The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.
Vulnerability
The number of new vulnerabilities identified by IntelliShield analysts decreased during the time period, although many vendors released security and software updates to address previously disclosed vulnerabilities in common applications such as X.Org Xserver, Apache-based web servers, Wireshark, and Adobe Flash Player. Since the release of the January 2008 Oracle Critical Patch Update, surprisingly few details of undisclosed vulnerabilities in Oracle products have been made public. Typically, independent security researchers coordinate the disclosure of vulnerabilities to coincide with the release of each Critical Patch Update, but the January 2008 release has not seen a corresponding release of researcher information.
IBM released security advisories and updated software to address seven previously undisclosed vulnerabilities in the AIX operating system. All of the vulnerabilities are restricted to attackers with local access to the affected system. Attackers could exploit these vulnerabilities to access sensitive information, modify existing packages, cause denial of service conditions, or execute arbitrary code. In some cases, an attacker may take control of targeted systems.
During the time period, the malicious code SymbOS/Beselo, described in IntelliShield Alert 14994, began circulating in Asia. This worm targets mobile phone devices that are running the Symbian S60 2nd Edition platform and propagates over Multimedia Messaging Service (MMS) and Bluetooth connections as files named beauty.jpg, love.rm, or sex.mp3. Most operating systems launch files using an appropriate application, such as an image viewer for .jpg files, or a media player for .mp3 and .rm files. However, the Symbian operating system installer loads files based on file content instead of file extension. Because the files are actually in the Symbian Installation Source (SIS) file format, the files load as applications and initiate a prompt to the user. A user must accept the installation prompt for the infection routine to succeed, and this requirement may limit the effectiveness of this worm. SymbOS/Beselo sends itself to all the contacts located on the mobile phone device. With malicious messages that arrive from seemingly trusted sources, this worm has the potential for a high rate of activity. Users are advised not to accept or install file transfers from unknown parties and should verify the authenticity of unexpected files.
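The content-versus-extension mismatch that Beselo relies on is also what a messaging gateway or handset-side scanner can key on. The following Python detector is an added example, not code from the original report or from Cisco: it identifies a received file by its leading bytes instead of its name and holds any file whose content is a Symbian installation package, or whose content simply disagrees with what its extension claims. The JPEG, RealMedia and MP3 signatures are standard magic numbers; the two SIS identifiers (UID3 0x10000419 at offset 8 for legacy SIS, 0x10201A7A as the first dword for Symbian OS 9 SIS) are assumed from my recollection of the format and should be verified against a known-good package. The sample attachments are constructed, not real malware.

```python
import struct
from dataclasses import dataclass

# Signatures used to identify the real format of a received file from its
# leading bytes rather than from its name. JPEG, RealMedia and MP3 are
# standard magic numbers. The two SIS identifiers are assumed from my
# recollection of the Symbian format; verify them against a known-good
# package before deploying.
LEGACY_SIS_UID3 = 0x10000419    # EPOC / S60 2nd Edition SIS: UID3 at offset 8 (assumed)
SYMBIAN9_SIS_UID1 = 0x10201A7A  # Symbian OS 9.x SIS: first dword (assumed)

# What an extension claims the file to be; anything else maps to "unknown".
EXTENSION_TO_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "rm": "realmedia", "mp3": "mp3"}


def sniff_type(data: bytes) -> str:
    """Classify a file by content, the way the Symbian installer does."""
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:4] == b".RMF":
        return "realmedia"
    if len(data) >= 12:
        uid1, _uid2, uid3 = struct.unpack_from("<III", data, 0)
        if uid3 == LEGACY_SIS_UID3 or uid1 == SYMBIAN9_SIS_UID1:
            return "sis"
    if data[:3] == b"ID3":
        return "mp3"
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"  # bare MPEG audio frame sync, no ID3 tag
    return "unknown"


@dataclass
class Verdict:
    name: str
    claimed: str  # type implied by the extension
    actual: str   # type implied by the content

    @property
    def suspicious(self) -> bool:
        # An installable package under any name is held, and so is any file
        # whose content disagrees with its extension. Unknown content under an
        # unknown extension is left alone; tighten that if the gateway should
        # only pass recognised media.
        return self.actual == "sis" or self.actual != self.claimed


def assess(name: str, data: bytes) -> Verdict:
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return Verdict(name, EXTENSION_TO_TYPE.get(ext, "unknown"), sniff_type(data))


def flag_attachments(attachments) -> list:
    """Names of (name, bytes) attachments a gateway should hold for review."""
    return [v.name for v in (assess(n, d) for n, d in attachments) if v.suspicious]


# Constructed samples (not real files or malware): a genuine JPEG header, an
# ID3-tagged MP3 header, and a fabricated legacy-SIS-style header arriving
# under a media file name, mimicking the trick described above.
SAMPLES = [
    ("beauty.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8),
    ("sex.mp3", b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"\x00" * 8),
    ("love.rm", struct.pack("<IIII", 0x10000000, 0x10003A12, LEGACY_SIS_UID3, 0)),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        v = assess(name, data)
        print(f"{name}: claims {v.claimed}, is {v.actual}, hold={v.suspicious}")
```

Run stand-alone, the block reports which of the constructed attachments would be held; only love.rm, whose bytes are a SIS header, is flagged. The decision is deliberately content-first, because the platform's own installer decides the same way, so a filter that trusts the extension would pass exactly the files the worm sends.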
IntelliShield published 161 events last week: 37 new events and 124 updated events. Of the 161 events, 144 were Vulnerability Alerts, five were Security Issue Alerts, four were Daily Malicious Code Summaries, four were Security Activity Bulletins, two were Malicious Code Alerts, one was an Applied Mitigation Bulletin, and one was the Cyber Risk Report. The alert publication totals are as follows:
Weekly Alert Totals
Previous Alerts That Still Represent Significant Risk
Microsoft Office Excel Malformed Header Handling Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 14951, Version 2, January 17, 2008
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2008-0081
Microsoft Office Excel and Office Excel Viewer contain a vulnerability that could allow an attacker to execute arbitrary code. Reports indicate that attackers are leveraging this vulnerability in targeted, ongoing attacks. No public examples of exploit code have been observed. Attacks against this vulnerability are likely not widespread as details of this vulnerability are still not well known. Microsoft has confirmed the vulnerability in a security advisory; however, no updates are available.
Oracle Critical Patch Update January 2008
IntelliShield Security Activity Bulletin 14949, Version 3, January 23, 2008
Urgency/Credibility/Severity Rating: 2/5/3
Oracle has released the Critical Patch Update Advisory for January 2008. The update provides patches for a total of 26 vulnerabilities spread across Oracle Database products, the Oracle Application Server, the Oracle Collaboration Suite, the Oracle E-Business Suite, and Oracle PeopleSoft Enterprise. Additional IntelliShield alerts detailing individual vulnerabilities will be released in the near future as technical details become available.
ClamAV popen() Function Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 14034, Version 8, January 14, 2007
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2007-4560
ClamAV contains a vulnerability that could allow a remote attacker to execute arbitrary code. Exploit code, which is similar to other, much older attacks against other types of systems, is available. An attacker may be able to easily modify the code to conduct multiple attacks. ClamAV has confirmed this vulnerability and released updated software.
Microsoft Message Queuing Service Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 14720, Version 5, January 17, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2007-3039
Microsoft Message Queuing Service contains a vulnerability that can allow an attacker to execute arbitrary code. Exploit code is available that demonstrates this vulnerability on Windows 2000 machines. This exploit code is more automated than the previously disclosed proof-of-concept code that was released. The new exploit code requires only a little modification by an attacker for each targeted host system. The exploit automatically extracts the FQDN of the host from its NetBIOS name, making it easier for an attacker to exploit this vulnerability. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.
Microsoft Jet Database Engine msjet40.dll MDB Parsing Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 14568, Version 2, December 13, 2007
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2007-6026
Microsoft Jet Database Engine contains a buffer overflow vulnerability that could allow an attacker to cause a denial of service condition or execute arbitrary code. Proof-of-concept code that demonstrates the possibility of code execution on Microsoft Access 2003 SP3 is available. Public reports indicate that this vulnerability is actively being exploited. Microsoft has not confirmed this vulnerability, and no updates are available.
Cisco Security Agent Windows System Driver Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 14655, Version 2, December 24, 2007
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2007-5580
Cisco Security Agent contains a vulnerability that could allow an attacker to cause a denial of service or execute arbitrary code. A remotely exploitable vulnerability such as this, one that likely affects a large number of highly sensitive systems, is a very attractive target and may garner significant interest from agencies or individuals perpetrating attacks. Public knowledge of the details of this vulnerability may place these sensitive systems at increased risk. Cisco has confirmed this vulnerability and released updated software.
Apple QuickTime RTSP Response Content-Type Header Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 14610, Version 3, December 14, 2007
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2007-6166
Apple QuickTime Player contains a buffer overflow vulnerability that could allow an attacker to cause a denial of service condition or execute arbitrary code. With the release of functional exploit code, this vulnerability will likely be exploited in the wild. The vulnerability is triggered during the initial handshake of the RTSP negotiation via a malformed Content-Type header. An attacker is required to send less than 2000 bytes of data to compromise an affected host. Because of the nature of the vulnerability, attackers have a large payload window to leverage. Apple has confirmed this vulnerability in a security bulletin and released updated software.
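A defender-side check for the trigger described above, as an added example that is not code from the report or from Apple: this Python code parses an RTSP response the way a proxy or sensor would and reports any header whose value is oversized or carries non-printable bytes, plus a Content-Type value that is not shaped like a media type. The 256-byte limit and the two sample responses are my own constructed values, not figures from the advisory; the length check is written for every header rather than only Content-Type, since the same check generalises.

```python
import re

# Upper bound on a header value before it is treated as hostile. A genuine
# media type ("application/sdp") is a few dozen bytes; the bound is my own
# choice for this example, not a figure from the advisory.
MAX_HEADER_VALUE = 256

# token "/" token, optionally followed by parameters: a simplified media-type
# grammar that is enough to reject padding and binary junk.
TOKEN = rb"[A-Za-z0-9!#$&^_.+-]+"
MEDIA_TYPE = re.compile(rb"^" + TOKEN + rb"/" + TOKEN + rb"(?:\s*;.*)?$")


def parse_rtsp_response(raw: bytes) -> dict:
    """Split an RTSP response into status line, headers and body.

    Header names are lower-cased; values keep their raw bytes so that a
    later check looks at exactly what the client would have parsed.
    Raises ValueError when the status line or a header line is malformed.
    """
    head, _sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].split(b" ", 2)
    if len(status) < 2 or not status[0].startswith(b"RTSP/") or not status[1].isdigit():
        raise ValueError("not an RTSP status line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise ValueError("malformed header line")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip()
    return {"version": status[0].decode("ascii", "replace"),
            "status": int(status[1]), "headers": headers, "body": body}


def check_response(raw: bytes, limit: int = MAX_HEADER_VALUE) -> list:
    """Return a list of findings; an empty list means the response looks sane."""
    try:
        resp = parse_rtsp_response(raw)
    except ValueError as exc:
        return [f"unparseable response: {exc}"]
    findings = []
    for name, value in resp["headers"].items():
        if len(value) > limit:
            findings.append(f"{name}: {len(value)} bytes exceeds limit {limit}")
        if any(b < 0x20 or b > 0x7E for b in value):
            findings.append(f"{name}: non-printable bytes in value")
    ctype = resp["headers"].get("content-type")
    if ctype is not None and not MEDIA_TYPE.match(ctype):
        findings.append("content-type: value is not shaped like a media type")
    return findings


# Constructed responses (no real server output): a normal DESCRIBE reply and
# one whose Content-Type is padded far past any legitimate media-type length.
BENIGN = (b"RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Type: application/sdp\r\n"
          b"Content-Length: 5\r\n\r\nv=0\r\n")
OVERSIZED = (b"RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Type: " + b"A" * 1500 +
             b"\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(label, check_response(sample) or "ok")
```

Placing a check like this in front of the client matters because the page notes the trigger arrives in the initial handshake, before any media is exchanged, so there is no later point at which a player-side control could intervene.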
Samba WINS Server Daemon Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 14546, Version 15, January 24, 2007
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2007-5398
Samba contains a vulnerability that could allow an attacker to cause a denial of service condition or execute arbitrary code. Only systems configured as WINS server daemons are vulnerable; however, this is a common configuration in environments that use Samba to perform domain authentication. Due to the large number of potential targets, this type of vulnerability could be used to produce malicious code that propagates in an automated manner.
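Because exposure depends on configuration, the quickest triage step is to read smb.conf and see whether the host actually runs as a WINS server. The following Python check is an added example, not code from the report or from the Samba project: it parses the [global] section using Samba's key conventions (parameter names are case-insensitive and ignore internal whitespace; yes, true and 1 are true) and reports whether wins support is enabled, alongside the domain-logon context the analysis mentions. The two configuration fragments are constructed.

```python
TRUE_VALUES = {"yes", "true", "1"}


def normalize_key(key: str) -> str:
    """Samba parameter names are case-insensitive and ignore internal
    whitespace, so 'WINS Support' and 'winssupport' are the same key."""
    return "".join(key.lower().split())


def parse_smb_conf(text: str) -> dict:
    """Minimal smb.conf reader: {section: {normalized key: value}}.

    Handles '#' and ';' comment lines and backslash line continuations.
    Parameters seen before any [section] header are treated as [global].
    """
    sections, current, pending = {"global": {}}, "global", ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        key, eq, value = line.partition("=")
        if eq:
            sections.setdefault(current, {})[normalize_key(key)] = value.strip()
    return sections


def is_true(value: str) -> bool:
    return value.strip().lower() in TRUE_VALUES


def wins_exposure(text: str) -> dict:
    """Report whether this smb.conf makes the host a WINS server (the
    configuration the alert says is required for exposure) plus the
    surrounding context an operator needs to decide what to do."""
    g = parse_smb_conf(text)["global"]
    wins_server = is_true(g.get("winssupport", "no"))
    return {
        "wins_server": wins_server,
        "domain_logons": is_true(g.get("domainlogons", "no")),
        "uses_external_wins": bool(g.get("winsserver", "")),
        "action": ("apply the Samba update, or set 'wins support = no' if this "
                   "host need not serve WINS") if wins_server else
                  "not exposed via this vector",
    }


# Constructed smb.conf fragments: a classic domain controller that also
# serves WINS (exposed) and the same host pointed at a dedicated WINS server.
EXPOSED = """
[global]
   workgroup = EXAMPLE
   security = user
   domain logons = yes
   ; nmbd answers WINS registrations on this host
   WINS Support = Yes
[netlogon]
   path = /var/lib/samba/netlogon
"""
HARDENED = """
[global]
   workgroup = EXAMPLE
   security = user
   domain logons = yes
   wins support = no
   wins server = 192.0.2.10
"""

if __name__ == "__main__":
    for label, conf in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(label, wins_exposure(conf))
```

The parser is intentionally small; for fleet-wide triage the same logic can be fed the output of testparm, which prints the effective configuration after Samba's own include and default handling.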
Physical
Intelligence Agency Says Blackouts Linked To Cyber Attacks
The United States (U.S.) Central Intelligence Agency (CIA) stated recently that at least one blackout has occurred outside the U.S. as a result of cyber intrusion. Alan Paller, director of research at the SANS Institute, and Tom Donahue, a senior analyst with CIA, delivered the news to a conference of utility company engineers and security managers in New Orleans, Louisiana. The statement alleged that hackers used the threat of blackouts to extort money from the energy companies, but that no specific details were available to corroborate the report. Paller and Donahue assert that information security controls at the utility companies are lacking and need significant improvement.
Read more
IntelliShield Analysis: This announcement by a senior CIA analyst brought mixed reactions from the security community that ranged from dismissing it as little more than a scare tactic to a confirmation of threats to critical infrastructure. While the announcement was unusual, it lacked details from which organizations could learn or plan action. No indication has been given about who was affected, or when, or how. Without additional technical information, such statements do little to improve reasonable dialogue or define proper risk assessments. This report coincides with a release of cyber security guidelines from the U.S. Federal Energy Regulatory Commission, the agency that details standards for electric utilities on a wide range of logical, physical, and administrative controls. Organizations are cautioned against taking drastic action without further information and guidance. Critical infrastructure is likely to continue to receive increased focus by government and industry organizations. This sector is likely to see additional security requirements and regulations similar to the focus on the financial sector over the past years, and will likely require additional resources to provide responses to these developments.
Legal
700-MHz Spectrum Sale
The use of sections of the 700-MHz spectrum in the United States (U.S.) is up for auction by the Federal Communications Commission (FCC). The auction was opened to raise money for the FCC to provide a subsidized switch from analog to digital broadcast television, and the terms of use for the auctioned spectrum blocks have many bidders interested in supporting networks for cell phone usage, broadband data, and other services. Divided into sections labeled A through E, the spectrum auction is receiving the most attention for blocks C and D, sections that are available for nationwide commercial use. Block C, which has two 11-MHz spectrums, is regulated by the FCC to require open access and open device usage, and is of prime interest to companies looking to make an entrance into the cell phone market. The D-Block is composed of two 5-MHz bands, but operators of the D-Block must also support 24 MHz of spectrum with infrastructure for use as a national public safety frequency.
Read more
Additional Information
IntelliShield Analysis: The technical merits of the 700-MHz spectrum offer great potential to all manner of technologies, but the two most talked about are national broadband over wireless (to compete with DSL and cable for mobile or "last-mile" rural customers) and national converged public safety communications. The U.S. 9-11 Commission Report cited hampered communications among police, fire, and other emergency responders as a major failure in the aftermath of the 2001 terrorist attacks. Organizations may benefit in numerous ways from the outcome of these auctions, but perhaps most of all if the result is effective, converged, public safety communications nationwide.
Trust
French Bank Société Générale Accuses Jérôme Kerviel of EU4.9 Billion Fraud
Chairman and Chief Executive of Société Générale, Daniel Bouton, has placed the blame for a EU4.9 billion loss on Jérôme Kerviel. Bouton claimed that Kerviel, one of the bank's traders, used his position and his experience working in the bank's risk-management office to conceal his losses through falsified transactions. The fraud was discovered when auditors found one of the false transactions because of an apparent error by Bouton. The loss nearly nullifies the EU5.5 billion pre-tax profit that Société Générale was preparing to announce, and the bank is seeking capital to secure its financial stability. Kerviel came forward on January 26, 2008, and is complying with authorities. Bank officials believe that Kerviel acted alone, but his managers have been dismissed from the company.
Read more
Additional Information
IntelliShield Analysis: Kerviel's motivation seems to have been to promote his trading skills rather than purely personal gain. The bank has described him as "not one of our stars" but recognizes that he was able to breach five layers of control. Some analysts find it difficult to believe that such a low-level trader managed to lose nearly a year's profit without earlier detection. The latest details indicate that he falsified data, created fake corporations, and stole computer access codes. This case will be closely watched to identify weaknesses in the common risk management systems and controls used within the banking industry. Those within the trading industry should monitor the case for future findings and adopt any additional measures as necessary, as well as any additional regulation and compliance requirements.
Identity
New Phishing Kit Targets Novice Scammers
Netcraft, an Internet security company, has released details about a free prepackaged phishing kit offered by a Moroccan hacker group called Mr. Brain. After analyzing the kit contents, Netcraft said that while the kit appears to function as intended (to steal personal information from victims and send it via e-mail to the attacker), information is also forwarded to a Gmail account controlled by the Mr. Brain group. In effect, the phishing kit steals what the free phishing kit recipients are stealing.
Read more
IntelliShield Analysis: This tactic allows the Mr. Brain hackers to reap benefits with little risk to their organization. Scammers who use this kit to enter the phishing community will share stolen information and profits with the authors of the kit. The construction of phishing scams that target other phishers hints at growth in the cyber criminal community. An awareness that there are droves of new scammers with little experience seems to have driven at least this group to prey on phishing novices. Organizations should continue to proactively combat phishing scams, and whenever possible implement controls that make scams less effective and more expensive to operate.
Human
Polyglot Malware Propagating over MSN Messenger
A recent variant of the IRCBot family of worms, described in IntelliShield Alert 4141, has been propagating over MSN Messenger this past week. This worm is a polyglot, capable of changing malicious messages to correspond with the language of the targeted system. The worm achieves this social engineering tactic by referencing the country code within the infected system's registry and customizing the message for the corresponding language.
Read more
Additional Information
IntelliShield Analysis: Although this is not the first polyglot malware to propagate over instant message clients, very few worms are known to use this social engineering tactic. A polyglot worm is able to target a wider audience and will likely have a higher rate of infection, because the messages are customized for the language of the targeted user. Users are advised not to follow unsolicited links and should verify the authenticity of unexpected links prior to following them. This malware demonstrates an increasing threat related to public instant messenger products. Organizations that have not moved to internal instant messenger servers and prohibited the use of public products for compliance requirements should consider these strategies for risk management.
Geopolitical
Potential Impact of Economic Slowdown on Information Security Industry
The global stock market turmoil over the past week appeared to confirm suspicions that the United States (U.S.) economy was headed for a slowdown and could drag other economies with it, particularly Japan and the European Union. At the same time, cautious market comebacks indicated lingering investor optimism that the Federal Reserve Bank's rate cuts, a promised fiscal stimulus package, and infusions of cash from emerging market sovereign wealth funds will soften the blow. The World Bank believes that continued expansion in developing countries will help offset a slowdown in the developed world.
Read more
Additional Information
IntelliShield Analysis: From the perspective of the information security industry, a key ingredient in the mix is the extent to which the slowdown is consumer-led rather than business-led, as was the case in 2001. A consumer-led recession will hit consumer-dependent technology industries first, and if a recession is reasonably short-lived, may not appreciably hit corporate investment in information security. However, if the recession lingers, corporate budgets will tighten and spending on any line items not perceived as mission critical to a company's survival will be reduced. While few corporate boardrooms would classify information security as non-mission critical, new hiring and investment in this sector may be postponed until the economy picks up again.
Upcoming Security Activity
Financial Cryptography and Data Security Conference: January 28–31, 2008
Shmoocon: February 15–17, 2008
North American Network Operators' Group (NANOG): February 17–20, 2008
Black Hat DC: February 18–21, 2008
Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:
World Economic Forum: January 23–27, 2008
Mardi Gras, New Orleans, United States: February 5, 2008
Carnival, Brazil: February 2–5, 2008
Ash Wednesday: February 6, 2008
Chinese New Year: February 7, 2008
Pakistan Elections: February 18, 2008
Additional Information
For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
Cisco Security IntelliShield Alert Manager Service
For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
Trial Registration
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.