Cyber Risk Report

March 15-21, 2010

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.


Vulnerability activity for the period was decreased from previous periods, but several important security advisories were released. Microsoft re-released a security advisory and provided updated software to address an invalid pointer reference arbitrary code execution vulnerability in Microsoft Internet Explorer, which is reported in IntelliShield Alert 20052. Apple and Google also released updates to correct multiple vulnerabilities in their respective Safari and Chrome browsers. Reports suggest that the release may be related to the upcoming CanSecWest contest, where researchers will reportedly announce additional vulnerabilities. Security updates were also released by Red Hat, IBM, and Spamassasin during the time period. Looking forward, Cisco will release the semiannual Cisco IOS Software Security Advisory bundled publication on March 24, 2010. The latest update occurred in September 2009.

In threat activity, proof-of-concept code that exploits an arbitrary code execution vulnerability in Adobe Reader and Acrobat is publicly available. This vulnerability is reported in IntelliShield Alert 19948.

The National Collegiate Athletic Association (NCAA) basketball tournament began during the time period. The tournament includes a large volume of online activity related to brackets, scores, and news updates. Because many games occur during the business day, interested employees will likely access media from business systems and therefore increase their risk of becoming victims of spam, search engine optimization exploits, and phishing attempts. For these reasons, organizations should remind users that criminals will attempt to exploit these events and advise users to exercise increased vigilance.

Throughout March, many areas of the globe will change to Daylight Saving Time. The European Union (EU) will change on March 28, 2010. A complete list of the time changes for each region is available at

IntelliShield published 76 events last week: 20 new events and 56 updated events. Of the 76 events, 53 were Vulnerability Alerts, eight were Security Activity Bulletins, eight were Security Issue Alerts, five were Threat Outbreak Alerts, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day Date New Updated Total
Friday 03/19/2010 5 23 28
Thursday 03/18/2010 8 10 18
Wednesday 03/17/2010 8 30 38
Tuesday 03/16/2010 14 12 26
Monday 03/15/2010 8 24 32
Weekly Total 20 56 76


Significant Alerts for the March 15–21, 2010

Microsoft Internet Explorer Invalid Pointer Reference Access Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20052, Version 3, March 15, 2010
Urgency/Credibility/Severity Rating: 3/5/4

Microsoft has re-released a security advisory and updated software to address the Microsoft Internet Explorer invalid pointer reference access arbitrary code execution vulnerability. Functional exploit code is being used in ongoing exploits.

Previous Alerts That Still Represent Significant Risk

Microsoft Internet Explorer Unsafe Help File Handling Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20014, Version 2, March 2, 2010
Urgency/Credibility/Severity Rating: 2/5/4

Microsoft has released a security advisory with information about affected products to address the Microsoft Internet Explorer unsafe help file handling arbitrary code execution vulnerability. Proof-of-concept code that demonstrates code execution is available.

Adobe Download Manager Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19979, Version 4, February 26, 2010
Urgency/Credibility/Severity Rating: 2/5/4

Adobe Download Manager contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. Adobe has confirmed the vulnerability and released updated software.

Mozilla Firefox Unspecified Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19968, Version 1, February 19, 2010
Urgency/Credibility/Severity Rating: 2/3/4

Mozilla Firefox contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Mozilla has not confirmed this vulnerability, and updated software is not available.

Multiple Symantec Products ActiveX Control Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19970, Version 1, February 19, 2010
Urgency/Credibility/Severity Rating: 2/5/4

Multiple Symantec products contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the system. Symantec confirmed this vulnerability and released software updates.

Microsoft Internet Explorer Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19726, Version 5, February 25, 2010
Urgency/Credibility/Severity Rating: 3/5/4

Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has confirmed this vulnerability and released software updates. Additional information is available regarding mitigations and exploit code related to the Internet Explorer remote arbitrary code execution vulnerability.

