Cyber Risk Report

June 16–22, 2008

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Much of the vulnerability and threat activity from the previous week centered on disclosures from independent security researchers and research groups. Of particular interest were vulnerabilities disclosed for the Apple Mac OS X operating system, the Firefox web browser, and the Microsoft Word application.
Apple Mac OS X and OS X Server contain a vulnerability in the Apple Remote Desktop Agent (ARDAgent) that could allow an attacker to perform actions with root privileges. The attacker could use these privileges to take complete control of the target system. To exploit this vulnerability, an attacker must already be able to launch a terminal session on the system, a condition that limits the number of potential attackers.

Mozilla released version 3.0 of its Firefox web browser. An independent security research group released preliminary details of a vulnerability affecting this version of the browser. The vulnerability could allow a remote attacker to execute arbitrary code with elevated privileges. To exploit the vulnerability, an attacker must convince a user to visit a specially designed website that causes Firefox to execute malicious code. This is a common scenario that attackers use to distribute malicious code. Because of the popularity of the Firefox web browser and its wide availability for multiple systems and languages, there may be an increase in the number of users who are susceptible to this vulnerability.
Microsoft Word contains a vulnerability due to an error when handling bulleted lists. Proof-of-concept code that demonstrates a denial of service condition is publicly available, and unconfirmed reports indicate that attackers may be actively exploiting the vulnerability. To exploit this vulnerability, the attacker must convince a user to open a malicious Word document and manipulate bulleted lists in a specific manner.

The Storm worm, as described in IntelliShield Alert 14009, is currently propagating with the file beijing.exe. The worm uses an e-mail body that contains a link to a website that is hosting a copy of the worm. The website is related to the recent earthquakes in Beijing and claims to have a video of the details surrounding this disaster. If the user clicks on the video, a copy of the worm is downloaded and executed on the user’s system. Users are strongly encouraged to always verify the authenticity of unexpected links within e-mail. As an added measure of protection, before following links, users can check the reputation of any URL using the IronPort Security Network’s E-mail and Web Reputation Tool on the SenderBase Website.

IntelliShield published 134 events last week: 36 new events and 98 updated events. Of the 134 events, 118 were Vulnerability Alerts, nine were Security Issue Alerts, two were Daily Malicious Code Summaries, two were Malicious Code Alerts, one was an Applied Mitigation Bulletin, one was a Security Activity Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Friday        09/29/2007     3        29      32
Thursday      09/28/2007     8        16      24
Wednesday     09/27/2007    10        10      20
Tuesday       09/26/2007     8        19      27
Monday        09/25/2007     7        24      31
Weekly Total                36        98     134

Previous Alerts That Still Represent Significant Risk

Adobe Flash Player Multimedia File Integer Overflow Vulnerability
IntelliShield Vulnerability Alert 15623, Version 5, June 4, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2007-0071

Adobe Flash Player contains an integer overflow vulnerability that could allow a remote attacker to cause a denial of service condition or execute arbitrary code with elevated privileges. The Downloader.Swif.C trojan, as detailed in IntelliShield Alert 15955, attempts to exploit this vulnerability. Reports indicate that this malicious code is currently active in large-scale attacks. Adobe has confirmed the vulnerability and released updated software.

Debian and Ubuntu Predictable OpenSSL Random Number Generation Issue
IntelliShield Security Issue Alert 15858, Version 6, May 26, 2008
Urgency/Credibility/Severity Rating: 4/5/3
CVE-2008-0166 and CVE-2008-2285

Debian and Ubuntu contain a security issue in OpenSSL that could result in the generation of pseudo-random values that can easily be predicted. As a result, all SSL certificates, SSH keys, and passwords generated by affected third-party applications may have predictable features and may be easily guessed through brute-force methods. Attackers may be able to nullify or significantly reduce the benefits supplied by encryption or randomization.
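The practical defensive response to the issue above is to audit every SSH public key that grants access to a system and revoke any key whose fingerprint appears on a list of keys known to come from the broken generator. The following Python script is an added example written for this report; it is not Cisco, Debian or Ubuntu tooling and does not ship the real blacklist. It parses an authorized_keys file (including lines with an options prefix), computes the OpenSSH-style MD5 fingerprint of each key blob, and reports keys that match a supplied weak-fingerprint set. The sample keys, the authorized_keys text and the weak-fingerprint set are all constructed inside the script; the tiny RSA moduli are stand-ins and are not real keys.

```python
import base64
import hashlib

# Key types this checker understands; other lines are ignored.
KEY_TYPES = ("ssh-rsa", "ssh-dss")


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length + data."""
    return len(data).to_bytes(4, "big") + data


def ssh_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (leading zero byte if the high bit is set)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return ssh_string(raw)


def build_rsa_blob(e: int, n: int) -> bytes:
    """Build the ssh-rsa public-key blob that appears base64-encoded in authorized_keys."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def md5_fingerprint(blob: bytes) -> str:
    """OpenSSH-style MD5 fingerprint: colon-separated hex of MD5 over the raw key blob."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_authorized_keys(text: str):
    """Yield (line_no, key_type, blob, comment) for each well-formed key line.

    A line may carry an options prefix (e.g. command="...",no-pty) before the key
    type, so the key-type token is located rather than assumed to be in column 0.
    Blank lines, comments and lines whose key data does not decode are skipped.
    """
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        tokens = stripped.split()
        for idx, tok in enumerate(tokens[:-1]):
            if tok in KEY_TYPES:
                try:
                    blob = base64.b64decode(tokens[idx + 1], validate=True)
                except ValueError:  # binascii.Error is a ValueError subclass
                    break
                # A valid blob starts with its own key-type string; anything else is malformed.
                if blob.startswith(ssh_string(tok.encode())):
                    comment = " ".join(tokens[idx + 2:])
                    yield line_no, tok, blob, comment
                break


def find_weak_keys(text: str, weak_fingerprints: set) -> list:
    """Return [(line_no, fingerprint, comment)] for keys whose fingerprint is on the weak list."""
    hits = []
    for line_no, _key_type, blob, comment in parse_authorized_keys(text):
        fingerprint = md5_fingerprint(blob)
        if fingerprint in weak_fingerprints:
            hits.append((line_no, fingerprint, comment))
    return hits


# --- Constructed sample data: not real keys and not the real Debian/Ubuntu blacklist ---
# The moduli are deliberately tiny so the blobs stay short; real RSA keys are 1024 bits or more.
WEAK_BLOB = build_rsa_blob(65537, 0xC0FFEE1234567890)
GOOD_BLOB = build_rsa_blob(65537, 0xDEADBEEF0BADF00D)

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys file for this example",
    'command="/usr/bin/deploy",no-pty ssh-rsa ' + base64.b64encode(WEAK_BLOB).decode() + " build@ci-host",
    "ssh-rsa " + base64.b64encode(GOOD_BLOB).decode() + " admin@workstation",
    "ssh-rsa not-base64!! broken@line",
])

# Stand-in for a vendor-supplied set of fingerprints known to come from the broken generator.
WEAK_FINGERPRINTS = {md5_fingerprint(WEAK_BLOB)}

if __name__ == "__main__":
    for line_no, fingerprint, comment in find_weak_keys(SAMPLE_AUTHORIZED_KEYS, WEAK_FINGERPRINTS):
        print(f"line {line_no}: weak key {fingerprint} ({comment}) -- revoke and regenerate")
```

Run against a real authorized_keys file by replacing SAMPLE_AUTHORIZED_KEYS with the file contents and WEAK_FINGERPRINTS with the fingerprints from the distribution's published weak-key list; a match means the key was generated with the affected OpenSSL and must be revoked, not merely rotated on a schedule, because every copy of it (server host keys and certificates included) is equally predictable.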

Microsoft Jet Database Engine msjet40.dll MDB Parsing Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 14568, Version 6, May 20, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2007-6026

Microsoft Jet Database Engine contains a buffer overflow vulnerability that could allow a remote attacker to execute arbitrary code. Proof-of-concept code that demonstrates the possibility of code execution on Microsoft Access 2003 SP3 is available. The TROJ_MDROPPER.MB trojan, which exploits this vulnerability, is currently active and is documented in IntelliShield Alert 12562. Microsoft has confirmed this vulnerability in a security bulletin and released updates.

Oracle Critical Patch Update April 2008
IntelliShield Security Activity Bulletin 15676, Version 2, April 18, 2008
Urgency/Credibility/Severity Rating: 2/5/4

Oracle has released the Critical Patch Update advisory for April 2008. This update addresses a total of 41 vulnerabilities in Oracle products that affect Oracle Database products, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, and Oracle Siebel Enterprise products. Additional IntelliShield alerts that detail individual vulnerabilities will be released in the near future as technical details become available.

Microsoft Jet Database Engine Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 15469, Version 4, May 1, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-1092

Microsoft Jet Database Engine contains a vulnerability that could allow a remote attacker to execute arbitrary code on the affected system. The vulnerability has been identified as being used by the TROJ_MSJET.C trojan, as described in IntelliShield Alert 15486, and by the Trojan.Acdropper.C trojan, as described in IntelliShield Alert 10679. Microsoft has confirmed the vulnerability, but software updates are unavailable.

Microsoft Windows GDI File Name Parameter Vulnerability
IntelliShield Vulnerability Alert 15561, Version 5, May 9, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-1087

Microsoft Windows contains a vulnerability that could allow a remote attacker to execute arbitrary code with the privileges of the user. This vulnerability is currently being exploited in the wild by the Trojan.Emifie trojan, which is documented in IntelliShield Alert 15642. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

Physical

Floods Affecting United States and India

Both the United States and India are reacting to floods brought about by strong storms with high levels of rainfall. India's yearly monsoon rains have caused floods that have afflicted three eastern states with landslides, loss of electrical power, damaged roads, and disrupted railway services. Officials estimated that the floods in India have affected over 2 million people, leaving many stranded, and conditions will worsen as the rains continue. In the United States, six Midwestern states are facing similar consequences as flood waters continue to move south down the Missouri and Mississippi rivers. Flooding has damaged major roads and highways, railway systems, and broad infrastructure systems in several cities. Flooded fields have destroyed corn and soybean crops, resulting in higher prices on these goods as well as their derivatives. Many communities are attempting to place sandbags around their local waterways as the floodwaters continue to crest and levees overflow.

IntelliShield Analysis: The impact of the United States floods remained local for a short period of time but has already started to show a larger economic effect. Corn and soybean prices are expected to rise, as are ethanol prices. Transportation in both India and the United States has suffered, with shipped goods taking longer to arrive or not arriving at all. Civilian recovery may take longer than is typical, as relief organizations have been taxed recently by earthquakes, storms, and other events. Businesses in danger of flooding should examine their continuity plans, taking into consideration interruptions due to loss of power, low employee availability, and safety concerns. Adjusting overall expenditures in response to increased prices should also be considered. Supply chains and operations should also be reviewed and altered if necessary.

Legal

Compromise Being Reached on US Surveillance Laws

Democrats and Republicans have worked together to fashion an amendment to the Foreign Intelligence Surveillance Act (FISA). This bill was originally put into place in 1978 following the spying that took place in the Watergate scandal. The Democrats wanted to conduct inquiries into whether or not President Bush acted legally when asking various phone companies to perform warrantless wiretaps prior to the passing of the Protect America Act of 2007 last August. This act allowed such behavior under certain circumstances as a part of the war on terrorism. The President claimed that it was within his wartime powers to conduct the warrantless wiretaps. A compromise was reached that will grant immunity to phone companies that helped the president perform surveillance, as long as the company can prove to a court that it had a presidential request.

IntelliShield Analysis: The issue of determining whether the President acted within his legal rights when requesting warrantless wiretaps to be performed by phone companies has been a major political issue since it was reported. The political parties could not come to an agreement about how to resolve the questions over these wiretaps. The Protect America Act of 2007, which explicitly authorized warrantless wiretapping, was allowed by Congress to expire last February, which returned matters to the same state they were in before that bill was passed, with the potential for legal inquiries to take place. The new bill is designed to put the questions of the legality of the warrantless wiretapping in the past, giving immunity to phone companies, and also allowing the president to continue the Terrorist Surveillance Program, but now strictly under the statutes of the revised FISA. As a part of the compromise, the amendment to FISA contains a measure that states that the government cannot invoke war powers to supersede the requirements of FISA in the future. This issue highlights the risks faced by telecommunications and hi-tech companies that may be asked to cooperate with unconventional government requests.

Trust

ATM Fraud Linked to Data Breaches

Hundreds of victims have seen their accounts drained through fraudulent ATM withdrawals. The South Bend, Indiana police department, along with the United States Federal Bureau of Investigation, received reports from victims with accounts at seven local banks and at least 4 large national financial institutions. The customers' accounts were used in ATM withdrawals and transactions in Nigeria, Russia, Ukraine, and Spain. In a similar report, two men were arrested in New York for making an estimated US$750,000 worth of fraudulent withdrawals from hundreds of accounts using New York City ATMs. Reports indicate that the New York ATM fraud may be linked to the data breach of a major bank, which would be the first time such a crime could be directly linked to the data breach of a bank system.

IntelliShield Analysis: These recent ATM-related crimes are increasing in number, indicating a possible shift in criminal focus. Previously, the Internet crime of trading and selling credit cards and personal identification information was primarily used to make fraudulent credit card charges, transfer funds from existing credit card accounts, or create new accounts to obtain access to funds. While ATMs have been impacted by physical incidents of theft, forced withdrawals, and modified card readers, the linking of the compromised information to a particular data breach is a significant shift in the criminal modus operandi. A data breach is always a major security concern, but the criminal targeting of ATM information through a data breach gives criminals more direct and rapid access to cash. While many people have now taken measures to protect their credit cards through monitoring services, ATM or debit cards may not be monitored as closely; however, these types of cards need the same type of monitoring and protection. Nor do ATM and debit cards always carry the fraud protections that credit card companies provide.

Human

First Sentencing for Economic Espionage Under Economic Espionage Act of 1996

An engineer working for Quantum 3D, a company supplying military flight simulation software to the United States government, was sentenced on June 18 after pleading guilty to the charges of economic espionage and violating arms export laws following a lengthy investigation by the United States Department of Justice. The man sought only monetary gain from selling intellectual property, rather than spying on behalf of another country. This sentencing is the first for what appears to be purely economic espionage under the Economic Espionage Act of 1996.
IntelliShield Analysis: Hiring and review processes that only perform limited background checks may be unequipped to deal with employees who attempt to sell intellectual property purely for profit rather than as part of international industrial espionage. Businesses may consider performing credit checks as well as engaging human resource capabilities to identify those employees who may be at high risk for stealing secrets. Businesses may consider including clear and sufficient penalties as part of policies that address the secure handling of trade secrets or other confidential information. Additionally, businesses should continue to restrict employee access to only that information required for daily work activity. While this case is the first example of a purely economic motivation for the theft, money has long been one of the primary motivations for espionage.

Geopolitical

China Diplomatic with Neighbors

China has made progress on a number of important international diplomatic issues in recent weeks. Most visibly, in the first formal, direct talks in almost a decade, China and Taiwan agreed to establish representative offices in each other's countries, and are significantly expanding direct flights across the Taiwan Strait. China's President Hu has helped improve relations with Japan, reaching a partial compromise on the two countries' longstanding disagreement over delineation of the East China Sea. Low-level Chinese government officials have even met with Tibet's exiled leader, the Dalai Lama, and although China's efforts on the humanitarian crisis in Sudan have fallen short of Western expectations, Beijing is signaling a gradual change of heart on its role in this crisis.
IntelliShield Analysis: China's interest in trade is likely influencing Beijing's diplomatic offensive, as some have dubbed it, but the upcoming Olympic Games may also be a contributing factor. During China's period of rapid growth, robust trade relationships have sprung up with countries that have outstanding disputes with Beijing. These loose ends must be tied up if China is to ensure healthy trade and regional stability, both of which are essential to Chinese interests.

For now, China and its Asian neighbors appear focused on putting off a permanent resolution of these issues, favoring instead a diplomacy that will allow business to go forward and economies to grow. From the perspective of Western IT firms, these developments point to a China that, over the medium term, is more likely to join international standards bodies and adopt international rules on issues such as intellectual property protection. It also serves as a reminder that there are potential problems down the road that have yet to be resolved.

Upcoming Security Activity

Cisco Live (previously Networkers): June 22–26, 2008
FIRST: June 22–27, 2008
The Last HOPE: July 18–20, 2008
USENIX: May 28–August 1, 2008
Black Hat: August 6–7, 2008
DEFCON 16: August 8–10, 2008

Because of the potential for increased risk on multiple vectors, organizations’ security teams should be aware of and consider making special preparations for the following dates:

Elections (Zimbabwe): June 27, 2008
Independence Day (United States): July 4, 2008
34th G8 Summit (Japan): July 7–9, 2008
Summer Olympics: August 6–24, 2008

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
