Cyber Risk Report: January 12–18, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity levels remained consistent with those of similar time periods in January 2008. The activity was highlighted by security advisories released by several major vendors. Microsoft released its security bulletin for January 2009. The bulletin addressed three vulnerabilities in the Microsoft Windows operating system's handling of the Server Message Block (SMB) protocol. Vulnerabilities of this type can be leveraged by attackers to develop malicious code that propagates among poorly configured systems that do not adequately protect TCP ports 139 and 445. One particularly dangerous scenario involves users bringing infected systems inside a corporate network: once the malicious code has bypassed the network's perimeter defenses in this way, it may find little or no resistance on the internal network.
While no exploit or malicious code has been identified targeting these specific vulnerabilities, previous SMB worms have had severe impact on the network environments they penetrated. Cisco Security Intelligence Operations detected significant activity involving misleading Barack Obama inauguration e-mails on January 17, 2009, timed for the presidential inauguration on January 20, 2009. The e-mail messages carry subject lines about Barack Obama's readiness to become the next president and suggest that the new president is not ready for the position. The message body contains a link to one of several domains hosting a malicious executable file. If the recipient follows the link and executes the file, the user's machine is infected with a copy of the W32/Waledac worm, which is documented in IntelliShield Alert 17327. Details of the Barack Obama inauguration threat outbreak are available in IntelliShield Alert 17421. Spam campaigns routinely exploit current popular events to entice users; users should be made aware of these tactics and reminded of the threats surrounding high-profile events as they approach. Oracle released its critical patch update for January 2009, which covered 41 distinct vulnerabilities. Independent security researchers released technical details describing eight of those vulnerabilities. Of particular importance were vulnerabilities affecting the Oracle Secure Backup server and the Oracle WebLogic Server, many of which can be exploited remotely without prior authentication. Examples of these vulnerabilities are described in IntelliShield alerts 17409, 17410, and 17420. Research In Motion released security advisories and updated software to address three vulnerabilities affecting multiple BlackBerry products. The vulnerabilities are described in IntelliShield alerts 17388, 17399, and 17400. All three vulnerabilities reside in the PDF Distiller component of the BlackBerry Attachment Service and can be exploited via malicious PDF documents.
Such documents are commonly used in business and academic settings, and the ubiquitous nature of PDF files may aid attackers: users may be willing to open PDF files from untrusted sources because the file type is perceived as safe and non-executable. Cisco released a security advisory to address vulnerabilities in the Cisco IronPort Encryption Appliance and a security response to address cross-site scripting vulnerabilities in Cisco IOS. The security response for Cisco IOS is especially noteworthy because it was released outside the normal schedule for Cisco IOS advisories, as part of a coordinated release of proof-of-concept code by a security researcher. Exploitation of the MS08-067 vulnerability by W32/Conficker.worm, also known as Downadup, continued this week. Numerous reports indicate that the worm has infected millions of machines, although these counts have not been confirmed. Cisco Security Research and Operations has tested Cisco Security Agent and verified that it prevents the malicious actions initiated by active exploitation of the MS08-067 vulnerability, which could limit the worm's attempts to propagate by this method. The worm is documented in IntelliShield alert 17121, and multiple mitigation methods are included in Cisco Applied Mitigation Bulletin 16944. IntelliShield published 165 events last week: 44 new events and 121 updated events. Of the 165 events, 138 were Vulnerability Alerts, eight were Security Issue Alerts, seven were Threat Outbreak Alerts, five were Security Activity Bulletins, three were Malicious Code Alerts, three were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals
Previous Alerts That Still Represent Significant Risk

Weak MD5 Cryptographic Algorithm Allows for Certification Authority Certificate Spoofing Attacks
Security researchers have identified a weakness in the Internet Public Key Infrastructure (PKI), which is used to issue the digital certificates and signatures that secure websites depend on. The attack is possible because of advances in cryptographic research against the MD5 hash function. Attackers could construct a rogue Certification Authority (CA) certificate whose MD5 hash collides with that of a certificate legitimately issued by a CA that still signs with MD5; the CA's signature on the legitimate certificate then also validates the rogue CA certificate, which can in turn be used to issue certificates for arbitrary sites that chain to a trusted root. Only CAs that still sign certificates with MD5 are affected; certificates signed with SHA-1 or stronger cannot be forged by this attack. The researchers report that the proof-of-concept rogue certificate they created is accepted as valid by most web browsers.

Microsoft Internet Explorer XML Parsing Arbitrary Code Execution Vulnerability
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or crash the browser, resulting in a denial of service condition. Proof-of-concept code is available. Microsoft has confirmed the vulnerability and released updated software. Reports indicate that known websites are attempting to exploit this vulnerability to install malicious software on vulnerable systems.

Microsoft Windows WordPad Text Converter File Handling Memory Corruption Vulnerability
Microsoft Windows contains a vulnerability in the WordPad Text Converter that could allow an unauthenticated, remote attacker to corrupt memory and execute arbitrary code on the system. Microsoft has confirmed the vulnerability, but updated software is not currently available.
Reports indicate that this vulnerability is being actively exploited, and several antivirus vendors detect exploits that install additional malicious code on the targeted system. Other exploits contain a backdoor trojan that could provide attackers with unauthorized access to infected systems. Exploitation of a vulnerability before the vendor has released a fix is commonly referred to as a zero-day attack.

Adobe Acrobat Products util.printf() Function Buffer Overflow Vulnerability
Adobe Acrobat Professional, Acrobat 3D, Acrobat Standard, and Adobe Reader contain a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. A variant of the Pidief family of trojans, described in IntelliShield Alert 14388, is actively exploiting this vulnerability in the wild. Adobe has confirmed the vulnerability and released updated software. Administrators are advised to apply the appropriate updates and to ensure that current antivirus definitions are installed. Users should also be cautious of unsolicited PDF files that arrive via e-mail.

Microsoft Windows Server Service Remote Procedure Call Request Handling Code Execution Vulnerability
Microsoft Windows contains a buffer overflow vulnerability in the Server service (the vulnerability addressed by MS08-067 and exploited by Conficker, as noted above) that could allow an unauthenticated, remote attacker to create a denial of service condition or execute arbitrary code. Exploit code is publicly available. The Troj/Gimmiv-A, W32.Kernelbot.A, and W32.Wecorl worms are also actively exploiting this vulnerability to install themselves on target systems. Additional information about these worms is available in IntelliShield alerts 16947, 16985, and 16994. Microsoft has confirmed the vulnerability and released software updates. Administrators are advised to apply the appropriate updates and to ensure that current antivirus definitions are installed.
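The MD5 certificate weakness listed above is exploitable only against certificates whose signature was computed over an MD5 digest, so the practical check for an operator is to inspect the signatureAlgorithm of every certificate in a chain (intermediates and end-entity certificates; a self-signed root is trusted by its presence in the trust store, so its own signature algorithm is irrelevant). The following Python is an added example written for this report, not code from Cisco, Microsoft, or the researchers cited; it walks the DER structure with the standard library only, and the toy certificates it builds (empty tbsCertificate, dummy signature) are constructed test input, not real certificates.

```python
import base64

# Signature AlgorithmIdentifier OIDs (RFC 3279, RFC 4055, RFC 5758).
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK_SIGNATURES = {"md5WithRSAEncryption"}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Convert OBJECT IDENTIFIER content octets to dotted notation."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:                    # clear high bit ends a base-128 arc
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def load_der(data):
    """Accept PEM or DER bytes; return DER."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l.strip() for l in data.splitlines() if not l.startswith(b"-----"))
        return base64.b64decode(body)
    return data


def signature_algorithm(der):
    """Return the name (or dotted OID if unknown) of the outer signatureAlgorithm."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a DER SEQUENCE")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, _tbs, pos = _read_tlv(cert, 0)           # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)       # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    oid_tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("Malformed signatureAlgorithm")
    dotted = _decode_oid(oid)
    return SIG_OIDS.get(dotted, dotted)


def is_weakly_signed(der):
    """True when the certificate's signature was computed over an MD5 digest."""
    return signature_algorithm(der) in WEAK_SIGNATURES


# --- constructed test data (toy structures, not real certificates) ----------
def _tlv(tag, value):
    """DER-encode one TLV with short- or long-form length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def toy_certificate(sig_oid):
    """Constructed stand-in: Certificate SEQUENCE with an empty tbsCertificate,
    the given signature AlgorithmIdentifier (NULL params) and a dummy signature."""
    tbs = _tlv(0x30, b"")
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")
    sig = _tlv(0x03, b"\x00" + bytes(16))     # BIT STRING, zero unused bits
    return _tlv(0x30, tbs + alg + sig)


def to_pem(der):
    """Wrap DER as PEM (used here only to exercise load_der)."""
    b64 = base64.encodebytes(der).replace(b"\n", b"")
    return b"-----BEGIN CERTIFICATE-----\n" + b64 + b"\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        cert = toy_certificate(oid)
        print(signature_algorithm(cert), "WEAK" if is_weakly_signed(cert) else "ok")
```

On a real deployment, run is_weakly_signed(load_der(open(path, "rb").read())) over each member of a served chain; an MD5-signed intermediate or end-entity certificate is the condition this attack needs. Unknown algorithms fall through as dotted OIDs rather than being silently treated as strong, so anything outside the table is still visible to the reviewer.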
Physical

Recession Leads to Unmonitored CCTV Surveillance Cameras
Due to the current recession, police officials in the United Kingdom are tightening budgets where possible, which in some cases leaves CCTV surveillance cameras unmonitored. In Worcester, costs for CCTV cameras have totaled 500 million euros over the past ten years. Plans to reduce operating costs include limiting the personnel required to monitor the cameras, which could save 4.3 million euros. In the United States, researchers conducted a test to determine whether placing unmonitored cameras in high-crime areas would reduce overall crime. Results indicated a 20 percent reduction in property crime, while other crimes remained unchanged. However, it has been reported that CCTV video assisted Scotland Yard in solving crimes in 86 of 90 investigations.

IntelliShield Analysis: Without personnel available to monitor video feeds in real time, criminals will likely continue to succeed in executing crimes. However, CCTV footage does appear to play a vital role after the fact, as forensic evidence when solving cases. Despite the ongoing controversy over privacy invasion through surveillance and the lack of resources to monitor feeds, law enforcement agencies will likely continue to use such tools, even if budget cuts prevent them from using installed cameras to their full potential. Organizations should carefully consider the role of their surveillance systems and the objectives behind their use, whether real-time monitoring, post-incident forensics, or a combination of the two. The deployment, staffing, storage, and operation of those systems should align with that role and those objectives to gain maximum benefit.

Legal

There was no significant activity for this time period.
Trust

Information Security Experts Release List of 25 Most Dangerous Coding Errors
The SANS Institute and MITRE Corporation released a list of the 25 most dangerous errors made by software developers, as they relate to security vulnerabilities and exploits. The list was developed through a collaboration of over 30 information security organizations. The individual errors are enumerated using MITRE's CWE identifiers and organized into three categories: Insecure Interaction Between Components, Risky Resource Management, and Porous Defenses.

IntelliShield Analysis: The list focuses on the most dangerous security errors; according to the SANS Institute, two of the errors alone led to over 1.5 million compromised web sites in 2008. By focusing on preventing and correcting these most common and dangerous errors, organizations can mitigate a large number of vulnerabilities. Such a list has multiple uses. Educators may choose to place particular emphasis on the noted errors when teaching secure coding practices, and employers may wish to consider hiring candidates whose educational background covers the topics on this list. Software developers can place special emphasis on testing for these types of errors, and executives can use the list to refine software testing procedures. Corporations and individuals may even choose to consult the list when making software purchases. The list is not all-inclusive, and other errors may affect some vendors' products more prominently, but in general it provides a strong common reference for all software developers.

Identity

Continental Airlines Reports Stolen Laptop
Continental Airlines has reported that a laptop was stolen from one of the airline's offices sometime between December 31, 2008 and January 2, 2009.
The laptop contained the names and social security numbers of an undetermined number of people, affecting as few as two New Hampshire residents or as many as 230 people. Currently there is no evidence that the stolen personal information has been used.

IntelliShield Analysis: This loss of data is especially concerning because the information lost may have included fingerprint data. Victims of this type of data theft are at particular risk because they cannot change biometric data such as fingerprints. Many organizations have been affected by the lack of procedures for securing laptops, and it continues to be a challenge for many. The protection of biometric data requires additional emphasis precisely because biometrics cannot be changed. While many organizations are using or considering two-factor authentication with a biometric as one factor, the procedures, storage, and controls around those authentication factors should be given additional review to protect the biometric information and files.

Human

Latvia Coup and Demonstration Organized Online
Latvian government and police officials are investigating the posting of calls to protest and overthrow the government of Latvia. Multiple web sites and social networking sites were used to post calls to protest and to provide details for those actions. The protests did materialize on January 13, 2009 in the city of Riga and led to violent outbreaks and multiple arrests.

IntelliShield Analysis: Businesses should consider similar business and security intelligence measures to monitor for the organization of activities against the company or in the vicinity of its offices. While many such online organizing efforts have resulted in little physical presence, the proliferation of social networking has allowed these attempts to become more effective, timely, and widely distributed.
Geopolitical

European Gas Crisis Drags On
Russian and Ukrainian officials are working with European mediators to restore the natural gas supply to Europe in the midst of severely cold temperatures across the continent. The supply cut-off highlights Europe's dependence on Russia for winter heating; for example, the Russian gas monopoly Gazprom supplies Germany with 40 percent of its gas. Unlike crude oil or coal, which can be shipped by rail or sea, natural gas is best shipped via pipeline, so mitigating over-dependence on one source is a multi-year prospect. The showdown between Russia and Ukraine, now dragging past its second week, has been particularly hard on the Baltic and central European states, which are even more reliant than Germany on pipelines transiting Ukraine. Many businesses with offices in these countries have been forced to close, causing production and service interruptions and requiring extraordinary measures by some business managers to prevent sensitive equipment from freezing during the shutdown.

IntelliShield Analysis: The crisis casts light on several important problems affecting Western Europe, its allies, and companies doing business in the region. For one, Russia appears to prioritize its political agenda with Ukraine over both lost revenues and its reputation as a reliable supplier of energy to Europe and as a reliable business partner. As each party blames the other for obstructing a solution, it becomes clear that the Kremlin is ready to make sacrifices in order to maintain its influence over the Western-leaning Ukraine. Meanwhile, the apparent inability of the European Union to force a solution is rooted in the fact that European countries have each negotiated unilateral energy supply contracts with Russia. This lack of unity is also partly responsible for the failure to establish alternate supply routes, despite the fact that politicization of Russian supply has been a recurring problem.
Finally, for businesses, the crisis underscores the importance of crisis planning and business continuity measures, as well as the potential impact of geopolitical events on any company's bottom line.

Upcoming Security Activity

United States Presidential Inauguration: January 20, 2009
Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.