Adobe Reader and Acrobat newplayer() Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 19602, Version 8, January 22, 2010
Urgency/Credibility/Severity Rating: 3/5/4

Adobe Acrobat and Reader versions 9.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system or cause a denial of service condition. Proof-of-concept code that exploits the vulnerability is publicly available. Adobe has confirmed this vulnerability, and updates are available. This vulnerability is being actively exploited through directed phishing attacks.

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 40, March 18, 2010
Urgency/Credibility/Severity Rating: 2/5/3

Multiple TLS implementations contain a vulnerability when renegotiating a Transport Layer Security (TLS) session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Multiple vendors have released updates to correct this vulnerability. Proof-of-concept code that exploits this vulnerability is publicly available.


Chips, Chips, and More Chips

A pro-privacy group in the United Kingdom (UK) recently reported that, unbeknownst to the general public, more than 2.6 million microchips were installed in garbage bins in an effort to monitor the trash generation and volume of UK households. Opponents claim that the chips represent a form of government monitoring that will be used to penalize households producing excessive amounts of trash, but proponents—namely the UK government—insist that the monitoring will actually reward families that reduce household waste.

In a related story, the UK government is contemplating the use of microchips in dogs to assist in the location of animal owners that have been suspected of human attacks.
Read More
Additional Information

IntelliShield Analysis: Many agree that our collective society is generating, collecting, storing, and analyzing more and more data at alarmingly increasing rates. The divisiveness surrounding the issues of intelligence data involves how and by whom it is used. Individuals who strive to protect privacy traditionally object to the collection and use of such data unless the individuals in question explicitly authorize it. However, groups such as government authorities and law enforcement agencies hope to leverage data in an effort to (among other uses) enhance the overall protection of our society. Although the use and purpose of this data will always be fodder for debate, it does indeed provide a view of our personal, private, and business lives.

Fired Worker Disabled Cars Via Web

In the United States, an employee for a Texas-based used car dealership recently sought revenge after being terminated by interfering with car horns and engines remotely via the web. When Omar Ramos-Lopez was terminated, he authenticated to the dealership's online collections system using another employee's credentials and activated the horns and disabled the starters of over 100 financed vehicles. After the horns had been activated, many owners only recourse was to remove the batteries from their vehicles. Some vehicles were also towed. Police used access logs from the collections system to trace the source IP address to Ramos-Lopez's AT&T Internet service.
Read More
Additional Information
IntelliShield Analysis: The car dealership has indicated that, moving forward, it will now change all users' passwords when an employee is terminated. Although this action should prevent a future occurrence, a larger issue is afoot. The practices that allowed the miscreant to obtain another employee's login credentials should be addressed immediately. Passwords should be known by owners only. Login credentials should never be shared between employees because the scenario destroys the value of any existing audit trails. Employees should be trained on the need to keep their passwords secure. If a password is forgotten, it should be reset and, upon the next login, the employee should be required to change it using strong password requirements.


Multiple Agencies Issue Joint Wire Transfer Fraud Warning

A rise in fraudulent wire transfers to overseas locations prompted multiple agencies to issue a joint cybersecurity advisory that offered recommendations on best security practices for banks and businesses. The United States (U.S.) Department of Justice, the New York State Intelligence Center, New York State Police, the New York State Office of Homeland Security, the U.S. Secret Service, the Multi-State Information Sharing and Analysis Center (ISAC), and the Financial Services ISAC called the Zeus botnet and related malware a growing threat to online banking consumers and claimed that average losses per victim ranged from US$100,000 to $200,000.
Read More
Additional Information
IntelliShield Analysis: The advisory offers useful advice to financial institutions and their customers during a time when legal questions of what constitutes reasonable security on the part of banks remain unanswered. This advisory also demonstrates the magnitude, elevated concerns, and focus of this threat and criminal activity. Consumers, businesses, and financial institutions are advised to review the recommendations and consider implementing additional security controls to avoid these attacks. Informed, educated, and vigilant users remain a strong defense against cybercrime, and many financial organizations have taken the additional steps of raising the awareness of their users as one additional preventive measure.


