Cyber Risk Report

August 10–16, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity for this period was elevated again because of Microsoft's monthly security bulletins and other vendors' announcements.  Microsoft released its monthly Security Update on August 11, including nine security bulletins that address 19 vulnerabilities.  Although five of the bulletins were rated Critical, MS09-037, which included five updates for Active Template Library (ATL) vulnerabilities, is possibly the most important.  Another security update of particular concern is the Remote Desktop vulnerability reported in MS09-044.  The IntelliShield alerts and Cisco mitigations are available in the Cisco Event Response.

A local privilege escalation vulnerability in Linux Kernel versions 2.4 through 2.6.30.4 is covered in IntelliShield Alert 18847.  Proof-of-concept and working exploits for this vulnerability are publicly available on multiple websites.  Although exploitation requires local access or an already compromised account, the vulnerability could allow full compromise of the system.

IntelliShield published 93 events last week: 44 new events and 49 updated events.  Of the 93 events, 78 were Vulnerability Alerts, four were Security Activity Bulletins, five were Threat Outbreak Alerts, two were Security Issue Alerts, one was a Malicious Code Alert, two were Applied Mitigation Bulletins, and one was a Cyber Risk Report.  The alert publication totals are as follows:

Weekly Alert Totals

Day           Date        New  Updated  Total
Friday        8/14/2009     6        7     13
Thursday      8/13/2009     8        6     14
Wednesday     8/12/2009     6       20     26
Tuesday       8/11/2009    21        7     28
Monday        8/10/2009     3        9     12
Weekly Total               44       49     93


Significant Alerts for the Time Period

Microsoft Visual Studio Active Template Library Uninitialized Object Vulnerability
IntelliShield Vulnerability Alert 18725, Version 8, August 11, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-0901

Sun has released an alert notification and updated software to address the Microsoft Visual Studio Active Template Library uninitialized object vulnerability.  Microsoft Visual Studio Active Template Library contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code.  Microsoft has released a security bulletin and software updates to address the Microsoft Visual Studio Active Template Library uninitialized object vulnerability in Microsoft Windows.

Microsoft Windows Video msvidctl ActiveX Control Code Execution Vulnerability
IntelliShield Vulnerability Alert 18595, Version 9, August 11, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-0015

Microsoft Windows XP SP3 and prior and Windows Server 2003 SP2 and prior contain a vulnerability in the msvidctl ActiveX Control that could allow an unauthenticated, remote attacker to execute arbitrary code.  Microsoft has released an additional security bulletin and software updates to address the Microsoft Windows video msvidctl ActiveX control code execution vulnerability.

Linux Kernel sock_sendpage() Local Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 18847, Version 1, August 14, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-2692

The Linux Kernel versions 2.4 through 2.6.30.4 contain a vulnerability that could allow an unprivileged, local attacker to execute arbitrary code with elevated privileges or cause a denial of service condition.  Stable updates are not available currently.  Proof-of-concept exploit code is publicly available.

Previous Alerts That Still Represent Significant Risk

ISC BIND Dynamic Update Remote Denial of Service Vulnerability
IntelliShield Vulnerability Alert 18730, Version 8, August 13, 2009
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2009-0696

ISC BIND contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition.  Apple and Novell have released security advisories and updated software to address the ISC BIND dynamic update remote denial of service vulnerability.

Microsoft Office Web Components ActiveX Control Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 18633, Version 5, August 12, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-1136

Microsoft Office Web Components contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user.  This vulnerability is due to an unspecified error in the Office Web Components ActiveX control.  Reports indicate that exploits of this vulnerability are ongoing.  Additional technical information detailing the Microsoft Office Web Components ActiveX control arbitrary code execution vulnerability is available.

Microsoft Windows DirectShow QuickTime Media Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 18366, Version 3, July 14, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-1537

Microsoft Windows DirectShow contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code.  Microsoft has indicated that limited, active attacks are occurring.  Microsoft has released an update that corrects this vulnerability.

Microsoft Internet Information Services WebDav Unicode Processing Security Bypass Vulnerability
IntelliShield Vulnerability Alert 18261, Version 3, June 9, 2009
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-1535

Microsoft Internet Information Services (IIS) versions 5.0, 5.1, and 6.0 contain a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and access sensitive information.  The vulnerability is due to improper processing of Unicode characters in HTTP requests.  An exploit could allow the attacker to bypass security restrictions and download arbitrary files from the targeted system. Exploit code is available.  Microsoft has confirmed this vulnerability in a security bulletin and released software updates.

Microsoft Office PowerPoint Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 17966, Version 3, May 12, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-0556

Microsoft has released a security bulletin and software updates to address the arbitrary code execution vulnerability in Office PowerPoint.  Reports indicate that targeted attempts to use this vulnerability continue to occur.  A variant of the Trojan.PPDropper trojan, which is described in IntelliShield Alert 10845, is actively exploiting this vulnerability.

