
Cyber Risk Report

January 5–11, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity levels from 2008 increased 6.8 percent from those of 2007.  IntelliShield analysts published 442 more alerts in 2008.  A portion of the overall rise in activity can be attributed to a rise in alerts revised because of vendor responses or the release of additional information.  The number of new alerts actually fell by 47.  Despite the drop in new alerts, IntelliShield analysts produced reports for almost two hundred more previously undisclosed vulnerabilities in 2008 than in 2007.

On December 30, IntelliShield reported on a weakness in the Internet Public Key Infrastructure, which is used to issue digital signatures and certificates for secure websites.  This weakness is detailed in IntelliShield alert 17341.  Attackers could leverage this weakness to create false Certification Authority certificates that web browsers would accept as valid.  This exploit technique helps defeat a layer of security to aid phishing sites that are designed to steal user information or host malicious code.

An independent security researcher released information regarding a technique for exploiting vulnerabilities across multiple versions of Cisco IOS Software that are running on the PowerPC platform.  The release was a part of a presentation at the 25th Chaos Communication Congress (25C3).  This technique is based on using predictable memory addresses for specific versions of the ROMMON boot loader, which are common across multiple versions of Cisco IOS Software.  In some cases, an attacker may be able to use this technique to create a single exploit that would work on multiple versions of Cisco IOS Software, but specific conditions must exist for the exploit to be successful.

Numerous holiday-themed malware continued to emerge over the past couple of weeks, including W32.Waledac.  W32.Waledac is a worm that is being widely distributed and disguises itself as a harmless Christmas e-card.  If the user is fooled into opening the malicious e-card attachment, the worm is installed on the system.  Once installed, the worm opens a back door, downloads additional files, and may cause network congestion and flood e-mail servers with its mass-mailing routine.  This worm is documented in IntelliShield alert 17327.

A variant of W32/Conficker.worm continued to exploit the Microsoft Windows Server Service remote procedure call (RPC) request handling code execution vulnerability this week.  The worm, also known as Downadup, continues to attempt to exploit the MS08-067 vulnerability.  When installed, the worm starts an HTTP server, downloads and executes additional malicious files, and modifies the system registry.  Administrators are advised to apply the MS08-067 Microsoft update to prevent attacks by this worm.  This worm is documented in IntelliShield alert 17121.

Microsoft released the Advanced Notification for the January 2009 security bulletin release.  Microsoft scored the one bulletin scheduled for release with a maximum severity rating of Critical.  The bulletin addresses vulnerabilities in the Microsoft Windows operating system.  Microsoft also responded to reports pertaining to a previously undisclosed vulnerability in the Windows Media Player.  This vulnerability is detailed in IntelliShield alert 17338.  The original reports from third-party sources claimed a remote attacker could use crafted media files to execute arbitrary code on the target user's system.  The Microsoft response indicated that although the vulnerability exists, the impact of a successful attack would likely be limited to a crash of Windows Media Player.

Oracle has also issued its pre-release announcement for the January 2009 Oracle Critical Patch Update (CPU).  The January 2009 CPU will include 41 security vulnerabilities, including nine unauthenticated remotely exploitable vulnerabilities.

IntelliShield published 140 events last week: 24 new events and 116 updated events.  Of the 140 events, 125 were Vulnerability Alerts, eight were Security Issue Alerts, four were Security Activity Bulletins, and three were Malicious Code Alerts.  The alert publication totals are as follows:

Weekly Alert Totals

Day           Date        New  Updated  Total
Friday        01/09/2009    3       34     37
Thursday      01/08/2009    4       31     35
Wednesday     01/07/2009    5       29     34
Tuesday       01/06/2009    4        6     10
Monday        01/05/2009    8       16     24
Weekly Total               24      116    140

2008 Monthly Alert Totals

Month          New  Updated  Monthly Total
January        178      452            630
February       243      452            695
March          257      402            659
April          209      430            639
May            210      318            528
June           189      360            549
July           176      464            640
August         189      328            517
September      211      379            590
October        206      318            524
November       149      302            451
December       213      333            546
Annual Total  2430     4538           6968

Previous Alerts That Still Represent Significant Risk

Weak MD5 Cryptographic Algorithm Allows for Certification Authority Certificate Spoofing Attacks
IntelliShield Security Activity Bulletin 17341, version 4, January 9, 2009
Urgency/Credibility/Severity Rating: 2/5/3
Security researchers have identified a weakness in the Internet Public Key Infrastructure (PKI), which is used to issue digital signatures and certificates for secure websites.  The attack is possible because of advances in cryptographic research that target the MD5 cryptographic hash function.  Attackers could construct Certification Authority (CA) certificates that have the same MD5 hash as a valid CA certificate to impersonate trusted root CA certificates.  Successful MD5 collisions allow attackers to impersonate root CA certificates that rely on the weak MD5 algorithm.  Root CAs that do not rely on the MD5 algorithm cannot be impersonated using this attack.  The researchers claim that the proof-of-concept rogue certificate they have created is accepted as valid by most web browsers.
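One defender-side check for the MD5 weakness described above, added here as an example and not taken from the report: a Python walk over each certificate's DER encoding that flags any certificate in a chain whose signatureAlgorithm is an MD5-based OID. The sample chain is constructed inside the code (a stand-in tbsCertificate with a real AlgorithmIdentifier) so it runs offline, and the CA names are hypothetical.

```python
# Added example, not part of the Cisco report: flag certificates whose signature
# relies on MD5, the weakness IntelliShield alert 17341 describes.  The small DER
# encoder only builds constructed samples; the checker reads signatureAlgorithm,
# always the second element of a DER Certificate, so it works on real certs too.
MD5_RSA_OID = "1.2.840.113549.1.1.4"   # md5WithRSAEncryption (PKCS#1)
SHA1_RSA_OID = "1.2.840.113549.1.1.5"  # sha1WithRSAEncryption, for the sample only
MD5_SIG_OIDS = {MD5_RSA_OID, "1.3.14.3.2.3"}  # PKCS#1 and OIW md5WithRSA


def der(tag, content):
    """Tag + short-form length + content (constructed samples stay below 128 bytes)."""
    return bytes([tag, len(content)]) + content


def encode_oid(dotted):
    """OBJECT IDENTIFIER content bytes from dotted notation (base-128 arcs)."""
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for arc in parts[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out.extend(chunk)
    return bytes(out)


def decode_oid(content):
    """Dotted notation from OBJECT IDENTIFIER content bytes."""
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos):
    """(tag, content, next_pos) for the DER element at buf[pos]; handles long lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def signature_algorithm(cert_der):
    """Dotted OID of a DER X.509 certificate's outer signatureAlgorithm."""
    tag, cert, _ = read_tlv(cert_der, 0)   # Certificate ::= SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, pos = read_tlv(cert, 0)          # skip tbsCertificate
    _, alg, _ = read_tlv(cert, pos)        # AlgorithmIdentifier ::= SEQUENCE
    oid_tag, oid, _ = read_tlv(alg, 0)     # algorithm OBJECT IDENTIFIER
    assert oid_tag == 0x06, "expected OID"
    return decode_oid(oid)


def md5_signed_certs(chain):
    """Names of (name, der) entries whose signature relies on MD5."""
    return [name for name, c in chain if signature_algorithm(c) in MD5_SIG_OIDS]


def sample_cert(sig_oid):
    """Constructed minimal Certificate: stand-in tbsCertificate, real AlgorithmIdentifier."""
    tbs = der(0x30, der(0x02, b"\x01"))                               # SEQUENCE { INTEGER 1 }
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))  # { OID, NULL }
    sig = der(0x03, b"\x00" + b"\xaa" * 16)                           # BIT STRING placeholder
    return der(0x30, tbs + alg + sig)


# Constructed chain (hypothetical names): a CA still signing with MD5 beside one on SHA-1.
SAMPLE_CHAIN = [("Example MD5 Root CA", sample_cert(MD5_RSA_OID)),
                ("Example SHA-1 Intermediate", sample_cert(SHA1_RSA_OID))]
```

On a real chain, pass each certificate's DER bytes (for example the contents of a .cer file) in place of the constructed samples.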

Microsoft Internet Explorer XML Parsing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 17241, version 5, December 17, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-4844
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a crash of the browser, resulting in a denial of service condition.  Proof-of-concept code is available.  Microsoft has confirmed the vulnerability and released updated software.  Reports indicate that known websites are attempting to exploit this vulnerability to install malicious software on vulnerable systems.

Microsoft Windows WordPad Text Converter File Handling Memory Corruption Vulnerability
IntelliShield Vulnerability Alert 17238, version 2, December 16, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-4841
Microsoft Windows contains a vulnerability within the WordPad Text Converter that could allow an unauthenticated, remote attacker to corrupt memory and execute arbitrary code on the system.  Microsoft has confirmed the vulnerability, but updated software is not currently available.  Reports indicate that this vulnerability is actively being exploited and several antivirus vendors are detecting exploits that install additional malicious code on the targeted system. Other exploits contain a backdoor trojan, which could provide attackers with unauthorized access to vulnerable systems.  This tactic is commonly referred to as exploiting a zero-day vulnerability.

Adobe Acrobat Products util.printf() Function Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 16999, version 8, November 26, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-2992
Adobe Acrobat Professional, 3D, and Standard and Adobe Reader contain a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user.  A variant of the Pidief family of trojans, as described in IntelliShield alert 14388, is actively exploiting this vulnerability in the wild.  Adobe has confirmed the vulnerability and released updated software.  Administrators are advised to apply the appropriate updates and to ensure that current antivirus definitions are installed.  Users should also be cautious of unsolicited PDF files that may arrive via e-mail messages.

Microsoft Windows Server Service Remote Procedure Call Request Handling Code Execution Vulnerability
IntelliShield Vulnerability Alert 16941, version 3, October 24, 2008
Urgency/Credibility/Severity Rating: 3/5/5
CVE-2008-4250
Microsoft Windows contains a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to create a denial of service condition or execute arbitrary code.  Exploit code is publicly available.  The Troj/Gimmiv-A, W32.Kernelbot.A, and W32.Wecorl worms are also actively exploiting this vulnerability to install themselves on target systems.  Additional information about these worms is available in IntelliShield alerts 16947, 16985, and 16994.  Microsoft has confirmed the vulnerability and released software updates.  Administrators are advised to apply the appropriate updates and to ensure that current antivirus definitions are installed.

Physical

Police Officer Shooting Sparks Investigation

Two videos of a police officer shooting have initiated an investigation to determine the events that occurred on New Year's Day at a Bay Area Rapid Transit (BART) station in Oakland, California.  The police officer under investigation shot an unarmed man in the back around 2:00 a.m. (0200) after detaining two groups of passengers.  Reports allege that the 22-year-old victim was cooperating with officials.  The community is mourning the loss and awaiting further details because information is currently being withheld to avoid compromising the investigation.

IntelliShield Analysis: Media reports indicate the community is anxious to hear the conclusion of the investigation and has already rallied against BART outside its headquarters in Oakland.  The victim's family attorney, John Burris, has filed a US$25 million claim with BART citing "wrongful death and violation of civil rights by use of excessive force."  With the spread of video-capable cell phones, several videos of the incident were recorded, submitted to the local media outlet KTVU-TV, and posted to multiple websites.  These posted videos may have added to the outrage and community backlash.  The protests have caused local damage and interruptions to businesses.  Organizations are encouraged to maintain updated continuity plans and keep employees informed about procedures and expectations when faced with upheaval within the community.

Legal

United States Department of Homeland Security Requires Certification

The Voluntary Private Sector Preparedness Certification is being developed by ANSI at the request of the United States (U.S.) Department of Homeland Security (DHS) and under Public Law 110-53, which was signed August 3, 2007.  The program was officially announced on July 30, 2008 and is scheduled to be in place by February 14, 2009.  The goal of this currently voluntary program is to enhance nationwide resilience in all hazardous environments by improving private sector preparedness and resiliency.  As of today, there are no set standards for this program, and private industry has been asked to submit comments on it.

IntelliShield Analysis: Industry did not find out about this program until late in the game but was instrumental in getting the word "voluntary" inserted into the law.  Industries have expressed many concerns about having the U.S. government mandate how to prepare for and respond to disasters.  Even though the word "voluntary" has been inserted, the Government Supply Agency (GSA) has already stated unofficially that it will require certification before signing contracts.  One remaining question we have is this: "How deeply will the GSA require this certification?"  Because it was signed into law, the new administration cannot stop the requirement, but it can change it drastically.  Many industry and academic groups are now trying to set up working groups to advise the new administration and DHS.  It remains to be seen whether any of these attempts will influence the final outcome.

Kentucky Court of Appeals to Rule on State's Attempt to Seize Domain Names

A state court ruling that the U.S. state of Kentucky could seize the Internet domain names of 141 gambling sites is now up for appeal.  The original ruling would allow Kentucky to take ownership of the domain names in question even if they were not registered in Kentucky, and even if the owners of the domains do not reside in Kentucky.

IntelliShield Analysis: The original ruling was willing to make exceptions for sites that implement Internet blocking technology to prevent Kentucky citizens from accessing the gambling sites.  However, the arguments in the appeal contend that such technology is not always accurate and can be bypassed by users via widely available technologies such as Tor.  Selective blocking is also argued to be prohibitively expensive.  If the appeal does not overturn the original court ruling, the ruling would set a new precedent: any U.S. state could potentially seize control of the Internet domain name of any domain that hosts a website providing a service that is illegal in that state.  Although this would prevent access from that state to such sites, it would also prevent access by users in any other U.S. state.  If the ruling is upheld, it could have far-reaching consequences for many Internet businesses that operate in the United States.

Trust

The End of Digital Rights Management for Music?

The Recording Industry Association of America (RIAA) and Apple announced that iTunes stores will now offer music files without digital rights management (DRM) protection.  The RIAA has been steadily withdrawing from its previous position of filing lawsuits against illegal music downloaders, universities, and service providers, and is now working with companies and the industry.  The new strategy is to make the music available and protect against piracy by continuing to pursue lawsuits against only the largest piracy operations.  The music downloads without DRM protection will be available for sale, and previously purchased music can be upgraded to the non-DRM format.

IntelliShield Analysis: The RIAA strategy of DRM and lawsuits was seen by many as doomed from the start, primarily because it was attempting to oppose a market shift driven by consumer demand and the availability of improved technologies.  While the strategy has had limited success against P2P networks and large piracy operations, it also targeted and alienated the music industry's largest consumer groups.  It has taken the RIAA nearly 5 years and an unknown amount that is likely in the millions of dollars (U.S.) to conclude that the strategy was limited and to provide a solution that protects the revenues of the industry while meeting the demands of the users.  Similarly, heavy-handed security policies are seldom successful.  Security policy developers should consider solutions that work with users, employees, and businesses and accommodate the security and legal demands of those groups.

Human

LinkedIn Distributing Malware

Attackers have created several fake celebrity profiles on the LinkedIn social networking website to distribute malware.  The false celebrity accounts claim to have nude photos of the celebrity or other enticing media content to lure unsuspecting users.  If the user chooses to follow the malicious link on the celebrity's profile, the user is taken to a website that is hosting malware that is ultimately installed on the user's system.

IntelliShield Analysis: Social networking sites are increasingly the choice for cybercriminals, and IntelliShield expects attacks of this nature to continue increasing.  The success rate of such attacks is fairly high because of the available user base and the fact that the fake celebrity profiles were being indexed by Google.  Users of social networking sites are advised to use extreme caution when visiting other users' profiles and to verify the authenticity of links on online pages.  For assistance in verifying links or any other URLs, users can employ the IronPort Security Network E-mail and Web Reputation Tool on the SenderBase website.  LinkedIn is aware of the false profiles and is in the process of removing them.

Twitter Accounts Compromised

Accounts on the Twitter web service have been compromised by a brute-force dictionary attack.  The attacker identified and compromised an account belonging to a Twitter staff member and then used that privileged account to access other high-profile Twitter accounts, such as those owned by politicians and celebrities.  Twitter has reportedly conducted a security review of the service and made security improvements to prevent similar attacks in the future.

IntelliShield Analysis: The attack on Twitter was unimpeded because protections against brute-force attacks were missing.  The publicly exposed administrative account and high-profile user accounts created an attractive target.  Businesses are advised to consider the potential risk of using third-party services, such as Twitter, as part of business operations.  These third-party services may not have the same standards for monitoring and securing sensitive information as the businesses themselves.

Geopolitical

Middle East Conflict Inflames the Internet

Parallel to the escalation of hostilities between Israel and the Palestinian Territories in the past 2 weeks is a corresponding expansion of its Internet corollary.  According to a variety of sources, more than 10,000 Israeli websites have been defaced.  Targets included such high-profile sites as ynetnews.com and israelairlines.com, both defaced by a Moroccan hacking team that accessed the sites from a New York–based server.  Second Life Israel has been infiltrated by sympathizers to the Palestinian cause, with the majority of attacks originating from countries in the region.  Threatening e-mail and text messages are reportedly being sent back and forth across the borders. Hamas websites have also been suppressed for months by Israeli hackers, with the assistance of a botnet known as help-israel-win.net, reports say.

IntelliShield Analysis: Although defacing websites and sending threatening text messages is tame compared to the impact of rockets and bullets, the implications of individually waged Internet warfare are immense, particularly because of its uncontrollable and scalable nature. The current Israeli-Palestinian hostilities—in part because they involve fairly plugged-in players—may demonstrate more clearly than any preceding armed confrontation the potential impact that can be had by individuals anywhere who are armed only with Internet connections.  The damage goes far beyond denial of service attacks; Israeli air attacks have taken out cellular and land-based communications across the Gaza Strip intentionally, just as they have blocked international reporters from crossing into Gaza.  The Israeli military recognition of the strategic value of individual wireless communications was further demonstrated when soldiers, prior to participating in the ground offensive, were required to surrender their cell phones.  The Internet activity also includes postings of videos, dissemination of actual and malicious news reports, and the creation of support groups on social networking sites at a level that has not been seen in previous conflicts.

Upcoming Security Activity

United States Presidential Inauguration: January 20, 2009
Networkers Barcelona: January 26–29
2009 U.S. Department of Defense Cyber Crime Conference: January 26–30, 2009
World Economic Forum: January 28–February 1, 2009
ShmooCon 2009: February 6–8, 2009
Black Hat DC 2009: February 16–19, 2009
Financial Cryptography and Data Security '09: February 23–26, 2009
CanSecWest Vancouver 2009: March 16–20, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
