Cyber Risk Report

August 31–September 6, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity for this time period was consistent with previous time periods. Significant activity included vulnerabilities in Microsoft Internet Information Services (IIS) server and SQL server, the release of Apple Mac OS X 10.6 (Snow Leopard), and a Google Gmail outage.

Microsoft released a security advisory to address a vulnerability in the IIS versions 5.0, 5.1 and 6.0 FTP service, as reported in IntelliShield alert 18951. The vulnerability could allow an authenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code with SYSTEM privileges. Exploiting the vulnerability requires the FTP service to allow anonymous write access. Microsoft confirmed this vulnerability, and updated software is available for some platforms. A security flaw was also reported in the Microsoft SQL server 2000, 2005, and 2008, which allows a user with administrative privileges to view unencrypted passwords of other users. Although this issue is likely a low risk for most environments, the flaw could impact the separation of administrator duties; increase the risk of insider threats; and enable the extension of privileges of an attacker who gains administrative access to the database. According to reports, Microsoft considers the flaw a minor issue and does not intend to release an immediate patch.

Google Gmail experienced an outage that lasted approximately two hours. The Gmail blog postings reported the problem as a cascading failure triggered by taking a small number of servers offline for routine maintenance. Gmail reported "slightly underestimating" the load that was transferred to the remaining servers, which stopped traffic and caused additional load on the remaining servers until all servers stopped accepting traffic. Read More

Apple released Mac OS X 10.6 (Snow Leopard) with early adopters reporting only minor flaws and bugs while running some 32-bit applications on the 64-bit operating system. The initial release of Snow Leopard reportedly included an older version of the Adobe Flash Player that is known to have multiple vulnerabilities. Users that have updated to Mac OS X 10.6 are advised to update their Flash Player to version 10.0.32.18, which is available at http://get.adobe.com/flashplayer/. Reports also indicate that fraudulent websites are offering downloads of the new Mac OS X version. Users are advised to only update their systems and applications from official Apple and Adobe websites.

Antivirus vendors reported a "wiretap trojan" with various names that captures recordings of Skype service VoIP communications. The trojan captures the communications prior to encryption through the Microsoft Windows audio processing. The trojan, however, does not exploit a vulnerability in Skype or Microsoft Windows. The captured communications can be converted to an MP3 format and saved on the attacker's computer. This trojan is likely to be used for directed attacks against specific individuals or systems and not the mass compromise of Skype VoIP communications.

Also during the time period, a cross-site scripting vulnerability was reported in Twitter that could allow an attacker to take over user accounts if a user views a malicious tweet message. According to Twitter, the website has been updated, but reports indicate the vulnerability may not be completely corrected. Users are advised not to follow untrusted sources, and to continue to use caution on all Web 2.0 and social networking sites. These sites are experiencing increased focus from malicious and criminal elements that are attempting to exploit the popularity of the sites.

In upcoming activity, the Microsoft Security Bulletin Advance Notification for September 2009 was released and includes five security bulletins. The bulletins will be released on Tuesday, September 8, and each bulletin is rated Critical by Microsoft. The bulletins impact Microsoft Windows 2000, XP, Server 2003, Vista, and Server 2008.

Cisco will release its semiannual Cisco IOS Software advisory bundle on September 23, 2009. Cisco moved to bi-annual Cisco IOS advisory releases in 2008. The last Cisco IOS Software advisory bundle was released in March 2009.

Oracle announced that the October 2009 Oracle Critical Patch Update that was scheduled for release on October 13, 2009, has been rescheduled for release on October 20, 2009. The new release date is meant to avoid conflicts with Oracle OpenWorld, which is scheduled for October 11-15, 2009.

IntelliShield published 83 events last week: 31 new events and 52 updated events. Of the 83 events, 66 were Vulnerability Alerts, three were Security Activity Bulletins, two were Threat Outbreak Alerts, eleven were Security Issue Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day Date New Updated Total
Friday 09/4/2009 8 13 21
Thursday 09/3/2009 3 7 10
Wednesday 09/2/2009 7 23 30
Tuesday 09/1/2009 5 8 13
Monday 08/31/2009 8 1 9
Weekly Total 31 52 83

 

2009 Monthly Alert Totals

Month New Updated Monthly Total
January 148 392 540
February 227 249 476
March 222 335 557
April 164 206 370
May 218 175 393
June 232 209 442
July 128 167 295
August 176 225 401
Annual Total 1515

1958

3474

 

The IntelliShield alert metrics show a continued decline in the overall volume of vulnerability activity, as reported in Cisco's 2009 Midyear Security Report. The end-of-month alert totals for August 2009, were 3,474, while the end-of-month alerts total for August 2008, were 4,857. The results show a 28 percent decline for the year.

Significant Alerts for August 31-September 6, 2009

Microsoft Internet Information Services FTPd Remote Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 18951, Version 4, September 4, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-3023

Microsoft Internet Information Services (IIS) versions 5.0, 5.1, and 6 contain a vulnerability in the FTPd service that could allow an authenticated, remote attacker to cause a DoS condition or execute arbitrary code with elevated privileges. Microsoft confirmed this vulnerability and updated software is available for some platforms.