Worm: W32/Conficker.worm
IntelliShield Malicious Code Alert 17121, Version 18, April 9, 2009
Urgency/Credibility/Severity Rating: 4/5/3

W32/Conficker has changed its command-and-control communications methods and begun to download malicious files to infected systems.  Conficker has now changed from malicious code that infects vulnerable systems to an operational botnet.  Conficker is expected to continue to infect vulnerable systems, change command-and-control communication, and download additional malicious files to the infected systems.

Adobe Reader getAnnots Function Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 18088, Version 6, July 15, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-1492

Adobe Reader and Acrobat versions 9.1, 8.1.4, 7.1.1, and earlier contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user.  The vulnerability is due to insufficient boundary checking on annotation parameters in Adobe PDF documents.  An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to view a malicious PDF file.  If the user views the document, the attacker could execute arbitrary code with the privileges of the user.  Proof-of-concept code is available.  Adobe has confirmed this vulnerability and provided software updates.

Adobe Acrobat Products PDF File Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 17665, Version 12, June 30, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-0658

Adobe Reader, Acrobat Professional, Acrobat Professional Extended, and Acrobat Standard contain a buffer overflow vulnerability that could allow a remote attacker to create a denial of service condition or execute arbitrary code with the privileges of the user.  The level of user privileges and the code that is executed determine the degree to which the system is compromised.  This vulnerability is actively being exploited in the wild by the Pidief family of trojans.  Additional information about the trojan is available in IntelliShield Alert 14388.  Adobe has confirmed the vulnerability and released updated software.

Physical

H1N1 Impacts Major Indian Business Areas

Pune and Mumbai, India, are experiencing increasing infection rates of the H1N1 swine flu.  Authorities have reported 20 deaths and over 1,200 confirmed infections in the area.  The growing concerns have flooded hospitals and testing centers and caused the closing of schools and other public buildings.  The government has increased its response, providing additional testing centers and increased orders of the antiviral drug Tamiflu.  While increasing the response, the government and medical professionals are also attempting to reduce the level of panic and fear, which many blame on the media coverage and on those attempting to exploit the situation for political and financial gain.

IntelliShield Analysis:  India, like many other emerging countries, is well aware of the H1N1 risks and has made preparations for an incident response.  Although the situation is certainly serious, the number of deaths and confirmed infections remains low relative to the area population.  The public communication seems to be presenting authorities an equal if not greater challenge: providing accurate information and assistance without causing disproportionate fear and panic.  Physical and IT security organizations are frequently challenged to provide accurate public information, assistance, and recommendations without causing the often-cited fear, uncertainty, and doubt (FUD).  Understanding the challenge and planning for communications and public relations is a critical part of incident response, but is often overlooked while the focus is on more pressing details.  All incident response plans and preparations should include communications and public relations team members to address the communications challenges.

Legal

Sex Offenders in Illinois Banned from Social Networking Sites

Governor of the U.S. state of Illinois, Pat Quinn, signed a law this week that blocks sex offenders living in the state of Illinois from joining social networking sites.  The law, sponsored by state senator Bill Brady, is intended to protect innocent users from sexual predators who use the Internet.  Critics are claiming that the law goes too far and could effectively be used to block those listed as sex offenders from using a large portion of the Internet.

IntelliShield Analysis:  The social networking sites Facebook and MySpace have faced criticism before for allowing sexual predators to use their services and have undergone voluntary checks to remove such profiles.  The Illinois law tries to avoid being too narrow by offering its own definition of social networking sites.  A recent study by Cambridge University identified 45 "popular social web sites" globally.  The problem is that the definition could be applied to a large number of websites that encourage user interaction and rely on member participation.  Without defining the difference between social networking sites and sites that contain similar elements, some users could be banned from a larger category of websites, including CNN, Monster.com, and other member communities.  Without a strict definition, enforcement could be another difficult issue to tackle because it is unclear whether only certain social networks would be polled or whether a broader online inspection is necessary.  Organizations that attempt to define policies for social networking sites will face similar definition issues and should carefully consider the wording of their policies so that they are clear and understood by their users.

Trust

National Retail Federation Survey Identifies Small Retailer Compliance Challenges

A poll by the National Retail Federation (NRF) has found that a majority of small retailers know about the Payment Card Industry's Data Security Standard (PCI DSS) but do not understand it. Eighty-six percent of the surveyed businesses knew about the standard, much higher than the results from last year's survey, but many did not know what it would take for their businesses to be compliant.  The two factors named most by these businesses as hampering their compliance with PCI DSS were the complexity of the standard and the cost of compliance.

IntelliShield Analysis:  Security standards and policies are only a necessary first step.  This poll sheds light on a larger problem with security standards such as PCI DSS, Health Insurance Portability and Accountability Act (HIPAA), Red Flags, and others.  These standards must be translated into understandable nomenclature that does not require the services of an attorney during implementation.  Many small businesses appear to be completely at a loss when it comes to the more esoteric aspects of their business systems compliance.  They are familiar with day-to-day operations of a point-of-sale system, or patient records system, but may be unable to speak to whether those systems adequately protect the data that they handle.  For many small businesses, being able to say with confidence that they are compliant with a particular standard will require two things: an understandable translation of the security standard, and an assurance from their software vendor that their software is compliant with the applicable standards.  Many of these standards have information published on the Internet that can help with the understanding and the steps necessary to come into compliance.

