Cyber Risk Report

November 9–15, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.


Vulnerability and threat activity were elevated during the period, primarily due to security updates from Microsoft and Apple. The anticipated Microsoft Tuesday monthly Security Update release was preempted by Apple's release of two security advisories that addressed more than 58 vulnerabilities in Mac OS X 10.5.8 and 10.6.1, the Safari browser, and QuickTime. This is the third time in 2009 that Apple has released advisories that address more than 50 vulnerabilities. Users of Mac systems and Windows users of Safari and QuickTime are advised to ensure they update to the latest versions to avoid system and web-based attacks.

The Microsoft Security Update for November included six bulletins that addressed 15 vulnerabilities. Since the release, four of the vulnerabilities have been identified as having a high potential for exploitation and attacks. The Microsoft bulletins MS09-063, MS09-065, MS09-067, and MS09-068 all present elevated risk of system and web-based exploits. No exploits of these vulnerabilities have been identified as active on the Internet, although the technical aspects of the vulnerabilities indicate a high risk for exploits. Details of the vulnerabilities are available on the Cisco Security Intelligence Operations web site.

Additional vendors released advisories related to the previously reported Sun Java Runtime Environment (JRE) vulnerabilities. Because of the heightened exploitation of Java vulnerabilities from web-based attacks, users are advised to update their Java environments and versions.
IntelliShield published 170 events last week: 74 new events and 96 updated events. Of the 170 events, 134 were Vulnerability Alerts, 17 were Security Activity Bulletins, 12 were Security Issue Alerts, three were Threat Outbreak Alerts, three were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day Date New Updated Total
Friday 11/13/2009 2 10 12
Thursday 11/12/2009 13 27 40
Wednesday 11/11/2009 15 14 29
Tuesday 11/10/2009 33 27 60
Monday 11/09/2009 11 18 29
Weekly Total 74 96 170


Significant Alerts for November 9–15, 2009

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 7, November 13, 2009
Urgency/Credibility/Severity Rating: 2/5/3

Multiple TLS implementations contain a vulnerability when renegotiating a Transport Layer Security (TLS) session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Multiple vendors have released updates to correct this vulnerability. Proof-of-concept code that exploits this vulnerability is publicly available.

Previous Alerts That Still Represent Significant Risk

Gumblar Malicious Code Adopts Additional Exploit Methods
IntelliShield Vulnerability Alert 19237, Version 1, October 20, 2009
Urgency/Credibility/Severity Rating: 3/4/3

Reports indicate additional activity related to the Gumblar malicious code.

Microsoft Windows SMB2 Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 19000, Version 7, October 13, 2009
Urgency/Credibility/Severity Rating: 3/5/4

Microsoft Windows Vista SP2 and prior and Windows Server 2008 contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code. Microsoft has released a security advisory to address the Microsoft Windows SMB2 remote code execution vulnerability. Microsoft has released a security advisory and updated software to address the Microsoft Windows SMB2 remote code execution vulnerability. Functional exploit code is publicly available.

Microsoft Internet Information Services FTPd Remote Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 18951, Version 5, October 13, 2009
Urgency/Credibility/Severity Rating: 2/5/4

Microsoft IIS versions 5.0, 5.1, and 6 contain a vulnerability in the FTPd service that could allow an authenticated, remote attacker to cause a DoS condition or execute arbitrary code with elevated privileges. Microsoft has released a security bulletin with software updates to address the Microsoft Internet Information Services FTPd remote buffer overflow vulnerability.

Microsoft Visual Studio Active Template Library Uninitialized Object Vulnerability
IntelliShield Vulnerability Alert 18725, Version 12, November 5, 2009
Urgency/Credibility/Severity Rating: 2/5/4

Microsoft Visual Studio Active Template Library contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has released a security bulletin and software updates to address the Microsoft Visual Studio Active Template Library uninitialized object vulnerability in Microsoft Windows.

Microsoft Office Web Components ActiveX Control Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 18633, Version 6, October 12, 2009
Urgency/Credibility/Severity Rating: 3/5/4

Microsoft Office Web Components contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. This vulnerability is due to an unspecified error in the Office Web Components ActiveX control. Reports indicate that exploits of this vulnerability are ongoing. Additional technical information is available to detail the Microsoft Office Web Components ActiveX control arbitrary code execution vulnerability. IntelliShield has re-released this alert to clarify the availability of software updates.


