Cyber Risk Report

November 30–December 6, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.


Vulnerability and threat activity increased during this period due to continued vendor responses to previously released vulnerabilities, and increased threat activity related to amplified levels of online shopping and searching activity.

This year's Cyber Monday (November 30, 2009) online shopping levels reportedly increased by eight percent over 2008 levels. Along with that increase, criminal activity and malicious content increased in efforts to exploit Cyber Monday users. Recent weeks have seen a rise in Zeus botnet activity in the form of H1N1 spam; Koobface circulations with a Santa reference; attempts by the Oprachki trojan to compromise and hijack users' search activity; and fraudulent Microsoft Security Update spam messages. Users should be aware of the increased levels of criminal activity and use additional caution during this time of year.

US-CERT has released Vulnerability Note #261869 to address an SSL-based Clientless VPN vulnerability that could impact numerous vendor products. This potential vulnerability has no corrections available, but it does have multiple mitigation methods that can be applied to prevent the violations of trusted domains. Users and administrators are advised to apply these mitigations to limit the potential for exploits. This potential vulnerability was reported in IntelliShield alert 19500.

Microsoft released the Microsoft Security Bulletin Advance Notification for December 2009, which includes six bulletins, three rated Critical and three rated Important. The bulletins impact multiple Windows operating systems and Microsoft Office products.

Cisco will release the Cisco 2009 Annual Security Report on December 8, 2009. A live broadcast by Cisco security executives and researchers from Cisco will discuss findings from the report and review security trends over the past year and implications for the future. The Internet TV broadcast will air at 8:00AM Pacific Time (GMT-9) and can be accessed at the following link: 2009 Cisco Annual Security Report Live Broadcast

IntelliShield published 113 events last week: 32 new events and 81 updated events. Of the 113 events, 94 were Vulnerability Alerts, six were Security Activity Bulletins, eight were Security Issue Alerts, and five were Threat Outbreak Alerts. The alert publication totals are as follows:

Weekly Alert Totals

Day Date New Updated Total
Friday 12/4/2009 5 13 23
Thursday 12/3/2009 7 7 3
Wednesday 12/2/2009 7 23 12
Tuesday 12/1/2009 6 8 28
Monday 11/30/2009 7 1 15
Weekly Total 32 81 113


2009 Monthly Alert Totals

Month New Updated Monthly Total
January 148 392 540
February 227 249 476
March 222 335 557
April 164 206 370
May 218 175 393
June 232 209 442
July 128 167 295
August 176 225 401
September 173 178 351
October 191 275 467
November 195 358 553
Annual Total 2074 2769 4845


Significant Alerts for November 30-December 6, 2009

Microsoft Internet Explorer Cascading Style Sheets Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 19468, Version 3, November 24, 2009
Urgency/Credibility/Severity Rating: 2/5/4

Microsoft Internet Explorer versions 6 and 7 contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code. Proof-of-concept code is publicly available.

Microsoft Windows SMB Client Remote Denial of Service Vulnerability
IntelliShield Vulnerability Alert 19422, Version 2, November 16, 2009
Urgency/Credibility/Severity Rating: 2/5/3

Microsoft Windows Server 2008 R2 and Windows 7 contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. Exploit code is publicly available. Microsoft has confirmed this vulnerability, but updates are not available.

Previous Alerts That Still Represent Significant Risk

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 17, December 4, 2009
Urgency/Credibility/Severity Rating: 2/5/3

Multiple TLS implementations contain a vulnerability when renegotiating a Transport Layer Security (TLS) session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Multiple vendors have released updates to correct this vulnerability. Proof-of-concept code that exploits this vulnerability is publicly available.

Gumblar Malicious Code Adopts Additional Exploit Methods
IntelliShield Vulnerability Alert 19237, Version 1, October 20, 2009
Urgency/Credibility/Severity Rating: 3/4/3

Reports indicate additional activity related to the Gumblar malicious code.

Microsoft Windows SMB2 Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 19000, Version 7, October 13, 2009
Urgency/Credibility/Severity Rating: 3/5/4

Microsoft Windows Vista SP2 and prior and Windows Server 2008 contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code. Microsoft has released a security advisory to address the Microsoft Windows SMB2 remote code execution vulnerability. Microsoft has released a security advisory and updated software to address the Microsoft Windows SMB2 remote code execution vulnerability. Functional exploit code is publicly available.

Microsoft Internet Information Services FTPd Remote Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 18951, Version 5, October 13, 2009
Urgency/Credibility/Severity Rating: 2/5/4

Microsoft IIS versions 5.0, 5.1, and 6 contain a vulnerability in the FTPd service that could allow an authenticated, remote attacker to cause a DoS condition or execute arbitrary code with elevated privileges. Microsoft has released a security bulletin with software updates to address the Microsoft Internet Information Services FTPd remote buffer overflow vulnerability.

Microsoft Visual Studio Active Template Library Uninitialized Object Vulnerability
IntelliShield Vulnerability Alert 18725, Version 12, November 5, 2009
Urgency/Credibility/Severity Rating: 2/5/4

Microsoft Visual Studio Active Template Library contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has released a security bulletin and software updates to address the Microsoft Visual Studio Active Template Library uninitialized object vulnerability in Microsoft Windows.

Microsoft Office Web Components ActiveX Control Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 18633, Version 6, October 12, 2009
Urgency/Credibility/Severity Rating: 3/5/4

Microsoft Office Web Components contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. This vulnerability is due to an unspecified error in the Office Web Components ActiveX control. Reports indicate that exploits of this vulnerability are ongoing. Additional technical information is available to detail the Microsoft Office Web Components ActiveX control arbitrary code execution vulnerability. IntelliShield has re-released this alert to clarify the availability of software updates.


