Cyber Risk Report

July 13–19, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. The Cyber Risk Reports are a result of collaborative efforts, information sharing, and collective security expertise of senior analysts from Cisco security services that include the IntelliShield team (IntelliShield Alert Manager, Applied Intelligence, and IPS), ROS, PSIRT, the Corporate Security Programs Organization, and Legal Support.

Vulnerability

Vulnerability and threat activity for this period remained consistent with the low levels seen through the first half of 2009. Cisco Security Intelligence Operations published the Cisco 2009 Midyear Security Report on July 14, 2009, which highlights the significant activity and trends throughout the first half of 2009, makes recommendations on addressing those threats, and offers expert analysis of how the trends will evolve.

Microsoft issued the Security Bulletin Release for July 2009, addressing nine vulnerabilities. Oracle also released its quarterly Critical Patch Update during the period. Additional information on these vulnerabilities, the updates, and available mitigations is available at the Cisco Security Center. The Microsoft ActiveX vulnerabilities continue to be exploited, as reported in IntelliShield Alerts 18595 and 18633 and on the Cisco Security Intelligence Operations Blog. Users are advised to apply the appropriate fix or mitigation for these vulnerabilities.

In other vulnerability activity, two zero-day vulnerabilities were reported in current versions of the Mozilla Firefox browser; see IntelliShield Alerts 18647 and 18660. Updates are available for both vulnerabilities.

These vulnerabilities and threats again raise the issue of browser security and the need for users to keep their browsers updated and configured as securely as possible. ActiveX vulnerabilities continue to be a major source of exploits, and many of them can be blocked by setting the kill bit for the affected control's CLSID (which stops Internet Explorer from instantiating the control even though it remains installed) or by using the browser's security zone settings to disable ActiveX or prompt before it executes. ActiveX is widely used in the current trend of "drive-by" exploits, which infect users through their browsers when they visit a compromised or malicious website.
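As an added example (not part of the Cisco report), the following PowerShell sets and verifies the kill bit for a control's CLSID. The kill bit is the 0x400 bit of the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} (Microsoft KB 240797); the CLSID used below is a placeholder and should be replaced with the CLSIDs listed in the vendor advisory for the affected control. The script also writes the Wow6432Node view so that 32-bit Internet Explorer on 64-bit Windows honours the bit. Run it from an elevated shell.

```powershell
# Added example (not from the Cisco report): set and verify the Internet Explorer
# "kill bit" for an ActiveX control. IE refuses to instantiate a control whose
# CLSID has bit 0x400 set in the "Compatibility Flags" value under the ActiveX
# Compatibility key (Microsoft KB 240797). Requires an elevated shell.

$KillBitFlag = 0x400

function Get-ActiveXCompatPaths {
    param([Parameter(Mandatory)][string]$Clsid)
    # 32-bit IE on 64-bit Windows reads the Wow6432Node view of the registry,
    # so the bit must be set in both views to cover both IE flavours.
    $paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
        $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    return $paths
}

function Get-CompatFlags {
    param([Parameter(Mandatory)][string]$Path)
    # Current Compatibility Flags DWORD, or 0 if the key or the value is absent.
    if (-not (Test-Path $Path)) { return 0 }
    $item = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    # True only if the kill bit is present in every applicable registry view.
    foreach ($path in Get-ActiveXCompatPaths -Clsid $Clsid) {
        if (((Get-CompatFlags -Path $path) -band $KillBitFlag) -eq 0) { return $false }
    }
    return $true
}

function Set-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($path in Get-ActiveXCompatPaths -Clsid $Clsid) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # OR the bit into the existing value so any other compatibility flags survive.
        $flags = (Get-CompatFlags -Path $path) -bor $KillBitFlag
        Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $flags -Type DWord
    }
}

# Placeholder CLSID: substitute the CLSIDs published in the vendor advisory.
$clsid = '{00000000-0000-0000-0000-000000000000}'

Set-KillBit -Clsid $clsid
if (Test-KillBit -Clsid $clsid) {
    Write-Output "Kill bit set for $clsid"
} else {
    Write-Warning "Kill bit NOT set for $clsid (is the shell elevated?)"
}
```

Setting the kill bit does not remove the control, so the vendor's update should still be applied when it ships; to undo the mitigation later, clear only bit 0x400 rather than deleting the key, since other compatibility flags may share the value.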

IntelliShield published 83 events last week: 52 new events and 31 updated events. Of the 83 events, 65 were Vulnerability Alerts, six were Security Activity Bulletins, seven were Threat Outbreak Alerts, four were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New  Updated  Total
Friday        07/17/2009    10        5     15
Thursday      07/16/2009     8        5     13
Wednesday     07/15/2009    10       12     22
Tuesday       07/14/2009    16        2     18
Monday        07/13/2009     8        7     15
Weekly Total                52       31     83

Significant Alerts for the Time Period

Microsoft Office Web Components ActiveX Control Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 18633, Version 2, July 13, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-1136

Microsoft Office Web Components contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. The vulnerability is due to an unspecified error in the Office Web Components ActiveX control. Reports indicate that exploitation of this vulnerability is ongoing.

Microsoft Windows Video msvidctl ActiveX Control Code Execution Vulnerability
IntelliShield Vulnerability Alert 18595, Version 7, July 14, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-0015

Microsoft Windows XP SP3 and prior and Windows Server 2003 SP2 and prior contain a vulnerability in the msvidctl ActiveX control that could allow an unauthenticated, remote attacker to execute arbitrary code.

Previous Alerts That Still Represent Significant Risk

Microsoft Windows DirectShow QuickTime Media Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 18366, Version 2, June 3, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-1537

Microsoft Windows DirectShow contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Updates are not available, and Microsoft has indicated that limited, active attacks are occurring. Microsoft has released a tool that will disable QuickTime parsing without requiring manual registry editing.

Microsoft Internet Information Services WebDav Unicode Processing Security Bypass Vulnerability
IntelliShield Vulnerability Alert 18261, Version 3, June 9, 2009
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-1535

Microsoft Internet Information Services (IIS) versions 5.0, 5.1, and 6.0 contain a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and access sensitive information. The vulnerability is due to improper processing of Unicode characters in HTTP requests handled by the WebDAV extension: a request URL containing an overlong UTF-8 encoding of a path character can pass the authentication check as one path while being resolved on the file system as another. An exploit could allow the attacker to bypass security restrictions and download files from protected directories on the targeted system. Exploit code is available. Microsoft has confirmed this vulnerability in a security bulletin and released software updates.
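As an added example (not from the Cisco report or the IntelliShield alert), the PowerShell below scans IIS W3C-format log lines for the overlong UTF-8 sequences used in the published bypass requests for this vulnerability (for instance %c0%af, an overlong two-byte encoding of "/"). The log lines are constructed for illustration, and the script assumes the request path was recorded percent-encoded in the cs-uri-stem field; the field names are the standard W3C extended log field names.

```powershell
# Added example (not from the Cisco report): flag IIS W3C log entries whose request
# path contains overlong UTF-8 sequences, the encoding trick behind the WebDAV
# authentication bypass. Overlong forms (e.g. %c0%af for "/") are never emitted by a
# correct UTF-8 encoder, so their presence is a strong indicator of tampering.

# Constructed sample log in IIS W3C extended format (not real traffic).
$SampleLog = @'
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2009-07-15 10:01:02 192.0.2.10 GET /public/index.htm - 200
2009-07-15 10:01:07 192.0.2.10 GET /..%c0%af/protected/secret.txt - 200
2009-07-15 10:01:09 192.0.2.10 PROPFIND /protected/ - 401
2009-07-15 10:01:12 192.0.2.10 GET /%c0%ae%c0%ae/protected/secret.txt - 200
2009-07-15 10:01:15 192.0.2.11 GET /caf%c3%a9.htm - 200
'@

function Test-OverlongUtf8 {
    param([Parameter(Mandatory)][string]$Text)
    # Lead bytes C0/C1 (two-byte form) and E0 followed by 80-9F (three-byte form)
    # encode code points that fit in fewer bytes; valid UTF-8 never contains them.
    # -match is case-insensitive, so %C0%AF is caught as well.
    $twoByte   = '%c[01]%[89ab][0-9a-f]'
    $threeByte = '%e0%[89][0-9a-f]%[89ab][0-9a-f]'
    return [bool]($Text -match "$twoByte|$threeByte")
}

function Find-OverlongUtf8Requests {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # The #Fields directive names the columns; subsequent entries are positional.
            $fields = ($line.Substring('#Fields:'.Length).Trim()) -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or $fields.Count -eq 0) { continue }
        $cols = $line.Trim() -split '\s+'
        $rec = @{}
        for ($i = 0; $i -lt [Math]::Min($fields.Count, $cols.Count); $i++) { $rec[$fields[$i]] = $cols[$i] }
        $uri = $rec['cs-uri-stem']
        if ($uri -and (Test-OverlongUtf8 -Text $uri)) {
            [pscustomobject]@{
                Time   = "$($rec['date']) $($rec['time'])"
                Client = $rec['c-ip']
                Method = $rec['cs-method']
                Uri    = $uri
                Status = $rec['sc-status']
            }
        }
    }
}

Find-OverlongUtf8Requests -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

Against the sample, the two requests containing %c0%af and %c0%ae are reported while the legitimately encoded /caf%c3%a9.htm is not. A 200 status on a path beneath a protected directory is the confirmation that the bypass succeeded; a 401 means IIS rejected it. For real logs, pass the file contents instead of the sample, for example `Find-OverlongUtf8Requests -Lines (Get-Content C:\inetpub\logs\LogFiles\W3SVC1\*.log)`.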

Microsoft Office PowerPoint Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 17966, Version 3, May 12, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-0556

Microsoft has released a security bulletin and software updates to address the arbitrary code execution vulnerability in Office PowerPoint. Reports indicate that targeted attempts to leverage this vulnerability continue to occur. A variant of the Trojan.PPDropper trojan, which is described in IntelliShield Alert 10845, is actively exploiting this vulnerability.

Worm: W32/Conficker.worm
IntelliShield Malicious Code Alert 17121, Version 18, April 9, 2009
Urgency/Credibility/Severity Rating: 4/5/3

W32/Conficker has changed its command-and-control communications methods and begun to download malicious files to infected systems. Conficker has now changed from malicious code that infects vulnerable systems to an operational botnet. Conficker is expected to continue to infect vulnerable systems, change command-and-control communication, and download additional malicious files to the infected systems.

Adobe Reader getAnnots Function Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 18088, Version 5, May 19, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-1492

Adobe Reader and Acrobat versions 9.1, 8.1.4, and 7.1.1 and earlier contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. The vulnerability is due to insufficient boundary checking on annotation parameters in Adobe PDF documents. An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to view a malicious PDF file. If the user views the document, the attacker could execute arbitrary code with the privileges of the user. Proof-of-concept code is available. Adobe has confirmed this vulnerability and provided an official workaround.

Adobe Acrobat Products PDF File Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 17665, Version 12, June 30, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-0658

Adobe Reader, Acrobat Professional, Acrobat Professional Extended, and Acrobat Standard contain a buffer overflow vulnerability that could allow a remote attacker to create a denial of service condition or execute arbitrary code with the privileges of the user. The level of user privileges and the code that is executed determine the degree to which the system is compromised. This vulnerability is actively being exploited in the wild by the Pidief family of trojans. Additional information about the trojan is available in IntelliShield Alert 14388. Adobe has confirmed the vulnerability and released updated software.

Microsoft Office Excel Invalid Object Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 17689, Version 6, April 14, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-0238

Microsoft Excel and related products contain a vulnerability that could allow a remote attacker to execute arbitrary code. Attackers are actively exploiting this vulnerability to conduct limited malicious code attacks that are designed to infect targeted systems with a variant of the Mdropper family of trojans. This family of trojans is detailed in IntelliShield Alert 12562. Microsoft has confirmed this vulnerability, but updated software is not available.

Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability
IntelliShield Vulnerability Alert 17519, Version 6, March 13, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-0075

Microsoft Internet Explorer Version 7.0 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or crash the browser, resulting in a denial of service condition. On systems that grant users Administrator privileges, an attacker could execute code that may result in the complete compromise of the affected system. Reports have confirmed the existence of exploit code that is delivered using a Microsoft Office Word document saved in the XML format. Exploits have been observed wherein attackers build Word documents using XML constructs, save the documents as .doc files, and deliver the malicious documents via e-mail messages or host them on websites. Several antivirus vendors are reporting the activity.

Worm: W32.Waledac
IntelliShield Malicious Code Alert 17327, Version 10, March 23, 2009
Urgency/Credibility/Severity Rating: 4/5/4

W32.Waledac is a worm that attempts to open a back door on an infected system. The worm propagates by sending a copy of itself to e-mail addresses on the infected system. The e-mail messages are configured to take advantage of interest in current events or holidays to convince users to open the malicious e-mail attachments. W32.Waledac may download files on an infected system and provide an attacker with backdoor access. The worm also attempts to steal confidential information that is related to numerous online banking entities.

Physical

There was no significant activity in this category during the time period.

Legal

Irish Government to Retain All Web, Text, and Telephone Data for Two Years

The Irish Ministry of Justice has published a bill that refines the requirements for the retention of Internet and telephone data. Depending on the type of data, the information could be retained for up to two years, similar to the European Union Directive 2006/24/EC, which also specifies that data may be retained for up to two years. The bill puts limitations on the people who would have access to the data and provides specific safeguards and remedial actions if a disclosure request has been made against an individual. Read More

IntelliShield Analysis: This bill appears to be at odds with the United States (U.S.) court ruling reported in the Cyber Risk Report for July 6–12, 2009, which held that IP addresses are not personally identifiable information (PII). IP address retention policies in the U.S. vary from provider to provider, but an IP address paired with time-of-use data can identify a specific user. Where anonymity is desired or required, an anonymizing proxy or a method such as onion routing could be used. While some compliance and regulatory requirements have become more aligned and standardized, data retention requirements continue to vary widely, so businesses must consider the specific and often conflicting rules of each country in which they operate or store data. For organizations evaluating cloud computing, these conflicting requirements could add complexity and delay adoption.

Trust

Collisions and Advancements in Recent Crypto Research

A paper published in June 2009 claims a lower-complexity collision attack against the SHA-1 hash function. In February 2005, a team of cryptographers in China devised a method to find a collision in about 2^69 hash computations; the researchers at Macquarie University in Sydney, Australia, claim to have reduced the work to about 2^52. This news was followed by an announcement that École Polytechnique Fédérale de Lausanne had solved a 112-bit elliptic curve discrete logarithm problem, the problem underlying elliptic curve cryptography, in six months using a cluster of about 200 PlayStation 3 consoles. IBM also announced a breakthrough in homomorphic encryption, a scheme in which computations can be carried out directly on ciphertexts so that decrypting the result yields the same value as performing the computation on the plaintexts.
Read more (SHA-1)
Additional information (Elliptic Curves)
Additional information (Homomorphic Encryption)

IntelliShield Analysis: It is no surprise that cryptanalysis has produced progressively faster collision attacks against SHA-1 since 2005, and many expect the first actual SHA-1 collision to be demonstrated within the year. A collision attack finds two distinct inputs that yield the same hash output; anything that trusts that output could be duped into accepting a falsified or malicious input in place of the legitimate one. No practical attack has yet been demonstrated, and most uses of hash functions are not affected by collision attacks: HMAC and password hashing, for example, never let the attacker choose both colliding inputs. Uses that are affected, chiefly digital signatures and certificates, where an attacker could have one document signed and then substitute its colliding twin, should migrate to SHA-2. Recognizing that SHA-1 is aging, the National Institute of Standards and Technology is running a competition to define the next hash standard by 2012, and attempts to break the winner will soon follow. IBM's homomorphic encryption research has interesting applications, especially as industries look to cloud computing and outsourcing to cut costs: the data would remain protected even while a third party computes on it. With current technology and cryptographic methods, practical deployments are likely decades away, assuming the scheme holds up to scrutiny by the security community.

Identity

United Kingdom DNA Database Continues to Grow Despite Court Ruling

The European Court of Human Rights ruled in December 2008 that it was unlawful for DNA samples from innocent people to be kept on record indefinitely. However, since that ruling, the United Kingdom (U.K.) National DNA Database has grown by over 300,000 samples. The Home Office, which is responsible for the National DNA Database, has responded by saying that it will not retain the DNA samples of innocent people for more than six to 12 years. Read More

IntelliShield Analysis: Few things identify a person more authoritatively than a DNA sample. DNA testing is often used in court cases, typically to identify criminals or those alleged to be criminals. If the DNA records of innocent people were disclosed, the potential for identity theft would be immense, and unlike a password or card number a DNA profile can never be changed. Privacy advocates in the U.K. are upset that the National DNA Database is growing rather than shrinking. The European court's ruling will influence how the issue is handled in the U.S. and around the world. Given the sensitivity and long-term impact of the data, very strong security requirements should be in place to prevent it from falling into the wrong hands.

Human

Low Success Rates with Spam Still Make It Profitable

Recent surveys indicate that the share of Internet users who open spam e-mail messages and then purchase the advertised items is extremely low. This is not surprising, but because of the sheer volume of spam sent, even that very low response rate translates into millions of dollars in annual revenue for spammers. Read more

IntelliShield Analysis: So long as there is a way to generate income with minimal expense and resources, cyber criminals will continue to maintain existing methods and develop new ones that exploit poor decision-making by Internet users. That poor decision-making is due in large part to a lack of awareness and understanding of the threats that exist on the public Internet. Because spam can be sent so quickly and cheaply, the return on investment stays high regardless of how few users actually fall for these "spam scams." Awareness efforts have shown some results, but reaching the remaining small percentage requires additional approaches through technology and law enforcement to further reduce spam activity.

Geopolitical

Rio Tinto Arrests Alarm Investors

The Chinese government arrested four employees of the Australian mining company Rio Tinto in early July and charged them with bribery and espionage, specifically theft of sensitive information pertaining to China's steel and iron ore industries. Beijing further accused Rio Tinto employees of bribing 16 companies across the iron and steel industry to obtain confidential industry information. Rio Tinto has advised all of its non-Chinese employees to leave the country as a precaution. The arrests have raised tensions between Beijing and key trading partners Australia and the United States. In addition to the increasingly hard line taken by Canberra, United States (U.S.) Commerce Secretary Gary Locke said he brought up the issue in meetings with high level officials in Beijing during a visit there.
Read more
Additional Information
Additional Information

IntelliShield Analysis: The Rio Tinto case has received so much attention in international media in part because the arrests follow only weeks after Rio Tinto called off a proposed deal in which state-owned Chinalco would have taken a major stake in the Australian mining company. Although Chinese authorities deny a connection and there is no proof, press speculation has been intense. Both Australian authorities and the U.S. Commerce Secretary publicly stated that China's handling of the case had the potential to impact bilateral trade relations and was of concern to multinational companies doing business in China. As Australian Prime Minister Kevin Rudd put it, the world is watching closely how this case is handled.

Miscellaneous

Twitter Account Intrusions Highlight Password Recovery Weaknesses

A hacker known as Croll gained access to the accounts of the CEO of Twitter, the micro-blogging website. By guessing the answers to the CEO's "secret question" password recovery queries, the hacker gained account access and was then able to reach other accounts, including online financial and e-commerce sites. The attacker and other websites then published confidential documents recovered from the intrusion, including lists of Twitter employees, their credit card numbers, and food preferences. Read More

IntelliShield Analysis: The emergence of social networking means that more information about us than ever before is available online and is even volunteered as part of our online profiles. However, because site password recovery tools consider these very same details to be private, there exists a dangerous disconnect between what users believe to be private and the mechanisms used to discern legitimate users from pretenders who are gaming the password recovery system. Websites are wise to adopt password recovery methods that do not involve the secrecy of our mother's maiden name, favorite car, first pet, and dream house when those details are frequently posted on users' sites. Users must also take care when posting personal information online, use complex passwords, and use as much care in creating complex "secret question" answers as they do in password creation.

Upcoming Security Activity

International ISACA Conference: July 19–22, 2009
Black Hat Training and Briefings: July 25–31, 2009
DEFCON: July 31–August 3, 2009
18th USENIX Security Symposium: August 12–15, 2009
ASIS International 55th Annual Seminar & Exhibits: September 21–24, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
