Cyber Risk Report

June 29–July 5, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity returned to low levels after large-scale vendor announcements in early June 2009. After witnessing double-digit, year-over-year increases in vulnerability activity, IntelliShield analysts have observed a sharp decline so far in 2009. IntelliShield published 2,777 alerts by mid-2009, in comparison to 3,700 in 2008 and 3,270 in 2007. If this trend continues through the remainder of the year, 2009 may reflect an actual reduction in activity over previous years.

IntelliShield has also observed several trends that may be contributing to a decline in activity:

  • Vendors have incorporated secure coding procedures that have resulted in the identification and correction of vulnerabilities prior to public exposure.
  • Vendors and security researchers have cooperated to correct vulnerabilities through private communications prior to public reporting.
  • Rather than scanning and exploiting vulnerabilities on systems, criminal elements on the Internet increasingly use social engineering methods to exploit user systems.
  • Criminals do not expose identified vulnerabilities but keep them private in attempts to exploit users and systems without alerting vendors and users.

These trends align with other activity that indicates the improving state of vulnerability management and the increasing criminalization of threat activity that now dominates Internet activity.

IntelliShield published 56 events last week: 25 new events and 31 updated events. Of the 56 events, 44 were Vulnerability Alerts, four were Security Activity Bulletins, five were Threat Outbreak Alerts, one was a Security Issue Alert, one was a Malicious Code Alert, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day Date New Updated Total
Friday 07/03/2009 0 0 0
Thursday 07/02/2009 5 3 8
Wednesday 07/01/2009 5 2 7
Tuesday 06/30/2009 3 25 28
Monday 06/29/2009 12 1 13
Weekly Total 25 31 56

 

2009 Monthly Alert Totals

Month New Updated Monthly
Total
January 148 392 540
February 227 249 476
March 222 335 557
April 164 206 370
May 218 175 393
June 232 209 442
Annual Total 1,211 1,566 2,777


Previous Alerts That Still Represent Significant Risk

Microsoft Windows DirectShow QuickTime Media Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 18366, Version 2, June 3, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-1537

Microsoft Windows DirectShow contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Updates are not available, and Microsoft has indicated that limited, active attacks are occurring. Microsoft has released a tool that will disable QuickTime parsing without requiring manual registry editing.

Microsoft Internet Information Services WebDav Unicode Processing Security Bypass Vulnerability
IntelliShield Vulnerability Alert 18261, Version 3, June 9, 2009
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-1535

Microsoft Internet Information Services (IIS) versions 5.0, 5.1, and 6.0 contain a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and access sensitive information. The vulnerability is due to improper processing of Unicode characters in HTTP requests. An exploit could allow the attacker to bypass security restrictions and download arbitrary files from the targeted system. Exploit code is available. Microsoft has confirmed this vulnerability in a security bulletin and released software updates.

Microsoft Office PowerPoint Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 17966, Version 3, May 12, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-0556

Microsoft has released a security bulletin and software updates to address the arbitrary code execution vulnerability in Office PowerPoint. Reports indicate that targeted attempts to leverage this vulnerability continue to occur. A variant of the Trojan.PPDropper trojan, which is described in IntelliShield Alert 10845, is actively exploiting this vulnerability.

Worm: W32/Conficker.worm
IntelliShield Malicious Code Alert 17121, Version 18, April 9, 2009
Urgency/Credibility/Severity Rating: 4/5/3

W32/Conficker has changed its command-and-control communications methods and begun to download malicious files to infected systems. Conficker has now changed from malicious code that infects vulnerable systems to an operational botnet. Conficker is expected to continue to infect vulnerable systems, change command-and-control communication, and download additional malicious files to the infected systems.

Adobe Reader getAnnots Function Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 18088, Version 5, May 19, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-1492

Adobe Reader and Acrobat versions 9.1, 8.1.4, and 7.1.1 and earlier contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. The vulnerability is due to insufficient boundary checking on annotation parameters in Adobe PDF documents. An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to view a malicious PDF file. If the user views the document, the attacker could execute arbitrary code with the privileges of the user. Proof-of-concept code is available. Adobe has confirmed this vulnerability and provided an official workaround.

