The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.
Vulnerability
Vulnerability and threat activity levels continued to increase, consistent with the same period of the previous year. IntelliShield analysts responded to an average of 545 events per month from January 2007 through June 2007; this rose to an average of 617 events per month from January 2008 through June 2008. The number of revised alerts remained similar across these two periods, but 2008 has brought a marked increase in the number of new alerts.
Microsoft released its Microsoft Security Bulletin Advance Notification for July 2008. Microsoft scored all four of the bulletins scheduled for release on July 8, 2008 with a maximum severity rating of Important. These bulletins address vulnerabilities in the Microsoft Windows operating system, Microsoft Exchange Server, and Microsoft SQL Server.
Mozilla released 12 security advisories to address vulnerabilities in the Firefox web browser and the SeaMonkey Internet application suite. These vulnerabilities could allow a remote attacker to gain access to sensitive information, conduct spoofing or phishing attacks, or execute arbitrary code. Users can mitigate these vulnerabilities by following security best-practice guidelines: do not visit untrusted websites or follow untrusted links, and do not install software from untrusted sources.
Apple released Security Update 2008-004 and Mac OS X version 10.5.4 to address 25 distinct vulnerabilities. These vulnerabilities could allow attackers to cause a denial of service condition, gain access to sensitive information, or execute arbitrary code. However, this update failed to fix the Apple Mac OS X and OS X Server Apple Remote Desktop Agent privilege escalation vulnerability, which is detailed in IntelliShield Alert 16117.
Independent security researchers announced that Apple has not updated the Mac OS X operating system for the iPhone platform since February. As a result, even a user running the most recent iPhone software may unknowingly be exposed to many known vulnerabilities while handling day-to-day tasks. Users can mitigate these vulnerabilities by following best-practice guidelines, including avoiding untrusted websites and not installing or running files from untrusted sources.
In malicious code activity this week, two JavaScript trojans are exploiting the RealNetworks RealPlayer rmoc3260.dll ActiveX control memory corruption vulnerability, as described in IntelliShield Alert 15356, and the RealNetworks RealPlayer ierpplug.dll ActiveX control arbitrary code execution vulnerability, as documented in IntelliShield Alert 14365. JS/RealPlr.T and JS_REAPLAY.C, which are detailed in IntelliShield Alert 16172, attempt to exploit these vulnerabilities to install additional malicious software on the system. Users may encounter these JavaScript trojans by visiting malicious websites. Systems that do not contain a vulnerable version of RealPlayer are unaffected by exploitation attempts. Additionally, systems that do not allow JavaScript to run on untrusted sites may not be affected, because the malicious scripts will not be allowed to run.
IntelliShield published 132 events last week: 44 new events and 88 updated events. Of the 132 events, 117 were Vulnerability Alerts, eight were Security Issue Alerts, three were Daily Malicious Code Summaries, two were Malicious Code Alerts, one was a Security Activity Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:
[Charts: Weekly Alert Totals; 2008 Monthly Alert Totals; Cumulative Annual Alert Totals. The chart data is not reproduced in this text.]
Previous Alerts That Still Present Significant Risk
Apple Mac OS X and OS X Server Apple Remote Desktop Agent Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 16117, Version 2, June 24, 2008
Urgency/Credibility/Severity Rating: 2/4/4
CVE-2008-2830
Apple Mac OS X and OS X Server contain a vulnerability that could allow a local attacker to perform actions with root privileges and thereby take complete control of the targeted system. Malicious software is currently exploiting this vulnerability: OSX/Hovdy-A, which is documented in IntelliShield Alert 16132, has been identified as exploiting it.
Adobe Flash Player Multimedia File Integer Overflow Vulnerability
IntelliShield Vulnerability Alert 15623, Version 5, June 4, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2007-0071
Adobe Flash Player contains an integer overflow vulnerability that could allow a remote attacker to cause a denial of service condition or execute arbitrary code with elevated privileges. The Downloader.Swif.C trojan, which is detailed in IntelliShield Alert 15955, attempts to exploit this vulnerability. Reports indicate that this malicious code is currently active in large-scale attacks. Adobe has confirmed the vulnerability and released updated software.
Debian and Ubuntu Predictable OpenSSL Random Number Generation Issue
IntelliShield Security Issue Alert 15858, Version 6, May 26, 2008
Urgency/Credibility/Severity Rating: 4/5/3
CVE-2008-0166 and CVE-2008-2285
Debian and Ubuntu contain a security issue in OpenSSL that results in the generation of pseudo-random values that can easily be predicted. As a result, all SSL certificates, SSH keys, and passwords generated by affected third-party applications may have predictable features that could be determined through brute-force methods, allowing attackers to nullify or significantly reduce the benefits of encryption or randomization.
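The practical defensive response to this issue is to compare the fingerprints of every deployed public key against the published lists of keys generated by the affected OpenSSL, as Debian's ssh-vulnkey utility does. The following Python script is an added example and is not code from the report, from Debian, or from OpenSSL: it constructs two toy ssh-rsa keys, uses a constructed one-entry blocklist in place of the real published fingerprint lists, and scans an authorized_keys-style input for blocklisted keys. The MD5 colon fingerprint format is the one ssh-keygen printed at the time; the key names, moduli and function names are all assumptions.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format 'string' (RFC 4251): uint32 length + payload."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH 'mpint' (big-endian, leading 0x00 if the high bit is set)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw  # keep the two's-complement value positive
    return ssh_string(raw)


def make_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Build an OpenSSH 'ssh-rsa <base64 blob> <comment>' line from constructed toy parameters."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode('ascii')} {comment}"


def blob_key_type(blob: bytes) -> str:
    """Read the leading SSH string of a decoded key blob; it names the key type."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii", errors="replace")


def md5_fingerprint(b64_blob: str) -> str:
    """Colon-separated MD5 fingerprint of the raw key blob (the 'ssh-keygen -l' form of 2008)."""
    digest = hashlib.md5(base64.b64decode(b64_blob)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed sample keys. The moduli are toy values, not real or known-weak key material.
WEAK_KEY_LINE = make_rsa_pubkey_line(65537, (1 << 1023) | 0x10001, "weak@debian-host")
GOOD_KEY_LINE = make_rsa_pubkey_line(65537, (1 << 1023) | 0x30003, "ok@workstation")

# Constructed blocklist standing in for the published fingerprint lists of affected keys.
WEAK_FINGERPRINTS = {md5_fingerprint(WEAK_KEY_LINE.split()[1])}

# Constructed authorized_keys-style input: a comment line, a blocklisted key, a blank line, a clean key.
SAMPLE_AUTHORIZED_KEYS = f"""# constructed authorized_keys sample
{WEAK_KEY_LINE}

{GOOD_KEY_LINE}
"""


def scan_authorized_keys(text: str, blocklist=WEAK_FINGERPRINTS) -> list:
    """Return one finding per key line: line number, type, comment, fingerprint and blocklist hit.

    Lines that start with login options (e.g. 'command="...",no-pty ssh-rsa ...') are skipped
    here for brevity; a production scanner must parse those as well.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2 or not parts[0].startswith("ssh-"):
            continue  # covers ssh-rsa / ssh-dss style lines only
        key_type, b64_blob = parts[0], parts[1]
        comment = parts[2] if len(parts) > 2 else ""
        try:
            blob = base64.b64decode(b64_blob, validate=True)
        except ValueError:
            continue  # malformed base64: not a key we can fingerprint
        if len(blob) < 4 or blob_key_type(blob) != key_type:
            continue  # declared type and encoded type disagree: treat as malformed
        fp = md5_fingerprint(b64_blob)
        findings.append({
            "line": lineno,
            "type": key_type,
            "comment": comment,
            "fingerprint": fp,
            "weak": fp in blocklist,
        })
    return findings


if __name__ == "__main__":
    for f in scan_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        status = "BLOCKLISTED" if f["weak"] else "ok"
        print(f"line {f['line']}: {f['type']} {f['fingerprint']} {f['comment']} -> {status}")
```

The scan matches on the fingerprint of the whole public-key blob rather than on the modulus alone, which is how the published lists were keyed; any key found on such a list should be revoked and regenerated on a patched system, and certificates issued from weak keys reissued, since the keys remain predictable after the library update.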
Microsoft Jet Database Engine msjet40.dll MDB Parsing Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 14568, Version 6, May 20, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2007-6026
Microsoft Jet Database Engine contains a buffer overflow vulnerability that could allow a remote attacker to execute arbitrary code. Proof-of-concept code that demonstrates the possibility of code execution on Microsoft Access 2003 SP3 is available. The TROJ_MDROPPER.MB trojan, which exploits this vulnerability, is currently active and is documented in IntelliShield Alert 12562. Microsoft has confirmed this vulnerability in a security bulletin and released updates.
Oracle Critical Patch Update April 2008
IntelliShield Security Activity Bulletin 15676, Version 2, April 18, 2008
Urgency/Credibility/Severity Rating: 2/5/4
Oracle has released the Critical Patch Update advisory for April 2008. This update addresses a total of 41 vulnerabilities that affect Oracle Database products, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, and Oracle Siebel Enterprise products. Additional IntelliShield alerts that detail individual vulnerabilities will be released in the near future as technical details become available.
Microsoft Jet Database Engine Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 15469, Version 4, May 1, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-1092
Microsoft Jet Database Engine contains a vulnerability that could allow a remote attacker to execute arbitrary code on the affected system. The vulnerability has been identified as being used by the TROJ_MSJET.C trojan, which is detailed in IntelliShield Alert 15486, and by the Trojan.Acdropper.C trojan described in IntelliShield Alert 10679. Microsoft has confirmed the vulnerability, but software updates are unavailable.
Microsoft Windows GDI File Name Parameter Vulnerability
IntelliShield Vulnerability Alert 15561, Version 5, May 9, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-1087
Microsoft Windows contains a vulnerability that could allow a remote attacker to execute arbitrary code with the privileges of the user. This vulnerability is currently being exploited in the wild by the Trojan.Emifie trojan, which is documented in IntelliShield Alert 15642. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.
Physical
Physical Identity Theft Risks in Companies
Joshua Perrymon, director of PacketFocus Security Solutions and CEO of RedFlag Security, recently reported physical identity theft risks within high-level US companies, including banks and ISPs. Perrymon conducts social engineering assessments and within the past year was able to steal thousands of identities. The assessments consist of physical intrusions in which he poses as a legitimate worker, such as an auditor or repairman, and obtains information directly from offices. In one case, Perrymon obtained, in approximately seven minutes, a US mail tray containing 500 customer statements.
IntelliShield Analysis: Most companies are aware of the risks of online identity theft but fail to realize the potential for physical theft of identity-related documents. The Federal Trade Commission (FTC) is requiring companies that provide credit to assess the risk of customer identity theft via physical means by November of this year, and this requirement has increased demand for services such as those RedFlag Security provides. Employees should be trained to be mindful of visitors' activities, to recognize counterfeit badges, and to secure sensitive data against easy access. Even if documents are not physically stolen, recording devices may be used to capture personal information.
Legal
There was no significant activity in this category during the time period.
Trust
EU and US Nearing Completion of Private Data Sharing Agreement
The European Union and the United States have nearly completed an agreement governing the sharing of private information, including travel records and Internet data, about residents of member countries. The agreement is intended to make it easier to share data for law enforcement purposes by establishing a single set of rules for the exchange and handling of private information. Privacy advocates in European Union countries, which currently have stricter privacy laws than the United States, are concerned that private data about citizens may be more easily accessed without authorization. Additionally, negotiators have still not solved the difficult problem of what recourse citizens would have in the case of data loss or misuse.
IntelliShield Analysis: Businesses accustomed to the stricter privacy laws of the European Union should be aware of this new agreement. Although data sharing between the two parties is not new, the agreement may make sharing easier and more difficult to contest or monitor. The participating organizations may be able to share information such as Internet browsing histories and travel records, which could contain information sensitive to business operations.
Identity
World of Warcraft Goes Two-Factor
Blizzard Software, producer of the popular massively multiplayer online role-playing game World of Warcraft, has begun to offer simple two-factor authentication to its subscribers. The company is now selling inexpensive security tokens that can be linked to a subscriber’s account to help prevent fraudulent access. Blizzard hopes this action will strike a major blow to the underground economies that commonly trade real-world money for virtual cash and items stolen from subscribers.
IntelliShield Analysis: As virtual and physical economies collide, so do the realms of criminal activity. Subscribers to online role-playing games such as Blizzard’s World of Warcraft are increasingly coming under attack by the cyber underworld. Phishing and malware attacks designed to obtain subscribers’ account credentials are now a common occurrence. Attackers then use these credentials to empty the in-game banks and inventories of the users’ avatars of both virtual cash and property, which can be sold to other players for real-world money. This growing trend has made Blizzard Software one of the first to offer two-factor authentication for a non-financial, for-pay service. While Blizzard may be among the first in this arena, expect many other services to offer a similar solution as the price of security tokens and the related infrastructure software continues to fall.
Human
Airport Laptop Theft
The Ponemon Institute recently reported that laptop losses at some medium and large airports exceed 600,000 cases per year, and more than half of the laptops are never reclaimed. The report also highlighted some staggering statistics: few travelers took steps to protect confidential information, many held no hope of recovering their computers, and some made no attempt at recovery at all. The report cites confusion near airport security checkpoints and poor user habits elsewhere as reasons for some of the losses, and theft is considered a common cause.
IntelliShield Analysis: The information in this study should be alarming for US businesses. Companies should ensure that data security policies are enforced for mobile devices, including common best practices such as hard drive encryption, storing only essential data on devices, and using separate “clean” travel laptops. User education is also important; simple steps such as placing the laptop as the last item on the X-ray conveyor belt and waiting to enter the metal detector until all items have entered the conveyor may help travelers keep pace with their equipment. Policies that place some responsibility on travelers, such as penalties for individuals or departments in the case of theft, may encourage users to follow best practices. Organizations and employees must work together to safeguard data; if either is not contributing to device security, losses can be significant.
Geopolitical
IP Protection Agreement on the Table at G8
At the G8 summit taking place this week in Japan, policy makers are expected to discuss support for the Anti-Counterfeiting Trade Agreement (ACTA), which would set tougher standards for evaluating countries’ performance on intellectual property (IP) theft and anti-piracy laws. The ACTA is a draft agreement under discussion by the US, EU, Switzerland, Australia and Japan. Its aim is to establish an international framework for catching and prosecuting piracy of copyrighted material. A draft of the agreement, leaked to WikiLeaks, shows that it would create an international framework allowing the search of electronic devices such as laptops and MP3 players for possible copyright-infringing content. It would also require ISPs to disclose more customer information.
IntelliShield Analysis: The proposed agreement has sparked considerable opposition on blogs for its potential to constrict peer-to-peer file sharing, broaden the mandate for border searches, and increase the burden on ISPs to police content. Multinational businesses have been calling for increased government-level attention to IP protection and anti-piracy, and copyright holders stand to benefit from an international enforcement framework. Nevertheless, if the draft ACTA agreement is supported at the G8 summit this week, it will probably draw significant opposition from various Internet stakeholders and merits attention in the coming weeks.
Upcoming Security Activity
Microsoft Security Bulletin Update for July 2008: July 8, 2008
The Last HOPE: July 18–20, 2008
USENIX: July 28–August 1, 2008
Black Hat: August 6–7, 2008
DEFCON 16: August 8–10, 2008
Oracle OpenWorld 2008: September 21–25, 2008
Because of the potential for increased risk on multiple vectors, organizations’ security teams should be aware of and consider making special preparations for the following dates:
34th G8 Summit (Japan): July 7–9, 2008
Summer Olympics: August 6–24, 2008
Additional Information
For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.
For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.