Cyber Risk Report

January 7–13, 2007

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.


The number of vulnerabilities and threats reported by IntelliShield analysts during the time period corresponded to the high activity levels reported for December 2007. Microsoft released two security bulletins that addressed three previously undisclosed vulnerabilities. IntelliShield analysts identified the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) code execution flaw in the Microsoft Windows kernel as having the most damaging potential impact and detailed this vulnerability in IntelliShield Alert 14854. An attacker could exploit this vulnerability to execute arbitrary code, potentially gaining complete control of the affected system. Because this is a vulnerability in the processing of multicast packets, an attacker in the proper position could compromise or deny service to a large number of machines with a single attack.

Proof-of-concept code is available for the yaSSL library buffer overflow vulnerability in precompiled versions of MySQL. This vulnerability, which is detailed in IntelliShield Alert 14890, could allow an attacker to access files or resources hosted on the MySQL server. This vulnerability can be exploited on systems that run MySQL and are configured to use the yaSSL library. Administrators should contact their MySQL vendor to determine whether a patch is necessary.

In malicious code activity, the Storm worm, which is described in IntelliShield Alert 14009, is actively conducting phishing attacks. The Storm botnet is reportedly being used to run phishing scams against customers of the Barclays and Halifax banks. Sources indicate that thousands of phishing e-mails have been sent in an attempt to steal customer account information. This type of attack will likely increase in upcoming months.

Trojan.Mebroot, described in IntelliShield Alert 14911, infects the Master Boot Record (MBR) by installing itself in the bootable section of the system's hard drive. The trojan modifies the Windows kernel and installs a rootkit in order to make detection extremely difficult for security software. By infecting the MBR of the hard drive, the trojan can completely control the operating system, making Trojan.Mebroot a very serious threat.
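A defender-side illustration of the MBR infection described above, added here as an example and not taken from the report or from any Cisco tool: sector 0 of a disk holds 446 bytes of bootstrap code, a 64-byte partition table, and the 0x55AA boot signature. An MBR bootkit replaces the bootstrap code while leaving the partition table intact so the system still boots. Recording a SHA-256 of the bootstrap area and a copy of the partition table on a known-good machine, then comparing a later read of sector 0 against that baseline, detects that replacement without relying on the running operating system's view of its own kernel. The two MBR images below are constructed inline for the example; they are not real disk contents.

```python
"""Baseline-and-compare check for the Master Boot Record (MBR).

Added example, not from the original report. The sample MBR images are
constructed in build_sample_mbr() and tampered_copy(); they are not real
disk images.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 446            # bytes 0..445: bootstrap code, where a bootkit lives
PARTITION_TABLE_OFF = 446      # bytes 446..509: four 16-byte partition entries
PARTITION_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def parse_partition_table(mbr: bytes) -> list:
    """Return the four partition entries as dicts (status, type, LBA start, sector count)."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + i * PARTITION_ENTRY_LEN
        # layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4), little-endian
        status, ptype, lba_start, sectors = struct.unpack(
            "<B3xB3xII", mbr[off:off + PARTITION_ENTRY_LEN])
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def bootstrap_digest(mbr: bytes) -> str:
    """SHA-256 of the bootstrap code area only (the part a bootkit overwrites)."""
    return hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest()


def make_baseline(mbr: bytes) -> dict:
    """Record what a known-good sector 0 looks like; store this off-host."""
    return {"bootstrap_sha256": bootstrap_digest(mbr),
            "partitions": parse_partition_table(mbr)}


def check_mbr(mbr: bytes, baseline: dict) -> list:
    """Compare a freshly read sector 0 against the baseline; return a list of findings."""
    if len(mbr) != MBR_SIZE:
        return ["sector 0 is not 512 bytes"]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if bootstrap_digest(mbr) != baseline["bootstrap_sha256"]:
        findings.append("bootstrap code differs from baseline")
    if parse_partition_table(mbr) != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed known-good MBR: dummy bootstrap code and one bootable NTFS-type partition."""
    bootstrap = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (BOOTSTRAP_LEN - 5)
    part1 = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00",
                        2048, 204800)
    table = part1 + b"\x00" * (PARTITION_ENTRY_LEN * 3)   # three empty entries
    return bootstrap + table + BOOT_SIGNATURE


def tampered_copy(mbr: bytes) -> bytes:
    """Constructed 'infected' MBR: bootstrap replaced, partition table and signature kept."""
    new_bootstrap = b"\xeb\x58\x90" + b"\xcc" * (BOOTSTRAP_LEN - 3)
    return new_bootstrap + mbr[BOOTSTRAP_LEN:]


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = make_baseline(good)
    print("clean MBR findings:   ", check_mbr(good, baseline))
    print("tampered MBR findings:", check_mbr(tampered_copy(good), baseline))
```

On a real system the 512 bytes would come from a raw read of the disk's first sector, taken from a trusted environment such as a boot CD rather than from the possibly compromised operating system, since the rootkit component the report describes exists precisely to hide such modifications from software running on the infected host. The baseline must be stored off the machine for the same reason.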

IntelliShield published 148 events last week: 44 new events and 104 updated events. Of the 141 events, 132 were Vulnerability Alerts, four were Security Issue Alerts, four were Daily Malicious Code Summaries, three were Applied Mitigation Bulletins, two were Malicious Code Alerts, two were Security Activity Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date        New   Updated   Total
Friday        1/11/2008    11         9      20
Thursday      1/10/2008     9        40      49
Wednesday     1/9/2008      7        35      42
Tuesday       1/8/2008     10         7      17
Monday        1/7/2008      7        13      20
Weekly Total               44       104     148



Military Data on Portable Drive Forgotten at Swedish Library

A Swedish Armed Forces staff member left a portable drive containing classified information plugged into a public computer at a Stockholm library. The device was delivered to a Swedish news agency by an unidentified person, and the news agency turned the USB drive over to the Swedish military. The portable drive is said to have contained military information, including a classified United States (U.S.) intelligence report.

IntelliShield Analysis: The Swedish Armed Forces may learn several lessons about portable drive security from this incident, including the need to encrypt sensitive documents in transit and in storage, to enforce data protection policies, and to review the acceptable use of portable storage devices. One of the more important factors in this case may be the presence of classified foreign intelligence on the drive. Many administrative and technical controls can protect data that is under an organization's control, but when that data is shared with partners, subcontractors, and other outsiders, control can be lost. Organizations should ensure that appropriate data classification, transit, storage, and dissemination policies are in place to limit the loss of information through trusted (but perhaps careless) partners.


Prolific Spammers Accused of Stock Fraud

The United States (U.S.) Federal Bureau of Investigation (FBI) has indicted 12 individuals from the U.S., Canada, and Russia for fraud and manipulation of Chinese stock prices. The indictment charges that the defendants sent tens of millions of e-mails that defrauded the recipients and inflated the prices of Chinese penny stocks. Spam-related indictments include accusations that the defendants used misleading subject lines and sender names to convince victims to purchase the stocks, and used multiple domain names to hide the origins of the e-mails and the identities of the senders.

IntelliShield Analysis: The U.S. government continues to pursue scammers that profit monetarily from spam e-mail. If convictions are attained by this effort, the U.S. must still ensure that the penalty creates a net loss for the spammers. Compared to profits estimated at US$3 million that were generated by a single spammer over a few months during 2005, a fine in the range of US$250,000 will surely fail to make a significant impact on cyber criminals.


Questions Raised Over Boeing 787 Design

The United States (U.S.) Federal Aviation Administration (FAA) has published a report citing concerns that the computer network contained within the Boeing Dreamliner's passenger compartment may be connected to the plane's critical systems, including navigation and maintenance systems. Boeing has responded with a statement saying the company was unaware of any actual vulnerabilities and that airgaps and firewall devices were being included.

IntelliShield Analysis: This story demonstrates the quick pace of the information industry and the need for engineers to be vigilant in identifying the common security issues that arrive when new technologies are adopted into existing systems. Safety engineers must take into consideration new issues that may be introduced. The FAA's report does not explicitly state that it has identified any issues, but reads more as a warning on how state-of-the-art networks interact. Boeing has not released much information, but the adoption of airgaps and firewalls seems to be more of a marketing spin, because airgaps would eliminate the need for firewalls. Even if Boeing guards against vulnerabilities, concern remains over the way different components could respond in a failure or error. The FAA, through the report, is simply demanding proof that the current design is secure. If Boeing is able to provide sufficient evidence of security, the plane should reach production on time. More security issues can be expected as the transportation industry continues to adopt additional technologies.


EDS Prints Social Security Numbers on Mail Labels

The Electronic Data Systems (EDS) Corporation printed the Social Security numbers (SSNs) of an estimated 260,000 persons enrolled in Wisconsin's Medicaid, SeniorCare, and BadgerCare services on mailing labels. In early January 2008, the Wisconsin State Department of Health and Family Services (DHFS) requested that a mailing be sent to approximately 485,000 recipients. EDS printed the address labels along with the SSN of each member. The DHFS is asking EDS to send explanation letters to the affected members along with one year of free credit monitoring.

IntelliShield Analysis: The incident raises questions regarding the EDS Corporation and how it failed to notice that the SSNs of 260,000 people were being printed on the mailing. This is the second incident involving Wisconsin's DHFS; in December 2006, the agency disclosed the SSNs of 171,000 taxpayers in Wisconsin via address labels. Further controls should be implemented to prevent sensitive information from appearing on mailing address labels, websites, or any other public space. A final check on electronically printed material during day-to-day operations could prevent misprints and ensure proper data security for both organizations and the general public.


British Columnist Invites Identity Theft

After the theft of CDs containing personal information from 25 million United Kingdom residents, Jeremy Clarkson, a car enthusiast, newspaper columnist, and television celebrity, wrote a column stating that the massive protest over the event amounted to a "storm in a teacup." To prove his point, Clarkson posted his bank account information and a reference on how to obtain his address. The columnist has since published a column reporting that someone had made an unauthorized direct deposit from Clarkson's bank account to the British Diabetic Association.

IntelliShield Analysis: Clarkson's hope was to calm the public outcry centered around the computer CDs lost in the U.K. While his intentions may have been admirable, his conclusions were flawed. A reader of his column demonstrated what could be done with the information that Clarkson posted, and the reader seems to have specifically chosen a charity that does not require a signature to use a direct debit service. Clarkson was correct in saying that consumers put a great deal of information into the public forum when doing business, but the method he chose to make his point was an invitation to be exploited.


Unrest in Pakistan and Kenya Highlights Emerging Market Risks

In Pakistan, 2008 thus far has seen the continuation of street protests, suicide bombings, and Taliban insurgency in the northwest. Although Pakistan has in recent years become a promising destination for cost-effective, high-tech outsourcing, recent events have given Western investors pause. Most analysts believe that Pakistan's military will maintain control of the country in 2008, but it may be some time before foreign direct investment resumes. Similarly, in Kenya, continued social unrest in the wake of the late December 2007 reelection of President Kibaki not only threatens Kenya's economy, but casts a shadow over all of sub-Saharan Africa. Kenya had been seen as a role model of relative stability for other industrializing and democratizing African nations, many of which also face democratic elections in the next two years. In addition to damage to Kenya's tourism industry, Kenya's role as a distribution and transport hub for all of eastern Africa has been disrupted. With international mediation unsuccessful to date, the disruptions look likely to drag on, especially in light of the call for mass riots through the next week.

IntelliShield Analysis: The unrest in Pakistan and Kenya highlights for international investors the risks of investing in rapidly growing emerging markets. As the living standards and economic power of these and other emerging market economies grow, many of them will inevitably grapple with social upheaval as old systems are cast aside for the new. Western investors will have to assess the potential risks and benefits carefully, on a case-by-case basis, taking into account not only the threat of terrorist activity and social unrest, but also more subtle issues such as organized crime, corruption, and even state-sponsored economic espionage.

Upcoming Security Activity

Oracle Critical Patch Update: January 15, 2008
International Consumer Electronics Show: January 7–10, 2008
Microsoft Security Bulletin Update for January: January 8, 2008
Financial Cryptography and Data Security Conference: January 28–31, 2008
Shmoocon: February 15–17, 2008
Black Hat DC: February 18–21, 2008

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:
Carnival: February 2–5, 2008
Ash Wednesday: February 6, 2008
Chinese New Year: February 7, 2008

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
