Cyber Risk Report

December 8–14, 2007

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Please note that the Cyber Risk Report will not be published on December 29, 2008 or January 5, 2009 due to the holiday season. Significant activity from these periods will be included in the report scheduled for release on January 12, 2009.

Vulnerability

Recent activity levels centered around newly published vulnerability and threat research from Cisco and the monthly Microsoft security updates that were released on December 9, 2008. Of the 28 vulnerabilities that were addressed as part of the Microsoft release, 23 were deemed Critical, which indicates that unauthenticated, remote attackers could execute arbitrary code or completely compromise vulnerable systems. As part of this release, Microsoft also disclosed details about a buffer overflow vulnerability in a Microsoft Visual Studio ActiveX control that is described in IntelliShield Alert 16460. This vulnerability was disclosed previously and has been used to conduct attacks against specific targets.

Very shortly before the Microsoft release, independent security researchers disclosed details about a zero-day XML parsing vulnerability in Internet Explorer. This vulnerability, which is documented in IntelliShield Alerts 17236 and 17241, is being exploited in the wild. Known exploits are leveraging this vulnerability to install malicious software, including Infostealer.Gampass, which is documented in IntelliShield Alert 17254. Cisco Security Research and Operations has investigated the malicious executables that are associated with this trojan, most of which are being used by attackers to log system keystrokes and steal online gaming details. Other executables contain a backdoor component that is related to the Graybird family of trojans, which is documented in IntelliShield Alert 5649. Because the malicious website that is hosting these files has been removed from the Internet, there is a slight reduction in the threat associated with this trojan.

In addition to the regularly scheduled December security bulletin release, Microsoft published a security advisory later in the day to address a vulnerability in the Microsoft Windows WordPad Text Converter. This zero-day vulnerability, which is also being exploited, is described in IntelliShield Alert 17238.

In non-Microsoft vulnerability activity, a message stream processing vulnerability in Digium Asterisk is also under active exploitation. Users should note that this vulnerability, which is described in IntelliShield Alert 15465, was originally reported in March 2008. Updated versions have been available since that timeframe.

In malicious code activity, a variant of the infamous Koobface worm is using Facebook's redirect functionality to bypass filtering software that is specifically intended to protect users from the worm. Koobface is most widely known for propagating via the Facebook and MySpace social networks, but the worm is now targeting the following networking websites: bebo.com, blackplanet.com, friendster.com, and myyearbook.com. Social network account holders and other site users are advised to verify the authenticity of unexpected links on web pages. For assistance in verifying these links or any other URLs, users can employ the IronPort Security Network E-mail and Web Reputation Tool on the SenderBase website. Further details on Koobface are available in IntelliShield Alert 17240.
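The bypass described above works because the filter judges a link by the hostname it shows rather than by where the click ends up. As an added illustration that is not part of the Cisco report, the following Node.js snippet contrasts a hostname-only filter with one that statically follows redirect parameters; the parameter names, the redirect path and the sample domains are constructed assumptions, not Facebook's actual redirector.

```javascript
// Added example (not from the Cisco report). Contrasts a filter that judges a
// link by its visible hostname with one that follows redirect parameters
// statically (no network access). Parameter names, paths and domains below
// are constructed assumptions for the demo.

// Hostnames the filter should never let a click reach (constructed sample).
const BLOCKED_HOSTS = new Set(["malware-sample.example", "worm-dropper.example"]);

// Query parameter names commonly used by redirectors (assumed list).
const REDIRECT_PARAMS = ["u", "url", "redirect", "target", "next", "goto"];

function hostOf(urlString) {
  try {
    return new URL(urlString).hostname.toLowerCase();
  } catch (e) {
    return null; // unparsable input: treat as suspicious
  }
}

// Naive filter: looks only at the hostname of the link the user clicked, so a
// redirect hosted on a trusted site passes even when it lands on a blocked one.
function naiveVerdict(urlString) {
  const host = hostOf(urlString);
  if (host === null) return "block";
  return BLOCKED_HOSTS.has(host) ? "block" : "allow";
}

// Walk embedded redirect targets up to maxHops times and return the list of
// hostnames the click would actually pass through, starting with the visible one.
function redirectChain(urlString, maxHops = 5) {
  const chain = [];
  let current = urlString;
  for (let hop = 0; hop <= maxHops && current !== null; hop++) {
    let parsed;
    try {
      parsed = new URL(current);
    } catch (e) {
      break;
    }
    chain.push(parsed.hostname.toLowerCase());
    current = null;
    for (const name of REDIRECT_PARAMS) {
      const value = parsed.searchParams.get(name); // already percent-decoded
      if (value !== null && /^https?:\/\//i.test(value)) {
        current = value;
        break;
      }
    }
  }
  return chain;
}

// Redirect-aware filter: every hostname in the chain must be clean.
function redirectAwareVerdict(urlString) {
  const chain = redirectChain(urlString);
  if (chain.length === 0) return "block";
  return chain.some((h) => BLOCKED_HOSTS.has(h)) ? "block" : "allow";
}

// Constructed sample: a trusted-looking redirect wrapping a blocked destination.
const SAMPLE_LINK =
  "https://www.facebook.com/redirect?u=https%3A%2F%2Fmalware-sample.example%2Fvideo.exe";

console.log(naiveVerdict(SAMPLE_LINK), redirectAwareVerdict(SAMPLE_LINK));
```

The naive filter allows the sample link while the redirect-aware one blocks it, which is exactly the gap the worm variant exploits.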

In other threat activity, Cisco released the Preliminary Edition of the 2008 Annual Security Report at the C-Scape analyst conference during the time period. In the full version of the Cisco 2008 Annual Security Report, which is now available, Cisco warns of more sophisticated, targeted Internet attacks from the online criminal economy. The report details many specific threats across the web ecosystem and concludes with recommendations for 2009.

IntelliShield published 161 events last week: 87 new events and 74 updated events. Of the 161 events, 135 were Vulnerability Alerts, ten were Threat Outbreak Alerts, three were Security Activity Bulletins, four were Security Issue Alerts, three were Malicious Code Alerts, five were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Friday        12/12/2008    12        14      26
Thursday      12/11/2008    11        12      23
Wednesday     12/10/2008     5        29      34
Tuesday       12/09/2008    39         8      47
Monday        12/08/2008    20        11      31
Weekly Total                87        74     161


Significant Alerts for December 8–14, 2008

Microsoft Internet Explorer XML Parsing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 17241, Version 3, December 12, 2008
Urgency/Credibility/Severity Rating: 3/5/4

Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or crash the browser, resulting in a DoS condition. Microsoft has confirmed the vulnerability, but updated software is not currently available. Reports indicate that known websites are attempting to exploit this vulnerability to install malicious software on vulnerable systems. This tactic is commonly referred to as exploiting a zero-day vulnerability.

Microsoft Windows WordPad Text Converter File Handling Memory Corruption Vulnerability
IntelliShield Vulnerability Alert 17238, Version 1, December 10, 2008
Urgency/Credibility/Severity Rating: 3/5/4

Microsoft Windows contains a vulnerability within the WordPad Text Converter that could allow an unauthenticated, remote attacker to corrupt memory and execute arbitrary code on the system. Microsoft has confirmed the vulnerability, but updated software is not currently available. Reports indicate that this vulnerability is actively being exploited and several antivirus vendors are detecting exploits that install additional malicious code on the targeted system. Other exploits contain a backdoor trojan, which could provide attackers with unauthorized access to vulnerable systems. This tactic is commonly referred to as exploiting a zero-day vulnerability.

Previous Alerts That Still Represent Significant Risk

Adobe Acrobat Products util.printf() Function Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 16999, Version 8, November 26, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-2992

Adobe Acrobat Professional, 3D, and Standard, and Adobe Reader contain a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. A variant of the Pidief family of trojans, as described in IntelliShield Alert 14388, is actively exploiting this vulnerability in the wild. Adobe has confirmed the vulnerability and released updated software. Administrators are advised to apply the appropriate updates and to ensure that current antivirus definitions are installed. Users should also be cautious of unsolicited PDF files that may arrive via e-mail.

Microsoft Windows Server Service Remote Procedure Call Request Handling Code Execution Vulnerability
IntelliShield Vulnerability Alert 16941, Version 3, October 24, 2008
Urgency/Credibility/Severity Rating: 3/5/5
CVE-2008-4250

Microsoft Windows contains a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to create a denial of service condition or execute arbitrary code. Exploit code is publicly available. The Troj/Gimmiv-A, W32.Kernelbot.A, and W32.Wecorl worms are also actively exploiting this vulnerability to install themselves on target systems. Additional information about these worms is available in IntelliShield Alerts 16947, 16985, and 16994. Microsoft has confirmed the vulnerability and released software updates. Administrators are advised to apply the appropriate updates and to ensure that current antivirus definitions are installed.

Microsoft Windows Internet Printing Protocol Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 16798, Version 4, October 20, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-1446

Microsoft Windows contains a vulnerability in Internet Printing Protocol (IPP) request processing that could allow a remote attacker to execute arbitrary code. Only systems that have IIS installed and support Internet Printing services are vulnerable. Internet Printing is not supported in default installations of Windows Vista systems and Windows Server 2003 and 2008 systems. When IIS is installed on Windows 2000 and Windows XP systems, Internet Printing is enabled by default. Functional exploit code is available. This vulnerability is actively being exploited. Microsoft has confirmed this vulnerability in a security bulletin and released software updates.

Multiple Browsers and Adobe Flash Player Mouse Click Hijacking Vulnerability
IntelliShield Security Activity Bulletin 16770, Version 7, November 17, 2008
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2008-4503

Independent security researchers have discovered a critical flaw that affects multiple, commonly used web browsers and the Adobe Flash Player. If an attacker can convince a user to visit a malicious web page, the attacker could take complete control over a user's mouse clicks, possibly convincing the user that they are clicking on a legitimate link. An exploit could allow the attacker to control the hidden HTML interaction that is occurring, hiding the invisible hyperlinks that the user is actually following. This type of exploit is being referred to as clickjacking. Adobe has released both a security advisory and a security bulletin and updated software to address this vulnerability.
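Two defender-side checks for the pattern just described, added here as an illustration rather than taken from the bulletin: a frame-busting decision a page can make on load, and a heuristic that flags a near-transparent iframe layered over a visible clickable element. Element geometry and styles are modelled as plain objects (an assumption) so the code runs in Node.js; in a browser they would come from getBoundingClientRect() and getComputedStyle().

```javascript
// Added example (not from the Cisco bulletin). Two defensive checks for the
// clickjacking pattern: (1) frame-busting decision, (2) overlay detection.
// DOM geometry and styles are plain objects here (an assumption) so this runs
// outside a browser.

// (1) A page that must never be embedded breaks out of any frame. `win` stands
// in for the browser window object; top === self only at the top level.
function shouldBreakOut(win) {
  return win.top !== win.self;
}

// Rectangles are {x, y, w, h} in CSS pixels; true when the two intersect.
function overlaps(a, b) {
  return a.x < b.x + b.w && b.x < a.x + a.w && a.y < b.y + b.h && b.y < a.y + a.h;
}

// The clickjacking trick relies on a frame the user cannot see but which still
// receives the click: here, near-zero opacity (threshold is an assumption).
function isEffectivelyInvisible(el) {
  return typeof el.opacity === "number" && el.opacity < 0.1;
}

// (2) Report every near-invisible iframe stacked above a clickable element it
// overlaps: the user sees the button, the click lands in the frame.
function findClickjackOverlays(elements) {
  const findings = [];
  const frames = elements.filter((e) => e.tag === "iframe");
  const clickables = elements.filter((e) => e.tag === "button" || e.tag === "a");
  for (const frame of frames) {
    if (!isEffectivelyInvisible(frame)) continue;
    for (const target of clickables) {
      const above = (frame.zIndex || 0) > (target.zIndex || 0);
      if (above && overlaps(frame.rect, target.rect)) {
        findings.push({ frame: frame.id, covers: target.id });
      }
    }
  }
  return findings;
}

// Constructed sample page: a visible "Play video" button with an almost
// transparent iframe positioned over it, plus a harmless visible iframe.
const SAMPLE_PAGE = [
  { id: "play", tag: "button", rect: { x: 100, y: 200, w: 120, h: 40 }, zIndex: 0, opacity: 1 },
  { id: "hidden-frame", tag: "iframe", rect: { x: 90, y: 190, w: 140, h: 60 }, zIndex: 10, opacity: 0.01 },
  { id: "visible-frame", tag: "iframe", rect: { x: 400, y: 200, w: 300, h: 200 }, zIndex: 1, opacity: 1 },
];

console.log(findClickjackOverlays(SAMPLE_PAGE));
```

Browsers that support the X-Frame-Options response header (DENY or SAMEORIGIN) give servers a counterpart to shouldBreakOut that does not depend on script running in the framed page.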

Sockstress Exploit Tool Exposes Vulnerabilities in TCP Stack Implementations of Multiple Vendors
IntelliShield Vulnerability Alert 16773, Version 4, October 17, 2008
Urgency/Credibility/Severity Rating: 2/5/3

Independent security researchers developed the sockstress tool, which exposes vulnerabilities in the TCP stack implementation of multiple vendors. The researchers have not publicly released the sockstress tool yet, and few technical details of the associated vulnerabilities are publicly available. The researchers are coordinating the release of details to affected vendors through Funet CERT of Finland. The researchers presented their findings, while releasing few details, on October 17, 2008 at the T2 2008 security conference in Helsinki, Finland. Cisco has released a Security Response for this activity.

Physical

Relief from Airline Liquids Ban Highlights Flaws

The United States Transportation Security Administration (TSA) has voiced plans to relieve the liquid bans for commercial air travel over the coming year and remove them altogether in 2010. The TSA has cited technical improvements in scanning and detection capabilities as the reasoning for removing the ban. Improved scanning systems should allow TSA agents to remove the liquid size ban first and then progress to allow liquids to remain packed in carry-on luggage.

IntelliShield Analysis: Critics have complained about the ban for some time, claiming that reproducing liquid explosives from their component parts within an airport or on board a plane is neither a simple nor undetectable process. As long as the TSA remains committed to screening for harmful liquids, however, the technical improvement is a positive step for security. Properly calibrated machines can improve consistency and assist screeners in eliminating some of the more arbitrary decisions that untrained staff may be inclined to make. Removing a hassle from passengers should reduce the strain they experience during security checks and may make them less likely to subvert security for the sake of convenience. Organizations are advised to consider similar opportunities to reduce user impact, which can improve consistency, efficiency, compliance, and adoption.

Legal

United States Federal Bureau of Investigation Agent Accused of Criminally Accessing Files

An agent of the United States Federal Bureau of Investigation (FBI) has been charged with five counts of criminally accessing the FBI computer systems. Allegedly, the agent accessed an FBI document that contained information about a recent and highly publicized wiretapping trial in the state of California. Reports indicate that the agent may have been motivated to access the information by his girlfriend, a well-known American actress who may be associated with the convicted individual, California detective Anthony Pellicano. The breach appears to be tied to a key FBI report that sparked discussions during Pellicano's trial about disparities between the defense and prosecution's copies.

IntelliShield Analysis: This case is a clear demonstration that even after thorough background checking and candidate vetting, the potential still exists for employees to act inappropriately. For this reason, a layered approach to security is important, especially safeguards that can prevent the misuse of corporate resources and fully audit user actions. Such a posture should include the auditing of access to sensitive information, which the FBI seems to have employed. Certain regulations and compliance requirements include these controls, but all organizations should consider implementing the capabilities to protect both their interests and assets.

Trust

Recent Israeli Elections Interrupted by Computerized Voting Malfunctions

In what media reports have called a blunder and disgrace, the Israeli Labor and Likud primary party elections were both interrupted due to malfunctions with computerized voting machines. The Labor primary elections were postponed for two days after several system malfunctions and failures, and the Likud primary elections were extended due to system malfunctions that left voters standing in lines for hours the following week. The details of the malfunctions were not released but reportedly included multiple types of malfunctions, failures, and system crashes at various voting locations. In addition to the electronic malfunctions, election planners apparently also failed to consider human factors such as extended polling times for voters who were attempting to use the electronic systems for the first time.

IntelliShield Analysis: Although issues continue to plague electronic voting systems, the public and media response to the election disruptions seemed to focus primarily on party and election officials. Officials continue to apologize, but the election issues have cast doubt on the results. Media reporters are also questioning whether a party that encountered so many problems managing an election is capable of governing. The public loss of trust, confidence, and integrity due to these elections should serve as a universal reminder that the public expects organizations to be able to perform their expected functions. When they fail to do so, the risk of damage to their reputations and trustworthiness greatly increases. Organizations are advised to expect similar issues in the application of new technologies and to conduct extensive prior testing, plan responses for potential problems, and anticipate the human factors involved with the deployment of the technologies.

Identity

United States Residents Arrested for Home Equity Account Theft

United States (U.S.) authorities recently arrested eight individuals in connection with an identity theft ring that is accused of stealing personal information from home equity lines of credit. Affected banks include Citibank, JPMorgan Chase, Bank of America, and many others. U.S. federal authorities continue to investigate this security breach, but the total amount stolen from home equity accounts has been reported to exceed US$2.5 billion.

IntelliShield Analysis: News reports indicate that the perpetrators stole and stored personal data from publicly available databases and records that were posted on U.S. government websites. Using the stolen data, the crime ring apparently transferred money from home equity accounts by phone, fax, and the Internet. To help prevent these kinds of incidents, organizations are encouraged to increase their monitoring of data flow. These types of data compromises have continued for quite some time, and large corporate compromises have largely failed to produce any increased security measures or legislative actions to prevent them. A complex combination of controls is paramount, but the central element should be identifying where sensitive information is stored and tracking the movement of information from that location.

Human

Chinese Hacking Leads to Government E-mail Order

Chinese hackers have reportedly accessed the India Prime Minister's Office and the National Informatics Centre. The incident is being compounded by the discovery that employees from the two organizations have been sending and receiving official government communications using the Google Gmail e-mail service, which is not encrypted. This method of transmission allowed the hackers to obtain official information about policy decisions within the Prime Minister's Office.

IntelliShield Analysis: It is not advisable to conduct sensitive communications using web-based e-mail services, because these systems are not secure, and they bypass most government and corporate security policies. India's Prime Minister's Office has since instructed their employees to cease using these services for official business, but organizations are also advised to implement and reinforce user awareness programs and training sessions that highlight the importance of these kinds of policies and the consequences of not following them. Access to web-based services can also be restricted, which should force employees to use official e-mail services for communications. As governments and corporate organizations face the increasing availability and use of collaborative services, users must be educated on the potential gains and risks associated with their use.

Geopolitical

Unrest in Greece May Indicate Heightened Global Risk

Days of violent demonstrations have affected the city of Athens, Greece following the shooting of a teenage boy who was allegedly harassing police officers. Sympathetic demonstrations quickly manifested themselves in other parts of the country, in Cyprus, and even in Spain. At the same time, similar but unrelated violent demonstrations were reported in other locations including Thailand, China, India, Iceland, and South Korea, among others.

IntelliShield Analysis: Although specific events might incite these protests, the intensity and duration suggest underlying popular discontent that may be related to the worsening global economic conditions. In today's deteriorating economic environment, social frustrations that might otherwise have occurred quietly in countries around the world are more likely to erupt into violent unrest. Given that many of the recent demonstrations have been documented and fomented on the Internet via outlets such as YouTube and Twitter, it appears that unrest in the information age is capable of manifesting and spreading more rapidly than ever before. Organizations with global operations may consider reviewing crisis contingency plans, keeping in mind economic and social conditions and quick reaction times.

Upcoming Security Activity

25th Chaos Communication Congress: December 27–30, 2008
United States Presidential Inauguration: January 20, 2009

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Christmas: December 25, 2008
Boxing Day/Day of Goodwill: December 26, 2008
New Year's Eve: December 31, 2008
New Year's Day: January 1, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.