Cyber Risk Report

August 24–30, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activities were typical during the past week. None of the reported vulnerabilities were particularly notable.

IntelliShield published 100 events last week: 42 new events and 58 updated events. Of the 100 events, 82 were Vulnerability Alerts, five were Security Activity Bulletins, five were Threat Outbreak Alerts, six were Security Issue Alerts, one was an Applied Mitigation Bulletin and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day Date New Updated Total
Saturday 08/29/2009 0 4 4
Friday 08/28/2009 4 11 15
Thursday 08/27/2009 13 13 26
Wednesday 08/26/2009 12 6 18
Tuesday 08/25/2009 7 14

21

Monday 08/25/2009 6 10

16

Weekly Total 42 58 100

 

Previous Alerts That Still Represent Significant Risk

Microsoft Visual Studio Active Template Library Uninitialized Object Vulnerability
IntelliShield Vulnerability Alert 18725, Version 9, August 27, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-0901

Microsoft Visual Studio Active Template Library contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has released a security bulletin and software updates to address the Microsoft Visual Studio Active Template Library uninitialized object vulnerability in Microsoft Windows.

Microsoft Windows Video msvidctl ActiveX Control Code Execution Vulnerability
IntelliShield Vulnerability Alert 18595, Version 9, August 11, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-0015

Microsoft Windows XP SP3 and prior and Windows Server 2003 SP2 and prior contain a vulnerability in the msvidctl ActiveX Control that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has released an additional security bulletin and software updates to address the Microsoft Windows video msvidctl ActiveX control code execution vulnerability.

Linux Kernel sock_sendpage() Local Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 18847, Version 4, August 29, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-2692

The Linux Kernel versions 2.4 through 2.6.30.4 contain a vulnerability that could allow an unprivileged, local attacker to execute arbitrary code with elevated privileges or cause a denial of service condition. Stable updates are not available currently. Proof-of-concept exploit code is publicly available.

ISC BIND Dynamic Update Remote Denial of Service Vulnerability
IntelliShield Vulnerability Alert 18730, Version 9, August 25, 2009
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2009-0696

ISC BIND contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. Apple and Novell have released security advisories and updated software to address the ISC BIND dynamic update remote denial of service vulnerability.

Microsoft Office Web Components ActiveX Control Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 18633, Version 5, August 12, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-1136

Microsoft Office Web Components contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. This vulnerability is due to an unspecified error in the Office Web Components ActiveX control. Reports indicate that exploits of this vulnerability are ongoing. Additional technical information is available to detail the Microsoft Office Web Components ActiveX control arbitrary code execution vulnerability.

Microsoft Windows DirectShow QuickTime Media Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 18366, Version 3, July 14, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-1537

Microsoft Windows DirectShow contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has indicated that limited, active attacks are occurring. Microsoft has released an update that corrects this vulnerability.

Microsoft Internet Information Services WebDav Unicode Processing Security Bypass Vulnerability
IntelliShield Vulnerability Alert 18261, Version 3, June 9, 2009
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-1535

Microsoft Internet Information Services (IIS) versions 5.0, 5.1, and 6.0 contain a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and access sensitive information. The vulnerability is due to improper processing of Unicode characters in HTTP requests. An exploit could allow the attacker to bypass security restrictions and download arbitrary files from the targeted system. Exploit code is available. Microsoft has confirmed this vulnerability in a security bulletin and released software updates.

Worm: W32/Conficker.worm
IntelliShield Malicious Code Alert 17121, Version 18, April 9, 2009
Urgency/Credibility/Severity Rating: 4/5/3

W32/Conficker has changed its command-and-control communications methods and begun to download malicious files to infected systems. Conficker has now changed from malicious code that infects vulnerable systems to an operational botnet. Conficker is expected to continue to infect vulnerable systems, change command-and-control communication, and download additional malicious files to the infected systems.