Adobe Acrobat Products PDF File Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 17665, Version 11, April 24, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-0658

Adobe Reader, Adobe Acrobat Professional, Acrobat Professional Extended, and Acrobat Standard contain a buffer overflow vulnerability that could allow a remote attacker to create a denial of service condition or execute arbitrary code with the privileges of the user. The level of user privileges and the code that is executed determine the degree to which the system is compromised. This vulnerability is actively being exploited in the wild by the Pidief family of trojans. Additional information about the trojan is available in IntelliShield Alert 14388. Adobe has confirmed the vulnerability and released updated software.

Microsoft Office Excel Invalid Object Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 17689, Version 6, April 14, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-0238

Microsoft Excel and related products contain a vulnerability that could allow a remote attacker to execute arbitrary code. Attackers are actively exploiting this vulnerability to conduct limited malicious code attacks that are designed to infect targeted systems with a variant of the Mdropper family of trojans. This family of trojans is detailed in IntelliShield Alert 12562. Microsoft has confirmed this vulnerability, but updated software is not available.

Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability
IntelliShield Vulnerability Alert 17519, Version 6, March 13, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-0075

Microsoft Internet Explorer Version 7.0 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or crash the browser, resulting in a denial of service condition. On systems that grant users Administrator privileges, an attacker could execute code that may result in the complete compromise of the affected system. Reports have confirmed the existence of exploit code that is delivered using a Microsoft Office Word document saved in the XML format. Exploits have been observed wherein attackers build Word documents using XML constructs, save the documents as .doc files, and deliver the malicious documents via e-mail messages or host them on websites. Several antivirus vendors are reporting the activity.

Worm: W32.Waledac
IntelliShield Malicious Code Alert 17327, Version 10, March 23, 2009
Urgency/Credibility/Severity Rating: 4/5/4

W32.Waledac is a worm that attempts to open a back door on an infected system. The worm propagates by sending a copy of itself to e-mail addresses on the infected system. The e-mail messages are configured to take advantage of interest in current events or holidays to convince users to open the malicious e-mail attachments. W32.Waledac may download files on an infected system and provide an attacker with backdoor access. The worm also attempts to steal confidential information that is related to numerous online banking entities.

Physical

Guard Arrested for Alleged Insider Attack on Hospital HVAC System

A security guard was arrested by the United States Federal Bureau of Investigation (FBI) following computer intrusions at a medical clinic in the state of Texas. The guard is charged with illegally accessing heating, ventilation, and air conditioning (HVAC) computer control systems. The intrusion could have damaged temperature-controlled pharmaceuticals or injured patients who are reliant on the heating and cooling functions. Although the guard had local, physical access to the control systems during his night watch shift, it is unknown how he accessed the supervisory control and data acquisition (SCADA) systems. The intrusion was discovered when an associate reposted screenshots the guard took from compromised systems. A concerned SCADA security researcher at Mississippi State University's Critical Infrastructure Protection Center alerted authorities. Read More

IntelliShield Analysis: SCADA control systems have become targets for amateurs and professionals who are interested in inflicting real damage to a specific location. Although SCADA systems are frequently disconnected from publicly accessible networks, including the Internet, insiders are often able to obtain physical access. The isolated nature of SCADA systems, which are frequently out of sight behind locked doors, may lend themselves to neglect. Businesses are advised to carefuly restrict physical access to SCADA control systems and regularly monitor and evaluate their operation. Control systems can also be protected through the use of disk-based encryption, and compromises can be prevented by disabling removable media devices and drives.

Legal

Prank 911 Calling Conviction in United States

A blind 19-year-old Unites States citizen has been sentenced to serve 11 years in prison for hacking into telephone networks to make spoofed 911 emergency calls since the age of 14. The prank calls, which are often referred to as "swatting," are used as a form of harassment to summon local police SWAT teams to a target's house at a cost of US$1,000 to the local government. Read More

IntelliShield Analysis: The indicted man worked with several other individuals to make the fraudulent phone calls using social engineering techniques like "pretexting" to obtain information from companies. The group also used a technique called "wardialing," in which a computer dials many numbers in an attempt to locate computer systems or phone company lines.  These are known techniques that continue to be used; organizations and users alike can protect themselves from these attacks by refusing to provide information over the phone without proper proof of identification from the requesting party. Organizations must also ensure that computers or phone services that answer automatically are well secured with usernames, password, or other access controls.

