The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.
Oracle has released the Critical Patch Update (CPU) advisory for July 2008. This update is detailed in IntelliShield Alert 16276. The update contains 45 distinct security fixes for various Oracle products, including products obtained through recent acquisitions of TimesTen, Hyperion, and BEA Systems. Only 11 of these vulnerabilities affect the traditional Oracle Database Server products. Information about vulnerabilities in WebLogic products is available in both a risk matrix in the CPU and in a separate advisory page at the following link: WebLogic Advisories. Oracle also modified its vulnerability identification system. Each vulnerability in the CPU is now labeled with a CVE identifier. This change should help security professionals when they correlate vulnerability details with items in the risk matrices of the CPU.
A virus outbreak was reported this week on a trojan being distributed in spam e-mails that appear to originate from the United Parcel Service (UPS). Downloader.Diliv, described in IntelliShield 16279, is being delivered in an e-mail. This message states there has been a delivery error involving a package and the reader should download and print a copy of the attached invoice to remedy the problem. Of course, the attachment is not an invoice; instead, it contains a copy of the trojan. All the known attachment and executable filenames associated with this trojan contain the text ups_invoice in them. As a general rule, users are advised not to open unexpected e-mail attachments or executables from untrusted or unexpected sources. The source should be verified before opening any attachments.
If installed and executed, Downloader.Diliv attempts to download additional malicious files from the Russian domain fixaserver.ru. This domain is known to be used by other banking trojans. The IronPort Security Network E-mail and Web Reputation Tool on the SenderBase Website rates the fixaserver.ru domain as poor. As defined by IronPort, IP addresses or domains that receive a poor web reputation score are considered highly problematic and should be filtered or blocked. IronPort Threat Operations Center reported a virus outbreak for this trojan on July 14, 2008.
IntelliShield published 126 events last week: 47 new events and 79 updated events. Of the 126 events, 111 were Vulnerability Alerts, five were Security Issue Alerts, three were Daily Malicious Code Summaries, three were Security Activity Bulletins, two were Malicious Code Alerts, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:
Weekly Alert Totals
Significant Alerts for the Reporting Period
Oracle Critical Patch Update July 2008
IntelliShield Security Activity Bulletin 16276, Version 1, July 15, 2008
Urgency/Credibility/Severity Rating: 2/5/4
Oracle has released the Critical Patch Update advisory for July 2008. The update contains 45 distinct security fixes for various Oracle products. Additional IntelliShield alerts that detail individual vulnerabilities will be released in the near future as technical details become available.
Previous Alerts That Still Represent Significant Risk
Multiple Vendor DNS Implementations Insufficient Entropy Vulnerability
IntelliShield Vulnerability Alert 16183, Version 6, July 17, 2008
Urgency/Credibility/Severity Rating: 2/5/3
DNS implementations of multiple vendors contain a vulnerability that could allow an unauthenticated, remote attacker to conduct DNS cache poisoning attacks. Such an attack may result in the modification of stored DNS entries, possibly allowing the attacker to conduct further attacks against systems that rely on the affected DNS server. Event data from Cisco Remote Management Services has detected activity on signature 4004/0 in relatively small amounts. The data was captured on July 15, 2008. This signature is new and may be triggered by normal network traffic. Because the technical details of this vulnerability are not yet public, it is unlikely that activity on this signature is indicating actual exploits. However, that is likely to change once the technical details become public, which is expected to occur in August 2008 at the Black Hat conference in Las Vegas.
Apple Mac OS X and OS X Server Apple Remote Desktop Agent Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 16117, Version 2, June 24, 2008
Urgency/Credibility/Severity Rating: 2/4/4
Apple Mac OS X and OS X Server contain a vulnerability that could allow a local attacker to perform actions with elevated privileges. A local attacker could exploit the vulnerability to perform actions with root privileges. The attacker could leverage these privileges to take complete control of the targeted sources. Malicious software is currently exploiting this vulnerability. OSX/Hovdy-A, which is documented in IntelliShield Alert 16132, has been identified as exploiting this vulnerability.
Adobe Flash Player Multimedia File Integer Overflow Vulnerability
IntelliShield Vulnerability Alert 15623, Version 5, June 4, 2008
Urgency/Credibility/Severity Rating: 3/5/4
Adobe Flash Player contains an integer overflow vulnerability that could allow a remote attacker to cause a denial of service condition or execute arbitrary code with elevated privileges. The Downloader.Swif.C trojan, which is detailed in IntelliShield Alert 15955, attempts to exploit this vulnerability. Reports indicate that this malicious code is currently active in large-scale attacks. Adobe has confirmed the vulnerability and released updated software.