United States Judge Freezes Accounts of Russian Firm Accused of Manipulating Stocks

A United States Federal judge recently agreed to freeze the assets of a Russian stock trading firm after the Securities and Exchange Commission (SEC) presented evidence of fraudulent trading. The SEC noticed that 38 securities traded by BroCo Investments were heavily bought by a series of legitimate accounts that were later found to have been compromised. BroCo profited heavily from this trading activity, and the SEC believes that the organization orchestrated the intrusions in an effort to inflate the value of stocks held by BroCo so that they could be sold for significant profit.
Read More  
Additional Information

IntelliShield Analysis: These "pump and dump" scams are not new on the Internet; they have been featured prominently in e-mail campaigns that attempt to convince individuals that they have received a valuable stock tip. In BroCo's case, the SEC noticed that several microcap stocks with low trading volumes had sharp increases in activity, and, as a result, a single account was profiting from the spikes. Anomaly detection was clearly valuable in the SEC's investigation; organizations that are involved in securities and commodities trading should consider employing network situational awareness and advanced heuristics to detect these kinds of activities as well.


MySpace to Sell User Data

The MySpace social networking website recently initiated sales of bulk user data on the data marketplace. The data for sale includes user pictures, names, zip codes, blog posts, updates, and music playlists. Some types of data, such as user friend lists, will remain restricted. Read More

IntelliShield Analysis: The MySpace development is especially interesting because other social networking companies may choose to follow suit. The sale of user data prompts interesting and difficult questions. Of particular interest is how MySpace users will react to the sale. At the very least, the sale should reinforce the lesson that users should not post anything on a public forum that could eventually embarrass them or compromise their identity, especially if access to the information could be sold to unknown parties at a later date.


There was no significant activity in this category during the time period.


Mexican Drug Violence Continues

Following the recent murders of three individuals with ties to the United States (U.S.) consulate in Ciudad Juarez, Mexico, the U.S. Department of State issued a travel warning and authorized the departure of U.S. government employee dependents from six consulates near the U.S.-Mexico border. Although the investigation is ongoing, some theorize that two of the victims were mistakenly targeted because their SUV was similar to that of the intended target. The possibility that U.S. government employees were deliberately targeted, however, has increased pressure on both the U.S. and Mexican governments to demonstrate that they are handling the problem. Drug-related violence in Mexico continues to escalate as a by-product of Mexican President Felipe Calderón's campaign to subdue the violent gangs that are believed to be responsible for 7,000 deaths in 2009 alone.
Read More  
Additional Information  
Additional Information

IntelliShield Analysis: Mexico's struggle against drug trafficking is of grave concern to multinational companies that use the country as a manufacturing and transportation hub. Businesses with operations in the border region (in cities like Ciudad Juarez, Tijuana, and Nogales, as well as cities further south including Mexico City) have observed no improvements in relation to employee security. Deeming the country off-limits to business is not a solution, particularly as certain areas of Mexico remain as safe as many U.S. cities. Security planners may consider assessing the security profile of each city individually as they gauge travel and safety policies for the region. At the same time, concerns about spillover violence into cities north of the border—although punctuated by anecdotal evidence—are not reflected in larger statistical samples. Furthermore, the murders that make headlines are not the greatest risk to the vast majority of individuals who are able to avoid violence. Rather, high rates of kidnappings and ATM express kidnappings are a more common concern for foreign operations and employees in Mexico. Given President Calderón's resolve to continue the antidrug war, chances are high that business risks in the southwest border region will remain elevated for years to come.

Upcoming Security Activity

CanSecWest 2010, Vancouver: March 24–26, 2010
Cisco Networkers 2010, Bahrain: March 28–31, 2010
InfoSec World 2010: April 17–23, 2010
INTEROP Las Vegas: April 25–29, 2010

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Passover: March 29, 2010
Easter: April 4, 2010

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.

Back to Top