July 21–27, 2008

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected.

Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Threat levels remained low for the time period, with peak vulnerability activity surrounding the release of exploit code for the multiple vendor DNS implementations insufficient entropy vulnerability. The exploit code allows the insertion of malicious DNS records to poison the cache of the targeted DNS server. The exploit caches a single malicious host entry in the DNS server. A successful exploit in this manner could allow the attacker to spoof DNS entries, causing the targeted DNS server to insert additional malicious records into its cache. Additional exploit code that allows for complete domain hijacking through the modification of Start-of-Authority (SOA) records is also available. With the release of this functional exploit code and a better overall understanding of the vulnerability, the threat to DNS systems has significantly increased. Multiple tools and scripts are also available to identify vulnerable DNS servers, making the exploitation of vulnerable systems trivial. Additional vendors have confirmed this vulnerability and released updated software. The Cisco Applied Intelligence team has released a white paper entitled "DNS Best Practices, Network Protections, and Attack Identification" to provide administrators with DNS best practices and protection information.

IronPort Threat Operations Center has reported several virus outbreaks for the United Parcel Service (UPS) trojan that is actively being distributed in spoofed UPS-related e-mails. Downloader.Diliv, as described in IntelliShield Alert 16279, continues to be a prominent threat. Several e-mail variations of the trojan exist, as well as modified attachments and filenames. The most recent e-mail message being sent to users states that UPS has received a parcel from France and asks the user to fill out a customs declaration form that is attached to the e-mail. The attachment is not a declaration form, but rather a copy of the trojan. Known attachment and executable filenames that are associated with this trojan contain the text ups_invoice or tax_invoice. Best practices dictate that users not open unexpected e-mail attachments or executables from untrusted or unexpected sources. Users should verify the source before opening any attachment.

Also receiving media attention this week is a worm that leverages Advanced Systems Format (ASF) functionality as part of its routine. Although this functionality is known, this worm represents the first implementation in active malware. Users will likely become infected inadvertently by downloading previously infected music files on P2P networks. Once installed, the worm converts MP2 and MP3 audio files on the system to the Microsoft Windows Media Audio format and wraps them in an ASF container. When the user plays these infected music files in Windows Media Player, the worm causes the player to launch Internet Explorer and access a malicious website that contains additional malware. Administrators are advised to warn and educate users about the risks related to P2P application use. Administrators may also consider blocking or restricting the use of P2P applications within internal networks.

IntelliShield published 109 events last week: 18 new events and 91 updated events. Of the 109 events, 98 were Vulnerability Alerts, six were Security Issue Alerts, one was a Security Activity Bulletin, two were Daily Malicious Code Summaries, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals
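As an added, constructed illustration of the resolver-side controls that blunt the cache-poisoning technique described in the Vulnerability section (example code written for this page, not from the report or Cisco's white paper): a toy resolver that binds each query to a random source port and transaction ID, accepts only a reply that matches an outstanding query, and caches only records inside the bailiwick of the zone the answering server serves. The names, addresses, port range and the `zone` parameter are assumptions.

```python
import secrets

PORT_MIN, PORT_MAX = 1024, 65535      # ephemeral source-port range (assumed)
TXID_SPACE = 1 << 16                  # 16-bit DNS transaction ID

def in_bailiwick(owner, zone):
    """True if owner is at or below zone, e.g. ns1.example.com under example.com."""
    owner, zone = owner.rstrip(".").lower(), zone.rstrip(".").lower()
    return owner == zone or owner.endswith("." + zone)

def guess_space(randomize_ports):
    """(txid, port) combinations an off-path attacker must cover so that one
    forged reply is accepted; a fixed port leaves only the 16-bit TXID."""
    ports = PORT_MAX - PORT_MIN + 1 if randomize_ports else 1
    return TXID_SPACE * ports

class Resolver:
    def __init__(self, randomize_ports=True):
        self.randomize_ports = randomize_ports
        self.pending = {}   # (server_ip, src_port, txid) -> (qname, qtype)
        self.cache = {}     # (owner, rtype) -> rdata

    def send_query(self, server_ip, qname, qtype="A"):
        """Record an outstanding query; returns the (port, txid) a reply must carry."""
        if self.randomize_ports:
            port = PORT_MIN + secrets.randbelow(PORT_MAX - PORT_MIN + 1)
        else:
            port = 53                     # weak: fixed port, TXID is the only secret
        txid = secrets.randbelow(TXID_SPACE)
        self.pending[(server_ip, port, txid)] = (qname.lower(), qtype)
        return port, txid

    def receive(self, server_ip, dst_port, txid, question, records, zone):
        """Accept a reply only if it matches an outstanding query exactly, then
        cache only records inside the bailiwick of the zone the server serves."""
        key = (server_ip, dst_port, txid)
        if key not in self.pending:
            return "rejected: no matching query"   # wrong TXID/port, or a replay
        if self.pending[key] != (question[0].lower(), question[1]):
            return "rejected: question mismatch"   # keep waiting for the real reply
        del self.pending[key]                      # exactly one reply per query
        accepted = []
        for owner, rtype, rdata in records:
            if not in_bailiwick(owner, zone):
                continue   # out-of-bailiwick glue is how extra records get injected
            self.cache[(owner.lower(), rtype)] = rdata
            accepted.append(owner)
        return accepted

if __name__ == "__main__":
    r = Resolver()
    port, txid = r.send_query("192.0.2.53", "www.example.com")  # constructed values
    print(r.receive("192.0.2.53", port, txid, ("www.example.com", "A"),
                    [("www.example.com", "A", "192.0.2.10"),
                     ("ns.other.test", "A", "198.51.100.7")], "example.com"))
    print(guess_space(False), guess_space(True))
```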
Significant Alerts for July 21–27, 2008

Multiple Vendor DNS Implementations Insufficient Entropy Vulnerability
DNS implementations of multiple vendors contain a vulnerability that could allow an unauthenticated, remote attacker to conduct DNS cache poisoning attacks. The attack may result in the modification of stored DNS entries, possibly allowing the attacker to conduct further attacks against systems that rely on the affected DNS server. Functional exploit code that allows the insertion of malicious DNS records to poison the cache of the targeted DNS server has been publicly released. This exploit caches a single malicious host entry in the DNS server. A successful exploit in this manner allows the attacker to spoof DNS entries, causing the target DNS server to insert additional malicious records into its cache. Additional exploit code that allows for complete domain hijacking through the modification of SOA records is also available.

Previous Alerts That Still Represent Significant Risk

Oracle Critical Patch Update July 2008
Oracle has released the Critical Patch Update advisory for July 2008. The update contains 45 distinct security fixes for various Oracle products. Additional IntelliShield alerts that detail individual vulnerabilities will be released in the near future as technical details become available.

Apple Mac OS X and OS X Server Apple Remote Desktop Agent Privilege Escalation Vulnerability
Apple Mac OS X and OS X Server contain a vulnerability that could allow a local attacker to perform actions with elevated privileges. A local attacker could exploit the vulnerability to perform actions with root privileges. The attacker could leverage these privileges to take complete control of the targeted system. Malicious software is currently exploiting this vulnerability. OSX/Hovdy-A, which is documented in IntelliShield Alert 16132, has been identified as exploiting this vulnerability.

Adobe Flash Player Multimedia File Integer Overflow Vulnerability
Adobe Flash Player contains an integer overflow vulnerability that could allow a remote attacker to cause a denial of service condition or execute arbitrary code with elevated privileges. The Downloader.Swif.C trojan, which is detailed in IntelliShield Alert 15955, attempts to exploit this vulnerability. Reports indicate that this malicious code is currently active in large-scale attacks. Adobe has confirmed the vulnerability and released updated software.

Debian and Ubuntu Predictable OpenSSL Random Number Generation Issue
Debian and Ubuntu contain a security issue in OpenSSL that could result in the generation of pseudo-random values that can easily be predicted. As a result, all SSL certificates, SSH keys, and passwords generated by affected third-party applications may have predictable features that could easily be determined through brute-force methods. Attackers may be able to nullify or significantly reduce the benefits supplied by encryption or randomization.

Microsoft Jet Database Engine msjet40.dll MDB Parsing Buffer Overflow Vulnerability
Microsoft Jet Database Engine contains a buffer overflow vulnerability that could allow a remote attacker to execute arbitrary code. Proof-of-concept code that demonstrates the possibility of code execution on Microsoft Access 2003 SP3 is available. The TROJ_MDROPPER.MB trojan, which exploits this vulnerability, is currently active and is documented in IntelliShield Alert 12562. Microsoft has confirmed this vulnerability in a security bulletin and released updates.

Physical

Hurricane Dolly First of 2008 Atlantic Storm Season
Tropical storm Dolly was classified as a category one hurricane as it approached the United States and Mexico border via the Gulf of Mexico. The storm was briefly upgraded to a category two hurricane as it moved toward South Padre Island, an island off the Texas coast. The storm was downgraded again as it made landfall. The hurricane is responsible for displacing several thousand residents due to flooding, and approximately 100,000 residents are still without power. Only a single death has been attributed to the storm. Both the United States (U.S.) Department of Homeland Security and the Federal Emergency Management Agency (FEMA) stated that they were ready to provide assistance to the stricken areas. The State of Texas chose to rely on its own emergency response capabilities. The governor of Texas has requested that 14 counties within southern Texas be declared a federal disaster area, qualifying residents to receive federal assistance. This request was granted by the U.S. President on July 25, 2008.

IntelliShield Analysis: Although 2007 had a relatively quiet hurricane season, forecasters predict that 2008 may be a record breaker for the number of hurricanes and typhoons in a season. Organizations that are located within a hurricane area are advised to use this time to review their Business Continuity and Disaster Recovery plans to ensure that long-term operations are not negatively impacted. It is not uncommon for a business to be forced to relocate to an alternate site for 4 to 6 weeks or more due to flooding and property damage. Organizations are advised to plan for such eventualities.

Legal

Sarbanes-Oxley Act Being Challenged in Court
The United States (U.S.) accounting firm of Beckstead & Watts has brought a lawsuit against the Public Company Accounting Oversight Board (PCAOB), which enforces the Sarbanes-Oxley Act, alleging that the PCAOB is unconstitutional. The political action committee Free Enterprise Fund (FEF) is also involved in the case. The intent of the lawsuit is to challenge and strike down the Sarbanes-Oxley Act of 2002. The plaintiff argues that the PCAOB is a government entity and that its membership should require Senate approval. The plaintiff also claims that because there is no "severability" clause, if one part of the law is found to be unconstitutional, the entire act should be dissolved.

IntelliShield Analysis: Because Sarbanes-Oxley is an expensive law for companies to comply with, this attempt to nullify the law is not surprising. However, the financial scandals of companies like Enron and WorldCom, which caused this law to go into effect, are still matters of concern to lawmakers and citizens. The case being brought forth hinges on a technicality. Even if the courts strike down the entire law, it is likely that Congress will take it up again. Corporate accountability, in the form of accurate accounting and audits of that accounting, is at the root of Sarbanes-Oxley. Some may argue that the cost of securing and auditing financial data is too high a cost for U.S. companies to pay, putting U.S. companies at a competitive disadvantage with other companies worldwide. Others would argue that the law is the best way to properly secure and maintain valid corporate financial data. Companies are advised to follow this case, as it may go to the U.S. Supreme Court. Because the case rests solely on the issue of how the PCAOB board members are selected, it is likely that this technicality will be addressed and that the law will be modified in order to ensure that Sarbanes-Oxley is upheld by the courts.

Trust

Investigation Uncovers Criminal Mortgage Brokers
The Miami Herald newspaper conducted an investigation of mortgage brokers in the state of Florida, United States, which found that thousands of licensed brokers had criminal records that should have been discovered during mandatory background checks. Regulators must approve licenses for mortgage brokers in Florida, where background checks have been required since 2006. Additionally, regulators have not revoked the licenses of mortgage brokers that have committed fraud. The investigation estimates US$85 million in losses due to fraud, identity theft, and theft of savings and homes involving licensed brokers.

IntelliShield Analysis: In an industry plagued with serious problems that are impacting economies and financial institutions across the world, the Herald's investigation has raised further trust issues within the mortgage industry. It is also important to note that this investigation was limited to the state of Florida, and similar situations may exist in other areas. With public records and the current technologies available to anyone with an Internet connection, conducting background checks is a relatively simple, inexpensive, and quick control that can identify potential security issues. This is a basic first step in vetting possible employees to establish a base of trust that is complemented by current procedures, monitoring, and additional internal controls. Although not all employees may require these checks, such checks are necessary, if not required, for employees and insiders that have access to sensitive business, personal, or financial information. Companies that are unfamiliar with conducting background checks or uncomfortable with their ability to perform the necessary background checks can contract established companies that specialize in this service. Ultimately, businesses will be impacted by employee crimes and should not rely fully on the oversight of regulators.

Identity

Physicians Offered Incentives for Using Electronic Prescription System
The United States (U.S.) government is offering incentives in the form of Medicare payments to doctors who submit prescriptions to pharmacies electronically, as opposed to the conventional written form that must be hand delivered by the patient. Advocates of the new system state that it will save time, money, and lives. The greatest obstacle thus far has been the expense of setting up new hardware and software. The U.S. Congress is attempting to assist doctors that have made the switch by increasing their reimbursement rates over the next five years.

IntelliShield Analysis: The electronic prescription system is a good next step in modernizing the healthcare practice in the U.S., but certain safeguards are necessary in order to protect patients from identity and data theft, as well as to protect pharmacies from potential compromises. Any repository of patient information should be both electronically and physically secure from theft or unauthorized access. In addition to protecting the storage of data, the transmission of data must be suitably protected; updating pharmacies to receive this service may be the next challenge. Once in place, appropriate monitoring and auditing will be necessary to guard against those who would take advantage of the trust that users place in the system. The incentives may encourage quick adoption, but participating organizations should be thorough and avoid a hasty implementation.

Human

TV Anchor Fired for Accessing Colleague's E-mail
Television newscaster Larry Mendte, formerly of television station KYW-TV in Philadelphia, Pennsylvania, United States, was formally charged on Monday for accessing the e-mail of his former colleague, Alycia Lane. Mendte was fired last month after the FBI seized his personal computer from his home. Allegedly, Mendte used keylogging hardware to record Lane's Yahoo! e-mail password, accessed her account for over two years, and leaked some of the information accessed to a reporter from the Philadelphia Daily News. The information, which was posted in the media, contributed to Lane's dismissal from the station in May 2008. If convicted, Mendte could be sentenced to up to six months in prison.

IntelliShield Analysis: Physical keylogging devices can be difficult to discover, especially if the keylogger is planted by someone who has regular physical access to the targeted device. Even victims who are careful about their activities on work machines can find themselves susceptible to further incidents if the attacker can access passwords used by the victim. These passwords may be used to monitor the victim's activities as well as lead to the installation of further malicious software. Employees who save or access personal information on a work system need to be aware of the implications and take measures to protect that data. Keeping employee pay confidential and taking additional security precautions for high-publicity employees may also be required.

Geopolitical

DDoS Attack on Georgian President's Website
The website of Georgian President Mikhail Saakashvili was the target of a Distributed Denial of Service (DDoS) attack, making the site inaccessible for about 24 hours. The attack appears to have been instigated by Russian hackers, according to a posting by the Shadowserver Foundation, an independent security watchdog. The incident was reminiscent of the massive DDoS attacks that crippled Estonian government computers in 2007. Although Shadowserver did not have direct evidence that the DDoS attack was of Russian origin, the posting indicated that the botnet used in the Georgian website case was a MachBot controller frequently employed by Russian hackers. Moreover, the domain involved had Russian ties.

IntelliShield Analysis: In addition to the attack's modus operandi, Russian hackers would have a motive as well. Relations between Georgia and Russia have worsened in recent months over the breakaway Georgian regions of Abkhazia and Ossetia, as Russia continues to struggle with the European Union for influence over former Soviet nations. It is unlikely that the attack had state backing, however, as the Kremlin has little to gain from bringing down a website for a few hours. From the perspective of IT security specialists, the attack serves to underscore the continued vulnerability of websites to DDoS attacks. It also serves as a reminder that, despite continued media attention on the volume of malware and hacking originating from Chinese hackers, Russian hackers are both an active and leading threat.

Upcoming Security Activity

SANSFIRE 2008: July 23–31, 2008

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Beijing 2008 Summer Olympics: August 6–24, 2008

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.