May 11–17, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability levels for the period were elevated from previous weeks. The increase in activity can be attributed to the release of the May Microsoft Monthly Update and the release of Apple Security Update 2009-002. Microsoft Bulletin MS09-017 addressed 14 vulnerabilities in the Microsoft Office PowerPoint application. One of the vulnerabilities was publicly disclosed in April and is being actively exploited; this vulnerability is described in IntelliShield Alert 17966. A variant of the Trojan.PPDropper trojan, which is described in IntelliShield Alert 10845, is actively exploiting this vulnerability. Apple Security Update 2009-002 for Mac OS X 10.5.7 addresses 46 vulnerabilities and is a 449 MB update for systems updating from Mac OS X 10.5.6 to 10.5.7. Updating from previous versions can increase the size of the update to 700 MB.
IntelliShield published 124 events last week: 78 new events and 46 updated events. Of the 124 events, 100 were Vulnerability Alerts, three were Security Activity Bulletins, eight were Threat Outbreak Alerts, six were Security Issue Alerts, three were Malicious Code Alerts, three were Applied Mitigation Bulletins, and one was the Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals
Significant Alerts for March 11–17, 2009

Microsoft Office PowerPoint Arbitrary Code Execution Vulnerability
Microsoft has released a security bulletin and software updates to address the arbitrary code execution vulnerability in Office PowerPoint. Reports indicate that targeted attempts to leverage this vulnerability have occurred. A variant of the Trojan.PPDropper trojan, which is described in IntelliShield Alert 10845, is actively exploiting this vulnerability.

Previous Alerts That Still Represent Significant Risk

Worm: W32/Conficker.worm
W32/Conficker has changed its command-and-control communications methods and begun to download malicious files to infected systems. Conficker has now changed from malicious code that infects vulnerable systems to an operational botnet. Conficker is expected to continue to infect vulnerable systems, change command-and-control communication, and download additional malicious files to the infected systems.

Adobe Reader getAnnots Function Buffer Overflow Vulnerability
Adobe Reader and Acrobat 9.1, 8.1.4, and 7.1.1 and earlier versions contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. The vulnerability is due to insufficient boundary checking on annotation parameters in Adobe PDF documents. An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to view a malicious PDF file. If the user views the document, the attacker could execute arbitrary code with the privileges of the user. Proof-of-concept code is available. Adobe has confirmed this vulnerability and provided an official workaround.

Adobe Acrobat Products PDF File Buffer Overflow Vulnerability
Adobe Reader, Adobe Acrobat Professional, Acrobat Professional Extended, and Acrobat Standard contain a buffer overflow vulnerability that could allow a remote attacker to create a denial of service condition or execute arbitrary code with the privileges of the user.
The level of user privileges and the code that is executed determine the degree to which the system is compromised. This vulnerability is actively being exploited in the wild by the Pidief family of trojans. Additional information about the trojan is available in IntelliShield Alert 14388. Adobe has confirmed the vulnerability and released updated software.

Microsoft Office Excel Invalid Object Arbitrary Code Execution Vulnerability
Microsoft Excel and related products contain a vulnerability that could allow a remote attacker to execute arbitrary code. Attackers are actively exploiting this vulnerability to conduct limited malicious code attacks that are designed to infect targeted systems with a variant of the Mdropper family of trojans. This family of trojans is detailed in IntelliShield Alert 12562. Microsoft has confirmed this vulnerability, but updated software is not available.

Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability
Microsoft Internet Explorer Version 7.0 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or crash the browser, resulting in a denial of service condition. On systems that grant users Administrator privileges, an attacker could execute code that may result in the complete compromise of the affected system. Reports have confirmed the existence of exploit code that is delivered using a Microsoft Office Word document saved in the XML format. Exploits have been observed wherein attackers build Word documents using XML constructs, save the documents as .doc files, and deliver the malicious documents via e-mail or host them on websites. Several antivirus vendors are reporting the activity.

Worm: W32.Waledac
W32.Waledac is a worm that attempts to open a back door on an infected system. The worm propagates by sending a copy of itself to e-mail addresses found on the infected system.
The e-mail messages are configured to take advantage of interest in current events or holidays to convince users to open the malicious e-mail attachments. W32.Waledac may download files on an infected system and provide an attacker with backdoor access. The worm also attempts to steal confidential information that is related to numerous online banking entities.

Physical

Greece Halts Google Street View
The Hellenic Data Protection Authority (DPA) in Greece has blocked Google Street View and requested further information to ensure the privacy rights of the areas added to the Google service. The Google Street View service provides a street-level view of an area and is available for several cities across the globe. Google Street View has faced similar challenges in other cities and countries where it was preparing the service, and has removed some previous Street View images due to complaints. Many of the complaints and concerns about the service are based on privacy and the potential criminal use of the service.

IntelliShield Analysis: Businesses have long included video surveillance systems among their physical security measures and must operate the systems within legal limitations for privacy, access, use, storage, and destruction of the videos. But other kinds of similar video surveillance practices are becoming more common, such as neighborhood watch groups and crime watch organizations streaming live video to access points on the Internet. Such services extend well beyond their previous use in physical security, and, as with Google Street View, introduce new questions and concerns.

Legal

Laptop Owners Class Action Lawsuit Over Nvidia Graphics Card
Five owners of laptops from companies as diverse as Apple, HP, and Dell are joining forces in an attempt to bring a class action lawsuit against the graphics card maker Nvidia. According to the plaintiffs, the faulty cards could cause the system to run too hot or even shut down.
HP and Dell issued a BIOS update that would cause the Nvidia card fan to run faster. However, this fix has been reported to be inadequate and only pushes out the expected lifetime of the card so that it stretches past the warranty date.

IntelliShield Analysis: While Nvidia has set aside 196 million dollars for warranty costs in the replacement of graphics cards that fail, the plaintiffs claim that this is insufficient and that anything short of a full replacement of all of the affected cards is inadequate. It remains to be seen if this case will gain class action status. If it does and the plaintiffs win, Nvidia may be required to replace all of the defective model cards in all laptops that shipped with that model of card, and also potentially pay some amount of damages to consumers who bought laptops that shipped with the defective cards. On the other hand, the court may simply rule that Nvidia must replace the faulty cards for users who experience problems with the cards even after the warranty has expired.

Trust

NY Man Pleads Guilty to Corporate Espionage
A Long Island man, working for a rival company, has pleaded guilty to illegal wiretapping in a corporate espionage case that targeted two Bergen County, New Jersey companies that were competitors of the man's firm. This individual was able to access internal e-mail as well as connect to and listen in on company conference calls through the use of default passwords for both e-mail and voice conferencing accounts. This access provided the individual with some of the companies' internal and confidential information regarding pricing and contract bidding strategies. The individual was then able to leverage this information to win a number of contract bids that were also being bid on by his competition.
IntelliShield Analysis: There have been a considerable number of events over recent months that involved the use of weak and default passwords and resulted in the illegal acquisition or use of confidential personal data. This case, however, highlights the fact that the ability to obtain corporate passwords can result in an adverse impact to a company's financial position as well. All corporations, regardless of size and nature of business, should establish, maintain, and adhere to corporate password policies, which should always include a requirement to change default passwords after initial access. And while it is not apparent from this article whether or not the passwords leveraged were associated with accounts of employees who had subsequently left the company, corporate password policies should also always include user account revocation practices for users who leave the company for any reason.

Identity

Misuse of Patient Records by Trusted Employee
Patient records were improperly accessed by a former Johns Hopkins Hospital employee, according to a report filed with the state of Maryland. The thefts were suspected to be part of a fraudulent driver's license scheme in Virginia. Thirty-one individuals with connections to the hospital have reported identity thefts since January. This breach did not involve a hacking incident; at the time, the employee had access to these records as part of her job.

IntelliShield Analysis: The frequency with which individuals are required to turn over sensitive personal information, such as social security numbers, is of concern. One person in a trusted position is all that is required for successful identity theft. No hacking or compromise of a trusted system is required. Many systems require redesign in order to avoid the use of social security numbers for identification.
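A check for the Word XML trick described in the Internet Explorer alert in the Vulnerability section above (Word documents built from XML constructs and saved with a .doc extension). This is an added example, not code from the Cisco report: it compares an attachment's extension with the container its bytes actually hold, using the standard OLE2 compound-file header and the Word 2003 WordML namespace; the attachment names and contents are constructed samples.

```python
import re

# Header of an OLE2 compound file, the container behind a genuine binary .doc.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Namespace that marks a Word 2003 XML (WordML) document.
WORDML_NS = b"schemas.microsoft.com/office/word/2003/wordml"
# Container a well-behaved file should have for each extension.
EXPECTED_CONTAINER = {".doc": "ole2", ".dot": "ole2", ".xml": "wordml"}

def classify(data: bytes) -> str:
    """Return 'ole2', 'wordml' or 'unknown' from the leading bytes of a file."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    # Tolerate a UTF-8 BOM and leading whitespace before the XML declaration.
    head = data.lstrip(b"\xef\xbb\xbf").lstrip()
    if head.startswith(b"<?xml") and WORDML_NS in head[:4096]:
        return "wordml"
    return "unknown"

def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension promises one container but the bytes hold another."""
    match = re.search(r"\.[a-z0-9]+$", filename.lower())
    expected = EXPECTED_CONTAINER.get(match.group(0)) if match else None
    if expected is None:
        return False  # extension outside the scope of this check
    actual = classify(data)
    return actual != "unknown" and actual != expected

def suspicious_attachments(attachments: dict) -> list:
    """Names of attachments whose extension disagrees with their content."""
    return sorted(n for n, d in attachments.items() if extension_mismatch(n, d))

# Constructed sample attachments (inert, not real malware).
WORDML_BODY = (
    b'\xef\xbb\xbf<?xml version="1.0"?>\n'
    b'<?mso-application progid="Word.Document"?>\n'
    b'<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml">'
    b"<w:body/></w:wordDocument>"
)
SAMPLES = {
    "quarterly.doc": OLE2_MAGIC + b"\x00" * 24,   # genuine binary Word file
    "agenda.doc": WORDML_BODY,                    # WordML hiding behind .doc
    "agenda.xml": WORDML_BODY,                    # WordML honestly labelled
    "readme.txt": b"plain text",                  # not covered by the check
}

if __name__ == "__main__":
    print(suspicious_attachments(SAMPLES))  # ['agenda.doc']
```

The check is deliberately conservative: a .doc whose content is neither OLE2 nor WordML is left for other tooling rather than flagged, so it produces no alert on unrelated formats.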
Human

Twitter Roundup: Twittercrat, Twitternaut, Twitterpanic, Twitterfeds
Britain's Cabinet Office appointed Andrew Stott (DirDigEng on Twitter) to the newly created post of Director of Digital Engagement, earning Stott the press nickname “Twittercrat” and an annual salary of approximately US$250,000. Stott's mission is to promote conversation and collaboration between the government and citizenry using Web 2.0 technologies. Meanwhile, NASA astronaut Mike Massimino (astro_mike on Twitter) posted updates from outer space to his thousands of followers on Twitter as he cruised toward a repair mission for the Hubble Space Telescope. In Guatemala, police arrested and jailed a Twitter user on a personal mission (jeanfer on Twitter) for “inciting financial panic” after he sent a 96-character message asking people to withdraw funds from a state-owned bank. And in the United States, the FBI also began posting updates to Twitter (FBIPressOffice on Twitter).

IntelliShield Analysis: Although a Nielsen survey reported in April that 60 percent of Twitter users quit using the micro-blogging service after a month, the number of new users continues to rocket as celebrities, politicians, and 17 million other people jump on the Twitter bandwagon. Global collaboration and conversation are spectacularly enhanced by Web 2.0 technologies; however, users of the services are reminded that cyber criminals are drawn to cyber crowds. At work among the multigenerational Twitterers are fraudsters posting URLs that download malcode, tricksters creating games that ask users to provide answers to questions that are commonly used as security questions, and scammers seeking “friends” and “followers” to fleece with variations on the Nigerian banking ploy. Hackers continue to phish successfully for usernames, passwords, and other confidential information that could be used to perpetrate cyber crimes.
Users are advised to apply caution and common sense when providing personal information in updates. Additionally, with the widespread adoption of social networking services by businesses, employees should be well-versed in their company's policies concerning the use of collaborative services.

Geopolitical

PRC Government's Hardened Operating System
A secure operating system known as Kylin has been deployed by the Chinese government for use on its computers, according to recent Congressional testimony by the U.S. Economic and Security Review Commission. In fact, Kylin was jointly developed by Lenovo and China's National Defense Technology University (NDTU), and deployed as early as 2004. Its purpose was not only to protect Chinese computers from network intrusion attempts, but also to afford China's computer networks greater autonomy from Western-controlled Unix, Linux, and Windows platforms.

IntelliShield Analysis: The Chinese government is not alone in its quest for a hardened operating system with which to defend sensitive government networks. U.S. government information security experts have been engaged for years in the process of strengthening and certifying secure operating systems for use in critical information systems. The European Union is supporting development of the Dutch-designed operating system Minix, which aims to be small, reliable, and secure. There is little doubt among government planners around the world that future military conflicts will include a cyber component, and the quest to build secure operating environments for sensitive government systems is a common starting point.
Upcoming Security Activity

CSI SX Security Exchange: May 17–21, 2009

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

20th anniversary of Tiananmen Incident (China): June 4, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