Previous Alerts That Still Represent Significant Risk

Linux Kernel sock_sendpage() Local Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 18847, Version 5, September 1, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-2692

The Linux Kernel versions 2.4 through 2.6.30.4 contain a vulnerability that could allow an unprivileged, local attacker to execute arbitrary code with elevated privileges or cause a DoS condition. Proof-of-concept exploit code is publicly available. Red hat has released Updates.

Microsoft Visual Studio Active Template Library Uninitialized Object Vulnerability
IntelliShield Vulnerability Alert 18725, Version 9, August 27, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-0901

Microsoft Visual Studio Active Template Library contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has released a security bulletin and software updates to address the Microsoft Visual Studio Active Template Library uninitialized object vulnerability in Microsoft Windows.

Microsoft Windows Video msvidctl ActiveX Control Code Execution Vulnerability
IntelliShield Vulnerability Alert 18595, Version 9, August 11, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-0015

Microsoft Windows XP SP3 and prior and Windows Server 2003 SP2 and prior contain a vulnerability in the msvidctl ActiveX Control that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has released an additional security bulletin and software updates to address the Microsoft Windows video msvidctl ActiveX control code execution vulnerability.

ISC BIND Dynamic Update Remote Denial of Service Vulnerability
IntelliShield Vulnerability Alert 18730, Version 9, August 25, 2009
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2009-0696

ISC BIND contains a vulnerability that could allow an unauthenticated, remote attacker to cause a DoS condition. Apple and Novell have released security advisories and updated software to address the ISC BIND dynamic update remote DoS vulnerability.

Microsoft Office Web Components ActiveX Control Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 18633, Version 5, August 12, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-1136

Microsoft Office Web Components contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. This vulnerability is due to an unspecified error in the Office Web Components ActiveX control. Reports indicate that exploits of this vulnerability are ongoing. Additional technical information is available to detail the Microsoft Office Web Components ActiveX control arbitrary code execution vulnerability.

Microsoft Windows DirectShow QuickTime Media Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 18366, Version 3, July 14, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-1537

Microsoft Windows DirectShow contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has indicated that limited, active attacks are occurring. Microsoft has released an update that corrects this vulnerability.

Microsoft Internet Information Services WebDav Unicode Processing Security Bypass Vulnerability
IntelliShield Vulnerability Alert 18261, Version 3, June 9, 2009
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-1535

Microsoft IIS versions 5.0, 5.1, and 6.0 contain a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and access sensitive information. The vulnerability is due to improper processing of Unicode characters in HTTP requests. An exploit could allow the attacker to bypass security restrictions and download arbitrary files from the targeted system. Exploit code is available. Microsoft has confirmed this vulnerability in a security bulletin and released software updates.

Physical

California Wildfires Threaten Radio and Cellular Infrastructure

Wildfires continue to threaten the city of Los Angeles, California (United States) and related power and telecommunications infrastructure. Transmitters atop Mount Wilson provide cellular telephone, radio, and television network service throughout Los Angeles. Situated to the north of Los Angeles, Mount Wilson is dangerously close to the fires. Electrical power lines surrounding the area of the fire have been threatened as well. The fires continue to burn in California, displacing residents and threatening outages that may affect the entire city.
Read more  
Additional Information  

IntelliShield Analysis: In addition to the risks to life and property, the danger to infrastructure continues, and although outages have not yet been reported, some may yet occur. Businesses are advised to implement plans for outages that are related to all types of risks, and distribute communication modes as a workaround for single outages. Additionally, the deployment of new infrastructure should take into account natural threats. By geographically distributing transmitter equipment, businesses can protect against threats to concentrations of telecommunication infrastructure such as those deployed on Mount Wilson.

Legal

United States Appeals Court Says Plainview Doctrine Does Not Apply to Electronic Searches

The United States (U.S.) Circuit Court of Appeals for the Ninth Circuit has ruled that the plain view doctrine does not apply to data that is stored on electronic devices, rejecting arguments from the U.S. Department of Justice. The case involved records that were stored on the computers of Comprehensive Drug Testing, Inc. (CDT). A warrant was issued to collect the records of ten Major League Baseball players, who were suspected of steroid use. However when the warrant was executed, instead of collecting only the records that pertain to the players in question, all records on the computer system were collected, including the records of hundreds of other players and many unrelated individuals. The opinion of the court states that the warrant was specific to only the records of ten players, and that if other records are collected during the warrant execution, a third party should be designated to segregate the other records prior to being given to government investigators.
Read more  
Additional Information

IntelliShield Analysis: Although this ruling seems to make warrantless electronic searches illegal, the ruling actually highlights data that is not specified in a warrant and inadvertently discovered or collected. The ruling still allows searches that are mandated by a sufficiently broad search warrant, including so called "fishing expeditions" or searches of any electronic equipment where no search warrant is required, such as searches at border crossings. These searches have been either explicitly or implicitly agreed to because any person crossing a border with electronic equipment and any other item is subject to search. Businesses should remain current with developing precedents, and advise users, particularly those who travel internationally, to avoid legal issues.

