July 26–August 1, 2010

The IntelliShield Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. The Cyber Risk Reports are the result of collaborative efforts, information sharing, and the collective security expertise of senior analysts from Cisco security services, including the IntelliShield team (IntelliShield Alert Manager, Applied Intelligence, and IPS), ROS, PSIRT, the Corporate Security Programs Organization, and Legal Support.

Vulnerability

Vulnerability activity for the period was consistent with previous periods. The activity included several highlights from Black Hat USA presentations and vulnerability research; vendor security updates were released by IBM, Red Hat, FreeBSD, CentOS, Mozilla, Google Chrome, Apple Safari, and HP. Additional information was also released regarding the Microsoft and Siemens vulnerabilities and the related exploit activity.

Microsoft announced that it will release an out-of-band security advisory for the Microsoft .lnk vulnerability today, Monday, August 2. This vulnerability affects virtually all Windows systems, is being used to specifically target SCADA systems, and is being actively exploited through multiple attack vectors. There are currently few reliable or feasible mitigation methods for this vulnerability or its exploits, which further increases the importance of this security update.

Highlights and presentations from the Black Hat USA and DEFCON security conferences and training sessions are available from their respective web sites. Several vulnerabilities and security issues were presented in detail on consumer routers, GSM encryption, VxWorks, the Smart Grid architecture, and more. For many, the highlight of the DEFCON conference was the social engineering contest, in which contestants attempted to use social engineering techniques to gather sensitive information about organizations' networks and systems that could be used to attack those organizations. This contest and the techniques used provide valuable insight for any organization.

The Cisco 2010 Midyear Security Report has already received widespread coverage and reporting by the media and industry analysts. The full report is available for download in PDF format, and a video recording of Cisco security leaders discussing the findings of this year's report is available as well.

IntelliShield published 111 events last week: 50 new events and 61 updated events. Of the 111 events, 86 were Vulnerability Alerts, 14 were Security Activity Bulletins, three were Security Issue Alerts, seven were Threat Outbreak Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals
Significant Alerts for July 26–August 1, 2010

Microsoft Windows .lnk File Processing Arbitrary Code Execution Vulnerability
Microsoft Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system. A functional exploit that is part of the Metasploit framework is publicly available. Microsoft has re-released a security bulletin with updated workarounds and additional information about the attack vectors used to exploit the Microsoft Windows .lnk file processing arbitrary code execution vulnerability.

Microsoft Windows .lnk File Vulnerability Used for Malware Outbreak Targeting SCADA Systems
New malware, called W32/Stuxnet-B, has been reported. This malware propagates using USB drives apparently infected with malformed shortcut (.lnk) files. F-Secure detects the LNK exploit as Exploit:W32/WormLink.A. Reports suggest that the malformed shortcuts exploit a remote code execution vulnerability in Microsoft Windows, which has been reported in IntelliShield Alert 20918. Siemens has confirmed that its products are being affected by the malware outbreak targeting SCADA systems.

Previous Alerts That Still Represent Significant Risk

Microsoft Windows Help and Support Center Whitelist Bypass Vulnerability
Exploits of the Microsoft Windows Help and Support Center whitelist bypass vulnerability are being observed in the wild. Microsoft has confirmed this vulnerability in a security advisory; however, updates are not available.

DNSSEC-Enabled Queries to the DURZ Serving Root May Affect DNS Services
Signed root DNS zones are designated to go into effect during a maintenance window on July 15, 2010, establishing the availability of DNSSEC-enabled queries.

Microsoft Exchange Server Outlook Web Access Cross-Site Request Forgery Vulnerability
Microsoft Exchange Server contains a vulnerability that could allow an unauthenticated, remote attacker to conduct cross-site request forgery attacks on an affected site. Proof-of-concept code that exploits this vulnerability is publicly available. Updates are not available.

Multiple Adobe Products Remote Arbitrary Code Execution Vulnerability
Multiple Adobe products contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system or cause a denial of service (DoS) condition. Functional code that exploits this vulnerability is available. Adobe has confirmed this vulnerability and released updated software.

IBM and Oracle Java Web Start Java Development Kit ActiveX Control Command-Line Injection Vulnerability
Oracle Java contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands on the system with the privileges of the user. Systems with Oracle Java JRE and JDK 6 Update 10 and later contain the affected ActiveX control and are vulnerable. Red Hat has released an additional security advisory and updated packages to address the Oracle Java Web Start Java Development Kit ActiveX control command-line injection vulnerability.

Kernel Hook Bypassing Engine Affects Multiple Security Applications
A security research team has created a tool that is able to bypass the protections provided by host-based security software on Microsoft Windows systems and execute arbitrary code with kernel privileges.

Microsoft SharePoint Server 2007 Cross-Site Scripting Vulnerability
Microsoft SharePoint Server 2007 versions SP2 and prior contain a cross-site scripting vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary HTML or script code in a user's browser. Proof-of-concept code that exploits this vulnerability is publicly available. Microsoft has confirmed this vulnerability and released software updates.

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
Multiple Transport Layer Security (TLS) implementations contain a vulnerability when renegotiating a TLS session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Proof-of-concept code that exploits this vulnerability is publicly available. HP has released an additional security bulletin and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Physical

There was no significant activity in this category during the time period.