Trust

There was no significant activity in this category during the time period.

Identity

Data Privacy Concerns Surround Closure of Registered Traveler Vendor

The sudden closure of Clear, an organization that helped expedite frequent travelers through airport security, has experts wondering how customer-provided personal and biometric data will be handled. Clear's parent organization, Verified Identity Pass, Inc., was the largest of six vendors who were approved by the United Stated Transportation Security Administration (TSA), and its demise has many questioning the viability of the program. In addition to submitting an application, participants were required to provide their fingerprints, iris pattern, and two forms of identification, as well as undergo a federal background check. All data was then stored by Verified Identity Pass. The chairman of the United States House Committee on Homeland Security has required the TSA to disclose how it intends to safeguard the information in question by July 8, 2009.
Read more
Additional Information

IntelliShield Analysis: Often, the insolvency of a company can introduce an amount of chaos and uncertainty, which can make the organization more susceptible to identity thieves or the accidental disclosure of personal data. In this case, it appears that Clear is taking action to avoid this outcome. The company does not intend to sell or provide customer data to any entity other than those approved by the TSA's Registered Traveler program, but it does not appear that customers have the opportunity to opt out of the transfer. Users of any service that requires the collection of sensitive data should closely examine the privacy and data protection policy of the service, taking care to identify how information will be handled by third parties and note contingencies in the event of service suspension.

Human

United Stated Federal Trade Commission Settles with Defendants in Bogus Computer Scan Case

The United States Federal Trade Commission (FTC) recently announced a settlement with two defendants who were charged with propagating scareware, or software that is designed to intimidate users into a purchase. The defendants used interactive advertisements suggesting that a victim's PC had been scanned and was infected with malware that did not actually exist but could be removed for a fee. Over one million consumers purchased scareware marketed under names such as WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus. Total revenue for the scam was estimated at US$1.9 million.
Read more
Additional Information

IntelliShield Analysis: Scareware is becoming increasingly more common, and distribution methods are growing in sophistication. This type of malicious software is distributed through both traditional malware vectors like malicious e-mail attachments and relatively newer vectors like advertisements on legitimate websites. The growing sophistication of scareware will likely result in further steps to protect consumers from this threat.

Geopolitical

Global Governments Formulate Cyber Strategies

The United Kingdom has announced plans to launch an Office of Cyber Security as part of an overhaul of the nation's national security strategy. The new office will coordinate the government's Internet security strategy and collaborate with foreign governments. Almost simultaneously, the United States (U.S.) announced a new Cyber Command military command only weeks after establishing a new White House office for cyber security. Reports that Russian President Medvedev may pressure U.S. President Obama for an international treaty on cyber issues are also emerging in the days leading up to their summit. Any treaty would be the first of its kind.
Read more
Additional Information

IntelliShield Analysis: Governments are facing pressure to secure critical national networks in the 21st century just as they faced the imperative of securing the seas in the 19th century and the air in the 20th century. Questions as to how the feat will be accomplished and to what extent it is possible or advisable for nations to work together toward a common defense are already shaping the global discussion. Concerns are emerging, for example, that an international treaty on cyber issues might require increased government oversight of the Internet, a prospect which raises privacy concerns around the world. Moreover, by definition, rogue nations and non-state actors would not subject themselves to the limitations of an international agreement. Given the borderless nature of Internet vulnerabilities, information security specialists—particularly those with business that crosses international borders—can expect network security to be a prime consideration for global governments in the coming decade. As new regulatory frameworks and international consortia evolve, security specialists are reminded to be aware that their organizations may become involved in mutually contradictory frameworks, or in situations that are politically volatile.

Upcoming Security Activity

International ISACA Conference: July 19–22, 2009
Black Hat Training and Briefings: July 25–31, 2009
DEFCON: July 31–August 3, 2009
18th USENIX Security Symposium: August 12–15, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.

Back to Top