
Cyber Risk Report

March 16–22, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

During this period, vulnerability and threat activity dropped slightly from the levels of previous weeks.  More is now known about how the Adobe Acrobat and Reader JBIG2 buffer overflow vulnerability is being propagated: the malicious .pdf files that exploit it are being distributed in spam messages sent from a botnet, a network of infected systems, which could widen the current outbreak.  This vulnerability is detailed in IntelliShield Alert 17665.

The CanSecWest security conference hosted its third annual Pwn2Own contest, at which security researchers launched several successful zero-day exploits against fully patched browsers, including Firefox, Safari, and Internet Explorer.  One exploit, against Internet Explorer 8 on Microsoft Windows 7, bypassed the Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) protections.  Separately, researchers disclosed a CPU cache poisoning attack against Intel x86/x86_64 processors that could allow a local attacker who already holds elevated privileges to read and write the memory region where System Management Mode (SMM) code resides, and therefore to execute arbitrary code in SMM, outside the view of the operating system.  Further details about these vulnerabilities are available in IntelliShield Alerts 17847 and 17839.

In malicious code activity, Trojan.Skimer targets Diebold ATMs that run the Microsoft Windows operating system.  The trojan logs sensitive information such as account details and PINs and can also instruct the machine to dispense cash.  Malware written specifically for ATMs had not been seen before, and the author is believed to have had insider knowledge of the Diebold platform.  Installing the trojan requires physical access to the ATM; how the attackers obtained that access has not been disclosed.  Further information on this trojan is available in IntelliShield Alert 17824.

Cisco Security Intelligence Operations has detected significant activity related to spam e-mail messages with subject lines claiming that 18 people have been killed by a dirty bomb.  The message body contains a link that appears to lead to a news article.  The fake news page geolocates the visitor from the source IP address, builds a story naming the visitor's general area, claims to offer video of the event, and prompts the user to download a Flash update to view it.  The download is actually malicious code detected as a variant of the W32.Waledac family of worms, documented in IntelliShield Alert 17327.  Additional information about this threat is detailed in IntelliShield Alert 17811.

Cisco will release its semiannual Cisco IOS Software security bundle on Wednesday, March 25.  Additional information about this release will be available that day on the Cisco PSIRT home page.

IntelliShield published 104 events last week: 43 new events and 61 updated events. Of the 104 events, 75 were Vulnerability Alerts, 11 were Threat Outbreak Alerts, nine were Security Activity Bulletins, four were Malicious Code Alerts, four were Security Issue Alerts, and one was a Cyber Risk Report.  The alert publication totals are as follows:

Weekly Alert Totals

Day            Date        New   Updated   Total
Friday         3/20/2009     8         9      17
Thursday       3/19/2009     6        22      28
Wednesday      3/18/2009    10         7      17
Tuesday        3/17/2009    11        12      23
Monday         3/16/2009     8        11      19
Weekly Total                43        61     104


Significant Alerts for March 16–22, 2009

Adobe Acrobat Products PDF File Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 17665, Version 7, March 19, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-0658

Adobe Reader, Adobe Acrobat Professional, Acrobat Professional Extended, and Acrobat Standard contain a buffer overflow vulnerability that could allow a remote attacker to create a denial of service condition or execute arbitrary code with the privileges of the user.  The privileges of that user and the code that is executed determine the degree to which the system is compromised.  This vulnerability is being actively exploited in the wild by the Pidief family of trojans, described in IntelliShield Alert 14388.  Adobe has confirmed the vulnerability and released updated software for version 9 of the affected products.
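A practitioner triaging the spam-delivered .pdf files described above would first want to know which objects in a file carry a JBIG2 stream at all.  The following is an added example written for this report; it is not Adobe's code and not an IntelliShield tool.  It scans a PDF at the object level, resolves the #xx name escapes that are commonly used to hide filter names from naive string matching, and separately reports object streams (/Type /ObjStm), whose contents are compressed and cannot be inspected without inflating them.  The sample PDF is constructed inline and is not a captured malicious file.

```python
import re

# Matches "N G obj ... endobj" in an uncompressed object table (triage only,
# not a full PDF parser: objects inside an /ObjStm are not visible here).
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
# A PDF name token: '/' followed by regular characters; '#' escapes are allowed.
NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]+)")


def decode_name(name: bytes) -> bytes:
    """Resolve PDF name escapes, e.g. b'JBIG2#44ecode' -> b'JBIG2Decode'.
    Obfuscated filter names are a cheap way to evade a plain substring search."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), name)


def scan_pdf(pdf: bytes) -> dict:
    """Return {'jbig2': [...], 'objstm': [...]}: object numbers whose dictionary
    selects the JBIG2Decode filter, and object streams that hide further
    dictionaries behind compression and therefore need a second pass."""
    result = {"jbig2": [], "objstm": []}
    for m in OBJ_RE.finditer(pdf):
        num = int(m.group(1))
        # Inspect only the dictionary, not the stream payload that follows it.
        dictionary = m.group(3).split(b"stream", 1)[0]
        names = {decode_name(n) for n in NAME_RE.findall(dictionary)}
        if b"JBIG2Decode" in names:
            result["jbig2"].append(num)
        if b"ObjStm" in names:
            result["objstm"].append(num)
    return result


# Constructed sample: object 4 is an image whose filter chain ends in an
# escaped JBIG2Decode name; object 5 is an ordinary Flate stream; object 6 is
# an object stream the scanner can only flag, not look inside.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Resources << /XObject << /Im0 4 0 R >> >> >>
endobj
4 0 obj
<< /Type /XObject /Subtype /Image /Width 1 /Height 1 /Filter [/FlateDecode /JBIG2#44ecode] /Length 4 >>
stream
\x00\x00\x00\x00
endstream
endobj
5 0 obj
<< /Length 12 /Filter /FlateDecode >>
stream
xxxxxxxxxxxx
endstream
endobj
6 0 obj
<< /Type /ObjStm /N 1 /First 5 /Length 3 >>
stream
abc
endstream
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    print(scan_pdf(SAMPLE_PDF))
```

A file that reports nothing under "jbig2" but lists object streams is not cleared: the filter name may sit inside the compressed object stream, so those objects have to be inflated and rescanned before the file is considered safe.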

Previous Alerts That Still Represent Significant Risk

Microsoft Office Excel Invalid Object Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 17689, Version 5, March 6, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-0238

Microsoft Excel and related products contain a vulnerability that could allow a remote attacker to execute arbitrary code.  Attackers are actively exploiting this vulnerability to conduct limited malicious code attacks that are designed to infect targeted systems with a variant of the Mdropper family of trojans.  This family of trojans is detailed in IntelliShield Alert 12562.  Microsoft has confirmed this vulnerability, but updated software is not available.

Misconfigured Router Causes Increased BGP Traffic and Isolated Outages for Internet Services
IntelliShield Security Activity Bulletin 17657, Version 2, February 20, 2009
Urgency/Credibility/Severity Rating: 2/5/3

On Monday, February 16, 2009, a misconfigured router belonging to SuproNet, a Czech Internet service provider, caused a sharp increase in Border Gateway Protocol (BGP) update traffic and isolated outages for Internet services around the world.  The router issued routing announcements containing overly long Autonomous System (AS) paths.  Cisco Security Intelligence Operations has released additional technical information and workarounds to mitigate denial of service conditions that result from overly long AS paths; this information is available in IntelliShield Alert 17670.  OpenBSD has fixed a similar flaw, described in IntelliShield Alert 17658.
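The failure mode described above, an AS path that grows past what a receiving implementation expects, is easier to reason about with the wire encoding in hand.  The following added example is written for this report; it is not Cisco code and not the content of IntelliShield Alert 17670.  It encodes and decodes the AS_PATH attribute as RFC 4271 defines it (each segment carries a one-byte count, so at most 255 ASNs per segment), shows the boundary that a single-segment encoder trips over, and applies a configurable maximum path length as a receiving router's policy would.  The ASNs and prepend counts are constructed and are not the SuproNet announcement.

```python
import struct

AS_SEQUENCE = 2      # AS_PATH segment type: ordered list of ASNs
SEGMENT_MAX = 255    # segment length field is one byte (RFC 4271, section 4.3)


def encode_as_path(asns, four_byte=False):
    """Encode an AS_PATH attribute value, opening a new AS_SEQUENCE segment
    whenever the current one would otherwise exceed 255 ASNs."""
    fmt = "!I" if four_byte else "!H"
    out = bytearray()
    for start in range(0, len(asns), SEGMENT_MAX):
        chunk = asns[start:start + SEGMENT_MAX]
        out += struct.pack("!BB", AS_SEQUENCE, len(chunk))
        for asn in chunk:
            out += struct.pack(fmt, asn)
    return bytes(out)


def naive_encode_as_path(asns, four_byte=False):
    """Encoder that assumes the whole path fits in one segment.  It raises
    struct.error as soon as the path exceeds 255 ASNs, which is the boundary
    any implementation handling long paths must respect."""
    fmt = "!I" if four_byte else "!H"
    out = struct.pack("!BB", AS_SEQUENCE, len(asns))
    return out + b"".join(struct.pack(fmt, asn) for asn in asns)


def naive_encoding_fails(asns):
    """True if the single-segment encoder cannot represent this path."""
    try:
        naive_encode_as_path(asns)
    except struct.error:
        return True
    return False


def decode_as_path(data, four_byte=False):
    """Parse AS_SEQUENCE segments back into a flat list of ASNs."""
    fmt = "!I" if four_byte else "!H"
    width = 4 if four_byte else 2
    asns, pos = [], 0
    while pos < len(data):
        seg_type, count = struct.unpack_from("!BB", data, pos)
        pos += 2
        if seg_type != AS_SEQUENCE:
            raise ValueError(f"unsupported segment type {seg_type}")
        for _ in range(count):
            asns.append(struct.unpack_from(fmt, data, pos)[0])
            pos += width
    return asns


def accept_update(asns, maxas_limit):
    """Receiving-router policy: discard any update whose AS path is longer
    than maxas_limit hops instead of installing and propagating it."""
    return len(asns) <= maxas_limit


def build_prepended_path(origin_as, prepends, upstreams):
    """Constructed path: the origin prepends itself `prepends` times, then each
    upstream AS adds itself in front as the update travels toward the receiver."""
    return list(upstreams) + [origin_as] * prepends


if __name__ == "__main__":
    # 252 prepends plus four upstream ASes: 256 hops, one past a single segment.
    path = build_prepended_path(65010, 252, [65001, 65002, 65003, 65004])
    print("hops:", len(path), "accepted with limit 75:", accept_update(path, 75))
    print("single-segment encoder fails:", naive_encoding_fails(path))
    wire = encode_as_path(path)
    print("segmented encoding bytes:", len(wire), "round trip ok:", decode_as_path(wire) == path)
```

Two points follow from the code.  First, a path of 252 hops is not itself malformed; it becomes a boundary case only after a few more routers prepend their own ASN, which is why the fault surfaced far from the router that caused it.  Second, the length check in accept_update is the defensive control: a receiver that drops absurdly long paths at its edge never has to encode them onward.  Cisco IOS exposes this check as the bgp maxas-limit router configuration command; the value to use is a local policy decision, and 75 above is only an illustration.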

Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability
IntelliShield Vulnerability Alert 17519, Version 6, March 13, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-0075

Microsoft Internet Explorer 7.0 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or crash the browser, resulting in a denial of service condition.  On systems where users run with Administrator privileges, successful exploitation could completely compromise the affected system.  Exploit code has been confirmed in the wild, delivered in Microsoft Office Word documents saved in XML format: attackers build the document from XML constructs, save it with a .doc extension, and deliver it by e-mail or host it on websites.  Several antivirus vendors have reported the activity.

Worm: W32.Waledac
IntelliShield Malicious Code Alert 17327, Version 9, February 13, 2009
Urgency/Credibility/Severity Rating: 4/5/4

W32.Waledac is a worm that attempts to open a back door on an infected system.  The worm propagates by sending a copy of itself to e-mail addresses found on the infected system.  Recently, the Waledac family was observed disguising itself as Valentine's Day e-cards; its messages play on interest in current events or holidays to convince users to open the attachment.  W32.Waledac may download files to an infected system and provide an attacker with backdoor access.  The worm also attempts to steal confidential information related to numerous online banking entities.

Worm: W32/Conficker.worm
IntelliShield Malicious Code Alert 17121, Version 13, March 12, 2009
Urgency/Credibility/Severity Rating: 4/5/3

W32/Conficker.worm is propagating quickly across many networks and has reportedly infected millions of systems.  One of its propagation routines exploits the Microsoft Windows Server service remote procedure call (RPC) request handling code execution vulnerability described in IntelliShield Alert 16941.  The worm blocks infected systems from reaching antivirus and security-related websites, which makes diagnosis and removal more difficult.  Administrators are advised to apply the MS08-067 Microsoft update to prevent infection and to isolate any suspected infected systems until they can be fully restored.

Physical

Olympic 2010 Sponsors Receive Threats from Protestors

A threat assessment document compiled in July 2008 by Canada's Integrated Threat Assessment Centre was released recently, detailing potential security risks during the 2010 Vancouver Olympics.  Canadian federal security agents are investigating several terrorist and anarchist groups that have promised to protest and disrupt the Winter Olympics.  Activists are concerned about how the Olympics may affect poverty levels and the environment, as well as the overall budget of Vancouver and its surrounding areas.

IntelliShield Analysis: Some are skeptical about the threat assessment, raising questions about the validity of the findings in the document.  Others also expressed skepticism over the amount of attention certain activist groups are receiving as compared to those they believe could do significant physical harm.  Events that draw a great deal of attention on an international scale have always attracted extremist groups, and the current economic climate could intensify the number of groups as well as their activities.  Businesses and organizations associated with the Olympics could be targeted and are encouraged to maintain updated incident response plans for these types of threats or actual attacks.  Employees should also be kept informed about procedures and expectations in response to these types of incidents.

Legal

The Difficulty of Adequately Deploying Blacklists

In its response to the Telecommunications Carriers Forum draft code of practice on section 92A of New Zealand's Copyright Act, Google provided details of the takedown notices it has received under the United States Digital Millennium Copyright Act: 57 percent of the notices came from businesses targeting competitors, and 37 percent were not valid copyright claims.  Google also called for an independent adjudicator to evaluate infringement claims.  In a related story, Australia's blacklist of banned websites has been leaked to Wikileaks, which has also posted the blacklists of Thailand, Denmark, and Norway.  Although these lists may be intended to prevent illegal activity, opponents of the blacklists point to the potential for the lists themselves to be corrupted and to the ineffectiveness of attempting to limit access or activity on the Internet.

IntelliShield Analysis: Aside from legal, political, ethical, or security intentions, both references for this item show the inherent difficulties of creating, implementing, and maintaining controls such as blacklists.  Security teams that consider implementing or are required to implement these types of controls should be aware of the potential technical and operational difficulties.  Blacklisting, filtering, and other similar controls are generally most effective and manageable on a limited scale, such as for an individual home PC, business, school, government, or other local area network.  The further upstream on the network or the higher on the scale the controls are applied, the greater the potential for corrupted controls and negative impact.  In addition to the high operational overhead of maintaining the controls, as opponents of blacklists point out, a number of users will likely attempt to or succeed at circumventing the controls. The potential for controls to be bypassed creates additional exposures and covert channels and increases the overall risk to the systems and network.  Organizations are advised to carefully consider the broader issues in the risk/reward calculations of implementing these controls.

Trust

Hackers Target Russian Automated Teller Machines

In January, Diebold, Inc., a manufacturer of automated teller machines (ATMs) and other integrated and self-service technologies, issued a security update for its Windows-based ATMs.  The update responded to a series of targeted attacks against Russian ATMs in which criminals installed malicious code on the devices after gaining unauthorized physical access to them.  The malicious code is believed to capture card details as customers access their accounts; the criminals later return to the ATM and print those details through the malware's backdoor interface.  Suspects have been apprehended in connection with these attacks.

IntelliShield Analysis: Although this may be the first of this type of publicly disclosed ATM-based malicious software, threats against consumers at ATMs are not new. Because this particular trojan horse program required physical access to be installed, it remains similar to previous attacks that used, for example, cameras and external card skimmers to steal customer information. However, researchers from Sophos have noted that the malware took advantage of many undocumented Diebold functions, which indicates that advanced knowledge was leveraged to implement this attack. Organizations should continue to protect all systems with recommended hardening techniques and monitor ATMs for attacks that use this emerging threat vector.

Identity

Credant Technologies Releases Mobile Phone Unprotected Data Study

Credant Technologies surveyed 600 commuters at London railway stations.  The survey showed that 80 percent of mobile phone users store sensitive information on their phones.  Many users reported using their mobile devices for some form of business activity, even when their employer had instructed them not to.  About 35 percent of users send and receive business e-mail on their mobile devices, and 77 percent store business names and contact information on them.  Seventeen percent download business documents, and 23 percent store customer information on their devices.  Of these users, 40 percent do not use any form of encryption.

IntelliShield Analysis: The survey indicates that many mobile device users store sensitive personal and business information on their portable devices without measures to protect this data.  Losing the device or having it stolen would allow access to such information as the user's e-mail, passwords, birthday, business documents, children's names, and pets' names so that those who possess the device can easily masquerade as the user.  Separate business and personal mobile phones could aid in protecting business data, but the employees may object or be unsuccessful at implementing this control.  Employers and mobile device users are encouraged to consider encryption to protect personal as well as corporate information stored on their portable devices.  Additional security measures and features are available on some devices, and users are advised to consider these features when selecting a device and service provider.

Human

Juror Misconduct Results in Mistrial

In Florida, nine jurors in a federal trial caused a mistrial by admitting that they had independently used the Internet to research the case during the trial.  Portable, always-available Internet access from mobile devices let the jurors gather information from sources outside the courtroom, flouting the judge's orders not to seek outside information and contravening hundreds of years of jurisprudence.  At a federal corruption trial in Pennsylvania during the same period, a juror posted trial updates to Twitter and Facebook accounts.  Although no mistrial was declared, defense lawyers plan to use the juror's posts as the basis for their client's appeal of a guilty verdict.

IntelliShield Analysis: With the capability to send and receive voice and text messages, recordings, videos, and images, mobile communications devices allow users to connect with friends, family, the Internet, and the office, as well as the ability to upset judicial proceedings. Businesses also face risks from users of these devices when unrestricted access to facilities or data is allowed. User education would seem to be the key to protecting sensitive data; however, jurors in the Florida and Pennsylvania trials were specifically instructed to avoid using the Internet to seek information about the cases.  Placing limitations on the use of mobile devices could help prevent mistrials and business losses. Fines or imprisonment for users who disregard the limitations could enforce safe data handling and raise awareness of the need to keep sensitive data protected.

Geopolitical

Iran Thwarts Online Soft Coup Attempt

Iran's Islamic Revolutionary Guard Corps (IRGC) announced last week that it had dismantled a network of websites that targeted the religious beliefs of Iranian society.  According to the reports, several of the site owners, including individuals in Iran and elsewhere, were arrested by the IRGC.  The websites are alleged to have been funded by foreign intelligence services to foment a soft coup in Iran by attacking Iranian religious and cultural beliefs.  Among those arrested were journalists from BBC Persian TV in Iran.

IntelliShield Analysis: Iran is believed to have the third most active blogging community, after the United States and China.  This active, outspoken online presence poses a rapidly evolving threat to Iran's Islamic regime.  Iranian authorities have been aggressive in jailing activist bloggers and monitoring or blocking websites that are deemed threatening or destabilizing.  One such website belonged to one-time presidential candidate and popular reformer Mohammad Khatami, who pulled out of the political race unexpectedly last week.  Efforts to intimidate bloggers reportedly are also reaching to Facebook and YouTube, where positive identities are hard to gauge, creating an atmosphere of fear according to bloggers.  This is a particularly sensitive time for Iran, with closely watched presidential elections scheduled for June.  Authorities are intensifying their attention to Internet communications in an indication that they comprehend the magnitude of this new threat.

Upcoming Security Activity

Cisco IOS Software security bundle: March 25, 2009
Black Hat Europe 2009: April 14–17, 2009
RSA Conference 2009: April 20–24, 2009

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

United States NCAA basketball tournament: March 19–April 6, 2009
London G20 economic summit: April 2, 2009
United States income tax day: April 15, 2009
India general elections: April 16–May 13, 2009
South Africa general election: April 22, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
