Cyber Risk Report

August 18–24, 2008

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

The Microsoft Security Response Center (MSRC) confirmed that it is investigating reports of an unspecified vulnerability in the NSlookup.exe administrative tool in Microsoft Windows XP. Unconfirmed reports indicate that this vulnerability is currently being exploited in the wild. A remote attacker could exploit this vulnerability to execute arbitrary code with sufficient privileges to compromise the target system. This vulnerability is described in IntelliShield Alert 16475.

Red Hat discovered an intrusion on some of its systems that allowed an attacker to sign certain OpenSSH packages with the official Red Hat private key. As a result of the intrusion, an attacker was able to modify certain OpenSSH packages and sign them in a way that makes them appear to be officially distributed by Red Hat. Official Red Hat subscribers receive updated packages via the Red Hat Network (RHN). Red Hat's initial investigation reports that packages distributed by the RHN were not affected. Red Hat has indicated that only users who obtain binary packages through alternate means are affected. This issue is detailed in IntelliShield Alert 16504.

Attackers leveraged the insufficient entropy vulnerability in multiple vendors' DNS implementations, reported in IntelliShield Alert 16183, to poison the cache of the China Netcom Internet Service Provider (ISP). China Netcom users who mistype a web address may be redirected to a malicious web page that attempts to use a malicious iframe to exploit vulnerabilities in Adobe, Microsoft, and RealNetworks products on the users' systems. Successful attacks allow the attacker to place malicious code on a user's system.

IntelliShield published 137 events last week: 37 new events and 100 updated events. Of the 137 events, 112 were Vulnerability Alerts, 11 were Security Activity Bulletins, ten were Security Issue Alerts, two were Daily Malicious Code Summaries, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date        New   Updated   Total
Friday        8/22/2008     4        19      23
Thursday      8/21/2008     9         5      14
Wednesday     8/20/2008     5        22      27
Tuesday       8/19/2008     8        31      39
Monday        8/18/2008    11        23      34
Weekly Total               37       100     137


Significant Alerts for This Time Period

Microsoft Windows NSlookup.exe Arbitrary Code Execution Vulnerability
IntelliShield Security Activity Bulletin 16475, Version 1, August 18, 2008
Urgency/Credibility/Severity Rating: 2/4/4
CVE-2008-3648

Microsoft Windows contains a vulnerability that could allow a remote attacker to cause a denial of service (DoS) condition or execute arbitrary code. The vulnerability exists due to an unspecified error in the NSlookup.exe administrative tool. Reports indicate that attackers may be exploiting this vulnerability in the wild. The Microsoft Security Response Center (MSRC) is currently investigating reports of this vulnerability; however, the vulnerability remains unconfirmed, and updated software is not available.

Previous Alerts That Still Represent Significant Risk

Multiple Vendor DNS Implementations Insufficient Entropy Vulnerability
IntelliShield Vulnerability Alert 16183, Version 22, August 19, 2008
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2008-1447

DNS implementations of multiple vendors contain a vulnerability that could allow an unauthenticated, remote attacker to conduct DNS cache poisoning attacks. Such an attack may result in the modification of stored DNS entries, possibly allowing the attacker to conduct further attacks against systems that rely on the affected DNS server. Functional exploit code that allows the insertion of malicious DNS records to poison the cache of the targeted DNS server has been publicly released. This exploit caches a single malicious host entry into the DNS server. A successful exploit in this manner allows the attacker to spoof DNS entries, causing the target DNS server to insert the additional malicious record into the cache. Additional exploit code that allows for complete domain hijacking through the modification of SOA records is also available. Multiple exploit tools are becoming publicly available, increasing the risks associated with not patching affected products.
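As an added illustration that is not part of the Cisco report, the following Python script estimates how much of the 16-bit transaction ID and 16-bit UDP source port space a resolver really uses, which is the entropy question behind this vulnerability. The two 200-query samples are constructed; a real check would take the (transaction ID, source port) pairs from a packet capture of the resolver's outbound queries.

```python
import math
import random
from collections import Counter
from typing import Dict, Iterable, List, Sequence, Tuple

Query = Tuple[int, int]  # (DNS transaction ID, UDP source port) of one outbound query


def shannon_entropy_bits(values: Iterable[int]) -> float:
    """Empirical Shannon entropy of the observed values, in bits."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def looks_sequential(values: Sequence[int]) -> bool:
    """True when almost every value is the previous one plus one (a counter, not a PRNG)."""
    if len(values) < 2:
        return False
    steps = sum(1 for a, b in zip(values, values[1:]) if (b - a) % 65536 == 1)
    return steps / (len(values) - 1) > 0.9


def assess_resolver(queries: Sequence[Query]) -> Dict[str, object]:
    """Summarise how much of the (txid, port) space a resolver actually spreads over."""
    txids = [q[0] for q in queries]
    ports = [q[1] for q in queries]
    # With n samples the most entropy we can observe is log2(n); values well
    # below that mean the resolver keeps reusing the same few identifiers.
    ceiling = math.log2(len(queries))
    txid_bits = shannon_entropy_bits(txids)
    port_bits = shannon_entropy_bits(ports)
    findings: List[str] = []
    if len(set(ports)) == 1:
        findings.append("fixed source port: only the 16-bit transaction ID varies")
    elif port_bits < ceiling - 2:
        findings.append("source ports drawn from a small pool")
    if looks_sequential(txids):
        findings.append("sequential transaction IDs")
    if looks_sequential(ports):
        findings.append("sequential source ports")
    if txid_bits < ceiling - 2:
        findings.append("transaction IDs drawn from a small pool")
    return {
        "txid_entropy_bits": round(txid_bits, 2),
        "port_entropy_bits": round(port_bits, 2),
        "distinct_ports": len(set(ports)),
        "findings": findings,
        "vulnerable": bool(findings),
    }


# Constructed samples standing in for 200 queries taken from a packet capture.
_rng = random.Random(2008)
# Unpatched behaviour: random transaction IDs, but every query leaves from port 32768.
UNPATCHED = [(_rng.randrange(65536), 32768) for _ in range(200)]
# Patched behaviour (after the CVE-2008-1447 updates): ID and port are both randomised.
PATCHED = [(_rng.randrange(65536), _rng.randrange(1024, 65536)) for _ in range(200)]

if __name__ == "__main__":
    for name, sample in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(name, assess_resolver(sample))
```

A fixed port leaves only the transaction ID to guess, which is why the vendor updates added source-port randomisation; the script flags that case explicitly rather than relying on the entropy figure alone.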

Oracle Critical Patch Update July 2008
IntelliShield Security Activity Bulletin 16276, Version 1, July 15, 2008
Urgency/Credibility/Severity Rating: 2/5/4

Oracle has released the Critical Patch Update advisory for July 2008. The update contains 45 distinct security fixes for various Oracle products. Additional IntelliShield alerts that detail individual vulnerabilities will be released in the near future as technical details become available.

Apple Mac OS X and OS X Server Apple Remote Desktop Agent Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 16117, Version 3, August 1, 2008
Urgency/Credibility/Severity Rating: 2/4/4
CVE-2008-2830

Apple Mac OS X and OS X Server contain a vulnerability that could allow a local attacker to perform actions with elevated privileges. A local attacker could exploit the vulnerability to perform actions with root privileges. The attacker could leverage these privileges to take complete control of the targeted system. Malicious software is currently exploiting this vulnerability. OSX/Hovdy-A, which is documented in IntelliShield Alert 16132, has been identified as exploiting this vulnerability.

Adobe Flash Player Multimedia File Integer Overflow Vulnerability
IntelliShield Vulnerability Alert 15623, Version 5, June 4, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2007-0071

Adobe Flash Player contains an integer overflow vulnerability that could allow a remote attacker to cause a denial of service condition or execute arbitrary code with elevated privileges. The Downloader.Swif.C trojan, which is detailed in IntelliShield Alert 15955, attempts to exploit this vulnerability. Reports indicate that this malicious code is currently active in large-scale attacks. Adobe has confirmed the vulnerability and released updated software.

Debian and Ubuntu Predictable OpenSSL Random Number Generation Issue
IntelliShield Security Issue Alert 15858, Version 8, June 20, 2008
Urgency/Credibility/Severity Rating: 4/5/3
CVE-2008-0166 and CVE-2008-2285

Debian and Ubuntu contain a security issue in OpenSSL that could result in the generation of pseudo-random values that can easily be predicted. As a result, all SSL certificates, SSH keys, and passwords generated by affected third-party applications may have predictable features that could easily be determined through brute-force methods. Attackers may be able to nullify or significantly reduce the benefits supplied by encryption or randomization.

Physical

Government Agencies Watching for Counterfeit Vehicles

On August 12, 2008, United States (U.S.) border patrol agents near Mexico encountered a drug smuggling car disguised as a San Diego Gas & Electric company vehicle. The Ford Taurus bore the appropriate markings on its doors, but the license plate was registered to a Chevy Cavalier. The agents were suspicious because most of the San Diego Gas & Electric vehicles in the area are trucks. Drug and human smugglers have been using what has been termed "cloned vehicles" to cross the border and are increasingly using federal markings as cover. The Florida Department of Law Enforcement has issued a document to assist in identifying disguised vehicles.
Road Map to Cloned Vehicles

IntelliShield Analysis: An undue amount of trust is often given to vehicles and their occupants if the vehicles display certain markings. These markings are often easy to reproduce, especially with color printers and other widely available tools. Criminals may use these vehicles to intimidate others or gain unauthorized access to assets as well as to disguise their cargo. These vehicles are typically used for smuggling or theft, but the U.S. Federal Emergency Management Agency has issued a bulletin warning law enforcement agencies to watch for cloned vehicles that may be used for surveillance or attack at the U.S. Democratic and Republican national conventions in the next couple of weeks. Businesses should be sure that inspectors, security teams, and entry guards are educated in differentiating between a counterfeit company vehicle and an authentic company vehicle.

Legal

Changes Introduced in Version 1.2 of the PCI Data Security Standard

Version 1.2 of the PCI Data Security Standard (PCI DSS) is scheduled for release in October 2008. PCI DSS is a standardized list of requirements that is designed to implement an increased level of security for systems that handle payment account data. The changes implemented in version 1.2 may stem from data collected from recent attack trends and possibly the feedback from the IT community and audits conducted on major networks. PCI DSS consists of six guiding principles and twelve major requirements. These guiding principles and major requirements mainly focus on identifying and implementing industry best practice standards.

IntelliShield Analysis: The updated version of the PCI DSS does not contain any new guiding principles or major requirements. Many of the changes in version 1.2 were made to clarify how previous requirements are to be implemented on affected systems. Some changes were designed to add flexibility for patching software, conducting tests, storing audit files, and reviewing current firewall rules. Other changes were put in place to compel administrators to discontinue the use of Wired Equivalent Privacy (WEP) in favor of other, stronger encryption schemes for wireless systems. These changes include a timeframe to discontinue the use of WEP encryption. Businesses are encouraged to examine the changes and begin updating their infrastructures if necessary.

Trust

Princeton Review Student Records Accidentally Made Public on the Internet

Files that had previously been password protected lost this security measure recently when the Princeton Review moved its website to a new Internet provider in late June of this year. The names and birthdays of 74,000 students were made publicly available. The records of another 34,000 students were also made public and included not only their names and birthdays but also other personal information, such as test scores and ethnicity. Although the files were public, an individual would still need to know where to look to find them. Some of the pages may have been locatable using a search engine such as Google, however. The information about this exposure was revealed to the New York Times by a Princeton Review competitor who discovered the information while doing competitive research.

IntelliShield Analysis: Making sensitive information available over the Internet, even when a password is required to access it, carries some degree of risk. Companies need to consider what data needs to be accessible to authorized users and whether extra protection such as Secure Socket Layer (SSL) is needed to prevent eavesdropping on the data transfer. Some data should be made available only to company employees, using a Virtual Private Network (VPN) for access to the corporate network or some segment of it. It is not uncommon for companies to change Internet providers for their websites. As such, this information disclosure event is a reminder of the pitfalls possible during such a change. When a migration of this sort is performed, it is imperative that all security checks be validated to ensure that everything is in proper working order before completing the rollover to the new provider.

Identity

Millions of Personal Records Missing in UK

According to the BBC, the United Kingdom government has lost 29 million personal records from April 2007 to April 2008, based on figures found in documents released by UK governmental departments. The vast majority of the missing information was lost last November when 25 million records failed to be delivered through the HM Revenue and Customs (HMRC) postal system. These records contained information pertaining to child benefit payments for 7.5 million families. The remaining four million records include driving test data from the Department of Transport, as well as sensitive financial information that was contained in a missing laptop. A representative for the Cabinet Office stated that "Departments are taking intensive action to improve data security."

IntelliShield Analysis: With a population of approximately 60.8 million people, the UK's loss of data for nearly half of its population is an extremely serious security breach. With such a large pool of identity data, millions could be subject to financial loss and legal issues, and criminals and terrorists could disguise their activities. Identity theft is a rising security concern in the business community, with an 80-percent increase in reported phishing attacks in the first half of 2008 compared to the second half of 2007 (taken from a Cyveillance 2008 press release). Organizations should look to encrypt sensitive information, safeguard against eavesdropping, and take measures to ensure that the destination of records in transit is trusted. Early reporting of identity theft may guard against further damage.

Human

Pirate Motivation

Cliff Harris conducted a poll on his blog as well as several popular game-related and technology-related websites to gain feedback regarding the reasons that people pirate games. Harris received quite a bit of feedback and published his findings on his blog. Respondents gave a variety of reasons, indicating that they were not willing to pay the full price, and that often the product quality did not warrant the cost. Some even indicated that they did it because they knew there was only a small chance that they could be caught.

IntelliShield Analysis: Piracy of software, games, music, video, and other media has been a frustration for the software and e-commerce industries since floppy disks became mainstream. Despite several industry attempts to curb it, the ease of copying software and media, as well as its intangibility, continues to make it easier in many users' minds to illegally copy or download products that they would not likely consider stealing from a physical store. Although the technologies have changed, little has changed in the human aspect of this issue. Even where Western countries' copyright protections are being violated, many other countries do not have similar legal or cultural considerations at all. Software vendors may wish to review Harris' findings and consider changes that would limit the theft as well as encourage users to legally obtain their products.

Geopolitical

Emerging Market Impact on Semiconductor Industry

Emerging markets have become a major driver in semiconductor demand growth, according to a recent report by the Semiconductor Industry Association (SIA). According to the report, purchases of personal computers represent about 40 percent of semiconductor demand, and mobile phones drove 20 percent of that demand. Of the 5.4 percent demand growth in the first half of 2008, surging growth in China, India, Latin America, and Eastern Europe helped offset declines in the United States. The SIA report also noted that high fuel prices do not appear to have slowed demand growth in any meaningful way. On the supply side of the equation, emerging markets are becoming hubs for the increasing percentage of semiconductor fabrication. As one of the world's leading manufacturers of semiconductors, Taiwan seeks to share its semiconductor industry with mainland China by revising trade restrictions between the two countries. This move reflects Taiwan's new President's pro-China stance and would allow China to build 12-inch chip plants. Current trade laws restrict China from engaging in the production of 12-inch chips.

IntelliShield Analysis: The impact of emerging market growth on the semiconductor industry is being felt from both the supply chain and market demand, adding to potential volatility. Particularly given the energy-intensive nature of chip fabrication, increased demand is likely to drive costs up. Moreover, as semiconductor fabrication plants increasingly move to emerging market locations, the reliability of critical infrastructure, electricity, clean water, and transportation becomes a greater risk. This is particularly noteworthy in the movement of production from Taiwan to mainland China, which is expected to increase as Taiwan's new government relaxes controls on outsourcing of sensitive technology to China. Companies that have outsourced semiconductor manufacturing to Taiwan should be aware that these chips may increasingly be produced in mainland China.

Upcoming Security Activity

sec-t: September 11–12, 2008
IT Security World: September 13–18, 2008
OWASP Israel 2008: September 14, 2008
Oracle OpenWorld 2008: September 21–25, 2008
OWASP NYC AppSec 2008: September 22–25, 2008
OARC Workshop 2008: September 24–25, 2008
Kiwicon 2k8: September 27–28, 2008
SANS Network Security 2008: September 28–October 6, 2008
BA-Con Argentina 2008: September 30–October 1, 2008
Virus Bulletin 2008: October 1–3, 2008
ekoparty Security Conference: October 2–3, 2008
Critical Infrastructure Protection Congress: October 6–8, 2008

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Democratic National Convention: August 25–28, 2008
Republican National Convention: September 1–4, 2008
Ramadan: September 1–31, 2008

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
