, 2010

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected.

Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity was substantially lower during this period and the month of February 2010, as compared to February 2009. Vulnerability and threat activity was highlighted by continued spam activity with updates to spam messages from previous spam traffic, along with a new spam message targeting PayPal users, as reported in IntelliShield alert 19997.

Adobe has re-released a security advisory to address the Adobe Download Manager Remote Arbitrary Code Execution Vulnerability (IntelliShield alert 19979). A new corrected version of the download manager is available.

The RSA Conference 2010 begins this week in San Francisco, California. The conference agenda will likely focus on cloud security, virtualization, cybercrime, advanced persistent threats, compliance, and mobility issues.
In addition to the RSA Conference, potentially equally interesting topics may be discussed at Security B-Sides, a security event that coincides with the RSA Conference.

IntelliShield published 64 events last week: 22 new events and 42 updated events. Of the 64 events, 48 were Vulnerability Alerts, six were Security Issue Alerts, eight were Threat Outbreak Alerts, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals
2010 Monthly Alert Totals

Significant Alerts for February 22-28, 2010

Adobe Download Manager Remote Arbitrary Code Execution Vulnerability
Adobe Download Manager contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. Adobe has confirmed the vulnerability and released updated software.

Previous Alerts That Still Represent Significant Risk

Mozilla Firefox Unspecified Arbitrary Code Execution Vulnerability
Mozilla Firefox contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Mozilla has not confirmed this vulnerability and updated software is not available.

Multiple Symantec Products ActiveX Control Arbitrary Code Execution Vulnerability
Multiple Symantec products contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the target system. Symantec confirmed this vulnerability and released software updates.

Microsoft Internet Explorer Remote Arbitrary Code Execution Vulnerability
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has confirmed this vulnerability and released software updates. Additional information is available regarding mitigations and exploit code related to the Internet Explorer remote arbitrary code execution vulnerability.

Adobe Reader and Acrobat newplayer() Arbitrary Code Execution Vulnerability
Adobe Acrobat and Reader versions 9.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system or cause a denial of service condition. Proof-of-concept code that exploits the vulnerability is publicly available. Adobe has confirmed this vulnerability, and updates are available. This vulnerability is being actively exploited through directed phishing attacks.

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
Multiple TLS implementations contain a vulnerability when renegotiating a Transport Layer Security (TLS) session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Multiple vendors have released updates to correct this vulnerability. Proof-of-concept code that exploits this vulnerability is publicly available.

Physical

There was no significant activity in this category during the time period.

Legal

United States Judge Orders Pennsylvania Schools to Stop Laptop Spying

The Lower Merion School District of Ardmore, Pennsylvania in the United States (U.S.) has been barred by a U.S. court from using the photo and screenshot features of laptop computers that were issued to students. A student filed a lawsuit against the school alleging that school officials used the laptop web cameras to spy on students.

IntelliShield Analysis: The issue arose because school officials accused a student of "inappropriate behavior" and then showed the student a photo of himself, allegedly captured from the student's laptop. School officials have denied all use of the web camera or screenshot features except for purposes of recovering lost or stolen laptops. However, some students have reported seeing the green flashing light on their web cameras, which could indicate the camera is active. With new technology come new rules of behavior; however, the implementation of such rules takes time to go through review and legal processes. In this case, it seems that although school officials deny the spying allegations, there is evidence to suggest that spying did occur. In this scenario, even if the school's only intention was to protect school assets (in this case, laptop computers), the involvement of minors along with the technology's capabilities exposes the school district to a broad range of legal and liability issues.

Trust

There was no significant activity in this category during the time period.

Identity

There was no significant activity in this category during the time period.

Human

AOL and Facebook Partnership Posting Exposes User Awareness

Recently, Mike Melanson of the ReadWriteWeb blog posted an article titled "Facebook Wants to Be Your One True Login," which discussed the effects of a partnership between AOL and Facebook. The article included an image of a Facebook logo. Soon after, the Google search engine placed a link to this article near the top of the list of results for anyone performing a search using the terms "Facebook Login". The Google search results even listed the blog post URL ahead of the actual Facebook.com login page. This action confused many Facebook users who rely on search engine results to find the login page. Numerous users accidentally followed the link to the blog rather than to the Facebook login page and failed to understand that they were not on the correct page. As a result, users left messages on the blog post complaining that they could not authenticate to and access their Facebook account.

IntelliShield Analysis: The combination of the highly placed link in the search engine results and the inclusion of the Facebook logo was enough to confuse a surprisingly large number of users. This situation demonstrates just how easily an attacker could take advantage of search engine optimization routines to conduct phishing campaigns or even distribute malicious code to unsuspecting users. These tactics could be especially effective against Internet users who rely on search engines to access their favorite pages instead of using the address bar or browser bookmarks and favorites. This recent incident demonstrates the need for increased awareness among users who are conditioned to trust search engine results.

Geopolitical

European Recovery Fraught with Trouble

As European Union (EU) economies return to tentative growth following the global financial crisis, the stresses on social institutions and families over the past 18 months are creating instability across Europe. The last two weeks in February saw labor strikes and protests in Greece, France, Germany, Spain, and Britain; a military-government crisis in Turkey; the collapse of the Dutch government; and tensions over the question of a Greek debt bailout. Airlines across Europe have been crippled by labor stoppages. Spain has even accused the Anglo-Saxon media and financial speculators of sabotaging its economy and the European currency, while a high-level Greek official lashed out at the Germans, who are contemplating a financial bailout, recalling Nazi appropriation of Greek gold during World War II.

IntelliShield Analysis: Unfortunately for the entire world, things in Europe could get worse before they get better, just as Asia races forward into a healthy recovery. As Eastern Europe and the Eurozone's deficit-ridden economies (Portugal, Ireland, Italy, Greece and Spain) attempt to rein back fiscal deficits, deep spending cuts are likely to spark continued social unrest. In Turkey, a crucial NATO ally and aspirant to EU membership, the past month's arrests of high-ranking military officers by the government have caused concern over the state of democratic institutions. Another blow to NATO stability was the collapse of the Dutch government, ensuring the withdrawal of their troops from Afghanistan. For information security specialists, the instability in Europe points to continued weakness of governance and law enforcement in countries where organized cybercrime is rampant. Labor unrest increases the likelihood of physical security threats to facilities, as well as business stoppages. EU bickering dims prospects for cooperation on Internet-related policy decisions, including privacy and copyright protections.
All of these issues mean that the short-term outlook for information technology operations in European countries is troubled.

Upcoming Security Activity

RSA Conference 2010, San Francisco: March 15, 2010

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Iraq Parliamentary Elections: March 7, 2010

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.