Identity

Close of Peer-to-Peer Identity Theft Case Highlights Risk

Frederick Wood was sentenced to 3 years in prison for exploiting the open and poorly configured nature of P2P networking clients to steal personal information from other P2P network users and using that information to commit fraud.  Home users who had installed the software on their computers unknowingly shared large portions of their personal information, including tax returns and loan applications, which Wood accessed to write forged checks.  The casual and easy nature of Wood's exploitation demonstrates the risks that exist for users who participate in P2P file-sharing networks.  The sentencing in this case follows several other P2P network information disclosures due to accidental file sharing, including records lost from law firms and the Walter Reed Army Medical Center.

IntelliShield Analysis:  The legitimate uses of P2P are well known and include distribution of various types of software and self-published media.  Distributing software via P2P networks can be an attractive choice for businesses that want to leverage the network's speed and availability.  However, like any other software, P2P clients must be used safely and in accordance with the law.  Specifically, businesses must ensure that client applications are configured to share only the desired set of files.  Otherwise, there is a great risk of accidental exposure of data that may be leveraged by criminals.  Sites may consider allowing P2P software only on systems that do not handle confidential customer or internal data to reduce the chance of exposure.  Businesses may also consider adopting usage policies similar to other network usage policies to help direct users in safe and effective P2P network activities.

Human

UK Law Leads to Jail for Some Who Refuse to Decrypt Data

The annual report from the United Kingdom's (UK) Chief Surveillance Commissioner outlined the past year's activities under Part 3, Section 49 of the Regulation of Investigatory Powers Act (RIPA).  Under RIPA, investigators can demand either the encryption key or the decrypted data for encrypted files, and suspects who do not comply can face up to 2 years in prison.  In the report, the Commissioner outlined that 15 notices to comply were served, four were complied with, seven people who did not comply were charged, and two of those were convicted.  All 15 cases were related to "counter terrorism, child indecency, and domestic extremism."

IntelliShield Analysis:  The UK's decision to impose jail on those who refuse to divulge keys or decrypt data has been controversially received in security and privacy circles.  Opponents fear that authorities could demand keys and decrypted contents that could expose information that is unrelated to the investigation but secured by the same keys.  Further, it will be difficult to prove that one does not know the password or passphrase for a key, making defense against an accusation difficult.  Despite these concerns, it does not appear that this law is being broadly applied at this time.  As encryption continues to be more widely deployed in organizations, the issue of recovering encrypted data will also likely grow.  Users forgetting or losing passwords or passphrases is a very common issue that can often be overcome with administrative privileges, but recovering forgotten passwords or passphrases for encryption keys presents several additional challenges.

Geopolitical

Twitter Taken Down in Apparent Political Vendetta

In the first half of August, several high-profile social networking and blogging sites, including Twitter, Facebook, Blogger, and LiveJournal, were affected by distributed denial of service (DDoS) attacks.  Of the affected sites, Twitter alone experienced several episodes of downtime, which stretched up to 2 hours in length.  According to a Facebook spokesperson, the attacks on the various websites all appear to have targeted a single person, Georgian activist blogger Cyxymu.  Cyxymu (derived from the Cyrillic characters for Sukhumi, the capital of the breakaway republic of Abkhazia) has blamed the Russian government directly for the attacks, but there is no evidence of a state actor.

IntelliShield Analysis:  The DDoS attacks were unusual in that they appear to have been politically or personally motivated, unlike the more common attacks against major websites, which tend to be financially motivated.  The attacks targeted a single individual, and in the process inconvenienced millions of users.  From an information security perspective, it may be valuable to note that web 2.0 social networking sites may be vulnerable to such attacks in the future because of the inherently emotional or political nature of their content.  Although financial and e-commerce sites to date have been most at risk because of their high-value personal and financial data, a new strain of personal attacks on social networking and blogging sites may be on its way.  It is also worth noting the vulnerability of fast-growing sites such as Twitter, whose profit models are still evolving and whose infrastructure may be more appropriate to a lower-profile startup.  As the business model matures, even smaller sites may have to invest more, and sooner, in building robust load-balancing and redundancy capabilities.  Companies for whom uninterrupted Internet connectivity is critical may want to look into the counter-DDoS capabilities of service providers and cloud services.

Upcoming Security Activity

GFIRST 2009: August 23–28, 2009
ASIS International 55th Annual Seminar & Exhibits: September 21–24, 2009
Hack In The Box Malaysia 2009: October 5–6, 2009
CSI2009 Annual Conference: October 24–30, 2009

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Japan Lower House Elections: August 30, 2009
Ramadan: August 21–September 19, 2009
Rosh Hashanah: September 18, 2009
Yom Kippur: September 27, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