Physical

Centers for Disease Control and Prevention Skeptical of White House Advisory Panel H1N1 Report

The Council of Advisors on Science and Technology released a report earlier this month to brief President Obama on preparations for H1N1 and the coming flu season. In the report, the panel estimated that up to 90,000 deaths may occur, 1.8 million people could be hospitalized, intensive care resources could be used to capacity, and up to half of the U.S. population could be infected by this winter season. This week the Center for Disease Control (CDC) commented on the report, suggesting that the statistics reflect a pessimistic perspective of the possible scenarios. Marc Lipsitch, one of the experts who helped prepare the report, admitted that the latest calculations had not been completed before the report was released. Doctor Harold Varmus, a chairman of the panel, defended the report, however, saying that many people are largely ignoring the threat, believing that the pandemic may be over.
Read more
H1N1 report

IntelliShield Analysis: The CDC is known as having the broadest range of experience on tracking influenza pandemics, so their comments should be seriously regarded. However, current polls indicate that many people may not be concerned enough about the pandemic to take any precautionary steps. The current vaccine is not expected to be released until just before mid-October, when the highest rate of infection is expected to occur at mid-October. A cautious position between complacency and extreme precaution may be the safest approach. As students return to school, the number of infections wills most likely increase. Organizations are encouraged to review their health-policy plans with employees prior to the flu season.

Legal

Anti-Spam Company Files Lawsuit, Attempts to Gain Information on Fraudsters

Citing the CAN-SPAM Act, anti-spam company Unspam Technologies is filing a lawsuit against a number of companies in an attempt to acquire information about attackers who have used fraudulent methods of stealing money from banks. The lawsuit seeks to obtain compensatory and punitive damage against unnamed attackers, so-called John Does. The company hopes to correlate the unreleased information about the John Does and potentially identify attack patterns or even identify the attackers. Read more

IntelliShield Analysis: Currently banks do little to reveal the methods used by attackers to break into users' accounts. Unspam is trying to obtain information about these types of attacks in an attempt to identify better ways to defend against and perhaps prevent the attacks. It is unclear if the banks will voluntarily provide this information to a company like Unspam; however, the motives behind the lawsuit may raise awareness among those organizations that are named in the lawsuit. Banks and other organizations that are targeted in these types of attacks may need to pay close attention to these types of lawsuits, because they may influence future incident responses.

Trust

FS-ISAC Warns Banks About Hacking Threats Against Small Businesses

The Financial Services Information Sharing and Analysis Center (FS-ISAC) is an information-sharing partnership designed to communicate physical and cyber threats to the financial services industry. The FS-ISAC recently released a notice to financial services firms suggesting that they implement consumer-style controls on small business wire transfers. The notice is in response to increasing activity of cyber fraud being perpetrated against small businesses, which currently lack many of the protections available to consumers. Consumers have 60 days to report fraudulent activity, whereas commercial customers have two days. Similarly, banks have not applied the same technical detection mechanisms to commercial accounts that spot fraud among consumers. Read more

IntelliShield Analysis: Criminals are quick to notice areas where they can get the most return for the least amount of effort. This trend of increasing fraud against small businesses is not necessarily an indication of criminals taking notice, however. The problem in this situation rests more with customers who have little recourse under a shortened time window, than with the criminals whose major benefit is the potential for larger accounts from which to steal. Small organizations, and those businesses that provide services to them, such as the banks the FS-ISAC notified, need to understand the risks inherent to their industry. Ensuring stronger procedural and electronic controls on wire transfers, as well as the potential relaxation of commercial requirements to more closely match consumer requirements, will reduce the impact of fraud on underprepared small businesses.