Brazil Power Blackouts

In Brazil, President Luiz Inacio Lula da Silva ordered an investigation to determine an official explanation for a grid failure that left 18 of the country's 26 states without electricity and water for several hours. The blackout caused chaos in major cities as traffic lights failed, commuter trains stopped, and opportunistic criminals engaged in street crime during the confusion. Including neighboring Paraguay, more than 60 million people were affected by the power outage. The blackout has been blamed variously on bad weather, a fault at the Brazil's Itaipu hydro-electric dam, poor transmission lines, inadequate infrastructure, and even cyber sabotage. Read More

IntelliShield Analysis: Brazil's energy sector struggles to meet the country's day to day energy demands and a blackout of this magnitude raises issues over Brazil's readiness to host Olympic games in 2016. As rapidly growing economies propel Brazil, Russia, India, and China into global prosperity, the lack of critical modern infrastructure in these emerging markets becomes more apparent. Until investment in infrastructure allows capacity to meet the growing urban demand, physical security will be a potential hostage to utility failures, power outages, and natural disasters. Companies doing business in these markets are advised to keep continuity plans up to date to ensure employee safety and minimize disruption to the supply chain.


European and United States Anti-trust Commissions Disagree over Oracle-Sun Merger

The European Commission is objecting to the proposed merger of Sun Microsystems and Oracle Corporation on the grounds that the merger would give Oracle a monopoly in database technology. The basis for the complaint is that Oracle, the market leader in commercial-grade databases, would acquire MySQL with Sun Microsystems, the market leader in open source databases. The United States (U.S.) Department of Justice approved the merger in August 2009.
Read More 
Additional Information
Additional Information

IntelliShield Analysis: The proposed acquisition of Sun Microsystems by Oracle Corporation would give Oracle ownership of both Oracle databases and MySQL databases. Oracle has argued that the acquisition does not create a monopoly because the two databases do not compete directly against one other. Oracle databases are used in high-end business applications. MySQL is used in smaller-scale applications, and is commonly used in Internet applications such as web logs and message forums. Further, MySQL is an open source application, so Oracle does not exert full control over it. Oracle sees MySQL as an application that could be used as a bridge to users of Oracle Database Server, if a user's need for a more industry-strength database server comes about. The European Commission has not accepted these arguments, and a fight is brewing over the issue that could cause an increase in tensions over other U.S.-EU trade and regulatory issues. If Oracle were to agree to spin off MySQL, then it seems likely the merger deal would go through. However, Oracle is known for playing hardball in business and may put up a major fight, extending the debate and tensions.


Digital Forensics Key to Trusting Evidence

Facebook made headlines recently when a status update and its timestamp were used to exonerate a suspect in a crime. In other news on digital evidence, the Associated Press released the results of an investigation into the prevalence of computer viruses being linked to child pornography cases. Viruses are being used to store child pornography on unsuspecting victims' systems. The systems are then remotely accessed by pedophiles who can view the material without having it stored on their own systems.
Read More
Additional Information

IntelliShield Analysis: Digital forensics and legal evidence are essential and complicated subjects for businesses to address. In issues such as child pornography, where the mere presence of material stigmatizes the suspect and is punishable by law, the capability to prove or disprove guilt is substantial evidence. Businesses need to prepare to defend themselves if systems are infected with such viruses, or if employees are caught with illegal material and then claim such a virus or similar software as a defense. As with the Facebook case, it is important to remember that when evidence is present, it isn't always immediately clear whether the primary user of a computer or an account is to blame. Establishing incident response procedures to preserve and protect evidence, employees, and the business are essential to minimizing the risk to all.


