July 28–August 3, 2008

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical.

Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

The month of July 2008 marked a notable increase in vulnerability and threat activity, exceeding levels from both the previous month and July 2007. Much of this activity can be attributed to vendors releasing updated software for previously disclosed vulnerabilities. Many vendors continued to release updated software to address the insufficient entropy vulnerability affecting multiple vendors' DNS implementations, which is described in IntelliShield Alert 16183. The presence of multiple sets of publicly available functional exploit code and exploit tools suggests that administrators should consider the patching of affected systems a high priority.

Cisco re-released a security advisory to address a Port Address Translation (PAT) DNS cache poisoning issue in multiple products. This issue is related to the insufficient entropy vulnerability and is described in IntelliShield Security Issue Alert 16345. Affected devices use a predictable source port allocation policy when performing PAT operations. This issue could allow unauthenticated, remote attackers to conduct DNS cache poisoning attacks against DNS servers that rely on an affected device to perform PAT. These attacks could result in the modification of stored DNS entries, allowing the attacker to conduct further attacks. Even DNS servers that have been patched for CVE-2008-1447 remain vulnerable under these circumstances, because the PAT device replaces the resolver's randomized source port with a predictable one.

Oracle released security advisories to address a buffer overflow vulnerability in the Oracle WebLogic Server. Oracle rarely releases advisories outside of its critical patch update cycle. The vulnerability is detailed in IntelliShield Alert 16322. The available proof-of-concept code demonstrates an exploit that results in a denial of service (DoS) condition or code execution, but the example is incomplete and requires additional work for use in staging an attack. Oracle has released a CVSS score for this vulnerability that suggests it could be exploited by an attacker to achieve a full system compromise. Some common configurations of the affected applications are likely to run the Apache web server with SYSTEM privileges.

Evilgrade, an exploit toolkit that takes advantage of the current DNS cache poisoning vulnerability, was released during the time period. As documented in IntelliShield Alert 16335, Evilgrade allows an unauthenticated, remote attacker to use man-in-the-middle attack techniques to execute arbitrary code on systems that automatically download unsigned updates. The attacker must first target one or more DNS servers and can then choose any desired malicious code to install on the targeted systems. The attacker can use the tool to set up a web server that is designed to dispense an updated version of one or more applications. The tool contains built-in modules that can be used to serve malicious updates to a number of programs.
To mitigate these attacks, administrators are advised to determine whether their ISP is running DNS servers that are susceptible to cache poisoning.

The Storm worm, described in IntelliShield Alert 14009, is currently sending massive amounts of e-mail containing a message claiming that the FBI will soon receive instant access to Facebook accounts. The e-mail contains a link to a web site that hosts a copy of the worm. The web site instructs the targeted user to save and run the "FBI vs. Facebook" article on the user's machine. If the user clicks the "save it" hyperlink, a copy of the worm is downloaded and executed on the user's system. The worm uses the filename fbi_facebook.exe. Some of the known e-mail subject lines include: F.B.I may strike Facebook; F.B.I watching us; The FBI's plan to "profile" Facebook; and F.B.I. watching you. Users are strongly encouraged to always verify the authenticity of unexpected links within e-mail. For assistance in verifying the authenticity of links, users can check the reputation of any URL using the IronPort Security Network's E-mail and Web Reputation Tool on the SenderBase website.

IntelliShield published 159 events last week: 32 new events and 127 updated events. Of the 159 events, 137 were Vulnerability Alerts, 11 were Security Issue Alerts, four were Daily Malicious Code Summaries, three were Security Activity Bulletins, two were Malicious Code Alerts, one was an Applied Mitigation Bulletin, and one was the Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals
2008 Monthly Alert Totals
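The PAT issue and the mitigation advice above both come down to a question an administrator can answer locally: do the source ports of outbound DNS queries, as seen on the far side of the NAT or PAT device, still look random? The following Python script is an added illustration and is not code from the report or from Cisco. It parses a few constructed tcpdump-style summary lines (the capture format and every port value are assumed for the example) and applies three heuristics: sequential allocation, reuse of a small pool, and confinement to a narrow range. The thresholds are this example's assumptions, not vendor guidance.

```python
"""Added example (not from the Cyber Risk Report or from Cisco): a quick check of
whether the UDP source ports used for outbound DNS queries look randomized.
All sample lines and port values below are constructed for illustration."""
import random
import re

# tcpdump-style one-line summaries (format assumed for this example). The
# source port is the number after the last dot of the source address, and
# only queries sent to port 53 are considered.
TCPDUMP_RE = re.compile(r"IP \S+?\.(\d+) > \S+\.53: ")

# A few constructed capture lines used to demonstrate the parser.
SAMPLE_LINES = [
    "IP 10.0.0.2.40001 > 192.0.2.1.53: 1+ A? example.com. (29)",
    "IP 10.0.0.2.40002 > 192.0.2.1.53: 2+ A? example.net. (29)",
    "IP 192.0.2.1.53 > 10.0.0.2.40001: 1 1/0/0 A 203.0.113.7 (45)",  # a reply, ignored
    "IP 10.0.0.2.40003 > 192.0.2.1.53: 3+ AAAA? example.org. (29)",
]


def ports_from_tcpdump(lines):
    """Extract outbound DNS source ports from tcpdump-style summary lines."""
    ports = []
    for line in lines:
        match = TCPDUMP_RE.search(line)
        if match:
            ports.append(int(match.group(1)))
    return ports


def sequential_fraction(ports):
    """Share of consecutive samples in which the port simply increments by one."""
    if len(ports) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    return steps / (len(ports) - 1)


def assess_source_ports(ports, min_samples=50, max_sequential=0.2,
                        min_distinct_ratio=0.5, min_span=16384):
    """Classify a sample of source ports with three simple heuristics.
    The thresholds are this example's assumptions, not vendor guidance."""
    if len(ports) < min_samples:
        return "INSUFFICIENT: need more samples"
    if sequential_fraction(ports) > max_sequential:
        return "PREDICTABLE: sequential allocation"
    if len(set(ports)) / len(ports) < min_distinct_ratio:
        return "PREDICTABLE: ports reused from a small pool"
    if max(ports) - min(ports) < min_span:
        return "PREDICTABLE: ports confined to a narrow range"
    return "OK: source ports look randomized"


def constructed_samples(seed=2008):
    """Three constructed port sequences: a PAT device counting upwards, a
    resolver pinned to one port, and a resolver drawing ports at random."""
    rng = random.Random(seed)  # fixed seed keeps the example reproducible
    return {
        "sequential_pat": [40000 + i for i in range(200)],
        "fixed_port": [53] * 200,
        "randomized": rng.sample(range(1024, 65536), 200),
    }


if __name__ == "__main__":
    print("parsed ports:", ports_from_tcpdump(SAMPLE_LINES))
    for name, ports in constructed_samples().items():
        print(f"{name:15s} -> {assess_source_ports(ports)}")
```

In practice the ports are captured on the external interface of the NAT or PAT device, or read from a test service that reports the ports it observed, and fed to assess_source_ports. A "PREDICTABLE" verdict for a resolver that has already been patched for CVE-2008-1447 points at the translating device in the path rather than at the resolver itself.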
Significant Alerts for the Time Period

Multiple Vendor DNS Implementations Insufficient Entropy Vulnerability

DNS implementations of multiple vendors contain a vulnerability that could allow an unauthenticated, remote attacker to conduct DNS cache poisoning attacks. Such an attack may result in the modification of stored DNS entries, possibly allowing the attacker to conduct further attacks against systems that rely on the affected DNS server. Functional exploit code that allows the insertion of malicious DNS records to poison the cache of the targeted DNS server has been publicly released. This exploit places a single malicious host entry into the DNS server's cache; a successful exploit of this kind lets the attacker spoof DNS entries so that the target DNS server inserts the additional malicious record into its cache. Additional exploit code that allows for complete domain hijacking through the modification of SOA records is also available. Multiple exploit tools are becoming publicly available, increasing the risks associated with not patching affected products.

Previous Alerts That Still Represent Significant Risk

Oracle Critical Patch Update July 2008

Oracle has released the Critical Patch Update advisory for July 2008. The update contains 45 distinct security fixes for various Oracle products. Additional IntelliShield alerts that detail individual vulnerabilities will be released in the near future as technical details become available.

Apple Mac OS X and OS X Server contain a vulnerability that could allow a local attacker to perform actions with elevated privileges. A local attacker could exploit the vulnerability to perform actions with root privileges and leverage these privileges to take complete control of the targeted system. Malicious software is currently exploiting this vulnerability: OSX/Hovdy-A, which is documented in IntelliShield Alert 16132, has been identified as exploiting it.

Adobe Flash Player Multimedia File Integer Overflow Vulnerability

Adobe Flash Player contains an integer overflow vulnerability that could allow a remote attacker to cause a denial of service condition or execute arbitrary code with elevated privileges. The Downloader.Swif.C trojan, which is detailed in IntelliShield Alert 15955, attempts to exploit this vulnerability. Reports indicate that this malicious code is currently active in large-scale attacks. Adobe has confirmed the vulnerability and released updated software.

Debian and Ubuntu Predictable OpenSSL Random Number Generation Issue

Debian and Ubuntu contain a security issue in OpenSSL that could result in the generation of pseudo-random values that can easily be predicted. As a result, all SSL certificates, SSH keys, and passwords generated by affected third-party applications may have predictable features that could easily be determined through brute-force methods. Attackers may be able to nullify or significantly reduce the benefits supplied by encryption or randomization.

Microsoft Jet Database Engine msjet40.dll MDB Parsing Buffer Overflow Vulnerability

Microsoft Jet Database Engine contains a buffer overflow vulnerability that could allow a remote attacker to execute arbitrary code. Proof-of-concept code that demonstrates the possibility of code execution on Microsoft Access 2003 SP3 is available. The TROJ_MDROPPER.MB trojan, which exploits this vulnerability, is currently active and is documented in IntelliShield Alert 12562. Microsoft has confirmed this vulnerability in a security bulletin and released updates.

Physical

There was no significant activity in this category during the time period.

Legal

Australian Government ISP Content Filters

The Australian Communications and Media Authority (ACMA) has been testing content filters with the intention of mandating their use by Australian ISPs. The tests used built-in black lists and a test base of 3,930 sample URLs.
The results, with 30 simulated users, blocked 88–94 percent of the intended blocked content, while giving false positives for 1–3 percent of the requests. The filtering processes also consumed up to 75 percent of network resources. The government is planning a trial rollout to several ISPs for further testing before mandating filtering for all Australian ISPs.

Trust

IBM ISS X-Force Vulnerability and Malicious Code Trending Report for 2008 Released

The IBM ISS X-Force Research and Development team has released a midyear report addressing vulnerability and malicious code trends reported in the first six months of 2008. The team compared the trend to results observed over the previous 10 years. Trends and explanations are included for the most common types of attacks and exploits and how those attacks and exploits have changed over the years. Statistics are included, as are detailed graphs and charts.

IntelliShield Analysis: According to the research, reported vulnerabilities appear to be primarily disclosed by ten "top vendors" who account for nearly 20 percent of the total number reported. With the increase in vendor reports, clients may place a stronger trust in vendors who are actively identifying and correcting vulnerabilities in their products. Vendor diligence can build on the client-vendor relationship and increase the likelihood of customers staying with a particular vendor, and even assist the economy by securing jobs through the revenue earned from clients remaining with a company. Customers should not, however, rely on vendors exclusively for reports on potential vulnerabilities. Numerous independent researchers do not report vulnerabilities directly to the vendors, but post findings on blogs and websites. In addition, malicious code continues to be prevalent, with online games and banking entities especially targeted. Although continuous threats remain, an increased trust between clients and vendors should allow customers to rely more on vendors for information about ways to protect systems.

Identity

Marketing of Korean Identity Information

Police investigators in Seoul, Republic of Korea, have arrested eight suspects in connection with the purchase, resale, and misuse of personal identification information. The two-year investigation uncovered the theft of identification information by Chinese hackers. The identification information was then purchased by Korean loan businesses and resold to additional loan businesses and marketing companies. The information is believed to have been stolen through as many as 2,000 compromised websites of financial institutions, universities, and e-commerce businesses. In statements, police emphasized that businesses contributed to the growth of these crimes by not reporting information compromises.

IntelliShield Analysis: This investigation exposes a single incident cycle of the global criminal market for identification information. The information is compromised through websites, sold and resold, and ultimately used for targeted marketing and to further exploit victims on a global scale. The market for the information includes the criminal organizations and hackers performing the compromises and the legitimate businesses that feed the criminal market through the purchase, trade, and exploitation of the information for profit. The investigation highlights the need for improved international law enforcement cooperation and global reporting of identification information compromises. Much like spam, this activity will continue regardless of increased defensive information security measures as long as profits are high and the probability of arrest is low.
Businesses play an important role in defeating identification information crime by securing their websites, reporting attacks and compromises, cooperating with law enforcement investigations, and promoting international standards and cooperation.

Human

Keying Mistakes May Evade Common Error Checking

Professor Kai A. Olsen has recently published research findings on human fallibility in entering data. His research was inspired by a 2006 court case in Norway, in which a bank customer accidentally entered one digit too many and Norwegian Kroner equivalent to US$100,000 was deposited into the wrong account. His research involved a simulator in which users would manually enter data for 30 transactions and confirm or edit the entries to be sure the information was correct. The students entering the data failed to enter the correct account number 7 percent of the time, higher than the expected failure rate on actual systems. In some cases, the use of checksums may have caught the mistake, but in other cases, the data was acceptable but not correct.

Geopolitical

India Watching Cyber Cafés in Wake of Bombings

In the aftermath of deadly serial bombings in the Indian cities of Bangalore and Ahmedabad, threatening e-mails have extended the impact of the attacks. A Muslim militant group calling itself the Indian Mujahideen has claimed that the attacks were revenge for riots in 2002 in which an estimated 1,000 people, many of them Muslims, were killed. Reports surfaced after the bombings that an e-mail had been sent from the account of a United States expatriate resident that warned of the Ahmedabad bombings just minutes before the explosions. Authorities believe that the expatriate's e-mail account was hijacked for the purpose of sending the warning and that he is probably not involved. Since that time, more threatening e-mail messages have kept Indians on high alert. In the space of a few days, the Hindi news channel India TV received an e-mail from a Yahoo account threatening to blow up India TV's office in Uttar Pradesh; threats were also received by the Japanese embassy in Delhi and the Kolkata High Court. Police are intensifying their scrutiny of cyber cafés across India, requiring customers to provide identification to use the cafés and screening cyber café owners as well.

IntelliShield Analysis: While the majority of the threat e-mails are hoaxes, each one must be taken seriously, causing enormous expenditure of resources and creating inconvenience and delay by requiring the re-routing of traffic and the closure of important public landmarks. It also bolsters the arguments of government authorities that increased monitoring of telecommunications is called for given the renewed threats. The threat e-mails come at a time when Indian authorities were already restricting the spread of cyber cafés and raising bureaucratic hurdles for café owners owing to terrorism fears. The unintended result could be a slowing of the spread of Internet usage in India, given that more than half of Indians access the Internet via cyber cafés, and household broadband connectivity lags far behind China. More bombings in the coming weeks could lead multinational companies operating in India to reconsider travel or even investment plans to and within these important Indian technology centers.

Upcoming Security Activity

Black Hat: August 6–7, 2008

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use.
Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.