Debian and Ubuntu Predictable OpenSSL Random Number Generation Issue
IntelliShield Security Issue Alert 15858, Version 8, June 20, 2008
Urgency/Credibility/Severity Rating: 4/5/3
CVE-2008-0166 and CVE-2008-2285
Debian and Ubuntu contain a security issue in OpenSSL that could result in the generation of pseudo-random values that can easily be predicted. As a result, all SSL certificates, SSH keys, and passwords generated by affected third-party applications may have predictable features that could easily be determined through brute-force methods. Attackers may be able to nullify or significantly reduce the benefits supplied by encryption or randomization.
Microsoft Jet Database Engine msjet40.dll MDB Parsing Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 14568, Version 6, May 20, 2008
Urgency/Credibility/Severity Rating: 3/5/4
Microsoft Jet Database Engine contains a buffer overflow vulnerability that could allow a remote attacker to execute arbitrary code. Proof-of-concept code that demonstrates the possibility of code execution on Microsoft Access 2003 SP3 is available. The TROJ_MDROPPER.MB trojan, which exploits this vulnerability, is currently active and is documented in IntelliShield Alert 12562. Microsoft has confirmed this vulnerability in a security bulletin and released updates.
John Mueller's Paper on Protecting the Homeland
John Mueller, Department of Political Science at Ohio State University, wrote a paper for the National Convention of the International Studies Association in March. The paper closely examines the "costs, benefits, and probabilities" for protecting the country from terrorism. Mueller mentions at least five key premises that comprise policy formulation as well as four policy implications that result from these premises. The final conclusion suggests applications of the policy proposals, giving examples of possible futile situations as well as those that may be effective. Read more
IntelliShield Analysis: Terrorism and protecting the homeland from an attack have probably been the most debated topic in the United States government since 9/11. The debate essentially asks, "can terrorism be prevented?" and "can terrorism be predicted?" After numerous studies and billions of dollars, the Department of Homeland Security seems to be no closer to determining where an attack will occur. With over tens of billions of dollars spent in the last 4 1/2 years, there are questions about whether money should be spent on other safety measures to reduce the number of deaths nationwide. For example, placing smoke alarms in households reduces one death for every US$200,000 spent opposed to US$64 billion on homeland security. In addition, money saved could be better spent by assisting with rebuilding the aftermath of an attack. It may now be the time to reconsider where money is spent to better save lives rather than attempt to predict the next terrorist attack.
Judge Rules in Favor of eBay in Counterfeit Sales Suit Brought by Tiffany
A United States federal court judge has ruled in favor of the Internet auction house eBay in a suit that was brought by the Tiffany jewelry company. The suit was intended to force eBay to be held liable for sales of counterfeit Tiffany products taking place in eBay auctions. Sales of counterfeit products, such as copies of Tiffany jewelry, are illegal. However, the judge ruled that it is the responsibility of the trademark owner, in this case Tiffany & Company, to police the market themselves for imitations.
IntelliShield Analysis: Although Tiffany is expected to appeal this ruling, this could be a landmark case. eBay does provide Tiffany with tools to police eBay auctions and they promptly take down auctions that clearly infringe on the rights of Tiffany when these auctions are brought to the attention of eBay. It would be a major expense for eBay to police all auctions itself. If Tiffany had won this case, eBay could be fined for allowing such auctions to take place. This case is similar to a recent one in France where the fashion house of LVMH Moet Hennessy Louis Vuitton was awarded US$61 million from eBay over the same issue—allowing imitation products to be sold in auctions. eBay plans to appeal this ruling. Both of these cases are similar to the cases brought against Google regarding copyright-protected materials appearing on YouTube. The Internet is creating a whole new market for goods, information, and services where the laws that govern activity on the Internet are not fully developed. Further, legal precedents are still being established, especially in terms of whether service providers are responsible for the activities of those who use their services. Over time, the laws and precedents will become established, but many companies are currently taking high legal and financial risks during this time of change and development.
Linux Kernel Developers Avoid Full Security Disclosure
Recently, Brad Spengler of the security-oriented PaX project issued a complaint with Linux kernel developers about how security flaws were being disclosed. According to Mr. Spengler, developers are not marking changelogs as security related, and therefore commercial Linux distributions are not including these fixes retroactively for older, yet still-supported, versions of the Linux kernel. Many kernel developers—including the original developer and project coordinator for Linux, Linus Torvalds—have commented publicly that paying special attention to security issues is not an activity that they are interested in pursuing. These comments have ignited a heated debate across the Linux community.
