January 28–February 3, 2008

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

IntelliShield analysts reported on one known vulnerability and four previously undisclosed vulnerabilities associated with the patches released with the Oracle Critical Patch Update of January 2008. Independent security researchers released additional technical details, including a comprehensive list of affected CLSIDs, for the buffer overflow vulnerability in the Oracle Jinitiator ActiveX control. This vulnerability is described in IntelliShield alert 14045. Details were publicly released for a pair of cross-site scripting vulnerabilities affecting the Oracle E-Business Suite in the CRM Technical Foundation component and the Oracle Application Object library. These vulnerabilities are detailed in IntelliShield alerts 15042 and 15046.
Independent researchers also released technical details for a buffer overflow vulnerability and a SQL injection vulnerability in the XML DB component of the Oracle Database Server. IntelliShield analysts have detailed these vulnerabilities in alerts 15025 and 15026.

Independent security researchers released a proof-of-concept video to demonstrate the viability of privately developed exploit code for the IGMP and MLD code execution vulnerability in the Microsoft Windows kernel. This vulnerability is detailed in IntelliShield alert 14854. Originally this vulnerability was reported to be difficult to exploit, because certain conditions must be met for an attack to be successful. However, the video demonstrates that an attack may not be as difficult to accomplish as previously thought.

The Expedia.com and Rhapsody.com websites were compromised during this period. These legitimate websites were inadvertently serving malicious software via Shockwave Flash banner ads. The ads appeared to be reputable, but when a user clicked on an ad the browser was redirected to a malicious website hosting malware. Legitimate websites have been compromised in a similar fashion before, and these types of attacks are not expected to decrease anytime soon. Also during this period, embassy websites in Ukraine and Russia were compromised and were serving malware. Compromises of popular websites give malware an additional method of propagation. Users are advised not to click on advertising banners found on websites, as they may be malicious.

IntelliShield published 114 events last week: 29 new events and 85 updated events. Of the 114 events, 105 were Vulnerability Alerts, three were Security Activity Bulletins, two were Daily Malicious Code Summaries, two were Malicious Code Alerts, one was a Security Issue Alert, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals (table not reproduced)
2007 Monthly Alert Totals (table not reproduced)
Previous Alerts That Still Represent Significant Risk

Microsoft Office Excel Malformed Header Handling Arbitrary Code Execution Vulnerability
Microsoft Office Excel and Office Excel Viewer contain a vulnerability that could allow an attacker to execute arbitrary code. Reports indicate that attackers are leveraging this vulnerability in targeted, ongoing attacks. No public examples of exploit code have been observed. Attacks against this vulnerability are not likely widespread, as details of this vulnerability are still not well known. Microsoft has confirmed the vulnerability in a security advisory; however, no updates are available.

Oracle Critical Patch Update January 2008
Oracle has released the Critical Patch Update Advisory for January 2008. The update provides patches for a total of 26 vulnerabilities spread across Oracle Database products, the Oracle Application Server, the Oracle Collaboration Suite, the Oracle E-Business Suite, and Oracle PeopleSoft Enterprise. Additional IntelliShield alerts detailing individual vulnerabilities will be released in the near future as technical details become available.

ClamAV popen() Function Arbitrary Code Execution Vulnerability
ClamAV contains a vulnerability that could allow a remote attacker to execute arbitrary code. Exploit code, which is similar to other, much older attacks against other types of systems, is available. An attacker may be able to easily modify the code to conduct multiple attacks. ClamAV has confirmed this vulnerability and released updated software.

Microsoft Message Queuing Service Remote Code Execution Vulnerability
Microsoft Message Queuing Service contains a vulnerability that can allow an attacker to execute arbitrary code. Exploit code is available that demonstrates this vulnerability on Windows 2000 machines. This exploit code is more automated than the previously released proof-of-concept code.
The new exploit code requires only minor modifications by an attacker for each targeted host system. The exploit automatically extracts the FQDN of the host from its NetBIOS name, making it easier for an attacker to exploit this vulnerability. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

Microsoft Jet Database Engine msjet40.dll MDB Parsing Buffer Overflow Vulnerability
Microsoft Jet Database Engine contains a buffer overflow vulnerability that could allow an attacker to cause a denial of service condition or execute arbitrary code. Proof-of-concept code that demonstrates the possibility of code execution on Microsoft Access 2003 SP3 is available. Public reports indicate that this vulnerability is actively being exploited. Microsoft has not confirmed this vulnerability, and updates are unavailable.

Cisco Security Agent Windows System Driver Buffer Overflow Vulnerability
Cisco Security Agent contains a vulnerability that could allow an attacker to cause a denial of service or execute arbitrary code. Such remotely exploitable vulnerabilities that likely affect a large number of highly sensitive systems are very attractive targets and may garner significant interest from agencies or individuals perpetrating attacks. Public knowledge of the details of this vulnerability may place these sensitive systems at increased risk. Cisco has confirmed this vulnerability and released updated software.

Apple QuickTime RTSP Response Content-Type Header Buffer Overflow Vulnerability
Apple QuickTime Player contains a buffer overflow vulnerability that could allow an attacker to cause a denial of service condition or execute arbitrary code. With the release of functional exploit code, this vulnerability will likely be exploited in the wild. The vulnerability is triggered during the initial handshake of the RTSP negotiation via a malformed Content-Type header.
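The RTSP Content-Type trigger just described, as an added detection example that is not part of the original report or Apple's code: a small parser that inspects the head of an RTSP response and flags a Content-Type value that is oversized or is not a well-formed media type, the kind of check an IDS signature or media proxy would apply on the server-to-client side. The 512-byte limit, the media-type regex and the two sample responses are assumptions constructed for illustration.

```python
"""Detect RTSP responses carrying a malformed Content-Type header.

Added example, not code from the Cisco report or from Apple. The 512-byte
limit, the media-type regex and the two sample responses are assumptions
constructed for illustration.
"""
import re

# Assumption: no legitimate RTSP Content-Type value (e.g. application/sdp)
# comes anywhere near this length; longer values are treated as suspect.
MAX_CONTENT_TYPE_LEN = 512

# type "/" subtype, optionally followed by ;name=value parameters.
MEDIA_TYPE_RE = re.compile(
    r'^[\w.+-]+/[\w.+-]+(\s*;\s*[\w.+-]+=(?:[\w.+-]+|"[^"]*"))*$')


def parse_rtsp_response(raw: bytes):
    """Return (status_line, headers) for the head of an RTSP response.

    Header names are lower-cased and the body after the blank line is
    ignored; malformed header lines without a colon are skipped.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", errors="replace")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def check_content_type(raw: bytes):
    """Return a list of findings about the Content-Type header (empty = clean)."""
    status, headers = parse_rtsp_response(raw)
    findings = []
    if not status.startswith("RTSP/1.0 "):
        findings.append("unexpected status line: %r" % status[:40])
    ctype = headers.get("content-type")
    if ctype is None:
        return findings
    if len(ctype) > MAX_CONTENT_TYPE_LEN:
        findings.append("Content-Type length %d exceeds %d"
                        % (len(ctype), MAX_CONTENT_TYPE_LEN))
    if not MEDIA_TYPE_RE.match(ctype):
        findings.append("Content-Type is not a well-formed media type")
    return findings


# Constructed sample responses, not captured traffic.
BENIGN = (b"RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Type: application/sdp\r\n"
          b"Content-Length: 0\r\n\r\n")
SUSPECT = (b"RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Type: " + b"A" * 1500
           + b"\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for label, resp in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, check_content_type(resp) or "no findings")
```

The length threshold is a heuristic; the media-type syntax check is what catches a payload that is short but still not a valid type/subtype.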
An attacker is required to send less than 2000 bytes of data to compromise an affected host. Because of the nature of the vulnerability, attackers have a large payload window to leverage. Apple has confirmed this vulnerability in a security bulletin and released updated software.

Physical

Damage to Undersea Cables Disrupts Internet Service in Asia and the Middle East

Damage to three undersea cables that provide Internet service and other telecommunications services to multiple countries throughout Asia and the Middle East has caused interruption to services across these regions. Two of these cables are located in the Mediterranean Sea, and the other runs through the Gulf of Oman and the Persian Gulf. Initial reports indicated that a ship operating in the Mediterranean Sea near the coast of Alexandria, Egypt caused the damage to the first two cables. Later reports indicate that these cables were damaged in different locations within hours of each other. Other reports dispute that a ship's anchor caused damage to these cables, citing a lack of maritime traffic in the affected area during the time period. The damaged cables include two operated by Fiber-optic Link Around the Globe (FLAG) telecom. Damage to the first cable, which runs between Alexandria, Egypt and Palermo, Italy, reportedly occurred near the coast of Alexandria. The second cable owned by FLAG telecom was damaged either between Muscat, Oman and Dubai, or between Haloul Island, Qatar and DAS, United Arab Emirates. The third cable is part of the South East Asia Middle East Western Europe 4 (SEA-ME-WE 4) cable system. The FLAG-operated cable between Alexandria and Palermo and the SEA-ME-WE 4 cable together are reported to provide as much as 75 percent of the Internet connectivity between Europe and some Middle Eastern and Asian countries. Disruptions have affected as many as 70 percent of the networks located in some countries, including Egypt and Pakistan.
IntelliShield Analysis: Internet Service Providers are using alternate routes to restore service to some affected areas; however, delays and reduced service levels are expected to continue until the damaged cables can be repaired, which could take anywhere from one week to 15 days. This outage affects connectivity to local businesses and to larger global corporations that have outsourced business functions to companies located in the affected countries. Although these types of events are rare, incidents have occurred over the past several years that have impacted critical points, resulting in widespread interruptions. As businesses experience an increased need for interconnectivity, risk managers are advised to investigate their service provider's capabilities and coordinate their business continuity plan with their service provider's plan.

Legal

Weak Virus Laws Force Japanese Law Enforcement to Prosecute Other Charges

Masato Nakatsuji is suspected of having helped spread the malicious code Trojan.Haradong (IntelliShield Alert 11152) and was arrested February 1, 2008. However, police are unable to prosecute him for his suspected involvement due to a lack of laws against those who author and spread malicious applications, including trojans. The police were instead forced to arrest Nakatsuji for copyright infringement, as the trojan is accompanied by an image from an anime film. Trojan.Haradong deletes files on an infected system and was spread through illegal file-sharing programs. It is not believed that Nakatsuji wrote the virus.

IntelliShield Analysis: Although the United States remains the primary base for malicious code activity, the Asian markets continue to be targeted. As this case illustrates, legislatures are having a difficult time keeping laws current and applicable. Forensic evidence of computer crime can be difficult to collect, and weak laws force investigators to find very specific evidence, which may be difficult to obtain.
If different countries develop a reputation of difficult prosecution, it may create an environment for cybercrime to develop nearly undisturbed. As a result, organizations may bear an increased burden to perform thorough detection and incident response that will produce sufficient evidence to meet stringent requirements in areas that lack more robust cybercrime legislation.

Trust

German Police Pursue Surveillance Software to Monitor Skype Traffic

Documents have appeared on the Internet that are purported to be official communications between officials in Germany's Bavarian Ministry of Justice and a technical services firm, DigiTask. The documents allege that the Ministry of Justice asked DigiTask to develop software that could intercept communications sent from a computer before the communications were encrypted. Recent statements from the German police have cited difficulties with investigations where suspects used Skype and other encrypted communications protocols, and an interest in deploying software similar to what is described in the posted documents. Some privacy advocates have expressed concern that in order to accomplish this, German authorities propose to use software that, in the hands of criminals, would be considered malicious code.

IntelliShield Analysis: Governments have long relied on capabilities in standard telecommunications infrastructure to intercept and monitor criminal communications, such as phone conversations. As technology has developed beyond the limitations of existing laws, governments are facing difficulties in keeping pace with advances in criminal methods. As a result, courts and legislatures, including those in Germany, are exploring options to improve existing laws or implement new ones to maintain an investigative and prosecutorial advantage for law enforcement. At the same time, privacy advocates are striving to protect the rights of citizens from what is perceived to be an untrusted government overseer.
Particularly interesting is the purported proposal by DigiTask to use overseas proxy servers, which could further complicate the legality of collecting data that transits one or more additional jurisdictions. As governments and their citizens work out acceptable balances in their laws, organizations may find that their proprietary information could be exposed during criminal investigations. As a result, the distribution and use of confidential information across national and regional boundaries may require additional controls to safeguard it sufficiently.

Identity

Stored Credit Card Information Missing from Storage Facility

A tape containing the credit card numbers for 650,000 people, as well as the Social Security numbers for 150,000 people, has gone missing, according to GE Money, USA, a General Electric subsidiary. The company has confirmed that J.C. Penney Co. customers were affected but has not disclosed any other firms whose customers were listed on the tape. The tape is normally located at an Iron Mountain, Inc. storage facility, but when someone requested it, the tape could not be found and there was no record of it having been checked out. The tape was unencrypted.

IntelliShield Analysis: Two hundred thirty retailers had customers on the lost tape. There is no proof of theft, although since the tape cannot be found and there is no official record of it being checked out or moved, a theft of the tape is possible. While GE Money was using a professional service to keep its data safe, this incident shows that even professional services can lose track of stored data. For this reason, companies should seriously consider encrypting all sensitive data that is stored on portable media. It may also be advisable to encrypt sensitive data even on production systems for additional safety.
Human

Identities of Storm Worm Authors Believed to Have Been Found

Dmitri Alperovitch of Secure Computing claims that those who control the Storm worm network have been identified by law enforcement officials. Extradition has been prevented due to lack of assistance by authorities in Saint Petersburg, Russia. Alperovitch claims that members of the Russian government are using their influence to protect them.

IntelliShield Analysis: At this point, no evidence supporting Dmitri Alperovitch's claims has been presented. If what he has reported is true, diplomatic steps may be necessary before those behind the Storm worm are apprehended. Even if the reports are untrue, technology-related criminals may base their operations in Saint Petersburg if they think the city is off-limits to law enforcement, regardless of whether or not they are actually protected. Organizations may consider adjusting plans to account for the impact of prolonged electronic threats without the relief of legal recourse.

Geopolitical

Snow Storms in China Highlight Energy Woes

As the Lunar New Year holiday approaches in China, the country is struggling to cope with its worst snowstorms in 50 years. Road and rail links were disabled by the storms as tens of millions of people embarked on holiday travel. Power shortages brought about by transport disruptions and shortfalls in coal imports from South Africa and Australia led to brownouts across half the country. The cold weather's impact on crops in the south and crippled commodity transport pushed up food prices at a time when inflation is already on the rise. In a rare move, Premier Wen Jiabao appeared at train stations with a bullhorn, apologizing to stranded travelers and assuring them that the government has things under control. The government also issued an order to cease all exports of coal in order to focus on domestic needs.
The New York Times commented that Wen's appearances indicated the Communist party's concern over widespread popular discontent in the face of shortages, high prices, and massive social displacement due to China's breakneck economic growth.

IntelliShield Analysis: China's storm-related transport and energy paralysis highlights the country's vulnerability to disruptions as it operates at the limit of its ability to meet demand. Coal consumption will likely continue to rise, despite China's urgent efforts to diversify its power sources. The government is expanding nuclear power generation capabilities, but that will take time. Meanwhile, efforts to expand hydropower have been crippled by drought. China is expected to become a net importer of coal this year, with much of the supply likely to come from Australia. Companies doing business in or sourcing from China can probably expect higher prices and disruptions as a result of the storms. Longer term, increasing energy problems will likely result in further volatility.

Upcoming Security Activity

Microsoft Security Bulletin Update for January: February 12, 2008

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Mardi Gras, New Orleans, United States: February 5, 2008

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk.
Cisco reserves the right to change or update this document at any time.