August 11–17, 2008

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Microsoft released its monthly security bulletins for August 2008. Of particular interest is the buffer overflow vulnerability in the Microsoft Windows Image Color Management (ICM) component, described in IntelliShield Alert 16406. This vulnerability could allow a remote attacker to execute arbitrary code, potentially taking complete control of the target system. An attacker could exploit the vulnerability in several ways, although each requires user interaction: by convincing a user to visit a website hosting a malicious image (most likely by sending the user a link), by convincing a user to view an image embedded within a separate document, or by providing images directly to the user.
Another attack vector is e-mail, since Outlook and Outlook Express automatically display images when a user opens a message containing embedded images.

During the previous reporting period, spam messages surfaced that falsely appeared to originate from the Cable News Network (CNN), with subject lines such as “CNN.com Daily Top 10” and links to malware. Using almost identical tactics this week, the spammers have switched the messages to appear to come from MSNBC.com, with a From: address of “MSNBC Breaking News” and subject lines such as “msnbc.com - BREAKING NEWS: Elvis Presley daughter gives birth to twins” and “Anthrax case solved”. The body of the message contains a link and claims to offer more information about the breaking news story. Following the link takes the user to a malicious website that appears to host a CNN video about the story. The video fails to load and an error message reports a “Video ActiveX Object Error”, stating that the user must install the Video ActiveX object to watch the video; that object is in fact a trojan delivered as the executable adobe_flash.exe. As a general best practice against e-mail scams, users are reminded not to follow unsolicited links and to verify the authenticity of unexpected links before following them.

IntelliShield published 155 events last week: 65 new events and 90 updated events. Of the 155 events, 131 were Vulnerability Alerts, 10 were Security Issue Alerts, five were Security Activity Bulletins, four were Applied Mitigation Bulletins, three were Daily Malicious Code Summaries, one was a Malicious Code Alert, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals
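The MSNBC/CNN lure described above is recognizable from headers and links alone: the display name claims a news brand, neither the sending domain nor the linked host belongs to that brand, and the "video" link ends in an executable. The Python script below is an added example, not code from the report or from Cisco, that applies those three checks to two constructed messages modelled on the lure. The brand-to-domain table, the sender addresses and the hosts in the sample messages are invented for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed mapping of news brands named in lures to the domains they legitimately
# send from. Only the two brands from the report are listed; the domains are an
# illustrative assumption, not a vetted allow-list.
BRAND_DOMAINS = {
    "cnn": {"cnn.com"},
    "msnbc": {"msnbc.com", "msnbc.msn.com"},
}
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".bat")
URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def hostname_matches(host, domains):
    """True when host is one of the domains or a subdomain of one of them."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def text_body(msg):
    """Concatenate the decoded text/* parts of a message (single-part or multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def analyze_message(raw):
    """Flag brand-impersonation and executable-download indicators in a raw RFC 822 message."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    claim_text = (display_name + " " + msg.get("Subject", "")).lower()
    claimed = [brand for brand in BRAND_DOMAINS if brand in claim_text]
    findings = []
    # Check 1: the From: address should belong to the brand named in the display name/subject.
    for brand in claimed:
        if not hostname_matches(sender_domain, BRAND_DOMAINS[brand]):
            findings.append(f"claims {brand} but sent from {sender_domain or '<no address>'}")
    for url in URL_RE.findall(text_body(msg)):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        # Check 2: links in a brand's mail should point at that brand's domains.
        for brand in claimed:
            if not hostname_matches(host, BRAND_DOMAINS[brand]):
                findings.append(f"claims {brand} but links to {host}")
        # Check 3: a news link that resolves to an executable is a download lure.
        if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append(f"link to executable {parsed.path.rsplit('/', 1)[-1]}")
    return {"verdict": "suspicious" if findings else "clean", "findings": findings}


# Constructed sample messages (invented addresses and hosts), modelled on the lure in the report.
FAKE_NEWS_ALERT = """From: "MSNBC Breaking News" <alerts@msnbc.com-news.example>
Subject: msnbc.com - BREAKING NEWS: Anthrax case solved
Content-Type: text/plain; charset=us-ascii

Watch the full report here:
http://video.news-update.example/story/adobe_flash.exe
"""

REAL_NEWSLETTER = """From: "CNN.com Daily Top 10" <dailytop10@cnn.com>
Subject: CNN.com Daily Top 10
Content-Type: text/plain; charset=us-ascii

Today's most viewed stories: http://www.cnn.com/2008/daily-top-10.html
"""

if __name__ == "__main__":
    for label, raw in (("lure", FAKE_NEWS_ALERT), ("newsletter", REAL_NEWSLETTER)):
        result = analyze_message(raw)
        print(f"{label}: {result['verdict']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The brand check deliberately keys on the display name and subject rather than the address, because that is what the recipient reads; the address is only trusted after it has been shown to belong to the claimed brand. A gateway rule built this way catches the lure even when the story text and the imitated branding change from week to week.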
Previous Alerts That Still Represent Significant Risk

Multiple Vendor DNS Implementations Insufficient Entropy Vulnerability

DNS implementations from multiple vendors contain a vulnerability that could allow an unauthenticated, remote attacker to conduct DNS cache poisoning attacks. Such an attack may result in the modification of stored DNS entries, possibly allowing the attacker to conduct further attacks against systems that rely on the affected DNS server. Functional exploit code that inserts malicious DNS records to poison the cache of a targeted DNS server has been publicly released. This exploit places a single malicious host entry in the DNS server's cache: a successful exploit lets the attacker spoof DNS responses, causing the target DNS server to insert the additional malicious record into its cache. Additional exploit code that allows complete domain hijacking through the modification of SOA records is also available. Multiple exploit tools are becoming publicly available, increasing the risk associated with not patching affected products.

Oracle Critical Patch Update July 2008

Oracle has released the Critical Patch Update advisory for July 2008. The update contains 45 distinct security fixes for various Oracle products. Additional IntelliShield alerts detailing individual vulnerabilities will be released as technical details become available.

Apple Mac OS X and OS X Server Apple Remote Desktop Agent Privilege Escalation Vulnerability

Apple Mac OS X and OS X Server contain a vulnerability that could allow a local attacker to perform actions with elevated privileges. A local attacker could exploit the vulnerability to perform actions with root privileges and leverage those privileges to take complete control of the targeted system. Malicious software is currently exploiting this vulnerability.
OSX/Hovdy-A, which is documented in IntelliShield Alert 16132, has been identified as exploiting this vulnerability.

Adobe Flash Player Multimedia File Integer Overflow Vulnerability

Adobe Flash Player contains an integer overflow vulnerability that could allow a remote attacker to cause a denial of service condition or execute arbitrary code with elevated privileges. The Downloader.Swif.C trojan, which is detailed in IntelliShield Alert 15955, attempts to exploit this vulnerability. Reports indicate that this malicious code is currently active in large-scale attacks. Adobe has confirmed the vulnerability and released updated software.

Debian and Ubuntu Predictable OpenSSL Random Number Generation Issue

Debian and Ubuntu contain a security issue in OpenSSL that could result in the generation of pseudo-random values that can easily be predicted. As a result, all SSL certificates, SSH keys, and passwords generated by affected third-party applications may have predictable features that could easily be determined through brute-force methods. Attackers may be able to nullify or significantly reduce the benefits supplied by encryption or randomization.

Physical

Medeco High Security Locks Easily Picked by Copied Key

Medeco High Security locks are used to protect the US Pentagon, the White House, and Great Britain's Royal Family. At the annual DEFCON security conference, presenters discussed a way to bypass the key duplication security features of the M3 locks by using plastic key copies made from credit cards. To make a working copy, an attacker would need access to a genuine key long enough to photocopy it or scan it in an image scanner, and the copy must be to scale. The attacker can then use a utility knife and the template to cut the copy.
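For the DNS insufficient-entropy item under Previous Alerts above, the defender-side question is whether a resolver's outbound queries vary both the UDP source port and the 16-bit transaction ID, because an attacker racing the legitimate answer only has to guess the combinations the resolver actually uses. The Python below is an added example, not from the report or from any DNS vendor: it scores two constructed query samples (an unpatched-style resolver with a fixed port and sequential IDs, and a patched-style one with random values) and models how the success probability of a forged-reply race falls as the number of entropy bits grows. The entropy threshold, the sample sizes and the figure of 1000 forged replies per race are assumptions chosen for illustration.

```python
import math
import random
from collections import Counter


def shannon_entropy_bits(values):
    """Entropy in bits of the empirical distribution of the observed values.

    The estimate is capped at log2(len(values)), so it is a lower bound on the
    entropy of the generator; a fixed value always scores 0.
    """
    counts = Counter(values)
    total = len(values)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def is_sequential(values):
    """True when every value is exactly the previous value plus one."""
    return len(values) > 1 and all(b - a == 1 for a, b in zip(values, values[1:]))


def assess_resolver(queries, min_entropy_bits=6.0):
    """Judge a sample of outbound (source_port, transaction_id) pairs from one resolver.

    A fixed source port or sequential transaction IDs leaves little for a spoofer
    to guess; both fields should look random across the sample. The 6-bit
    threshold is an assumption sized to the 256-query samples below.
    """
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    port_entropy = shannon_entropy_bits(ports)
    txid_entropy = shannon_entropy_bits(txids)
    weak_ports = len(set(ports)) == 1 or port_entropy < min_entropy_bits
    weak_txids = is_sequential(txids) or txid_entropy < min_entropy_bits
    return {
        "distinct_ports": len(set(ports)),
        "port_entropy_bits": round(port_entropy, 2),
        "txid_entropy_bits": round(txid_entropy, 2),
        "sequential_txids": is_sequential(txids),
        "verdict": "vulnerable" if (weak_ports or weak_txids) else "randomized",
    }


def poisoning_success_probability(entropy_bits, spoofed_per_attempt, attempts):
    """Probability that at least one of `attempts` races succeeds.

    Each race sends `spoofed_per_attempt` forged replies against a space of
    2**entropy_bits (port x ID) combinations. Simple model: uniform guesses and
    no dependence between races.
    """
    per_attempt = min(1.0, spoofed_per_attempt / 2 ** entropy_bits)
    return 1.0 - (1.0 - per_attempt) ** attempts


# Constructed samples (not captures from any real resolver).
# Unpatched style: every query leaves from port 53 with an incrementing ID.
UNPATCHED_SAMPLE = [(53, 0x1000 + i) for i in range(256)]
# Patched style: random ephemeral port and random ID per query (seeded for reproducibility).
_rng = random.Random(20080811)
PATCHED_SAMPLE = [(_rng.randint(1024, 65535), _rng.randint(0, 0xFFFF)) for _ in range(256)]

if __name__ == "__main__":
    for label, sample in (("unpatched-style", UNPATCHED_SAMPLE), ("patched-style", PATCHED_SAMPLE)):
        print(label, assess_resolver(sample))
    for bits in (16, 32):
        p = poisoning_success_probability(bits, spoofed_per_attempt=1000, attempts=1)
        print(f"{bits} bits of entropy, 1000 forged replies per race: p = {p:.2e}")
```

Run against a packet capture of your own resolver's outbound queries (one pair per query), the assessment is the same check that public "port randomness" test services perform: a single distinct port or a sequential ID column means the ID is the only thing protecting the cache, and the probability function shows why that 16-bit space is not enough once an attacker can send hundreds of forged replies per race.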
Legal

US District Court Blocks DEFCON Presentation

On Sunday, August 10, 2008, three undergraduate students from the Massachusetts Institute of Technology were scheduled to present their findings (“Anatomy of a Subway Hack”) at the annual DEFCON security conference in Las Vegas. The presentation addressed alleged security flaws in commonly used subway fare collection systems and in a subway system managed by the Massachusetts Bay Transportation Authority (MBTA). On Friday, August 8, 2008, the MBTA filed a complaint in federal court in Massachusetts against the three students and MIT. The MBTA requested, among other things, a temporary restraining order (TRO) to stop the students from presenting their findings until the MBTA's own vendors had had adequate time to correct any system weaknesses. The court held a hearing on Saturday, August 9, 2008, and issued a 10-day restraining order barring the students “from providing program, information, software code, or command that would assist another in any material way to circumvent or otherwise attack the security of the Fare media System.” On Thursday, August 14, 2008, the court upheld the original TRO.

IntelliShield Analysis: The MIT students, represented by the Electronic Frontier Foundation, did not present their findings at DEFCON. They have sought the court's reconsideration of its TRO on the basis that the TRO is an unconstitutional restraint of free speech and is not supported by the wording of the federal Computer Fraud and Abuse Act. The EFF counsel also contends that the MBTA publicly posted, via the court docket system, more sensitive information about the students' findings than the students themselves had planned to disclose at DEFCON. The MBTA, in turn, has now asked the court to adjust its TRO to “correct any public or intra-party misperception” by precluding the students from providing “non-public” information.
The MBTA also seeks to mediate, and has maintained that its primary and “immediate concern” is the “security and integrity” of its system.

Trust

There was no significant activity in this category during the time period.

Identity

Cloned E-Passports Fool Security Software

The Times newspaper conducted tests on e-passports, which are becoming widely accepted around the world in place of paper passports. Jeroen van Beek, a security researcher at the University of Amsterdam, conducted the tests to determine whether security flaws existed within the e-passports. Van Beek was able to clone the microchips and implant digital images of Osama bin Laden and a suicide bomber, which were accepted as legitimate passports by the United Nations' software. Forty-five countries currently use e-passports, but only five have implemented the Public Key Directory (PKD) code system, which adds security by checking an international database for key codes.

IntelliShield Analysis: Contrary to the popular belief that e-passports cannot be forged, Jeroen van Beek has shown that their microchips can be read and copied. This should raise alarms for those who depend on passports for identification, and travelers crossing borders should take extra security measures when using e-passports. Last week, 3,000 blank British passports and visas were stolen from a security van en route from Manchester to London. Combined with the recent discovery that e-passports can be cloned, this could give attackers the resources to falsify identities: people could attempt to open bank accounts or pose as British citizens in other countries. Until the PKD code system is implemented worldwide, security checkpoints should not rely on e-passports as the sole means of identification.
Human

Security Researcher Asks for Money in Revealing Mobile Phone Vulnerabilities

Adam Gowdiak, a security researcher from Poland, has reported that mobile phones using the Nokia Series 40 platform are vulnerable to an attack that may allow an attacker to gain complete access to the handset. Gowdiak has given both Sun Microsystems and Nokia a summary of his research but is offering the full content of his findings to reputable third parties for 20,000 euros. Gowdiak hopes to raise enough money to fund his start-up company. It has been reported that Sun has looked into the vulnerabilities and will release a patch in the near future. Nokia has not commented on the situation.

IntelliShield Analysis: Although there is malicious code targeting mobile phones, security has not been a major concern for most phone companies. Incidents of this sort may begin to change that, as such vulnerabilities could affect millions of phones. Gowdiak is well aware that his method of disclosing the information is not in line with what many in the security industry would consider full disclosure. He has stated that he only intends to sell the information to security companies and would release all of the information to the public if a leak occurred. Gowdiak is not holding the vulnerability information hostage, but if other researchers follow suit, the debate over what constitutes responsible disclosure may become more heated, and at the same time, research into finding new vulnerabilities may become more mercenary and less open. Businesses that rely on phones using the Nokia Series 40 platform should remind users to be cautious when viewing e-mail and attachments, and also when viewing text messages.
Geopolitical

Russia/Georgia Conflict

The conflict in Georgia's breakaway region of South Ossetia escalated dramatically a week ago Friday when events spiraled into war between Georgia and Russia, with Russia occupying South Ossetia and portions of Abkhazia, and reportedly blockading Georgia's Black Sea ports. A French/US-brokered cease-fire is currently in place, the second in as many days, which as of late Thursday, August 14, appears to be holding. In agreeing to a cease-fire, Russian President Dmitry Medvedev announced a significant change in Russian foreign policy and declared Russia's readiness to brush aside the West's objections to the two regions splitting away from Georgia. Interestingly, Georgia's Internet infrastructure had reportedly been subjected to distributed denial of service (DDoS) attacks before Russian forces advanced, and such attacks continue. Meanwhile, the Russian news site RIA Novosti has been and remains under attack; the attacks reportedly originate from Georgia. There is no empirical evidence indicating that either the Russian or the Georgian government was actively pursuing information warfare.

IntelliShield Analysis: The conflict between Russia and Georgia may carry negative and far-reaching effects on the global economy, placing strain on certain businesses. Oil prices may be affected in the short term if the Baku-Tbilisi-Ceyhan pipeline is shut down, and in the long term if Russia makes good on threats to use its control of regional crude oil and gas spigots to geopolitical advantage. The conflict may negatively affect the business environment in Russia for Western multinationals if it drags on. That said, Moscow will probably be keen not to let business deals derail, particularly high technology and telecommunications deals, which bring jobs and training to Russian citizens.
Should this second cease-fire not hold and a drawn-out conflict ensue, the risks to new business opportunities in the former Soviet states rise: annexation of South Ossetia or Abkhazia by Russia, either as autonomous regions or as independent states, would throw into question the legal status of assets there, and would raise the likelihood that Russia is gauging the efficacy of throwing its weight around in other volatile areas, such as Ukraine or Kosovo. The conflict and its aftermath may ultimately boil down to the extent to which Moscow wants to reassert its influence in the former Soviet states.

Transnational Online Crime

Identity Theft

The State of California experienced a 31% increase in identity (ID) theft reports in 2007, and industry analysts indicate that street and prison gangs are responsible for the increase. Gangs such as the Mexican Mafia, the Crips, and the Armenian Power Gang, typically known for violent crime and drug trafficking, are joining the ranks of computer hackers and other organized crime groups in engaging in ID theft. One ongoing California investigation involves a state employee, Rachel Dumbrique, who is being investigated for allegedly e-mailing the names and social security numbers of 5,000 state employees to her personal Yahoo! e-mail account. Ms. Dumbrique is married to Edward Dumbrique, who is a member of the group identified as the Mexican Mafia and is currently serving a prison sentence. According to Identity Theft 911, an identity management solutions firm, 1.5 million Californians were victims of ID theft that resulted in credit card fraud, ATM theft, and unlawful wire transfers, among other types of theft. Employment-related identity theft, which includes the use of stolen social security numbers by undocumented workers, was cited as the second most prevalent form of ID theft. The cost of California's identity theft for 2007 is estimated at $749 million.
IntelliShield Analysis: The Identity Theft Resource Center has reported that 431 security breaches affected 22,468,773 individuals through unauthorized information disclosure between December 2007 and July 2008. These incidents took place in diverse industries, including banking, education, retail, and government agencies. Although hackers and organized crime groups have been perpetrating and supporting identity theft for some time, only recently have street and prison gangs shown interest in this type of crime and begun attempting to recruit suppliers for the required information. Some gangs are targeting individuals who may be able to assist and using those individuals' financial problems as leverage. The widespread capitalization of identity theft demonstrates how lucrative it has become relative to the amount of risk involved. The speed at which criminals find new methods of obtaining personal data continues to surpass the speed at which businesses secure that data, with the human element still the weakest link. The adoption of identity theft by gangs may provide an opportunity and motivation for them to interact with other organized criminal elements, such as the Russian Business Network (RBN).

Upcoming Security Activity

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Beijing 2008 Summer Olympics: August 6–24, 2008
sec-t: September 11–12, 2008

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use.
Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.