Cyber Risk Report

December 1–7, 2008

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity levels during the time period were highlighted by the release of updated versions of the Java Runtime Environment and multiple alert notifications by Sun. IntelliShield analysts identified 23 distinct and previously undisclosed vulnerabilities from these Sun notifications. Due to the wide range of systems that are affected by vulnerabilities in Java, administrators are advised to test the Java updates as soon as possible to ensure that users can safely install the updates without losing the ability to perform critical functions.

Microsoft released the Advanced Notification for the December 2008 security bulletin release. Of the eight bulletins scheduled for release on December 9, 2008, Microsoft scored six with a maximum severity rating of Critical and two with a rating of Important. These bulletins address vulnerabilities in the Microsoft Windows operating system, the Microsoft Office Suite of applications, the Microsoft Developer Tools and Software, Microsoft Internet Explorer, and Microsoft Server Software products.

In other vulnerability-related events, the security software vendor ElcomSoft released an advisory claiming that the password protection of Adobe Acrobat 9 is significantly weaker than that of prior versions. According to ElcomSoft, although the newer version uses a stronger encryption algorithm, the routine that checks a user-supplied password is much faster to compute, so the time required to recover a lost password to an encrypted .pdf document by brute force is far shorter. The claim is a reminder that the cost of testing each password guess, not the cipher's key length, bounds an offline attack, and that users should not rely solely on password protection and encryption to secure sensitive documents. To improve the security of sensitive information, users are also advised to limit access to documents to the intended recipients and to consider deleting such documents when they no longer need to be retained.
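The following added example (not part of the original report, and not Adobe's or ElcomSoft's code) illustrates the point above: the same dictionary attack recovers the same password against a single-pass key derivation and against an iterated one, but each guess against the iterated derivation costs thousands of times more work. The salt, the word list, and the two derivation functions are constructed stand-ins chosen for the demonstration.

```python
"""Added example: why the cost of checking one password guess, not the
cipher's key length, bounds an offline attack on a password-protected file.
The two derivations are illustrative stand-ins, not Adobe's algorithms."""
import hashlib
import time

# Constructed salt and candidate list for the demonstration.
SALT = bytes(range(8))
WORDLIST = ["password", "letmein", "winter08", "holiday", "xmas2008"]


def derive_key_fast(password: str, salt: bytes) -> bytes:
    """Single hash pass: cheap to verify, so cheap to brute-force."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def derive_key_slow(password: str, salt: bytes, iterations: int = 50_000) -> bytes:
    """Iterated PBKDF2-HMAC-SHA256: every guess costs `iterations` HMAC calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def crack(target_key: bytes, salt: bytes, candidates, kdf):
    """Dictionary attack. Returns (password or None, guesses tried, seconds)."""
    start = time.perf_counter()
    tried = 0
    for guess in candidates:
        tried += 1
        if kdf(guess, salt) == target_key:
            return guess, tried, time.perf_counter() - start
    return None, tried, time.perf_counter() - start


def cost_ratio(salt: bytes, iterations: int = 50_000, samples: int = 1000) -> float:
    """Seconds per guess for the slow derivation divided by the fast one."""
    t0 = time.perf_counter()
    for _ in range(samples):
        derive_key_fast("benchmark", salt)
    fast = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    derive_key_slow("benchmark", salt, iterations)
    slow = time.perf_counter() - t0
    return slow / fast


def demo():
    """Recover the same document password against both derivations."""
    secret = "holiday"
    fast_hit = crack(derive_key_fast(secret, SALT), SALT, WORDLIST, derive_key_fast)
    slow_hit = crack(derive_key_slow(secret, SALT), SALT, WORDLIST, derive_key_slow)
    return fast_hit, slow_hit


if __name__ == "__main__":
    (pw_f, n_f, t_f), (pw_s, n_s, t_s) = demo()
    print(f"fast KDF: {pw_f!r} after {n_f} guesses in {t_f:.6f}s")
    print(f"slow KDF: {pw_s!r} after {n_s} guesses in {t_s:.6f}s")
    print(f"slow derivation costs ~{cost_ratio(SALT):,.0f}x more per guess")
```

Both attacks succeed on the fourth guess; what differs is the wall-clock cost per guess, which is the quantity a password-recovery tool's throughput figures actually measure.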

In malicious code activity, a new worm is propagating across vulnerable networks by exploiting the Microsoft Windows Server Service Remote Procedure Call (RPC) request handling code execution vulnerability (MS08-067). W32/Conficker.worm is the latest worm to exploit this vulnerability. When installed, the worm starts an HTTP server, downloads and executes additional malicious files, and modifies the system registry. Administrators are advised to apply the MS08-067 Microsoft update to prevent attacks by this worm; because the vulnerable RPC interface is reached over SMB, restricting TCP ports 139 and 445 between network segments where they are not required also limits the worm's ability to spread. This worm is documented in IntelliShield Alert 17121.

Additional malicious code activity includes a mass-mailing worm known as W32.Ackantta@mm. This worm spreads using three different holiday-themed e-mail messages. One propagation e-mail claims to contain a Christmas coupon from McDonald's, another appears to arrive from Coca-Cola announcing a new Christmas promotion, and the last of the known messages is the frequently abused Hallmark e-card lure. Each message carries a ZIP attachment that contains the malicious executable. Once installed on a system, the worm provides backdoor access and can log keystrokes. Additional details on this worm are available in IntelliShield Alert 17147. Cisco Security Intelligence Operations detected a threat outbreak for this worm on December 3, 2008; details are available in IntelliShield Alert 17172.
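A ZIP attachment wrapping an executable is the delivery mechanism common to all three lures. The following added example (not from the report, and not a Cisco or IronPort product feature) is a mail-gateway check that parses a message, opens each ZIP attachment in memory, and flags members with an executable extension, a double extension such as .pdf.exe, or a PE "MZ" header. The sample message, its addresses, and the attachment contents are constructed for the demonstration; the list of executable suffixes is an assumption to extend for a real deployment.

```python
"""Added example: a mail-gateway check that opens ZIP attachments and flags
members that look like Windows executables. Sample message is constructed."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")


def suspicious_zip_members(zip_bytes: bytes):
    """Return [(member_name, [reasons])] for members worth blocking."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [("<archive>", ["not a valid ZIP archive"])]
    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            reasons = []
            if lower.endswith(EXEC_SUFFIXES):
                reasons.append("executable extension")
                if "." in lower.rsplit(".", 1)[0]:
                    reasons.append("double extension")   # e.g. coupon.pdf.exe
            try:
                with zf.open(info) as fh:
                    magic = fh.read(2)   # only the header, never the whole member
            except RuntimeError:          # encrypted member: cannot inspect
                reasons.append("encrypted member")
                magic = b""
            if magic == b"MZ":
                reasons.append("PE header")
            if reasons:
                findings.append((name, reasons))
    return findings


def scan_message(raw: bytes):
    """Return [(attachment_name, member_name, [reasons])] for a raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if part.get_content_type() == "application/zip" or fname.lower().endswith(".zip"):
            for member, reasons in suspicious_zip_members(part.get_payload(decode=True)):
                findings.append((fname, member, reasons))
    return findings


def constructed_message() -> bytes:
    """Holiday-themed lure with a ZIP holding a PE-looking double-extension file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Christmas_Coupon.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"Merry Christmas!")
    msg = EmailMessage()
    msg["From"] = "promo@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Your Christmas coupon"
    msg.set_content("Open the attached coupon before it expires.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="coupon.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for attachment, member, reasons in scan_message(constructed_message()):
        print(f"BLOCK {attachment} -> {member}: {', '.join(reasons)}")
```

Reading only the first two bytes of each member keeps the check cheap and avoids expanding a deliberately oversized archive; an encrypted member that cannot be inspected is itself reported, since that is a common way to get past extension filters.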

IntelliShield published 141 events last week: 37 new events and 104 updated events. Of the 141 events, 115 were Vulnerability Alerts, 15 were Threat Outbreak Alerts, seven were Malicious Code Alerts, three were Security Issue Alerts, and one was a Security Activity Bulletin. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date        New   Updated   Total
Friday        12/5/2008   5     18        23
Thursday      12/4/2008   10    29        39
Wednesday     12/3/2008   11    11        22
Tuesday       12/2/2008   7     10        17
Monday        12/1/2008   4     36        40
Weekly Total              37    104       141

2008 Monthly Alert Totals

Month         New   Updated   Monthly Total
January       178   452       630
February      243   452       695
March         257   402       659
April         209   430       639
May           210   318       528
June          189   360       549
July          176   464       640
August        189   328       517
September     211   379       590
October       206   318       524
November      149   302       451
Annual Total  2217  4205      6422

Cumulative Alert Totals

[Image: graph of alert totals for August 2008]

Previous Alerts That Still Represent Significant Risk

Adobe Acrobat Products util.printf() Function Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 16999, Version 7, November 12, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-2992

Adobe Acrobat Professional, Acrobat 3D, Acrobat Standard, and Adobe Reader contain a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. A variant of the Pidief family of trojans, described in IntelliShield Alert 14388, is actively exploiting this vulnerability in the wild. Adobe has confirmed the vulnerability and released updated software. Administrators are advised to apply the appropriate updates and to ensure that current antivirus definitions are installed. Users should also be cautious of unsolicited PDF files that arrive via e-mail.

Microsoft Windows Server Service Remote Procedure Call Request Handling Code Execution Vulnerability
IntelliShield Vulnerability Alert 16941, Version 3, October 24, 2008
Urgency/Credibility/Severity Rating: 3/5/5
CVE-2008-4250

Microsoft Windows contains a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to create a denial of service condition or execute arbitrary code. Exploit code is publicly available. The Troj/Gimmiv-A, W32.Kernelbot.A, and W32.Wecorl worms are also actively exploiting this vulnerability to install themselves on target systems. Additional information about these worms is available in IntelliShield Alerts 16947, 16985, and 16994. Microsoft has confirmed the vulnerability and released software updates. Administrators are advised to apply the appropriate updates and to ensure that current antivirus definitions are installed.

Microsoft Windows Internet Printing Protocol Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 16798, Version 4, October 20, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-1446

Microsoft Windows contains a vulnerability in Internet Printing Protocol (IPP) request processing that could allow a remote attacker to execute arbitrary code. Only systems that have IIS installed and support Internet Printing services are vulnerable. Internet Printing is not supported in default installations of Windows Vista systems and Windows Server 2003 and 2008 systems. When IIS is installed on Windows 2000 and Windows XP systems, Internet Printing is enabled by default. Functional exploit code is available. This vulnerability is actively being exploited. Microsoft has confirmed this vulnerability in a security bulletin and released software updates.

Multiple Browsers and Adobe Flash Player Mouse Click Hijacking Vulnerability
IntelliShield Security Activity Bulletin 16770, Version 7, November 17, 2008
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2008-4503

Independent security researchers have discovered a flaw that affects multiple, commonly used web browsers and Adobe Flash Player. If an attacker can convince a user to visit a malicious web page, the attacker can overlay invisible page elements, such as a transparent frame of another site, on top of visible content, so that the user's clicks are delivered to hidden links or controls rather than to the item the user believes they are clicking. This type of attack is referred to as clickjacking. Adobe has released a security advisory, a security bulletin, and updated software to address the Flash Player aspect of this vulnerability. Because the underlying technique relies on browser framing behavior rather than a single product defect, site operators should also prevent their pages from being loaded inside frames on other sites, for example with frame-busting scripts.

Sockstress Exploit Tool Exposes Vulnerabilities in TCP Stack Implementations of Multiple Vendors
IntelliShield Vulnerability Alert 16773, Version 4, October 17, 2008
Urgency/Credibility/Severity Rating: 2/5/3

Independent security researchers developed the sockstress tool, which exposes vulnerabilities in the TCP stack implementations of multiple vendors. The researchers have not publicly released the tool, and few technical details of the associated vulnerabilities are publicly available; they are coordinating the release of details to affected vendors through Funet CERT of Finland. The researchers presented the work, with few details, on October 17, 2008, at the T2 2008 security conference in Helsinki, Finland. Cisco has released a Security Response for this activity.

Physical

United States Copper Theft Continues to Increase

A recent report issued by the United States (U.S.) Federal Bureau of Investigation (FBI) indicates that copper theft is on the rise in the U.S. In 2008, numerous alarm system failures were reported as a result of the theft, including a power failure in Florida that affected 4,000 residents and the failure of a tornado warning system to sound for residents in Mississippi. The FBI report indicates that perpetrators are rarely convicted and, when they are found guilty, serve minimal sentences. Since 2004, copper has tripled in price and is now valued at US$4 per pound.

IntelliShield Analysis: In addition to causing serious damage to infrastructure, copper theft increases multiple risks to organizations and employees. Companies rely on warning systems and other services both to operate and to protect their systems and workers, and those services are compromised when copper wiring and connections are stolen. Several states, including California, Missouri, and Arizona, require that sellers of scrap metal provide thumbprints and be paid by check, and that metal merchants keep records of all scrap metal transactions. Other states may consider similar measures. Rising demand and prices will likely result in more theft. Organizations that use large quantities of copper are advised to increase monitoring of the material and to boost physical security around it.

Legal

Deadline Extended for Massachusetts 201 CMR 17 Data Law

Enacted in September 2008, Massachusetts regulation 201 CMR 17.00 is a tough new addition to the list of state identity and data protection laws in the United States. The regulation was set to be enforced on January 1, 2009, but the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has extended this deadline to May 1, 2009. The OCABR cited difficult economic conditions as a primary concern, along with the time businesses need to implement the controls required to comply. When the regulation takes effect, Massachusetts will join nearly 40 other states that have passed similar laws to protect their residents.

IntelliShield Analysis: For businesses outside of Massachusetts, the deadline extension may not be significant; if existing policies were not sufficient to account for the new law, five additional months may not be enough to make a difference. However, for Massachusetts-based businesses that primarily serve state residents, the deadline may be important but not long enough. As with similar laws already in effect in other states, organizations that do business with Massachusetts residents must ensure that current policies cover the requirements of this new law, or can be amended to do so. Beyond businesses located in states that are geographically close to Massachusetts, this may be of particular concern for companies that serve customers in higher education, technology, biotechnology, and other industries that are heavily represented in the state.

Trust

BlackBerry Enterprise Security Certified by Fraunhofer SIT

The Fraunhofer Institute for Secure Information Technology (SIT) certified the security posture of Research in Motion's BlackBerry Enterprise Solution for Microsoft Exchange. The certification is valid until the end of 2010. The evaluation takes into consideration the component pieces of the BlackBerry Enterprise Solution, its interfaces, and software platforms and protocols. The evaluation also accounts for secret key exchange procedures, encryption, host server security, and smart phone management. As a part of the certification process, Fraunhofer SIT confirms the absence of both hidden functions and backdoor access to user or system data.

IntelliShield Analysis: Users and Research in Motion will likely benefit from the certification and recommendations. The true value of the certification process may be in suggested configuration changes made by Fraunhofer SIT. These changes include using a more secure encryption routine, isolating the attachment service with firewalls, as well as other actions on the host servers. Fraunhofer SIT states that these changes could protect from all known attack methods. Administrators of these systems may consider using Fraunhofer SIT's report to enhance their own security posture.

Identity

Identity Theft Resource Center Reports a Rise in Data Breaches in the United States

The Identity Theft Resource Center has released a report indicating that the number of disclosed data breaches in the United States (U.S.) has already reached 449 for 2008, outpacing the 446 data breaches for 2007. Note that 446 data breaches in 2007 exposed data from 127 million records, with approximately 90 million of those records attributed to the 2007 T.J. Maxx breach. The 449 breaches disclosed in 2008 have exposed data that is associated with 22 million records to theft, leaving affected individuals vulnerable to credit fraud, identity theft, or other malicious activities.

IntelliShield Analysis: The ITRC restated in its announcement several known issues with the accuracy of data on security breaches and cautioned that, because of these issues, the numbers should not be given "inordinate weight". That said, the report contains more important information for security teams, including the reasons behind the breaches. The causes indicate that several security issues, such as physical control of data and laptops, insider threats, and human error, contribute to the problem in roughly equal measure, rather than a single massive compromise, vulnerability, or attack to focus on, as occurred in 2007. These findings are consistent with other similar reports and reinforce the need for a holistic risk management approach that addresses the multiple vectors being exploited in the breaches.

Human

YouGov PLC Poll Indicates Human Error Tops IT Security Concerns

According to a recent YouGov PLC poll of IT directors and senior managers based in the United Kingdom, errors by their own employees are the most likely source of security problems. Internal threats accounted for 86% of the highest-ranked responses, broken down as human error (37%), employees who ignore security policies (31%), employees lacking training or knowledge of security policies (13%), and industrial espionage by employees (5%).

IntelliShield Analysis: Human error can take many forms and is difficult to manage. Although technical mitigations, such as blocking spam and malware at a mail gateway, are important, users play a critical role in IT security. Organizations are advised to offer employee training in secure behavior so that staff understand the risks associated with spam and malicious websites, and it may be prudent to block some categories of websites as a partial protection. Employee morale also matters: reasonably satisfied employees may act more carefully, which can reduce human error.

Geopolitical

India Inc Reels from Mumbai Attacks

As the investigation of the November 26, 2008, terrorist attacks on Mumbai proceeds, India's security apparatus has come under criticism for its response time and for failing to prevent the attacks. In the first stage of the attacks, an elite counter-terrorism team based in New Delhi was delayed ten hours while an aircraft was located to transport it. Further contributing to the confused response, the regional counter-terrorism chief was killed while sitting in a police van outside Mumbai's main train station. Indian business leaders, including the heads of the outsourcing corporations Tata and Infosys, are warning that the Indian government must improve security if it is to prevent foreign investors from relocating. All of this is bad timing for India's Congress Party-led government, which must hold elections by May.

IntelliShield Analysis: India has long battled the threat of terrorism, but as it becomes a major player in the global economy, the potential economic damage from violent attacks has implications far beyond India. Although it remains unlikely, the threat of a regional conflict has increased as Pakistan and India, both nuclear powers, trade accusations. Arrests have included Pakistanis and Indians, including one who used false identification to acquire SIM cards used during the attacks, a reminder that the terrorism threat in India may include home-grown elements. The cost of doing business in India has risen as companies boost corporate security measures. Additional cost increases in the coming weeks and months include extra government security measures that will slow shipping and transportation and increased insurance premiums. As the global economic slowdown continues, multi-nationals may also reconsider outsourcing expansion plans.

Evidence that the attackers used technology including SMS messaging and GPS navigation to guide them suggests that communications companies will receive increased scrutiny from the Indian government. Although it does not appear that western businesses or individuals were targeted this time, landmarks representative of India's growing wealth and prowess were. Moreover, a variety of reporting suggests that India's IT sector may be a target of future extremist violence. Travelers to the region may consider avoiding the most prominent hotels and should maintain a high level of situational awareness in their daily movements.

Upcoming Security Activity

25th Chaos Communication Congress: December 27–30, 2008
2009 DoD Cyber Crime Conference: January 26–30, 2009
ShmooCon 2009: February 6–8, 2009
BOSS Conference 2009 & Sourcefire Users Summit: February 8–10, 2009
Black Hat DC 2009: February 16–19, 2009
Financial Cryptography and Data Security '09: February 23–26, 2009

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Hanukkah: December 21–28, 2008
Eid al-Adha: December 8–11, 2008
Christmas: December 25, 2008
Boxing Day/Day of Goodwill: December 26, 2008
New Year's Eve: December 31, 2008
New Year's Day: January 1, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.