Identity

Counterfeiting Concerns Force Manufacturing Relocation

The owner of Farouk Systems Inc. moved outsourced manufacturing operations to a new location in Houston, Texas. A manufacturer of hair care products, Farouk Systems previously employed outsourcing to produce appliances outside of the United States. However, after spending millions of dollars combating counterfeit products the company has relocated appliance manufacturing back to the United States, where closer quality control can be achieved. Read more

IntelliShield Analysis: Counterfeiting remains a problem in outsourced manufacturing as well as in computer software and hardware production. The use of counterfeit electronic components can be especially dangerous, especially in high availability or mission-critical applications. While consumers may believe a new piece of hardware is genuine, it may be a counterfeit, and the hardware may perform poorly or with less reliability. Additionally, when problems arise with counterfeit hardware, the company's brand and reputation for quality may suffer as well.

Businesses should adhere to stringent hiring practices and institute strong physical security protection to prevent the loss of confidential information. Combating counterfeiting can be costly, and the solution in some cases may be to accept higher initial production costs to reduce the theft of designs and the copycat products of unauthorized production. Businesses should also be careful when purchasing to ensure the authenticity of goods.

Human

U.S. Federal Trade Commission Shuts Down Deceptive Web Sites

The U.S. Federal Trade Commission (FTC) announced the shutdown of a number of websites that tricked American consumers with offers of assistance to obtain "free government grant money" through a product called Grant Connect. The websites featured photos of U.S. President Barack Obama, Vice President Joe Biden, and the American flag, deluding many customers into thinking that the websites and the product were affiliated with the U.S. government. The FTC called the product "outdated, useless," and "worthless" information. Charges against the companies responsible for the websites include the use of bogus testimonials, failure to disclose the actual cost of the product, bundling multiple products with the primary product without adequate disclosure, and debiting customers' bank accounts on a recurring basis without permission. Read more

IntelliShield Analysis: During an economic downturn, consumers may be especially susceptible to social engineering ploys that convey trustworthiness with familiar images and promises of easy money. Grant Connect's patriotic images were captioned "CHANGE Is Here! $15 BILLION in FREE Government MONEY for you!" The shutdown of the "free government grant money" websites is a positive step toward consumer protection; however, the propensity for consumers to fall victim to social engineering tactics and to trust offers of 'free money' virtually assures future, similar scams. Organizations should also be on guard against the use of their brands, trademarks, or likenesses in similar schemes.

Geopolitical

CCTV Cameras Said to Provide Little Help to Law Enforcement

According to an internal London police report leaked to the BBC, closed-circuit television (CCTV) surveillance cameras helped solve around one out of every 1,000 crimes in London last year. British MPs and private citizens reacted angrily, citing the expense and diversion of police resources, as well as the invasion of privacy, caused by the United Kingdoms aggressive surveillance program. Police officials were less eager to do away with the program, pointing to the many crimes and terrorist investigations that have been aided by the cameras.
Read more
Additional Information

IntelliShield Analysis: With better than a half-million surveillance cameras, London may be the most heavily-surveilled city in the world, but it is not the safest. Indeed, numerous studies in a variety of countries have shown that CCTV cameras are ineffective at solving crimes. They are too easily disabled, used for blackmail by staging events in front of a camera, too difficult to identify individuals in the frequently low-quality or low-light images, and incidents revealed in real-time often cannot be responded quickly enough to prevent the crime or apprehend the perpetrator. CCTV cameras are widely unpopular, with much press coverage of incidents of snoopers watching bedroom windows or tracking the private activities of famous persons. Information security specialists may wish to weigh the costs against the benefits when considering the scope and use of CCTV cameras within the enterprise.

Upcoming Security Activity

ASIS International 55th Annual Seminar and Exhibits: September 21-24, 2009
G20 Summit, Pittsburgh, PA, U.S.: September 24–25, 2009
National Cyber Security Awareness Month: October, 2009
Hack In The Box Malaysia 2009: October 5–6, 2009
CSI2009 Annual Conference: October 24–30, 2009

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Ramadan: August 21–September 19, 2009
Rosh Hashanah: September 18, 2009
Yom Kippur: September 27, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.

Back to Top