Trust

Attack Against WPA Made Practical by Japanese Researchers

Researchers in Japan have developed a way to break Wi-Fi Protected Access (WPA) systems that use the Temporal Key Integrity Protocol (TKIP) in about a minute. WPA using TKIP now joins the ranks of Wired Equivalent Privacy (WEP) as very insecure. WPA was a replacement for WEP, which was rendered insecure by an attack after just a few years of existence. Although WPA encryption using Advanced Encryption Standard (AES) remains secure, WPA as a protocol has been depreciated in favor of WPA2. All devices displaying the Wi-Fi Alliance "Wi-Fi-certified" sticker since March 2006, support WPA2, and users are now urged to reconfigure their devices to use WPA2 wherever possible.
Read More  
Additional Information

IntelliShield Analysis: Security attacks as well as the security standards under attack continue to evolve. Just as Moore's Law has increased the speed and density of computing equipment, attacks on previously secure protocols have evolved to render those protocols insecure. Although the attack is currently beyond the reach of a casual user, it will not be long before the attack is coded into an easy to use program and becomes available to the world of hackers. The clued in network administrator will always stay apprised of evolving standards and move to them when they become stable.

Identity

There was no significant activity in this category during the time period.

Human

Back to School, Back to Basics

This time of year brings two information security events to the forefront: the return to school by students in many countries, including the United States (U.S.), and the month of October, which is National Cyber Security Awareness Month in the U.S. As students return to school, many are being met with an increased presence of computers and web-based education. Many students now have or are required to have personal computers, and books are being moved online to reduce costs, and assignments, teachers, and assistance with homework are available through school websites. Schools will also likely provide students with acceptable use policies and safe computing presentations. Similarly, this is the time of year for businesses to re-educate users on these very same security basics. An abundance of educational and reference material is available at the links below, and many of the major vendors, government and professional organizations will be holding security events throughout the month of October.
Additional Information  
Additional Information

IntelliShield Analysis: Educators, parents, and managers can make use of the numerous websites and resources available to message and re-educate users. Most provide simple, straightforward advice and recommendations about the basics of cyber security. As complex, expensive, and intimidating as many cyber security issues can be, it is often a failure to perform basic practices that lead to more severe security problems. By using strong passwords and changing them regularly; updating software; enabling the included security features on computers and browsers; and avoiding known risky behaviors can provide users with a basic level of protection and usability. As social networking sites top the list for use by students and users, trends in criminal activity show an increased focus on these sites, attempting to exploit their popularity and users. Social networking sites should be used with an increased level of awareness that can be provided during security presentations.

Geopolitical

Cloud Computing Complicated by Global Context

The global economic downturn has proved a boon for cloud computing, as business and government entities that are caught between tight budgets and expanding demand turn to scalable, pay-as-you-go cloud services, such as Software as a Service (SAAS). The expanding demand has brought international players into the mix, including Indian offshoring giant Wipro, which last week announced a new SAAS offering that may compete with the likes of Amazon.com and IBM.
Read more  
Additional Information

IntelliShield Analysis: Cloud computing has been called the ultimate form of globalization, a description which should align it with concepts like offshoring and outsourcing. However, physical proximity of data centers to the client remains important for latency reasons, prompting companies like Wipro to consider locating data centers close to their clients. A potentially more troubling concern may be the unwanted offshoot of a key cloud computing advantage, that of distribution. In an attempt to insulate clients from physical outages based on geographical location, Amazon Web Services, for example, provides so-called availability zones which allow distribution of data across various countries and regions. With data potentially residing in multiple jurisdictions, enterprises run the risk of falling victim to varying data protection and privacy laws. In the United States (U.S.), Sarbanes-Oxley compliance and data protection requirements under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Patriot Act could lead governments to require a web services provider to hand over a client's data. In the European Union (E.U.), the Data Protection Directive addressed in part under the U.S.-E.U. Safe Harbor Act creates obstacles for the movement of data outside of E.U. legal jurisdiction.

Upcoming Security Activity

ASIS International 55th Annual Seminar and Exhibits: September 21–24, 2009
Cisco IOS Security Bundle Release: September 23, 2009
G20 Summit, Pittsburgh, Pennsylvania: September 24–25, 2009
U.S. National Cyber Security Awareness Month: October, 2009
Hack In The Box Malaysia 2009: October 5–6, 2009
Oracle Critical Patch Update: October 20, 2009
CSI2009 Annual Conference, Washington, D.C.: October 24–30, 2009

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Ramadan: August 21–September 19, 2009
Rosh Hashanah: September 18, 2009
Yom Kippur: September 27, 2009
German Parliament elections: September 27, 2009
China National Day Holiday: October 1, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.

Back to Top