Cyber Risk Report

December 15–21, 2008

Please note that the Cyber Risk Report will not be published on December 29, 2008, or January 5, 2009 due to the holiday season. Significant activity from these periods will be included in the report scheduled for release on January 12, 2009.

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity from the previous week centered on patched vulnerabilities in multiple web browsers. Of particular interest was the Microsoft patch for the XML parsing arbitrary code execution vulnerability in Internet Explorer, as described in IntelliShield Alert 17241. Mozilla released security advisories and updated software to address 13 previously undisclosed vulnerabilities in Firefox, SeaMonkey, and Thunderbird. Opera Software released security advisories and updated software to address six previously undisclosed vulnerabilities in the Opera browser. Weaknesses in browsers represent attractive targets for attackers, who can generally exploit these vulnerabilities by using social engineering tactics to convince the user to visit a malicious website. These techniques have proven to be a successful method for distributing malicious code.

Apple released a security bulletin and updated software to address 11 new and 10 previously disclosed vulnerabilities in the Mac OS X operating system. Included in the updated software is an updated version of the Adobe Flash Player plug-in. This update could be especially important because attackers and researchers are showing increased interest in Flash Player as an attack vector. Users should keep their Flash Player updated and exercise caution when viewing Flash content.

Independent security researchers released details and proof-of-concept code regarding multiple cross-site scripting vulnerabilities affecting the social networking site Facebook. These vulnerabilities could be especially dangerous given the large number of users that are registered with Facebook. Generally, attackers exploit cross-site scripting vulnerabilities by convincing unsuspecting users to follow malicious links. Users may be willing to place an inordinate amount of trust in links to a website they already use on a daily basis.
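Because reflected cross-site scripting of the kind described above rides on a crafted link, the attempts usually leave a trace in the web server's access log: a query-string parameter carrying script markup, an inline event handler, or a javascript: URL. The following Python script is an added example, not code from the report or from IntelliShield, that scans constructed access-log lines for those indicators after undoing percent-encoding. The log lines, parameter names and IP addresses are constructed for the illustration.

```python
import re
from urllib.parse import urlparse, parse_qsl, unquote_plus

# Constructed sample access-log lines (abbreviated Apache-style); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Dec/2008:10:01:02 +0000] "GET /profile.php?id=42 HTTP/1.1" 200 5120
10.0.0.7 - - [17/Dec/2008:10:02:15 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 812
10.0.0.9 - - [17/Dec/2008:10:03:44 +0000] "GET /help.php?topic=%22%20onmouseover%3D%22alert(document.cookie) HTTP/1.1" 200 640
10.0.0.9 - - [17/Dec/2008:10:04:10 +0000] "GET /page.php?next=javascript:alert(1) HTTP/1.1" 302 0
10.0.0.3 - - [17/Dec/2008:10:05:00 +0000] "GET /about.php HTTP/1.1" 200 3300
"""

# Pull method and request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Coarse indicators of script injection in a decoded parameter value.
INDICATORS = [
    re.compile(r"<\s*script", re.I),        # script element
    re.compile(r"\bon[a-z]+\s*=", re.I),    # inline event handler, e.g. onmouseover=
    re.compile(r"javascript\s*:", re.I),    # javascript: URL in a redirect/href parameter
]


def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding so doubly encoded payloads are still seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target):
    """Return [(param, decoded value, matching pattern)] for one request target."""
    query = urlparse(target).query
    hits = []
    # parse_qsl already decodes one level; decode_fully handles further levels.
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = decode_fully(raw)
        for pattern in INDICATORS:
            if pattern.search(value):
                hits.append((name, value, pattern.pattern))
                break
    return hits


def scan_log(text):
    """Return [(client ip, request target, hits)] for every suspicious request."""
    results = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            results.append((line.split()[0], m.group("target"), hits))
    return results


if __name__ == "__main__":
    for ip, target, hits in scan_log(SAMPLE_LOG):
        for name, value, pattern in hits:
            print(f"{ip} {target} param={name!r} value={value!r} matched {pattern}")
```

The indicators are deliberately simple and will flag benign parameters such as `one=` or `once=`; in practice they are a starting point for tuning against the site's real parameter names, and a hit means the request deserves a look at what the page echoed back, not that exploitation succeeded.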

IntelliShield published 121 events last week: 58 new events and 63 updated events. Of the 121 events, 97 were Vulnerability Alerts, seven were Security Issue Alerts, five were Security Activity Bulletins, five were Threat Outbreak Alerts, five were Malicious Code Alerts, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Friday        12/19/2008    11        16      27
Thursday      12/18/2008    13        13      26
Wednesday     12/17/2008    12        16      28
Tuesday       12/16/2008    14        12      26
Monday        12/15/2008     8         6      14
Weekly Total                58        63     121


Significant Alerts for December 15-21, 2008

Microsoft Internet Explorer XML Parsing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 17241, Version 5, December 17, 2008
Urgency/Credibility/Severity Rating: 3/5/4

Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a crash of the browser, resulting in a denial of service condition. Proof-of-concept code is available. Microsoft has confirmed the vulnerability and released updated software. Reports indicate that known websites are attempting to exploit this vulnerability to install malicious software on vulnerable systems.

Previous Alerts That Still Represent Significant Risk

Microsoft Windows WordPad Text Converter File Handling Memory Corruption Vulnerability
IntelliShield Vulnerability Alert 17238, Version 16, December 16, 2008
Urgency/Credibility/Severity Rating: 3/5/4

Microsoft Windows contains a vulnerability within the WordPad Text Converter that could allow an unauthenticated, remote attacker to corrupt memory and execute arbitrary code on the system. Microsoft has confirmed the vulnerability, but updated software is not currently available. Reports indicate that this vulnerability is actively being exploited and several antivirus vendors are detecting exploits that install additional malicious code on the targeted system. Other exploits contain a backdoor trojan, which could provide attackers with unauthorized access to vulnerable systems. This tactic is commonly referred to as exploiting a zero-day vulnerability.

Adobe Acrobat Products util.printf() Function Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 16999, Version 8, November 26, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-2992

Adobe Acrobat Professional, 3D, and Standard and Adobe Reader contain a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. A variant of the Pidief family of trojans, as described in IntelliShield Alert 14388, is actively exploiting this vulnerability in the wild. Adobe has confirmed the vulnerability and released updated software. Administrators are advised to apply the appropriate updates and to ensure that current antivirus definitions are installed. Users should also be cautious of unsolicited PDF files that may arrive via e-mail.

Microsoft Windows Server Service Remote Procedure Call Request Handling Code Execution Vulnerability
IntelliShield Vulnerability Alert 16941, Version 3, October 24, 2008
Urgency/Credibility/Severity Rating: 3/5/5
CVE-2008-4250

Microsoft Windows contains a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to create a denial of service condition or execute arbitrary code. Exploit code is publicly available. The Troj/Gimmiv-A, W32.Kernelbot.A, and W32.Wecorl worms are also actively exploiting this vulnerability to install themselves on target systems. Additional information about these worms is available in IntelliShield Alerts 16947, 16985, and 16994. Microsoft has confirmed the vulnerability and released software updates. Administrators are advised to apply the appropriate updates and to ensure that current antivirus definitions are installed.

Microsoft Windows Internet Printing Protocol Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 16798, Version 4, October 20, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-1446

Microsoft Windows contains a vulnerability in Internet Printing Protocol (IPP) request processing that could allow a remote attacker to execute arbitrary code. Only systems that have IIS installed and support Internet Printing services are vulnerable. Internet Printing is not supported in default installations of Windows Vista systems and Windows Server 2003 and 2008 systems. When IIS is installed on Windows 2000 and Windows XP systems, Internet Printing is enabled by default. Functional exploit code is available. This vulnerability is actively being exploited. Microsoft has confirmed this vulnerability in a security bulletin and released software updates.

Multiple Browsers and Adobe Flash Player Mouse Click Hijacking Vulnerability
IntelliShield Security Activity Bulletin 16770, Version 7, November 17, 2008
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2008-4503

Independent security researchers have discovered a critical flaw that affects multiple commonly used web browsers and the Adobe Flash Player. If an attacker can convince a user to visit a malicious web page, the attacker could take complete control over the user's mouse clicks, possibly convincing the user that they are clicking on a legitimate link. An exploit could allow the attacker to control the hidden HTML interaction that is occurring, hiding the invisible hyperlinks that the user is actually following. This type of exploit is being referred to as clickjacking. Adobe has released both a security advisory and a security bulletin and updated software to address this vulnerability.
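Clickjacking works only if the victim's browser will render the targeted page inside a frame on the attacker's page, so the server-side mitigation is to tell the browser not to do that. The following Python check is an added example, not code from the report or from Adobe, that evaluates a response's headers for the two framing controls browsers honor today, the X-Frame-Options header and the Content-Security-Policy frame-ancestors directive, and reports a weak configuration beside a hardened one. The three sample responses are constructed header dictionaries so the check runs offline; against a live site the same function would be fed the headers returned by any HTTP client.

```python
# Assess HTTP response headers for clickjacking (framing) protection.
# Assumptions: headers are given as a dict of name -> value; browser behaviour is
# that only DENY/SAMEORIGIN are honored for X-Frame-Options and that a CSP
# frame-ancestors directive without a bare wildcard or scheme restricts framing.

def _parse_csp(csp):
    """Split a Content-Security-Policy value into {directive: [source, ...]}."""
    directives = {}
    for chunk in csp.split(";"):
        parts = chunk.strip().split()
        if parts:
            directives[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return directives


def framing_assessment(headers):
    """Return (protected, findings) for one response.

    protected is True only when a browser will refuse to render the page in a
    cross-origin frame; findings explains what was seen.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    protected = False

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing")
    elif xfo.upper() in ("DENY", "SAMEORIGIN"):
        protected = True
        findings.append(f"X-Frame-Options: {xfo.upper()} restricts framing")
    else:
        findings.append(f"X-Frame-Options value cannot be relied on: {xfo}")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        ancestors = _parse_csp(csp).get("frame-ancestors")
        if ancestors is None:
            findings.append("CSP has no frame-ancestors directive")
        elif any(src in ("*", "http:", "https:") for src in ancestors):
            findings.append(f"CSP frame-ancestors is permissive: {' '.join(ancestors)}")
        else:
            protected = True
            findings.append(f"CSP frame-ancestors restricts framing: {' '.join(ancestors)}")

    return protected, findings


# Constructed sample responses: a weak default, a misconfiguration, and a hardened one.
SAMPLE_RESPONSES = {
    "weak": {"Content-Type": "text/html"},
    "misconfigured": {
        "Content-Type": "text/html",
        "X-Frame-Options": "ALLOWALL",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors *",
    },
    "hardened": {
        "Content-Type": "text/html",
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    },
}


def assess_all(responses):
    """Map each response name to whether it is protected against framing."""
    return {name: framing_assessment(hdrs)[0] for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        protected, findings = framing_assessment(hdrs)
        print(f"{name}: {'protected' if protected else 'NOT protected'}")
        for f in findings:
            print("  -", f)
```

Sending both headers is the usual choice: X-Frame-Options covers older browsers, and frame-ancestors expresses the finer-grained policy (for example, allowing one trusted origin) that the older header cannot.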

Sockstress Exploit Tool Exposes Vulnerabilities in TCP Stack Implementations of Multiple Vendors
IntelliShield Vulnerability Alert 16773, Version 4, October 17, 2008
Urgency/Credibility/Severity Rating: 2/5/3

Independent security researchers developed the sockstress tool, which exposes vulnerabilities in the TCP stack implementation of multiple vendors. The researchers have not publicly released the sockstress tool yet and few technical details of the associated vulnerabilities are publicly available. The researchers are coordinating the release of details to affected vendors through Funet CERT of Finland. The researchers made their presentation, but released few details, on October 17, 2008 at the T2 2008 security conference in Helsinki, Finland. Cisco has released a Security Response for this activity.

Physical

There was no significant activity in this risk management category during the time period.

Legal

Guilty Plea in Siemens Versus the United States

On December 15, 2008, Siemens AG, a German engineering company, and three subsidiaries pleaded guilty to violations of the United States (U.S.) Foreign Corrupt Practices Act (FCPA). The charges included attempted bribery payments to government officials from 2001 through 2007. In addition, Siemens AG "falsified corporate books and records" and "failed to implement internal controls". The three subsidiaries each pleaded guilty to one count of conspiracy against the FCPA. The company was also charged in 2007 by the Munich Public Prosecutor's Office in a separate investigation involving "failure to supervise its officers and employees" within operating groups other than the telecommunications division. The charges from the U.S. Department of Justice, U.S. Securities and Exchange Commission, and the Munich Public Prosecutor's Office against Siemens AG total US$1.6 billion in fines. Siemens AG will also have an independent compliance officer who reports to the U.S. Justice Department for four years.

IntelliShield Analysis: Siemens is one of the largest engineering and electronics companies in Europe, with headquarters in Berlin and Munich, Germany. With a total of more than 480,000 employees worldwide, this bribery case could have serious implications for Siemens employees. The Munich case in 2007 caused the Nigerian government to cancel a contract. The Munich case also forced the resignation of the then CEO and chairman of Siemens, Klaus Kleinfeld and Heinrich von Pierer respectively, despite neither being directly implicated. Under the current system, in which a supervisory board is governed by a management board and at least half of the supervisory board seats are held by labor representatives, management appears to depend on the labor representatives' support to remain in their jobs. Siemens' new CEO and the company's employees will likely be monitored closely over the next few years as a result of the company's history of bribery. Siemens may consider re-evaluating its internal controls and implementing strict compliance and anti-corruption measures throughout the company.

Trust

Mobile Phone Service Providers Barred From Advertising 'Safe' Voice Mail Service

Mobile phone service providers AT&T and T-Mobile reached a settlement in response to a permanent injunction filed in a Los Angeles, California court in the United States. The injunction alleges that these providers falsely advertised that their voice mail services were secure from unauthorized access. The providers each agreed to cease advertising their services as 'secure' and to pay a fine.

IntelliShield Analysis: The injunction was the result of a year-long investigation into the security of the voice mail services. The investigation categorized cell phone voice mail as being easy to hack into using third-party software. Multiple complaints alleging unauthorized access to voice mail accounts triggered the investigation. Unauthorized access to voice mail puts any sensitive information that is stored in the user's account at risk. Because many companies distribute cell phones to employees for business use, this threat could pose a great risk.

Identity

German Credit Card Customer Data Breach

A German newspaper reported that tens of thousands of German credit card customers' bank information has been compromised. The Frankfurter Rundschau newspaper received a cardboard box containing secret numbers and other sensitive information. The box also contained pieces of microfilm containing sensitive information. The stolen information included customers' names, addresses, bank account numbers, credit card numbers, payments, transfers, and credit card details such as PIN numbers. The affected credit cards include Amazon Visa, White Label Premium, various ADAC Visa and MasterCard cards, LBB cards, and the Xbox classic card.

IntelliShield Analysis: The Frankfurter Rundschau has described this security breach as an extremely serious case of identity theft, possibly the worst case of data theft reported in Germany. This breach may result in thousands of customers who hold the affected credit cards being subjected to financial loss and legal issues. Because identity theft has been an ongoing problem for financial institutions, these organizations should consider reevaluating their security procedures in order to guard against further attacks. One point of interest in this case was the continued use of microfilm records and the practice of shipping those records by insecure methods. As with the shipping of archived documents, tapes, or other media, the secure shipping and handling of such records must be carefully considered.

Human

Consumer Confidence Survey Results

Ponemon Institute LLC asked approximately 6,500 consumers to rate the top five companies they trusted the most when handling personal information, as well as the top five companies they trusted the least. This survey, entitled 'Most Trusted Companies for Privacy', listed American Express Co. as number one for the third year in a row for protecting and sharing personal information. The remainder of the top 20 companies appeared to be similar to last year, with one addition being Facebook. The survey results indicate that financial services companies have decreased in ratings and technology companies, such as Apple and Microsoft, have increased.

IntelliShield Analysis: The survey results should help companies realize the importance of trust when handling personal information and when sharing data with third parties. People rely on computer systems to keep personal information safe. With the availability of technology, taking advantage of people has become easier. The survey results indicate that the number of consumers who feel they have control over their personal information has decreased 14 percent since 2006. Organizations must always consider the trust that customers place in them for handling sensitive information and the impact on their customer base in the aftermath of information disclosures. Businesses should ensure that proper security measures are in operation for handling consumer information and communicate those security measures to their customers.

Geopolitical

Huawei Dogged by Government Relationship Doubts

Chinese telecommunications equipment giant Huawei is denying charges that it has links to the Chinese government, which could be a security concern for Australia. The charges surfaced in connection with a public Request for Proposal to build out Australia's National Broadband Network. Tension plagued this major public deal last week when Australian network provider Telstra was disqualified from the bidding. The new front runner, Singtel Optus, now appears to be on the defensive because of its rumored proposal to partner with Huawei on the deal. Huawei has been accused by various Western think tanks, including the Rand Corporation and the Heritage Foundation, of having close ties to officials in Beijing.

IntelliShield Analysis: Huawei has been discreet about its ownership and government ties. The company may find, however, that in order to fully participate in global markets, particularly in the most lucrative developed markets, it will have to provide greater transparency. Indeed, United States (U.S.) Congressional concerns over security put an end this year to Huawei's bid to acquire the U.S. firm 3Com, whose major customers include the U.S. Department of Defense. Cyber espionage concerns similarly cost Huawei a deal with the Indian government in 2005.

The situation is indicative of the level of risk that global companies face as they seek to balance their home-government relationships with international business expansion. It also confirms that state-sponsored espionage concerns have gone beyond the theoretical to become a key consideration for governments as they build out national telecommunications networks. Security experts within technology companies may consider keeping this public and corporate governance challenge in mind as Huawei addresses this latest challenge.

Upcoming Security Activity

25th Chaos Communication Congress: December 27–30, 2008
2009 DoD Cyber Crime Conference: January 26–30, 2009
ShmooCon 2009: February 28, 2009
BOSS Conference 2009 & Sourcefire Users Summit: February 8–10, 2009
Black Hat DC 2009: February 16–19, 2009
Financial Cryptography and Data Security '09: February 23–26, 2009
World Economic Forum: January 28-February 1, 2009

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Hanukkah: December 21–28, 2008
Christmas: December 25, 2008
Boxing Day/Day of Goodwill: December 26, 2008
New Year's Eve: December 31, 2008
New Year's Day: January 1, 2009
United States Presidential Inauguration: January 20, 2008

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