United Nations Climate Change Summit Protests

The United Nations Climate Change Conference is being held in Copenhagen, Denmark from December 7-18, 2009. The conference will host international leaders to discuss ways to reduce greenhouse emissions and other actions related to climate change. During the summit, several groups will be staging protests to voice demands for climate change, including Climate Collective, Climate Justice Action, and Never Trust A Cop.
Read More 
Additional Information 
Additional Information 
Additional Information 

IntelliShield Analysis: When large and conflicting groups of people gather to stage protests, the risk of disorder and violence increases. At least one of the protest groups plans to engage in civil disobedience by gathering in the conference hall and disrupting the proceedings. Other tactics will likely include carrying signs in proximity of the summit location and nearby hotels where participants will be staying.

Security will be tight and police presence prevalent. The risk of confrontation between protestors and law enforcement will be high. It will be important for law enforcement to secure and maintain electricity for the event and keep necessary roads open for traffic to and from the conference. Law enforcement should also consider the potential for protestors to use Web 2.0 technologies to converge flash mobs and outmaneuver security forces, as has been the case in past protest events.


Viviane Reding Chosen to Amend European Union Data Protection Laws

The new European Union (EU) Commissioner for Justice, Fundamental Rights, and Citizenship, Viviane Reding, will amend the EU's Data Protection Laws in 2010. Ms. Reding was notable in her previous position as Commissioner for Information Society and Media by drastically decreasing the cost of cellular roaming. Her most notable success during her previous tenure was the revision of the EU's telecom laws, which included a section on network neutrality. The 1995 Data Protection Directive regulates processing of personal data, but it does not specifically address instances of accidental information disclosure.
Read More 

IntelliShield Analysis: The Data Protection Directive is due for a revision because several common issue items do not exist in the current law. Changes to the law will likely include data disclosure penalties to be put into place for entities that inadvertently disclose information, or have information disclosed during hacking episodes. As well, such entities will likely be held responsible for notifying affected individuals. In previous years, the EU maintained strict individual privacy protections, but anti-terror initiatives, financial fraud, and copyright and intellectual property infringements have resulted in increased support of law enforcement. The forthcoming amendments will be of interest to both individuals and organizations as future law changes will impact the policy and procedures of businesses in the context of liability to customers.


Google Announces Modification to First Click Free Program

Google has announced changes to the First Click Free program that allows publishers, whose search results appear in Google searches, to limit the amount of free content access to users. Previously, the feature allowed users to access pages the first time, but subsequent clicks on the site would bring up a registration page. The program update allows site owners to limit the number of free clicks allowed per day. As a result, users may still receive five free clicks on a given site per day, but on the sixth click, the user may be presented a registration or subscription page.
Read More 
Additional Information 

IntelliShield Analysis: Google has long combated the phenomenon of cloaking, which means to present different pages to the user than what the web crawler found. Although Google differentiates between the new First Click Free features and cloaking, the practice can be seen as deceptive. Even though publishers may flock to the model, users may resent the additional controls. Search engine users may purposefully avoid subscription content that is labeled in search results. However, the model could allow content owners greater control over access to their content from referrers.


Tools Emerging to Correlate Open-Source Intelligence

Open-source intelligence (OSINT), which is the collection and analysis of information from public sources, has long been supported by custom tools and techniques. In the past few years, powerful and readily available commercial tools have been emerging and improving to bring OSINT to individuals and organizations with more modest budgets. These tools map the connections between identifying pieces of data, like IP addresses, e-mail addresses, names, phone numbers, aliases, and more. From that, users of these tools can easily see relationships that are not obvious from raw or diffuse data.
Read More 
Additional Information

IntelliShield Analysis: Some experts are concerned that the proliferation of social networking and digital traces will allow attackers, who are armed with these tools, to more easily and accurately target victims. The Electronic Frontier Foundation recently brought suit against the United States government to determine how the government is exercising its capabilities for OSINT regarding surveillance of public social networks. Individuals and organizations will be increasing their digital footprints; awareness of these tools and their capabilities can help organizations to understand the risks that could accompany their use. Targeted spam, even directed spear phishing or other social engineering, could occur more easily if an attacker has a wealth of OSINT about their target.


There was no significant activity in this category during the time period.


Iran Crackdown Broadens Through Social Media

An Iranian prison torture whistle blower died after eating a poisoned salad in early November. Stories of this sort that detail the political crackdown in Iran following disputed presidential elections this summer are disturbing, but not unique. However, the Wall Street Journal last week reported that an Iranian-American living in the United States received an ominous email saying that his relatives in Tehran would be harmed if he continued to criticize the regime on his Facebook page. Shortly thereafter, he learned that his father, who lives in Tehran, had been arrested. During the arrest, his father was told that his son could not safely return to Iran. According to the Journal, the incident appears to be part of a larger crackdown by the regime in Tehran against the Iranian diaspora.
Read More 
Additional Information

IntelliShield Analysis: Faced with a major political crisis, the regime in Tehran may have reached the conclusion that maintaining control requires quieting the global conversation taking place on social media and electronic communications. The information revolution has made it easier for individuals to make their voices heard, but has also made it easier for these individuals to be identified and intimidated. It appears that the realm of social media will become a familiar arena for repressive regimes to identify, track, and pressure activists regardless of geographical location. For information security specialists, this incident may raise brand protection concerns if a service provider is accused of failing to take reasonable steps to protect its customers from this sort of intimidation.

Upcoming Security Activity

Cisco Annual Security Report 2009: December 8, 2009
Black Hat DC: January 31–February 3, 2010

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Copenhagen Climate Change Summit: December 7–18, 2009
Hanukkah: December 11, 2009
Christmas: December 25, 2009
New Year's Day: January 1, 2010

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.

Back to Top