
Cyber Risk Report

April 28–May 4, 2008

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Alert publication totals for April 2008 increased by almost 22 percent over those for the same period in 2007. Alert publication for 2008 to date is also up 23 percent compared to the first four months of 2007. After the relatively small increase in vulnerabilities and threats from 2006 to 2007, and annual increases that averaged 12 to 16 percent in the preceding years, 2008 may mark a change in vulnerability trends, with substantial increases over the previous year.

The release of security research that demonstrated exploitable vulnerabilities and a new kind of attack highlighted vulnerability activity during this past week. Independent security researchers continue to publish details regarding vulnerabilities that are associated with the Oracle Critical Patch Update for April 2008. From these details, IntelliShield analysts released alerts for three previously undisclosed vulnerabilities. Information about a new type of SQL injection attack that could affect Oracle users was also published during the time period. This new attack, which is described in IntelliShield Security Activity Bulletin 15760, could allow an attacker to inject arbitrary SQL code into functions and procedures that do not accept direct user input by modifying DATE-type and NUMBER-type variables. Currently, no Oracle packages or procedures have been identified as being vulnerable, but the affected variable types are widely used and often considered safe. Administrators should consider reviewing current Oracle installations to determine whether additional input validation may be necessary.
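As an added example (not from the report; DBA_SOURCE is a real Oracle view, while the ORDERS table and both procedures are constructed names), the review recommended above can start with a query that lists stored code assembling dynamic SQL by concatenation, followed by the pattern to look for, a DATE parameter spliced into statement text, beside the bind-variable form that keeps the value out of the statement entirely.

```sql
-- Added example, not from the report. Object names are constructed; the
-- review query needs SELECT privilege on DBA_SOURCE (or use ALL_SOURCE).

-- 1. Review aid: lines that concatenate (||) inside stored code that also
--    executes dynamic SQL. Every hit needs a human look: a concatenated
--    DATE or NUMBER is converted to text implicitly, under the calling
--    session's NLS_DATE_FORMAT or NLS_NUMERIC_CHARACTERS, not the procedure's.
SELECT s.owner, s.name, s.type, s.line, s.text
  FROM dba_source s
 WHERE s.type IN ('PROCEDURE', 'FUNCTION', 'PACKAGE BODY', 'TRIGGER', 'TYPE BODY')
   AND s.text LIKE '%||%'
   AND EXISTS (SELECT 1
                 FROM dba_source d
                WHERE d.owner = s.owner
                  AND d.name  = s.name
                  AND d.type  = s.type
                  AND (UPPER(d.text) LIKE '%EXECUTE IMMEDIATE%'
                       OR UPPER(d.text) LIKE '%DBMS_SQL.PARSE%'))
 ORDER BY s.owner, s.name, s.type, s.line;

-- 2. The pattern to look for. p_since is a DATE, not a string, so it is
--    usually considered safe, yet the statement text still depends on how
--    the session renders that DATE. This is the class the bulletin describes.
CREATE OR REPLACE PROCEDURE count_orders_since_unsafe (p_since IN DATE,
                                                        p_count OUT NUMBER) AS
  l_sql VARCHAR2(4000);
BEGIN
  l_sql := 'SELECT COUNT(*) FROM orders WHERE created_at >= '''
           || p_since || '''';
  EXECUTE IMMEDIATE l_sql INTO p_count;
END;
/

-- 3. Hardened form: the value travels as a bind, never as statement text,
--    so no implicit conversion occurs and session NLS settings cannot change
--    the SQL that runs.
CREATE OR REPLACE PROCEDURE count_orders_since (p_since IN DATE,
                                                 p_count OUT NUMBER) AS
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM orders WHERE created_at >= :since'
     INTO p_count USING p_since;
END;
/
```

Where a value must appear in the statement text (for example an object name), validate it explicitly, or for dates and numbers use TO_CHAR with a fixed format mask rather than relying on the implicit conversion.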

Independent security researchers have also announced a proof-of-concept video demonstrating an exploit of a previously undisclosed vulnerability in the Apple QuickTime media player. Reportedly, the vulnerability affects QuickTime for Windows, but other platforms may also be vulnerable. The researcher made the announcement public via a web page and a video that shows the exploit succeeding on fully updated Windows XP and Vista systems. As demonstrated in the video, an unauthenticated, remote attacker could exploit this vulnerability by convincing a user to view a malicious video file. Because the video shows the attacker launching common Windows utilities such as Notepad, Microsoft Paint, and Calculator, a successful exploit evidently allows the attacker to execute arbitrary code with the privileges of the user running QuickTime. If that user has administrative privileges, the attacker could completely compromise the system.

IntelliShield published 119 events last week: 40 new events and 79 updated events. Of the 119 events, 102 were Vulnerability Alerts, four were Security Issue Alerts, four were Security Activity Bulletins, four were Daily Malicious Code Summaries, four were Malicious Code Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Friday        05/02/2008     7        10      17
Thursday      05/01/2008     9         7      16
Wednesday     04/30/2008     8        15      23
Tuesday       04/29/2008     8        20      28
Monday        04/28/2008     8        27      35
Weekly Total                40        79     119


2007 Monthly Alert Totals

Month          New   Updated   Monthly Total
January        178       452             630
February       243       452             695
March          257       402             659
April          209       430             639
Annual Total   887     1,736           2,623


Previous Alerts That Still Represent Significant Risk

Oracle Critical Patch Update April 2008
IntelliShield Security Activity Bulletin 15676, Version 2, April 18, 2008
Urgency/Credibility/Severity Rating: 2/5/4

Oracle has released the Critical Patch Update advisory for April 2008. This update addresses a total of 41 vulnerabilities in Oracle products affecting Oracle Database products, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, and Oracle Siebel Enterprise products. Additional IntelliShield alerts that detail individual vulnerabilities will be released in the near future as technical details become available.

Microsoft Windows GDI File Name Parameter Vulnerability
IntelliShield Vulnerability Alert 15561, Version 4, April 24, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-1087

Microsoft Windows contains a vulnerability that could allow a remote attacker to execute arbitrary code with the privileges of the user. This vulnerability is currently being exploited in the wild by Trojan.Emifie, which is documented in IntelliShield Alert 15642. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

CA BrightStor ARCserve Backup ListCtrl ActiveX Control AddColumn() Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 15402, Version 3, April 11, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-1472

Multiple CA products contain a buffer overflow vulnerability that could allow a remote attacker to cause a denial of service condition or execute arbitrary code. Exploit code that allows for the execution of arbitrary code is available. Reports indicate that attackers are actively exploiting this vulnerability. To exploit this vulnerability, an attacker must rely on user interaction. An attacker may employ social engineering tactics to convince a user to visit a malicious website by using a browser, such as Internet Explorer, that supports ActiveX controls. CA confirmed the vulnerability in a security response, but updates are not available.

Microsoft Jet Database Engine Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 15469, Version 4, May 1, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-1092

Microsoft Jet Database Engine contains a vulnerability that could allow a remote attacker to execute arbitrary code on the affected system. This vulnerability is currently being exploited by malicious software. The vulnerability has been identified as being used by TROJ_MSJET.C, which is documented in IntelliShield Alert 15486, and Trojan.Acdropper.C, as described in IntelliShield Alert 10679. Microsoft has confirmed the vulnerability, but software updates are unavailable.

Apple Security Update 2008-002 Multiple Mac OS X and OS X Server Vulnerabilities
IntelliShield Security Activity Bulletin 15419, Version 1, March 18, 2008
Urgency/Credibility/Severity Rating: 2/5/4

Apple has released Security Update 2008-002 to address multiple vulnerabilities in Mac OS X and Mac OS X Server. This update addresses vulnerabilities that could allow an attacker to cause a DoS condition or execute arbitrary code with elevated privileges. The update corrects flaws within core operating system components as well as third-party packages that are bundled with the operating system.

Microsoft Windows Vista DHCP Request Processing Denial of Service Vulnerability
IntelliShield Vulnerability Alert 15092, Version 3, March 13, 2008
Urgency/Credibility/Severity Rating: 1/5/3
CVE-2008-0084

Microsoft Windows Vista and Microsoft Windows Vista x64 Edition contain a vulnerability that could allow a remote attacker to cause a DoS condition. Event data from Cisco Remote Management Services has detected intrusion prevention system signature activity related to this vulnerability. The data, which was captured on March 13, 2008, could indicate exploit attempts. Microsoft confirmed this vulnerability in a security bulletin and released software updates.

Linux Kernel vmsplice Invalid Memory Pointer Dereference Vulnerability
IntelliShield Vulnerability Alert 15127, Version 3, February 13, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-0009, CVE-2008-0010

The Linux Kernel contains a vulnerability that could allow a local attacker to gain superuser privileges. The attacker could leverage these privileges to take complete control of the vulnerable system. Exploit code demonstrating the privilege escalation vulnerability is publicly available. Reports indicate that this vulnerability is being actively exploited.

Linux Kernel get_iovec_page_array() Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 15128, Version 4, March 10, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-0600

The Linux Kernel contains a vulnerability that could allow a local attacker to gain privileges equal to the superuser account. The attacker could leverage these privileges to take complete control of the vulnerable system. Exploit code is available. Reports indicate that attackers are actively exploiting this vulnerability to compromise affected systems.

Adobe Reader and Acrobat Security Update 8.1.2
IntelliShield Security Activity Bulletin 15115, Version 4, March 3, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-0655

Adobe has released updates for Adobe Reader and Acrobat on the Mac OS X, Linux, Solaris, UNIX, and Windows platforms. The update corrects several unspecified vulnerabilities in versions of the affected applications prior to 8.1.2. Independent security researchers have released the technical details of several vulnerabilities corrected by this update. At least one has been used to distribute malicious code.

Physical

Mexican Official Takes United States Government BlackBerry Devices

At a recent diplomatic meeting in the United States (U.S.) between Mexican dignitaries and United States President Bush, several BlackBerry devices belonging to U.S. representatives were taken by a Mexican government official. The official was captured on surveillance video taking the devices and was confronted by the United States Secret Service at the airport before leaving the country. Although the official claims he took the devices believing their owners had left them behind, Mexican officials have asked him to resign.

IntelliShield Analysis: Many high-ranking dignitaries and corporate executives own BlackBerries or similar devices. These devices, which are widely used for communication and for storing sensitive information, often include cameras, video and voice recorders, and the ability to transmit their contents. For these reasons, the devices are often restricted during meetings where confidential or sensitive information is under discussion. However, the physical security of these devices must remain paramount due to the nature of the information they often contain. Meeting hosts should consider providing a secure means to store these electronic devices, or participants should consider locking them in desks or hotel rooms to prevent possible loss.

Legal

Private Eyes Jailed for Industrial Espionage Involving Spyware

Israeli private investigation firms involved in a 2003–2005 spyware incident have been convicted of industrial espionage and sentenced to jail terms ranging from 9 to 19 months. The firms were accused of selling information collected via e-mail campaigns that installed trojan software on the systems of targeted companies. A British couple, the Haephratis, created the trojan and were convicted in Israel in 2005, but other companies are still under investigation or being prosecuted. As the case proceeds through the court systems in the United States, United Kingdom, and Israel, it has become a classic reference for Internet industrial espionage. The targeted use of the trojan resulted in the compromise of unknown amounts of information and affected several of Israel's largest companies. Corporate officers at some of the largest companies in Israel are suspected of spying on their competitors through the private investigation firms.

IntelliShield Analysis: The competitive intelligence market and suspected industrial espionage continue to grow rapidly. However, contracting third parties to provide this information carries high risk, because these activities require a high level of diligence, carefully constructed and detailed agreements, legal review, and continuous monitoring. Because this kind of intelligence gathering can escalate into malicious behavior, companies are beginning to evaluate methods to prevent data leakage, insider threats, and unintentional disclosures that can threaten the company's performance on increasingly complex network structures. Data Leakage Prevention (DLP) is becoming an area of focus, primarily due to regulatory requirements. Security teams are encouraged to consider the range of risks that can be mitigated by implementing a well-designed DLP strategy.

Trust

E-Mail Marketing Company May Have Commandeered IP Address Space

Members of the anti-spam community are accusing Media Breakaway of using IP addresses that the company does not own. A researcher determined that the e-mail marketing company created an entity named SF Bay Packet Radio LLC to access IP space that was originally reserved 17 years ago for the similarly named San Francisco Bay Packet Radio organization. Because the space was allocated to San Francisco Bay Packet Radio before the American Registry for Internet Numbers (ARIN) was created, the holders of the IP space are not required to pay annual fees. ARIN is investigating the matter and could revoke Media Breakaway's access and file formal charges. The CEO of Media Breakaway believes that ARIN has no authority in this matter.

IntelliShield Analysis: ARIN is responsible for allocating IP addresses within the United States, Canada, and the Caribbean countries. Media Breakaway's use of the IP space and dismissal of ARIN's authority could undermine the organization's purpose. "Hijacking" existing IP space adds further complexity to the already difficult process of maintaining lists of trustworthy IP addresses. Some individuals in the anti-spam community are suggesting that ARIN blacklist the IP space in question, but this action could lead to the blacklisting of trusted IP space in the future, especially if Media Breakaway's space is reclaimed and reassigned. More importantly, blacklisting does not address the underhanded methods used to take IP space from other entities, nor the challenge to ARIN's authority. Administrators can obtain continually updated lists of "untrusted" IP addresses from sites such as The Spamhaus Project or badmalweb.com, but relying on blacklists requires close attention to how unused and reassigned IP space is handled.

Identity

Former Online Lending Company Employees Share Network Access

According to letters sent by the company, several former employees of the LendingTree online lending service may have shared network passwords with competitors. The affected network accounts were not disabled after the employees left the company, and other lenders may have used customer information such as loan applications to make competing offers to LendingTree customers. LendingTree has not reported any evidence of fraud or identity theft as a result of the breach.

IntelliShield Analysis: As this incident demonstrates, procedures and policies alone cannot compensate for lapses in human oversight, negligence, or deliberate violations. All businesses are advised to audit the accounts of former employees for usage and to ensure that accounts are disabled or removed as soon as employees discontinue work. Additional, redundant procedures should be performed to verify that the actions dictated by policy actually occur on a regular basis. Finally, to avoid oversights or conflicts of interest, businesses are advised to separate account management responsibilities and distribute maintenance among several trusted parties.

Human

Mexico Plagued by False Kidnapping Extortion

Criminals in Mexico are increasingly staging false kidnappings to extort money, and may have collected as much as US$20 million through the scheme over the last six months. The criminals use accomplices who pretend to be the victim's kidnapped child or loved one and make a desperate call to the victim, after which the criminal demands money or valuables. The police chief of Mexico City estimates that a special police hotline established to track the growing threat received over 30,000 complaints from December 2007 through February 2008, although only eight arrests were made. Mexico's Attorney General attributes the rise in kidnapping occurrences to the government's success in combating drug trafficking, which has forced criminals into other pursuits.

IntelliShield Analysis: The high rate of actual kidnappings in Mexico has allowed criminals to take a lower-risk path. Because the crimes have become so common, many victims view ransom payouts as necessary but unwelcome transactions. This trend is particularly interesting because it shows how criminals have adapted not only to pressure from law enforcement but also to changes in victims' attitudes. Even as police work diligently to stop top-priority crimes, their inability to keep pace with other crimes allows criminals to thrive in the new areas. Organizations should review travel policies to cope with real kidnapping events, but they are also advised to enact countermeasures and procedures to verify that a kidnapping has actually occurred. Organizations may find some benefit in examining other internal areas where threats occur at a high rate and reviewing whether users have become so accustomed to them that they let their guard down.

Geopolitical

Radio Free Europe Suffers Distributed Denial of Service

During the time period, Radio Free Europe/Radio Liberty (RFE/RL) was subjected to a distributed denial of service attack that coincided with the anniversary of the Chernobyl disaster. RFE/RL is a news organization funded by the United States (U.S.) that operates websites in several languages. The Belarus, Kosovo, Azerbaijan, Tatar-Bashkir, Radio Farda, South Slavic, Russian, and Tajik websites were all affected. According to RFE/RL, 50,000 hits per second were registered, a level never before experienced by RFE/RL technologists. An RFE/RL broadcaster commented that the government of Belarus could be responsible for the attacks, and the network's president compared the attacks to the Cold War tactic of jamming radio signals. In a possibly related move, the Belarus government demanded that the United States reduce its diplomatic presence in Minsk, the Belarusian capital, and ordered the expulsion of ten U.S. diplomatic personnel.

IntelliShield Analysis: The apparent coincidence of events has led some individuals to speculate about geopolitical tensions. The government of Belarus has not claimed responsibility for the distributed denial of service attack, and no reports indicate whether the activity was conducted under its auspices or was a spontaneous reaction by an individual or group. It is unlikely that the attackers will be identified, but the event does raise concern about the growing frequency of attacks against websites for political purposes. Estonia, the U.S. Cable News Network (CNN), and sites in France have been attacked in a similar fashion. With the Summer Olympic Games in China approaching and the activism displayed throughout the tour of the Olympic torch, Olympic Games websites, supporting nations, and individual businesses associated with the games may become targets of similar attacks.

German Intelligence Agency Engages in Cyber-based Espionage

Germany's foreign intelligence agency, the Bundesnachrichtendienst (BND), successfully conducted a cyber-based espionage operation from June 2006 through November 2006 against the computer network of the Afghanistan Ministry of Commerce and Industry. According to press coverage, the operation was initiated via an e-mail that contained a trojan program and produced large amounts of confidential data and internal documents, as well as government e-mail addresses and corresponding passwords. Among the collected information were the login details for the personal e-mail account of the Afghan Commerce Minister, which included correspondence with a Der Spiegel journalist. Because intercepting this kind of correspondence is illegal, the BND self-reported the electronic collection of data from Afghanistan.

IntelliShield Analysis: This incident is not the only instance of the BND's successful use of such technology against the networks of another government. In 2007, the BND used a trojan delivery method to compromise the network of an African country; that instance was exposed when a BND employee misused the tool to monitor his partner's romantic correspondence with a member of the German military. These incidents are repeated instances of nation states engaging in cyber-based espionage and using targeted e-mail to carry a trojan payload. Had it not been for the violation of German law and the subsequent self-reporting, information about the BND's cyber capabilities may never have surfaced. Similar capabilities have been identified in, or self-proclaimed by, numerous countries, highlighting the growing interest in and potential for cyber warfare.

Upcoming Security Activity

Microsoft Security Bulletin Update for May: May 13, 2008

EDUCAUSE Security 2008: May 4–6, 2008
ChicagoCon 2008: May 12–18, 2008
CONFidence: May 16–17, 2008
LayerONE 2008: May 17–18, 2008
AusCERT 2008: May 18–23, 2008
EUSecWest 2008: May 21–22, 2008
PH-Neutral 0x7d8: May 23–25, 2008

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit Trial Registration.



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
