
Cyber Risk Report

February 9–15, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity in 2008 was 6.8 percent higher than in 2007: IntelliShield analysts published 442 more alerts in 2008 than in the previous year. Part of the rise came from alerts that were revised after vendor responses or the release of additional information; the number of new alerts actually fell by 47. Despite the drop in new alerts, IntelliShield analysts produced reports on almost two hundred more previously undisclosed vulnerabilities in 2008 than in 2007.

Vulnerability and threat activity levels remained low for the time period. Much of the activity stemmed from vendor updates for previously undisclosed vulnerabilities. Apple has released security bulletins and updated software to address vulnerabilities in multiple Apple products. Of the addressed vulnerabilities, 33 had been previously reported and 21 were previously undisclosed. Many of the vulnerabilities are in third-party components. The bulletins are described in IntelliShield Alert 17610.

Microsoft released its security bulletins for February 2009. Microsoft assigned the vulnerabilities in the Internet Explorer cumulative update (MS09-002) and the Microsoft SQL Server update (MS09-004) an Exploitability Index rating of 1, "Consistent Exploit Code Likely," meaning that Microsoft expects reliable exploit code to appear within 30 days of the bulletin if it is not already public. Because of the high profile of these vulnerabilities, administrators are advised to expedite applying the patches. Attackers often rush to create working exploits for vulnerabilities in Microsoft products after the monthly security bulletin release, because the patched binaries can be compared with the originals to locate the fixed code.

Research in Motion released a security advisory to address a buffer overflow vulnerability in the BlackBerry Application Web Loader ActiveX control. A remote attacker could exploit the vulnerability by convincing a user to visit a malicious website that calls the ActiveX control. The control is marked safe for scripting, so Internet Explorer will instantiate it from a web page without prompting the user. Successful exploitation could allow the attacker to execute arbitrary code with the privileges of the user. Until the updated control is installed, setting the kill bit for the control's class identifier (CLSID) in the registry prevents Internet Explorer from loading it. This vulnerability is described in IntelliShield Alert 17553.

Proof-of-concept code for the encoded multibyte character SQL injection vulnerability in ProFTPD has been publicly released. Reports indicate there are active attempts to exploit this vulnerability. This vulnerability is described in IntelliShield Alert 17571.
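The vulnerability class named above is worth seeing in code. When single quotes are escaped byte by byte but the database interprets the statement in a multibyte charset such as GBK, a lead byte in the input can absorb the escaping backslash as its trail byte and leave the quote bare. The following is an added example, not ProFTPD's or Cisco's code; the table, column names and query shape are assumptions, and the connection charset is assumed to be GBK.

```python
"""Added example: byte-level quote escaping versus a multibyte charset.

Constructed data only. Shows the vulnerable pattern, what the database
sees after decoding, and two fixes (decode-before-escape, parameterization).
"""
import sqlite3


def naive_escape(data: bytes) -> bytes:
    """Byte-oriented escaping: prefixes every backslash and single quote
    with a backslash without knowing where character boundaries are."""
    return data.replace(b"\\", b"\\\\").replace(b"'", b"\\'")


def build_query_bytes(userid: bytes) -> bytes:
    """Vulnerable pattern: escape bytes, splice into the statement, send it
    to a database that decodes the whole statement in its own charset."""
    return b"SELECT passwd FROM users WHERE userid='" + naive_escape(userid) + b"'"


def count_literal_quotes(sql: str) -> int:
    """Counts single quotes a SQL parser would treat as string delimiters,
    i.e. quotes not preceded by an escaping backslash."""
    count = 0
    i = 0
    while i < len(sql):
        if sql[i] == "\\":
            i += 2          # escaped character: skip it
            continue
        if sql[i] == "'":
            count += 1
        i += 1
    return count


def decoded_query(userid: bytes, charset: str = "gbk") -> str:
    """What the database sees: the spliced bytes decoded as `charset`."""
    return build_query_bytes(userid).decode(charset)


def safe_build(userid: bytes, charset: str = "gbk") -> str:
    """Fix 1: decode with the connection charset *before* escaping, and
    reject byte sequences that are not valid in that charset."""
    try:
        text = userid.decode(charset)   # strict: a dangling lead byte raises
    except UnicodeDecodeError as exc:
        raise ValueError(f"invalid {charset} input rejected") from exc
    escaped = text.replace("\\", "\\\\").replace("'", "\\'")
    return f"SELECT passwd FROM users WHERE userid='{escaped}'"


def lookup_parameterized(userid: bytes, charset: str = "gbk") -> list:
    """Fix 2 (preferred): never splice input into SQL. The driver sends the
    value separately, so no byte sequence can alter the statement."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT, passwd TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'secret')")
    try:
        value = userid.decode(charset, errors="replace")
        return conn.execute(
            "SELECT passwd FROM users WHERE userid=?", (value,)
        ).fetchall()
    finally:
        conn.close()


# Constructed payload: 0xBF is a valid GBK lead byte and the backslash that
# naive_escape inserts (0x5C) is a valid GBK trail byte, so the pair is
# decoded as one character and the quote that follows is left bare.
PAYLOAD = b"\xbf' OR 1=1 -- "
ASCII_ATTEMPT = b"bob' OR 1=1 -- "

if __name__ == "__main__":
    print(decoded_query(ASCII_ATTEMPT))   # quote stays escaped: 2 delimiters
    print(decoded_query(PAYLOAD))         # quote breaks out: 3 delimiters
    print(lookup_parameterized(PAYLOAD))  # [] : the payload is just data
```

Run it and compare the two decoded statements: the ASCII attempt stays inside the string literal, while the 0xBF-prefixed payload closes the literal and appends `OR 1=1`. Escaping that is unaware of the connection charset is the root cause; parameterized queries remove the splice entirely.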

Cisco Security Intelligence Operations released 12 Threat Outbreak Alerts during this time period. Much of the threat activity centered on the Valentine's Day holiday, including a fresh seeding of the Waledac family of worms. W32.Waledac, described in IntelliShield Alert 17327, is now a major generator of spam; according to some reports, thousands of variants are created each day. The latest campaign used a spam message that attempts to convince the user to download a Valentine's Day-themed "development kit" called the Valentine Devkit. In contrast to the well-publicized e-card approach, the message states that the recipient can use the Valentine Devkit to create a customized e-card. This new lure is likely to deceive many users until awareness of it has been raised.

Cisco Security Intelligence Operations has also detected significant activity related to e-mail messages that masquerade as responses to employment inquiries or job offers. The messages attempt to convince users to download a .zip attachment that supposedly contains an application form labeled job-application-form.zip or copy of your cv.zip. The archive contains an .exe file with the same name as the .zip file. When the .exe file is executed, it attempts to infect the system with a variant of the Vundo family of trojans. It is no surprise that malicious code authors are leveraging the current economic crisis as a means of malware propagation. As people become increasingly desperate for work, they may become more susceptible to these tactics.
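The lure described above has a structural signature that a mail gateway can test for: a .zip whose executable member is named after the archive itself. The following is an added example, not Cisco's or any vendor's detection code; the archives it inspects are constructed in memory, and the list of executable extensions is an assumption that a deployment would extend.

```python
"""Added example: hold zip attachments whose executable member is named
after the archive, or whose members carry a PE header under another name.
Sample archives are constructed inline."""
import io
import os
import zipfile
from typing import Dict, List

# Assumed list; a real gateway policy would be broader.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Constructs a zip archive in memory (used here to fabricate samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def inspect_attachment(filename: str, payload: bytes) -> List[str]:
    """Returns the reasons an attachment should be held for review; an
    empty list means none of the checks fired."""
    reasons: List[str] = []
    archive_stem = os.path.splitext(os.path.basename(filename))[0].lower()
    try:
        zf = zipfile.ZipFile(io.BytesIO(payload))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = os.path.basename(info.filename)
            member_stem, ext = os.path.splitext(base)
            is_exec_ext = ext.lower() in EXECUTABLE_EXTS
            if is_exec_ext:
                reasons.append(f"executable member: {base}")
                # The job-application / cv lure: member named after the archive.
                if member_stem.lower() == archive_stem:
                    reasons.append(
                        f"member {base} is named after the archive {filename}")
            # Read only the first two bytes: enough to spot a renamed PE file
            # without inflating a potentially huge member.
            with zf.open(info) as fh:
                magic = fh.read(2)
            if magic == b"MZ" and not is_exec_ext:
                reasons.append(
                    f"member {base} has a PE header despite its extension")
    return reasons


if __name__ == "__main__":
    # Constructed lure matching the pattern in the report.
    lure = build_zip({"job-application-form.exe": b"MZ\x90\x00 constructed stub"})
    for reason in inspect_attachment("job-application-form.zip", lure):
        print("HOLD:", reason)
```

The name match is cheap and specific to this campaign; the PE-header check catches the obvious evasion of renaming the executable to a document extension. Neither replaces antivirus scanning of the inflated member.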

IntelliShield published 101 events last week: 68 new events and 33 updated events. Of the 101 events, 72 were Vulnerability Alerts, 12 were Threat Outbreak Alerts, six were Security Activity Bulletins, five were Malicious Code Alerts, three were Applied Mitigation Bulletins, two were Security Issue Alerts, and one was the Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New  Updated  Total
Friday        02/13/2009    18       10     28
Thursday      02/12/2009     9        5     14
Wednesday     02/11/2009     8        7     15
Tuesday       02/10/2009    23        8     31
Monday        02/09/2009    10        3     13
Weekly Total               68       33    101

Previous Alerts That Still Represent Significant Risk

Worm: W32.Waledac
IntelliShield Malicious Code Alert 17327, Version 9, February 13, 2009
Urgency/Credibility/Severity Rating: 4/5/4
W32.Waledac is a worm that attempts to open a back door on an infected system. The worm propagates by sending a copy of itself to e-mail addresses on the infected system. Recently, the Waledac family was observed disguising itself as valentine-related e-cards. The e-mail messages are configured to take advantage of interest in current events or holidays to convince users to open their attachments. W32.Waledac may download files on an infected system and provide an attacker with backdoor access. The worm also attempts to steal confidential information that is related to numerous online banking entities.

Worm: W32/Conficker.worm
IntelliShield Malicious Code Alert 17121, Version 10, January 27, 2009
Urgency/Credibility/Severity Rating: 4/5/3
W32/Conficker.worm is a worm that is quickly propagating across many networks. The worm has reportedly infected millions of systems. One propagation routine of the worm involves exploiting the Microsoft Windows Server service remote procedure call (RPC) request handling code execution vulnerability as described in IntelliShield Alert 16941. The worm prevents the system from accessing essential antivirus and security-related websites, which makes diagnosis and removal efforts more difficult. Administrators are advised to apply the MS08-067 Microsoft update to prevent attacks by the worm and to take steps to isolate any suspected infected systems until they can be fully restored.

Adobe Acrobat Products util.printf() Function Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 16999, Version 10, January 14, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-2992
Adobe Reader, Acrobat Professional, Acrobat 3D, and Acrobat Standard contain a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. A variant of the Pidief family of trojans, as described in IntelliShield Alert 14388, is actively exploiting this vulnerability in the wild. Adobe has confirmed the vulnerability and released updated software. Administrators are advised to apply the appropriate updates and to ensure that current antivirus definitions are installed. Users should also be cautious of unsolicited PDF files that may arrive via e-mail messages.
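Because the Pidief samples arrive as PDF attachments, a first triage step is to look for automatically executed JavaScript that calls util.printf(), the function named in this alert. The script below is an added example, not Adobe's or Cisco's code: the marker list is an assumption, the sample PDFs are constructed inline, and it handles only Flate-compressed streams and hex strings. Object streams, encryption and JavaScript that assembles the call name at run time are not handled, so a "clean" verdict is not proof of a clean file.

```python
"""Added example: triage a PDF for auto-run JavaScript that calls
util.printf. Constructed samples only; this is a heuristic, not a parser."""
import re
import zlib
from typing import Dict

# Assumed marker list: auto-run actions, JavaScript keys, and the call itself.
MARKERS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"util.printf")


def inflate_streams(pdf: bytes) -> bytes:
    """Concatenates the contents of every stream that inflates with zlib
    (/FlateDecode), where malicious JavaScript is usually hidden."""
    out = b""
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", pdf, re.S):
        try:
            out += zlib.decompress(m.group(1))
        except zlib.error:
            continue  # not a Flate stream, or corrupted: skip it
    return out


def decode_hex_strings(data: bytes) -> bytes:
    """Replaces PDF hex strings <...> with their decoded bytes so that a
    hex-encoded util.printf is seen as text."""
    def repl(m):
        digits = re.sub(rb"\s", b"", m.group(1))
        if len(digits) % 2:
            return m.group(0)
        try:
            return b"(" + bytes.fromhex(digits.decode("ascii")) + b")"
        except ValueError:
            return m.group(0)
    return re.sub(rb"<([0-9A-Fa-f\s]{2,})>", repl, data)


def indicators(pdf: bytes) -> Dict[str, int]:
    """Marker counts over the raw file plus its inflated streams."""
    corpus = decode_hex_strings(pdf + inflate_streams(pdf))
    return {m.decode(): corpus.count(m) for m in MARKERS}


def triage(pdf: bytes) -> str:
    """'suspicious' = auto-run JavaScript that calls util.printf,
    'review' = any JavaScript at all, 'clean' = neither."""
    ind = indicators(pdf)
    has_js = ind["/JavaScript"] or ind["/JS"]
    auto = ind["/OpenAction"] or ind["/AA"]
    if has_js and auto and ind["util.printf"]:
        return "suspicious"
    if has_js:
        return "review"
    return "clean"


def constructed_pdf_with_flate_js(js: bytes) -> bytes:
    """Builds a minimal PDF whose OpenAction runs JavaScript stored in a
    Flate-compressed stream (constructed sample, not a real exploit)."""
    body = zlib.compress(js)
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
        b"4 0 obj << /S /JavaScript /JS 5 0 R >> endobj\n"
        b"5 0 obj << /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\n"
        b"stream\n" + body + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


# Constructed samples: plain JavaScript, JavaScript without auto-run, no JavaScript.
PLAIN_JS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /JavaScript /JS (util.printf("%s", "constructed sample")) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
REVIEW_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /JavaScript /JS (app.alert("constructed sample")) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    print(triage(PLAIN_JS_PDF), triage(REVIEW_PDF), triage(CLEAN_PDF))
    print(triage(constructed_pdf_with_flate_js(b'util.printf("%s", "x");')))
```

Anything rated "suspicious" or "review" should go to a sandbox or a proper PDF analysis tool; the point of the script is to cut the volume that needs that attention, not to render a verdict.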

Weak MD5 Cryptographic Algorithm Allows for Certification Authority Certificate Spoofing Attacks
IntelliShield Security Activity Bulletin 17341, Version 5, January 15, 2009
Urgency/Credibility/Severity Rating: 2/5/3
Security researchers have demonstrated a weakness in the Internet Public Key Infrastructure (PKI), which is used to issue the certificates that identify secure websites. The attack builds on advances in cryptographic research that produce collisions in the MD5 hash function. Using a chosen-prefix collision, the researchers obtained a legitimate certificate from a CA that still signed with MD5 and constructed a rogue CA certificate with the same MD5 hash; the CA's signature on the legitimate certificate is therefore also valid for the rogue one, which can in turn issue certificates for any website that browsers trusting that CA will accept. Only CAs that sign with MD5 are affected; certificates signed with a different hash cannot be forged in this way. The researchers report that the proof-of-concept rogue certificate they created is accepted as valid by most web browsers.

Microsoft Internet Explorer XML Parsing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 17241, Version 5, December 17, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-4844
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or crash the browser, resulting in a denial of service condition. Proof-of-concept code is available. Microsoft has confirmed the vulnerability and released updated software. Reports indicate that websites are actively exploiting this vulnerability to install malicious software on vulnerable systems.

Microsoft Windows WordPad Text Converter File Handling Memory Corruption Vulnerability
IntelliShield Vulnerability Alert 17238, Version 2, December 16, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-4841
Microsoft Windows contains a vulnerability in the WordPad Text Converter that could allow an unauthenticated, remote attacker to corrupt memory and execute arbitrary code on the system. Microsoft has confirmed the vulnerability, but updated software is not yet available. Reports indicate that the vulnerability is being actively exploited; several antivirus vendors detect exploit files that install additional malicious code on the targeted system, including backdoor trojans that could give attackers unauthorized access to infected systems. Exploitation of a vulnerability for which no patch exists is commonly referred to as a zero-day attack.

Physical

Attempted Robbery of TED2009 Conference Access Badge

Photographer and technologist James Duncan Davidson recently had an encounter with an assailant who attempted to steal his badge for the Technology, Entertainment, Design 2009 (TED2009) conference. TED is an annual conference that only invited participants may attend. The program consists of short speeches from 50 people who are considered "thinkers and doers." The assailant attempted to steal the access badge by assaulting and threatening Davidson on his way back to his hotel. Davidson, who refused to relinquish his badge, was able to break free of the attacker's grasp and get help from local police. The identity of the attacker has yet to be determined.

IntelliShield Analysis: When attending conferences or similar events that require identification, participants are advised to keep security badges and access passes hidden when leaving the establishment. This rule can also apply to employees leaving their place of business. Someone who can obtain the access pass could easily circumvent security by replacing the photo or information contained on the badge. A security check that requires two or more forms of identification may help mitigate such an attack; however, a determined attacker may be able to obtain the necessary information. In the event of a security breach, organizations are advised to ensure data is protected using physical security and environmental controls for equipment, as well as personnel controls that limit exposure to disgruntled current or former employees. In addition, companies are advised to implement a plan to notify or alert the proper authorities in case of a breach.

Legal

Fugitive Accused of Fraudulent VoIP Services Arrested in Mexico

Edwin Pena, who was first arrested in 2006 on fraud charges related to VoIP services and subsequently fled the United States, has been taken into custody by Mexican authorities. Pena, along with Robert Moore, is accused of compromising the networks of 15 VoIP service providers and then selling access to VoIP service routed through the compromised networks. He is charged with selling more than 10 million minutes of air time, earning more than US$1 million for himself. The United States is seeking his extradition from Mexico to face these charges in court.

IntelliShield Analysis: Pena and Moore ran extensive scans against telephone carriers' networks looking for unsecured systems; they reportedly conducted six million port scans against the AT&T network alone. The pair then used stolen administrative credentials to reprogram routers to accept VoIP traffic from their customers, and used brute-force guessing of the proprietary codes that the networks use to authorize incoming calls. Fortunately, providers had been auditing the use of their VoIP services, which helped detect the activities of Pena and Moore; the same audit records greatly aided law enforcement officials in compiling evidence against the pair.

Trust

Information Security Vendor Websites Compromised

A Romanian security researcher exposed SQL injection vulnerabilities in websites that are associated with F-Secure, Kaspersky, and a reseller for BitDefender. The researcher exploited the vulnerabilities in an attempt to access information from the databases associated with these sites. In all cases, the researcher posted details of the attacks, including screen shots, on a blog.

IntelliShield Analysis: The exposed flaws caused considerable embarrassment for each of the affected companies. In the case of usa.kaspersky.com/support, the researcher exploited a flaw in code developed by a third-party organization. In all cases, the exposure highlighted the need for organizations to thoroughly review all code on their websites, including code supplied by third parties. SQL injection is an increasingly popular way to compromise websites: attackers can leverage code flaws on poorly secured sites to access sensitive information, modify data, or, in some cases, host malicious code on the target website. Parameterized queries and least-privilege database accounts limit what an injected query can read or change even when a flaw is missed in review.

Identity

Kaiser Permanente Data Breach Detected

Kaiser Permanente recently notified 29,500 of its northern California employees that their personal information has been compromised. This information includes names, addresses, birth dates, phone numbers, and Social Security numbers. The compromised information was found by law enforcement in a file seized from a suspect who, reports indicate, is not a Kaiser employee. Some employees have already reported identity theft related to this breach.

IntelliShield Analysis: Kaiser Permanente is working with law enforcement to investigate this incident further. To help prevent incidents of this kind, organizations are encouraged to review how they monitor the flow of data. A complex combination of controls may be needed, but the key is to identify where sensitive information is stored and to track its movement from that point. Because information from this breach has already been used to conduct fraud, the victims of the breach should be on high alert for other malicious activity.

Data Breach Strikes the Federal Aviation Administration

The United States (U.S.) Federal Aviation Administration (FAA) has revealed that the personal information of 45,000 employees and retirees was accessed by an attacker who gained access to two files on an FAA computer system. The information in these files includes names, Social Security numbers, and encrypted medical information. No evidence of identity theft has been reported, but all employees are advised to watch for signs of malicious activity.

IntelliShield Analysis: FAA officials reported that this incident was the first of its kind at the agency. Many organizations either find monitoring the movement of personal information difficult or have failed to implement the level of control required; both shortcomings make data leakage and insider threats hard to detect, prevent, or measure.

Human

Multiple Sources Indicate Rising Levels of Cybercrime

Multiple sources—from the U.S. Federal Bureau of Investigation, to local police departments, to experts at the recent World Economic Forum in Davos, Switzerland—are warning of the increasing threats of cybercrime. Although many of these reports point to organized crime groups for increasingly sophisticated attacks, a growing number of less-sophisticated attacks and scam operations are being carried out on a smaller scale. Local police quoted in one article indicate the normal rate of one to three cybercrime complaints per week has grown to an average of 20. The current macroeconomic conditions may account for some of this increase and could continue to drive the numbers higher.

IntelliShield Analysis: It appears that many of these recent scam operations are occurring through popular auction and trading sites, as well as localized text messaging scams that target smaller financial institutions. Users of these sites and smaller local financial institutions may be more susceptible to these scams because of a higher level of trust and familiarity. While police are continuing to improve their cybercrime investigation units, users should increase their sensitivity to these types of scams and use additional caution when using these sites and when handling e-mail and text messages. Operators of these sites and financial institutions can assist users with the reporting of suspicious activity and determining the validity of messages, offers, and payments.

Geopolitical

Vodafone Warns of Regulation Creep

Following food riots in Egypt in March 2008, Egyptian authorities required United Kingdom–based Vodafone to hand over communications data for use in tracking down activist organizers, according to a Vodafone executive. At about the same time, Egypt also pressed mobile phone companies to bar anonymous users for public security reasons. The Vodafone executive warned an audience at an industry event that the move was emblematic of what she called the "scope creep" of telecommunications regulatory requirements that are levied by many governments around the world.

IntelliShield Analysis: Companies that handle personal user data encounter considerable risk when they submit to the complexities of global telecommunications regulations. As the Vodafone executive pointed out, the specifics of a given regulation may be interpreted broadly by the host government, particularly in a situation where law enforcement authorities perceive that national security is at stake. Repercussions can be significant, as evidenced by the damage to the reputation of Internet portal Yahoo! last year when it was accused of giving identifying information to Chinese authorities, leading to the arrest of Chinese political activists. At this time, there is no international agreement defining the rights and responsibilities of telecommunications companies regarding the protection of customer data. Until such a framework can be established, companies that handle personal information and are considering expansion into new markets will be wise to carefully consider regulatory issues. These companies are advised to take into account not only the specifics of existing regulations but also the potential for those regulations to be interpreted according to the interests of the host government.

Upcoming Security Activity

Black Hat DC 2009: February 16–19, 2009
Financial Cryptography and Data Security '09: February 23–26, 2009
InfoSec World 2009: March 7–13, 2009
CanSecWest Vancouver 2009: March 16–20, 2009
Black Hat Europe 2009: April 14–17, 2009
RSA Conference 2009: April 20–24, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