Legal

Library of Congress Publishes Update to Digital Rights Regulations
The Digital Millennium Copyright Act of 1998 gave the Librarian of Congress the authority to issue rules regarding what is and is not legal use of copyrighted materials. The Librarian has issued rules regarding the question of "fair use" of copyrighted digital materials four times since 1998. The most recent regulation, published last week, allows individual owners to circumvent digital locking and encryption technologies in some interesting cases. The most reported ruling is that it is not a violation of copyright for the owner of a digital device to "jailbreak" or unlock the device to enable personal uses of the device beyond those permitted by the manufacturer. In addition, the regulations make clear that it is not illegal to circumvent encryption in order to incorporate small portions of copyrighted materials in non-commercial, research, or educational works. The new regulation also makes clear that it is not a violation of copyright to circumvent hardware key systems (a.k.a. dongles) in cases where the key is lost or broken and cannot be replaced. It is also permitted to apply text-to-speech conversion to material where the rights holder does not already provide the capability.
Perhaps the most interesting regulation, due to the potential precedent it creates, states that it is not a violation of copyright for a researcher to circumvent software protections on video game software for the purposes of analyzing and correcting security flaws.

IntelliShield Analysis: While the ruling, as stated, is limited to computer video games, it may still set a precedent for researchers to assert that they can legally circumvent copyright controls on other software products for the same purposes: to research and correct security flaws. This possible precedent certainly bears watching by software vendors who are the focus of one or more outside vulnerability research efforts. They may find they have one less legal option available for controlling who can examine and manipulate their software products.

Trust

Researchers Uncover Check Counterfeiting Scheme Aided by Zeus Botnet
Joe Stewart, a researcher from SecureWorks Inc., recently posted details about a check counterfeiting scheme dubbed Big Boss. The scheme relied upon the Zeus trojan horse botnet to compromise databases of processed check images, produce counterfeit checks based on the account information in those captured images, find job seekers via online employment sites, hire them as "money mules," and then send those checks via overnight delivery to the mules recruited to cash the fraudulent instruments. Stewart estimates that over 9 million US dollars was directly defrauded through this scheme, and an additional $65,000 was defrauded via credit card transactions used to pay for the overnight check delivery to the mules.

Identity

There was no significant activity in this category during the time period.

Human

Victims of Scareware Reluctant to Fight Back
Recent research indicates that a large percentage of those affected by scareware scams rarely make any attempt to recover the charges they have incurred through the purchase of rogue antivirus software and other software advertised through these scams. Many victims simply felt too embarrassed to report their situations, some actually thought that the scareware they downloaded had a positive impact on their computer, and others who did take action eventually gave up due to frustration.

IntelliShield Analysis: The embarrassment felt by these consumers, which in turn prevented them from reporting these events, is very similar to the reasoning used by public enterprises when they fail to report data leakages, attacks on their own networks, and other damaging acts performed by miscreants. Many corporations feel that reporting these events will bring additional attention to the matter, with the end result being an adverse impact on their public reputation. While such feelings are certainly understandable, this behavior makes it increasingly difficult for the law enforcement community to make headway in identifying and subsequently prosecuting the individuals and groups responsible for these nefarious acts. While it may be somewhat overly optimistic, it is expected that the more these types of events are reported, the more likely they will begin to diminish over time.

Geopolitical

Wikileaks Reveals the Best and the Worst of Web 2.0
Over 92,000 classified documents were posted on the free-speech site Wikileaks this month, constituting the single largest leak of classified government information in U.S. history. Publication of the trove of raw intelligence sparked a media frenzy over the implications, which allege, among other things, high-level Pakistani support for the Taliban, cover-ups of extensive civilian casualties, and NATO heartburn over the course of the war. U.S. officials are saying that the documents do not reveal much information that was not already known. Wikileaks founder Julian Assange is keeping a low profile, and to date, rumors of his imminent arrest have not proved true. Assange has asserted that Wikileaks takes pains to protect its sources, and that in most cases he is personally unaware of their identities; however, investigators quickly narrowed down the suspected whistle-blower to a low-ranking U.S. intelligence analyst serving in Iraq, who they say bragged in a chat room about his actions.

IntelliShield Analysis: The Wikileaks story provides one of the best, or worst, illustrations to date of the potential of Web 2.0 to throw open the floodgates of information to the court of public opinion. On the one hand, by publishing a vast cache of classified documents, Wikileaks has thrown light on information that could potentially affect the course of the war in Afghanistan and has increased public knowledge of the unscripted, real-life prosecution of war. On the other hand, the revelations imperil untold numbers of operations, soldiers, and informants who are risking their lives to assist the military effort in Afghanistan. Because so much of the data is in raw form, it is easy to misinterpret complicated events. The leak also undermines trust among intelligence agencies that have stepped up efforts to share information. For information security specialists, the event underscores the extensive damage that can be done by trusted insiders. Particularly in large organizations, trust must be augmented by ongoing efforts to harden auditing and access management tools and by rigorous enforcement of need-to-know.
Upcoming Security Activity

USENIX Security: August 11–13, 2010

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

World Expo (Shanghai, China): May 1–October 31, 2010

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.