August 4–10, 2008

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Threat levels were relatively low during the time period, with peak vulnerability activity surrounding the Microsoft Security Bulletin Advance Notification for August 2008 that was released on August 7. Of the 12 bulletins scheduled for release, Microsoft scored seven with a maximum severity rating of Critical and five with a maximum severity rating of Important. These bulletins address vulnerabilities in Microsoft Windows, Internet Explorer, Microsoft Office products, Outlook Express, Windows Mail, and Windows Messenger. The Black Hat and DEFCON security conferences occurred during the time period and may actually have contributed to a reduction in vulnerability activity. Many security researchers and hackers were in attendance to learn new techniques and to explore the latest technologies in computer, network, and information security.
One of the most anticipated presentations at the Black Hat conference was security researcher Dan Kaminsky's talk on DNS. Kaminsky gave a large audience additional and detailed attack avenues for the multiple vendor DNS implementations insufficient entropy vulnerability, one of the most severe vulnerabilities of the year. The presentation comprised over 100 slides and discussed creative ways of exploiting the DNS flaw as well as the ease with which it can be combined with other vulnerabilities. IntelliShield analysts expect elevated levels of active exploits of this vulnerability over the coming weeks because of the information, attack vectors, and techniques disclosed at the Black Hat and DEFCON security conferences.

A new worm targeting users of the MySpace and Facebook online social networks has been discovered. W32.Koobface.A, described in IntelliShield Alert 16373, searches the infected system for browser cookies related to the Facebook and MySpace websites. If an appropriate cookie is found, the worm manipulates the settings and embeds links to malicious websites in the user's profile. The links may arrive as an inbox message on Facebook accounts and on MySpace, or the links may be embedded in the user-comments section of user profiles. The message appears to contain a link to a site containing a video clip. If the user tries to view the video, an error message is displayed stating that there was an error downloading the video codec and that the user needs to install the latest version of the Flash Player. However, instead of a Flash Player download, the file codecsetup.exe, which is a copy of the worm, is downloaded to the user's machine. W32.Koobface.A is expected to be successful because many users of the social networking sites are trusting of messages that appear to be left by friends. The likelihood of the user following the malicious link is high due to the added trust level. Users are strongly encouraged to always verify the authenticity of unexpected links.
For assistance in verifying the authenticity of links, users can check the reputation of any URL using the IronPort Security Network E-mail and Web Reputation Tool on the SenderBase website.

Several phishing attempts and spamming of malware occurred during the time period, with much activity surrounding the start of the Olympic Games in Beijing, China. Fake Olympic ticketing sites were created months ago to fool users into purchasing fake tickets. The phishing websites are discussed in greater detail in the Human risk management category of this report. E-mails that appeared to originate from the Cable News Network (CNN) were also circulating during the time period. These e-mails, which contain a link to a malicious website that is hosting malware, were propagating with subject lines such as "CNN.com Daily Top 10." Also contributing to spamming activity were false e-mails that referenced updates for the Internet Explorer 7 browser. These e-mails contain From: addresses of admin@microsoft.com, subject lines of "Internet Explorer 7," and attachments with the filename update.exe, which is a copy of the malware. As a general best practice to avoid being victimized by e-mail scams, users are advised to avoid opening unexpected e-mail attachments or executables from untrusted sources. Users are also reminded of the importance of not following unsolicited links and of verifying the authenticity of unexpected links prior to following them.

IntelliShield published 108 events last week: 36 new events and 72 updated events. Of the 108 events, 98 were Vulnerability Alerts, three were Security Issue Alerts, three were Daily Malicious Code Summaries, two were Malicious Code Alerts, one was a Security Activity Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals
Multiple Vendor DNS Implementations Insufficient Entropy Vulnerability

DNS implementations of multiple vendors contain a vulnerability that could allow an unauthenticated, remote attacker to conduct DNS cache poisoning attacks. Such an attack may result in the modification of stored DNS entries, possibly allowing the attacker to conduct further attacks against systems that rely on the affected DNS server. Functional exploit code that allows the insertion of malicious DNS records to poison the cache of the targeted DNS server has been publicly released. This exploit caches a single malicious host entry on the DNS server. A successful exploit in this manner allows the attacker to spoof DNS entries, causing the target DNS server to insert the additional malicious record into its cache. Additional exploit code that allows for complete domain hijacking through the modification of SOA records is also available. Multiple exploit tools are becoming publicly available, increasing the risks associated with not patching affected products.

Oracle Critical Patch Update July 2008

Oracle has released the Critical Patch Update advisory for July 2008. The update contains 45 distinct security fixes for various Oracle products. Additional IntelliShield alerts that detail individual vulnerabilities will be released in the near future as technical details become available.

Apple Mac OS X and OS X Server Apple Remote Desktop Agent Privilege Escalation Vulnerability

Apple Mac OS X and OS X Server contain a vulnerability that could allow a local attacker to perform actions with elevated privileges. A local attacker could exploit the vulnerability to perform actions with root privileges. The attacker could leverage these privileges to take complete control of the targeted system. Malicious software is currently exploiting this vulnerability. OSX/Hovdy-A, which is documented in IntelliShield Alert 16132, has been identified as exploiting this vulnerability.
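The DNS alert above characterizes the flaw as insufficient entropy in a resolver's outbound queries, which is what makes the cache-poisoning guesswork feasible. The following Python is an added example, not part of the original report or of any vendor's tooling: it audits a sample of a resolver's own outbound (transaction ID, UDP source port) pairs and flags fixed, sequential, or low-entropy values. The function names and the three constructed samples are assumptions made for illustration.

```python
import math
import random
from collections import Counter

def shannon_bits(values):
    """Empirical Shannon entropy, in bits, of the observed values."""
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())

def sequential_fraction(values):
    """Fraction of consecutive observations that differ by exactly +1 (mod 2^16).
    A counter takes many distinct values, so entropy alone would not expose it."""
    steps = [(b - a) % 65536 for a, b in zip(values, values[1:])]
    return sum(1 for s in steps if s == 1) / len(steps)

def audit_resolver(samples, min_samples=64):
    """samples: (txid, udp_source_port) pairs captured for one resolver's outbound
    queries, in the order they were sent. Returns the estimates and a verdict."""
    n = len(samples)
    if n < min_samples:
        raise ValueError("need at least %d observed queries" % min_samples)
    txids = [t for t, _ in samples]
    ports = [p for _, p in samples]
    # n observations cannot reveal more than log2(n) bits, so judge each field
    # against that ceiling rather than the theoretical 16 bits of the field.
    ceiling = min(16.0, math.log2(n))
    report = {
        "txid_bits": shannon_bits(txids),
        "port_bits": shannon_bits(ports),
        "txid_sequential": sequential_fraction(txids),
        "port_sequential": sequential_fraction(ports),
    }
    if len(set(ports)) == 1:
        verdict = "fixed source port"
    elif report["port_sequential"] > 0.8 or report["port_bits"] < 0.5 * ceiling:
        verdict = "predictable source port"
    elif report["txid_sequential"] > 0.8 or report["txid_bits"] < 0.5 * ceiling:
        verdict = "predictable transaction id"
    else:
        verdict = "ok"
    report["verdict"] = verdict
    return report

# Constructed samples with a fixed seed (assumed, not real captures):
# an unpatched resolver always querying from port 53, one that walks its
# source port upward as a counter, and a patched one randomizing both fields.
_rng = random.Random(2008)
UNPATCHED = [(_rng.getrandbits(16), 53) for _ in range(256)]
SEQUENTIAL_PORT = [(_rng.getrandbits(16), 32768 + i) for i in range(256)]
PATCHED = [(_rng.getrandbits(16), 1024 + _rng.getrandbits(15)) for _ in range(256)]

if __name__ == "__main__":
    for name, s in (("unpatched", UNPATCHED), ("sequential", SEQUENTIAL_PORT), ("patched", PATCHED)):
        print(name, audit_resolver(s)["verdict"])
```

The sequential case shows why a plain entropy figure is not enough: its 256 source ports are all distinct, yet every one is predictable from the previous query.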
Adobe Flash Player Multimedia File Integer Overflow Vulnerability

Adobe Flash Player contains an integer overflow vulnerability that could allow a remote attacker to cause a denial of service condition or execute arbitrary code with elevated privileges. The Downloader.Swif.C trojan, which is detailed in IntelliShield Alert 15955, attempts to exploit this vulnerability. Reports indicate that this malicious code is currently active in large-scale attacks. Adobe has confirmed the vulnerability and released updated software.

Debian and Ubuntu Predictable OpenSSL Random Number Generation Issue

Debian and Ubuntu contain a security issue in OpenSSL that could result in the generation of pseudo-random values that can easily be predicted. As a result, all SSL certificates, SSH keys, and passwords generated by affected third-party applications may have predictable features that could easily be determined through brute-force methods. Attackers may be able to nullify or significantly reduce the benefits supplied by encryption or randomization.

Microsoft Jet Database Engine msjet40.dll MDB Parsing Buffer Overflow Vulnerability

Microsoft Jet Database Engine contains a buffer overflow vulnerability that could allow a remote attacker to execute arbitrary code. Proof-of-concept code that demonstrates the possibility of code execution on Microsoft Access 2003 SP3 is available. The TROJ_MDROPPER.MB trojan, which exploits this vulnerability, is currently active and is documented in IntelliShield Alert 12562. Microsoft has confirmed this vulnerability in a security bulletin and released updates.

Physical

TSA Vendor Finds Missing Laptop

Verified Identity Pass (VIP), a vendor for the United States Transportation Security Administration (TSA), recently located a laptop that it had reported missing and feared stolen from the San Francisco International Airport on July 26, 2008. The VIP company is one of the primary operators for the Registered Traveler program, Fly Clear.
The laptop contained unencrypted information that included the names, passport numbers, and other personal data of 33,000 registered customers of the Fly Clear program. The chief executive officer of VIP released a statement that apologized for any confusion and announced that a preliminary investigation indicated that the information on the laptop did not appear compromised. An investigation is also being conducted by law enforcement personnel.

IntelliShield Analysis: It is currently unclear whether the laptop was stolen or simply misplaced. The use of laptops and other mobile devices in lieu of desktop computers has become commonplace, but the practice carries a different type of security risk. Mobile devices can be easily stolen or lost, and businesses need to examine options such as encryption for securing data. Additionally, tracking physical possession of the equipment and furnishing employees with portable equipment to secure mobile devices should be considered. Educating users on storing and traveling with mobile equipment, and on whom to contact if an incident occurs, will also reduce the risks associated with using these devices.

Legal

Crime Ring Indicted on Multiple Credit Card Thefts

A ring of cyber criminals operating from several countries has been indicted on multiple charges of credit card theft. The thefts targeted a number of businesses, many of which had reported losses of data, and included TJ Maxx, Boston Market, Barnes & Noble, DSW Shoe Warehouse, OfficeMax, Forever 21, BJ's Wholesale Club, Sports Authority, and Dave & Buster's, Inc. The theft totaled some 40 million credit card and debit card numbers and is considered the largest theft of this type to date. After a three-year undercover investigation, authorities connected all the cases to a group of 11 individuals operating from China, the Ukraine, the United States, Belarus, and Estonia.
An underground economy exists for the sale of stolen credit cards and other personal information. Financial gain is the driving motivation for many hackers. While this large operation has been stopped, companies will need to be more vigilant than ever to protect against future thefts. Law enforcement agencies will need to stay current with the techniques used by cyber criminals.

Trust

Microsoft Announces Plan to Collaborate More Closely with Security Industry

During the Black Hat conference held during the time period, Microsoft announced the Microsoft Active Protections Program (MAPP). The program is intended to give security software vendors additional time and information about Microsoft vulnerabilities, which will allow the vendors to adjust products to warn and protect customers against soon-to-be-revealed vulnerabilities. In recent years, exploits have been reverse-engineered from Microsoft patches in short order; in some cases, in just two hours. In addition to the pre-release information, Microsoft also plans to incorporate an Exploitability Index that is intended to assist customers in prioritizing the application of patches. Microsoft also announced intentions to work with other vendors to identify vulnerabilities in third-party software that runs on the Windows operating system. The new programs are scheduled to begin in October 2008.

Identity

There was no significant activity in this category during the time period.

Human

Olympic Games Ticket Phishing

With the start of the Olympic Games in Beijing, China, the International Olympic Committee has been notified of several websites that claim to be selling tickets to the Olympic events. The phishing websites prompted customers to fill out registration forms before entering credit card information. Tickets were not delivered after payment, and the websites retained all customer-provided funds.
Reports indicate that this phishing event is one of the largest ticket scams ever reported, with an estimate of over US$40 million stolen. Two websites, beijingticketing.com and beijing-tickets2008.com, that were known to have been involved in these phishing attempts have since been shut down.

IntelliShield Analysis: Scammers frequently capitalize on major sporting events, and potential ticket buyers need to be wary. Because there was no input validation associated with the payment forms on the websites, users could enter any character string in any field, a disparity that is often a good indication that the site is fake and does not intend to deliver the purchased goods. These sites appeared legitimate and were very professionally created using the Olympic trademarks. In fact, the United States (U.S.) television network MSNBC added to the confusion by hosting links to at least one of the false ticketing sites on MSNBC.com. The websites were also among the first items to appear in Google search results. To avoid these types of scams, sports fans should do extensive research when making online purchases to ensure they are ordering tickets through an authorized dealer. For assistance in verifying the authenticity of sites and to learn when domains were registered, users can employ the IronPort Security Network's E-mail and Web Reputation Tool on the SenderBase website.

Geopolitical

Beijing Visitors Cautioned to Modify Expectations of Privacy

With the Beijing Olympic Games underway after years of preparation and months of anticipatory media coverage, many visitors are being warned by friends, companies, and governments to expect little physical or data privacy during their trip. The U.S. Department of State 2008 Olympic Fact Sheet notes that hotel rooms and offices may be monitored or accessed without an occupant's knowledge, and many commentaries assert that taxi cabs will also be monitored.
According to the Wall Street Journal, Beijing taxis are also equipped with GPS tracking devices and remote engine-kill capability. Thousands of video surveillance cameras have been enabled throughout the city. When leaving China, border agents in many countries, including the U.S., have the authority to seize laptops, MP3 players, and other digital devices with little or no prior cause.

IntelliShield Analysis: Despite the widespread coverage of China's surveillance capabilities, given the sheer numbers of people visiting Beijing over the coming weeks, the likelihood that any one individual's taxi conversations will be recorded, e-mail intercepted, or laptop seized is remote. Moreover, the heightened level of surveillance and security may well have the intended effect of deterring those who would disrupt the Olympic Games or cause bodily harm to spectators. Visitors or business travelers to the region should probably leave behind not only those electronic gadgets that can be spared, but also expectations of privacy and freedom of speech. The only sure way to avoid having sensitive information overheard, intercepted, or impounded while traveling is to leave it at home.

Upcoming Security Activity

Microsoft Security Bulletin Update for August 2008: August 12, 2008

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Beijing 2008 Summer Olympics: August 6–24, 2008

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.