Additional information 1
Additional information 2
IntelliShield Analysis: These conversations raise the question: what level of trust can users place in open source security efforts? Resistance from Torvalds and other senior kernel developers speaks very strongly against full disclosure, which has been one of the core strengths of the free and open source software movement. Although the kernel developers do not control how all open source projects decide to handle these issues, they may set a precedent of decline in transparent vulnerability reporting. Even though the developers appear to be providing updates for identified issues, the failure to highlight them as security related may keep them from being modified to fix holes in older, supported distributions. Organizations that rely on older versions of the Linux kernel may wish to contact their commercial Linux vendors to determine how security fixes are identified and backported to support their installations.
Florida State University Markets Student Information
The Consumer Warning Network initially reported on an agreement between Florida State University (FSU) and the Bank of America for the marketing of student information, including their names and addresses. Additional reports have identified similar agreements between multiple universities and banks. The agreements reportedly allow the banks to use the university-provided student information to market credit cards to the students and use university colors and logos. Under the agreements, the private athletic booster clubs that support university athletics would receive payments based on the students' credit card account usage.
San Francisco City Employee Denies Network Access to All
A network engineer for the City of San Francisco's Department of Technology has allegedly locked down the city's new Fiber Wide Area Network (FiberWAN), denying administrative access to other employees. The city uses the FiberWAN to send e-mail, handle payroll, and manage law enforcement and jail records. The engineer has pleaded not guilty to four felony counts of computer tampering and is currently being held in jail with a US$5 million bail. The city does not yet have full access to the network and there is some concern that it may need to be rebuilt if access cannot be restored quickly. Thus far, there have not been any interruptions to the services that rely on the FiberWAN; only the ability to administer the network has been affected. Some believe that the bulk of the design and implementation of the network was entrusted to the employee and he became overly protective of the system in response to a password audit and a disciplinary dispute with a manager. His lawyer is claiming that the situation is a misunderstanding that has been highly magnified by the media. The engineer was once convicted of aggravated burglary, but he disclosed this to the city prior to employment. Negotiations are said to be underway to relinquish access to the city. Read more
IntelliShield Analysis: The greatest security risk for most institutions remains the threat of insider attacks, and those with a high level of authority or access can inflict a great deal of damage. A separation of duties can limit the scope of damage that could be caused by any one individual, as can limiting administrators and managers to the least amount of privileges necessary for their duties. In addition to these approaches, monitoring and oversight are necessary, especially of those who enjoy a large degree of autonomy and access in their duties. Business continuity plans should document necessary access information as well as coverage for staff who may be unable to perform their primary duties because of such factors as vacation or illness. These plans should also enforce a strong backup policy for business-critical infrastructure.
China's Economy Hits a Bump
Growth in China's gross domestic product (GDP) has slowed about 1 percent year-on-year, according to recently released figures, from over 11 percent in 2007 to just over 10 percent. China's stock exchanges have also suffered dramatic declines since peaking in October last year, with the Shanghai Composite index down more than 50 percent. China's property markets are suffering big declines as well, following bubble-like gains in 2007. These slowdowns are in large part a product of domestic government policy measures to tame inflation, including tightening banks' capital reserve requirements and raising taxes on stock trades. These measures compounded the effects of declines in export demand, internal shocks such as the early 2008 snowstorms and the Sichuan earthquake, and global financial weakness.
IntelliShield Analysis: With stock markets and property values depressed, tight credit, and expanding inventories, China's employers could be forced into layoffs and bankruptcies. This is a particular concern if a post–Olympic games hangover materializes, as some economists fear. The Chinese government is likely anxious to head off such a scenario, which could trigger social and political unrest. In the coming year, China's economy will slow somewhat, but few are suggesting it is headed for a true hard landing. Corporate profits will probably continue to grow, just not at the breakneck speed they have experienced. Telecom industry revenues are up 26.8 percent year-on-year according to government figures, and computer maker Great Wall Information Industry is expecting net profits to be up some 400 percent. Given these growth rates, a moderate slowdown may be in the country's long-term best interests. However, companies with business in China should be aware of the fluid state of affairs as they consider strategies for 2009.
Upcoming Security Activity
SANSFIRE 2008: July 23–31, 2008
USENIX: July 28–August 1, 2008
Black Hat: August 6–7, 2008
DEFCON 16: August 8–10, 2008
sec-t: September 11–12, 2008
OWASP Israel 2008: September 14, 2008
Oracle OpenWorld 2008: September 21–25, 2008
OWASP NYC AppSec 2008: September 22–25, 2008
Kiwicon 2k8: September 27–28, 2008
SANS Network Security 2008: September 28–October 6, 2008
BA-Con Argentina 2008: September 30–October 1, 2008
Virus Bulletin 2008: October 1–3, 2008
ekoparty Security Conference: October 2–3, 2008
Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:
Beijing 2008 Summer Olympics: August 6–24, 2008
For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
Cisco Security IntelliShield Alert Manager Service
For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
Back to Top