RBS Bank Card Global Hacking Scheme

Several members of an international crime ring displayed an extraordinary amount of planning and coordination by robbing an Atlanta-based bank card processor (RBS WorldPay) of more than US$9 million in less than 12 hours. Not only were the criminals able to identify and subsequently exploit a vulnerability that existed in the RBS WorldPay network, but they took advantage of this access to obtain enough information to illegally make ATM withdrawals at more than 2,000 locations around the world, siphoning money from multiple bank accounts. In much the same way that the withdrawals were performed in a coordinated and swift fashion, so too were the actions taken by both RBS WorldPay and international law enforcement officials in successfully identifying, apprehending, and bringing to justice the crime ring members behind the operation. Read more

IntelliShield Analysis: This event is notable because it highlights the advances made in terms of technical and organizational abilities with regard to network hacking and the subsequent identification and prosecution of those involved in the illegal hacking of public and private networks. Those charged with the crime apparently spent a great deal of time planning the attack because they were able to make off with over US$9 million dollars in just under 12 hours, coordinating the action with several individuals around the globe. The event is also a great example of how multiple groups working together (in this case, the victims and local and federal authorities around the world) can effectively use technical skills and legal actions to bring miscreants to justice and, hopefully, make others think twice before attempting similar acts.


Amid Privacy Concerns, Users Give Data Away

New initiatives in the United Kingdom (U.K.) to store telecommunications and census data, an upcoming census in the United States (U.S.), and the exposure of data on social networking sites to scammers has driven increased public discussion regarding necessary protections on personally identifiable information. Increasingly, social website users, business customers, and ordinary citizens demonstrate a near-total willingness to freely provide personal data with little consideration for how the data may be used or transferred. This cultural shift continues as more users join social networks and supermarket buyers' clubs, trading privacy and personal data for friends lists, discounts, and convenience.
Read More 
Additional Information

IntelliShield Analysis: Despite a rise in legislation and regulatory requirements aimed at protecting personal and sensitive information, users continue to freely provide sensitive data that can be used against them online. Businesses, both legitimate and unscrupulous, are making use of the willingness of users to give away personal data. Unethical advertisers can use the information as part of social engineering tactics to make users believe that advertisements look like messages from known parties. Users can be targeted by scammers with ads that appear believable and trusted. Data collected by companies about their customers, and then lost, continues to be a contributing factor to identity theft. To combat ongoing fraud and scams, social website users must carefully consider the data they provide about themselves online. Many applications on social websites require access to the user's profile information, photos, and postings to use the application, opening the users to the spread of personal data. Businesses must continue to educate their employees on safe usage of social networking, specifically where the exposure of business-related information may be at risk.


Obama's Asia Trip is a Reminder of Changing World Order

U.S. President Obama's ongoing nine-day visit to Asia includes stops in Japan, Singapore, Shanghai, Beijing, and Seoul. His most closely-watched stop is taking place now in China (November 15-18), where bilateral relations have been damaged by protective trade measures taken by both sides in response to the global economic slowdown. Observers expect topics of discussion in China to coalesce around exchange rates, Iran, trade, and the upcoming climate summit in Copenhagen. President Obama is expected to play up his personal background in Asia, including childhood years in Hawaii and Indonesia. In addition to hard bilateral issues at every stop, Obama will likely face pressure to provide reassurances of his commitment to trade liberalization and globalization, a tricky task given that he faces even greater pressure at home to protect U.S. jobs.
Read more 
Additional Information  
Additional Information

IntelliShield Analysis: For information security professionals, Obama's Asia visit highlights both short-term tactical considerations and longer-term trends. From a tactical perspective, public emotions toward U.S. policies may run high this week, leading to short-term threat spikes to physical assets and electronic networks identified with well-known Western brands. From a longer term perspective, the U.S. administration's devotion of nine days of the President's time to an Asia tour highlights the region's rising importance as a demographically young, rapidly growing economic powerhouse. Indeed, Asia's youthful enthusiasm for the Internet and cell phones will likely drive product development and sales growth for many multinationals in the future. Information security specialists may wish to monitor legal developments such as India's new telecommunications law and China's draft telecoms law. They may also want to watch user trends, such as the rapidly expanding use of cell phones in developing countries for financial transactions, to manage risk.

Upcoming Security Activity

Interop New York: November 16–20, 2009
Black Hat DC: January 31–February 3, 2009

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

The Hajj: November 25–30, 2009
Copenhagen Climate Change Summit: December 7–18, 2009
Hanukkah: December 11, 2009
Christmas: December 25, 2009
New Year's Day: January 1, 2010

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.

Back to Top